

Messages - Trel

Pages: 1 2 [3] 4 5 6 7 ... 25
General Discussion / Re: Question about web filters
« on: March 04, 2016, 01:12:25 pm »
Yes from work. That must be how it was categorized then, they track all web access.

If they're doing that, and you're using HTTPS, then Option 3 from my original post is what's happening.

General Discussion / Re: Question about web filters
« on: March 04, 2016, 10:23:21 am »
I just have a general question about web filters and how they work. Specifically how does a web filter view content on a private discussion forum to block it according to content?

My scenario: I run a small (40 members) private discussion forum for bullet casting and reloading from home using a free subdomain. My employer uses Websense for its content filtering and one of the many things they filter is weapon-related content.  Recently my discussion forum was blocked due to weapon content. How can a web filter "see" the content of a member-only private discussion board that is not visible to guests?

Please understand I am NOT trying to circumvent this, just curious how it works.

There's a few options.

Option 1: It uses a database for content filtering and your site is listed in that database as having weapons content.
Option 2: You're using HTTP and they are scanning the actual content
Option 3: You're using HTTPS and they have a trusted certificate on their client machines which lets them intercept and decrypt the traffic between the clients and them at which point they can scan the actual content
Option 4: False Positive on any of the above
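Option 3 is the one worth seeing concretely, because from the user's side it is invisible: the browser shows a padlock, just one issued by the filter's own CA. The following is an added example, not code from the thread or from any product named in it. It constructs everything locally (hostname forum.example, a "Public Root CA" and a "Corp Web Filter CA" are all made up): the forum's genuine certificate is issued by the public CA, the filter forges one for the same hostname under its own CA, and the program shows that a client whose trust store contains the filter's CA accepts the forgery while an unmanaged client rejects it. It also shows the check that still detects interception on a managed machine: comparing the presented certificate's public key (an SPKI pin) or issuer against the value the origin really uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1

// issueCert creates a certificate for cn/dns signed by parent, or self-signed when parent is nil.
func issueCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario holds the constructed certificates and the two client trust stores.
type Scenario struct {
	Host                        string
	Genuine, Forged             *x509.Certificate
	PublicRoots, CorporateRoots *x509.CertPool
	ExpectedPin                 string // SPKI pin of the origin's genuine certificate
}

// BuildScenario issues the forum's genuine certificate from a public CA and a forged one for the
// same hostname from the web filter's CA, which only managed (corporate) clients trust.
func BuildScenario(host string) Scenario {
	publicCA, publicKey := issueCert("Public Root CA", nil, true, nil, nil)
	genuine, _ := issueCert(host, []string{host}, false, publicCA, publicKey)
	proxyCA, proxyKey := issueCert("Corp Web Filter CA", nil, true, nil, nil)
	forged, _ := issueCert(host, []string{host}, false, proxyCA, proxyKey)
	public := x509.NewCertPool()
	public.AddCert(publicCA)
	corp := x509.NewCertPool()
	corp.AddCert(publicCA)
	corp.AddCert(proxyCA) // the interception root pushed to managed machines
	return Scenario{Host: host, Genuine: genuine, Forged: forged, PublicRoots: public, CorporateRoots: corp, ExpectedPin: SPKIPin(genuine)}
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin-sha256 form used by pinning libraries.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Accepted reports whether a client with the given trust store would accept cert for host.
func Accepted(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// PinMatches reports whether the presented certificate still carries the origin's public key.
func PinMatches(cert *x509.Certificate, expectedPin string) bool {
	return SPKIPin(cert) == expectedPin
}

func main() {
	s := BuildScenario("forum.example") // constructed hostname
	fmt.Printf("forged cert issuer: %s\n", s.Forged.Issuer.CommonName)
	fmt.Printf("unmanaged client accepts forged cert: %v\n", Accepted(s.Forged, s.PublicRoots, s.Host))
	fmt.Printf("managed client accepts forged cert:   %v\n", Accepted(s.Forged, s.CorporateRoots, s.Host))
	fmt.Printf("pin matches genuine/forged: %v/%v\n", PinMatches(s.Genuine, s.ExpectedPin), PinMatches(s.Forged, s.ExpectedPin))
}
```

Run it with go run. The practical check is the same as the last two lines: view the certificate your browser presents for the site from the work network and compare its issuer (or its public key hash) with what you see from home; a corporate CA as issuer confirms Option 3, and nothing short of pinning or that comparison will reveal it, since the filter's CA is trusted by design on those machines.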

General Discussion / Re: Can anyone help me pick a new switch?
« on: March 03, 2016, 09:04:36 am »
Please go with the SG300 series switch, because the SG200 does not have a CLI like the SG300 series
switches come with, and if you don't need the Layer 3 features disable it in the settings and use it as a
Layer 2 switch, but then with CLI!!!

Another one would be the D-Link DGS1510-24, which would fit your needs.

Oh that's a big one.  I'll look at the 300 and the D-Link.

CLI is one of the big things I'm looking for.  So much easier for simple operations than a ton of page loads.  Thanks.

(May need to look for older revisions of it though for price.  It's for a home network, so budget matters, though there's no set cap.  I'm putting money towards it while I run my PowerConnect 2824 into the ground.)

General Discussion / Re: Can anyone help me pick a new switch?
« on: March 02, 2016, 10:15:55 pm »
Cisco SG300-24 $270 new. 24 1gb ports, 2 SFP slots, web manageable, ssh manageable, runs IOS[1], and the best part, does layer 3 routing (static routes, no routing protocols). Fanless.

VLANs, ACLs, Radius and TACACS authentication, and a ton of other things you probably won't need.

I just bought one of these for a client, and so far have been extremely impressed with it.

If you want to go the used route, looks like Cisco 2960G switches are going for under $200 on eBay. I have several of these, and they are great switches, but they aren't fanless. No layer 3 either.

[1] - Cisco calls it IOS, and it behaves like IOS (tab autocompletes, ? gives possible matches), but the actual commands aren't the same as a Catalyst or Nexus switch.

I'm having a hell of a time finding any actual places that list SG300-24
The one you linked on Newegg is something completely different.

This is the closest I can find with 24 gigabit ports:
Is that a recommended one?  If so I'd probably go for that used.

Right now I'm on a Dell Powerconnect 2724 (and I'll be honest, it's horrible.  It takes 5+ pageloads to create and assign a vlan.)  It's fine if the commands aren't the same as a Catalyst.  The only CLI I actually have used for a switch is Extreme, so I have nothing Cisco to unlearn.

And if you don't need Layer 3 the SG200-24 is even cheaper. But for the extra $50 or so I'd get the router code.

I can't find a 200-24 (I found a 200-26 though) and that does mention Layer 3 capabilities?  Did they maybe add that to the 200 line?

The only "-24" ones I'm seeing are SF and are 10/100 not gigabit.

General Discussion / Can anyone help me pick a new switch?
« on: March 02, 2016, 02:52:11 pm »
I'm looking to upgrade my current switch (it's old, very old).
I'm hoping to find something used, 24+ gigabit ports, and managed (preferably with CLI access (over SSH, not only serial), not just web).
(An extra bonus if it's passively cooled).

I'm fine with something used on Ebay.  Does such a switch exist?

Cache/Proxy / Re: [Solved] Can't get ACL to match on Haproxy
« on: February 01, 2016, 03:10:51 pm »
I don't know why "Host contains" fails, but "Host matches" works.

Cache/Proxy / [Solved] Can't get ACL to match on Haproxy
« on: February 01, 2016, 01:31:49 pm »
I'm having an issue getting an ACL to work.

I've tried using Host Matches and Host Contains

The domain I'm testing with is: (or and I have a second domain also pointed at that server which shows the same page.
Both show 503.

I'm attaching a screenshot of the settings

Now, if I check the "NOT" box to invert the match on the ACL, it shows the intended page; however, so does the completely different domain I also have pointed to it.

I can't figure out what I'm doing wrong here.

Additionally, I ran a packet capture to verify that the host is set correctly in the requests and it's requesting
Code:
GET /radio/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

So I'm not sure what I'm doing wrong.

(I'm using the Devel package which says it's actually 1.6 stable)

DHCP and DNS / Question on Static ARP
« on: December 22, 2015, 11:00:33 am »
The info text under the entry in DHCP says

"This option persists even if DHCP server is disabled. Only the machines listed below will be able to communicate with the firewall on this NIC."

I have multiple VLANs on the same NIC.
Does this affect other vlan interfaces on the same physical NIC, or should that say "on this interface" rather than "on this NIC"?

OpenVPN / Re: Optional tunnel all for mobile clients
« on: December 03, 2015, 12:14:46 pm »
Hmm. Last thing I want is my users getting in there and clicky-clicky around.

What you currently use doesn't do it?

This is what I currently use (on Windows at least):

Not exactly the best option, especially when it comes to the end user.  I'd much rather them have a checkbox than attempting to edit a config file.

OpenVPN / Re: Optional tunnel all for mobile clients
« on: December 02, 2015, 08:27:09 pm »
I'd say it depends on the client. Attached is a Viscosity for Mac screenshot.

An alternative would be two OpenVPN servers, one that pushes the default gateway and DNS servers and one that does split tunneling. The client could connect to the one with the desired behavior.

Two servers is how I currently do it.

Other than Viscosity, do you happen to know of any good Windows (mostly this) + Linux (but this too) OpenVPN clients w/ GUI if possible?  (I know that's not technically what I asked originally)

OpenVPN / Optional tunnel all for mobile clients
« on: December 02, 2015, 12:04:22 pm »
Is there any way I can have it that mobile clients by default do not tunnel all, but the client can enable it if necessary?
(pfSense is the server, various machines (Windows, Linux, Android) are the clients)

NAT / Re: RDP to Virtual IP
« on: November 04, 2015, 03:00:07 pm »
I love pfSense ... working great. I just have one issue ...

My ISP has provided me with a block of 5 usable addresses for WAN traffic. I have the one ending in 205 as the main WAN address. I have set up the other 4 as Virtual IPs 201 - 204. I made one Linux box on internal address 100 NAT 1:1 with Virtual IP 201, and created a firewall rule allowing SSH through. I can SSH through VIP 201 no issue at all. pfSense rocks!

I did the same thing with RDP. I made one Windows server on internal address 5 NAT 1:1 with Virtual IP 202, and created a firewall rule allowing RDP through. HOWEVER, I can't seem to RDP in on 202. If I do the same thing with the main 205 WAN address, I can RDP into my network beautifully.

I tried the same thing with the other VIPs and same result. No RDP through the Virtual IPs. NO PROBLEM through the main WAN IP on 205. I CAN do SSH through any of them ... just NOT RDP.

Any suggestions? I have tried changing the VIP types from IP Alias to Other, Arp Proxy, and CARP but nothing works. Would love to get this working. Thank you!

Since you're coming from outside, are you sure the Windows Firewall has a rule to let it in from outside your local network?  I've been bitten by that before.

NAT / Re: Assistance with an internal port forward
« on: November 04, 2015, 09:20:08 am »
For anyone wondering what I ended up doing was setting up DNS entries for the different servers.

Externally, they all point to the same IP, internally, to the different servers.
As I get my hands on the devices with the old config, I'll update them accordingly.

Since it's all going off a single IP, the external devices which I can't update would work just as well with as with when it comes to the port forward externally.

NAT / Re: Assistance with an internal port forward
« on: November 03, 2015, 08:54:04 am »
^ exactly... You also have some moron hard-coding ports in the URL??  This is also really bad practice if you ask me...

Also, let's clarify "hardcode": are you saying the application has it in its code, and to change that it has to be recompiled?  Or are you saying it's in the registry and/or a conf or ini file that controls the application, and you just don't want to push out the update to the configuration?

It's not that they don't want to push out the configuration, but that the devices it's on need to have the configuration changed, which can't be done remotely.  (Not that they don't want to push out config, but that there's no mechanism to do so here). An example using the Icecast server.  It's a playlist included with the device that has the proper URI to the Icecast server.  I could change it in the config on their devices, but I can't do that without the device.  Remotely changing it isn't an option.  On the one I have sitting next to me, I already did, but the guy three states over, not so much.

However, they won't be available to change any time in the near future.  If I change it to multiple subdomains off the hostname, I break it for everyone who's currently remote.  If I don't, I'm apparently breaking (or rather, not making it work) for everyone who is local at the moment.

Only possible workable solution if port forwarding is not an option is to use DNS to make multiple names, and deal with the remote ones as they come in.
It looks like it's going to be a case of "It's definitely not the best way, it's just the only way".

NAT / Re: Assistance with an internal port forward
« on: November 02, 2015, 06:36:49 pm »
I try to tell people that shouldn't be used as a hostname. I always lose. Whoever did that painted you into a corner.

So you're saying both those URLs need to go to different destination servers?

Yes, you'll need a port forward.  Doing it with the clients on the same subnet as the servers is going to be pretty hokey. You see, NAT is a router function and you don't route same-subnet traffic so anything that "works" will be a hack.

My recommendation is to put the servers (which you say you can change) on a different subnet and NAT port forwards will work fine. But you've already said you can't do that either.

You might try enabling the NAT destination IP again and checking Static route filtering in System > Advanced > Firewall/NAT tab.

Well it's not specifically, I don't think they want me mentioning their real one.  But I agree.  My home setup has an internal domain, but I use,, etc to separate them even when they all point to the same IP externally.

For the static route filtering option, it refers to defined interfaces, not physical ones, right?

Do you have any idea at all why the NAT rule I have in the picture I uploaded earlier works when it's destination is * vs any one IP/Alias?

EDIT: the static route filtering option didn't make a difference, if it absolutely can't be done without forwarding ALL destinations at that port, I'll have to tell them it can't be done.
