

Messages - Derelict

31
It could be a hardware fault but there is really no way to know with the information being provided.

32
Routing and Multi WAN / Re: WAN ISP insists on DHCP for static IPs
« on: February 11, 2018, 10:21:23 pm »
I would agree that ISP service profile and provisioning is junk.

33
Read up one post. There is no identifiable problem with the firewall software. I would suggest starting another thread detailing exactly what you are seeing instead.

34
How is the switchport connected to cxgb0 currently configured?

What, specifically, isn't working?

You are going to have to be very specific to overcome this language barrier.

35
Please describe EXACTLY what interface you are talking about and please post the screen shots of Interfaces > Assignments and the switch port you are connecting to pfSense.

Setting the PVID (native) here says you want the traffic UNTAGGED on that port:


interface Ethernet1/40
  switchport mode trunk
  switchport trunk native vlan 10
  switchport trunk allowed vlan 1-10


If it is tagged on one interface it has to be tagged on the other.

36
That is still not tagging LAN with VLAN ID 2.

Create VLAN 2 on interface igb1

Change the Network port for LAN to VLAN 2 on igb1

Patch igb1 to a trunk port with VLAN 2 tagged on it.

Be sure the firewall rules on LAN pass the desired traffic that will be inbound to it.

37
Routing and Multi WAN / Re: WAN ISP insists on DHCP for static IPs
« on: February 11, 2018, 08:08:12 pm »
There is no way to get a DHCP CARP VIP so it is never going to work.

38
If you want OPT1 to talk VLAN 2 to a Cisco trunk port, the OPT1 interface needs to be assigned to VLAN 2 on ethX on pfSense. With ethX being whatever that physical interface is.

39
If pfSense is connected to Ethernet 1/40 you have to assign the pfSense interface to VLAN 2. Is this ESXi or what? Where is pfSense? Physical or virtual?

What is the exact physical layout? What is connected to what?

40
General Questions / Re: Logging Internet Dropouts
« on: February 11, 2018, 04:45:36 pm »
Are you running suricata?

41
General Questions / Re: Logging Internet Dropouts
« on: February 11, 2018, 04:44:59 pm »
The pfSense quality graph is also quite valuable for detection in the outbound direction.


If you have gateway monitoring on WAN (the default setting), the system is automatically keeping track of two pings per second in Status > Monitoring.

From there select settings, change the left axis to Quality / WANGW (or the local equivalent).

A good place to start with Options: 8 hours, Resolution: 1 minute.

Another place to check is in Status > System Logs, Gateways. Any events there with "Alarm" in them are times when the ping monitor had excessive loss or latency.

A failure will look something like this: Jan 7 15:05:31 dpinger WANGW 8.8.8.8: Alarm latency 0us stddev 0us loss 100%

Lines like this are just the dpinger process starting or reloading and are normal:

dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.4.4 bind_addr 198.51.0.16 identifier "DSLGW "

Sometimes it is beneficial to change your monitoring address to something further out. In that example you can see that I am monitoring a Google DNS server there. In general, monitoring the ISP gateway is fine if it reliably responds to pings. Changes to the monitor IP address can be made in System > Routing and editing the appropriate gateway.
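To make the "look for Alarm, ignore dpinger restarts" advice above concrete, here is an added example (not part of the post or of pfSense) that parses Gateways log lines of the two shapes shown, separates Alarm/Clear events from normal dpinger start/reload lines, and pairs each Alarm with its following Clear. The Alarm and startup line formats are taken from the post; the "Clear" line format and the extra timestamps in the sample are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Alarm/Clear event line as seen in Status > System Logs > Gateways.
# The Alarm form comes from the post; the Clear form is assumed to match it.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+dpinger\s+"
    r"(?P<gw>\S+)\s+(?P<mon>\S+):\s+(?P<kind>Alarm|Clear)\s+"
    r"latency\s+(?P<lat>\d+)us\s+stddev\s+(?P<sd>\d+)us\s+loss\s+(?P<loss>\d+)%"
)
# dpinger start/reload line: normal operation, not an outage (timestamp optional).
START_RE = re.compile(r'dpinger\s+send_interval\s+\d+ms\b.*\bidentifier\s+"(?P<gw>[^"]*)"')

@dataclass
class GatewayEvent:
    timestamp: str
    gateway: str
    monitor_ip: str
    kind: str        # "Alarm" = loss or latency exceeded the threshold; "Clear" = recovered
    latency_us: int
    stddev_us: int
    loss_pct: int

def parse_gateway_log(lines: List[str]) -> Tuple[List[GatewayEvent], List[str]]:
    """Return (alarm/clear events, names of gateways whose dpinger started or reloaded)."""
    events, restarts = [], []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(GatewayEvent(m["ts"], m["gw"], m["mon"], m["kind"],
                                       int(m["lat"]), int(m["sd"]), int(m["loss"])))
            continue
        m = START_RE.search(line)
        if m:
            restarts.append(m["gw"].strip())   # identifier carries a trailing space
    return events, restarts

def alarm_episodes(events: List[GatewayEvent]) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Per gateway: (alarm_time, clear_time) pairs; clear_time is None if still in alarm."""
    episodes: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for ev in events:
        lst = episodes.setdefault(ev.gateway, [])
        if ev.kind == "Alarm":
            lst.append((ev.timestamp, None))
        elif lst and lst[-1][1] is None:
            lst[-1] = (lst[-1][0], ev.timestamp)
    return episodes

# Constructed sample: the post's two lines (startup line given a timestamp) plus assumed Clear/Alarm lines.
SAMPLE_LOG = [
    'Jan 7 15:05:20 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.4.4 bind_addr 198.51.0.16 identifier "DSLGW "',
    "Jan 7 15:05:31 dpinger WANGW 8.8.8.8: Alarm latency 0us stddev 0us loss 100%",
    "Jan 7 15:06:02 dpinger WANGW 8.8.8.8: Clear latency 18210us stddev 1542us loss 0%",
    "Jan 7 18:40:11 dpinger WANGW 8.8.8.8: Alarm latency 812340us stddev 90210us loss 4%",
]
```

Feed it the output of the Gateways log (or `clog /var/log/gateways.log` on the console) and an open episode with clear_time None is a gateway that is currently down.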

42
I could not duplicate this.

WAN VIP: 172.25.228.10, Inside server 172.25.233.100


Redirect to address 172.25.228.10

# NAT Inbound Redirects
rdr on re1 proto tcp from any to 172.25.228.10 port 80 -> 172.25.233.100
# Reflection redirect
rdr on { re0 re2 enc0 openvpn } proto tcp from any to 172.25.228.10 port 80 -> 172.25.233.100

OPT1    tcp    192.168.1.100:36433 -> 172.25.233.100:80 (172.25.228.10:80)    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B    
LAN    tcp    192.168.1.100:36433 -> 172.25.233.100:80    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B


Redirect to Host Alias web_server

table <web_server> {   172.25.228.10 }
web_server = "<web_server>"

# NAT Inbound Redirects
rdr on re1 proto tcp from any to $web_server port 80 -> 172.25.233.100
# Reflection redirect
rdr on { re0 re2 enc0 openvpn } proto tcp from any to $web_server port 80 -> 172.25.233.100

OPT1    tcp    192.168.1.100:36434 -> 172.25.233.100:80 (172.25.228.10:80)    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B    
LAN    tcp    192.168.1.100:36434 -> 172.25.233.100:80    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B


Redirect to Network alias web_server_net

table <web_server_net> {   172.25.228.10/32 }
web_server_net = "<web_server_net>"

# NAT Inbound Redirects
rdr on re1 proto tcp from any to $web_server_net port 80 -> 172.25.233.100
# Reflection redirect
rdr on { re0 re2 enc0 openvpn } proto tcp from any to $web_server_net port 80 -> 172.25.233.100

OPT1    tcp    192.168.1.100:36435 -> 172.25.233.100:80 (172.25.228.10:80)    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B    
LAN    tcp    192.168.1.100:36435 -> 172.25.233.100:80    ESTABLISHED:ESTABLISHED    2 / 1    112 B / 60 B

43
You have to TAG from the switch to pfSense on VLAN 55.

Set the ports to normal devices to UNTAGGED.

There are LOTS of different ways you can lock yourself out doing this stuff from the interfaces you are trying to change layer 2 on.

Work back from where you are physically located.

If you are connected to the switch, change pfSense then the switch.

If you are connected to the switch through pfSense, change the switch then pfSense.

Often easier to do it on another interface you are not changing at all.

44
Routing and Multi WAN / Re: WAN ISP insists on DHCP for static IPs
« on: February 11, 2018, 05:08:48 am »
Quote: "My next step is to set up a second pfSense box with sync, so I want to make sure it's set up correctly before moving forward."

If you want to do HA you will find that that ISP's service is not going to work very well. You'll probably need to either get a real business-class, static service from them or use somebody else.

45
Routing and Multi WAN / Re: Static route between 2 pfSense
« on: February 11, 2018, 04:23:02 am »
You probably need to add outbound NAT for all of the private subnets on pfSense WAN.

Manually adding the static routes very likely enabled pfSense to know what networks were downstream so they were picked up by Automatic Outbound NAT.

Nothing like that is possible when pfSense doesn't have the routes in the configuration since they are dynamically-learned.
