
Messages - virgiliomi

Pages: [1] 2 3 4 5 ... 38
Traffic Monitoring / Re: Monthly traffic reports?
« on: Yesterday at 09:12:52 pm »
There are definitely issues with the Status_Traffic_Totals package... mine's showing two "11/2017" months, and data for March 2018 is being shown as February as a result.

Official pfSense Hardware / Re: Coreboot update - release notes?
« on: February 13, 2018, 04:14:22 pm »
Then I must have been behind and didn't realize there was an update somewhere in the past. I'm currently running the version.

Thanks for the link, ivor!

Official pfSense Hardware / Coreboot update - release notes?
« on: February 10, 2018, 07:15:03 pm »
I noticed that there was an update to the Coreboot package... so naturally after updating the package, I check to see if there's an update to the Coreboot software to be installed. Sure enough there is. Any release notes on what this might fix?

IDS/IPS / Re: Snort OpenAppID RULES Detectors fail to download
« on: January 24, 2018, 07:35:12 pm »
It might have everything to do with the timing of downloading your updates for Snort. I installed Snort not quite a month ago and have been downloading the OpenAppID Rules without any problems to date. I have my Snort updates run at 4:05a Eastern (GMT-5), with one update per day.

General Questions / Re: Ransomware Detection Capability
« on: January 20, 2018, 07:05:21 am »
I agree with johnpoz, this is just for detection. Machine is still infected.
Correct... you haven't prevented the infection, but you have prevented data loss from occurring. And you still have the opportunity to remove the infection without incurring any data loss. Of course, if you're not backing up your data, shame on you... but that's a different story. :)

IPv6 / Re: comcast business head-scratcher...
« on: January 18, 2018, 09:23:52 pm »
With Comcast Business, spending the extra for a static IP Address isn't worth it IMHO. The inflexibility you get by having to use their own gateway ends up causing more problems than it's worth.

Skip the static IP, get a nice D3.1 modem (even if you don't have a speed tier that requires it, having the extra RF spectrum available is never a bad thing) and connect pfSense right to the modem. Request your /56 and go to town. Get your IPv4 address and set up Dynamic DNS to automatically update a hostname in your domain (so many Dynamic DNS services available!). Anything on the internet that needs to connect in, use the hostname instead of a static IP address.

And this is even if your IP address ever changes. I don't think I've actually had my IP address and /60 prefix (I'm a consumer customer, not business) change for months. It'll probably be a year in a couple more months.

General Questions / Re: Ransomware Detection Capability
« on: January 18, 2018, 09:02:32 pm »
User runs code - infected, all their stuff encrypted.. How does your blocking their C&C prevent that?
Usually before the encryption begins, there's a key exchange that takes place between the malware and the C&C server. If communication to the C&C server is blocked, then you can at least extend the amount of time to remove the malware before it finds a way around the block.

General Questions / Re: Is DMZ supported in pfSense firewall?
« on: January 18, 2018, 08:57:12 pm »
If you want the servers in your DMZ to be accessible via IPv4, yes, you do. If you have IPv6 available and you're happy with your DMZ devices being only accessible through IPv6 (assuming they support it), then there's no requirement that you create IPv4 port forwards.

IPv6 / Re: [Solved] Comcast Residential ipv6 doesnt work
« on: December 30, 2017, 04:44:04 pm »
In your WAN settings, you want to request a different prefix size. With residential service, you can request as low as /60, which will give you 16 /64s to use on various networks.

You will want to delete your DUID after changing the setting (you'll need to shell to the router and rm /var/db/dhcp6c_duid) then release/renew the WAN connection so it creates a new DUID and requests a new lease and prefix from Comcast's DHCPv6 server. Then you should be able to set up multiple networks using Track Interface and select a different prefix ID for each network.
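As an added illustration (my own example, not part of the post above or of pfSense's code): this shows how a delegated prefix is carved into /64s and how the Track Interface "prefix ID" picks one of them, and why an ID that does not fit in the delegation has to be rejected. The delegated prefixes are constructed 2001:db8::/32 documentation values, not real Comcast leases.

```python
"""Added example (not from the forum post or from pfSense itself): how a
delegated IPv6 prefix is split into /64 networks by "prefix ID", the way the
Track Interface setting selects one /64 per LAN. The delegated prefixes used
below are constructed 2001:db8::/32 documentation values, not real leases."""
import ipaddress
from typing import List


def subnet_count(delegated: str) -> int:
    """Number of /64s inside a delegated prefix: /60 -> 16, /56 -> 256, /64 -> 1."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{delegated} is smaller than a /64; nothing to split")
    return 2 ** (64 - pd.prefixlen)


def subnet_for_prefix_id(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 that a given prefix ID selects inside the delegation.

    The prefix ID is the index of the /64 within the delegated block, so it
    occupies the bits between the delegation length and bit 64. An ID that
    does not fit (0x10 in a /60, for example) is rejected rather than silently
    wrapped into a neighbour's prefix.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    count = subnet_count(delegated)
    if not 0 <= prefix_id < count:
        raise ValueError(
            f"prefix ID {prefix_id:#x} does not fit in {delegated} "
            f"(valid IDs: 0x0..{count - 1:#x})"
        )
    base = int(pd.network_address)
    # Shift the ID up past the 64 interface-identifier bits and add it to the
    # delegated network address; strict=True confirms no host bits are set.
    return ipaddress.IPv6Network((base + (prefix_id << 64), 64))


def all_subnets(delegated: str) -> List[ipaddress.IPv6Network]:
    """Every /64 available to Track Interface, in prefix-ID order."""
    return [subnet_for_prefix_id(delegated, i) for i in range(subnet_count(delegated))]


if __name__ == "__main__":
    for pd_str in ("2001:db8:1234:abc0::/60", "2001:db8:1234:ab00::/56"):
        print(f"{pd_str}: {subnet_count(pd_str)} networks")
        for pid in (0x0, 0x5, 0xf):
            print(f"  prefix ID {pid:#x} -> {subnet_for_prefix_id(pd_str, pid)}")
```

The practical point: with a /60 the prefix IDs you can type into each Track Interface tab are 0 through f, with a /56 they run 0 through ff, and two interfaces given the same ID would land on the same /64, so the IDs have to be unique per interface.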

Looks to be working well! It went through my leases and showed all the hosts that I would expect it to. The comparison to the NDP table to show MAC address seems to work as well. Not that MAC address has much to do with DHCPv6 like it does with DHCPv4, but if paired with the OUI file (placed wherever NMAP places it), you can at least see who made the device or network adapter. :)

I did also contact my ISP through chat, and he told me to try connecting a gigabit capable PC directly to the media converter to confirm that the same thing would happen, but I mean even if it would recognize my PC as 1000 Mbps that won't help me much I need it to recognize my firewall as gigabit.. Any suggestions?
The point of the test is to make sure that there isn't something misconfigured in the media converter. If your computer with a 1 Gbps capable NIC also links up at 100 Mbps, then something may not be set right in the media converter. If it links up at 1 Gbps, then there may be something up with the SG-3100 (though with it being new, one would hope not!).

If you connect your computer to the WAN port on the SG-3100, does it link up at 1 Gbps? Most PCs will show the link speed somewhere in the GUI.

If there's some way to apply this through the System Patches package, I'd be happy to do so... but I don't see an actual patch file, commit ID, or whatever is needed to be able to apply it that way. I'm not one to go through and just replace files.

Nope, the Sonos devices will all still receive addresses from your DHCP server. The Sonos mesh wireless network is just an extension of your existing network.

Do I find a spreadsheet useful? I used to long ago, when I would give static IP addresses to devices that needed to be manually configured... but now I just use DHCP reservations instead (so if I take a device somewhere else, it can still use DHCP without me needing to change anything), and I can see what's being used through the Status > DHCP Leases page. A spreadsheet could be helpful if you decide to set up a new router and either want to start with a clean configuration or can't import (if you go to a completely different platform) so you can set everything back up... but you could just copy/paste the data from the DHCP Leases page into your favorite spreadsheet application or print the page.

I think with what has been posted, blocking your Sonos IP address(es) at pfSense would be the best way to go.

However, just so you know, you'll also want to turn off automatic app updating on your mobile devices too, because otherwise when Sonos releases an update, your mobile devices will get the new app, then constantly prompt to update your Sonos devices until the versions match.

Pro tip for the firewall rule: If you have multiple Sonos devices, group them together within the address range of a smaller subnet size. For example, I have my Sonos devices between x.x.x.177 and x.x.x.190. By doing this, I can create one firewall rule for network x.x.x.176/28 on my LAN to block all of my Sonos devices easily.
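As an added illustration (my own example, not part of the post above or of pfSense): given the device addresses you want to block, this computes the single aggregate block that covers them for a one-rule approach, the exact set of CIDR blocks that covers them and nothing else, and which other leases the aggregate rule would catch as collateral. All addresses and hostnames are constructed for the example.

```python
"""Added example (not from the forum post or from pfSense): given the
addresses of devices you want to block with one rule, find the single
aggregate block that covers them, the exact set of CIDR blocks that would
cover them and nothing else, and which other DHCP leases the aggregate rule
would catch as collateral. All addresses and hostnames are constructed."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed: Sonos devices parked at .177-.190 as the post suggests.
SONOS = [f"192.168.1.{i}" for i in range(177, 191)]

# Constructed: other DHCP leases/reservations on the same LAN.
OTHER_LEASES: Dict[str, str] = {
    "192.168.1.10": "nas",
    "192.168.1.176": "printer",
    "192.168.1.191": "thermostat",
}


def covering_network(hosts: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every host (one firewall rule)."""
    addrs = sorted(ipaddress.ip_address(h) for h in hosts)
    lo, hi = addrs[0], addrs[-1]
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    # Widen one bit at a time until the highest address falls inside the block.
    while hi not in net:
        net = net.supernet()
    return net


def exact_blocks(hosts: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Minimal set of CIDR blocks covering exactly the hosts (for an alias of
    several networks): no collateral, but more entries than one aggregate."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(h) for h in hosts))


def collateral(hosts: Iterable[str], leases: Dict[str, str]) -> List[str]:
    """Leased addresses the one-rule aggregate would block that are not targets."""
    targets = list(hosts)
    net = covering_network(targets)
    wanted = {ipaddress.ip_address(h) for h in targets}
    caught = [ipaddress.ip_address(ip) for ip in leases
              if ipaddress.ip_address(ip) in net and ipaddress.ip_address(ip) not in wanted]
    return [str(ip) for ip in sorted(caught)]


if __name__ == "__main__":
    print("one-rule block:", covering_network(SONOS))
    print("exact blocks:  ", ", ".join(str(n) for n in exact_blocks(SONOS)))
    for ip in collateral(SONOS, OTHER_LEASES):
        print(f"collateral: {ip} ({OTHER_LEASES[ip]}) would also be blocked")
```

For the .177 to .190 range in the post the aggregate is x.x.x.176/28, and the two addresses that block includes but the devices do not use, .176 and .191, are the ones to keep out of the DHCP pool or give to nothing that needs outbound access; the exact-cover alternative needs six entries in an alias instead of one.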

2.4 Development Snapshots / Re: Two Error Messages
« on: December 09, 2017, 06:35:59 pm »
Now, let's get to the bottom of [...] the 502 error!
Do you run pfBlockerNG? There appears to be an issue with it that causes the 502 error.
