Netgate SG-1000 microFirewall



Messages - Michel-angelo

1
All that done, it works now, but I may have configured it wrong.

Regarding NAT configuration (Firewall > NAT > Outbound), mine was set to "Automatic outbound NAT rule generation (IPsec passthrough included)". This was its default configuration; I had never touched it. All of it had been generated automatically. It contained three pairs of rules (6 rules in total), related respectively to the 127.0.0.0/8 source (whatever that may be) and my two VLANs. Then, the instruction was to add a new outbound NAT rule. Specifically: (1) switch to "Manual outbound NAT"; (2) create the ModemAccess new outbound NAT rule; (3) save. Now, my Firewall > NAT > Outbound configuration is set to "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)". The screenshot below shows that I now have my original 6 automated rules plus the one that I manually added.

I still do not know the role of the initial 6 automated rules and would be perfectly unable to determine when this set of rules would need to be changed. For that reason, it seems to me I would be better off switching now to "Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)", thus preserving the one manual rule that I created, the 6 rules that were formerly generated automatically, plus any additions (or changes) to those initial 6 automated rules.

To what extent is my thinking wrong?

Any advice on this would be welcome. TIA.

2
Thanks Grimson. It took me a full day to get it to work. I just succeeded. Not the fault of the instructions, though. Two possible causes for my difficulties:

On the new ModemAccess interface the instruction states "give it an IP address in the same subnet as the modem, such as 192.168.1.5/24". I gave it 10.0.0.5 and forgot to specify /24. By default, the pfSense configuration sets it to something other than /24 (a smaller subnetwork, probably /32, which does not include 10.0.0.138 in its subnetwork).

But then, I could not access anyway. PING, as advertised to me by Johnpoz on this forum, helped me enormously. My computer wanted to access https://10.0.0.138 while the modem wanted to respond to a request to http://10.0.0.138. Currently, I have access only through my iPad. [Edit] I now have access through 1Password > Safari (my normal setup). It was a problem of caches.

Nevertheless, problem solved: it works, but it was not simple. Thanks.

3
Hello. My SG-1000 microFirewall is usually configured as a router with its WAN port connected by DHCP to the LAN port of a modem-router. The modem-router connects to my ISP by PPPoE.

Today, I want to test replacing my usual modem-router by a Thomson Speedtouch ST510V6 modem, which is configured in bridge mode instead of being a router. So, instead of using DHCP on the SG-1000's WAN port, I use PPPoE and the Username and password given to me by my ISP.

As configured, the Thomson Speedtouch LAN port IP is 10.0.0.1, while its WEB GUI access is at IP 10.0.0.138.

I can connect my Macbook computer to the Thomson Speedtouch WEB GUI by a direct ethernet cable at the IP address 10.0.0.138 and configure it from there.

If I connect the Thomson Speedtouch to the WAN port of my SG-1000 by PPPoE, and then connect my mac computer to the LAN port of the SG-1000, the mac computer receives internet connection. However, it can no longer access the WEB GUI of the Thomson Speedtouch.

On the Terminal application of the mac, PING appears to be blocked by the SG-1000. If I issue the terminal command: "ping 10.0.0.138", the reply is:

Request timeout for icmp_seq xx
60 bytes from 80.10.124.25: Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 2907   0 0000  3e  01 8707 192.168.1.105  10.0.0.138

Repeated for each ping attempt.

The sole change I did on the SG-1000 configuration was replacing DHCP by PPPoE (with Username and password) on the WAN configuration of the SG-1000.

What could I be doing wrong? What should I do to access the WEB GUI of the Thomson Speedtouch modem through the SG-1000 firewall? TIA for any help.

4
Messages from the pfSense Team / Re: An update on Meltdown and Spectre
« on: February 01, 2018, 05:16:45 am »
Kejianshi's reply #3 above (24 Jan) is enough to give me the comfort I seek from this forum.

I believe nobody is allowed access to my device: webGUI, console, SSH, physical, other. All closed. Thanks kejianshi.

5
Firewalling / Re: Create a guest network with VLAN tag 1003
« on: December 31, 2017, 04:23:01 am »
I'm attempting to get my guest network setup on my Airport Extremes and this thread has been very helpful but a couple of things I'm not sure about.

I'm using a Netgear GS724Tv2 switch to create the vlans MAIN_VLAN10 (pvid10) for all my desktops, printers and servers and WIFI_VLAN20 (pvid20) for the Airports. If I'm understanding correctly the Airports will tag guest traffic with 1003?
I will just clarify the Airport Extreme (or Express, or Time Capsule) side.
When used as a router, an Airport Extreme (and the other new Airport base stations) will be able to create a guest network by VLAN tagging, assigning the VLAN tag 1003 to packets going to the guest network (ethernet or wireless).
When used as a simple wifi access point, an Airport Extreme base station will recognise packets VLAN tagged 1003 and be able to send them to the wireless guest network.
Given that your Airport base stations are wifi access points and not routers, none of them will do the VLAN tagging. But they will need it. You need to do it on your guest interface in the pfSense router: pfSense > Interfaces > VlanAssignment > Vlans. I attach a copy of my setup. HTH

6
Traffic Shaping / Re: PRIQ Traffic Shaper - How to optimize ?
« on: December 15, 2017, 06:31:22 am »
<Quote KOM>PRIQ doesn't care about bandwidth.</Unquote>

Thanks KOM, this means I should not bother recording bandwidth.

<Quote KOM>It's purely for prioritizing specific traffic types, eg HTTP vs SSH vs email.  You can fiddle with the WAN/LAN bandwidth settings but they won't do anything with PRIQ.</Unquote>

Today's modem ISP data are:

                      Downstream   Upstream
SNR Margin:                  7.0        5.0  dB
Line Attenuation:           63.5       31.5  dB
Data Rate:                  3424        896  kbps

My today's inputs to the shaper are (all others remaining the same):

1 WAN, 2 LANs, PRIQ,        3110        770  kbps

Looking into it, there seems to be a correlation between my PRIQ settings and the ADSL line's stability (lifetime between undesired modem resets). If I get fewer resets, it seems to me my ISP rewards me by increasing the Downstream data rate. Across all my tests, the Upstream data rate seems to be constant (odd, is it not?), while the Downstream data rate fluctuates, and seems to do so in a non-random fashion.

For the purpose of better prioritizing specific traffic types, eg HTTP vs SSH vs email, and maybe for the more precise purpose of reducing the probability of undesired modem resets to stabilize the resulting traffic, I understand I should look at the Queues page. Is there anything there I should look at? TIA

7
Traffic Shaping / PRIQ Traffic Shaper - How to optimize ?
« on: December 14, 2017, 07:27:45 am »
Hello. As a beginner in using pfSense, I have configured my SG-1000 to do traffic shaping with Priority Queuing (PRIQ).

The set-up is as simple as I could make it:

1 WAN and two LANs (home and guests), no phone over IP, no TV over IP, no peer to peer, no games. Hence the setup is basic also:

Modem ISP data:

                      Downstream   Upstream
SNR Margin:                  7.0        6.0  dB
Line Attenuation:           63.5       31.5  dB
Data Rate:                  3424        896  kbps

Using the wizard: I presently use the ratio .86 for downstream and upstream (3424 x 0.86 = 3000). It works and the ADSL line from my ISP seems to be stable. But I have no way to know if this is the optimal setting and how to improve.

1 WAN, 2 LANs, PRIQ,        3000        770  kbps

No VoIP, No use for penalty box, No peer to peer, no games, no change to other applications.

I have tried adjusting download and upload speed for the WAN, using the same proportional reduction for both, and adjusted each day at .80, then .82, then .84, then .86, then .88, then .90 and so on. Each day, I performed speed tests and, more recently, made a screenshot of the queues. This did not help me in determining how to optimise.

What should I be trying to optimize?

8
Firewalling / Re: Create a guest network with VLAN tag 1003
« on: November 06, 2017, 05:15:18 am »
Now I can reply to your two posts. A basic understanding of ports and IP and such is a huge plus, that is for sure ;) YES indeed, that is a huge requirement. The French forum provides a link to a great tutorial (<http://irp.nain-t.net/doku.php>). I need to spend more time there.

Yes, I got the logic of rules ordering, which means a huge difference from what I am used to from Apple devices, like the preset guest network set of rules on Airport routers which just work like magic.

PING? I need to learn how to use it. This never crossed my mind.

DNS. <quote>So what you set in dns under general is pointless unless your forwarding..  Or you want pfsense to use something else for dns if its own resolver is down. Ie the 127.0.0.1 entry.</unquote> OK. I will not experiment on forwarding. I experimented as planned on an allow rule on top allowing access to port 53 (DNS), similar to your rule on your DMZ. It did its magic and everything immediately worked just like magic. No need for an HTTP allow rule and the series of equivalent rules... I will check the tutorial above to better understand why my INVITES, who are expected to know nothing about DNS, need to be allowed to send packets to 192.168.2.1 (their router address) on port 53 for internet and mail to work for them.

I did some clean-up work on my rules. Here they are (5 active rules). They work fine and I understand they should be protective enough to allow me some rest and prepare for my next endeavour, which will be the implementation of a crude form of traffic shaping to prevent the IP clients downloading stuff from taking all the bandwidth away from my wife's web browsing. This will be for next month. Thanks johnpoz, thanks a lot. I would never have managed that alone (even with tons of books).  ;D ;D ;D
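An added illustration, not code from this thread or from pfSense: a small first-match evaluator for the INVITES ruleset worked out above, showing why "Block packets to This Firewall" on its own cut guests off (their DNS queries to 192.168.2.1 die with it) and why the narrow port 53 allow placed above it fixes that. Addresses are assumptions modelled on the thread: pfSense at 192.168.2.1 on INVITES and 192.168.1.1 on LAN, LAN net 192.168.1.0/24, Zyxel modem-router at 192.168.0.1.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed to mirror the thread's setup (assumed values): INVITES guest VLAN
# 192.168.2.0/24 with pfSense at 192.168.2.1, LAN 192.168.1.0/24 with pfSense
# at 192.168.1.1, and the Zyxel modem-router at 192.168.0.1.
ALIASES = {
    # The built-in "This Firewall" alias: every address the SG-1000 itself owns
    "this_firewall": [ipaddress.ip_network("192.168.1.1/32"),
                      ipaddress.ip_network("192.168.2.1/32")],
    "lan_net": [ipaddress.ip_network("192.168.1.0/24")],
    "modem": [ipaddress.ip_network("192.168.0.1/32")],
}


@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "any", "tcp", "udp", "icmp" or "tcp/udp"
    dst: str               # alias name from ALIASES, or "any"
    port: Optional[int]    # destination port, None = any port
    desc: str


def matches(rule: Rule, proto: str, ip: ipaddress.IPv4Address, port: Optional[int]) -> bool:
    if rule.proto != "any" and proto not in rule.proto.split("/"):
        return False
    if rule.dst != "any" and not any(ip in net for net in ALIASES[rule.dst]):
        return False
    return rule.port is None or rule.port == port


def evaluate(rules, proto, dst_ip, dst_port=None):
    """First-match evaluation as pfSense applies interface rules: the first rule
    that matches decides; traffic no rule matches hits the implicit default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if matches(rule, proto, ip, dst_port):
            return rule.action, rule.desc
    return "block", "default deny"


# The ruleset that broke guest internet access: the block on This Firewall sits
# above the catch-all allow, so guests' DNS queries to 192.168.2.1 are dropped.
BROKEN = [
    Rule("block", "any", "this_firewall", None, "Block packets to This Firewall"),
    Rule("block", "any", "lan_net", None, "Block all packets from INVITES to LAN"),
    Rule("pass", "any", "any", None, "Allow INVITES to the internet"),
]

# The working ruleset: one narrow DNS allow on top, then the blocks, then the
# catch-all. Guests resolve names but cannot reach the webGUI, the LAN or the modem.
FIXED = [
    Rule("pass", "tcp/udp", "this_firewall", 53, "Allow DNS to pfSense"),
    Rule("block", "any", "this_firewall", None, "Block packets to This Firewall"),
    Rule("block", "any", "modem", None, "Block packets to the Zyxel modem-router"),
    Rule("block", "any", "lan_net", None, "Block all packets from INVITES to LAN"),
    Rule("pass", "any", "any", None, "Allow INVITES to the internet"),
]


if __name__ == "__main__":
    # Constructed sample traffic from a guest client: (proto, destination, port)
    traffic = [("udp", "192.168.2.1", 53), ("tcp", "192.168.2.1", 443),
               ("tcp", "192.168.1.10", 445), ("tcp", "192.168.0.1", 80),
               ("tcp", "93.184.216.34", 443)]
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for proto, ip, port in traffic:
            action, desc = evaluate(rules, proto, ip, port)
            print(f"{name:6} {proto}/{ip}:{port:<3} -> {action:5} ({desc})")
```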

9
Firewalling / Re: Create a guest network with VLAN tag 1003
« on: November 06, 2017, 03:35:20 am »
Thanks johnpoz. I wanted to do my homework on PING and DNS and post my existing rules before anything else, so here it goes:

2.1 PING. I never use ping, so I did not know why allowing ping to INVITES would be useful to them to permit their internet access. The pfSense docs state in Connectivity Troubleshooting "Check that the LAN (INVITES) rule allows all protocols, or at least TCP and UDP ports for reaching DNS and HTTP/HTTPS and allow ICMP for testing [...]". This does not seem to say why PING is needed by INVITES (for testing?). So I searched again, and on security.stackexchange at "Is there any risk in allowing PING packets *out* through a firewall?", the subsequent discussion seems to state PING is a comfort rather than a MUST and that (at a high cost to their convenience) denying PING to INVITES would remove the security risk caused by allowing ICMP echo reply back in. So PING does not seem to be mandatory for my INVITES.

2.2 DNS servers. There I am more confused. I edited my earlier post. My setup is as standard pfSense as possible and, accordingly, the SG-1000 connects via DHCP to the Zyxel modem-router, which receives DNS info from my ISP. So, in my control panel, the DNS server addresses are 127.0.0.1 (originating from the SG-1000 setup), 192.168.0.1 (the Zyxel modem-router), and 8.8.8.8 and 8.8.4.4 added in by the SG-1000. No mention even of the 80.10.246.130 DNS server provided by my ISP to the Zyxel modem-router. So I may need to copy your rule "Allow DNS to PFSense".

(3) My rules are attached, unchanged so far (5 of them are grayed out, only 4 are active). As they are, they allow internet access to INVITES. What would block them would be my use of my rule "Block packets to This firewall". I will experiment on (1) an allow rule on top allowing access to port 53 (DNS), similar to your rule on your DMZ, and (2) an allow rule on top to allow HTTP traffic through the HTTP port (I have the list of ports somewhere), just to see whether or not HTTP requires it (a test which can't do harm), and report back here. Thanks.

10
Firewalling / Re: Create a guest network with VLAN tag 1003
« on: November 05, 2017, 10:15:29 am »
Thank you for the reply. That does help enormously. This is also quite above my level of understanding, so: (1) thank you very much for your consideration on this; (2) I will, with regard so far only to IPv4 (IPv6 will be mañana for me), do my homework and try to understand (2.1) why allowing ping may be important for IPv4 clients on the INVITES network, and (2.2) why allowing DNS to pfSense may be useful to IPv4 clients (in my config, DNS is mainly provided by the PPPoE server of my ISP, so I would anticipate that it would flow through gracefully). I will try to understand first instead of copying the rules. I intend to reply tomorrow and will (3) post my current rules then, without changing them until then. All that after allowing time for my bicycle club.  :D Thanks and sorry for the delay.

11
Firewalling / Re: Create a guest network with VLAN tag 1003
« on: November 04, 2017, 08:07:47 am »
OK, so my rule "block packets to IP 192.168.1.1" is too narrow. I need (1) to block all packets to This Firewall and (2) to allow, by a higher-level rule, internet access, which is the service that I want to allow to pfSense INVITES. I tried many things, which all failed.

I looked in the printed book "pfSense: The Definitive Guide" and in "The pfSense Book", which I had downloaded last week in epub format to my iPad. I found no mention of how to allow INVITES clients (INVITES IPs) to talk to the services I want, like DNS, ping...

The rule "Allow to WAN net" defeated my blocking rule "block packets to This firewall" and allowed access to the firewall web interface.

On the opposite, "Allow packets to all TCP/UDP" does not suffice to give internet access.

I am currently short on ideas. I need to get away from the computer, move back to the simpler bicycle life and will try again tomorrow. Thanks, johnpoz, for your kind help. I guess I have a slow brain, which translates into cerveau lent in French, a pun (cerf volant).

12
Firewalling / Re: Create a guest network with VLAN tag 1003
« on: November 03, 2017, 10:19:50 am »
Hello, johnpoz. I had not tested enough. With my new ruleset, the INVITES (guests) were denied access to the internet. By trial and error, I found the culprit: "Block packets to this Firewall (all IPs on the firewall, wan, lan, opt, etc.) (this SG-1000)"

I replaced it by

Block packets to IP 192.168.1.1 (this SG-1000)

There it works. So the second option of your suggestion, instead of blocking access to IP 192.168.1.1 (the SG-1000 web interface), of "either block it to the specific interface you concerned with; Or use the built in alias "this firewall" which is all IPs on the firewall, wan, lan, opt, etc." was, apparently, too broad. It blocked internet access.

I attach a picture of the current ruleset I now use.

TIA for any comment.

13
Thanks kejianshi, thanks ivor.

It probably went this way because (1) I was lucky (this was weekend time and I already had at hand an SD card adapter for my camera, a micro-SD card for my bicycle Garmin GPS device and a screwdriver for no justifiable cause) and (2) I cheated (spent a good part of the night and early morning to get this behind me). Next time, if any, will be easier.

I forgot to ask a key question to spare me the purchase of a new micro-SD card: now that the SG-1000 is configured with the currently available 2.4.0 firmware, could I now restore the firmware OS from a USB memory stick, in case of need?

14
Thanks ivor, I will try to do what you suggest and report below the difficulties in doing it.

BTW, it is almost certain that I managed to somehow break it. However, shortly after receiving the SG-1000, I received on the Dashboard an indication that a new version was available for download. By my sole mistake, I accepted to do this installation and subsequently got the following error message: Notices > Filter reload > "There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [18]: table <bogonsv6> persist file "/etc/bogonsv6" @2017-08-23 11:20:29". Believing there was a flaw in the firmware updater, I inquired from Netgate sales and was, there, instead referred to the forum owing to the fact that I had not purchased an assistance contract with Netgate. Later on, I upgraded to 2.4.0, believing the issue would correct itself. Maybe it did not correct itself automagically. Maybe that is the cause!

Indeed, as kejianshi may have assumed, I have almost never wiped a drive and installed an OS from fresh, and my desire to avoid this pain is the reason why I bought the SG-1000 from Netgate in the first place.

1 - I received my SG-1000 in August 2017, which was a long time after Dec 29, 2016, so I should assume that the SG-1000 includes a boot environment capable of booting from the USB OTG port. However, I searched everywhere on the web interface for the version of U-Boot to check compliance. I found nothing. To take the least risky route without asking 5 guys how to wipe a drive and install firmware from fresh, I therefore tried the longer route using a micro-SD memory card. I found a spare one with maps of France, Australia and New Zealand in my Garmin bike GPS box, saved its content and started to work.

2 - To verify the downloaded image, I did not use the sha256 command, which appeared not to exist on my Mac (macOS 10.12.6). Instead, after some internet search, I used the "shasum -a 256 file.xxx" command.

3 - I verified the file system of the micro-SD card's existing partition; it showed in Disk Utility as: MS-DOS (FAT32). I suppose this does not matter.

4 - I wrote the image:

sudo dd if=/Users/xxx/Desktop/pfSense-netgate-uFW-recover-2.4.0-RELEASE-arm.img of=/dev/rdisk3 bs=4m

I entered my admin password when prompted, but the writing failed. Cause: "resource busy". So, after another internet search, I decided to unmount the existing partition from the micro-SD.

I entered again in Terminal:

sudo dd if=/Users/xxx/Desktop/pfSense-netgate-uFW-recover-2.4.0-RELEASE-arm.img of=/dev/rdisk3 bs=4m

Nothing happened, so I shut down the Terminal window and looked into Disk Utility. Suddenly the micro-SD card appeared (mounted) on the desktop with a new name: FATRECOV

FATRECOV contained three files:

MLO, u-boot.img and ubldr.bin

Maybe I had stopped the process and damaged the installer.

I repeated the same process and it produced, after about a minute and a half of complete silence:

238+1 records in
238+1 records out
1000000000 bytes transferred in 94.095442 secs (10627507 bytes/sec)
[MacBookPro-de-xxx:~] xxx% 
 
The volume appears as follows in Disk Utility:

FATRECOV:   35.8 Mo

FreeBSD:    964.1 Mo

I will call it a success!!! So I have so far completed writing the installer to a micro-SD card without the 5 guys' intervention.

I inserted the micro-SD card into the SG-1000.

I connected the SG-1000 to the console and unplugged the power cable.

The rest went as indicated in the SG-1000 FAQ.

After rebooting, I did a second reboot, which went well. I then halted the system (option 7) and unplugged the SG-1000 from the power cable.

I went to the basement and plugged the Zyxel modem and the SG-1000 back in, in operation for my network.

I came back upstairs to take control of the SG-1000 via the web interface and reset the configuration to its last saved state.

It worked. Now the console seems to work correctly. Thanks, ivor for telling me how.

To prevent the recurrence of "5 guys trying to explain how to wipe a drive and install firmware from fresh", you may want to clarify the FAQ on the following:

In: How do I restore the firewall OS? (firmware)

1 - "This version of U-Boot identified itself as: "---"": it would be best to specify where to look.

In: Writing an OS Installation Image to Flash Media

2 - To verify the checksum on macOS (10.12.6), replace the "sha256" command line by "shasum -a 256 file.xxx".

3 - For the installation media, you may want to specify a partition map scheme. Here, my Micro-USB card was "as purchased" (as needed by Windows machines). Maybe another partition map scheme may fail.

4 - When writing the image to the flash media on macOS (10.12.6), you may specify that if the system replies "Resource busy", the existing partition needs to be unmounted for the writing to work.

5 - Using Terminal is not common for Mac users; you would best indicate that, after entering the administrator password, the writing will proceed. It took 90 seconds for me and absolutely nothing shows that the writing is in progress.

Thanks ivor for this fascinating learning experience. kejianshi was right: I had never done such a thing.

As far as I am concerned, this thread is solved.

15
Firewalling / Re: Create a guest network with VLAN tag 1003
« on: October 29, 2017, 11:41:22 am »
Thanks johnpoz, this is immensely useful.

2 - OK. Thanks a lot. It helps to know this deny all rule is there by default.

3 - I created a rule "Block packets to all IPs on the firewall, wan, lan, opt, etc. (this SG-1000)". I tried it, it seems to work. Access is allowed when I am on the LAN and access seems denied when I am on the INVITES network.

4 - I created a rule "Block packets to IP 192.168.0.1 (the Zyxel modem-router)". Similarly, I tried it and it seems to work.

Then on System > Advanced > Miscellaneous > Gateway monitoring, I have ticked "Skip rules when gateway is down".

If I understand your two last suggestions well,

I would create either one of the two following additional rules on INVITES gateway (created for the photo below but not active yet):

Either: as a first rule "Block all packets from INVITES to LAN" (not active)

Or as a last rule "And allow all INVITES' packets except to LAN addresses" (not active).

More precisely, I would create either one of these two rules and remove the rule "And allow INVITES to internet gateway only" and remove the "Skip rules when gateway is down" instruction.

I am writing this with the pfSense definitive guide (the book) open in front of me and I do not even find there (nor in the pfsense Book on the web) the definitions of the default aliases (like This Firewall, LAN net, INVITES net).

Is my understanding correct? TIA
