Firewalling / Question on one of my rules (or more)
« on: August 19, 2015, 12:59:53 pm »
For that one rule the LAN -> LAN pass.
Is there ANY, not just usual, but any (if the only situation would be LAN->This Firewall, I want to change it to that.)

Other than that, is there anything else that should be changed or simplified?

The "Local_Networks" alias in the "LAN -> Local_Networks" is an alias containing the subnets for all interfaces I have, so I can put a block above the allow any rule and then just pass the inter-interface traffic I want.  (Such as letting the printer communicate with the guest network)

(And the LAN_DHCP -> * block is to block people who pull a DHCP address from getting online if they fall in the DHCP range rather than the static leases I assigned, as a quick way to find people who plug into the wrong network.  This is a home network, so I just smack people upside the head when they do this if I get the "I can't get online" bit)

Every time I use the auto updater, it knocks me from amd64 to i386.
I do not have any server manually set.

It has done this multiple times over multiple upgrades.

I now need to schedule downtime again to do a fresh install.  Is there any way to prevent or at least get some sort of warning if it's going to change the architecture so I can abort the upgrade?

After I did the upgrade from 2.2.2 -> 2.2.3, all wireless devices (through an AP on a switch) popped up the new network window as if it was the first time being plugged into the network.

I haven't had a chance to look at the AP to see if something coincidentally got changed there (which is unlikely) but was there anything that could have caused this on the pfSense end?  It lines up perfectly with that upgrade.

General Questions / Question on pfsense and vlan handling
« on: May 28, 2015, 11:35:12 am »
How does pfSense deal with tagged traffic on an interface that it wasn't set up to monitor it on?

For example, if I have Opt2 with no VLANs configured on pfSense and I start sending traffic tagged for VLAN 500 on that interface, will pfSense drop it, or will it ignore the VLAN tag?

In the following scenario, a port off pfSense goes to an access point which has client isolation on.

Would a rule in pfSense then either allow or disallow devices to talk to each other on that segment, allowing me to bypass (selectively?) client isolation?

webGUI / Problem with certs matching their CA
« on: May 24, 2015, 01:25:38 am »
I'm doing the following

1. Create CSR
2. Have cert signed
3. Import Intermediate CA into CA tab (using import existing CA)
4. Edit cert and paste cert in field below CSR

Result: it completes and shows the cert, but the issuer is shown as "external", whereas the previous cert I'm replacing shows the correct issuer from the CA tab.
I'm not sure what I'm doing wrong here.

Is there any way to have an alias made per interface for every IP registered in the DHCP server?
Including anything that was static or dynamically assigned that would update as leases are created or expire?

I was thinking along the lines of something like DHCP_LAN being an autogenerated alias.

Cache/Proxy / Squid + Virtual IP
« on: April 28, 2015, 10:21:02 am »
If I want to use Squid with a virtual IP, what interface should the IP be on, and what interface should Squid be set up to listen on?
(I want to be able to use Squid on multiple interfaces using the same virtual IP)

(And this should be an alias IP, right?)

Firewalling / Nested Aliases
« on: April 24, 2015, 11:15:18 am »
Can Aliases be nested?

For example, could I have "malicious_ips", "ad_servers", "other_things"

and then have an alias "block_these" that contains the previous three aliases which I could then write a rule for?

Firewalling / Do my rules appear to be sane?
« on: April 20, 2015, 01:21:59 pm »
I should add that I have a floating block + don't log for IPv6 which is why my final allow any is only IPv4.

webGUI / Does 2.2.2 correct the IGMP logspam in the webgui view?
« on: April 15, 2015, 03:15:17 pm »
Did 2.2.2 correct the IGMP logspam when viewing the firewall logs in the webgui?

DHCP and DNS / 2.2.1 Force disabling of harden glue? Why?
« on: March 17, 2015, 02:51:57 pm »
Force disabling of harden glue configuration option, and remove GUI control of that option. Problem with Unbound pre-1.5.2 means in 2.2-RELEASE, having this option enabled, and DNSSEC disabled, could lead to DNS cache poisoning.

It references this bug:

Why is this being force disabled?  That was the option to enable to stop the cache poisoning myself and many others were experiencing.
It was having it OFF that led to the poisoning.

DHCP and DNS / Problem looking up a few domains
« on: March 09, 2015, 01:50:52 am »
I have DNSSEC, Harden DNSSEC data, and Harden Glue on.

Code:

[2.2-RELEASE][]/root: drill
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 21456
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;    IN      A




;; Query time: 669 msec
;; WHEN: Mon Mar  9 02:44:17 2015
;; MSG SIZE  rcvd: 26
[2.2-RELEASE][]/root: drill
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 46673
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;;        IN      A




;; Query time: 723 msec
;; WHEN: Mon Mar  9 02:44:33 2015
;; MSG SIZE  rcvd: 30

Any idea why I can't look those up?  If I use any other DNS server I get an answer.

Code:
Mar 5 11:50:47 kernel: ath0: ath_reset: unable to reset hardware; hal status 14
Mar 5 11:50:47 kernel: ath0: stuck beacon; resetting (bmiss count 4)

I am getting this over and over in my system logs.
Is there anything I can look at to get more information or a known fix?

DHCP and DNS / Unbound root hints, and auto-trust anchor question
« on: February 21, 2015, 06:59:30 pm »
Where does unbound keep these files and how can I forcibly update them?

