
Messages - virgiliomi

Pages: [1] 2 3 4 5 ... 38
IPv6 / Re: [Solved] Comcast Residential ipv6 doesn't work
« on: December 30, 2017, 04:44:04 pm »
In your WAN settings, you want to request a different prefix size. With residential service, you can request as low as /60, which will give you 16 /64's to use on various networks.

You will want to delete your DUID after changing the setting (you'll need to shell to the router and rm /var/db/dhcp6c_duid) then release/renew the WAN connection so it creates a new DUID and requests a new lease and prefix from Comcast's DHCPv6 server. Then you should be able to set up multiple networks using Track Interface and select a different prefix ID for each network.

Looks to be working well! It went through my leases and showed all the hosts that I would expect it to. The comparison to the NDP table to show MAC address seems to work as well. Not that MAC address has much to do with DHCPv6 like it does with DHCPv4, but if paired with the OUI file (placed wherever NMAP places it), you can at least see who made the device or network adapter. :)

I did also contact my ISP through chat, and he told me to try connecting a gigabit-capable PC directly to the media converter to confirm that the same thing would happen, but I mean even if it would recognize my PC as 1000 Mbps that won't help me much; I need it to recognize my firewall as gigabit. Any suggestions?
The point of the test is to make sure that there isn't something misconfigured in the media converter. If your computer with a 1 Gbps capable NIC also links up at 100 Mbps, then something may not be set right in the media converter. If it links up at 1 Gbps, then there may be something up with the SG-3100 (though with it being new, one would hope not!).

If you connect your computer to the WAN port on the SG-3100, does it link up at 1 Gbps? Most PCs will show the link speed somewhere in the GUI.

If there's some way to apply this through the System Patches package, I'd be happy to do so... but I don't see an actual patch file, commit ID, or whatever is needed to be able to apply it that way. I'm not one to go through and just replace files.

Nope, the Sonos devices will all still receive addresses from your DHCP server. The Sonos mesh wireless network is just an extension of your existing network.

Do I find a spreadsheet useful? I used to long ago, when I would give static IP addresses to devices that needed to be manually configured... but now I just use DHCP reservations instead (so if I take a device somewhere else, it can still use DHCP without me needing to change anything), and I can see what's being used through the Status > DHCP Leases page. A spreadsheet could be helpful if you decide to set up a new router and either want to start with a clean configuration or can't import (if you go to a completely different platform) so you can set everything back up... but you could just copy/paste the data from the DHCP Leases page into your favorite spreadsheet application or print the page.

I think with what has been posted, blocking your Sonos IP address(es) at pfSense would be the best way to go.

However, just so you know, you'll also want to turn off automatic app updating on your mobile devices too, because otherwise when Sonos releases an update, your mobile devices will get the new app, then constantly prompt to update your Sonos devices until the versions match.

Pro tip for the firewall rule: If you have multiple Sonos devices, group them together within the address range of a smaller subnet size. For example, I have my Sonos devices between x.x.x.177 and x.x.x.190. By doing this, I can create one firewall rule for network x.x.x.176/28 on my LAN to block all of my Sonos devices easily.

2.4 Development Snapshots / Re: Two Error Messages
« on: December 09, 2017, 06:35:59 pm »
Now, let's get to the bottom of [...] the 502 error!
Do you run pfBlockerNG? There appears to be an issue with it that causes the 502 error.

Gaming / Re: Xbox One (incl. S and X) - Howto for Open NAT
« on: December 06, 2017, 06:41:21 pm »
If the game uses Xbox Live for everything on the network side, then I would think it would work.

If the game uses its own servers, a different port number that you can't change (to make each console use a unique port), or requires UPnP, then obviously my solution would not work.

General Questions / Re: VoIP degradation of quality
« on: December 02, 2017, 05:32:38 pm »
It could be the codec that your softphone is using. If you can change the codec order in the softphone, or change it to use the same codec that your ATAs are using, that might be a big help to keep the Pi from having to transcode the audio data.

IPv6 / Re: 2.4.2 update broke DHCPv6 lease list and/or reservations?
« on: December 02, 2017, 06:25:22 am »
There's a known issue with the DHCPv6 lease list not working right... Bug 7413

It's been kicked down the road a couple of versions now, since at least 2.4.0... hopefully it gets fixed soon.

IPv6 / Re: Windows 10 and RDNSS
« on: December 02, 2017, 06:22:45 am »
Because of Windows 10, I have usually run DHCPv6 on my main LAN, but have a second guest network that is set to Unmanaged (which is where my work Android device resides when I'm at home). Anyway, to test this, I connected my Win10 laptop (which is running the Fall Creators Update - build 1709) to my Guest network.

I don't have any DNS servers specified, so pfSense should be simply specifying its own IP address instead, but my Win10 laptop does not appear to receive any IPv6 DNS servers when connected to my Guest network. However, I do specify a domain search list in the RA settings, and it does appear to be picking that up... not sure why it's not getting the server IP though.

General Questions / Re: VoIP degradation of quality
« on: December 02, 2017, 06:07:39 am »
Just a note though, that some larger VoIP services may use a single hostname, then rotate servers using SRV records under that hostname. In fact, the hostname that could be used could point to their website, but the SRV records within could point to their VoIP servers elsewhere, not even in the same physical location. That makes monitoring a bit harder.

If it's not your bandwidth that is the issue, other potential issues could be the audio format being used for the call - check your Pi's CPU usage during the call; it may be having to convert audio formats and could be falling behind over time - or issues on your provider's end. Try setting up a phone, SIP client, or ATA to point directly to your provider and see if it happens there as well.

Packages / Re: Anyone have a guide for FRR and OSPF?
« on: November 28, 2017, 03:50:06 pm »
I think you need to be in the Routing and Multi-WAN forum, not the Packages - Traffic Monitoring forum. I know OSPF is a routing protocol... not sure what FRR is, but everything else in your post seems to be about routing, not monitoring traffic on your network.

If your question is about one of the routing protocol packages, then maybe the general Packages forum might also be appropriate.

Gaming / Xbox One (incl. S and X) - Howto for Open NAT
« on: November 25, 2017, 09:48:17 pm »
I don't easily see a definitive Howto for how to get Open NAT on the Xbox One, and I've done this on both my Xbox One and Xbox One X, even simultaneously, and have no problems with both getting open NAT for Xbox Live, so I wanted to share my settings. I'm running pfSense 2.4.2 now, though I was running 2.4.1 when I set it all up. I'm not using UPnP at all, so there's no risk to network security for other devices or programs that could open ports using that. It's possible that UPnP could actually interfere with the settings I provide below, so if you have issues, try disabling UPnP first.

Here's how I did it...

1. First, set a static IP address or DHCP reservation for the console, whatever you prefer. If you have multiple consoles, see the note below on grouping multiple consoles together with neighboring IP addresses to simplify the Outbound NAT rule.

2. Verify the port number in the Xbox network settings. If you have multiple consoles, go into the advanced settings and manually choose a high port number. Each console will need to use a different port number for this to work.

3. Create the port forward(s) in the Firewall > NAT > Port Forward. TCP/UDP, port number, and forward to the IP address you assigned to the console. Reload the filter when done.

4. Go to the Outbound NAT settings. Set to Hybrid. This will allow you to create your manual rule for the Xbox, but allow everything else to still operate using automatic rules. Save. If you are using manual Outbound NAT for other reasons, then you can likely keep it manual and just create the appropriate rule for the Xbox IP address(es).

5. Add a new Outbound mapping. Specify the IP Address of your console as the source and 32 for the mask for a single console. If you have multiple consoles, see the note below for a change to the IP address and netmask settings. In the translation section, check the box for Static Port. Save this rule. Reload the filter again.

You're done. Go back to your console, make sure the IP address is set properly if you're using a DHCP reservation, and if all is good, you should have Open NAT, at least for Xbox Live services. It's possible that other games may need other ports open too, but at a minimum, this should meet the core requirements for Xbox Live.

** For multiple consoles **
If you have multiple consoles, use neighboring IP addresses that are within a smaller network range. By doing this, in the Outbound NAT rule, you can specify the netmask that corresponds to the size of your smaller address block. In the future, you can add more consoles just by adding a port forward (and DHCP reservation, if you're using that method). If you need to increase the size of the "network" to accommodate more consoles, just change the netmask in the outbound NAT rule.

If you really want to, you could just simply create multiple Outbound NAT rules, one for each console... but I prefer the idea of having all my consoles grouped together with neighboring IP addresses, just for the purpose of network management.

Example scenario...
Xbox One: x.x.x.161, port 55123
Xbox One X: x.x.x.162, port 56124
Created two port forwards, one for each console
Set Outbound NAT to Hybrid
Created manual Outbound NAT rule, x.x.x.160/29 (allows use of addresses from x.x.x.161-166), checked static port setting

If I need to add more consoles in the future (I doubt I ever will, but just to entertain the idea), I can change the /29 to /28 and go from 161 to 174 in IP addresses for consoles.
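The subnet arithmetic behind the "group the devices in a smaller block" advice, both for the Sonos /28 earlier on this page and for the Xbox /29 and /28 above, as an added example (not code from the original posts or from pfSense). It uses only the Python standard library; the device names and the 192.0.2.0/24 addresses are constructed sample data. Beyond the two cases in the posts, it also reports any other reserved host that happens to sit inside the chosen block, because a static-port outbound NAT mapping or a block rule written for that block applies to every address in it, not only the consoles or speakers.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample DHCP reservations (192.0.2.0/24 is a documentation range).
# Names and addresses are invented for this example, not taken from the posts.
RESERVATIONS = {
    "xbox-one": "192.0.2.161",
    "xbox-one-x": "192.0.2.162",
    "printer": "192.0.2.165",
    "sonos-kitchen": "192.0.2.177",
    "sonos-living-room": "192.0.2.190",
    "laptop": "192.0.2.50",
}


def covering_block(addrs):
    """Smallest CIDR block that contains every address in addrs.

    Start from one address as a /32 and widen one bit at a time until all
    the others fall inside; aligned blocks containing a given address are
    nested, so the first hit is the smallest block containing them all.
    """
    ips = sorted(IPv4Address(a) for a in addrs)
    net = IPv4Network(f"{ips[0]}/32")
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net


def usable_count(net):
    """Usable addresses in a block, following the posts' convention of
    leaving the first and last address of the group block unused."""
    return max(net.num_addresses - 2, 0)


def group_block(addrs, min_hosts=0):
    """Block for a device group, widened until it has room for at least
    min_hosts usable addresses (the 'room to add consoles later' idea)."""
    net = covering_block(addrs)
    while usable_count(net) < min_hosts:
        net = net.supernet()
    return net


def usable_range(net):
    """First and last usable address of the block, e.g. .161 to .166 for a /29."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def bystanders(net, reservations, group):
    """Reserved hosts inside net that are not part of the group.

    A static-port outbound NAT mapping (or a Sonos-style block rule) for net
    applies to these too, so either move them out or shrink the block.
    """
    return sorted(name for name, ip in reservations.items()
                  if IPv4Address(ip) in net and name not in group)


def rule_source(net):
    """Source address and mask to enter in the pfSense outbound NAT mapping."""
    return str(net.network_address), net.prefixlen


if __name__ == "__main__":
    consoles = {"xbox-one", "xbox-one-x"}
    xbox_net = group_block([RESERVATIONS[n] for n in consoles], min_hosts=6)
    print("Xbox outbound NAT source:", rule_source(xbox_net),
          "usable:", usable_range(xbox_net))
    print("other reserved hosts caught by that rule:",
          bystanders(xbox_net, RESERVATIONS, consoles))

    speakers = {"sonos-kitchen", "sonos-living-room"}
    sonos_net = covering_block([RESERVATIONS[n] for n in speakers])
    print("Sonos block rule network:", sonos_net, "usable:", usable_range(sonos_net))
```

With the sample data the Xbox group lands on 192.0.2.160/29 (usable .161 to .166), exactly the post's /29, and widening to room for 14 hosts gives the /28 with .161 to .174; the check also flags the constructed "printer" reservation at .165 as a bystander that the static-port mapping would cover.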

IPv6 / Re: IPv6 hosting website
« on: November 19, 2017, 07:48:13 pm »
I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix. This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

Funny you mention this... I asked for this functionality over a year ago. See this: Allow IPv6 firewall entries with dynamic PD prefix + static host address
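An added example (not code from the posts or from pfSense) that ties together the two IPv6 points on this page: the earlier Comcast post's "/60 gives you 16 /64's, one per Track Interface prefix ID", and this post's wish for a "PD::host" style firewall destination. Both prefixes are constructed from the 2001:db8::/32 documentation range; the hex prefix IDs follow the form pfSense's Track Interface setting uses (assumed here), and the "old" and "new" prefixes stand in for the leases before and after the DUID is regenerated. The last function shows the failure mode that motivates the feature request: a rule with a literal address quietly stops matching once the delegated prefix changes.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed sample delegations (documentation range); PD_NEW stands in for
# the lease obtained after deleting the DUID and renewing the WAN.
PD_OLD = "2001:db8:1:10::/60"
PD_NEW = "2001:db8:1:50::/60"


def delegated_subnets(pd):
    """Map hex prefix IDs to the /64s inside a delegated prefix.

    A /60 yields IDs 0..f (16 networks), a /56 yields 0..ff, and so on.
    """
    net = IPv6Network(pd)
    if net.prefixlen > 64:
        raise ValueError(f"{pd} is smaller than a /64; nothing to track")
    return {f"{i:x}": sub for i, sub in enumerate(net.subnets(new_prefix=64))}


def track_interface_network(pd, prefix_id):
    """The /64 a Track Interface LAN receives for a given prefix ID."""
    subs = delegated_subnets(pd)
    key = prefix_id.lower().lstrip("0") or "0"   # accept "03" as well as "3"
    if key not in subs:
        raise ValueError(
            f"prefix ID {prefix_id} does not fit in {pd}; IDs run 0..{len(subs) - 1:x}")
    return subs[key]


def host_address(pd, prefix_id, host_suffix):
    """Compose <current /64> + <fixed 64-bit host part>, i.e. the
    "PD::aaaa:bbbb:cccc:dddd" notation the post asks for."""
    net = track_interface_network(pd, prefix_id)
    suffix = int(IPv6Address("::" + host_suffix))
    if suffix >> 64:
        raise ValueError("host part must fit in the low 64 bits")
    return IPv6Address(int(net.network_address) | suffix)


def destination_is_current(dest, pd, prefix_id):
    """Does a rule's literal destination still lie in the /64 the interface
    tracks now? Returns False after the ISP hands out a different prefix,
    which is how a hard-coded IPv6 rule silently stops matching."""
    return IPv6Address(dest) in track_interface_network(pd, prefix_id)


if __name__ == "__main__":
    for pid, sub in delegated_subnets(PD_OLD).items():
        print(f"prefix ID {pid}: {sub}")

    web = str(host_address(PD_OLD, "3", "aaaa:bbbb:cccc:dddd"))
    print("rule destination written against the old lease:", web)
    print("still matches after renewal?", destination_is_current(web, PD_NEW, "3"))
    print("recomposed for the new lease:", host_address(PD_NEW, "3", "aaaa:bbbb:cccc:dddd"))
```

The recomposition step is what a "PD" variable in the rule editor would do automatically; without it, any rule that names the full address has to be rewritten whenever the delegated prefix changes, for instance after the release/renew described in the Comcast post.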
