


Messages - Derelict

Pages: [1] 2 3 4 5 ... 654
1
Use the ID of the inside pfSense interface.

2
Firewalling / Re: Blocking RFC 1918 traffic not working
« on: Today at 04:25:41 pm »
You cannot use a layer 3 device (like pfSense) to isolate layer 2 clients from each other. That has to be done in your switching or wireless infrastructure.

Client-to-client traffic occurs on the same subnet. The firewall is not involved at all.

4
What do you mean "wouldn't allow?" Please expand. I have done just that many times.

5
You might ask them to put that list on their webserver in a plain-text format. That way you could just periodically update a URL type alias from their site.

Absent that, yes, you will probably need to keep the alias updated yourself.

6
OpenVPN / Re: LAN to LAN not routing
« on: Today at 04:14:16 am »
In an SSL/TLS server with a tunnel network as a /29 or larger, the server is in server mode, not peer-to-peer mode.

The Remote Networks in the Server configuration establish kernel routes into the OpenVPN server instance.

When the packet is in OpenVPN it needs an iroute to know which client to send the traffic to even if there is only one.

These iroutes are most-easily-established using the Remote Networks in a Client-Specific Override.

The same holds true for a Remote Access SSL/TLS server but rarely comes into play because the server is only exchanging traffic with the client's tunnel address, not a network routed behind the tunnel address. Routing to the tunnel address does not require an iroute because the server knows to which client each tunnel address belongs.

In shared-key mode you can only have one client. Even if you give a /24 as a tunnel address it is treated as a /30.

From the book in the SSL/TLS Server Section:

Quote
The last piece of the puzzle is to add Client Specific Overrides for each client site. These are needed to tie a client subnet to a particular certificate for a site so that it may be properly routed.

    Navigate to VPN > OpenVPN, Client Specific Overrides tab
    Click + to add a new override
    Fill in the fields on this screen as follows:

Common Name:   Enter the CN of the first client site. In this example, that is clientB.
IPv4 Remote Network:
    This field sets up the required iroute so enter the clientB LAN subnet, 10.5.0.0/24

    Click Save

I didn't notice the TAP mode. Yeah. Use tun mode.
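The two-stage lookup described in this post (kernel route into the tun interface first, then an iroute inside OpenVPN to pick the client) modelled in Python. This is an added example, not code from the post, the pfSense project or the book; the server config, ccd files, tunnel addresses and the interface name ovpns1 are all constructed, and clientC's subnet is deliberately given a route but no ccd file to show the packet that the kernel forwards but OpenVPN cannot deliver.

```python
"""Two-stage routing into an OpenVPN SSL/TLS site-to-site server.

Stage 1 is the kernel: 'route' lines in the server config (what pfSense
calls Remote Networks) send packets for a client's LAN into the tun
interface.  Stage 2 is OpenVPN itself: it needs an 'iroute' for that LAN,
learned from the client's ccd file (a Client Specific Override), to know
which connected client receives the packet.  A tunnel address needs no
iroute because the server already knows which client holds it.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed server.conf fragment; subnets follow the book's clientB example.
# The second 'route' (clientC's LAN) has no ccd file, to show the failure mode.
SERVER_CONF = """\
server 10.0.8.0 255.255.255.248
route 10.5.0.0 255.255.255.0
route 10.6.0.0 255.255.255.0
client-config-dir ccd
"""

# Constructed ccd/<CN> files, keyed by certificate common name.
CCD_FILES: Dict[str, str] = {
    "clientB": "iroute 10.5.0.0 255.255.255.0\n",
}

# Constructed: tunnel addresses the server handed to connected clients.
TUNNEL_ADDRS: Dict[str, str] = {"clientB": "10.0.8.2"}

TUN_IF = "ovpns1"  # assumed interface name of the server instance


def _net(addr: str, mask: str) -> Net:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_server_routes(conf: str) -> Tuple[Net, List[Net]]:
    """Return (tunnel network, kernel routes) from 'server' and 'route' lines."""
    tunnel: Optional[Net] = None
    routes: List[Net] = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "server":
            tunnel = _net(parts[1], parts[2])
        elif len(parts) >= 3 and parts[0] == "route":
            routes.append(_net(parts[1], parts[2]))
    if tunnel is None:
        raise ValueError("no 'server' line in config")
    return tunnel, routes


def parse_iroutes(ccd: Dict[str, str]) -> Dict[Net, str]:
    """Map each iroute network to the CN whose ccd file declares it."""
    iroutes: Dict[Net, str] = {}
    for cn, text in ccd.items():
        for line in text.splitlines():
            parts = line.split()
            if len(parts) >= 3 and parts[0] == "iroute":
                iroutes[_net(parts[1], parts[2])] = cn
    return iroutes


def kernel_lookup(dst: str, tunnel: Net, routes: List[Net]) -> str:
    """Stage 1: does the kernel hand this packet to the tun interface?"""
    ip = ipaddress.IPv4Address(dst)
    if ip in tunnel or any(ip in r for r in routes):
        return TUN_IF
    return "default"


def openvpn_lookup(dst: str, tunnel: Net, iroutes: Dict[Net, str],
                   tunnel_addrs: Dict[str, str]) -> Optional[str]:
    """Stage 2: which client does OpenVPN deliver to? None means dropped."""
    ip = ipaddress.IPv4Address(dst)
    if ip in tunnel:  # tunnel addresses are known per client, no iroute needed
        for cn, addr in tunnel_addrs.items():
            if ipaddress.IPv4Address(addr) == ip:
                return cn
        return None
    best: Optional[Tuple[Net, str]] = None  # longest-prefix match over iroutes
    for net, cn in iroutes.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cn)
    return best[1] if best else None


def deliver(dst: str) -> Tuple[str, Optional[str]]:
    """Return (egress interface, client CN or None) for a destination."""
    tunnel, routes = parse_server_routes(SERVER_CONF)
    iface = kernel_lookup(dst, tunnel, routes)
    if iface != TUN_IF:
        return iface, None
    return iface, openvpn_lookup(dst, tunnel, parse_iroutes(CCD_FILES), TUNNEL_ADDRS)


if __name__ == "__main__":
    for host in ("10.5.0.7", "10.6.0.7", "10.0.8.2", "192.0.2.9"):
        print(host, "->", deliver(host))
```

Running it shows 10.5.0.7 reaching clientB, 10.0.8.2 (a tunnel address) reaching clientB with no iroute involved, and 10.6.0.7 entering ovpns1 but coming back with no client: the kernel route alone is not enough, which is exactly the symptom of a missing Client Specific Override.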

7
OpenVPN / Re: LAN to LAN not routing
« on: Yesterday at 09:29:24 pm »
Ya know, this forum allows uploading of screenshots as attachments.

SSL/TLS with larger than a /30 tunnel network also requires client-specific overrides.

Try changing the tunnel network to a /30.

8
Routing and Multi WAN / Re: MultiNetting the LAN interface?
« on: Yesterday at 04:58:52 pm »
That sounds completely convoluted but you don't control NAT sourced from a specific network on rules on that network. You control them with Outbound NAT.

The easiest way is to probably enable Hybrid mode then make a NO NAT rule for the public source addresses on that WAN address.

There is no such thing as 'classic Multinet.' Putting two layer 3 networks on one layer 2 is something that should only be used to do something like transition to new addressing. It should not be used as a permanent solution to anything.

9
OpenVPN / Re: LAN to LAN not routing
« on: Yesterday at 04:36:43 pm »
Or screen shots. I would actually rather look at screen shots than the OpenVPN .conf files.

10
CARP/VIPs / Re: CARP sync failure
« on: Yesterday at 04:34:24 pm »
Glad it's working.

Status > Interfaces is probably the best tool to use for this since it lists all of the interface elements in play in order in one place.

11
Traffic Shaping / Re: What's the trick to matching on DSCP?
« on: Yesterday at 04:28:11 pm »
Hmm. I really don't like all those pass rules. For instance:

pass inet proto tcp  from any to any port 80 tracker 1517388036 flags S/SA keep state  queue (Medium)  label "USER_RULE: Web Traffic"
pass inet proto tcp  from any to any port 443 tracker 1517388051 flags S/SA keep state  queue (Medium)  label "USER_RULE: Web Traffic"
pass inet proto tcp  from any to any port 8080 tracker 1517388891 flags S/SA keep state  queue (Medium)  label "USER_RULE: Netflix"


All of those rules pass all of that traffic into WAN to any destination because they are on any interface in any direction. They are not quick but they will apply into WAN unless explicitly blocked later.

I would use match rules to get the traffic into queues.

If you are actually trying to shape inbound connections, I would set those queues on the WAN rules that pass the traffic inbound. Not on floating rules on any interface in any direction.

As to the matching of the traffic, I would look at the actual states created. Start an scp session to $animal. Replace $animal with the actual address here:

pfctl -vvss | grep -A 3 $animal

That will show the rule that actually created the state.

You can then look at the rule set.

Example:


lagg0.27 tcp 172.22.65.40:443 <- 172.21.17.223:53862       ESTABLISHED:ESTABLISHED
   [4028622099 + 63839]  [2827568173 + 41808]
   age 36:54:41, expires in 23:59:52, 49468:87001 pkts, 7928748:83412443 bytes, rule 430
   id: 030000005b237f67 creatorid: a50e3ea2


pfctl -vvsr | grep '^@430'


@430(1461729127) pass in quick on lagg0.27 inet from 172.21.17.192/26 to any flags S/SA keep state label "USER_RULE"


Be sure that is the floating rule you want. If not figure out why the rule that is creating the state is matching instead.

It looks like what you have should be working. Have to figure out why it isn't.

I don't have time to lab this right now. Sorry.
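The state-to-rule lookup described above, done offline over captured pfctl text. This is an added example, not code from the post or from pfSense: the first state and the @430 rule are the post's own sample output, the second state and the @12 rule are constructed, and the handling of NAT-translated endpoints in parentheses is an assumption about the `pfctl -vvss` format beyond what the post shows.

```python
"""Tie pf states to the rules that created them from pfctl text output.

Runs offline on captured `pfctl -vvss` (states) and `pfctl -vvsr` (rules)
output: find the states involving a host, read the 'rule N' field of each,
and look N up in the rule listing (the '@N(...)' prefix).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed `pfctl -vvss` output: the first state is the post's sample,
# the second is made up to show a state created by a different rule.
SAMPLE_STATES = """\
lagg0.27 tcp 172.22.65.40:443 <- 172.21.17.223:53862       ESTABLISHED:ESTABLISHED
   [4028622099 + 63839]  [2827568173 + 41808]
   age 36:54:41, expires in 23:59:52, 49468:87001 pkts, 7928748:83412443 bytes, rule 430
   id: 030000005b237f67 creatorid: a50e3ea2
igb1 tcp 10.9.9.9:22 <- 172.21.17.223:41000       ESTABLISHED:ESTABLISHED
   [1000 + 100]  [2000 + 200]
   age 00:00:10, expires in 23:59:59, 10:12 pkts, 1000:1200 bytes, rule 12
   id: 0300000000000001 creatorid: a50e3ea2
"""

# Constructed `pfctl -vvsr` output; @430 is the post's sample rule.
SAMPLE_RULES = """\
@12(1500000000) pass in quick on igb1 inet proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE: Allow SSH"
@430(1461729127) pass in quick on lagg0.27 inet from 172.21.17.192/26 to any flags S/SA keep state label "USER_RULE"
"""

# State header: iface proto endpoint [(nat-endpoint)] <-|-> endpoint [(nat-endpoint)] state
# The optional parenthesised NAT endpoint is an assumption, not shown in the post.
_STATE_HDR = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)(?:\s+\(\S+\))?\s+"
    r"(?P<dir><-|->)\s+(?P<b>\S+)(?:\s+\(\S+\))?\s+(?P<st>\S+)\s*$"
)
_RULE_NUM = re.compile(r"\brule (?P<num>\d+)\b")
_RULE_LINE = re.compile(r"^@(?P<num>\d+)\(\d+\)\s+(?P<body>.*)$")


def _addr(endpoint: str) -> str:
    """Strip the port: pf prints IPv4 as a.b.c.d:port and IPv6 as addr[port]."""
    if endpoint.endswith("]"):
        return endpoint[: endpoint.rindex("[")]
    if endpoint.count(":") > 1:  # bare IPv6 address without a port
        return endpoint
    return endpoint.rsplit(":", 1)[0]


def parse_states(text: str) -> List[dict]:
    """Parse `pfctl -vvss` output into one dict per state."""
    states: List[dict] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        if line and not line[0].isspace():  # unindented header starts a state
            m = _STATE_HDR.match(line)
            cur = None
            if m:
                cur = {"iface": m.group("iface"), "proto": m.group("proto"),
                       "left": m.group("a"), "dir": m.group("dir"),
                       "right": m.group("b"), "state": m.group("st"), "rule": None}
                states.append(cur)
        elif cur is not None:  # indented detail lines; one carries 'rule N'
            m = _RULE_NUM.search(line)
            if m:
                cur["rule"] = int(m.group("num"))
    return states


def parse_rules(text: str) -> Dict[int, str]:
    """Parse `pfctl -vvsr` output into {rule number: rule text}."""
    rules: Dict[int, str] = {}
    for line in text.splitlines():
        m = _RULE_LINE.match(line)
        if m:
            rules[int(m.group("num"))] = m.group("body")
    return rules


def rules_for_host(states_text: str, rules_text: str, host: str) -> List[Tuple[int, str]]:
    """For every state involving `host`, return (rule number, rule text)."""
    rules = parse_rules(rules_text)
    out: List[Tuple[int, str]] = []
    for s in parse_states(states_text):
        if host in (_addr(s["left"]), _addr(s["right"])) and s["rule"] is not None:
            out.append((s["rule"], rules.get(s["rule"], "<rule not found in listing>")))
    return out


if __name__ == "__main__":
    for num, text in rules_for_host(SAMPLE_STATES, SAMPLE_RULES, "172.21.17.223"):
        print(f"rule {num}: {text}")
```

Feed it the two captures from the firewall (the output of `pfctl -vvss` and `pfctl -vvsr` saved to files) and the host address, and each state involving that host comes back with the rule that created it, which is the check the post recommends before touching the floating rules. Note that `<-` states list the destination on the left and the source on the right, so the filter checks both endpoints.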

12
Traffic Shaping / Re: What's the trick to matching on DSCP?
« on: Yesterday at 05:30:34 am »
Hmm. What kind of floating rules? How about you post them?

13
OpenVPN / Re: Site to Site, OpenVPN config file
« on: February 22, 2018, 02:38:47 pm »
If you were using SSL/TLS, then the exporter will only show users with certificates created by the same CA set in the OpenVPN server as the Peer Certificate Authority. Without that they wouldn't be able to log in anyway so they are not shown for export.

There is no Shared Key remote access server so I don't know what you actually did.

Why are we talking about the Windows client when you're dealing with a site-to-site?


14
NAT / Re: NAT/Port Forwarding not working
« on: February 22, 2018, 02:00:58 pm »
And the firewall logs will not include passed traffic unless you explicitly tell that pass rule to log.

You need to be looking exclusively at packet captures, pretty much.

15
OpenVPN / Re: LAN to LAN not routing
« on: February 22, 2018, 01:57:29 pm »
Shouldn't matter to this issue but what are you trying to do with those SMB rules? They don't make a lot of sense. WAN net is not the internet. WAN net is the subnet of the WAN interface. Any is the internet.

You are going to have to post more data. Like the OpenVPN connection profiles on each side, the routing tables, etc.
