Extreme slowdown of download speed with Netgate SG-1000
-
I did get the one about the phone, I only saw my chance to play the wise, old nerd who longs for the days of WinMo... ;) But I have contacted the Norwegian reseller. They have had very good service and been nice people so far, so maybe I can upgrade to an SG-3100. We'll see.
-
The nice guy at the Norwegian reseller is letting me replace the unit with the (did I mention quite a bit more expensive? ;) ) 3100. So I guess that should work.
-
So he is charging you the extra money, or giving you an even exchange for what you paid for the sg-1000?
-
I'm getting back the money for the 1000 and getting an OK deal on the 3100. So no even exchange. I would have demanded that if I had told them that I was going to use it for a 300/300 line and they didn't say anything, but I never mentioned that in my mails to them.
-
Up and running (the postal service must recently have fed the tortoises they use to carry their packages through Norway, because it came over night in a regular package). The unit works perfectly, no problem pulling 300/300 (and I have read that it actually can do gigabit fibre speed), so I'm good. :) I see that it has an optical input, so I have to find out if I can actually use that instead of the fibre modem that my ISP gave me. That would be slick!
-
@mastiff said in Extreme slowdown of download speed with Netgate SG-1000:
I see that it has an optical input,
Huh? The sg-3100 has no fiber input... Or sfp or sfp+ port to add one.
https://www.netgate.com/solutions/pfsense/sg-3100.html
Did you get some other model? Or some other box running pfsense?
-
Embarrassing... I didn't look at the damn port, I only saw that OPT designation. I guess it's optional wan or something!
-
Yes, it's another router interface... Can use it for another wan, or another lan side network..
The switch ports can be isolated as well via vlans so those could all be other networks on the lan side or wan connections. The only limitation is the switch uplink into the soc is only 2.5gbps
-
Btw I was looking for how to do DMZ the easiest way (I want all ports from WAN to be routed to a single IP on the LAN), and I stumbled over this (which ironically enough seems to use the OPT1 port...):
https://www.ceos3c.com/pfsense/how-to-create-a-dmz-with-pfsense-2-4-2/
Is this the simplest/only way to do this or is there a simpler solution?
Oh, btw, I would like the rest of the LAN from the Netgate to be accessible from the DMZ as well, there's stuff there that I have to maintain.
-
Oh, almost synchronized posting. Much like synchronized swimming, except for not using a swimsuit. At least, I don't wear one now, but of course I don't know what you're wearing! ;)
-
Not sure why anyone would ever want to do something like that... Just forward the ports you NEED.. But that link is just creating another network and calling it dmz.. You can call your other network segments whatever you want.
-
heheheheehhe - ROFL... dude that is funny ;) To be honest I am wearing a bath robe since its very early in the morning here 4:44 am...
-
Well, then I wasn't all off... ;) But the reason is that I do home automation and I have 30-40 different ports that go to different parts of the system, and I change them every now and then too. :) And at the same time it keeps the rest of the system totally safe, because all attacks will go to the same place. So what would be the easiest way to forward everything?
-
Yes I would suggest you put your IoT devices, home automation stuff into their own segment... And sure call it dmz... I have a segment called that.. It's where my ntp server sits since it serves ntp traffic to the public ntp pool.. So I have 123 forwarded to it.
And this segment has no access into my other lan segments. I then have a segment that my amazon alexas are in, nest, harmony.. But there are no inbound ports to them.. But they have limited access into my other network segments..
If you need 30 or 40 ports then forward those 30 or 40 ports. But to be honest if you're forwarding ports into your network to do home automation - you're doing it wrong.. Your home automation should go outbound to create its connection. You shouldn't need to do inbound..
-
This is my cabin, and I have 10 cameras (some internal security, some to keep an eye on the garden and some to watch the view when I'm not there). Three receivers with different ports for control. Then there are separate systems for NodeRED, Home Assistant and EventGhost and 15 different ports for different segments of the webserver for Girder (so I can log in to control AV in a particular room, for a group of rooms or the whole cabin). Everything is set up like this so I don't even have to go on the cabin's wifi, I can control it just as well from 4G. That's why I use so many ports. But I don't think it will work to use a separate segment because I need to be able to connect to stuff on the main segment too from the automation server, because I have some things there that are accessible only from inside the network. So using a separate segment is really not that good for me. Is there really no simple way to forward everything to one IP?
-
Oh, and I change them from time to time because I give guests access to AV for their room, and when the guest leaves, I change the port for that room, so they don't wake up the next guest in the middle of the night with Highway to Hell! ;)
-
Why would you not just vpn if you need to access multiple devices and multiple ports?
