
Messages - virgiliomi

IPv6 / Re: Selectively block IPv6
« on: November 13, 2017, 09:28:37 pm »
You might be able to get away with trying managed only on dhcpv6, set up a static assignment for his device, then add a firewall rule to block that address from the internet...

Worth a try...
This is probably the best solution... and should work as long as the prefix from your ISP doesn't change.

Traffic Monitoring / Re: Can someone please explain these figures to me
« on: October 22, 2017, 07:40:28 pm »
A variety of things could explain different numbers.

DNS lookups from cache would show traffic on LAN but not WAN or OPT1.  Any other caching you might be doing (like using Squid as a cache) can also have such an effect.

Data compression on the OpenVPN connection could also cause differences.

Depending on the media of your ISP, you could be receiving a variety of broadcast traffic on WAN. There are likely external connection attempts that are being blocked by the firewall on WAN too... those still get counted as traffic on the interface.

The numbers aren't different enough that I would think there are problems. If one interface were double the amount of the other two, then I might find reason for concern... but a difference of a couple of megabytes in an hour isn't a big deal IMHO.

General Questions / Re: Traffic Monitoring
« on: October 20, 2017, 08:57:46 pm »
You might look at the Status Traffic Totals package. You can get hourly numbers for the past 24 hours, daily numbers for the past 30 days, and monthly numbers for the past 12 months.

It's not broken down into particular hosts though... just a total in and out for the interface.

Bridge mode is the best way of doing things.

If you use bridge mode how does authentication work, i.e. is it PPPoE?
Unfortunately, Bridge mode isn't an option with Comcast Business if you have static IP addresses. They run RIP to advertise the static addresses back upstream, which requires that it run as a gateway, not in bridge mode.

Bridge mode on Comcast Business can only be used with dynamic addresses, and there's no authentication, just DHCP/DHCPv6 to get an IPv4 address and up to a /56 of IPv6 addresses.

I agree with Derelict though as a way to test what might be going on.

It sounds like there are not only two different VLANs, but they're on two different physical interfaces in pfSense (igb1 and igb2).

As mentioned by Grimson, when they're in the same VLAN there's no routing going on, just packets going through the switch to get from one device to another. When they're in different VLANs, the path goes all the way back to pfSense, which has to route each packet from one network to the other. And don't forget that TCP is a two-way street, as there are acknowledgement packets that go the opposite direction of the data that also need to be routed. Performance here is likely being limited by your CPU.

Since you're using VLANs, and pfSense has to route between them, that's where you're getting slowed down.

General Questions / Re: Do I need to do any additional config with AP
« on: October 17, 2017, 07:45:06 am »
If there are VLANs in use, and one of your APs is in that different VLAN, then that rule could be preventing access to the LAN network... like for guest users, you wouldn't want them to have access to your main LAN. So where that rule is located is important. Screenshots would definitely help.

IPv6 / Re: Why so many NDP entries for iPhone?
« on: October 09, 2017, 09:26:00 pm »
Not sure why your iPhone would have so many NDP entries. I have an iPhone and an iPad, and as with most devices on my network, they have only two NDP entries... one for the link-local address, one for the IP address being received via DHCPv6.

It's possible that if you have SLAAC enabled (Unmanaged or Assisted modes in the RA settings), the phone could be changing its SLAAC privacy address frequently enough that it keeps multiple entries.
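One way to check the explanation above from the NDP table itself: group the entries by link-layer address and count how many global addresses each host holds, separating link-local entries from EUI-64-derived SLAAC addresses and from everything else (DHCPv6 leases or temporary privacy addresses). A host with one link-local and one global entry matches the "two entries" case; several global entries under one MAC is the SLAAC-rotation case. This is an added example, not code from the post or from pfSense; the table below is constructed in the column layout of FreeBSD's `ndp -an`, with made-up addresses and MACs.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of FreeBSD's `ndp -an` output (what pfSense runs).
# Addresses and MACs are made up for illustration, not a real capture.
# Columns: Neighbor  Linklayer Address  Netif  Expire  S  Flags
SAMPLE_NDP = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::1c2a:3bff:fe4c:5d6e%igb1       1e:2a:3b:4c:5d:6e  igb1  permanent R
2001:db8:abcd:1::2a                  1e:2a:3b:4c:5d:6e  igb1  23h59m58s S R
fe80::a8bb:ccff:fedd:eeff%igb1       aa:bb:cc:dd:ee:ff  igb1  15s       R
2001:db8:abcd:1:a8bb:ccff:fedd:eeff  aa:bb:cc:dd:ee:ff  igb1  23h59m10s S R
2001:db8:abcd:1:7c1d:9f0e:1a2b:3c4d  aa:bb:cc:dd:ee:ff  igb1  12m8s     S R
2001:db8:abcd:1:e5f6:718:293a:4b5c   aa:bb:cc:dd:ee:ff  igb1  3h2m1s    S R
2001:db8:abcd:1:90ab:cdef:123:4567   aa:bb:cc:dd:ee:ff  igb1  1h17m4s   S R
2001:db8:abcd:1::77                  (incomplete)       igb1  expired   N
"""

CATEGORIES = ("link-local", "slaac-eui64", "global-other")


def eui64_iid(mac: str) -> int:
    """Interface identifier a host would derive from this MAC under classic
    (RFC 4291) SLAAC: flip the U/L bit and insert ff:fe in the middle."""
    b = bytes(int(octet, 16) for octet in mac.split(":"))
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(iid, "big")


def parse_ndp(text: str) -> list[tuple[ipaddress.IPv6Address, str, str]]:
    """Yield (address, mac, interface) for each resolved neighbor entry."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Neighbor":
            continue                      # header line or junk
        mac = parts[1].lower()
        if ":" not in mac:
            continue                      # "(incomplete)": no link-layer address yet
        addr = parts[0].split("%")[0]     # strip the %ifname zone id
        entries.append((ipaddress.IPv6Address(addr), mac, parts[2]))
    return entries


def classify(ip: ipaddress.IPv6Address, mac: str) -> str:
    if ip.is_link_local:
        return "link-local"
    iid = int(ip) & ((1 << 64) - 1)       # low 64 bits = interface identifier
    if iid == eui64_iid(mac):
        return "slaac-eui64"
    return "global-other"                 # DHCPv6 lease, stable-privacy or temporary address


def summarize(text: str) -> dict[str, dict[str, int]]:
    """Per-MAC counts of each address category."""
    by_mac: dict[str, dict[str, int]] = defaultdict(lambda: dict.fromkeys(CATEGORIES, 0))
    for ip, mac, _ifname in parse_ndp(text):
        by_mac[mac][classify(ip, mac)] += 1
    return dict(by_mac)


def hosts_with_many_globals(text: str, max_expected: int = 1) -> list[str]:
    """MACs holding more global addresses than a DHCPv6-only host would (one).
    Extra entries usually mean SLAAC is enabled and the host is rotating temporary
    (privacy) addresses, each of which lingers in the table until it expires."""
    return sorted(mac for mac, counts in summarize(text).items()
                  if counts["slaac-eui64"] + counts["global-other"] > max_expected)


if __name__ == "__main__":
    for mac, counts in summarize(SAMPLE_NDP).items():
        print(mac, counts)
    print("rotating addresses:", hosts_with_many_globals(SAMPLE_NDP))
```

On a live box the input would be the output of `ndp -an` (Diagnostics > NDP Table shows the same data); the heuristic only flags address counts, it does not tell you which of the extra entries are still in use.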

IPv6 / Re: IPv6 Comcast issue
« on: October 03, 2017, 08:32:47 pm »
Before you changed the prefix length setting to 60, did you previously connect with it set to 64? If so, you'll need to delete the DUID file and release/renew the WAN interface so a new DUID is presented to Comcast's DHCPv6 servers. Otherwise Comcast's server will continue to provide you with a /64, since that's what it originally leased to your box. That might explain the inability to connect from the LAN, because pfSense isn't receiving the IP address block it's expecting.

Just a note to luckman212... Verizon and Level 3 have no affiliation with each other. Those IP addresses you posted belong to Level 3.

Level 3 was recently acquired by CenturyLink, in an effort to increase business/enterprise services. Verizon has nothing to do with them.

Is there a way for someone who purchased the official pfSense hardware to obtain the official factory image which came with the original equipment?

You'll need to register for an account in the pfSense portal ( and register your pfSense device with your account. After that, there should be a box with a link to factory reinstall images. Not sure which model of device with the C2758 you have (I think there are two), and that might impact which image version you download. It should be noted that only released versions are available, so 2.4 (which is VERY close to release) is not there yet.

940 Mbps happens to be about what most people will see with a single 1 Gbps interface, after taking into account protocol overhead, so they're still pushing 1 Gbps through the line.

Of course, the caveat is that they're providing "Up to 940 Mbps"... if you're in-depth on the technology behind FiOS, it is actually shared connectivity between you and possibly up to 31 other neighbors, so if a couple of your neighbors also have gigabit service and have major downloads going on, that could actually prevent you from getting full speed.

Official pfSense Hardware / Re: New SG-3100
« on: September 15, 2017, 07:56:53 am »
Yes, but ports on the same VLAN will be handled in the switch without having to be handed off to the SoC. Silly things like bridging interfaces onto one "LAN" should be a thing of the past on the SG-3100.

True, though my thought was more if you have one VLAN on one port, another VLAN on another port, then routing between them would be handed back to the SoC, etc. But yes, same VLANs stay within the switch.

Official pfSense Hardware / Re: New SG-3100
« on: September 14, 2017, 09:46:38 pm »
Just remember that the 4-port switch is linked at 2.5 Gbps to the pfSense LAN interface... so you won't be able to use more than two switch ports to full capacity if you're going to have inter-VLAN routing going on.

General Questions / Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« on: September 13, 2017, 09:25:14 am »
Some ISPs require that you use their gateway (modem + router in one) in order to get a static public IP address. They run a routing protocol on their router that communicates with their upstream routers, telling them to route data for your static IP address to your gateway. They don't allow third-party devices to run the same routing protocol because there is significant potential for abuse by giving out the key(s) needed for the routing protocol to function.

So if you were using your "modem" (in quotes because I'm guessing that it's really a gateway) as a router before, and you had a static IP address before, then that's why you're not getting a static IP address anymore. You've changed your "modem" so that it is strictly operating as a modem (bridge mode), so it's not running that routing protocol anymore and isn't able to accommodate a static IP address as a result.

General Questions / Re: Is SSDP functionality connected to UPnP?
« on: September 11, 2017, 08:53:00 pm »
UPnP is used for more than just setting port forwards on a router/gateway. There are media operations that it's also capable of, and many devices that support DLNA will also detect UPnP devices (for example, my smart TV will detect all of my Sonos speakers, even though my Sonos speakers only speak UPnP, not DLNA).

Windows Media Player's media library sharing functionality also uses UPnP.
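SSDP is the discovery step of UPnP: the same multicast search and advertisement messages carry a gateway's port-mapping service, a media server, or a media renderer, and only the ST/NT target differs. The parser below, an added example that is not code from the post or from any of the products mentioned, takes raw SSDP messages and builds an inventory of what is advertising on the segment, grouped by device UUID and labelled by the kind of service. The messages are constructed (RFC 5737 addresses, placeholder UUIDs), and the keyword-based classification is an assumption of this example, not a UPnP rule.

```python
# Constructed SSDP traffic (not a real capture): one client search and three
# advertisements. 239.255.255.250:1900 is the standard SSDP multicast address.
SAMPLE_MESSAGES = [
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
    b"MX: 2\r\nST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n",
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nNTS: ssdp:alive\r\n"
    b"LOCATION: http://192.0.2.1:1900/rootDesc.xml\r\n"
    b"USN: uuid:PLACEHOLDER-GW-0001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.1 example-igd/1.0\r\n\r\n",
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"NT: urn:schemas-upnp-org:service:AVTransport:1\r\nNTS: ssdp:alive\r\n"
    b"LOCATION: http://192.0.2.20:1400/device.xml\r\n"
    b"USN: uuid:PLACEHOLDER-SPK-0002::urn:schemas-upnp-org:service:AVTransport:1\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
    b"LOCATION: http://192.0.2.30:2869/description.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"USN: uuid:PLACEHOLDER-PC-0003::urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n",
]


def parse_ssdp(raw: bytes) -> dict:
    """Parse one HTTPU message into its kind plus the headers discovery cares about."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    if start.startswith("M-SEARCH"):
        kind = "search"          # a client asking who is out there
    elif start.startswith("NOTIFY"):
        kind = "notify"          # unsolicited advertisement (ssdp:alive / ssdp:byebye)
    elif start.startswith("HTTP/1.1 200"):
        kind = "response"        # unicast reply to an M-SEARCH
    else:
        raise ValueError(f"not an SSDP message: {start!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {
        "kind": kind,
        "target": headers.get("ST") or headers.get("NT") or "",   # ST in search/response, NT in notify
        "usn": headers.get("USN", ""),
        "location": headers.get("LOCATION", ""),
        "server": headers.get("SERVER", ""),
        "nts": headers.get("NTS", ""),
    }


def classify_target(target: str) -> str:
    """Assumed mapping from UPnP device/service URN keywords to a coarse category."""
    t = target.lower()
    if any(k in t for k in ("internetgatewaydevice", "wanipconnection", "wanpppconnection")):
        return "gateway/port-mapping"
    if any(k in t for k in ("mediaserver", "mediarenderer", "contentdirectory", "avtransport")):
        return "media (UPnP AV/DLNA)"
    if t in ("ssdp:all", "upnp:rootdevice") or t.startswith("uuid:"):
        return "generic"
    return "other"


def advertised_devices(messages: list[bytes]) -> dict[str, dict]:
    """Inventory of devices that announced themselves, keyed by the uuid part of USN."""
    devices: dict[str, dict] = {}
    for raw in messages:
        msg = parse_ssdp(raw)
        if msg["kind"] == "search" or msg["nts"] == "ssdp:byebye":
            continue             # searches are not devices; byebye means it is leaving
        uuid = msg["usn"].split("::")[0]
        entry = devices.setdefault(uuid, {"location": msg["location"], "categories": set()})
        entry["categories"].add(classify_target(msg["target"]))
    return {u: {"location": e["location"], "categories": sorted(e["categories"])}
            for u, e in devices.items()}


def search_targets(messages: list[bytes]) -> list[str]:
    """What clients on the segment were looking for."""
    return [parse_ssdp(m)["target"] for m in messages if parse_ssdp(m)["kind"] == "search"]


if __name__ == "__main__":
    for uuid, info in advertised_devices(SAMPLE_MESSAGES).items():
        print(uuid, info)
    print("searches:", search_targets(SAMPLE_MESSAGES))
```

Fed with messages captured from UDP port 1900 on the LAN, the inventory shows at a glance which hosts expose a port-mapping control point and which are only media endpoints, which is the distinction that matters when deciding whether to leave the UPnP IGD service enabled on the firewall.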
