
Messages - Gertjan

If you do not receive a valid response then your DNS servers may have been wiped
... or you keep the default DNS Resolver activated.
Root DNS can't get wiped - and if they do, Internet, as we know it, is dead anyway.

Btw : I'm answering here because I think - not having any proof - that so many people mess up their DNS, without knowing what they are actually doing. LAN devices still work, they resolve, but pfSense can't resolve anymore, so no more upgrade notifications, no more package upgrades proposed. And the day they want to upgrade pfSense, all 'hell' breaks loose.
All this because they went '' haywire (Google should have chosen, there would be less issues for sure), or some other remote resolver, without finishing the job.

Good thing you posted your findings, although

echo "nameserver x.x.x.x" > /etc/resolv.conf

could work under special, non default conditions. By default unbound isn't using /etc/resolv.conf, see
I would like an explanation of this one :

route add default y.y.y.y

Installation and Upgrades / Re: Problems installing pfSense
« on: Yesterday at 12:23:29 pm »
The only escape is changing computer?
Far better escapes exist : like using pfSense-certified devices  ;)

But I'm not saying your PC can't work with pfSense. I couldn't. Several thousand forum users exist here - and far more different BIOS settings, so the chance exists that you are the only one that can figure out which one makes "it work".

Another test : install a plain vanilla FreeBSD first.

Installation and Upgrades / Re: 2.3.5_1 update bricked my SG-4860
« on: Yesterday at 10:32:24 am »

Cable it up, and see here for further instructions : pfSense Forum pfSense English Support Official pfSense Hardware - do what the forum user "Ivor" says, for example  :

General Questions / Re: Can't log in to websites
« on: Yesterday at 08:45:58 am »
Here : System => Advanced => Miscellaneous => Load Balancing => Use sticky connections
Wonder why ... Jamerson never spoke about load balancing.

DHCP and DNS / Re: Intermittent DNS timeouts - DNS Resolver
« on: March 22, 2018, 05:26:44 am »
When I was resolving I felt I was seeing too much traffic to East Asia, and experienced disturbing things like duplicate login screens to places like PayPal. I became suspicious of DNS malfeasance at the TLD level in E. Asia. So my decision to Forward Unbound to North America based public servers was for security & privacy purposes.
Enforce DNSSEC - only used by the Resolver.
Add a tool in your browser so you can see DNSSEC is validated.

When using a forwarder, you hand over your request to another DNS server (so just one more place where spoofing can happen), that finally will use "world wide resolving" anyway.

"duplicate login screens to places like PayPal" = phishing pages ? These are not indexed by the major search engines. You can access these sites/pages when you receive a pure spam mail with a link.
This isn't a real problem actually : your bank, PayPal, the fisc, etc. will never send you a mail with a link to the login page.
Falling into the trap of a phishing page is, I'm sorry to say so, for those who really still do not understand what "Internet" is ...
These people need to learn,
the access to the Internet should be controlled, locked down, and only made accessible for those who passed all the exams ..
Choose your option.

Is it possible to force Unbound to resolve only to specific TLD root servers in the United states and Canada ?
The tld root servers are syncing all the time.
If one has wrong info, they all have.

I guess it's possible to edit the root level file that unbound uses to find TLD servers, which are used to find the domain name servers.
Keep in mind that this USA based root server could still direct the request to a tld (a registrar) server situated "on the other side of the planet".

DHCP and DNS / Re: Inability to get DHCP ? No Carrier
« on: March 22, 2018, 05:02:01 am »
You are talking about the connection between your 3100 and the ASUS RT N56U router, right ?

Cut the problem in half : Put a switch between them and use two cables - see what happens.

Packages / Re: ACME - Renewal number of days not yet reached
« on: March 21, 2018, 05:46:09 pm »
Well, the cron job only renews if the "certificate date" +"Certificate renewal after" < "current date".
It surely doesn't renew every day.

As per "Let's Encrypt" house rules, such a cron should run once a day - or even more, and undertake a renewal after +/- 60 days.
You can choose these "60 days" in the settings.

Btw : you found the code.
Add some echo lines, especially where the date from the current cert is extracted and print that.
Then $renewafterdays is added, and if the result is smaller than the current moment, then renewal proceeds.

For example : is the code reading/using the 'right' certificate ?

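The comparison described above (certificate date plus "Certificate renewal after" days, renewed only once that moment is in the past) as an added worked example; this is not the ACME package's own code. It assumes the certificate date is read from the `notBefore=...` line that `openssl x509 -noout -startdate` prints, and the sample line and timestamps are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the line `openssl x509 -noout -startdate -in cert.pem`
# prints for a certificate issued on 18 March 2018 (assumption, not a real cert).
SAMPLE_STARTDATE = "notBefore=Mar 18 16:12:33 2018 GMT"


def parse_openssl_startdate(line):
    """Parse 'notBefore=Mar 18 16:12:33 2018 GMT' into an aware UTC datetime.

    openssl pads single-digit days with a space ('Mar  3 ...'); strptime's
    %d accepts that form, so no extra normalisation is needed.
    """
    key, _, value = line.strip().partition("=")
    if key != "notBefore":
        raise ValueError(f"expected a notBefore line, got {key!r}")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def renewal_status(issued, renew_after_days, now):
    """Return (due, threshold, days_left) for one certificate.

    Renewal is due exactly when issued + renew_after_days < now, i.e. the
    check the post describes. days_left goes negative once the cert is overdue,
    which is the value worth printing from a debug `echo` in the cron job.
    """
    threshold = issued + timedelta(days=renew_after_days)
    due = threshold < now
    days_left = (threshold - now).days
    return due, threshold, days_left


def check_sample(now, renew_after_days=60):
    """Run the check on the constructed sample certificate at a given 'now'."""
    issued = parse_openssl_startdate(SAMPLE_STARTDATE)
    return renewal_status(issued, renew_after_days, now)


if __name__ == "__main__":
    # Two constructed "current dates": three days after issue, and well past the threshold.
    for now in (datetime(2018, 3, 21, 17, 12, 24, tzinfo=timezone.utc),
                datetime(2018, 6, 1, tzinfo=timezone.utc)):
        due, threshold, days_left = check_sample(now)
        print(f"now={now:%Y-%m-%d} threshold={threshold:%Y-%m-%d} "
              f"days_left={days_left} -> {'RENEW' if due else 'not yet reached'}")
```

Running it shows the "not yet reached" case for a three-day-old certificate and the "renew" case once the 60-day threshold has passed; feeding it the real `notBefore` line of the certificate the package actually selected is a quick way to confirm both that the right certificate is being read and that the date arithmetic lands where you expect.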

No guru here  ;)
Image 1 and 2 seem ok - nothing really to see actually.
But rule 3 : WAN_DHCP as a gateway ? I haven't set 'nothing'.

Do you see the login page ? Login User defined ? They have the 'rights' to visit the captive portal ?

Added to that : after reading : first issue : people mess up DNS.
They leave the perfect DNS Resolver to switch to the DNS forwarder with exotic settings.
Better : FreeRadius + MySQL. Or better is : make portal work with local user authorization, and build up from there.
Then there are those with rogue AP points.
VLAN mess ... (not your issue probably).
DHCP server on each OPTx is ok ? (pool, etc)
So, clients receive an IP, Gateway and DNS (last 2 should be the IP of the OPTx network - so 192.168.y.1)
Client can resolve  ;D

Your turn.

Packages / Re: Renewal number of days not yet reached
« on: March 21, 2018, 12:16:16 pm »
As already written, Acme package version is 0.1.23.

You should read this Topic: ACMEv2 is live!  (Read 1132 times)
0.1.24 and 0.1.25 exist.
acme is bleeding edge technology. Always use the latest version .... and still, lighting up some candles is advisable.

Using pfSense webui and pressing the button there are no issues at all: certificates are always updated (with daily limit).
Something is very wrong then.
My cert dates from ... 3 days before - a new wild card cert - I consider it old already  ;)
When I hit Issue, I will get a new one - and a (huge) log is created, no matter what.

I advise you to ditch all settings, and restart.

I just tried it - hitting Issue again :

Renewing certificate
account:
server: letsencrypt-production-2

/usr/local/pkg/acme/ --issue -d '' -d '*' --home '/tmp/acme/' --accountconf '/tmp/acme/' --force --reloadCmd '/tmp/acme/' --dns 'dns_nsupdate' --dnssleep '60' --log-level 3 --log '/tmp/acme/'

[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[NSUPDATE_SERVER] => /tmp/acme/
[NSUPDATE_KEY] => /tmp/acme/
[Wed Mar 21 18:12:24 CET 2018] Multi domain=',DNS:*'
[Wed Mar 21 18:12:24 CET 2018] Getting domain auth token for each domain
[Wed Mar 21 18:12:29 CET 2018] Getting webroot for domain=''
[Wed Mar 21 18:12:30 CET 2018] Getting webroot for domain='*'
[Wed Mar 21 18:12:30 CET 2018] is already verified, skip dns-01.
[Wed Mar 21 18:12:30 CET 2018] * is already verified, skip dns-01.
[Wed Mar 21 18:12:30 CET 2018] Verify finished, start to sign.
[Wed Mar 21 18:12:33 CET 2018] Cert success.
[Wed Mar 21 18:12:33 CET 2018] Your cert is in /tmp/acme/
[Wed Mar 21 18:12:33 CET 2018] Your cert key is in /tmp/acme/
[Wed Mar 21 18:12:33 CET 2018] The intermediate CA cert is in /tmp/acme/
[Wed Mar 21 18:12:33 CET 2018] And the full chain certs is there: /tmp/acme/
[Wed Mar 21 18:12:33 CET 2018] Run reload cmd: /tmp/acme/

IMPORT CERT, /tmp/acme/, /tmp/acme/
update cert![Wed Mar 21 18:12:33 CET 2018] Reload success
This is the small log that shows in the GUI when done.

Packages / Re: Renewal number of days not yet reached
« on: March 21, 2018, 06:52:23 am »

First what versions ? pfSense / acme

Issue/Renew manually - and then have a look at the generated log file.

Remember : you don't have to wait the entire renewal period. After setting up an account, and hitting "Issue", you can repeat the "Issue" a couple of minutes later. There is of course a limit of 5 a day or something like that.

Packages / Re: General security
« on: March 21, 2018, 04:59:25 am »

It's ok if you want to test drive every package, but keep in mind that pfSense, as it is delivered, is already safe.
A package like snort could very easily add insecurity to your network. Because you think it adds security, but you do not know what it does, nor how to set it up, nor how to check it. You think it does the job for you, but actually, it's the other way around : a tool will be as good for you as you understand it.
When you reached that point, you can tell in a split second if you need package X or Y.
By default : you need nothing.

If a user wants to visit a site that contains files loaded with viruses, etc., well, that's up to the user, right ?
It's like our cars : they are not limited to 90 km/hour or xx miles/hour. Some cars can make more than x/hour : up to you not to do so.

I'll present you another simple rule : it's not because packages exist that they all should be used - a very recent thread, elsewhere on the forum, already treats the same subject.
If security is a real issue for you, start educating the end users. The sad thing is : this isn't available as a package.

edit : found it : read it.

Captive Portal / Re: [Captive portal] Can't get to the login page.
« on: March 21, 2018, 04:46:29 am »
Exact, no need to fill that field.

Don't need to check the next field either : "DNS Server Override". For a solid, secure DNS functionality you could use what Internet is offering since the day it was born : use the root DNS **.
pfSense uses a Resolver out of the box. Keep it that way.

** except, of course, if your ISP wants you to use its DNS servers (and blocks all other "port 53 request" to other destination) then you are out of luck. Consider ditching the ISP.


A question : what do you mean by : A WAN (ISP) and LAN (ISP) ?

What do you mean by public DNS : the build in resolver works just fine.

It doesn't shock you : having an image with a non-connected WAN interface (your first image) - and telling us that "it doesn't work"

You want to route from where to where ?

You are using a Realtek NIC. See other forum threads about this one. I advise you not to do so.

Btw : pfSense didn't invent VLANs - but make your life simpler at the beginning : one network == one NIC.

When you create a LAN (or VLAN) drop in also a firewall rule that lets everything in (TCP,UDP,ICMP,IPv4,IPv6). Later on, change that rule for a set of rules more adequate for your needs.

At the beginning, stay away from floating rules.

DHCP and DNS / Re: OpenVPN having an issue resolving hostnames or DNS
« on: March 20, 2018, 08:30:23 am »
Currently, the only way they can connect is by using their IP address, but with DHCP that doesn't really work. Looking for a better solution than just using static IP's or IP reservations.
Devices that must be reached from LAN or outside should have an IP that "doesn't move".
When the DHCP pool is bigger than the number of LAN devices, then the IP that the DHCP server hands out will be pretty "static", but could move.
So - no need to use static information, but you'll be needing DHCP Static mappings.

Nice side effect : check the "DHCP Static mappings" check in the DNS Resolver, and then no need to use IP addresses anymore - use the device name.
When I VPN into my company network, I can access my company "Windows 2012 server" just fine (RDP) - never needed to use an IP.
