
Messages - Trel

Pages: 1 2 3 4 [5] 6 7 8 9 ... 25
Firewalling / Question about rules when redirecting DNS to firewall
« on: October 25, 2015, 01:15:34 pm »
I was looking at this:

It said "If DNS requests to other DNS servers are blocked, such as in the Blocking DNS queries to external resolvers example, ensure the rule to pass DNS to is above any rule that blocks DNS. "

My question is if my DNS block rule blocks DNS requests to destinations which are "NOT This Firewall", then that line would not apply, correct?

Well, the back button in the browser behaves differently than loading the previous page from scratch. Using the back button (depending on how the pages are programmed) can show the previous page with all forms filled in or selected as the user did earlier, which may not be desirable (especially when the user is troubleshooting or not sure what to select, etc.).

Having a separate "Cancel" button was useful to make sure that the user can abandon/restart the current workflow without any side effects, making 100% sure that possible mistakes made on the previous pages are all wiped out.

This is the big reason I would agree with this.
And I definitely have been bitten (not on pfSense) by form/session data preserved by hitting back that wouldn't be if there was a fresh page load.
Another reason is that sometimes a back button can bring you back to a redirect page and you'll just end up in a loop, especially on mobile devices which may not be as graceful.

I always use a cancel button or breadcrumb link when available rather than hitting back.

Installation and Upgrades / How to set up with no WAN
« on: October 14, 2015, 08:54:51 am »
I'm installing on a spare laptop to test a few things.
I only want a LAN interface, but I can't see any way to set nothing for the WAN. If I choose em0 for the WAN, I'm unable to select anything but the wireless card for the LAN, and vice versa.

Is there anything I can do to bypass setting up a WAN interface?

DHCP and DNS / Re: NameCheap - A record not found
« on: September 02, 2015, 04:03:16 pm »
Trel, my TLD is a .info. I've been forcing my connection through work so I'm outside my network, but still getting the same results.

johnpoz, I'll send you the PM. Thank you!

Could you post the specific host/domain you're trying to update, you can mask it if you want, so something like

So is your setup

host: @


host: sub


host: @

(I know in my case, I had to use the custom option and do this<domain>&password=<password>&ip=%IP%
because of )

DHCP and DNS / Re: NameCheap - A record not found
« on: September 01, 2015, 02:48:21 pm »
Quick question, are you using an @ record with a domain that has a TLD with a period in it other than "", or an @ record off a subdomain like

Firewalling / Re: Question on one of my rules (or more)
« on: August 20, 2015, 09:19:17 am »
Yes.  A better way to do what you want without source LAN net dest LAN net would be source LAN net dest LAN address.

But on 2.2+ This Firewall is the way to go.

I'll change it to "This Firewall" over the weekend and then I'll do a test with the virtual IP case to see if pfSense handles that or if it's covered by the switching layer.

Firewalling / Re: Question on one of my rules (or more)
« on: August 19, 2015, 02:56:04 pm »
What rare event do you anticipate that involves traffic for LAN net being routed to your LAN interface?

Something from LAN to Firewall (other than the ports in anti-lockout) or LAN to Virtual IP on firewall.
(More specifically that second one as I don't know if the "This Firewall" option would cover that.)

Firewalling / Question on one of my rules (or more)
« on: August 19, 2015, 12:59:53 pm »
For that one rule the LAN -> LAN pass.
Is there ANY, not just usual, but any (if the only situation would be LAN->This Firewall, I want to change it to that.)

Other than that, is there anything else that should be changed or simplified?

The "Local_Networks" alias in the "LAN -> Local_Networks" rule is an alias containing the subnets for all interfaces I have, so I can put a block above the allow-any rule and then just pass the inter-interface traffic I want (such as letting the printer communicate with the guest network).

(And the LAN_DHCP -> * block is to block people who pull a DHCP address from getting online if they fall in the DHCP range rather than the static leases I assigned, as a quick way to find people who plug into the wrong network.  This is a home network, so I just smack people upside the head when they do this if I get the "I can't get online" bit)
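The rule-ordering questions in the two firewalling threads above (whether a "block DNS to NOT This Firewall" rule still needs the pass-to-firewall rule above it, and how the LAN_DHCP block, the "LAN -> This Firewall" pass and the "LAN -> Local_Networks" block interact) can be checked against a toy model of pfSense's first-match interface rules. This is an added example, not code from the threads or from pfSense: it assumes the default "quick" behaviour on interface tabs (first matching rule wins, implicit default deny), and the subnets, the DHCP pool range, the printer address and the VIP are all constructed.

```python
"""Toy first-match evaluator for pfSense-style interface rules.

Added example; not code from the forum threads or from pfSense itself.
Models the default interface-tab behaviour (rules are "quick": the first
matching rule wins and evaluation stops, with an implicit default deny)
on a constructed topology. Every address and alias below is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

IP = ipaddress.ip_address
Pred = Callable[[ipaddress.IPv4Address], bool]

# Constructed topology (assumed, not from the threads).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("192.168.2.0/24")
LAN_ADDRESS = IP("192.168.1.1")
LAN_VIP = IP("192.168.1.2")                   # assumed IP-alias VIP on LAN
# Model of "This Firewall": every address the box owns. Whether a given VIP
# is covered by pfSense's own "This Firewall" must be verified on the box.
THIS_FIREWALL = {LAN_ADDRESS, LAN_VIP, IP("192.168.2.1")}
LOCAL_NETWORKS = [LAN_NET, GUEST_NET]         # the "Local_Networks" alias
PRINTER = IP("192.168.1.50")                  # assumed printer on LAN


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: Pred              # predicate on the source address
    dst: Pred              # predicate on the destination address
    dport: Optional[int]   # None means any destination port
    name: str


def in_nets(nets) -> Pred:
    return lambda ip: any(ip in n for n in nets)


def in_range(lo: str, hi: str) -> Pred:       # a DHCP pool as an address range
    lo_ip, hi_ip = IP(lo), IP(hi)
    return lambda ip: lo_ip <= ip <= hi_ip


def is_host(host) -> Pred:
    return lambda ip: ip == host


def is_firewall(ip) -> bool:
    return ip in THIS_FIREWALL


def negate(pred: Pred) -> Pred:               # the "not" checkbox on a rule field
    return lambda ip: not pred(ip)


def any_addr(ip) -> bool:
    return True


def evaluate(rules: List[Rule], src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else default deny."""
    s, d = IP(src), IP(dst)
    for r in rules:
        if r.src(s) and r.dst(d) and (r.dport is None or r.dport == dport):
            return r.action, r.name
    return "block", "default deny"


# Two ways of writing the "block DNS to other resolvers" rule from the DNS thread.
BLOCK_DNS_ALL = Rule("block", in_nets([LAN_NET]), any_addr, 53, "block DNS to any")
BLOCK_DNS_NOT_FW = Rule("block", in_nets([LAN_NET]), negate(is_firewall), 53,
                        "block DNS to NOT This Firewall")
PASS_DNS_FW = Rule("pass", in_nets([LAN_NET]), is_firewall, 53,
                   "pass DNS to This Firewall")


def dns_to_firewall(block_rule: Rule, pass_first: bool) -> str:
    """Action for a LAN client querying the firewall's own resolver on port 53."""
    rules = [PASS_DNS_FW, block_rule] if pass_first else [block_rule, PASS_DNS_FW]
    return evaluate(rules, "192.168.1.10", str(LAN_ADDRESS), 53)[0]


# The LAN ruleset discussed in the "Question on one of my rules" thread.
LAN_RULES = [
    Rule("block", in_range("192.168.1.200", "192.168.1.250"), any_addr, None,
         "LAN_DHCP -> * block"),
    Rule("pass", in_nets([LAN_NET]), is_firewall, None, "LAN -> This Firewall"),
    Rule("pass", is_host(PRINTER), in_nets([GUEST_NET]), None, "printer -> guest"),
    Rule("block", in_nets([LAN_NET]), in_nets(LOCAL_NETWORKS), None,
         "LAN -> Local_Networks block"),
    Rule("pass", in_nets([LAN_NET]), any_addr, None, "LAN -> * pass"),
]


def lan_decision(src: str, dst: str) -> str:
    """Name of the LAN rule that decides a given flow."""
    return evaluate(LAN_RULES, src, dst)[1]


if __name__ == "__main__":
    print("block-any DNS, block first   :", dns_to_firewall(BLOCK_DNS_ALL, False))
    print("block-any DNS, pass first    :", dns_to_firewall(BLOCK_DNS_ALL, True))
    print("NOT This Firewall, block first:", dns_to_firewall(BLOCK_DNS_NOT_FW, False))
    for src, dst in [("192.168.1.10", "1.1.1.1"), ("192.168.1.10", "192.168.2.20"),
                     ("192.168.1.50", "192.168.2.20"), ("192.168.1.210", "1.1.1.1"),
                     ("192.168.1.10", "192.168.1.2")]:
        print(f"{src} -> {dst}: {lan_decision(src, dst)}")
```

With a block-everything DNS rule the pass-to-firewall rule is only reached when it sits above the block; with the destination inverted to "NOT This Firewall" the block rule never matches traffic to the firewall, so the order of those two rules stops mattering. In the LAN ruleset the DHCP-pool block sits first so it wins even for traffic the later passes would allow, and the VIP case only passes because the model's THIS_FIREWALL set includes the VIP, which is exactly the assumption the thread says still has to be tested on the real box.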

I find this hard to believe to be honest..
That doesn't change the fact that it's happened.
I do not have a custom URL set, nor did I choose the opposite architecture in the settings.
The only ISO I have for install is the amd64 one.

If I back up my config, the only option from the firmware section is


I've seen a number of posts from people this happened to.  The answer is always that they must have changed the URL to the i386 one at some point, or restored a backup that had it set, but I checked my last 6 months of backups, and none have any set.  Plus my last install was with a USB with a /conf/config.xml file on a USB drive.  That was still sitting on top of my box.  It wasn't set in that one either.  Something is downloading the auto-updates from the wrong repo.

Every time I use the auto updater, it knocks me from amd64 to i386.
I do not have any server manually set.

It has done this multiple times over multiple upgrades.

I now need to schedule downtime again to do a fresh install.  Is there any way to prevent, or at least get some sort of warning, if it's going to change the architecture so I can abort the upgrade?

I run DHCP, but it's static entries.

I couldn't do that per se.

What I did do was compare a new config backup to the one I did prior to the install.

I don't see anything that could have caused it.  The only change other than the packages being in a different order and a few new preferences existing (such as hiding deprecated ones, etc) that should have no bearing, is an internal nat rule which again shouldn't cause this.

Short of rolling back to 2.2.2 and testing with actual monitoring happening, is there anything else I could look at?
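The check described in the posts above (look through the saved config backups for a manually set update URL, then compare the post-upgrade backup against the one taken before it) can be scripted rather than eyeballed. The following is an added example, not code from the thread or from pfSense: it assumes the 2.2-era config.xml layout in which a manual update URL lives under system/firmware/alturl (with an enable flag and a firmwareurl child), and the two XML documents embedded in it are constructed, heavily trimmed stand-ins for real backups. It keys repeated package entries by their name so a mere reordering of installed packages, as the post describes, is not reported as a change.

```python
"""Diff two pfSense config.xml backups and report any manual update URL.

Added example; not code from the forum thread or from pfSense itself.
Assumes the 2.2-era layout system/firmware/alturl/{enable,firmwareurl}.
The two configs below are constructed stand-ins, not real backups.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Optional

OLD_CONFIG = """<pfsense>
  <version>11.0</version>
  <system>
    <hostname>fw</hostname>
    <firmware/>
  </system>
  <installedpackages>
    <package><name>pfBlocker</name><version>1.0</version></package>
    <package><name>OpenVPN Client Export</name><version>1.2</version></package>
  </installedpackages>
</pfsense>"""

NEW_CONFIG = """<pfsense>
  <version>11.1</version>
  <system>
    <hostname>fw</hostname>
    <firmware>
      <alturl>
        <enable/>
        <firmwareurl>https://example.invalid/updates/i386</firmwareurl>
      </alturl>
    </firmware>
  </system>
  <installedpackages>
    <package><name>OpenVPN Client Export</name><version>1.2</version></package>
    <package><name>pfBlocker</name><version>1.0</version></package>
  </installedpackages>
</pfsense>"""


def flatten(elem: ET.Element, prefix: str = "") -> Dict[str, str]:
    """Map every leaf path to its text.

    Repeated siblings are keyed by their <name> child when they have one
    (so reordered <package> entries compare equal), otherwise by index.
    """
    out: Dict[str, str] = {}
    children = list(elem)
    if not children:
        out[prefix or elem.tag] = (elem.text or "").strip()
        return out
    counts = Counter(c.tag for c in children)
    seen: Counter = Counter()
    for child in children:
        name = child.find("name")
        if name is not None and (name.text or "").strip():
            key = f"{child.tag}[name={name.text.strip()}]"
        elif counts[child.tag] > 1:
            key = f"{child.tag}[{seen[child.tag]}]"
        else:
            key = child.tag
        seen[child.tag] += 1
        out.update(flatten(child, f"{prefix}/{key}" if prefix else key))
    return out


def diff_configs(old_xml: str, new_xml: str) -> Dict[str, List[str]]:
    """Paths added, removed, or whose text changed between two backups."""
    old, new = flatten(ET.fromstring(old_xml)), flatten(ET.fromstring(new_xml))
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }


def update_url(config_xml: str) -> Optional[str]:
    """Return the manual update URL if alturl is enabled and set, else None."""
    alt = ET.fromstring(config_xml).find("system/firmware/alturl")
    if alt is None or alt.find("enable") is None:
        return None
    return alt.findtext("firmwareurl", default="").strip() or None


if __name__ == "__main__":
    # Usage: python diff_config.py old.xml new.xml   (defaults to the samples)
    if len(sys.argv) == 3:
        old_xml, new_xml = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        old_xml, new_xml = OLD_CONFIG, NEW_CONFIG
    for label, xml in (("old", old_xml), ("new", new_xml)):
        print(f"{label}: manual update URL = {update_url(xml)}")
    for kind, paths in diff_configs(old_xml, new_xml).items():
        for path in paths:
            print(f"{kind:8} {path}")
```

Run against a set of dated backups in a loop, the update_url() result shows at a glance whether any of them ever carried a manual URL; the diff output then narrows the remaining differences to the handful of paths worth reading by hand. On the box itself, `uname -m` reports the architecture actually running, which is the quickest way to confirm what an upgrade left behind.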

I'm aware of that.  It's just not something I do on a home network.
I'll verify the settings when I'm home again, but that's the extent of what I can do now.

It's too late at this point.
It already happened to all computers.

I'm trying to figure out what happened after the fact.

So you have no rollback contingency in case something that affected your setup wasn't caught before ESF rolled out an update?

I have a backup of my old config and a 2.2.2 iso.

This is a home network.  I am allowed to hit people who complain about downtime.

