

Messages - johnpoz

DHCP and DNS / Re: Intermittent DNS timeouts - DNS Resolver
« on: March 16, 2018, 04:09:46 am »
And now what is your +trace look like?

General Questions / Re: Connect from work to home with ssh tunnel ?
« on: March 15, 2018, 11:02:09 pm »
So you want us to help you circumvent your work's policies... Yeah, good luck with that.. Just what I love to help people do -- less work ;)

And like I would follow some youtube link from such a question.. For all I know it could be 2 cats going at it in an alley.

Hint -- run the openvpn wizard.. Run the openvpn client at work..

DHCP and DNS / Re: Intermittent DNS timeouts - DNS Resolver
« on: March 15, 2018, 10:46:39 pm »
Yeah this is a problem...

couldn't get address for '': not found

;; Received 241 bytes from in 38 ms

See the 38 ms.. Not sure what you're running, but getting the roots should be ZERO ms.. since the roots should be local..

[2.4.2-RELEASE][root@sg4860.local.lan]/root: dig +trace

; <<>> DiG 9.11.2 <<>> +trace
;; global options: +cmd
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      NS
.                       515010  IN      RRSIG   NS 8 0 518400 20180328200000 20180315190000 41824 . gZKff74Th31jl+jS470MQHNVnV0txz48FChiDL/brOf2CXl6XPyIRQ1C 22qzr69/S6pDoO8oPW0nS+2IBxXOhnbU8tfNjHSOVS6yvnmoP0SHEV+B yi5WUyJDF4GN+dS5aNW30RM1dtaQkunLpjY2jTIDkzstV9BmnQnKcYr0 2oltImSStLNxGxKwXzksXJ3rIAhBHKdc1bVSQyyLqbz9y7A8sLOiqUy5 yahLzv2zuIMcuMYvF7Sy72MwfQUnPZ4yR4DP2cvccVYbOox4V4smc9Uy 3Ncabk05gdceltRwgZ2t1c+8StNVR1oKLRUE9wkhyT1zVrBcQqy5pyB2 W9HBgQ==
;; Received 525 bytes from in 0 ms

Not sure what you have running, but I know for a fact it's not the out of the box default... Somebody messed with the root hints on your unbound.

Seems you got them from here?????

;; ANSWER SECTION: 86400 IN      PTR

DHCP and DNS / Re: Intermittent DNS timeouts - DNS Resolver
« on: March 15, 2018, 11:17:22 am »
I would suggest you do a

dig +trace

vs using drill - you will get way more info. Like where in the resolve tree your timeouts are happening, full path or just part of it.
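The reason +trace is more useful than a plain query is that every delegation step prints its own ";; Received N bytes from SERVER in M ms" line, so you can see which step is slow or where the trace dies, and (as pointed out in the earlier reply about the 38 ms) whether the root NS set is coming from local root hints at all. The script below is an added example, not something posted in this thread or shipped with pfSense/unbound: it parses that output and flags the slow or missing step. The two trace samples embedded in it are constructed for the example; the threshold of 500 ms and the 5 ms "local" cutoff are assumptions you would tune.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of "dig +trace example.com" output for this example; it is
# not a capture from the thread. Timings are chosen so one delegation step is slow.
SAMPLE_TRACE = """\
; <<>> DiG 9.11.2 <<>> +trace example.com
;; global options: +cmd
.\t\t\t515010\tIN\tNS\ta.root-servers.net.
.\t\t\t515010\tIN\tNS\tb.root-servers.net.
;; Received 525 bytes from 192.168.1.1#53(192.168.1.1) in 0 ms

com.\t\t\t172800\tIN\tNS\ta.gtld-servers.net.
;; Received 1170 bytes from 198.41.0.4#53(a.root-servers.net) in 38 ms

example.com.\t\t172800\tIN\tNS\ta.iana-servers.net.
;; Received 1000 bytes from 192.5.6.30#53(a.gtld-servers.net) in 1540 ms

example.com.\t\t3600\tIN\tA\t93.184.216.34
;; Received 56 bytes from 199.43.135.53#53(a.iana-servers.net) in 120 ms
"""

# Constructed sample where the trace dies right after the local resolver answered.
SAMPLE_TIMEOUT = """\
;; Received 525 bytes from 192.168.1.1#53(192.168.1.1) in 0 ms
;; connection timed out; no servers could be reached
"""

# One line per delegation step, exactly as dig prints it.
RECEIVED_RE = re.compile(
    r"^;; Received (?P<nbytes>\d+) bytes from (?P<server>\S+) in (?P<ms>\d+) ms",
    re.MULTILINE,
)
# dig's message when a step gets no answer from any server.
TIMEOUT_RE = re.compile(r"^;; connection timed out; no servers could be reached", re.MULTILINE)


@dataclass
class Hop:
    step: int     # 1 = local resolver (root NS set), 2 = root server, 3 = TLD, ...
    server: str   # "ip#port(name)" as dig prints it
    nbytes: int
    ms: int


def parse_trace(text: str) -> List[Hop]:
    """Extract every completed delegation step, in order."""
    return [
        Hop(i, m["server"], int(m["nbytes"]), int(m["ms"]))
        for i, m in enumerate(RECEIVED_RE.finditer(text), start=1)
    ]


def timed_out(text: str) -> bool:
    return TIMEOUT_RE.search(text) is not None


def slow_hops(hops: List[Hop], threshold_ms: int = 500) -> List[Hop]:
    return [h for h in hops if h.ms >= threshold_ms]


def root_hints_local(hops: List[Hop], max_ms: int = 5) -> bool:
    """Step 1 is the resolver handing back the root NS set from its root hints;
    with a local unbound that should take about 0 ms."""
    return bool(hops) and hops[0].ms <= max_ms


def diagnose(text: str, threshold_ms: int = 500) -> List[str]:
    """Human-readable findings: slow steps, non-local root hints, or a dead trace."""
    hops = parse_trace(text)
    findings = []
    if not root_hints_local(hops):
        findings.append("root NS set not served locally (step 1 slow or missing)")
    for h in slow_hops(hops, threshold_ms):
        findings.append(f"step {h.step} slow: {h.ms} ms from {h.server}")
    if timed_out(text):
        findings.append(f"trace stopped after step {len(hops)}: next delegation timed out")
    return findings


if __name__ == "__main__":
    for label, sample in (("normal", SAMPLE_TRACE), ("timeout", SAMPLE_TIMEOUT)):
        print(label, diagnose(sample) or ["nothing unusual"])
```

Feed it a real capture with `diagnose(open("trace.txt").read())`; the step number in each finding tells you whether the problem is at your resolver, the roots, the TLD servers or the zone's own authoritative servers, which is the "full path or just part of it" distinction made above.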

Firewalling / Re: granting certain wanadress acces to local lan
« on: March 15, 2018, 11:07:05 am »
""source" wan ipv4 friends / family house, destination= lan subnet,  and allow all"

That would not work if you were doing nat... If your lan net was a public net routed to you then that would work.

But you can for sure port forward the traffic you want into your lan and allow specific IPs as the source.

"watchguard firebox x750 loaded with pfsense 2.1?"

With the talk of monowall and 2.1 - thought this was an OLD thread.. 2.1 was late 2013, 2014... it's now 2018, why would you still be running that? Monowall's last release was in 2014... Talk about keeping your security updated <rolleyes>

Routing and Multi WAN / Re: Help with routes on múltiples pFsense
« on: March 15, 2018, 07:46:08 am »
yeah can be done with just 1.. Not sure why you think it couldn't?

You're using a reverse proxy from the outside into your dmz.

It wouldn't be WAN on his router, it would just be another interface... He has another interface on that router for wan that would go to the internet.

See my drawing I first posted, that is a transit network.  The 172.16.0/30

Box in 192.168.1 wants to get to 192.168.50.x - So it hits his gateway, router says oh to get to 192.168.50/20 I send the traffic to  That router says oh this traffic wants to go to 192.168.50.x... I have that network attached, let me send it to him..

On the way back follow the exact same path back... Symmetrical vs Asymmetrical ;)

No concerns with dhcp since you're not on the same layer 2.. And you wouldn't run dhcp on the transit interfaces. You may need to run something larger than a /30 if you want to be able to get to your wireless bridge devices to manage them, which would also have IPs on this 172.16 network. Or maybe they have a management vlan or interface?

Routing and Multi WAN / Re: Help with routes on múltiples pFsense
« on: March 15, 2018, 03:31:03 am »
What do you get in such a scenario other than complexity?  Why can you not just run proxy on fw 1?

Firewalling / Re: Invert match doesn't work
« on: March 14, 2018, 11:12:44 am »
managed switch where? That rule says you can go anywhere you want as long as it's not lan net, which is what nat network? you have a bunch of other networks there..

So if say network of lan was that rule says you can go anywhere you want as long as dest is not It could be some downstream network that you get to via lan net even, etc. Maybe you are running a vip with different layer 3 on lan net... Have seen lots of people think it's ok to run multiple layer 3 on the same layer 2..

If you were running say 192.168.2/24 on your lan network that would be allowed, since lan net just expands to the network you have on your lan interface, nothing more.

a transit or transfer network is networking 101.. It would be any network that connects "routers"

yes you created a route on his router, but the traffic is asymmetrical in flow since pfsense will not send the traffic back to his router, since its interface is directly connected to that network and can see all the hosts directly via arp.

On one of his PCs create a route that points 192.168.1/24 to your address  - that would remove the asymmetrical routing.. if still having issues and you can ping then most likely the device you're trying to talk to has a firewall that doesn't allow whatever you're trying to do from this 192.168.50 network.

Firewalling / Re: Invert match doesn't work
« on: March 14, 2018, 10:32:22 am »
states might have been active when you put in a rule that blocks; you have to kill any active states.

Firewalling / Re: Invert match doesn't work
« on: March 14, 2018, 09:47:00 am »
so your wlan net would allow anything that is NOT lan net.

I use the same sort of rules and have no issues with them.. Derelict would suggest you just change that to a specific block/reject that you put above your allow any.. And this is a cleaner way to look at rules.. But the ! lan net should work... I use them on all my vlans that I block access to any of my other vlans with a ! rfc1918 alias I created.. So this allows access to internet but blocks all access to any of my other vlans, which are all in rfc1918 space.

Keep in mind states could still be active that would allow traffic, and if you're using vips there were some issues with ! rules I do believe..

If you're concerned with the ! rule, just put a block/reject rule above it that specifically blocks access to lan net.

Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated as traffic enters an interface.

Do you have anything in floating that might allow the traffic before the wlan rules are even evaluated?

ESXI 4.1?

Why? Dude, freebsd 10.x is not supported until esxi 6.0u2 at min..

Also where is your lan side of pfsense.. You running a vlan on top of the vnic you installed in pfsense? Why add another vnic on your pfsense vm and connect it to the proper vswitch or portgroup on the vswitch to connect it to your lan network?

In such a setup you're going to be asymmetrical.

You are going to want to create a transit network.. Use a router on his so you can create an actual transit network.

device on 192.168.50/24 wanting to go to 192.168.1 is going to hit its gateway, which will just send traffic back down the wifi link, but when you answer you are not going to send the traffic back to since pfsense is directly connected to 192.168.50, so it would just send the traffic direct to those devices.

if you want to do it that way, you would need to create host routes on the devices in the 192.168.50 telling them that to get to 192.168.1/24 they talk to the pfsense opt1 interface

Also - if you can ping, but can not get into a server, that device could have a firewall not allowing access from 192.168.50.. Keep in mind even if you allow that on the firewall of the devices in 192.168.1 you're still asymmetrical, which can cause other issues.

if you're going to have devices on a transit network, then you need to do host routing on those devices in the transit network.
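To make the rule-ordering points in this thread concrete (first match wins, "! lan net" only covers the interface subnet, an explicit block above an allow-any reads cleaner, and a ! rfc1918 alias gives internet-only), here is a small first-match evaluator. It is an added example for this thread, not pfSense code and not the poster's rule set; the addressing (192.168.1.0/24 as lan net, a second 192.168.2.0/24 subnet, 203.0.113.5 as an internet host) is constructed, and it models only the destination match of a rule, not source, protocol, floating rules or existing states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addressing for this example (not the poster's network).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")     # what "lan net" expands to
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    dst: List[ipaddress.IPv4Network]  # destination alias: one or more networks
    invert_dst: bool = False          # the "!" / invert-match checkbox on destination
    name: str = ""

    def matches(self, dst_ip: ipaddress.IPv4Address) -> bool:
        in_alias = any(dst_ip in net for net in self.dst)
        return in_alias != self.invert_dst  # "!" flips the match


def evaluate(rules: List[Rule], dst: str) -> Tuple[str, str]:
    """Walk the rules top down; the first one that matches decides the packet
    and nothing below it is consulted. No match at all falls to the default deny."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(ip):
            return rule.action, rule.name
    return "block", "default deny"


# Variant 1: the single inverted rule from the thread, "pass to ! lan net".
INVERT_RULES = [Rule("pass", [LAN_NET], invert_dst=True, name="pass ! lan net")]

# Variant 2: explicit block/reject above an allow-any, the cleaner way to read it.
EXPLICIT_RULES = [
    Rule("block", [LAN_NET], name="block lan net"),
    Rule("pass", [ANY], name="pass any"),
]

# Variant 3: inverted rfc1918 alias: internet only, none of the other private nets.
RFC1918_RULES = [Rule("pass", RFC1918, invert_dst=True, name="pass ! rfc1918")]


if __name__ == "__main__":
    for rules in (INVERT_RULES, EXPLICIT_RULES, RFC1918_RULES):
        for dst in ("192.168.1.10", "192.168.2.10", "203.0.113.5"):
            print(f"{rules[0].name:16} {dst:14} -> {evaluate(rules, dst)}")
    # Order matters: with the allow-any above the block, the block is dead.
    print("wrong order", evaluate(list(reversed(EXPLICIT_RULES)), "192.168.1.10"))
```

Run it and note that 192.168.2.10 passes under "! lan net" but is blocked under "! rfc1918", which is the difference described above between an alias that only expands to the interface subnet and one that covers all private space. Existing states are the other caveat in the thread: this evaluator decides new connections only, so a connection opened before the block was added would still flow until its state is killed.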

Firewalling / Re: Invert match doesn't work
« on: March 14, 2018, 09:01:36 am »
Nope don't see any ! or inverted rules..
