

Messages - Derelict

Pages: [1] 2 3 4 5 ... 650
1
NAT / Re: Intermittent NAT failures
« on: February 15, 2018, 10:11:49 pm »
How many states? I am unsure what the behavior is if there is not an available ephemeral source port for the outbound translation. You might need a pool of outbound NAT addresses if that is the case.

If you are truly seeing something intermittent there, that would be something I would certainly look at, especially if it only occurs during periods of high traffic. That would take tens of thousands of simultaneous connections all to the same destination protocol:host:port however and seems unlikely.

Have you done anything like setting static source ports, reducing the available ephemeral source ports or maybe something else with outbound NAT?
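Added example, not from this thread or from pfSense: a small Python check that makes the per-destination source-port pool concrete. It parses constructed sample lines in the shape of `pfctl -ss` output (IPv4 only; the exact column layout and the pf default translation range of 50001-65535 are assumptions and are parameters), counts states that share one translated source address and one destination protocol:host:port, and flags any destination whose count is closing in on the pool size.

```python
import re
from collections import Counter

# Constructed sample lines shaped like `pfctl -ss` output (not a real capture).
# The parenthesised socket is the pre-NAT inside source; the socket before it
# is the translated outbound NAT source.
SAMPLE_STATES = """\
all tcp 203.0.113.5:50001 (10.0.0.5:40001) -> 198.51.100.10:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:50002 (10.0.0.6:40002) -> 198.51.100.10:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:50003 (10.0.0.7:40003) -> 198.51.100.10:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:50010 (10.0.0.5:5353) -> 198.51.100.20:53       MULTIPLE:MULTIPLE
all tcp 203.0.113.5:50004 (10.0.0.8:40004) -> 198.51.100.30:443       ESTABLISHED:ESTABLISHED
"""

# Assumed pf default translation port range when an outbound NAT rule gives none.
DEFAULT_NAT_PORTS = (50001, 65535)

# Assumed line layout: "<if> <proto> <xlated src:port> (<inside src:port>) -> <dst:port> ..."
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<xsrc>[0-9.]+):(?P<xport>\d+)\s+"
    r"\((?P<isrc>[0-9.]+):(?P<iport>\d+)\)\s+->\s+"
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)"
)


def parse_states(text):
    """Return one (proto, translated_src, dst, dport) tuple per NAT state line.
    Lines without a parenthesised (untranslated) socket are not NAT states and are skipped."""
    keys = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            keys.append((m["proto"], m["xsrc"], m["dst"], int(m["dport"])))
    return keys


def states_per_destination(text):
    """Count states competing for the same source-port pool. pf needs a unique
    (proto, translated src, src port, dst, dst port) tuple per state, so the pool
    is consumed per destination protocol:host:port, not globally."""
    return Counter(parse_states(text))


def pool_headroom(count, port_range=DEFAULT_NAT_PORTS):
    """Ports left in the translation range for one destination key; <= 0 means a
    new outbound connection to that destination has no source port to translate to."""
    lo, hi = port_range
    return (hi - lo + 1) - count


def exhaustion_report(text, warn_fraction=0.9, port_range=DEFAULT_NAT_PORTS):
    """Destination keys whose state count has reached warn_fraction of the pool."""
    lo, hi = port_range
    pool = hi - lo + 1
    return sorted(key for key, n in states_per_destination(text).items()
                  if n >= warn_fraction * pool)


if __name__ == "__main__":
    for key, n in states_per_destination(SAMPLE_STATES).most_common():
        print(f"{key[0]} {key[1]} -> {key[2]}:{key[3]}: {n} states, "
              f"{pool_headroom(n)} ports left")
    print("near exhaustion:", exhaustion_report(SAMPLE_STATES))
```

Feeding real `pfctl -ss` output through the same grouping shows quickly whether any single destination is anywhere near the pool; if one is, a pool of outbound NAT addresses (or a wider port range on the rule) is the fix, and if none is, the intermittent failure lies elsewhere.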

2
Then only one or none should be connected to wired I would think.

If they expect functioning STP on home networks they're in for a long, hard ride.

3
Why wireless and wired on the sonos? Shouldn't it be one or the other?

The easiest way to prevent layer 2 loops would be to not make the loop in the first place.

4
Hardware / Re: pfSense on Dell R710
« on: February 14, 2018, 02:04:56 am »
It should run like a scalded ape on an R710. Unless you are caching, hard drive speed is pretty much irrelevant. Even if you are caching it is pretty much irrelevant.

I have never had any issues with the Broadcom drivers. They seem fine. In fact, a few years ago, pfSense sold some used Dells. Can't remember the model but pretty sure they had bce NICs. Have personal experience running on some old IBM 1Us with zero issues. bce NICs there too.

Nothing wrong with a drive mirror for an install such as this. Though on that hardware you would be a candidate to try leaving the controller in JBOD and running a ZFS mirror if you put 8GB+ into it.

Install it and try it. Don't cost nothin'.

5
Virtualization installations and techniques / Re: Azure Firewall Setup
« on: February 13, 2018, 10:21:29 pm »
Quote: "In Azure I have two virtual subnets 10.0.3.0/24 and 10.0.2.0/24"
Looks like that LAN interface is 10.0.2.4/32 to me.

6
Hardware / Re: WAN port gets reassigned to add-on NIC
« on: February 13, 2018, 10:19:10 pm »
Good to hear.

Always nice to have more router ports.

7
Virtualization installations and techniques / Re: Azure Firewall Setup
« on: February 13, 2018, 09:08:26 pm »
Did you try it like I suggested with an interface on the LAN subnet + NAT instead of those publics?

Azure has zero way of knowing it needs to route those inside publics to the pfSense WAN. If it is going to be possible, that needs to happen.

8
NAT / Re: Intermittent NAT failures
« on: February 13, 2018, 08:15:00 pm »
What are we looking at there?

What interface is em1?

What do the states look like?

What rule is creating them?

What are your Outbound NAT rules?

You mentioned TCP is not affected but that pcap shows presumably outbound SYNs from 10.0.0.0/8 addresses. Hard to say whether those were translated or not since details were not provided.

9
Virtualization installations and techniques / Re: Azure Firewall Setup
« on: February 13, 2018, 04:22:25 pm »
That can be done if:

1. Azure will route public addresses to the public address of pfSense. In this case you might be able to just use the publics as they are.

2. Azure will allow multiple public addresses on the WAN interface.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-powershell

You might be able to get away with one outside address for multiple inside servers by using something like HAProxy to steer the traffic to the correct server based on requested hostname or SNI.
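Added example, not from the post and not a pfSense package default: an HAProxy configuration that does the SNI steering described above. One public address is bound on 443, the TLS ClientHello is inspected in TCP mode so the proxy never needs the servers' certificates, and each hostname is passed through to its inside server. The hostnames and inside addresses are placeholders.

```haproxy
# Added example (not from the forum post). One outside address, several
# inside servers, selected by TLS SNI with TLS passed through untouched.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    # Hold the connection until the ClientHello has arrived so req.ssl_sni is set
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Assumed placeholder hostnames and backends
    use_backend web1 if { req.ssl_sni -i www1.example.com }
    use_backend web2 if { req.ssl_sni -i www2.example.com }
    default_backend reject_unknown

backend web1
    mode tcp
    server web1 10.0.2.10:443 check

backend web2
    mode tcp
    server web2 10.0.2.11:443 check

backend reject_unknown
    mode tcp
    # No servers: a connection with an unknown or missing SNI is refused
    # instead of being forwarded to an arbitrary inside host.
```

Because this is TCP-mode passthrough, HAProxy sees only the SNI, not the HTTP request; for plain HTTP on port 80, or if you terminate TLS on the proxy, the equivalent steering uses the Host header (`req.hdr(host)`) in an `http` mode frontend instead. Clients that send no SNI at all land in the empty backend, which is the behaviour you want when the alternative is leaking one tenant's traffic to another's server.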

10
IPv6 / Re: Setup Dual Stack with NAT on v4
« on: February 13, 2018, 03:57:23 pm »
Doesn't really matter where he is. IPv6 is IPv6. If they will only give a single /64 it is the wrong product for the use case.

Not that I know of. Best case would probably be NPt with a ULA /64 on the inside interface. You would have to set up VIPs on the WAN which doesn't scale because you need something out there to respond to neighbor discovery.

A routed /64, /56, or /48 is what you want. Did you ask if that was available?

11
Virtualization installations and techniques / Re: Azure Firewall Setup
« on: February 13, 2018, 03:44:17 pm »
I don't think you can do that.

I would put one on the same subnet as the LAN interface and try changing the 0.0.0.0/0 route on that and see if you at least can get a normal, natted LAN connection going.

12
IPv6 / Re: Setup Dual Stack with NAT on v4
« on: February 13, 2018, 03:16:38 pm »
That is fine but it is not how IPv6 works.

Every interface gets a /64.

At a minimum they should put a /64 on the interface and route a /64 to you over that so you can put it on the inside interface for use on inside hosts.

Don't get mired in IPv4 depletion practices when deploying IPv6. They are completely different things. There is no scarcity in IPv6.

13
Please provide more details such as the type of OpenVPN you set up (SSL/TLS, etc.)

And what you are putting in the Local and Remote Network fields on each side, the Tunnel network settings, etc.

14
IPv6 / Re: Setup Dual Stack with NAT on v4
« on: February 13, 2018, 02:12:10 pm »
I would ask them to route you a /48 in addition to the WAN interface /64.

They shouldn't have any issue with that.

15
Virtualization installations and techniques / Re: Azure setup
« on: February 13, 2018, 12:52:04 pm »
You want LAN public IPs to be routed from the outside to the inside VMs on the pfSense inside interface?

Does Azure even support routing like that? Without NAT, they would have to know to route the traffic to those addresses to the pfSense WAN address.
