Messages - cmb

Routing and Multi WAN / Re: No DNS resolution on failover WAN
« on: July 20, 2016, 05:53:56 pm »
That's only relevant where you have forwarding mode enabled in Unbound (which might be preferable regardless). Without forwarding mode, you need to enable default gateway switching.

IPsec / Re: Traffic not routed to IPSec but default gateway in stead
« on: July 20, 2016, 05:15:44 pm »
That doesn't match the P2 you have defined, so it's not supposed to go over the VPN. Needs to be source of the network, not single IP, like your other one.

Firewalling / Re: New Azure pfSense VM - problem opening ports
« on: July 20, 2016, 04:18:20 pm »
Firewall>NAT, Outbound. Switch to hybrid mode. Add a rule, interface LAN, source any, dest, dest port 3389, all else at defaults. Save and apply changes.

Create firewall rule on both WAN and LAN to pass the GRE protocol. And that's it!!

Only on LAN, the WAN rule isn't doing anything useful and should be removed.

Firewalling / Re: New Azure pfSense VM - problem opening ports
« on: July 20, 2016, 12:36:48 pm »
The target VM I'm sure isn't pointing to the WAN IP as its default gateway. You'll either have to source NAT that traffic via outbound NAT, or change the target server's default gateway. The former, while in most circumstances wouldn't be the most desirable option, might be the best option for Azure.

CARP/VIPs / Re: How to use Other VIPs with routed ISP network
« on: July 20, 2016, 12:35:15 pm »
Why only one?

Because the others need to be assigned to the hosts that are using them. Only the gateway IP is assigned to the firewall.

It won't answer from WAN by default because the rules don't permit it. You're checking from LAN, or have opened up your WAN rules much more than you should.

Check 'sockstat -4' for what it's binding to, and the conf files in /var/unbound/. Guessing your outbound interfaces include WAN, which makes it bind there.

OpenVPN / Re: OpenVPN periodically disconnecting? Why? How to fix?
« on: July 19, 2016, 08:43:09 pm »
Yes, UDP is always preferable unless you're in a circumstance where it can't be used (UDP can't get between client and server). There's a reason VoIP uses UDP, as retransmissions are pointless; by the time it would be retransmitted the data is useless. TCP VPN would just result in out of order delivery of VoIP in the case of packet loss, which best case the phone and PBX just ignore since it's too old to be useful, but worst case sometimes makes VoIP phones and/or PBXes behave poorly.

Static IP WANs rule out the most common reason for a forced reconnection. Likely a connectivity issue between the two, or possibly something between the two dropping a TCP connection. Switching to UDP could prevent that from occurring if that is the case.

Installation and Upgrades / Re: issue installing PFSense
« on: July 19, 2016, 07:56:43 pm »
It's failing to read from the CD. Probably a bad CD-ROM drive.

In that case, because you don't have a matching port forward.

OpenVPN / Re: OpenVPN periodically disconnecting? Why? How to fix?
« on: July 19, 2016, 07:46:39 pm »
You should use UDP rather than TCP unless you have no other option for some reason. Probably not in and of itself why it's disconnecting.

Part of it's from ping-restarts which means the client and server lost connectivity to each other. Part of it looks like a normal service restart, like what would happen if you have a dynamic IP WAN and it reconnects/updates its IP.

Correlate those times with the system log, anything happening there?

It's likely having issues reading the ISO at the ESX level for some reason would be my best guess. Don't bother with 32 bit, that's a dead end and should never be used on 64 bit systems.

Probably because you're testing from LAN, not WAN, and don't have reflection enabled.

OpenVPN / Re: Gateway is down even though the OpenVPN is up.
« on: July 19, 2016, 06:45:06 pm »
Set the monitor IP on that gateway to something on the Internet that replies to pings.
