
Messages - virgiliomi

General Questions / Re: VoIP degradation of quality
« on: December 02, 2017, 05:32:38 pm »
It could be the codec that your softphone is using. If you can change the codec order in the softphone, or change it to use the same codec that your ATAs are using, that might be a big help to keep the Pi from having to transcode the audio data.

IPv6 / Re: 2.4.2 update broke DHCPv6 lease list and/or reservations?
« on: December 02, 2017, 06:25:22 am »
There's a known issue with the DHCPv6 lease list not working right... Bug 7413

It's been kicked down the road a couple of versions now, since at least 2.4.0... hopefully it gets fixed soon.

IPv6 / Re: Windows 10 and RDNSS
« on: December 02, 2017, 06:22:45 am »
Because of Windows 10, I have usually run DHCPv6 on my main LAN, but have a second guest network that is set to Unmanaged (which is where my work Android device resides when I'm at home). Anyway, to test this, I connected my Win10 laptop (which is running the Fall Creators Update - build 1709) to my Guest network.

I don't have any DNS servers specified, so pfSense should be simply specifying its own IP address instead, but my Win10 laptop does not appear to receive any IPv6 DNS servers when connected to my Guest network. However, I do specify a domain search list in the RA settings, and it does appear to be picking that up... not sure why it's not getting the server IP though.

General Questions / Re: VoIP degradation of quality
« on: December 02, 2017, 06:07:39 am »
Just a note though, that some larger VoIP services may use a single hostname, then rotate servers using SRV records under that hostname. In fact, the hostname that could be used could point to their website, but the SRV records within could point to their VoIP servers elsewhere, not even in the same physical location. That makes monitoring a bit harder.

If it's not your bandwidth that is the issue, other potential issues could be the audio format being used for the call - check your Pi's CPU usage during the call; it may be having to convert audio formats and could be falling behind over time - or issues on your provider's end. Try setting up a phone, SIP client, or ATA to point directly to your provider and see if it happens there as well.

Packages / Re: Anyone have a guide for FRR and OSPF?
« on: November 28, 2017, 03:50:06 pm »
I think you need to be in the Routing and Multi-WAN forum, not the Packages - Traffic Monitoring forum. I know OSPF is a routing protocol... not sure what FRR is, but everything else in your post seems to be about routing, not monitoring traffic on your network.

If your question is about one of the routing protocol packages, then maybe the general Packages forum might also be appropriate.

Gaming / Xbox One (incl. S and X) - Howto for Open NAT
« on: November 25, 2017, 09:48:17 pm »
I don't easily see a definitive Howto for how to get Open NAT on the Xbox One, and I've done this on both my Xbox One and Xbox One X, even simultaneously, and have no problems with both getting open NAT for Xbox Live, so I wanted to share my settings. I'm running pfSense 2.4.2 now, though I was running 2.4.1 when I set it all up. I'm not using UPnP at all, so there's no risk to network security for other devices or programs that could open ports using that. It's possible that UPnP could actually interfere with the settings I provide below, so if you have issues, try disabling UPnP first.

Here's how I did it...

1. First, set a static IP address or DHCP reservation for the console, whatever you prefer. If you have multiple consoles, see the note below on grouping multiple consoles together with neighboring IP addresses to simplify the Outbound NAT rule.

2. Verify the port number in the Xbox network settings. If you have multiple consoles, go into the advanced settings and manually choose a high port number. Each console will need to use a different port number for this to work.

3. Create the port forward(s) in the Firewall > NAT > Port Forward. TCP/UDP, port number, and forward to the IP address you assigned to the console. Reload the filter when done.

4. Go to the Outbound NAT settings. Set to Hybrid. This will allow you to create your manual rule for the Xbox, but allow everything else to still operate using automatic rules. Save. If you are using manual Outbound NAT for other reasons, then you can likely keep it manual and just create the appropriate rule for the Xbox IP address(es).

5. Add a new Outbound mapping. Specify the IP Address of your console as the source and 32 for the mask for a single console. If you have multiple consoles, see the note below for a change to the IP address and netmask settings. In the translation section, check the box for Static Port. Save this rule. Reload the filter again.

You're done. Go back to your console, make sure the IP address is set properly if you're using a DHCP reservation, and if all is good, you should have Open NAT, at least for Xbox Live services. It's possible that other games may need other ports open too, but at a minimum, this should meet the core requirements for Xbox Live.

** For multiple consoles **
If you have multiple consoles, use neighboring IP addresses that are within a smaller network range. By doing this, in the Outbound NAT rule, you can specify the netmask that corresponds to the size of your smaller address block. In the future, you can add more consoles just by adding a port forward (and DHCP reservation, if you're using that method). If you need to increase the size of the "network" to accommodate more consoles, just change the netmask in the outbound NAT rule.

If you really want to, you could just simply create multiple Outbound NAT rules, one for each console... but I prefer the idea of having all my consoles grouped together with neighboring IP addresses, just for the purpose of network management.

Example scenario...
Xbox One: x.x.x.161, port 55123
Xbox One X: x.x.x.162, port 56124
Created two port forwards, one for each console
Set Outbound NAT to Hybrid
Created manual Outbound NAT rule, x.x.x.160/29 (allows use of addresses from x.x.x.161-166), checked static port setting

If I need to add more consoles in the future (I doubt I ever will, but just to entertain the idea), I can change the /29 to /28 and go from 161 to 174 in IP addresses for consoles.
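The grouping arithmetic from the post, as an added example that is not part of the original post: it assumes constructed 192.168.1.x addresses in place of the post's x.x.x.161/162, checks that every console uses a distinct port, confirms the consoles fit the chosen block (/29, growing to /28), and also flags any other host that would fall inside the block, since the Static Port outbound rule would then apply to that host too.

```python
"""Plan the Open NAT settings described above (constructed example, not pfSense code)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def console_block(addresses: Iterable[str], prefix: int) -> ipaddress.IPv4Network:
    """Block the manual Outbound NAT rule matches, e.g. x.x.x.160/29 in the post.
    Raises if any console address lies outside it."""
    hosts = sorted(ipaddress.ip_address(a) for a in addresses)
    net = ipaddress.ip_network(f"{hosts[0]}/{prefix}", strict=False)
    outside = [str(h) for h in hosts if h not in net]
    if outside:
        raise ValueError(f"consoles outside {net}: {outside}")
    return net


def usable_range(net: ipaddress.IPv4Network) -> Tuple[str, str]:
    """Console addresses the post counts as usable: .161-.166 for a /29."""
    if net.prefixlen >= 31:
        return str(net[0]), str(net[-1])
    return str(net[1]), str(net[-2])


def plan_open_nat(consoles: Dict[str, int], prefix: int,
                  other_hosts: Iterable[str] = ()) -> dict:
    """consoles maps console address -> the port chosen in its Xbox network settings.
    Returns the port forwards (step 3) and the Hybrid outbound NAT rule (steps 4-5)."""
    ports = list(consoles.values())
    if len(set(ports)) != len(ports):
        raise ValueError("each console needs its own port (step 2)")
    block = console_block(consoles, prefix)
    # Any non-console host inside the block also gets Static Port; flag it rather than
    # silently weakening source-port randomisation for that host.
    collisions = [h for h in other_hosts if ipaddress.ip_address(h) in block]
    forwards: List[dict] = [
        {"interface": "WAN", "proto": "TCP/UDP", "port": port, "target": ip}
        for ip, port in consoles.items()
    ]
    outbound = {"mode": "Hybrid", "source": str(block), "static_port": True}
    return {"port_forwards": forwards, "outbound_nat": outbound,
            "usable_range": usable_range(block), "collisions": collisions}
```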

IPv6 / Re: IPv6 hosting website
« on: November 19, 2017, 07:48:13 pm »
I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix. This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

Funny you mention this... I asked for this functionality over a year ago. See this: Allow IPv6 firewall entries with dynamic PD prefix + static host address

IPv6 / Re: Selectively block IPv6
« on: November 13, 2017, 09:28:37 pm »
You might be able to get away with trying managed only on dhcpv6, set up a static assignment for his device, then add a firewall rule to block that address from the internet...

Worth a try...
This is probably the best solution... and should work as long as the prefix from your ISP doesn't change.

Traffic Monitoring / Re: Can someone please explain these figures to me
« on: October 22, 2017, 07:40:28 pm »
A variety of things could explain different numbers.

DNS lookups from cache would show traffic on LAN but not WAN or OPT1. Any other caching you might be doing (like using Squid as a cache) can also have such an effect.

Data compression on the OpenVPN connection could also cause differences.

Depending on the media of your ISP, you could be receiving a variety of broadcast traffic on WAN. There are likely external connection attempts that are being blocked by the firewall on WAN too... those still get counted as traffic on the interface.

The numbers aren't different enough that I would think there are problems. If one interface were double the amount of the other two, then I might find reason for concern... but a difference of a couple of megabytes in an hour isn't a big deal IMHO.

General Questions / Re: Traffic Monitoring
« on: October 20, 2017, 08:57:46 pm »
You might look at the Status Traffic Totals package. You can get hourly numbers for the past 24 hours, daily numbers for the past 30 days, and monthly numbers for the past 12 months.

It's not broken down into particular hosts though... just a total in and out for the interface.

Bridge mode is the best way of doing things.

If you use bridge mode how does authentication work, i.e. is it PPPoE?
Unfortunately, Bridge mode isn't an option with Comcast Business if you have static IP addresses. They run RIP to advertise the static addresses back upstream, which requires that it run as a gateway, not in bridge mode.

Bridge mode on Comcast Business can only be used with dynamic addresses, and there's no authentication, just DHCP/DHCPv6 to get an IPv4 address and up to a /56 of IPv6 addresses.

I agree with Derelict though as a way to test what might be going on.

It sounds like there are not only two different VLANs, but they're on two different physical interfaces in pfSense (igb1 and igb2).

As mentioned by Grimson, when they're in the same VLAN there's no routing going on, just packets going through the switch to get from one device to another. When they're in different VLANs, the path goes all the way back to pfSense, which has to route each packet from one network to the other. And don't forget that TCP is a two-way street, as there are acknowledgement packets that go the opposite direction of the data that also need to be routed. Performance here is likely being limited by your CPU.

Since you're using VLANs, and pfSense has to route between them, that's where you're getting slowed down.

General Questions / Re: Do I need to do any additional config with AP
« on: October 17, 2017, 07:45:06 am »
If there are VLANs in use, and one of your APs is in that different VLAN, then that rule could be preventing access to the LAN network... like for guest users, you wouldn't want them to have access to your main LAN. So where that rule is located is important. Screenshots would definitely help.

IPv6 / Re: Why so many NDP entries for iPhone?
« on: October 09, 2017, 09:26:00 pm »
Not sure why your iPhone would have so many NDP entries. I have an iPhone and an iPad, and as with most devices on my network, they have only two NDP entries... one for the link-local address, one for the IP address being received via DHCPv6.

It's possible that if you have SLAAC enabled (Unmanaged or Assisted modes in the RA settings), the phone could be changing its SLAAC privacy address frequently enough that it keeps multiple entries.

IPv6 / Re: IPv6 Comcast issue
« on: October 03, 2017, 08:32:47 pm »
Before you changed the prefix length setting to 60, did you previously connect with it set to 64? If so, you'll need to delete the DUID file and release/renew the WAN interface so a new DUID is presented to Comcast's DHCPv6 servers. Otherwise Comcast's server will continue to provide you with a /64, since that's what it originally leased to your box. That might explain the inability to connect from the LAN, because pfSense isn't receiving the IP address block it's expecting.
