

Messages - virgiliomi

General Questions / Re: Ransomware Detection Capability
« on: January 20, 2018, 07:05:21 am »
I agree with johnpoz, this is just for detection. Machine is still infected.
Correct... you haven't prevented the infection, but you have prevented data loss from occurring. And you still have the opportunity to remove the infection without incurring any data loss. Of course, if you're not backing up your data, shame on you... but that's a different story. :)

IPv6 / Re: comcast business head-scratcher...
« on: January 18, 2018, 09:23:52 pm »
With Comcast Business, spending the extra for a static IP Address isn't worth it IMHO. The inflexibility you get by having to use their own gateway ends up causing more problems than it's worth.

Skip the static IP, get a nice D3.1 modem (even if you don't have a speed tier that requires it, having the extra RF spectrum available is never a bad thing) and connect pfSense right to the modem. Request your /56 and go to town. Get your IPv4 address and set up Dynamic DNS to automatically update a hostname in your domain (so many Dynamic DNS services available!). Anything on the internet that needs to connect in, use the hostname instead of a static IP address.

And this is even if your IP address ever changes. I don't think I've actually had my IP address and /60 prefix (I'm a consumer customer, not business) change for months. It'll probably be a year in a couple more months.

General Questions / Re: Ransomware Detection Capability
« on: January 18, 2018, 09:02:32 pm »
User runs code - infected, all their stuff encrypted.. How does your blocking their C&C prevent that?
Usually before the encryption begins, there's a key exchange that takes place between the malware and the C&C server. If communication to the C&C server is blocked, then you can at least extend the amount of time to remove the malware before it finds a way around the block.

General Questions / Re: Is DMZ supported in pfSense firewall?
« on: January 18, 2018, 08:57:12 pm »
If you want the servers in your DMZ to be accessible via IPv4, yes, you do. If you have IPv6 available and you're happy with your DMZ devices being only accessible through IPv6 (assuming they support it), then there's no requirement that you create IPv4 port forwards.

IPv6 / Re: [Solved] Comcast Residential ipv6 doesnt work
« on: December 30, 2017, 04:44:04 pm »
In your WAN settings, you want to request a different prefix size. With residential service, you can request as low as /60, which will give you 16 /64s to use on various networks.

You will want to delete your DUID after changing the setting (you'll need to shell to the router and rm /var/db/dhcp6c_duid) then release/renew the WAN connection so it creates a new DUID and requests a new lease and prefix from Comcast's DHCPv6 server. Then you should be able to set up multiple networks using Track Interface and select a different prefix ID for each network.

Looks to be working well! It went through my leases and showed all the hosts that I would expect it to. The comparison to the NDP table to show MAC address seems to work as well. Not that MAC address has much to do with DHCPv6 like it does with DHCPv4, but if paired with the OUI file (placed wherever NMAP places it), you can at least see who made the device or network adapter. :)

I did also contact my ISP through chat, and he told me to try connecting a gigabit-capable PC directly to the media converter to confirm that the same thing would happen, but I mean even if it would recognize my PC as 1000 Mbps that won't help me much; I need it to recognize my firewall as gigabit. Any suggestions?
The point of the test is to make sure that there isn't something misconfigured in the media converter. If your computer with a 1 Gbps capable NIC also links up at 100 Mbps, then something may not be set right in the media converter. If it links up at 1 Gbps, then there may be something up with the SG-3100 (though with it being new, one would hope not!).

If you connect your computer to the WAN port on the SG-3100, does it link up at 1 Gbps? Most PCs will show the link speed somewhere in the GUI.

If there's some way to apply this through the System Patches package, I'd be happy to do so... but I don't see an actual patch file, commit ID, or whatever is needed to be able to apply it that way. I'm not one to go through and just replace files.

Nope, the Sonos devices will all still receive addresses from your DHCP server. The Sonos mesh wireless network is just an extension of your existing network.

Do I find a spreadsheet useful? I used to long ago, when I would give static IP addresses to devices that needed to be manually configured... but now I just use DHCP reservations instead (so if I take a device somewhere else, it can still use DHCP without me needing to change anything), and I can see what's being used through the Status > DHCP Leases page. A spreadsheet could be helpful if you decide to set up a new router and either want to start with a clean configuration or can't import (if you go to a completely different platform) so you can set everything back up... but you could just copy/paste the data from the DHCP Leases page into your favorite spreadsheet application or print the page.

I think with what has been posted, blocking your Sonos IP address(es) at pfSense would be the best way to go.

However, just so you know, you'll also want to turn off automatic app updating on your mobile devices too, because otherwise when Sonos releases an update, your mobile devices will get the new app, then constantly prompt to update your Sonos devices until the versions match.

Pro tip for the firewall rule: If you have multiple Sonos devices, group them together within the address range of a smaller subnet size. For example, I have my Sonos devices between x.x.x.177 and x.x.x.190. By doing this, I can create one firewall rule for network x.x.x.176/28 on my LAN to block all of my Sonos devices easily.
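An added example, not code from the post or from pfSense: a small Python check for the aggregation trick above. It computes the smallest CIDR block that covers a set of device addresses and then lists the extra addresses (and any known devices on them) that a single rule on that block would also catch. The 192.168.1.x addresses and lease names are constructed.

```python
import ipaddress

# Constructed sample: Sonos players parked in .177-.190, as the post suggests.
SONOS_HOSTS = [f"192.168.1.{n}" for n in range(177, 191)]

# Constructed DHCP reservations for the rest of the LAN (hypothetical names).
LEASES = {
    "192.168.1.10": "laptop",
    "192.168.1.176": "printer",   # sits just below the Sonos range
    "192.168.1.191": "nas",       # sits just above it
    "192.168.1.200": "phone",
}


def covering_block(hosts):
    """Smallest IPv4 network that contains every address in `hosts`."""
    addrs = sorted(ipaddress.IPv4Address(h) for h in hosts)
    lo, hi = addrs[0], addrs[-1]
    # Widen the prefix from /32 until lo and hi fall into the same network.
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((int(lo), prefix), strict=False)
        if hi in net:
            return net


def collateral(hosts, net):
    """Addresses inside `net` that were not meant to be blocked.

    Iterates over every address in the block, not net.hosts(): the block is a
    slice of a larger LAN, so its first and last addresses are ordinary hosts.
    """
    intended = {ipaddress.IPv4Address(h) for h in hosts}
    return [str(a) for a in net if a not in intended]


def caught_devices(hosts, net, leases):
    """Known non-target devices (from the lease table) the rule would block."""
    return {ip: name for ip, name in leases.items()
            if ipaddress.IPv4Address(ip) in net and ip not in hosts}


if __name__ == "__main__":
    block = covering_block(SONOS_HOSTS)
    print("rule source:", block)
    print("extra addresses:", collateral(SONOS_HOSTS, block))
    print("also blocked:", caught_devices(SONOS_HOSTS, block, LEASES))
```

Before committing to one aggregate rule, move or re-reserve anything `caught_devices` reports, or tighten the range so the block contains only the intended devices.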

2.4 Development Snapshots / Re: Two Error Messages
« on: December 09, 2017, 06:35:59 pm »
Now, let's get to the bottom of [...] the 502 error!
Do you run pfBlockerng? There appears to be an issue with it that causes the 502 error.

Gaming / Re: Xbox One (incl. S and X) - Howto for Open NAT
« on: December 06, 2017, 06:41:21 pm »
If the game uses Xbox Live for everything on the network side, then I would think it would work.

If the game uses its own servers, a different port number that you can't change (to make each console use a unique port), or requires UPnP, then obviously my solution would not work.

General Questions / Re: VoIP degradation of quality
« on: December 02, 2017, 05:32:38 pm »
It could be the codec that your softphone is using. If you can change the codec order in the softphone, or change it to use the same codec that your ATAs are using, that might be a big help to keep the Pi from having to transcode the audio data.

IPv6 / Re: 2.4.2 update broke DHCPv6 lease list and/or reservations?
« on: December 02, 2017, 06:25:22 am »
There's a known issue with the DHCPv6 lease list not working right... Bug 7413

It's been kicked down the road a couple of versions now, since at least 2.4.0... hopefully it gets fixed soon.

IPv6 / Re: Windows 10 and RDNSS
« on: December 02, 2017, 06:22:45 am »
Because of Windows 10, I have usually run DHCPv6 on my main LAN, but have a second guest network that is set to Unmanaged (which is where my work Android device resides when I'm at home). Anyway, to test this, I connected my Win10 laptop (which is running the Fall Creators Update - build 1709) to my Guest network.

I don't have any DNS servers specified, so pfSense should be simply specifying its own IP address instead, but my Win10 laptop does not appear to receive any IPv6 DNS servers when connected to my Guest network. However, I do specify a domain search list in the RA settings, and it does appear to be picking that up... not sure why it's not getting the server IP though.
