
Messages - Derelict

IPsec / Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« on: February 18, 2018, 10:16:12 pm »
Then why would your P2s be the same on multiple sites if those networks are not reachable on that tunnel?

PTP SSL/TLS with a tunnel network larger than a /30 puts the server side into server mode.

This means that you have to have remote networks on the server configuration to get the traffic into OpenVPN then you also have to have Client-Specific overrides with the remote networks set to tell OpenVPN which client to send the traffic to. Even if there is only one.

You might try setting the tunnel network to /30 and see if things start to make more sense. Especially if there will only ever be one client.
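The point in the post above, turned into a small helper (this is an added example, not Derelict's or the pfSense project's code): a /30 tunnel network is the peer-to-peer case, anything larger turns the server side into OpenVPN server mode, which needs a `route` directive for each remote network on the server plus a matching `iroute` in the client-specific override so OpenVPN knows which client owns that network. The function names and the assumed pfSense directive mapping are this example's own.

```python
import ipaddress

def server_mode_required(tunnel_network):
    """A /30 tunnel network is point-to-point; any larger IPv4 tunnel
    network puts the OpenVPN server side into server mode."""
    net = ipaddress.ip_network(tunnel_network, strict=False)
    if net.version != 4:
        raise ValueError("this helper only models IPv4 tunnel networks")
    return net.prefixlen < 30

def openvpn_directives(tunnel_network, remote_networks, client_cn):
    """Return the directives needed to reach the given remote networks.

    Assumed mapping (not taken from pfSense's code):
      - 'server': directives for the server configuration; a 'route' line
        pushes each remote network into the tunnel on the server host.
      - 'client_override': directives for the client-specific override of
        client_cn; 'iroute' tells OpenVPN which client the network lives
        behind. Only needed in server mode, but required even for one client.
    """
    tun = ipaddress.ip_network(tunnel_network, strict=False)
    server, override = [], []
    for cidr in remote_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(tun):
            raise ValueError(f"remote network {net} overlaps tunnel network {tun}")
        server.append(f"route {net.network_address} {net.netmask}")
        if server_mode_required(tunnel_network):
            override.append(f"iroute {net.network_address} {net.netmask}")
    return {
        "mode": "server" if server_mode_required(tunnel_network) else "p2p",
        "server": server,
        "client_override": override if override else None,
        "client_cn": client_cn if override else None,
    }

if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    for tn in ("10.0.8.0/30", "10.0.8.0/24"):
        print(tn, openvpn_directives(tn, ["192.168.50.0/24"], "site-b"))
```

With a /30 the result carries only the server-side `route` lines; with a /24 the same call also emits the `iroute` line that has to live in the client-specific override, which is the step people most often skip when the tunnel has a single client.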

NAT / Re: NAT rule is not working
« on: February 18, 2018, 08:13:11 pm »
Exhaustive list of other things to check here.

When it works from the same subnet but not from others it is almost always either the local firewall on the target or the default gateway of the target is wrong.

NAT / Re: Cisco BT Signal Booster behind pfSense
« on: February 18, 2018, 03:45:51 am »
You should not have to do anything to use any cell booster behind pfSense in its default configuration. If you have messed about with the default outbound NAT static port on port 500 or something, maybe you might have to undo that.

They generally initiate an OUTBOUND IPsec connection to the cell provider. Nothing should be required on the firewall. No special rules, no special port forwards, etc.

They generally require a good GPS signal and can take a LONG TIME to sync up.

The best we can try to do if it is not working is interpret the specific instructions or guidance they provided. You would need to post that.

Port mapping rule for UDP/4500 on WAN interface ->
You do not need this for an outbound connection.

Manual outbound NAT configured - only a rule for * -> WAN address configured for the subnet
Why manual? Automatic will capture that.

Currently an additional rule for UDP/any going to WAN interface
Zero idea what that means. Post the rule.

I realize those were posted a while ago by someone else but you stated you did the same thing.

NAT / Re: Intermittent NAT failures
« on: February 15, 2018, 10:11:49 pm »
How many states? I am unsure what the behavior is if there is not an available ephemeral source port for the outbound translation. You might need a pool of outbound NAT addresses if that is the case.

If you are truly seeing something intermittent there, that would be something I would certainly look at, especially if it only occurs during periods of high-traffic. That would take tens of thousands of simultaneous connections all to the same destination protocol:host:port however and seems unlikely.

Have you done anything like setting static source ports, reducing the available ephemeral source ports or maybe something else with outbound NAT?
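A way to check the source-port-exhaustion theory from the post above on a state table dump (added example, not Derelict's or pfSense's code): each outbound translation to the same protocol:host:port needs a distinct translated source port on the same WAN address, so counting states per that tuple and comparing against the ephemeral range shows how close a single destination is to running the pool dry. The line format is assumed to be the `pfctl -ss` shape with the pre-NAT source in parentheses; the sample lines, the port range parameter and the function names are constructed for this example.

```python
import re
from collections import Counter

# Assumed pfctl -ss line shape for an outbound translated state (hypothetical):
#   <iface> <proto> <natsrc>:<natport> (<origsrc>:<origport>) -> <dst>:<dport> <state>
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<nat_src>[0-9A-Fa-f.:]+):(?P<nat_port>\d+)\s+"
    r"\((?P<orig_src>[0-9A-Fa-f.:]+):(?P<orig_port>\d+)\)\s+->\s+"
    r"(?P<dst>[0-9A-Fa-f.:]+):(?P<dport>\d+)\s+(?P<state>\S+)$"
)

def parse_state(line):
    """Return the fields of one translated state line, or None if the line
    is not an outbound NAT state in the assumed format."""
    m = STATE_RE.match(line.strip())
    return m.groupdict() if m else None

def states_per_translation_tuple(lines):
    """Count states keyed by (proto, translated source address, dst, dport).
    Every state in one bucket consumes a different ephemeral source port."""
    counts = Counter()
    for line in lines:
        s = parse_state(line)
        if s is None:
            continue
        counts[(s["proto"], s["nat_src"], s["dst"], int(s["dport"]))] += 1
    return counts

def exhaustion_report(lines, port_range=(1024, 65535), warn_fraction=0.8):
    """For each translation tuple report consumed ports, pool size and a
    warning flag. port_range is the ephemeral range the firewall is allowed
    to use; narrowing it (or static port) shrinks the pool per WAN address."""
    pool = port_range[1] - port_range[0] + 1
    report = {}
    for key, n in states_per_translation_tuple(lines).items():
        frac = n / pool
        report[key] = {"states": n, "pool": pool,
                       "fraction": round(frac, 4), "warn": frac >= warn_fraction}
    return report

# Constructed sample state lines (documentation addresses, not real traffic).
SAMPLE_STATES = """
em1 udp 203.0.113.10:51123 (10.0.0.5:51123) -> 198.51.100.7:53 MULTIPLE:MULTIPLE
em1 udp 203.0.113.10:51124 (10.0.0.6:51124) -> 198.51.100.7:53 MULTIPLE:MULTIPLE
em1 udp 203.0.113.10:51125 (10.0.0.7:51125) -> 198.51.100.7:53 MULTIPLE:MULTIPLE
em1 tcp 203.0.113.10:40001 (10.0.0.5:40001) -> 198.51.100.9:443 ESTABLISHED:ESTABLISHED
em0 tcp 10.0.0.5:40001 -> 10.0.0.1:22 ESTABLISHED:ESTABLISHED
""".strip().splitlines()

if __name__ == "__main__":
    for key, info in exhaustion_report(SAMPLE_STATES).items():
        print(key, info)
```

Run against a real dump you would expect the warning flag to stay off unless one destination tuple really has tens of thousands of states behind one address, which is the condition the post calls unlikely; if it does trip, the fix the post points at is a pool of outbound NAT addresses rather than a single WAN address.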

Then only one or none should be connected to wired I would think.

If they expect functioning STP on home networks they're in for a long, hard ride.

Why wireless and wired on the sonos? Shouldn't it be one or the other?

The easiest way to prevent layer 2 loops would be to not make the loop in the first place.

Hardware / Re: pfSense on Dell R710
« on: February 14, 2018, 02:04:56 am »
It should run like a scalded ape on an R710. Unless you are caching, hard drive speed is pretty much irrelevant. Even if you are caching it is pretty much irrelevant.

I have never had any issues with the broadcom drivers. They seem fine. In fact, a few years ago, pfSense sold some used Dells. Can't remember the model but pretty sure they had bce NICs. Have personal experience running on some old IBM 1Us with zero issues. bce NICs there too.

Nothing wrong with a drive mirror for an install such as this. Though on that hardware you would be a candidate to try leaving the controller in JBOD and running a ZFS mirror if you put 8GB+ into it.

Install it and try it. Don't cost nothin'.

Virtualization installations and techniques / Re: Azure Firewall Setup
« on: February 13, 2018, 10:21:29 pm »
In azure I have two virtual subnets and
Looks like that LAN interface is to me.

Hardware / Re: WAN port gets reassigned to add-on NIC
« on: February 13, 2018, 10:19:10 pm »
Good to hear.

Always nice to have more router ports.

Virtualization installations and techniques / Re: Azure Firewall Setup
« on: February 13, 2018, 09:08:26 pm »
Did you try it like I suggested with an interface on the LAN subnet + NAT instead of those publics?

Azure has zero way of knowing it needs to route those inside publics to the pfSense WAN. If it is going to be possible, that needs to happen.

NAT / Re: Intermittent NAT failures
« on: February 13, 2018, 08:15:00 pm »
What are we looking at there?

What interface is em1?

What do the states look like?

What rule is creating them?

What are your Outbound NAT rules?

You mentioned TCP is not affected but that pcap shows presumably outbound SYNs from addresses. Hard to say whether those were translated or not since details were not provided.

Virtualization installations and techniques / Re: Azure Firewall Setup
« on: February 13, 2018, 04:22:25 pm »
That can be done if:

1. Azure will route public addresses to the public address of pfSense. In this case you might be able to just use the publics as they are.

2. Azure will allow multiple public addresses on the WAN interface.

You might be able to get away with one outside address for multiple inside servers by using something like HAProxy to steer the traffic to the correct server based on requested hostname or SNI.

IPv6 / Re: Setup Dual Stack with NAT on v4
« on: February 13, 2018, 03:57:23 pm »
Doesn't really matter where he is. IPv6 is IPv6. If they will only give a single /64 it is the wrong product for the use case.

Not that I know of. Best case would probably be NPt with a ULA/64 on the inside interface. You would have to set up VIPs on the WAN which doesn't scale because you need something out there to respond to neighbor discovery.

A routed /64, /56, or /48 is what you want. Did you ask if that was available?

Virtualization installations and techniques / Re: Azure Firewall Setup
« on: February 13, 2018, 03:44:17 pm »
I don't think you can do that.

I would put one on the same subnet as the LAN interface and try changing the route on that and see if you at least can get a normal, natted LAN connection going.
