


Messages - e4ch

1
DHCP and DNS / Auto-renew DHCP after outage
« on: February 23, 2018, 12:45:31 pm »
Whenever I reboot my networking gear or when there was an Internet outage, it remains down. I can only fix it by manually renewing the DHCP of my WAN (Release, Renew on Status / Interfaces page). I want this to happen automatically. How can I configure this?

When it's not working, already the start page in "Interfaces" shows in the last column "n/a" for WAN, while it shows the correct external IP when up.
In Status / Interfaces the value for Gateway IPv4 is always filled out (both when up and not working), but only when up, the IPv4 Address and external DNS are shown.
The Status and DHCP values both show as "up" even when it's not working.
I have screenshots if necessary. The checkbox "Relinquish Lease" is not checked (no idea what that is).

I'm using the latest version on official hardware (2.4.2-RELEASE-p1 amd64 on Netgate SG-4860).

I assume the provider's modem assigns a different IP after its reboot or something and the pfSense firewall doesn't detect it or something like that. I want this to fix itself. How can I do this (preferably without writing complicated scripts or manual non-UI configuration)?

2
Regarding the host name without FQDN, that was from another post I found here. Initially I only had the IP there and it didn't work, hence I tried more options. But it actually makes sense to have only the name (like "pfsense" or something) there as well, because if you are in a Windows domain, then the domain is added automatically and if DNS is configured like that, then only the "abc" should work too - but only if the name in the certificate matches of course. But I agree that this is not a good idea.

But yes, you found the problem. Somehow I missed the dropdown with the Alternative Names Type, not sure why. Thanks for the screenshot, which made it clear. After creating a new certificate with the correct type ("IP address"), it now works. I wonder why IE didn't complain about this mismatch. It seems that Chrome is more strict there and that is good.

Thanks for your help!

3
Hi I don't want to publish the exact names, but I have something like the following:
Hostname: abc
Domain: def.com
Certificate name: abc
Subject Alternative Name in certificate:
 - DNS Name=abc
 - DNS Name=abc.def.com
 - DNS Name=192.168.1.1
When I use Chrome 63 (64-bit) with URL https://192.168.1.1, then I get the error.
I don't think the names are relevant, because I'm using an IP. The domain name "def.com" exists, but "abc" is arbitrary and not in the DNS.
For this error to appear, the domain name of the URL must not match one of the S.A.N. of the certificate, but it is matching as you can see.
Did you use a CA as well? Maybe something with the CA is wrong. I used key length 4096, digest sha512, country code CH, dummy entries for the rest and Common Name "internal-ca".

4
I have created a new internal CA (in System / Certificate Manager / CAs), imported the certificate into Windows in (local machine) Trusted Root / Registry, created a certificate (in System / Certificate Manager / Certificates) as Server Certificate, used it for the web UI (in System / Advanced / SSL Certificate). Name was a random name (something like pfSense) and I added 3 Subject Alternate Names:
- something like myfirewall
- something like myfirewall.mydomain.com
- IP address of the firewall (the one where it's reachable from LAN)
When accessing the web UI from IE it works fine, but Chrome complains with the error NET::ERR_CERT_COMMON_NAME_INVALID. I'm accessing the site by IP; no DNS name is used yet. Chrome Help says that the SAN must be wrong, but I cannot see such a problem.
How can I fix this?
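The two posts above (the original question and the SAN list in the follow-up) come down to one rule: when the URL host is an IP literal, browsers compare it only against iPAddress SAN entries, never against a dNSName entry that happens to spell the same digits. The following is an added example, not code from the thread or from pfSense; the SAN lists are constructed to mirror the post's placeholders ("abc", "def.com", 192.168.1.1), with the broken list using "DNS Name" for the address and the fixed one using the "IP address" type.

```python
import ipaddress
from typing import List, Tuple

# Constructed SAN lists modelled on the post. Each entry is (type, value),
# type being "DNS" for dNSName or "IP" for iPAddress.
SAN_BROKEN = [("DNS", "abc"), ("DNS", "abc.def.com"), ("DNS", "192.168.1.1")]
SAN_FIXED = [("DNS", "abc"), ("DNS", "abc.def.com"), ("IP", "192.168.1.1")]


def _dns_match(pattern: str, host: str) -> bool:
    """dNSName comparison in the RFC 6125 style: case-insensitive label
    comparison, at most one wildcard and only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse a bare "*" and wildcards on single-label names.
        return len(p_labels) >= 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def host_matches_san(host: str, sans: List[Tuple[str, str]]) -> bool:
    """Return True if the URL host is covered by the certificate's SAN list.

    An IP literal in the URL is matched only against iPAddress entries, and
    the comparison is done on the parsed address rather than the text, so
    textual variants of the same address still match.  A dNSName entry
    containing "192.168.1.1" is just a hostname string to the browser, which
    is why Chrome reported NET::ERR_CERT_COMMON_NAME_INVALID for the first
    certificate.
    """
    try:
        target = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        target = None
    if target is not None:
        return any(t == "IP" and ipaddress.ip_address(v) == target
                   for t, v in sans)
    return any(t == "DNS" and _dns_match(v, host) for t, v in sans)
```

Accessing the firewall by name only succeeds through a dNSName entry, so a certificate that should work both by IP and by FQDN needs one entry of each type.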

5
NAT / Re: How to set up FTP? (client behind pfSense, active mode)
« on: December 17, 2017, 06:17:19 am »
Look at the FTP Client Proxy package.

Thanks for your reply Derelict. Unfortunately I already knew that I probably needed to install a package or something (see my question). As I'm new to pfSense, I was looking for instructions. Anyway, after some more hours of googling, I found the solution myself. For anyone else reading this thread, here's the solution. It is always easy or even trivial after you know the solution.

I found the thread https://forum.pfsense.org/index.php?topic=89841.0 where user jimp in this forum explains that he implemented this package. The link goes to GitHub (https://github.com/pfsense/pfsense-packages/commit/a868b2522ef865f117c892a07ae3507686783ff3), to a specific commit, and the post is from 2015, but looking at the GitHub repository, there are 12112 commits, with the latest from 12 Oct 2015.
Anyway, there is no need to work with GitHub, or compile anything, here are the simple instructions:

1. Remove all FTP-related firewall rules you have already added while trying around.
2. In pfSense, go to System / Package Manager / Available Packages and install "FTP_Client_Proxy"
3. Go to Services / FTP Client Proxy and select the following options:
- Check "Enable the FTP Proxy"
- Local Interface = LAN
- Check "Early Firewall Rule" (only if you have a "block all" rule at the end)
- Save

I tested with pfSense version 2.4.2-RELEASE-p1 (amd64) and it works fine from the browser.

Very simple and straightforward - if you know how.

6
NAT / How to set up FTP? (client behind pfSense, active mode)
« on: December 16, 2017, 07:38:01 pm »
I understand how FTP works in all modes (see http://slacksite.com/other/ftp.html) and I have the following scenario:
I want all clients on the LAN to be able to connect to random FTP servers on the Internet, mainly to download software, usually not even a login is required. Mostly by following links on web pages.
I do understand that FTP is an old technology and should no longer be used, but unfortunately it is.
When following links in browsers, I assume we are talking about Active FTP here. If I'm wrong, let me know.
Passive FTP would work "out-of-the-box", but not with browsers and not when all upper ports are closed by default, so that's not an option.
My previous router with DD-WRT supported this without configuring anything (maybe the browser was switching to passive FTP and of course outgoing traffic is always open there).
Then I had a ZyWALL, where I had to enable FTP ALG to get this working.
Now I have pfSense and don't know how to configure this. I understand that older versions had FTP ALG, but this is no longer included or something.
I heard there are "packages" to install this FTP proxy. I know FTP is crap, but as long as it is used (=forever) pfSense should provide some support for it.
The help page for this (https://doc.pfsense.org/index.php/FTP_without_a_Proxy) also doesn't tell anything how to set this up (except "will not work"). There's a link to a command-line tool though. Is there any documentation on how to set this up? I mean this must be something that everyone needs, so it should be fairly common. I see a lot of questions, but no real answers to this.
