Netgate SG-1000 microFirewall

Recent Posts

I have yet to receive a connection on the LAN port. Not when I configured it and not after I reset it back to its defaults and changed nothing to start with.

Ok, we may have some confusion here. You have not been able to get a connection at any time on the LAN port?

In which case how were you reaching the webgui? How are you defining connection?

I expect that you connect your client either directly to the LAN port on the SG-1000 or via a switch and you will see link LEDs on both the client and the SG-1000. Then the client should receive an IP address.

Hardware / Re: Unofficial QOTOM Hardware Topic
« Last post by bingo600 on Today at 10:38:39 am »
  I just bought a 4-NIC J1900 box

A J1900 will not support pfSense 2.5, where AES-NI is a requirement.
But might be a decent WiFi router, using some other OS/SW.

General Questions / Re: PFSense suddenly block all WAN traffic.
« Last post by stephenw10 on Today at 10:37:48 am »
That's always an option and it's usually fast to do but if it were me I would want to try and see why it was happening. Otherwise there is every chance it would do exactly the same thing after restoring the old config into it.

I am able to increase the size of the VHD in the virt settings, but am not sure how to go about getting the PFSense environment to see the additional space.

Is someone able to point me in the right direction, or is this not possible without reinstalling?
General Questions / Re: Failover Switches using LAGG on PFsense
« Last post by stephenw10 on Today at 10:33:26 am »
You may be able to do that if the switches are stacked. It really depends how they are configured.

hey folks,

I'm in the process of moving away from —or at least having alternatives to— OpenVPN. On my PF boxes, I have my MacOS servers successfully set up as authentication servers using LDAP. (This is what I use for OpenVPN).

I'd like to replicate that setup for IPsec and am running into problems. I've attached screenshots of my setup. I followed the PF book for LDAP auth.

When I try and connect using the built-in MacOS IPsec client and the Apple IPsec Profile from PF, I get the following errors:

Code:
Sep 24 15:25:30 charon 05[NET] <bypasslan|64> sending packet: from FIREWALL'S IP[4500] to[4500] (68 bytes)
Sep 24 15:25:30 charon 05[ENC] <bypasslan|64> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> peer supports MOBIKE
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> no alternative config found
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> constraint requires public key authentication, but pre-shared key was used
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> authentication of 'REMOVED FOR POSTING' with pre-shared key successful
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> selected peer config 'bypasslan'
Sep 24 15:25:30 charon 05[CFG] <64> looking for peer configs matching[REMOVED]...[REMOVED FOR POSTING]

For testing, I'm using the internal LAN IP of my PF box. I've replicated the same errors when trying to connect to the WAN side over cellular.

Interestingly, on MacOS the profile seems to set up auth to use a shared secret, not a user/pass. I've tried changing that with no success.

Anyone have any creative troubleshooting tips?
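The charon lines above tell the story in reverse order (pfSense shows newest first): the peer config 'bypasslan' was selected, the client authenticated with a pre-shared key, and that config then rejected the SA because it "requires public key authentication", so the server answered IKE_AUTH with N(AUTH_FAILED). A small parser that pulls that reason out of a charon log excerpt, as an added example that is not the poster's, pfSense's or strongSwan's own code (the line regex is inferred from the lines shown here, and the IP addresses in the sample are constructed placeholders):

```python
import re
from dataclasses import dataclass
from typing import Optional

# Line format inferred from the pfSense IPsec log excerpt above (assumption, not a
# documented grammar): "<Mon DD HH:MM:SS> charon <thread>[<group>] <[conn|]id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) charon "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<ike_id>\d+)> (?P<msg>.*)$"
)

# Constructed sample, chronological order, with placeholder addresses (RFC 5737 ranges).
SAMPLE_LOG = """\
Sep 24 15:25:30 charon 05[CFG] <64> looking for peer configs matching 192.0.2.1[192.0.2.1]...203.0.113.7[203.0.113.7]
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> selected peer config 'bypasslan'
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> authentication of '203.0.113.7' with pre-shared key successful
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> constraint requires public key authentication, but pre-shared key was used
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> selected peer config 'bypasslan' inacceptable: non-matching authentication done
Sep 24 15:25:30 charon 05[CFG] <bypasslan|64> no alternative config found
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 24 15:25:30 charon 05[IKE] <bypasslan|64> peer supports MOBIKE
Sep 24 15:25:30 charon 05[ENC] <bypasslan|64> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 24 15:25:30 charon 05[NET] <bypasslan|64> sending packet: from 192.0.2.1[4500] to 203.0.113.7[4500] (68 bytes)
"""


@dataclass
class CharonEvent:
    ts: str
    thread: int
    group: str          # NET, ENC, IKE, CFG, ...
    conn: Optional[str]  # connection (peer config) name, None before one is selected
    ike_id: int          # IKE_SA unique id, the number after the '|'
    msg: str


def parse_line(line: str) -> Optional[CharonEvent]:
    """Parse one charon log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return CharonEvent(m["ts"], int(m["thread"]), m["group"],
                       m["conn"], int(m["ike_id"]), m["msg"])


def parse_log(text: str) -> list:
    """Parse a whole excerpt, skipping unparseable lines; order does not matter."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def diagnose(events: list) -> dict:
    """Group events by IKE_SA id and collect why IKE_AUTH failed, if it did."""
    findings = {}
    for e in events:
        f = findings.setdefault(e.ike_id, {"conn": None, "auth_failed": False, "reasons": []})
        if e.conn:
            f["conn"] = e.conn
        if "N(AUTH_FAILED)" in e.msg:
            f["auth_failed"] = True
        if "constraint requires public key authentication, but pre-shared key was used" in e.msg:
            f["reasons"].append("auth-method mismatch: selected config requires certificate "
                                "(public key) authentication, but the client offered a PSK")
        elif "constraint requires" in e.msg:
            f["reasons"].append("constraint: " + e.msg)
        if e.msg.startswith("selected peer config") and "inacceptable" in e.msg:
            f["reasons"].append("peer config rejected: " + e.msg.split("inacceptable: ", 1)[1])
        if e.msg == "no alternative config found":
            f["reasons"].append("no other phase 1 config matched the peer's identities")
    return findings


if __name__ == "__main__":
    for ike_id, f in diagnose(parse_log(SAMPLE_LOG)).items():
        status = "AUTH_FAILED" if f["auth_failed"] else "ok"
        print(f"IKE_SA {ike_id} via config {f['conn']!r}: {status}")
        for r in f["reasons"]:
            print("  -", r)
```

The useful signal is the pairing of "selected peer config '<name>'" with the later "constraint requires ... but pre-shared key was used" on the same IKE_SA id: it says which phase 1 entry the client landed on and why that entry's authentication method did not match what the client sent, which is the first thing to compare against the Mobile IPsec settings and the exported profile.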
You may have a DNS issue here.

I agree. What do you find under System>General Setup "DNS Server Settings"?

And please ping from Diagnostics>Ping the site and report your results.

And to steal more great ideas from Stephen from another post...

Try going to Diag > DNS lookup and check from there.

Check Status > Services and make sure Unbound (the DNS resolver) is running. It should be by default.

Installation and Upgrades / Re: Prometheus/Node_Exporter On PFSense
« Last post by jdokoupil on Today at 10:22:26 am »
Do you still have those concept files? The link seems to be dead. I'm interested in picking this up and working on it.
Ok, so you previously had a connection on LAN but now you do not? Even after resetting it from the console?

When you tried the ping test was it by IP only or were you able to ping by url also? You may have a DNS issue here. If that was the case then trying to ping anything from a client attached would have reported 'unable to resolve host' or similar.
I may have not made myself clear and for that I apologize. I have yet to receive a connection on the LAN port. Not when I configured it and not after I reset it back to its defaults and changed nothing to start with. Just to see if it would work.

Again, sorry for not making myself clear. I was able to ping both IP and URL with a 100% success rate from the Diagnostics > Ping menu from the pfSense firewall's WebGUI.

When I try to ping either IP or URL from a client attached I get the "Destination host could not be reached" error.

If it is a DNS issue, which is something I thought might be the case, I did try to configure both DNS Forwarder and DNS Resolver respectively, as you cannot have both running at the same time, as I am sure you're more than well aware of. Again, this was something I discovered through my travels through Google, and any setting I made that did not work I changed back to its default before trying the next solution I found in regards to this or any other solution I found.
OpenVPN / Re: Registering OpenVPN clients in the DNS
« Last post by johnpoz on Today at 10:17:24 am »
Well you would need to allow them to register to a windows dns (even if not domain) or run bind that allows for it. Unbound does not allow for such stuff AFAIK.. Unbound is not really designed to be an authoritative name server..