
Messages - virgiliomi

virgiliomi - my Sonos is on Ethernet, my laptop is on WiFi - it seems you have your Sonos & the app via Ethernet?

Re: Avahi, I've just installed the package, trying to figure out the specific setup.

In the meantime, if anyone has other thoughts, please share.
No, my WiFi just doesn't use a separate subnet from the rest of my LAN. I have a specific Guest VLAN/SSID that is separate, but my main WiFi SSID is on the same subnet as my wired network.

Re: Avahi... like I said, I've not used it myself, but maybe this thread might get you pointed in the right direction:

General Questions / Re: Plex keeps changing from nearby to indirect
« on: September 10, 2017, 08:35:11 am »
First, I wouldn't enable NAT Reflection on a global level. It can be set for each NAT rule individually, and that's how I would do it as not everything needs it. I do have it enabled for my Plex port forward, and have found things to work seamlessly with it this way. It's actually required for Sonos to be able to access Plex because of a limitation in Plex's Sonos implementation.

Using the custom setting for DNS Rebinding would be a good idea too. I also have this set in my DNS Resolver settings. There is also a setting for DNS Forwarder (dnsmasq). Both can be found here.

And if you're forwarding DNS to OpenDNS or somewhere else that blocks DNS Rebinding on its own, a domain override for the domain would be good too, though I'd override with Plex's own DNS servers instead of using another DNS provider to remove a variable from the equation.

I think people have used Avahi to get Sonos' device discovery to work across different subnets. I've not had to do this myself (I have a Sonos component wired to my network, rather than using their WiFi setup) so I can't provide much insight, but that might give you something else to search for that might turn up results.

Most providers' gateway devices have some way to enable bridge mode... some will have it buried in an advanced option, others you may need to call and have them enable it instead... but this is what you want so you don't have pfSense sitting behind another router with its own firewall and security settings. With their device in bridge mode, your pfSense box should be able to request an IPv6 address for WAN and a prefix for LAN. If you have multiple internal networks that you want IPv6 addresses for, you'll need to get a smaller prefix that gives you multiple /64's for your own use.

General Questions / Re: Send an email when the gateway falls
« on: September 07, 2017, 07:17:32 am »
For public IP addresses, use dynamic DNS with a static hostname then... the router will update the hostname with the correct IP address if/when it changes.

Not sure of a way to handle it if your carrier is using NAT. Maybe see if they have IPv6 available also, and use that instead as your down-detector?

2.4 Development Snapshots / Re: ZFS install
« on: September 07, 2017, 07:03:18 am »
Are you pressing the space bar to select the disk?
This. It isn't immediately evident, but you actually need to select the disk to tell the installer to use it. This confused me for a bit when I first reloaded my system to use ZFS also.

Ok. I was expecting the reload of the OS image... just wasn't sure if something in my CE config would replace/overwrite something in the factory setup. Glad to know I can just reload my CE config onto the factory version.

So I've been running the 2.4 beta from the day I got my SG-2440. As release nears, I know that the "factory" version is of course optimized for the Netgate hardware, and thus would like to return to that once 2.4 has been released. But I don't want to just restore my CE config file and have it remove any of those optimizations because they aren't present in my config.

Is there a way to get my box back to running the factory version with its optimizations without having to manually redo my config? Are there certain sections that I shouldn't import from my CE config, or that I could merge between my config and an unmodified factory one?

2.4 Development Snapshots / Re: 2.4.0 - How Often to Update?
« on: August 15, 2017, 08:15:19 pm »
When I first start running a beta version, I'll update maybe once every two to three weeks... four if I'm being especially lazy. As we get closer to release, I'll update weekly. If there's an issue I've experienced that has been fixed, or something that wasn't affecting me but I want to test the fix for, I'll update sooner.

Then when the release hits, I'll run that for a few months before determining if I want to participate in the next beta. I usually join in for major release betas, not so much for minor ones.

I'm not sure what's going on here, but while swapping modems this afternoon (upgraded to a DOCSIS 3.1 modem), I had my pfSense WAN interface not connected for a bit. After reconnecting it, and just now looking in the DNS Resolver logs, I have extended the log view up to 5000 lines and over 95% of the lines are...

Code:
Jul 18 17:30:46 unbound 82208:1 error: can't bind socket: Can't assign requested address for x.x.x.x
or replace the IPv4 address with an IPv6 address. The timestamp is the exact same to the minute, with a variance of 3 seconds over more than 4900 lines. That's some MAJOR log spamming going on while the connection is down.

Maybe it's always done that and I just haven't noticed (I don't tend to look at dns resolver logs often)... but that's pretty severe to be writing over 4900 lines to a log file in just three seconds. Possibly related? If not, please feel free to split this to a new topic.

webGUI / Re: CPU speed only shows on occasion.
« on: June 19, 2017, 08:40:15 am »
If I remember correctly, the "Current" CPU speed only shows if it is different from the full speed of the processor. So if you have a 1.8 GHz processor that has been throttled down to 1.3 GHz to save some power, then it would likely show the current speed. But if it's doing some processing and running at full speed, then it probably won't show up.

IPv6 / Re: Migrating to IPv6
« on: June 03, 2017, 06:19:44 am »
Indeed my ISP gave me a /48 for home use.

<sniff!> Mine only gave me a /56 </sniff!> ;)
Quit complaining... mine only lets me get a /60. Not that I'm using 16 /64's... I'm not even using 8... but I am using more than one.

General Questions / Re: pfSense Box not using all of my SSD space
« on: June 03, 2017, 06:00:33 am »
Yes, because you're re-partitioning the storage, reinstalling is the only way to do it.

General Questions / Re: Cable Modem Ethernet Cable Bonding
« on: May 28, 2017, 05:31:12 am »
I believe that, like the Arris SB8200, the link aggregation functionality will need to be enabled by the ISP. In Arris' case, I don't even think the functionality exists in their firmware yet. But like johnpoz mentioned, there's no real need for it yet since most cable ISPs using DOCSIS 3.1 are only offering 1 Gbps down (about 940-960 Mbps down after overhead).

If from a redundancy standpoint, that's something else that would need to be enabled by the ISP... two different MAC Addresses connected to the modem (most ISPs only limit the modem to allowing one connected device, by MAC address). Of course, that would also allow two different IP addresses (or IP address blocks in the case of IPv6).

So either way here, you're at the mercy of your ISP and when they decide to roll out such features, if they ever do.

Packages / Re: Squid HTTPS Certificate using ACME
« on: May 26, 2017, 12:47:08 pm »
Will buying a genuine certificate allow me to have a transparent proxy with SSL Man In the Middle Filtering?
Will this stop all the clients from getting certificate errors?
SSL MITM requires a Root CA certificate, which no reputable and trusted certificate issuer will provide. The reason is that a trusted Root CA is able to create certificates for ANY domain in existence and present them as valid. This is why you need to create your own Root CA, then install your Root CA certificate on all devices that will be going through the SSL MITM proxy.

A regular SSL host certificate - whether from LetsEncrypt or any paid certificate issuer - will not allow you to do SSL MITM.
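As an added illustration of that answer (example code written here, not from pfSense, Squid or the forum), this Go program uses only the standard library to create a private Root CA, sign a certificate for the site a client asked for, and check how a client behaves with and without that root installed, and then shows that an ordinary host certificate (no CA bit) cannot serve as the proxy's issuer. The names home-proxy-root-ca, proxy.example.test and www.example.test are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl builds a certificate template; ca selects the CA bit (basicConstraints CA:TRUE).
func tmpl(name string, ca bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: ku}
}

// sign issues t with a fresh P-256 key, signed by parent's key (self-signed when parent is nil).
func sign(t, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	cert, err := x509.ParseCertificate(der) // err also covers a failed CreateCertificate (der == nil)
	return cert, key, err
}

// Scenario returns: client with the private root installed accepts the proxy's cert,
// client without it accepts it, and a plain host certificate can act as the proxy's issuer.
func Scenario() (withRoot, withoutRoot, hostAsIssuer bool) {
	const site = "www.example.test" // constructed name: the site the client actually asked for
	root, rootKey, _ := sign(tmpl("home-proxy-root-ca", true, x509.KeyUsageCertSign), nil, nil)
	forged, _, _ := sign(tmpl(site, false, x509.KeyUsageDigitalSignature), root, rootKey)
	withCA, noCA := x509.NewCertPool(), x509.NewCertPool() // client trust stores; an empty pool never falls back to the OS store
	withCA.AddCert(root)
	_, e1 := forged.Verify(x509.VerifyOptions{DNSName: site, Roots: withCA})
	_, e2 := forged.Verify(x509.VerifyOptions{DNSName: site, Roots: noCA})
	// A regular host certificate (what LetsEncrypt or a paid issuer sells) carries no CA bit.
	host, hostKey, _ := sign(tmpl("proxy.example.test", false, x509.KeyUsageDigitalSignature), root, rootKey)
	forged2, _, err := sign(tmpl(site, false, x509.KeyUsageDigitalSignature), host, hostKey)
	if err == nil { // issuing may succeed, but every client rejects the chain: host is not a CA
		sent := x509.NewCertPool() // the chain the proxy would present
		sent.AddCert(host)
		_, err = forged2.Verify(x509.VerifyOptions{DNSName: site, Roots: withCA, Intermediates: sent})
	}
	return e1 == nil, e2 == nil, err == nil
}
```

Scenario() yields true, false, false: the forged certificate is accepted only by a client that has the private Root CA installed, and the host certificate cannot issue anything a client will trust.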
