
Messages - johnpoz

That is just saying not to have pfSense point to itself. Kind of a stupid step that does nothing other than not allowing pfSense to resolve its own entries. That is not something I would do at all, unless you don't want pfSense to resolve any sort of overrides or static DHCP entries, etc.

I would not do that checkbox.

To be honest I cannot think of a scenario at all in which it would make sense to use such a setting. The only time I would think that checkbox would make sense is if you were not going to run any DNS at all on pfSense.

While it says to turn off DNSSEC: if you're forwarding this means nothing, to be honest, so yeah, when you're forwarding you would normally turn off DNSSEC.

It does not say to turn off the forwarder/resolver; it says clearly to enable forwarder mode in the resolver (unbound). And then you set the DNS you're going to forward to in the General Setup area.

And you set up unbound to only be able to use the VPN interface for DNS lookups.

The resolver (unbound) does not only cache, it also actually resolves, unless you tell it to just use forwarder mode, which is what that guide says to do.
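For reference, this is an added unbound.conf fragment (my example, not from the post or the guide it discusses) showing what the pfSense GUI settings described above amount to once rendered: forwarding mode, no DNSSEC validator, and outgoing queries bound to the VPN tunnel so nothing can leak out the WAN. The addresses 192.168.1.1 (LAN), 10.8.0.5 (pfSense's own tunnel address) and 10.8.0.1 (the VPN provider's DNS) are placeholders.

```conf
# Added example, not pfSense's generated file. The GUI field each line
# corresponds to is noted in the comment.
server:
    # Services > DNS Resolver > Network Interfaces: answer clients on LAN only
    interface: 192.168.1.1
    # Services > DNS Resolver > Outgoing Network Interfaces: only the VPN
    # tunnel address (placeholder), so a lookup can never leave via the WAN.
    # If the tunnel is down, resolution fails instead of falling back.
    outgoing-interface: 10.8.0.5
    # "Enable DNSSEC Support" unchecked: the validator module is left out,
    # and no trust-anchor lines are written
    module-config: "iterator"

# "Enable Forwarding Mode": every query goes to the servers listed under
# System > General Setup, here the VPN provider's resolver (placeholder)
forward-zone:
    name: "."
    forward-addr: 10.8.0.1
```

On pfSense the GUI writes the real file to /var/unbound/unbound.conf; after changing the settings, `unbound-checkconf /var/unbound/unbound.conf` confirms the rendered result parses. Leaving the "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" box unchecked keeps 127.0.0.1 in /etc/resolv.conf, so the firewall itself also resolves through this unbound and sees its host overrides and static DHCP entries.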

Firewalling / Re: Blocking DNS on specific interfaces
« on: March 12, 2018, 10:27:53 am »
In your DHCP server settings on pfSense for your LAN, put in the DNS you want your clients to use.

General Discussion / Re: Bogons if ISP has private IP addresses
« on: March 12, 2018, 10:19:42 am »
Also, doesn't pfSense pull RFC1918 out of the bogons?

If you look in the pfSense bogons table, the RFC1918 networks are not there:
if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V4:-0}+LINES_V4)) ]; then
         egrep -v "^|^|^" /tmp/bogons > /etc/bogons
RESULT=`/sbin/pfctl -t bogons -T replace -f /etc/bogons 2>&1`
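To see what that `egrep -v` step does without touching a live box, here is an added, stand-alone shell example (mine, not pfSense's rc.update_bogons.sh). The forum software stripped the three patterns from the quoted line; the example assumes they are the three RFC1918 prefixes, since that is what the post says ends up missing from the table. The bogon list it filters is a constructed sample in the same one-prefix-per-line format as the downloaded file.

```shell
#!/bin/sh
# Added example: strip RFC1918 prefixes from a bogon list the way the
# quoted pfSense step does, then check the result. The three patterns
# are an assumption (the forum removed them from the quoted line).

# Constructed sample in the downloaded-bogons format, including the
# three RFC1918 blocks and the CGNAT block (RFC6598) for contrast.
SAMPLE_BOGONS='0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.168.0.0/16
224.0.0.0/4
240.0.0.0/4'

# Drop exactly the RFC1918 prefix lines, so a WAN "block bogons" rule does
# not also drop an ISP that hands out private addresses. The patterns are
# anchored on both ends, so 100.64.0.0/10 (CGNAT) stays in the list.
filter_rfc1918() {
    grep -Ev '^10\.0\.0\.0/8$|^172\.16\.0\.0/12$|^192\.168\.0\.0/16$'
}

# Number of entries that survive the filter for the constructed sample.
filtered_count() {
    printf '%s\n' "$SAMPLE_BOGONS" | filter_rfc1918 | wc -l | tr -d ' '
}

# Exit 0 if the given prefix is still present after filtering, 1 if not.
still_listed() {
    printf '%s\n' "$SAMPLE_BOGONS" | filter_rfc1918 | grep -qx "$1"
}

# Stand-alone run: print the filtered list.
printf '%s\n' "$SAMPLE_BOGONS" | filter_rfc1918
```

On a real pfSense box the equivalent check against the loaded table is `pfctl -t bogons -T show | grep -E '^(10|172\.16|192\.168)\.'`, which should print nothing; the surrounding `if [ $ENTRIES_MAX -gt ... ]` line in the quoted script only runs the replace when the filtered list fits within the configured table size.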

Firewalling / Re: Blocking DNS on specific interfaces
« on: March 12, 2018, 10:11:15 am »
Yeah, I'm with JKnott: there is no way Netflix is only allowing Google DNS. What the problem is, more than likely, is Netflix is blocking your VPN, which yeah, many of the streaming services do, because a VPN is used to circumvent geolocation restrictions.

So in your LAN DHCP, or statically on your boxes, set them to use whatever DNS you want. In your VPN LAN, set clients to only use your VPN DNS directly, via DHCP or on them, or let them use pfSense as their DNS and set up pfSense to only use your VPN DNS.

Firewalling / Re: Firewall for Smart TV?
« on: March 12, 2018, 07:09:40 am »
hehehe.. Well said jahonix ;)

Firewalling / Re: Firewall for Smart TV?
« on: March 12, 2018, 03:46:53 am »
"receiving packets from there, so I should allow those."

Back in the days before stateful firewalls, OK, that logic makes sense. But in that case your rules to allow the return traffic in would need to be on the interface where the traffic actually enters the firewall, i.e. the WAN.

But since it's not the early 1990s any longer...

For performance you should be running vmx3 VM NICs. And you should always break your vmkern out from any other networks; that for sure is a performance hit.

What do you mean only 1 is connected?

3 NICs are active in your pic, and 3 of them (1 off) are connected to the vSwitch you have your LAN and vmkern on.

Firewalling / Re: Firewall for Smart TV?
« on: March 11, 2018, 10:51:21 am »
Please post up a screenshot of your rules. ASCII art can be easy to misread.

Also, you do understand that all interfaces have a default block, so unless you're looking to not log, or log, etc., a block rule on the bottom is kind of pointless.

Why would you have a source of Google listed? How would Google be a source of traffic entering your LAN interface??

OpenVPN / Re: Cannot access LAN when bypassing VPN
« on: March 11, 2018, 09:56:12 am »
You're forcing traffic out your WAN, so no, you're not going to be able to access other networks that route through pfSense.

Create a rule above where you force traffic out your VPN or WAN that allows the traffic you want to your other LANs.

General Questions / Re: (Small) Home Network Setup advice
« on: March 11, 2018, 09:52:22 am »
2.5 is going to require it, sure. You can think about it then, once 2.5 comes out. Not going to be next week ;) And even then, it's not like they will drop support for the 2.4 line as soon as they release 2.5. Sure, 2.4 will be supported for a good year or so after 2.5 releases, etc.

So you have plenty of time to worry about that when the time comes. If you were in the market for buying new hardware now, then sure, hardware support for AES-NI should be a factor for sure in picking said hardware. A year or so down the road will bring all kinds of new hardware to market, I am sure, and one thing for sure with IT stuff, price only drops going forward.

What VM interfaces are you running in the pfSense VM? e1000?

Also, you have multiple NICs listed. Why would you not break your vmkern off the same vSwitch and physical NICs?

What NICs are those from a physical point of view? Are they dual/quad, with what interface on the physical side? If PCI, then yeah, you're going to have an issue.

As to the time it takes: you understand you can copy a rule, right, and then just need to change the interface and it moves over to that tab.

So creating your rule once and then copying it to multiple VLANs only takes a few seconds. And if you used aliases to list your ports for your dest and even your dest IPs, you just need to modify those and all rules using those would automatically get updated.

General Questions / Re: Blocking your ISP DNS
« on: March 11, 2018, 07:24:42 am »
"100% True !! I totally agree, I bet even all free DNS's are in it to. "

Then why don't you just resolve? Are the root servers in on it too? When you resolve you ask the roots for the NS of the domain you're looking for, then you directly ask the authoritative NS for that domain. You do not forward all your queries to some specific name servers.

And you can limit your queries to the roots to only the specifics, i.e. you don't ask root for you ask for .com NS, then you ask .com NS for, but I found this to be very problematic with many domains that do delegation, etc. Microsoft TechNet had all kinds of problems if I recall.

There was a whole thread about turning this feature on.


If you're interested in such a thing.
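The "ask the root only for .com, then ask .com only for the next label" behaviour described above is what unbound calls QNAME minimisation. As an added unbound.conf fragment (mine, not from the post or the thread it refers to), this is the resolving-mode counterpart of a forwarding setup: no forward-zone stanza, the validator enabled because unbound walks from the root itself, and minimisation turned on in non-strict mode, which is the setting that matters for the delegation problems the post mentions. The trust-anchor path is an assumption.

```conf
# Added example, not pfSense's generated file.
server:
    # Resolve, don't forward: there is no forward-zone stanza anywhere,
    # so unbound starts every lookup at its built-in root hints.

    # DNSSEC validation is meaningful here because unbound itself follows
    # the delegation chain and sees the RRSIGs. Path assumed.
    auto-trust-anchor-file: "/var/unbound/root.key"
    module-config: "validator iterator"

    # QNAME minimisation: ask the root only for "com", the .com servers only
    # for "example.com", and send the full name only to the zone's own
    # servers. Upstream name servers learn less about what clients look up.
    qname-minimisation: yes

    # Non-strict: when a minimised query gets NXDOMAIN or another error from
    # a server that is broken for delegation-only names, unbound retries with
    # the full name instead of failing the lookup. Strict mode never falls
    # back, which is where the breakage the post describes shows up.
    qname-minimisation-strict: no
```

On pfSense these go in the Custom Options box of Services > DNS Resolver (or into the Advanced tab where the GUI exposes them); `unbound-checkconf` on the rendered /var/unbound/unbound.conf should come back clean before applying.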

Firewalling / Re: Firewall for Smart TV?
« on: March 11, 2018, 07:11:15 am »
You do understand that YouTube and Netflix are served up from huge CDNs, right? The address space is going to be quite large and changing.

You could create aliases and use those. But those can cause issues as well.

Why don't you set a rule to log all the traffic the smart TV does, then, using this log, see where it's going and determine if you want to allow that or block it, etc.