
Topics - virgiliomi

Official pfSense Hardware / Coreboot update - release notes?
« on: February 10, 2018, 07:15:03 pm »
I noticed that there was an update to the Coreboot package... so naturally after updating the package, I check to see if there's an update to the Coreboot software to be installed. Sure enough there is. Any release notes on what this might fix?

Gaming / Xbox One (incl. S and X) - Howto for Open NAT
« on: November 25, 2017, 09:48:17 pm »
I don't easily see a definitive Howto for how to get Open NAT on the Xbox One, and I've done this on both my Xbox One and Xbox One X, even simultaneously, and have no problems with both getting open NAT for Xbox Live, so I wanted to share my settings. I'm running pfSense 2.4.2 now, though I was running 2.4.1 when I set it all up. I'm not using UPnP at all, so there's no risk to network security for other devices or programs that could open ports using that. It's possible that UPnP could actually interfere with the settings I provide below, so if you have issues, try disabling UPnP first.

Here's how I did it...

1. First, set a static IP address or DHCP reservation for the console, whatever you prefer. If you have multiple consoles, see the note below on grouping multiple consoles together with neighboring IP addresses to simplify the Outbound NAT rule.

2. Verify the port number in the Xbox network settings. If you have multiple consoles, go into the advanced settings and manually choose a high port number. Each console will need to use a different port number for this to work.

3. Create the port forward(s) in the Firewall > NAT > Port Forward. TCP/UDP, port number, and forward to the IP address you assigned to the console. Reload the filter when done.

4. Go to the Outbound NAT settings. Set to Hybrid. This will allow you to create your manual rule for the Xbox, but allow everything else to still operate using automatic rules. Save. If you are using manual Outbound NAT for other reasons, then you can likely keep it manual and just create the appropriate rule for the Xbox IP address(es).

5. Add a new Outbound mapping. Specify the IP Address of your console as the source and 32 for the mask for a single console. If you have multiple consoles, see the note below for a change to the IP address and netmask settings. In the translation section, check the box for Static Port. Save this rule. Reload the filter again.

You're done. Go back to your console, make sure the IP address is set properly if you're using a DHCP reservation, and if all is good, you should have Open NAT, at least for Xbox Live services. It's possible that other games may need other ports open too, but at a minimum, this should meet the core requirements for Xbox Live.

** For multiple consoles **
If you have multiple consoles, use neighboring IP addresses that are within a smaller network range. By doing this, in the Outbound NAT rule, you can specify the netmask that corresponds to the size of your smaller address block. In the future, you can add more consoles just by adding a port forward (and DHCP reservation, if you're using that method). If you need to increase the size of the "network" to accommodate more consoles, just change the netmask in the outbound NAT rule.

If you really want to, you could just simply create multiple Outbound NAT rules, one for each console... but I prefer the idea of having all my consoles grouped together with neighboring IP addresses, just for the purpose of network management.

Example scenario...
Xbox One: x.x.x.161, port 55123
Xbox One X: x.x.x.162, port 56124
Created two port forwards, one for each console
Set Outbound NAT to Hybrid
Created manual Outbound NAT rule, x.x.x.160/29 (allows use of addresses from x.x.x.161-166), checked static port setting

If I need to add more consoles in the future (I doubt I ever will, but just to entertain the idea), I can change the /29 to /28 and go from 161 to 174 in IP addresses for consoles.
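As an added illustration (not part of virgiliomi's post), this Python script works out the neighboring-address block from the multiple-console note above and emits pf-style rules equivalent to the port forwards and the static-port outbound NAT mapping. The 192.168.1.x addresses, the igb0 WAN name and the rule text are constructed assumptions, not pfSense's exact generated ruleset.

```python
import ipaddress
from typing import Iterable, List, Tuple

def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """A /32 is the single-console case; otherwise exclude network and broadcast."""
    return 1 if net.prefixlen == 32 else net.num_addresses - 2

def console_block(addrs: Iterable[str], spare: int = 0) -> ipaddress.IPv4Network:
    """Smallest prefix that contains every console and leaves `spare` free addresses.

    Starting from the first console's /32, widen the prefix one bit at a time
    until all consoles fit and the block has room for the requested spares.
    """
    hosts = [ipaddress.ip_address(a) for a in addrs]
    net = ipaddress.ip_network(f"{hosts[0]}/32")
    needed = len(hosts) + spare
    while not all(h in net for h in hosts) or usable_hosts(net) < needed:
        if net.prefixlen == 0:
            raise ValueError("consoles cannot be grouped into one block")
        net = net.supernet()
    return net

def plan_rules(wan_if: str, consoles: List[Tuple[str, int]], spare: int = 0) -> List[str]:
    """pf-style rules: one rdr per console plus one static-port nat for the block.

    Each console must use a distinct port (step 2 of the howto), so duplicate
    ports are rejected up front. Rule text is an illustrative approximation,
    not pfSense's generated ruleset.
    """
    ports = [p for _, p in consoles]
    if len(set(ports)) != len(ports):
        raise ValueError("each console needs a different Xbox Live port")
    rules = [
        f"rdr on {wan_if} proto {{ tcp udp }} from any to ({wan_if}) "
        f"port {port} -> {ip} port {port}"
        for ip, port in consoles
    ]
    block = console_block([ip for ip, _ in consoles], spare)
    rules.append(f"nat on {wan_if} from {block} to any -> ({wan_if}) static-port")
    return rules

if __name__ == "__main__":
    # Constructed example mirroring the scenario in the post: two consoles,
    # four spare addresses, which yields the same /29 block.
    sample = [("192.168.1.161", 55123), ("192.168.1.162", 56124)]
    for rule in plan_rules("igb0", sample, spare=4):
        print(rule)
```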

So I've been running the 2.4 beta from the day I got my SG-2440. As release nears, I know that the "factory" version is of course optimized for the Netgate hardware, and thus would like to return to that once 2.4 has been released. But I don't want to just restore my CE config file and have it remove any of those optimizations because they aren't present in my config.

Is there a way to get my box back to running the factory version with its optimizations without having to manually redo my config? Are there certain sections that I shouldn't import from my CE config, or that I could merge between my config and an unmodified factory one?

2.4 Development Snapshots / ZFS on SG-2440
« on: April 06, 2017, 09:21:24 pm »
So I'm the daring type who took my SG-2440 and put 2.4 on it as soon as I got it home. But I wasn't able to install with ZFS. When I tried, the installer completed, rebooted, I removed my USB drive, and ZFS failed to mount.

My thought is that when my USB drive was connected, it was da0 and the built-in storage was da1, but when I removed my USB drive, the device identifiers changed, so the config no longer reflected the correct location. Unfortunately, I wasn't even able to get it to pick up when I tried pointing it to zfs:zroot/da0 (I think that's the format I used, based on what was presented) and the specific partitions as well, so I don't know what was going on.

Any thoughts on how best to install ZFS on a 2440? I'd rather not try things until there's a known good process in place. For the moment I'm just running with UFS instead. I'm fortunate that power where I live is extremely stable, even in the worst of severe thunderstorms and icy winter weather... though I still have a UPS connected anyway.

2.4 Development Snapshots / DHCPv6 leases not updating in webgui
« on: March 19, 2017, 08:50:59 pm »
So I run DHCPv6 on my main LAN, and many of my devices connected to this network are using DHCPv6 to obtain IPv6 addresses (Android gets sent to the Guest network, where only SLAAC is used). Anyway, I noticed today that when I went to look at my DHCPv6 leases, it only showed two addresses... one is static, the other is my network printer. But when I go look at the /var/dhcpd/var/db/dhcpd6.leases file, I see many other leases there (iPhone, iPad, Apple TV, and a couple other Windows computers).

Any thoughts on why they might not be showing up in the webgui, or how to get it so that they show up?

2.4 Development Snapshots / POST issue? DDNS "Save and Force Update"
« on: February 19, 2017, 06:57:22 am »
The Save and Force Update button on the DDNS page doesn't seem to do anything... it certainly doesn't save the settings and nearest I can tell, it doesn't force an update either.

Hardware / Intel Atom C2xxx LPC failures
« on: February 05, 2017, 07:29:31 am »
Get ready folks... this is going to be a fun ride soon. :) Cisco has started having routers and switches fail due to an LPC clock failure. Coincidentally, Intel has updated the errata of their Atom C2000-series chips, indicating that an LPC clock failure can prevent the system from booting. Cisco didn't name-and-shame the company producing the failed part in their gear, but it's pretty coincidental that Intel happens to update their errata at the same time Cisco announces issues with their hardware indicating the same failure.

Cisco claims that the failure can start after as little as 18 months of use.

Intel claims to have a platform-level workaround that can be used. Of course, there are no details in the errata about the workaround.

This could make for some fun times soon, given all of the Rangeley chips being used in systems running pfSense.

Article on The Register, the update at the bottom indicates the Atom may be at fault in Cisco's gear.

DHCP and DNS / DHCPv6 Static Mapping + DNS issue
« on: September 06, 2016, 08:39:32 am »
I've already created a bug report (#6768) for this, just wondering if others might be seeing the same thing...

I have two devices on my LAN with static DHCPv6 mappings... yet when I look up their hostnames, the IP address returned by unbound is not correct. The prefix in the DNS IP address would be the prefix 0 value (x:y:z:7a70::) for the /60 that I get from my ISP... but my LAN uses prefix 1 (x:y:z:7a71::), not prefix 0.

I haven't tried this with my guest network (which uses prefix 5) to see what gets returned in that case.

Edit: Well, I'd love to try it with my guest network, but I can't get pfSense to show me the DHCPv6 leases for that interface so I can get the DUID and create a DHCPv6 static mapping! But the computer has received a DHCPv6 address on that interface...

Edit 2: Still can't get DHCPv6 lease on my Guest interface to show up to try a static mapping there, but I noticed something looking at the static entries... When entering the DHCPv6 static mapping, ONLY the host portion of the address is entered. But I'm guessing that in creating the DNS entry, it appears as though the prefix appended to the host portion is the base (0) prefix, not the proper prefix for the interface that the static entry is being configured on (1 for my LAN).

2.3.2 Development Snapshots / Monitoring graph > NTP produces error
« on: July 16, 2016, 12:06:34 pm »
When I go to the monitoring graphs, then select "NTP", when I update the graph I get this error:

Error: SyntaxError: Unexpected token W in JSON at position 1

Additionally, there's a crash report (I've submitted two over two days, IPs below)

v4: 73.171.116.x
v6 WAN: 2001:558:6036:61:x:x:x:x

I don't think it would come from the v6 LAN, but if you can't find from the v6 WAN, let me know and I'll provide the LAN address.

I did not have this issue with 2.3.1, so not sure if something changed in the RRD data between versions, or if there's a new issue.

The following log entries regarding bogons update appeared... the one about IPv6, however, is incorrect.

Apr 1 03:01:00 root is starting up.
Apr 1 03:01:00 root is sleeping for 35853
Apr 1 12:58:33 root is beginning the update cycle.
Apr 1 12:58:34 root Bogons V4 file downloaded: 3759 addresses added.
Apr 1 12:58:34 root Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off
Apr 1 12:58:34 root is ending the update cycle.

IPv6 Allow is on, and always has been. I have and use IPv6 on a daily basis, and all of my interfaces are configured, and it's working great too. Someone might want to check this script to make sure it's checking the right setting for IPv6 Allow...

So I've seen this for a couple of days now... and it's a unique one.

I'll turn on my Windows system... desktop, laptop, it doesn't matter. IPv6 RA is Stateless DHCP (since Windows doesn't use RDNSS to get DNS server info). Computer receives the RA, determines a SLAAC IP address with privacy extensions, etc.

IPv6 works great. Sites load using IPv6 (as determined by the IPvFoo extension to Chrome). I can ping hosts using hostname and an IPv6 address is used. IPv6 test sites pass wonderfully.

24 hours pass... this is the default valid lifetime of the RA. All of a sudden, sites load using IPv4. Pinging a hostname results in the IPv4 address being pinged. IPv6 is no longer preferred over IPv4. BUT... it DOES still work. If I ping -6, I get replies. IPv6 test sites show IPv6 works, but that IPv4 is preferred.

Not sure if this is a Windows issue. None of my other devices - Apple (iOS and OS X) or Android, that I can see/tell - have an issue like this. But this issue only just started happening, and the only thing that's changed is the 2.3 snapshots on my pfSense box. I can reboot the computer and IPv6 works great again... for the next 24 hours.
2.3-RC Snapshot Feedback and Issues - ARCHIVED / NEW Monitoring graph
« on: March 03, 2016, 04:20:54 pm »
Looks great! Definitely has a few bugs though...

Here are a couple I found just quickly trying it out...

Quality graph: Loss is identified in "ms"... oops! :)

I set both left and right axes, then when I set the right axis to none and updated, the colors and lines remained on the graph (though they moved vertically a bit when I pressed update). The right axis lines remained at whatever time scale it was set to when it was on (evident by the fact that when I was at the 8 hour mark for the left axis, the line dots were about 1/3 across on the right axis).

RRD graph for NTP is enabled, but no option for NTP as an axis.

So I updated to the latest snapshot through the GUI update function... I noticed that among the packages that were downloaded was rrdtool... but after pfSense rebooted, I no longer have the RRD option on the Status menu. What can I do to get it back?

So here's a chain of events from last night that seems to have earned me a loss of IPv6 connectivity from my hosts.

1. Opened interface settings for GUEST (OPT1/igb2) network.
2. Changed no setting (though I could've easily just changed something simple like speed/duplex).
3. Saved, then applied, the settings for the interface.
4. Dashboard showed no IPv6 address for GUEST interface.
5. In interface settings, disabled GUEST interface, saved/applied, then re-enabled the interface, saved/applied.
6. Dashboard shows GUEST interface with IPv4 and IPv6 addresses. WAN and LAN show both addresses as well.
7. Host on LAN network is now observed as only browsing to IPv4 addresses for dual-stack sites.
8. Try pinging dual-stack host from LAN network, IPv4 responds, IPv6 does not.
9. Reboot pfSense.
10. Still no IPv6 on LAN. Try host on GUEST, no IPv6 there either.
11. It's late, I go to sleep.
12. 6 hours later, tried connecting from different host on LAN, hoping something might have worked itself out overnight... still no IPv6 connectivity.
13. I can ping IPv6 from pfSense, even from LAN interface (didn't try from GUEST), so routing seems to be fine.

WAN requests and receives a /60 from ISP via DHCP-PD.
LAN interface is configured to track WAN, using prefix ID 0. LAN RA is managed, DHCPv6 configured (::1000-::1FFF).
GUEST interface is configured to track WAN, using prefix ID 5. GUEST RA is assisted, DHCPv6 configured (::1000-::1FFF).

Possible radvd issue? I didn't see anything unusual in the Services widget... maybe its config got borked somehow?

Separately, the fact that after making a change (or not) to interface settings in step 2 and applying them in step 3 caused the IPv6 address to disappear from an interface seems unusual. I think that should be checked out as well, but after figuring out what has caused both of my networks to lose IPv6 connectivity.

Any chance someone could try and duplicate this and see if it happens for them? :)

When I log into pfSense on either my iPhone or iPad, then browse to a list (for example, either of the DHCP/v6 Leases lists), when I tap on a header to sort the list on that field, it sorts the list (ascending), then reverse-sorts the list (descending). I've tried in both Chrome and Safari on both devices (of course, I know that Chrome is really using the same Webkit engine behind-the-scenes as Safari, so I'd expect the same behavior in both).

I don't have any Android devices I can try to see if it happens there also.
