Messages - cmb

General Questions / Re: Cable Modem Access - Behind Pfsense
« on: July 22, 2016, 07:03:05 pm »
You block RFC1918 networks on WAN. 192.168.x.y is one of those private RFC1918 networks.
At Interfaces | WAN you should uncheck "Block private networks".

That's only for ingress traffic. Reaching the modem is egress. Don't change that, it's fine as-is.

Firewalling / Re: skip rules when gateway is down not working-bug?
« on: July 22, 2016, 04:44:49 pm »
I will see if I can give that a try, but the question I have is can you create a gateway group utilizing interfaces that are *ALREADY* in another group?


There is currently no pagination in the logs.

NAT / Re: NO NAT DMZ not working when NO NAT is configured
« on: July 22, 2016, 02:42:17 pm »
That means that /28 isn't being routed to you, which it has to be for that to function. Have your ISP route the /28 to your WAN IP (assuming your WAN IP is in a diff subnet) and it will work as you're configuring it.

CARP/VIPs / Re: CARP and D-Link DGS-1210-52
« on: July 22, 2016, 02:39:06 pm »
problem 5 PC with WinXP and ALL raspberry (over 500)

Not induced by CARP, no Windows or Linux versions have any issues with it. You're misdiagnosing whatever the real problem is there.

Installation and Upgrades / Re: Help me choose correct install
« on: July 22, 2016, 02:36:03 pm »
If you bought the SG version, then it's already installed, no need to install anything. See the quick start guide. You don't want or need to down-rev it.

General Questions / Re: PFSense 2.3 broke tftp proxy feature
« on: July 22, 2016, 02:13:18 pm »
You can't install a patch that's for compiled code. Upgrade to 2.3.2 and you'll have the fix. The most recent snapshot is essentially identical to what the release will be.

CARP/VIPs / Re: CARP and D-Link DGS-1210-52
« on: July 22, 2016, 02:27:33 am »
The DLink is broken, you need to either get them to fix that, or get a non-broken switch. CARP works the same as all router redundancy protocols (VRRP, HSRP) in that regard, and those are the only switches in the world that have that issue.

No OS, Linux, Windows or otherwise, has any problem with CARP. No switches other than those DLinks have a problem with it.

Firewalling / Re: doom port 666 open on pfsense?
« on: July 22, 2016, 12:34:32 am »
Almost certainly upstream of you, or wrong. You'd have to configure something on port 666, or a port forward, for that to be the case. Nothing in the system will bind to 666, though a variety of services can be configured on any port you want.

NAT / Re: NAT Duplication?
« on: July 21, 2016, 04:14:14 pm »
Where you have a 1:1 NAT and a port forward like that, the rule that allows traffic through the port forward will also allow traffic through the 1:1 NAT. That's how it's always worked, just the nature of how pf functions since the translation applies first for WAN rules.

If you specify the "pass" option in the port forward, so there is no associated firewall rule, that should keep it restricted to only the high port you're port forwarding through.

OpenVPN / Re: Double "redirect gateway" entry in ccd
« on: July 21, 2016, 02:19:36 pm »

Great, I have possibly another one.
Can I go to redmine myself?

Sure, you can register your own account and open tickets. If you have a good description of the expected result, the actual result, and how to replicate, then opening a bug ticket would be preferable to forum threads. If you're not sure about something or don't have all those specifics, then start a forum thread first to discuss.

NAT / Re: Outbound NAT and LAN internet access
« on: July 20, 2016, 11:24:58 pm »
Oh, so you have no NAT at all on those IPs, it's a public routed subnet. Thought it was just diff NAT.

In that case, it's probably easiest to let the automatic outbound rules handle most of it, and add an outbound NAT rule on interface WAN, source of your public IP subnet, and choose the option to not NAT. Then traffic matching that won't get NATed, and everything else will use the automatic outbound NAT.

OpenVPN / Re: Double "redirect gateway" entry in ccd
« on: July 20, 2016, 07:59:18 pm »

NAT / Re: Outbound NAT and LAN internet access
« on: July 20, 2016, 07:11:26 pm »
Leave your outbound NAT in hybrid mode, then your servers will use the outbound NAT rules you manually defined, and everything else will hit the automatic.

IPsec / Re: Dead peer detection required on both ends?
« on: July 20, 2016, 06:44:39 pm »
Must match on both sides. Not likely you'll encounter issues on an ALIX, only if it's under such extreme load that you need to upgrade hardware anyway.
