Netgate Discussion Forum

    Extreme slowdown of download speed with Netgate SG-1000

    Official Netgate® Hardware
    38 Posts 3 Posters 5.2k Views
    • johnpoz LAYER 8 Global Moderator

      So he is charging you the extra money, or giving you an even exchange for what you paid for the sg-1000?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • Mastiff

        I'm getting back the money for the 1000 and getting an OK deal on the 3100. So no even exchange. I would have demanded that if I had told them that I was going to use it for a 300/300 line and they didn't say anything, but I never mentioned that in my mails to them.

        • Mastiff

          Up and running (the postal service must recently have fed the tortoises they use to carry their packages through Norway, because it came overnight in a regular package). The unit works perfectly, no problem pulling 300/300 (and I have read that it actually can do gigabit fibre speed), so I'm good. :) I see that it has an optical input, so I have to find out if I can actually use that instead of the fibre modem that my ISP gave me. That would be slick!

          • johnpoz LAYER 8 Global Moderator

            @mastiff said in Extreme slowdown of download speed with Netgate SG-1000:

            I see that it has an optical input,

            Huh? The sg-3100 has no fiber input... Or sfp or sfp+ port to add one.
            https://www.netgate.com/solutions/pfsense/sg-3100.html

            Did you get some other model? Or some other box running pfsense?

            • Mastiff

              Embarrassing... I didn't look at the damn port, I only saw that OPT designation. I guess it's optional wan or something! 😂

              • johnpoz LAYER 8 Global Moderator

                Yes it's another router interface... Can use it for another wan, or another lan side network..

                The switch ports can be isolated as well via vlans so those could all be other networks on the lan side or wan connections. The only limitation is the switch uplink into the soc is only 2.5gbps

                • Mastiff

                  Btw I was looking for how to do DMZ the easiest way (I want all ports from WAN to be routed to a single IP on the LAN), and I stumbled over this (which ironically enough seems to use the OPT1 port...):

                  https://www.ceos3c.com/pfsense/how-to-create-a-dmz-with-pfsense-2-4-2/

                  Is this the simplest/only way to do this or is there a simpler solution?

                  Oh, btw, I would like the rest of the LAN from the Netgate to be accessible from the DMZ as well, there's stuff there that I have to maintain.

                  • Mastiff

                    Oh, almost synchronized posting. Much like synchronized swimming, except for not using a swimsuit. At least, I don't wear one now, but of course I don't know what you're wearing! ;)

                    • johnpoz LAYER 8 Global Moderator

                      Not sure why anyone would ever want to do something like that... Just forward the ports you NEED.. But that link is just creating another network and calling it dmz.. You can call your other network segments whatever you want.

                      • johnpoz LAYER 8 Global Moderator

                        heheheheehhe - ROFL... dude that is funny ;) To be honest I am wearing a bath robe since it's very early in the morning here 4:44 am...

                        • Mastiff

                          Well, then I wasn't all off... ;) But the reason is that I do home automation and I have 30-40 different ports that go to different parts of the system, and I change them every now and then too. :) And at the same time it keeps the rest of the system totally safe, because all attacks will go to the same place. So what would be the easiest way to forward everything?

                          • johnpoz LAYER 8 Global Moderator

                            Yes I would suggest you put your IoT devices, home automation stuff into their own segment... And sure call it dmz... I have a segment called that.. It's where my ntp server sits since it serves up ntp traffic to the public ntp pool.. So I have 123 forwarded to it.

                            And this segment has no access into my other lan segments. I then have a segment that my amazon alexas are in, nest, harmony.. But there are no inbound ports to them.. But they are limited access into my other network segments..

                            If you need 30 or 40 ports then forward those 30 or 40 ports. But to be honest if you're forwarding ports into your network to do home automation - you're doing it wrong.. Your home automation should go outbound to create its connection. You shouldn't need to do inbound..

                            • Mastiff

                              This is my cabin, and I have 10 cameras (some internal security, some to keep an eye on the garden and some to watch the view when I'm not there). Three receivers with different ports for control. Then there's separate systems for NodeRED, Home Assistant and EventGhost and 15 different ports for different segments of the webserver for Girder (so I can log in to control AV in a particular room, for a group of rooms or the whole cabin). Everything is set up like this so I don't even have to go on the cabin's wifi, I can control it just as well from 4G. That's why I use so many ports. But I don't think it will work to use a separate segment because I need to be able to connect to stuff on the main segment too from the automation server, because I have some things there that are accessible only from inside the network. So using a separate segment is really not that good for me. Is there really no simple way to forward everything to one IP?

                              • Mastiff

                                Oh, and I change them from time to time because I give guests access to AV for their room, and when the guest leaves, I change the port for that room, so they don't wake up the next guest in the middle of the night with Highway to Hell! ;)

                                • johnpoz LAYER 8 Global Moderator

                                  Why would you not just vpn if you need to access multiple devices and multiple ports?

                                  That doesn't sound like 1 IP, so how would you do it a forward or even a "dmz host" as you call it to that... Sure you can forward ALL the ports to an IP... But you can not forward all the ports to multiple IPs... You can forward port X to IPA and Y to IPB but those are different rules.

                                  Why would your devices not be able to be on different network segments. Only thing that needs to be on the same layer 2 is shitty soho devices that use some L2 discovery protocol to find what they are looking for. As long as the application or device allows you to set an IP, and use IP or fqdn to get to whatever it is it needs to talk to. Then they can be on the internet, or different network segment.

                                  You can then limit access to specific ports and protocols on the firewall between your segments.

                                  But if you're controlling this remote to your cabin, accessing your cameras etc.. Then you should VPN into this cabin and access whatever it is you need to access without any need to port forward anything.

                                  So your guests to control something while they are there - go out to the internet and back in. Or do you have wifi at this cabin they connect to?

                                  • Mastiff

                                    This isn't multiple IPs. They are all running on the same virtual machine (except for Node-RED and Hass, which run on a Raspberry Pi, but they don't change their ports, and they go through the home automation VM with MQTT). And I don't want to be rude, but I don't really need these suggestions and questions, I only need a simple answer to the simple question of how I route all ports to one IP, if you have that answer. I have been running a system like this for several years without problems, before I came to the first device I've had that does not have a dedicated DMZ.

                                    • johnpoz LAYER 8 Global Moderator

                                      Create a port forward and forward the range you want 1 to 65k if you want all the ports... It's that simple..

                                      https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html

                                      or just do a 1:1 NAT..
                                      https://www.netgate.com/docs/pfsense/nat/1-1-nat.html

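The trade-off discussed in this thread (one forward covering every port versus forwarding only the ports in use) can be checked from a configuration backup. The script below is an added example, not code from any poster or from Netgate: it lists each WAN port forward with the number of ports it exposes and flags wide ranges for review. The `<nat><rule>` element names are an assumption modelled on a pfSense `config.xml` export, and the sample rules and addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are an assumption modelled on the
# <nat><rule> section of a pfSense config.xml backup; verify against your export.
SAMPLE_CONFIG = """
<pfsense>
  <nat>
    <rule>
      <interface>wan</interface><protocol>tcp/udp</protocol>
      <destination><network>wanip</network><port>1-65535</port></destination>
      <target>192.168.10.20</target><descr>everything to automation VM</descr>
    </rule>
    <rule>
      <interface>wan</interface><protocol>udp</protocol>
      <destination><network>wanip</network><port>123</port></destination>
      <target>192.168.30.5</target><descr>NTP pool server</descr>
    </rule>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>8000-8014</port></destination>
      <target>192.168.10.20</target><descr>per-room AV web ports</descr>
    </rule>
  </nat>
</pfsense>
"""

def port_span(spec):
    """Return (low, high) for '443' or '8000-8014'; reject malformed input."""
    low, _, high = spec.strip().partition("-")
    lo, hi = int(low), int(high or low)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi

def audit_forwards(xml_text, max_ports=20):
    """List each enabled forward with its exposed port count and a 'broad' flag."""
    findings = []
    for rule in ET.fromstring(xml_text).iterfind("./nat/rule"):
        if rule.find("disabled") is not None:
            continue  # a disabled rule exposes nothing
        # Assumption: a rule with no port element is treated as all ports.
        lo, hi = port_span(rule.findtext("destination/port", default="1-65535"))
        count = hi - lo + 1
        findings.append({"target": rule.findtext("target"), "ports": count,
                         "proto": rule.findtext("protocol"),
                         "broad": count > max_ports})
    return findings

if __name__ == "__main__":
    for f in audit_forwards(SAMPLE_CONFIG):
        print("REVIEW" if f["broad"] else "ok    ", f)
```

The `max_ports` threshold is arbitrary; set it to the number of services the target host is actually meant to publish.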
                                        • Mastiff

                                        Thanks! :)

                                        • gsmornot @Mastiff

                                          @mastiff @johnpoz
                                          I really need to learn more about my device so I can move my IOT devices into their own network. I use Philips Hue, Ecobee, Lutron, Nest...I still want to see the devices inside the Home app with a device that belongs on the main network. Just don’t know how yet so everything is on the one network currently. Works great but not secure.

                                          • johnpoz LAYER 8 Global Moderator

                                            I see my devices on my phone..

                                            [Image: 0_1529158506870_lutron.png]

                                            Here are 2 things that use lutron, and I have both nest thermo and protect.. These devices create outbound connections and you control them from their connection to the internet. They do not use local connectivity.

                                            I can not speak to philips or ecobee but anything that requires you to allow unsolicited inbound traffic would be a problem if you ask me..

                                            These devices of mine are NOT on the same network my phone is on.. My phone uses an eap-tls wifi network, that is isolated to only my trusted devices. My phone, my wife's phone, our laptops, tablet, etc. Other devices are on different wifi vlans.
