

Messages - NogBadTheBad

Pages: [1] 2 3 4 5 ... 34
1
Packages / Re: Managed Switch Configuration with Avahi
« on: Today at 02:24:18 am »
Should I add MyPrivateNet to the Avahi domain field?

No, it needs to be different; local is fine.

Re the packet capture: go to Diagnostics -> Packet Capture, select the interface you want to capture on and hit Start.

You can download the packet capture and open it in Wireshark.

2
Packages / Re: Managed Switch Configuration with Avahi
« on: Yesterday at 04:22:19 pm »
Something tells me that the multicast from the WLAN may not be making it to the LAN?  According to Ubiquiti, the Unifi AC allows broadcast from LAN to WLAN by default, but I have not found if it is true from WLAN to LAN.

That's easy to work out: do a packet capture on VLAN/subnet B, open it up in Wireshark and use ip.addr >= 224.0.0.0 as a display filter, or ip.addr >= 224.0.0.0 || ipv6.addr >= ff00:: if you run IPv4 & IPv6 :)
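
The same check can be done without Wireshark on the file downloaded from Diagnostics -> Packet Capture. The script below is an added example, not code from the thread or from pfSense: it parses a classic libpcap file (the format tcpdump on pfSense writes; pcapng is not handled) and applies exactly the post's display filter, a numeric ">= 224.0.0.0" / ">= ff00::" comparison on both addresses, so like that filter it also shows 255.255.255.255 limited broadcast (DHCP), which is not multicast. It handles a single 802.1Q tag, which you get if you capture on the parent interface rather than the VLAN interface. The sample capture at the bottom is constructed inline (mDNS queries to 224.0.0.251 and ff02::fb plus a unicast TCP frame) so it runs offline; the MACs, addresses and VLAN 20 are made up.

```python
"""Added example, not from the thread: list multicast packets in a pfSense
packet capture without Wireshark.  Applies the same test as the display
filter in the post (ip.addr >= 224.0.0.0 || ipv6.addr >= ff00::), so it also
catches 255.255.255.255 limited broadcast, which is not multicast.
Standard library only; classic libpcap format, Ethernet link type.
The sample capture at the bottom is constructed inline so this runs offline."""
import ipaddress
import struct
import sys

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
V4_FLOOR = int(ipaddress.IPv4Address("224.0.0.0"))
V6_FLOOR = int(ipaddress.IPv6Address("ff00::"))


def matches_filter(addr: str) -> bool:
    """Numeric comparison, which is what Wireshark's >= does on an address field."""
    ip = ipaddress.ip_address(addr)
    return int(ip) >= (V4_FLOOR if ip.version == 4 else V6_FLOOR)


def parse_frame(frame: bytes):
    """Return (src, dst, ip_proto) for an IPv4/IPv6 Ethernet frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETH_VLAN and len(frame) >= 18:   # 802.1Q tag (capture on parent interface)
        ethertype, off = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype == ETH_IPV4 and len(frame) >= off + 20:
        return (str(ipaddress.IPv4Address(frame[off + 12:off + 16])),
                str(ipaddress.IPv4Address(frame[off + 16:off + 20])), frame[off + 9])
    if ethertype == ETH_IPV6 and len(frame) >= off + 40:
        return (str(ipaddress.IPv6Address(frame[off + 8:off + 24])),
                str(ipaddress.IPv6Address(frame[off + 24:off + 40])), frame[off + 6])
    return None


def iter_pcap(data: bytes):
    """Yield each captured frame from a classic pcap file (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def multicast_packets(data: bytes):
    """(src, dst, proto) for every frame the multicast display filter would show."""
    return [p for p in map(parse_frame, iter_pcap(data))
            if p and (matches_filter(p[0]) or matches_filter(p[1]))]


# --- constructed sample capture: mDNS queries (224.0.0.251 / ff02::fb) plus unicast noise ---
def _ip4(src, dst, proto, payload=b""):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def _ip6(src, dst, nh, payload=b""):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 255,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def _eth(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_sample_pcap() -> bytes:
    """Made-up capture: two untagged mDNS queries, one VLAN-20-tagged query, one unicast frame."""
    host, mc4, mc6 = bytes.fromhex("0200deadbeef"), bytes.fromhex("01005e0000fb"), bytes.fromhex("3333000000fb")
    udp = struct.pack("!HHHH", 5353, 5353, 12, 0) + b"\0\0\0\0"       # mDNS 5353 -> 5353, dummy data
    frames = [
        _eth(mc4, host, ETH_IPV4, _ip4("10.0.10.5", "224.0.0.251", 17, udp)),
        _eth(mc6, host, ETH_IPV6, _ip6("fe80::1", "ff02::fb", 17, udp)),
        _eth(mc4, host, ETH_VLAN, struct.pack("!HH", 20, ETH_IPV4) + _ip4("10.0.20.7", "224.0.0.251", 17, udp)),
        _eth(host, host, ETH_IPV4, _ip4("10.0.10.5", "10.0.20.1", 6)),    # unicast TCP, must not match
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)       # little-endian global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for src, dst, proto in multicast_packets(data):
        print(f"{src} -> {dst} proto {proto}")
```

Run it with the downloaded capture as the only argument (python3 mcast.py packetcapture.cap); with no argument it runs on the built-in sample. If the capture on subnet B shows the 224.0.0.251 / ff02::fb queries with a source on subnet A, the multicast is crossing; if it shows only local sources, the problem is upstream of pfSense (the access point or switch), not the firewall rules.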

3
General Questions / Re: Setting display columns
« on: Yesterday at 10:29:17 am »
Think it's the netstat command rather than the terminal; you can tell how many columns the terminal thinks are available via stty -a

[2.4.2-RELEASE][admin@pfsense]/root: stty -a
speed 9600 baud; 24 rows; 132 columns;
lflags: icanon isig iexten echo echoe -echok echoke -echonl echoctl
   -echoprt -altwerase -noflsh -tostop -flusho -pendin -nokerninfo
   -extproc
iflags: -istrip icrnl -inlcr -igncr ixon -ixoff ixany imaxbel -ignbrk
   brkint -inpck -ignpar -parmrk
oflags: opost onlcr -ocrnl tab0 -onocr -onlret
cflags: cread cs8 -parenb -parodd hupcl -clocal -cstopb -crtscts -dsrflow
   -dtrflow -mdmbuf
cchars: discard = ^O; dsusp = ^Y; eof = ^D; eol = <undef>;
   eol2 = <undef>; erase = ^?; erase2 = ^H; intr = ^C; kill = ^U;
   lnext = ^V; min = 1; quit = ^\; reprint = ^R; start = ^Q;
   status = ^T; stop = ^S; susp = ^Z; time = 0; werase = ^W;
[2.4.2-RELEASE][admin@pfsense]/root:

I default to a 24 x 132 terminal; the output from stty -a changes if I resize the terminal window.

Actually, try netstat -r -W; man netstat on my Mac shows:

"-W In certain displays, avoid truncating addresses even if this causes some fields to overflow."

4
Packages / Re: Managed Switch Configuration with Avahi
« on: Yesterday at 08:32:14 am »
Have a look in the firewall logs; do you see any multicast packets being blocked?

Also there are multicast options in the UniFi software; they're under Wireless Networks.

5
IPv6 / Re: Setup Dual Stack with NAT on v4
« on: Yesterday at 08:15:36 am »

6
Installation and Upgrades / Re: Can i install pfsense on a macmini
« on: February 17, 2018, 05:06:11 am »
VMware ESXi

https://www.vmware.com/products/esxi-and-esx.html

You'll need to run it as a router on a stick as there's only 1 Ethernet port, unless you get a Thunderbolt to Ethernet adaptor; not even sure if the adaptor would be seen under the VMware hypervisor.

https://en.wikipedia.org/wiki/One-armed_router

7
General Questions / Re: Multi-Static IP configuration using bridged Hitron
« on: February 16, 2018, 10:22:00 am »
Quote
The target IP address is, I think .62.x.x.176 (at the far end of the tunnel), with the Hitron sat on .177.

What address do they give you for your default route?

When setting up a laptop plugged into one of the Hitron LAN ports to test connectivity, they suggested an IP address of 62.x.x.178, a netmask of 255.255.255.248 and a Default GW of 62.x.x.177

If you do an arp -a from the laptop, does the MAC address of 62.x.x.177 tie in with anything marked on the Hitron?

9
General Questions / Re: Multi-Static IP configuration using bridged Hitron
« on: February 16, 2018, 08:49:56 am »
How is this any different from what I do on IPv6?  I get a /56 prefix from my ISP.

He's just got a single IPv4 subnet from his ISP and the /29 is allocated to his WAN interface, so there's no choice other than to NAT public to private.

Check out page 220 of the pfSense book, the Example Single IP Address 1:1 Configuration section.

10
General Questions / Re: Multi-Static IP configuration using bridged Hitron
« on: February 16, 2018, 08:27:39 am »
Quote
You'll need to NAT.

Why??  If he has enough addresses in his subnet, there's absolutely no reason to use NAT and reasons why not to use it.  He has 6 addresses available and no more than 5 devices.

The address space he wants to use is sat on the WAN side of pfSense, the WAN interface has a /29 subnet mask.

If you NAT the public IP address to a private one you can control what services can hit the end device.

He said:
Quote
My assigned address block is 62.x.x.176-183

That means he has a block of 8 addresses, 6 usable.  A /29 mask means 8 addresses.  The ISP will route traffic for his addresses to his WAN interface and pfSense will filter appropriately.  This is basic networking.  Bottom line, addresses in this 62.x.x.176 /29 subnet are what pfSense has to deal with.  This is not the same as where someone has a single IPv4 address that has to be shared via NAT.

It amazes me how much people's thinking has been poisoned by NAT being used so much, to the point they fail to understand how things really work.  NAT is a hack to get around the IPv4 address shortage and nothing more.

So explain where this host is going to sit if he wants it to be accessible via a public IP address?

He also mentioned "Yes, that's the subnet mask on the WAN interface."

11
General Questions / Re: Multi-Static IP configuration using bridged Hitron
« on: February 16, 2018, 08:08:46 am »
Quote
You'll need to NAT.

Why??  If he has enough addresses in his subnet, there's absolutely no reason to use NAT and reasons why not to use it.  He has 6 addresses available and no more than 5 devices.

The address space he wants to use is sat on the WAN side of pfSense, the WAN interface has a /29 subnet mask.

If you NAT the public IP address to a private one you can control what services can hit the end device.

12
General Questions / Re: Multi-Static IP configuration using bridged Hitron
« on: February 16, 2018, 06:14:42 am »
You'll need to NAT.

Create some form of DMZ, put the server there and 1:1 NAT or port forward using your WAN address to the host sat in the DMZ, but you'll need to change the ports pfSense runs on under System -> Advanced -> Admin Access.

13
General Questions / Re: Multi-Static IP configuration using bridged Hitron
« on: February 16, 2018, 05:53:19 am »
Pop the webserver the other side of the firewall and do a 1:1 NAT.

https://doc.pfsense.org/index.php/1:1_NAT

What subnet mask is on the WAN interface, 255.255.255.248 aka /29?
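
For anyone following the 1:1 NAT suggestion in this thread, here is what it comes down to in plain pf.conf syntax, which is what pfSense loads underneath Firewall -> NAT -> 1:1. This is an added example, not the poster's configuration and not pfSense-generated output. Assumptions: RFC 5737 documentation addresses stand in for the elided 62.x.x.176/29, keeping the layout the thread describes (.177 = the ISP gateway on the Hitron, .178 = the pfSense WAN address, so .179-.182 are the spare public addresses); em0 is WAN, em2 is the DMZ, and 10.10.10.10 is the web server. Every name and address is made up.

```pf
# Added example, not from the thread and not pfSense output: 1:1 NAT of one
# spare address of the WAN /29 to a DMZ host, written as plain pf.conf.
# Assumed layout (RFC 5737 stand-ins for 62.x.x.176/29):
#   192.0.2.177 = ISP gateway (Hitron), 192.0.2.178 = pfSense WAN on em0,
#   192.0.2.179 = spare public address used for the server, em2 = DMZ.
wan_if    = "em0"
dmz_if    = "em2"
pub_web   = "192.0.2.179"      # a spare usable host of the /29, NOT the WAN address itself
dmz_web   = "10.10.10.10"      # the web server in the DMZ
web_ports = "{ 80, 443 }"

# Translation: binat is bidirectional, so inbound to 192.0.2.179 is rewritten to
# 10.10.10.10 and the server's own outbound traffic leaves sourced from 192.0.2.179.
binat on $wan_if from $dmz_web to any -> $pub_web

# Filtering: pf translates inbound packets before evaluating filter rules, so the
# WAN rule names the internal (post-NAT) address, which is also what pfSense's
# 1:1 NAT page expects.  Only 80/443 is exposed; everything else to the DMZ host
# falls through to the default block.
block in log on $wan_if
pass in on $wan_if inet proto tcp from any to $dmz_web port $web_ports flags S/SA keep state
```

Two things the rules alone do not give you. First, pf does not answer ARP for 192.0.2.179, so in pfSense the external address also needs a Virtual IP (Firewall -> Virtual IPs, IP Alias or Proxy ARP) on WAN; without it the Hitron ARPs for .179 and nobody replies, which is exactly the kind of gap the arp -a check earlier in the thread would show. Second, because the server gets its own public address rather than the WAN address, this does not collide with the ports the webGUI listens on; moving those under System -> Advanced -> Admin Access is only needed when you port forward on the WAN address itself.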


14
webGUI / Suggestion - Graph Table Sizes
« on: February 14, 2018, 02:38:16 pm »
Just a thought, would it be possible to monitor the line count in the tables and graph them via Status -> Monitoring?

It would be nice to get an overall view of snort2c and maybe the other out of the box defined tables.

If it's something that is viable I'll pop in a redmine.

15
So, Netgear just told me I need to enable STP on the switch and it will work.  I will give it a try this evening.  :D

Ewww why wouldn't it be enabled by default, the bunch of chumps.
