
Messages - johnpoz

DHCP and DNS / Re: Intermittent DNS timeouts - DNS Resolver
« on: Yesterday at 04:57:12 am »
" All other sites have the isp dns servers set like this and they don't have timeouts."

Maybe their isp dns doesn't suck ;)

There is ZERO reason to set isp dns if you're going to resolve.  Pfsense out of the box resolves, and uses itself to resolve stuff it wants.  The stuff it resolves it caches and hands to clients from its cache. If you're having problems resolving something you need to figure out where the problem is - more than likely it's going to be talking to the authoritative servers directly since roots shouldn't be a problem, if they are then you have an overall network issue and nothing is going to resolve.

When you forward you're at the mercy of how fast your forwarder wants to answer, and with what you have no idea: it might be something they had cached and you get a 3 second ttl and then have to ask them again 3 seconds later.  Or they do not have it cached and it has to forward or resolve what you're looking for, etc.

Unless you're on a very high latency line or very limited bandwidth I don't see why anyone would forward vs resolve..

DHCP and DNS / Re: Override Outgoing Interface on DNS Resolver
« on: Yesterday at 04:49:44 am »
You would set a domain override... It would use whatever interface it is allowed to use per routing to get there... So if you have multiple wans and you have a route to use gateway A then it should use that gateway to get there.

Resolving would work the same way based upon the route to get to the authoritative ns would determine which outgoing interface would be used.

DHCP and DNS / Re: Intermittent DNS timeouts - DNS Resolver
« on: Yesterday at 04:43:53 am »
Your drill is just showing you what is cached... Not how long it's taking to actually resolve something.  Once something is in the cache you do not have to go look it up again until the ttl expires

DHCP and DNS / Re: Intermittent DNS timeouts - DNS Resolver
« on: Yesterday at 04:09:46 am »
And now what is your +trace look like?

General Questions / Re: Connect from work to home with ssh tunnel ?
« on: March 15, 2018, 11:02:09 pm »
So you want us to help you circumvent your work's policies... Yeah good luck with that.. Just what I love to help people do -- less work ;)

And like I would follow some youtube link from such a question.. For all I know could be 2 cats going at it in an alley.

Hint -- run the openvpn wizard.. Run the openvpn client at work..

DHCP and DNS / Re: Intermittent DNS timeouts - DNS Resolver
« on: March 15, 2018, 10:46:39 pm »
Yeah this is a problem...

couldn't get address for '': not found

;; Received 241 bytes from in 38 ms

See the 38 ms.. Not sure what you're running but getting the roots should be ZERO ms.. since the roots should be local..

[2.4.2-RELEASE][root@sg4860.local.lan]/root: dig +trace

; <<>> DiG 9.11.2 <<>> +trace
;; global options: +cmd
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      RRSIG   NS 8 0 518400 20180328200000 20180315190000 41824 . gZKff74Th31jl+jS470MQHNVnV0txz48FChiDL/brOf2CXl6XPyIRQ1C 22qzr69/S6pDoO8oPW0nS+2IBxXOhnbU8tfNjHSOVS6yvnmoP0SHEV+B yi5WUyJDF4GN+dS5aNW30RM1dtaQkunLpjY2jTIDkzstV9BmnQnKcYr0 2oltImSStLNxGxKwXzksXJ3rIAhBHKdc1bVSQyyLqbz9y7A8sLOiqUy5 yahLzv2zuIMcuMYvF7Sy72MwfQUnPZ4yR4DP2cvccVYbOox4V4smc9Uy 3Ncabk05gdceltRwgZ2t1c+8StNVR1oKLRUE9wkhyT1zVrBcQqy5pyB2 W9HBgQ==
;; Received 525 bytes from in 0 ms

Not sure what you have running, but I know for a fact it's not the out of the box default...  Somebody messed with the root hints on your unbound.

Seems you got them from here?????

;; ANSWER SECTION: 86400 IN      PTR

DHCP and DNS / Re: Intermittent DNS timeouts - DNS Resolver
« on: March 15, 2018, 11:17:22 am »
I would suggest you do a

dig +trace

vs using drill - you will get way more info.  Like where in the resolve tree your timeouts are happening, full path or just part of it.
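The two posts above say to read a `dig +trace` run hop by hop: the first block is the root NS set and should come from the box's own root hints at 0 ms, and whichever later hop carries the big "in N ms" (or a "couldn't get address for" line) is where the resolve is actually stalling. Below is an added example, not code from the thread, that parses that output into one record per hop so the slow or failing hop can be picked out mechanically. The two trace texts are constructed samples in the shape dig prints, not the poster's output; the resolver on loopback, the server names and the 2100 ms stall are all assumed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape dig +trace prints (not the poster's output):
# one delegation block per hop, each ended by a ";; Received ..." line.
SAMPLE_TRACE = """\
; <<>> DiG 9.11.2 <<>> +trace www.example.com
;; global options: +cmd
.                       515010  IN      NS      a.root-servers.net.
.                       515010  IN      NS      b.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
;; Received 1170 bytes from 198.41.0.4#53(a.root-servers.net) in 38 ms

example.com.            172800  IN      NS      ns1.example.com.
;; Received 300 bytes from 192.5.6.30#53(a.gtld-servers.net) in 2100 ms

www.example.com.        300     IN      A       192.0.2.10
;; Received 60 bytes from 192.0.2.1#53(ns1.example.com) in 45 ms
"""

# Constructed sample of a broken walk: the root NS set arrives, but the resolver
# cannot look up the gTLD server's address, so the trace stops at the com. hop.
SAMPLE_BROKEN = """\
.                       515010  IN      NS      a.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
couldn't get address for 'a.gtld-servers.net': not found
"""

HOP_RE = re.compile(r"^;; Received (\d+) bytes from (\S+) in (\d+) ms")
RR_RE = re.compile(r"^([^;\s]\S*)\s+\d+\s+IN\s+\S+")
ERR_RE = re.compile(r"^(?:couldn't get address for|;; connection timed out)")


def parse_trace(text: str) -> List[Dict]:
    """Turn dig +trace output into one record per hop.

    Each hop records which zone's delegation (or final answer) it carried,
    which server sent it and how long it took; error lines become hops with
    ms=None so a broken walk shows up in the same list.
    """
    hops: List[Dict] = []
    zone: Optional[str] = None
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"zone": zone, "server": m.group(2),
                         "bytes": int(m.group(1)), "ms": int(m.group(3)),
                         "error": None})
            continue
        if ERR_RE.match(line):
            hops.append({"zone": zone, "server": None, "bytes": 0,
                         "ms": None, "error": line.strip()})
            continue
        m = RR_RE.match(line)
        if m:
            # Owner name of the records in this block = the zone this hop answered for.
            zone = m.group(1)
    return hops


def root_hints_local(hops: List[Dict]) -> bool:
    """First hop is the root NS set; on a default pfSense box it comes from
    unbound's own root hints over loopback, so it should cost ~0 ms."""
    if not hops or hops[0]["error"]:
        return False
    return hops[0]["server"].startswith(("127.", "::1#")) and hops[0]["ms"] == 0


def slowest_hop(hops: List[Dict]) -> Optional[Dict]:
    timed = [h for h in hops if h["ms"] is not None]
    return max(timed, key=lambda h: h["ms"]) if timed else None


def failures(hops: List[Dict]) -> List[str]:
    return [f"{h['zone']}: {h['error']}" for h in hops if h["error"]]


if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    for h in hops:
        print(f"{h['zone'] or '?':<20} {h['server'] or '-':<45} {h['ms']} ms")
    print("root hints local:", root_hints_local(hops))
    worst = slowest_hop(hops)
    print("slowest hop:", worst["zone"], worst["ms"], "ms")
    print("failures in broken trace:", failures(parse_trace(SAMPLE_BROKEN)))
```

Run it against real output with `dig +trace name > trace.txt` and feed the file's text to `parse_trace`; a first hop that is not loopback, or not 0 ms, is the "somebody messed with the root hints" case from the post above, while a single large `ms` further down points at one authoritative server rather than at the network as a whole.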

Firewalling / Re: granting certain wanadress acces to local lan
« on: March 15, 2018, 11:07:05 am »
""source" wan ipv4 friends / family house, destination= lan subnet,  and allow all"

That would not work if you were doing nat... If your lan net was a public net routed to you then that would work.

But you can for sure port forward the traffic you want into your lan and allow specific IPs as the source.

"watchguard firebox x750 loaded with pfsense 2.1?"

With the talk of monowall and 2.1 - thought this was an OLD thread.. 2.1 was late 2013, 2014... it's now 2018 why would you still be running that?  Monowall last release was in 2014... Talk about keeping your security updated <rolleyes>

Routing and Multi WAN / Re: Help with routes on múltiples pFsense
« on: March 15, 2018, 07:46:08 am »
yeah can be done with just 1.. Not sure why you think it couldn't?

You're using a reverse proxy from the outside into your dmz.

It wouldn't be WAN on his router, it would just be another interface... He has another interface on that router for wan that would go to internet.

See my drawing I first posted, that is a transit network.  The 172.16.0/30

Box in 192.168.1 wants to get to 192.168.50.x - So hits his gateway, router says oh to get to 192.168.50/20 I send the traffic to  That router says oh this traffic wants to go to 192.168.50.x... I have that network attached let me send it to him..

On the way back follow the exact same path back... Symmetrical vs Asymmetrical ;)

No concerns with dhcp since you're not on the same layer 2.. And you wouldn't run dhcp on the transit interfaces.  You may need to run something larger than /30 if you want to be able to get to your wireless bridge devices to manage them which would also have IPs on this 172.16 network.  Or maybe they have a management vlan or interface?

Routing and Multi WAN / Re: Help with routes on múltiples pFsense
« on: March 15, 2018, 03:31:03 am »
What do you get in such a scenario other than complexity?  Why can you not just run proxy on fw 1?

Firewalling / Re: Invert match doesn't work
« on: March 14, 2018, 11:12:44 am »
managed switch where?  That rule says you can go anywhere you want as long as not lan net which is what nat network?  you have a bunch of other networks there..

So if say network of lan was that rule says you can go anywhere you want as long as dest is not It could be some downstream network that you get to via lan net even, etc.  Maybe you are running vip with different layer 3 on lan net... Have seen lots of people think its ok to run multiple layer 3 on the same layer 2..

If you were running say 192.168.2/24 on your lan network that would have been allowed since lan net just expands to the network you have on your lan interface nothing more.

a transit or transfer network is networking 101..  It would be any network that connects "routers"

yes you created a route on his router, but the traffic is asymmetrical in flow since pfsense will not send the traffic back to his router since its interface is directly connected to that network and can see all the hosts directly via arp.

On one of his pc create a route that points 192.168.1/24 to your address  - that would remove the asymmetrical routing..  if still having issues and you can ping then most likely the device you're trying to talk to has a firewall that doesn't allow whatever you're trying to do from this 192.168.50 network.
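The transit-network walk-through in the "Help with routes on múltiples pFsense" post above (box in 192.168.1 hits its gateway, that router hands the packet across the 172.16.0/30 transit to the router that has 192.168.50 attached, and the reply follows the same path back) and the asymmetric case in the post just above (pfSense is directly connected to 192.168.50, so it answers hosts there directly while their replies go via the other router until a host route is added) are the same mechanism: longest-prefix lookup at each hop. The following added example, not code from either thread, simulates both topologies with plain static tables and checks whether the forward and return paths mirror each other. Addressing is assumed: 192.168.1.0/24 behind pfSense, 192.168.50.0/24 behind the second router (the /20 in the thread simplified to a /24), 172.16.0.0/30 as the transit, and the host/router addresses used below.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, Optional[str]]  # (prefix, next hop); next hop None = directly connected


class Node:
    """A host or router with a plain static routing table (longest prefix match)."""

    def __init__(self, name: str, routes: List[Route]):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst: ipaddress.IPv4Address):
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def trace(nodes: Dict[str, Node], owner: Dict[str, str], src: str, dst: str) -> List[str]:
    """Follow one packet hop by hop. `owner` maps each IP address to the node holding it."""
    dst_ip = ipaddress.ip_address(dst)
    path, node = [src], nodes[src]
    for _ in range(8):  # more hops than these topologies need; guards against loops
        hit = node.lookup(dst_ip)
        if hit is None:
            return path + ["unreachable"]
        _net, nh = hit
        if nh is None:  # directly connected: deliver to whoever owns the address (arp, not a route)
            return path + [owner[str(dst_ip)]]
        node = nodes[owner[nh]]
        path.append(node.name)
    return path + ["loop"]


def symmetric(fwd: List[str], back: List[str]) -> bool:
    return fwd == list(reversed(back))


# Assumed topology 1: the transit network from the routing thread.
def transit_topology():
    nodes = {
        "hostA":   Node("hostA",   [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
        "pfsense": Node("pfsense", [("192.168.1.0/24", None), ("172.16.0.0/30", None),
                                    ("192.168.50.0/24", "172.16.0.2")]),
        "router2": Node("router2", [("192.168.50.0/24", None), ("172.16.0.0/30", None),
                                    ("192.168.1.0/24", "172.16.0.1")]),
        "hostB":   Node("hostB",   [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.1")]),
    }
    owner = {"192.168.1.10": "hostA", "192.168.1.1": "pfsense", "172.16.0.1": "pfsense",
             "172.16.0.2": "router2", "192.168.50.1": "router2", "192.168.50.10": "hostB"}
    return nodes, owner


# Assumed topology 2: pfSense has an interface directly on 192.168.50.0/24 and the
# second router sits on that same segment with a route to 192.168.1.0/24 via pfSense.
def shared_segment_topology(host_route: bool = False):
    host_b_routes: List[Route] = [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.254")]
    if host_route:  # the fix from the thread: point 192.168.1/24 at pfSense on the host itself
        host_b_routes.append(("192.168.1.0/24", "192.168.50.1"))
    nodes = {
        "hostA":   Node("hostA",   [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
        "pfsense": Node("pfsense", [("192.168.1.0/24", None), ("192.168.50.0/24", None)]),
        "router2": Node("router2", [("192.168.50.0/24", None), ("192.168.1.0/24", "192.168.50.1")]),
        "hostB":   Node("hostB",   host_b_routes),
    }
    owner = {"192.168.1.10": "hostA", "192.168.1.1": "pfsense", "192.168.50.1": "pfsense",
             "192.168.50.254": "router2", "192.168.50.10": "hostB"}
    return nodes, owner


def paths(topology) -> Tuple[List[str], List[str]]:
    """Forward path hostA -> hostB and return path hostB -> hostA."""
    nodes, owner = topology
    return (trace(nodes, owner, "hostA", "192.168.50.10"),
            trace(nodes, owner, "hostB", "192.168.1.10"))


if __name__ == "__main__":
    for label, topo in [("transit", transit_topology()),
                        ("shared segment", shared_segment_topology()),
                        ("shared segment + host route", shared_segment_topology(True))]:
        fwd, back = paths(topo)
        print(f"{label:<28} {fwd} / {back} symmetric={symmetric(fwd, back)}")
```

The shared-segment case is why a stateful firewall in the middle breaks: pfSense sees hostA's SYN go out but never sees hostB's SYN/ACK come back through it, so the state never completes. The transit /30 forces both directions through the same two routers, which is the point of the drawing in the thread.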

Firewalling / Re: Invert match doesn't work
« on: March 14, 2018, 10:32:22 am »
states might have been active when you put in a rule that blocks, you have to kill any active states.

Firewalling / Re: Invert match doesn't work
« on: March 14, 2018, 09:47:00 am »
So your wlan net would allow anything that is NOT lan net.

I use the same sort of rules and have no issues with them.. Derelict would suggest you just change that to a specific block/reject that you put above your allow any..  And this is a cleaner way to look at rules.. But the ! lan net should work... I use them on all my vlans that I block access to any of my other vlans with a ! rfc1918 alias I created.. So this allows access to internet but blocks all access to any of my other vlans which are all in rfc1918 space.

Keep in mind states could still be active that would allow traffic, and if you're using vips there were some issues with ! rules I do believe..

If you're concerned with the ! rule, just put a block/reject rule above it that specifically blocks access to lan net.

Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated as traffic enters an interface.

Do you have anything in floating that might allow the traffic before the wlan rules are even evaluated?
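The three "Invert match" replies above make a precise claim about pf rule semantics: rules are evaluated top down and the first match wins, `! lan net` matches exactly the destinations that are not in the LAN interface's own subnet (so a second VLAN or a downstream network is still allowed), a `! rfc1918` alias blocks every private network at once, and an explicit block above an allow-any gives the same result as the inverted rule. The following added example, not code from the thread, models that evaluation for the three rule layouts over three destinations. Addressing is assumed: LAN is 192.168.1.0/24, another VLAN is 192.168.2.0/24, and 203.0.113.5 stands in for an internet host. Existing states are not modelled; as the posts note, a connection opened before a block rule was added keeps flowing until its state is killed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed addressing (not from the thread).
LAN_NET = [ipaddress.ip_network("192.168.1.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    dst: List[ipaddress.IPv4Network]  # destination network or alias members
    invert: bool = False              # the "!" (not) toggle on the destination
    note: str = ""

    def matches(self, dst_ip: ipaddress.IPv4Address) -> bool:
        in_list = any(dst_ip in net for net in self.dst)
        # "! X" matches exactly when the destination is in NO member of X.
        return in_list != self.invert


def evaluate(rules: List[Rule], dst: str) -> Tuple[str, str]:
    """Top-down, first matching rule wins; no match falls through to pfSense's implicit default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.action, rule.note
    return "block", "implicit default deny"


RULESETS: Dict[str, List[Rule]] = {
    # The poster's rule: allow anything whose destination is not "LAN net".
    "invert_lan_net": [Rule("pass", LAN_NET, invert=True, note="pass to ! LAN net")],
    # johnpoz's variant: allow anything not in an RFC1918 alias, blocking every private VLAN.
    "invert_rfc1918": [Rule("pass", RFC1918, invert=True, note="pass to ! rfc1918")],
    # Derelict's suggestion: explicit block of LAN net placed above a plain allow-any.
    "block_then_allow": [Rule("block", LAN_NET, note="block to LAN net"),
                         Rule("pass", ANY, note="pass to any")],
}

TARGETS = {"lan_host": "192.168.1.10", "other_vlan_host": "192.168.2.10", "internet": "203.0.113.5"}


def decisions(ruleset: str) -> Dict[str, str]:
    """Action taken for each target destination under the named ruleset."""
    return {name: evaluate(RULESETS[ruleset], ip)[0] for name, ip in TARGETS.items()}


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:<18} {decisions(name)}")
```

The output shows the point of the first reply above: `! LAN net` and block-then-allow give identical decisions, and both still let the WLAN reach 192.168.2.10 on the other VLAN, because "LAN net" expands only to the LAN interface's subnet. Only the `! rfc1918` layout blocks that other VLAN.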
