
Messages - johnpoz

Firewalling / Re: Access from LAN to DMZ(OPT1)
« on: March 21, 2018, 02:57:09 pm »
your mask is /16 so 192.168.3 is on the same network...  So no, it is never going to send traffic to pfsense to get there.

Firewalling / Re: Access from LAN to DMZ(OPT1)
« on: March 21, 2018, 02:39:14 pm »
well do a netstat -nr on it..

So you can see your routes... This will also validate what mask you have... When you ping an IP on a different network you sure shouldn't be getting back from a different host

From icmp_seq=1 Destination Host Unreachable

On your own network that is not your gateway that it can not get there.

Firewalling / Re: Access from LAN to DMZ(OPT1)
« on: March 21, 2018, 02:31:33 pm »
your /32 is BROKEN...  Set that to /24 how it normally would be..
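The on-link decision johnpoz is describing (a /16 mask swallowing 192.168.3.x, a /32 leaving the host with no one on-link), as an added example that is not from the thread. The LAN 192.168.1.0/24 with pfSense at .1 and the DMZ 192.168.3.0/24 are constructed values standing in for the poster's network.

```python
# Added example (not from the forum thread): decide whether a host sends a
# packet directly (on-link) or hands it to its gateway, given the prefix
# length configured on its interface, and flag masks that commonly break
# LAN-to-DMZ reachability.
import ipaddress


def next_hop(host_if: str, dst: str, gateway: str) -> str:
    """Return 'direct' if dst is on-link for host_if (e.g. '192.168.1.50/24'),
    else the gateway address the packet is handed to."""
    iface = ipaddress.ip_interface(host_if)
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    # On a real host the gateway itself must also be on-link; with a /32 the
    # ARP for it fails and the packet never leaves (see mask_problems()).
    return gateway


def mask_problems(host_if: str) -> list[str]:
    """Flag interface masks that leave the host unable to reach other subnets."""
    iface = ipaddress.ip_interface(host_if)
    problems = []
    if iface.network.prefixlen == 32:
        problems.append("/32: nothing is on-link, not even the gateway")
    elif iface.network.prefixlen < 24:
        problems.append(f"/{iface.network.prefixlen}: covers "
                        f"{iface.network.num_addresses} addresses; other "
                        "/24s in that range are treated as on-link and are "
                        "never sent to the gateway")
    return problems


if __name__ == "__main__":
    # Constructed values: LAN host in 192.168.1.0/24, pfSense LAN at .1,
    # DMZ host at 192.168.3.10.
    for host in ("192.168.1.50/24", "192.168.1.50/16", "192.168.1.50/32"):
        print(host, "->", next_hop(host, "192.168.3.10", "192.168.1.1"),
              mask_problems(host))
```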

Firewalling / Re: Access from LAN to DMZ(OPT1)
« on: March 21, 2018, 02:28:19 pm »
Why would you be getting back that from .105?  pfsense lan IP was .1 you stated.

Do you have some host routes setup on this lan box?

you sure your lan mask is /24 and not maybe say /22 or larger?  Is this lan device a windows box?  If so post output of ipconfig /all and route print.

Firewalling / Re: Access from LAN to DMZ(OPT1)
« on: March 21, 2018, 02:24:51 pm »
well if you can not ping the dmz IP of pfsense from lan - then you're never going to get to a device on the dmz.  Are you using a vpn client on pfsense and sending all traffic out the vpn?

Did you set a /32 on the dmz IP?

Are you using a vpn client on the lan device?

Post up the interface settings of your lan and dmz in pfsense.  This really is clickity clickity worky sort of stuff.

Did you put some rule in your floating tab that would be blocking it?

Firewalling / Re: Access from LAN to DMZ(OPT1)
« on: March 21, 2018, 02:21:03 pm »
Is your device on lan using pfsense as gateway?  Can you ping the dmz interface IP of pfsense?

Did you maybe set a /32 mask on the pfsense dmz IP vs say /24?

Firewalling / Re: Access from LAN to DMZ(OPT1)
« on: March 21, 2018, 02:12:37 pm »
You would need zero rules on the dmz interface for something from lan with the default any any to get there.

If you're not able to ping the dmz device even.  Points to firewall on the dmz device if you ask me.  Do a simple sniff on the dmz interface on pfsense.. ping from your lan to your dmz IP.  Do you see the icmp go to the dmz IP you pinged..  If so pfsense did its job and the box not answering has nothing to do with pfsense.

DHCP and DNS / Re: DHCP IPV4 Subnet configuration
« on: March 21, 2018, 12:41:53 pm »
Here I took an interface not really using currently because my downstream router is offline.

So see its original network was 172.31.0/30

Changed it to 172.31.2/30, see the notice when I do that not to forget the dhcp server range.  I even got an alert when I applied that my range was invalid for the new network.

Went to dhcp server for that interface - changed the range to be within the netblock of the mask I put on the interface and all is good.

DHCP and DNS / Re: DHCP IPV4 Subnet configuration
« on: March 21, 2018, 11:17:38 am »
Also screen shots of your interface settings and your dhcp server showing this wrong default network..  Been running pfsense for a very long time and have never seen that happen.

"I do know how to troubleshoot DNS even if it does not look as if I do."
"Then in Services/DNS Resolver/General Settings I checked DNSSEC and DNS Query Forwarding"

From your 2nd statement, sorry but I tend to disagree with the 1st statement.  From where you're forwarding in your output also makes that 1st statement suspect - sorry.  But I do not believe you actually understand how this stuff is supposed to function.  If you want pfsense to be able to resolve internal, then point it to internal and let those internal resolve the public stuff pfsense might need.  If they can not resolve external, then setup pfsense to use those only when wanting to resolve those specific domains they are authoritative for or can resolve via forwarding.   And setup pfsense to be able to resolve public stuff for you, etc.

"   5066 msec"

Where is that ns in respect to you?  The Space Station? ;)

So does 10.6.x.x support dnssec?  Do they resolve internal and external?  Does this 212.113 box support dnssec?

I show they do not
;  IN      A


;; Query time: 133 msec

They for sure will not be able to resolve internal stuff.

You can not, and hope to not have problems, point a system to different NS that can not resolve the same stuff.  Pointing to public dns like google and level3 thinking they will resolve your internal stuff is not going to work.  You can not be sure which order NS will be queried..  And if they return a NX for something you query, even if you go down the line in order your dns client after getting back an NX would not ask another NS for the same thing until the neg cache set when getting that expires, etc.

Using NS that can not all resolve the same stuff is asking for nothing but problems.

I would assume those 10.6.x.x are your internal NS, which can resolve your internal stuff.  Can they also resolve public - where they forward, do they resolve - do they support dnssec.

While google does... that level 3 resolver sure doesn't

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34373
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;  IN      A

;; Query time: 285 msec
;; WHEN: Tue Mar 20 10:37:38 Central Daylight Time 2018
;; MSG SIZE  rcvd: 57

See how level 3 answers even though the sig is bad..

;  IN      A


;; Query time: 133 msec
;; WHEN: Tue Mar 20 10:34:50 Central Daylight Time 2018
;; MSG SIZE  rcvd: 73

I think he means the switch's SVI is

If your switch is L3 and doing the routing between your downstream vlans, then it would need an interface with IP in each of these vlans.  This SVI becomes the gateway device in these vlans.

The network between pfsense and this downstream router now is just transit.

A /24 is a huge transit - you do not have hosts on this network do you.  If so you're going to have asymmetrical routing unless you create routes on each host.

For pfsense to be an upstream router the interface that is the transit needs to allow for the downstream networks.  And if you changed the outbound nat rules from auto you will have to adjust those after you create your gateway and route(s) on pfsense telling it which networks are downstream.
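The dig headers quoted in the DNS discussion above (SERVFAIL from the validating resolver, a normal answer from the one that returns the badly signed data) can be compared mechanically. This is an added example, not from the thread: the SERVFAIL reply is the one quoted above, the NOERROR reply is constructed to stand in for the non-validating resolver, and the resolver labels are placeholders.

```python
# Added example (not from the forum thread): parse the header of `dig` replies
# for a name whose DNSSEC signature is known to be bad and classify what each
# resolver did, so the resolvers a client is pointed at can be checked for
# consistent behaviour before mixing them in one resolver list.
import re

# Reply quoted in the thread: a validating resolver refusing the bad signature.
VALIDATING_REPLY = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34373
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 285 msec
"""
# Constructed reply standing in for a resolver that hands the data back anyway.
NONVALIDATING_REPLY = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 133 msec
"""


def parse_dig_header(text: str) -> dict:
    """Pull status, flags, answer count and query time out of dig output."""
    status = re.search(r"status:\s*(\w+)", text)
    flags = re.search(r";; flags:\s*([a-z ]*);", text)
    answers = re.search(r"ANSWER:\s*(\d+)", text)
    qtime = re.search(r"Query time:\s*(\d+)\s*msec", text)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "answer": int(answers.group(1)) if answers else 0,
        "msec": int(qtime.group(1)) if qtime else None,
    }


def classify_bad_sig_reply(text: str) -> str:
    """Describe how a resolver treated a deliberately badly signed name."""
    h = parse_dig_header(text)
    if h["status"] == "SERVFAIL":
        return "validating: refused to return the badly signed data"
    if h["status"] == "NOERROR" and h["answer"] > 0 and "ad" not in h["flags"]:
        return "non-validating: returned data it did not validate"
    if "ad" in h["flags"]:
        return "ad flag set: resolver claims the answer validated"
    return f"unexpected: status={h['status']} answers={h['answer']}"


if __name__ == "__main__":
    for label, reply in (("validating-ns", VALIDATING_REPLY),
                         ("other-ns", NONVALIDATING_REPLY)):
        print(label, "->", classify_bad_sig_reply(reply))
```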

webGUI / Re: CA/Certificate generation REQUIRES email address?
« on: March 20, 2018, 04:35:16 am »
What CA only gives its CN and is in the trust providers out of the box.. Could you please give an example of one of these..

I was under the impression that O and C were required..

NAT / Re: Outbound nat/port forwarding between two routers
« on: March 20, 2018, 04:22:37 am »
Please draw your network.

That you state you have two /16 networks tells me you're doing it wrong for starters ;)  Do you mean you have summary routes to how to get to these networks via 2 different transit networks.

And since you're obfuscating them clearly they are public space?

Firewalling / Re: Communication between devices
« on: March 19, 2018, 07:22:39 pm »
"Only issue i had was with port forwarding, but i had to change the firewall from auto to hybrid under Outbound."

Huh?? what does outbound nat have to do with port forwarding?  Only reason you would have to switch to hybrid is if you were using a vpn or something?

Wireless / Re: wireless-based vlans across unmanaged switch>
« on: March 19, 2018, 03:20:11 pm »
Fair enough... If it's something that is in a home/lab for a while waiting for the new switch to get here is one thing.  Making compromise after it works and never updating is another ;)
