Messages - curtisgrice

1
Are you able to ssh into the switch and see if there are any logs/console output when plugging/unplugging?

2
I have a converted Dell MC7354 that appears to work but I am unable to figure out settings for Google Project Fi.

Looking at the logs I see the following:
Code:
Dec 13 20:27:50 ppp [opt2_link0] LCP: state change Closed --> Initial
Dec 13 20:27:50 ppp [opt2_link0] LCP: Down event
Dec 13 20:27:50 ppp [opt2_link0] Link: DOWN event
Dec 13 20:27:50 ppp [opt2_link0] LCP: LayerFinish
Dec 13 20:27:50 ppp [opt2_link0] LCP: state change Closing --> Closed
Dec 13 20:27:48 ppp [opt2_link0] LCP: SendTerminateReq #3
Dec 13 20:27:46 ppp [opt2_link0] LCP: LayerDown
Dec 13 20:27:46 ppp [opt2_link0] LCP: SendTerminateReq #2
Dec 13 20:27:46 ppp [opt2] IPV6CP: state change Closed --> Initial
Dec 13 20:27:46 ppp [opt2] IPV6CP: Down event
Dec 13 20:27:46 ppp [opt2] IPCP: state change Closed --> Initial
Dec 13 20:27:46 ppp [opt2] IPCP: Down event
Dec 13 20:27:46 ppp [opt2] IPV6CP: state change Stopped --> Closed
Dec 13 20:27:46 ppp [opt2] IPV6CP: Close event
Dec 13 20:27:46 ppp [opt2] IPCP: state change Stopped --> Closed
Dec 13 20:27:46 ppp [opt2] IPCP: Close event
Dec 13 20:27:46 ppp [opt2] Bundle: Status update: up 0 links, total bandwidth 9600 bps
Dec 13 20:27:46 ppp [opt2_link0] Link: Leave bundle "opt2"
Dec 13 20:27:46 ppp [opt2_link0] LCP: state change Opened --> Closing
Dec 13 20:27:46 ppp [opt2_link0] LCP: Close event
Dec 13 20:27:46 ppp [opt2_link0] Link: CLOSE event
Dec 13 20:27:46 ppp [opt2] Bundle: closing link "opt2_link0"...
Dec 13 20:27:46 ppp [opt2] Bundle: No NCPs left. Closing links...
Dec 13 20:27:46 ppp [opt2] IPV6CP: LayerFinish
Dec 13 20:27:46 ppp [opt2] IPV6CP: state change Req-Sent --> Stopped
Dec 13 20:27:46 ppp [opt2] IPV6CP: parameter negotiation failed
Dec 13 20:27:46 ppp [opt2] IPCP: LayerFinish
Dec 13 20:27:46 ppp [opt2] IPCP: state change Req-Sent --> Stopped
Dec 13 20:27:46 ppp [opt2] IPCP: parameter negotiation failed
Dec 13 20:27:46 ppp [opt2_link0] LCP: no reply to 1 echo request(s)
Dec 13 20:27:44 ppp [opt2] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Dec 13 20:27:44 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:44 ppp [opt2] IPCP: SendConfigReq #10
Dec 13 20:27:44 ppp [opt2] IPV6CP: SendConfigReq #10
Dec 13 20:27:42 ppp [opt2] IPV6CP: SendConfigReq #9
Dec 13 20:27:42 ppp [opt2] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Dec 13 20:27:42 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:42 ppp [opt2] IPCP: SendConfigReq #9
Dec 13 20:27:40 ppp [opt2] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Dec 13 20:27:40 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:40 ppp [opt2] IPCP: SendConfigReq #8
Dec 13 20:27:40 ppp [opt2] IPV6CP: SendConfigReq #8
Dec 13 20:27:38 ppp [opt2] IPV6CP: SendConfigReq #7
Dec 13 20:27:38 ppp [opt2] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Dec 13 20:27:38 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:38 ppp [opt2] IPCP: SendConfigReq #7
Dec 13 20:27:36 ppp [opt2] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Dec 13 20:27:36 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:36 ppp [opt2] IPCP: SendConfigReq #6
Dec 13 20:27:36 ppp [opt2] IPV6CP: SendConfigReq #6
Dec 13 20:27:34 ppp [opt2] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Dec 13 20:27:34 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:34 ppp [opt2] IPCP: SendConfigReq #5
Dec 13 20:27:34 ppp [opt2] IPV6CP: SendConfigReq #5
Dec 13 20:27:32 ppp [opt2] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Dec 13 20:27:32 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:32 ppp [opt2] IPCP: SendConfigReq #4
Dec 13 20:27:32 ppp [opt2] IPV6CP: SendConfigReq #4
Dec 13 20:27:30 ppp [opt2] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Dec 13 20:27:30 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:30 ppp [opt2] IPCP: SendConfigReq #3
Dec 13 20:27:30 ppp [opt2] IPV6CP: SendConfigReq #3
Dec 13 20:27:28 ppp [opt2] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Dec 13 20:27:28 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:28 ppp [opt2] IPCP: SendConfigReq #2
Dec 13 20:27:28 ppp [opt2] IPV6CP: SendConfigReq #2
Dec 13 20:27:26 ppp [opt2] IPV6CP: SendConfigReq #1
Dec 13 20:27:26 ppp [opt2] IPV6CP: state change Starting --> Req-Sent
Dec 13 20:27:26 ppp [opt2] IPV6CP: Up event
Dec 13 20:27:26 ppp [opt2] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Dec 13 20:27:26 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:26 ppp [opt2] IPCP: SendConfigReq #1
Dec 13 20:27:26 ppp [opt2] IPCP: state change Starting --> Req-Sent
Dec 13 20:27:26 ppp [opt2] IPCP: Up event
Dec 13 20:27:26 ppp [opt2] IPV6CP: LayerStart
Dec 13 20:27:26 ppp [opt2] IPV6CP: state change Initial --> Starting
Dec 13 20:27:26 ppp [opt2] IPV6CP: Open event
Dec 13 20:27:26 ppp [opt2] IPCP: LayerStart
Dec 13 20:27:26 ppp [opt2] IPCP: state change Initial --> Starting
Dec 13 20:27:26 ppp [opt2] IPCP: Open event
Dec 13 20:27:26 ppp [opt2] Bundle: Status update: up 1 link, total bandwidth 100000000 bps
Dec 13 20:27:26 ppp [opt2_link0] Link: Join bundle "opt2"
Dec 13 20:27:26 ppp [opt2_link0] Link: Matched action 'bundle "opt2" ""'
Dec 13 20:27:26 ppp [opt2_link0] LCP: authorization successful
Dec 13 20:27:26 ppp [opt2_link0] CHAP: rec'd SUCCESS #1 len: 4
Dec 13 20:27:26 ppp [opt2_link0] CHAP: sending RESPONSE #1 len: 25
Dec 13 20:27:26 ppp [opt2_link0] CHAP: Using authname "user"
Dec 13 20:27:26 ppp [opt2_link0] Name: "UMTS_CHAP_SRVR"
Dec 13 20:27:26 ppp [opt2_link0] CHAP: rec'd CHALLENGE #1 len: 35
Dec 13 20:27:26 ppp [opt2_link0] LCP: rec'd Discard Request #7 (Opened)
Dec 13 20:27:26 ppp [opt2_link0] LCP: LayerUp
Dec 13 20:27:26 ppp [opt2_link0] LCP: auth: peer wants CHAP, I want nothing
Dec 13 20:27:26 ppp [opt2_link0] LCP: state change Ack-Sent --> Opened
Dec 13 20:27:26 ppp [opt2_link0] MAGICNUM 0xba589272
Dec 13 20:27:26 ppp [opt2_link0] MRU 1500
Dec 13 20:27:26 ppp [opt2_link0] ACCMAP 0x000a0000
Dec 13 20:27:26 ppp [opt2_link0] PROTOCOMP
Dec 13 20:27:26 ppp [opt2_link0] ACFCOMP
Dec 13 20:27:26 ppp [opt2_link0] LCP: rec'd Configure Ack #1 (Ack-Sent)
Dec 13 20:27:26 ppp [opt2_link0] LCP: state change Req-Sent --> Ack-Sent
Dec 13 20:27:26 ppp [opt2_link0] ACFCOMP
Dec 13 20:27:26 ppp [opt2_link0] PROTOCOMP
Dec 13 20:27:26 ppp [opt2_link0] MAGICNUM 0x451bbe77
Dec 13 20:27:26 ppp [opt2_link0] AUTHPROTO CHAP MD5
Dec 13 20:27:26 ppp [opt2_link0] ACCMAP 0x00000000
Dec 13 20:27:26 ppp [opt2_link0] LCP: SendConfigAck #6
Dec 13 20:27:26 ppp [opt2_link0] ACFCOMP
Dec 13 20:27:26 ppp [opt2_link0] PROTOCOMP
Dec 13 20:27:26 ppp [opt2_link0] MAGICNUM 0x451bbe77
Dec 13 20:27:26 ppp [opt2_link0] AUTHPROTO CHAP MD5
Dec 13 20:27:26 ppp [opt2_link0] ACCMAP 0x00000000
Dec 13 20:27:26 ppp [opt2_link0] LCP: rec'd Configure Request #6 (Req-Sent)
Dec 13 20:27:26 ppp [opt2_link0] MAGICNUM 0xba589272
Dec 13 20:27:26 ppp [opt2_link0] MRU 1500
Dec 13 20:27:26 ppp [opt2_link0] ACCMAP 0x000a0000
Dec 13 20:27:26 ppp [opt2_link0] PROTOCOMP
Dec 13 20:27:26 ppp [opt2_link0] ACFCOMP
Dec 13 20:27:26 ppp [opt2_link0] LCP: SendConfigReq #1
Dec 13 20:27:26 ppp [opt2_link0] LCP: state change Starting --> Req-Sent
Dec 13 20:27:26 ppp [opt2_link0] LCP: Up event
Dec 13 20:27:26 ppp [opt2_link0] Link: UP event
Dec 13 20:27:26 ppp [opt2_link0] MODEM: chat script succeeded
Dec 13 20:27:26 ppp [opt2_link0] CHAT: Connected at 100000000.
Dec 13 20:27:26 ppp [opt2_link0] CHAT: ATDT*99#
Dec 13 20:27:26 ppp [opt2_link0] CHAT: Dialing server at *99#...
Dec 13 20:27:26 ppp [opt2_link0] CHAT: Detected Hayes compatible modem.
Dec 13 20:27:26 ppp [opt2_link0] CHAT: +CGDCONT=1,"IP","h2g2"
Dec 13 20:27:26 ppp [opt2_link0] LCP: LayerStart
Dec 13 20:27:26 ppp [opt2_link0] LCP: state change Initial --> Starting
Dec 13 20:27:26 ppp [opt2_link0] LCP: Open event
Dec 13 20:27:26 ppp [opt2_link0] Link: OPEN event
Dec 13 20:27:26 ppp [opt2] Bundle: Interface ng0 created

Has anyone with this configuration been able to get it working?
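
A way to summarise a log like the one above by negotiation stage, given as an added example that is not part of the original post. The sample is constructed in the same format (newest line first), the matched message strings are the ones visible in the log above, and the function names and verdict wording are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above (newest line first).
SAMPLE = """\
Dec 13 20:27:46 ppp [opt2_link0] LCP: state change Opened --> Closing
Dec 13 20:27:46 ppp [opt2] IPV6CP: state change Req-Sent --> Stopped
Dec 13 20:27:46 ppp [opt2] IPV6CP: parameter negotiation failed
Dec 13 20:27:46 ppp [opt2] IPCP: state change Req-Sent --> Stopped
Dec 13 20:27:46 ppp [opt2] IPCP: parameter negotiation failed
Dec 13 20:27:30 ppp [opt2] IPADDR 0.0.0.0
Dec 13 20:27:30 ppp [opt2] IPCP: SendConfigReq #3
Dec 13 20:27:30 ppp [opt2] IPV6CP: SendConfigReq #3
Dec 13 20:27:28 ppp [opt2] IPCP: SendConfigReq #2
Dec 13 20:27:28 ppp [opt2] IPV6CP: SendConfigReq #2
Dec 13 20:27:26 ppp [opt2] IPV6CP: SendConfigReq #1
Dec 13 20:27:26 ppp [opt2] IPCP: SendConfigReq #1
Dec 13 20:27:26 ppp [opt2] IPCP: state change Starting --> Req-Sent
Dec 13 20:27:26 ppp [opt2_link0] LCP: authorization successful
Dec 13 20:27:26 ppp [opt2_link0] CHAP: rec'd SUCCESS #1 len: 4
Dec 13 20:27:26 ppp [opt2_link0] LCP: state change Ack-Sent --> Opened
Dec 13 20:27:26 ppp [opt2_link0] LCP: rec'd Configure Ack #1 (Ack-Sent)
Dec 13 20:27:26 ppp [opt2_link0] LCP: SendConfigReq #1
"""

# Only "PROTO: message" lines are parsed; option dumps (IPADDR, MRU, ...) are skipped.
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ ppp \[[^\]]+\] (?P<proto>[A-Z0-9]+): (?P<msg>.*)$")

def analyze(log_text, newest_first=True):
    """Return per-protocol counters and the final state, in chronological order."""
    lines = log_text.splitlines()
    if newest_first:
        lines.reverse()
    stats = defaultdict(lambda: {"sent": 0, "from_peer": 0, "opened": False,
                                 "failed": False, "auth_ok": False, "state": None})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        s, msg = stats[m["proto"]], m["msg"].strip()
        if msg.startswith("SendConfigReq"):
            s["sent"] += 1
        elif msg.startswith("rec'd Configure"):
            s["from_peer"] += 1
        elif msg.startswith("state change"):
            s["state"] = msg.rsplit("--> ", 1)[1]
            s["opened"] = s["opened"] or s["state"] == "Opened"
        elif msg == "parameter negotiation failed":
            s["failed"] = True
        elif msg == "authorization successful":
            s["auth_ok"] = True
    return dict(stats)

def verdict(stats):
    """Name the first stage that did not complete."""
    lcp = stats.get("LCP")
    if lcp is None or not lcp["opened"]:
        return "LCP never reached Opened"
    ncps = [p for p in ("IPCP", "IPV6CP") if p in stats]
    if any(stats[p]["opened"] for p in ncps):
        return "NCP opened"
    silent = [p for p in ncps if stats[p]["failed"] and stats[p]["from_peer"] == 0]
    auth = "auth ok" if lcp["auth_ok"] else "no auth success logged"
    if silent:
        return f"LCP opened ({auth}); peer sent nothing on {'+'.join(silent)}"
    return f"LCP opened ({auth}); NCP negotiation incomplete"
```
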

3
Hardware / Re: LTE on RCC-VE 2440 with Sierra Wireless MC7354
« on: February 27, 2018, 12:50:46 pm »
Sorry to bump a dead thread but....

Yeah, I never did get this working, though I would still like to. Has anyone else had luck with this?

4
"each going into a PDU transfer switch so if one unit fails the other takes over."

That is a great idea!  So you in a sense double your battery life.. The 2nd UPS takes over once the 1st has run out?  That is a really great idea!!  Link to the PDU you're using?
One UPS is on and under no load while the other is the only one doing anything. If for some reason A cuts out, like in the case of a dead battery or a blown fuse etc., it will switch to the other. Each UPS must be sized for the worst-case scenario, as when it switches, you're going from 0 to full load instantly.

It's an APC AP7752. You would probably need pigtails for the plugs but that's cheap enough.

We use them at work for some of our telecom gear that only has one PSU.

5
Packages / Re: FRR RIP
« on: February 27, 2018, 12:24:04 pm »
 :'(

RIP can't get no love. Yeah I should use something more secure anyway.. It's just handy because in a home lab it just works and everything supports it.

6
Hardware / Re: SFP Twinax cables
« on: February 26, 2018, 10:24:37 am »
Doing a bit more reading and I found the following article that seems to suggest that the PHY resides on the HBA/NIC. This means that all the extra electronics are there to support the physical media itself, be it UTP (RJ45) or some form of fiber. The module (aside from perhaps doing some line filtering where applicable for the media (cat5/6) and perhaps rudimentary link detection) does nothing to the data stream itself, no extra encoding. Therefore using SFP(+) as a DAC patch cable MAY work as it's just serial data out and serial data in.

10GbE SFP+ PHYs: Requirements and leading solutions

7
Hardware / Re: SFP Twinax cables
« on: February 26, 2018, 09:23:15 am »
SFP (and GBIC) is a somewhat over-engineered standard. Some connectors have logic, eeproms, power regulation, sensors etc. and some SFP/miniGBIC ports only take certain types. Often, there are artificial limitations on what is supported.

It's not comparable to ethernet, but mostly comparable to Thunderbolt or GBIC/MII adapters. Part of the network card is 'inside' the connector. Traditional ethernet is bigger than you think, most people never get past 'network card, ethernet port, ethernet cable', but there is a lot more like the MAC, PHY and MII. For instance: https://stackoverflow.com/questions/15777399/clarification-on-ethernet-mii-sgmii-rgmii-and-phy

Thanks for the link. It sounds like the PHY resides in the SFP(+) connector and that's where we run into compatibility issues with different cables. I was aware of the EEPROM and that it tells the "card" what's connected, its capabilities, and vendor lock-in BS. That connects over i2c on pins 4 and 5 (I think, these seem to be a general diagnostic connection if supported by the module/cable).

8
Hardware / Re: SFP Twinax cables
« on: February 26, 2018, 08:16:24 am »
Ok, does it work like UTP ethernet where it tries to filter out any matching signals on the wires (sort of anyway)? Is there fancy logic on the PCB in the connector? I would love to find a good resource on the topic but "SFP" is not an ISO/IEEE standard but a MultiSource Agreement between vendors. Also this "Agreement" seems to be fiber centric and not fully applicable to passive or active twinax "SFP" cables. Now to find cable teardowns and look into pinouts.

I have seen a few photos of passive SFP twinax connector split open and there seems to only be a few passive electrical components likely for filtering/decoupling.

Things that may cause incompatibility:
  • Number of data lines
  • Signaling frequency and related passive filter components
  • Pinouts
  • Resistance of the coax used

Don't mind me. I just think this out on the keyboard. Perhaps someone has some technical information they can add or correct.

9
Yeah, I don't play around with my UPS setup. I have two units that would run my home lab for at least 30min each going into a PDU transfer switch so if one unit fails the other takes over. This is ideal for things like routers and switches that normally only have one power cable. Needless to say, I have never had an unintentional power failure on my router.  ;D

10
Hardware / Re: SFP Twinax cables
« on: February 26, 2018, 07:33:26 am »
Yeah that's what I was expecting. I was hoping that a passive layer one component with the same physical connector would be cross compatible. Sounds like that's just not going to be the case. Though I would still like to know the physical difference. More pins used? Different pinout? Number of used conductors in the cable?

All in the quest for more knowledge and a cheaper lab  ::)

11
Hardware / Re: Overkill or Under Qualified?
« on: February 26, 2018, 07:28:24 am »
"As for running your home gateway/router as a VM, don't. Especially if you're using vlans."

Huh??  Running pfsense on a vm with multiple vlans is no different than if single network.. As long as you have a switch that handles vlans, and know how to setup the switching in your VM host its really quite simple and easy to run/manage.

A simple 4095 setting on your vswitch in esxi for example allows you to tag any vlans you want to pfsense - which you can then just setup vlans in pfsense.  Or you could use port groups on your vswitch with the tag of the vlan you want to pass to the vmnic you connect to pfsense, etc.

I ran like this for years on multiple vlans on esxi, even once I moved to pfsense on hardware I still run vlans into different VMs and even run a downstream pfsense VM via a transit vlan from the edge sg4860.. My sg300s are in L3 mode, but as of current only using L2.. I just put them in L3 for future lab/testing work, etc.  They are more than happy to function as L2 when in L3 mode, etc.  You can use both at the same time where some could be routed at your sg300, and other vlans are just L2 and routed via pfsense, etc.

I guess what I was getting at is the chicken-and-egg situation. vCenter is on vlan 50, your PC is on vlan 2 and you need to reboot your only host. Well then you have to plug your PC into a vlan 50 port or log in to the switch to reconfigure your PC port (if it's on your PC's vlan), start up your pfSense VM and go back and put your PC back in its normal vlan.


Yeah, you can do it and it works, but IF you're using vCenter, automatic startup of VMs is unsupported. If it's just a standalone host just make sure you don't have any dependence on routing for your VMs to boot up. One example would be a routed SAN. This is never a good idea but I have seen people do it in the FreeNAS forums. (lots of odd network setups over there)

12
Hardware / SFP Twinax cables
« on: February 25, 2018, 06:00:10 pm »
I'm a bit new and naive when it comes to SFP, SFP+, Twinax passive/active etc.

I'm looking at getting a few 10GB NICs for point to point links and I found a deal on eBay for some NetApp SFP patch cables. It's normally used to link disk shelves together using fibre channel as the transport.

My question is simply this: will this passive cable work with 10gbe cards?


Please enlighten me & thank you in advance!

13
Packages / FRR RIP
« on: February 25, 2018, 01:27:45 pm »
I wanted to play around with the FRR routing package but for the sake of simplicity, I use RIP in my lab. I know FRR fully supports RIP but the GUI for it seems to be missing. Am I missing something or will I need to manually add the RIP configuration to the files, if that's even an option?

I know I could use routed but it would be nice to have it all under one umbrella.

14
General Questions / Re: pfSense MTU, Bufferbloat and Netalyzr results
« on: February 25, 2018, 12:12:53 pm »
It means somewhere there's a router with an MTU of 552 bytes, which is very small.
Agreed but where? The only router in my home network is my pfSense box.

The address 172.30.1.206 is within the 172.16.0.0 /12 private address range, but it could be anywhere.  You can get an idea where with traceroute.
Ran traceroute with pfSense and got,
Code:
 1  10.87.0.1 (10.87.0.1)  18.093 ms  17.771 ms  18.594 ms
 2  64.64.117.1 (64.64.117.1)  18.339 ms  18.170 ms  18.203 ms
 3  ethernet6-1-br2.pnj1.choopa.net (108.61.66.137)  19.032 ms
    ethernet6-1-br1.pnj1.choopa.net (108.61.66.133)  17.802 ms
    ethernet6-1-br2.pnj1.choopa.net (108.61.66.137)  19.281 ms
 4  vl50-er1.pnj1.choopa.net (66.55.144.145)  17.988 ms
    vl24-er2.pnj1.choopa.net (108.61.248.13)  19.497 ms
    vl39-er2.pnj1.choopa.net (66.55.144.150)  22.685 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Also ran traceroute on my PC and got,
Code:
C:\WINDOWS\system32>tracert 172.30.1.206

Tracing route to 172.30.1.206 over a maximum of 30 hops

  1     6 ms     7 ms     6 ms  10.10.10.10
  2     6 ms     6 ms     7 ms  burl-lnk-70-109-168-169.ngn.east.myfairpoint.net [70.109.168.169]
  3    13 ms    13 ms    13 ms  pool-64-222-213-130.port.east.myfairpoint.net [64.222.213.130]
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

Doesn't appear that the traceroutes are at all revealing. I am even more confused now seeing how different the 2 traceroutes are.

Running a traceroute on 172.30.1.206 will just keep hitting the next hop's default gateway until it gets lucky and hits a router with that network in its routing table or until it hits the L3 TTL.

You would need to run a traceroute to the netalyzr.icsi.berkeley.edu testing host (not necessarily that address). From that you can look at the DNS PTR records (host names found by IP) to get a sense of where that is.

The address it reported could be an address in your ISP's network or just an IP on an interface on a router along the way.

Also try both ICMP and TCP traceroute as many transit routers can't be bothered to reply to an ICMP/UDP ping.

15
It sounds like your file system may be fubar. Back up your config, and do a fresh install of the latest version and use ZFS. This will make things much more reliable in your situation. But also get a UPS.  :P

The reinstall process is not bad at all and should take about 30 min from logging into portal.pfsense.org to restoring your config and rebooting.