That doesn't sound like 1 IP, so how would you do a forward or even a "dmz host" as you call it to that... Sure you can forward ALL the ports to an IP... But you can not forward all the ports to multiple IPs... You can forward port X to IPA and Y to IPB but those are different rules.
Why would your devices not be able to be on different network segments. Only thing that needs to be on the same layer 2 is shitty soho devices that use some L2 discovery protocol to find what they are looking for. As long as the application or device allows you to set an IP, and use IP or fqdn to get to whatever it is it needs to talk to. Then they can be on the internet, or different network segment.
You can then limit access to specific ports and protocols on the firewall between your segments.
But if you're controlling this remote to your cabin, accessing your cameras etc.. Then you should VPN into this cabin and access whatever it is you need to access without any need to port forward anything.
So for your guests to control something while they are there - go out to the internet and back in. Or do you have wifi at this cabin they connect to?
-
This isn't multiple IPs. They are all running on the same virtual machine (except for Node-RED and Hass, which run on a Raspberry Pi, but they don't change their ports, and they go through the home automation VM with MQTT). And I don't want to be rude, but I don't really need these suggestions and questions, I only need a simple answer to the simple question of how I route all ports to one IP, if you have that answer. I have been running a system like this for several years without problems, before I came to the first device I've had that does not have a dedicated DMZ.
-
Create a port forward and forward the range you want, 1 to 65k if you want all the ports... It's that simple..
https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html
or just do a 1:1 Nat..
https://www.netgate.com/docs/pfsense/nat/1-1-nat.html
-
Thanks! :)
-
@mastiff @johnpoz
I really need to learn more about my device so I can move my IoT devices into their own network. I use Philips Hue, Ecobee, Lutron, Nest...I still want to see the devices inside the Home app with a device that belongs on the main network. Just don't know how yet so everything is on the one network currently. Works great but not secure.
-
I see my devices on my phone..
Here are 2 things that use lutron, and I have both nest thermo and protect.. These devices create outbound connections and you control them from their connection to the internet. They do not use local connectivity.
I can not speak to philips or ecobee but anything that requires you to allow unsolicited inbound traffic would be a problem if you ask me..
These devices of mine are NOT on the same network my phone is on.. My phone uses an EAP-TLS wifi network, that is isolated to only my trusted devices. My phone, my wife's phone, our laptops, tablet, etc. Other devices are on different wifi vlans.
-
@johnpoz
My main issue is lack of knowledge. I admit that and I'm working on it and will commit to learning what I need so I can segment the devices. I forgot really that most of my devices are accessed via their service and not directly. Their local IP is just so they have a path to the internet in order to call home. I can do this.
-
Here to help so fire up your own threads with any sort of specific questions you have. It's best if your ? is specific to how to do X.. Or if a general question then put in the general section and say you have this and that, and want to accomplish X, giving as much detail of the this and that as possible.
Then can discuss the best way to skin the cat to get you to your goal.
There really should be zero issues in isolating your iot devices on to their own segment. Problems with moving things to their own segment happen when whatever application or whatever you use to interact with them expects them to be on your typical home flat network, everything on the same layer 2, and they use layer 2 discovery to find and talk to whatever else you're wanting to do... Most smart home devices are not like that - and just want to get to the internet...
Where you might have problems is music related stuff, dlna stuff like a player and your plex server, etc. I have my plex box on different network than my roku player, etc.. But I allow roku device to talk to plex on 32400 so there is no issue.. They play everything direct and don't go through internet to stream stuff.
Yes it can be a bit of a learning curve - lots of help here.. Just ask!
-
Hey, Johnpoz? I started to think here. I have been doing networks for 20+ years, but only for myself (and friends and family), and I have never done anything which sounds like what you are suggesting a bit up for the Opt1 plug. So let me get this straight: I have two separate networks, one private and one for somebody who rents 2/3 of my house. I'm 52, and my wife's 51, and our kids have moved out. So we only needed the small apartment in the house and prefer to let the main part of the house pay our mortgage. ;) What I have now is like this:
I hope that's understandable. I have used it this way so that I can go out from my router to manage the renter's router, smart tv and stuff (which belongs to me, I rent it out with everything, and rent it to tourists in the summer) on the 10.0.0.x segment (the things are open for WAN management, with extremely strong passwords). Would it be possible for me to use the Opt 1 for my own network, so I could drop the virtual machine firewall and have my 10.10.10.x segment there but STILL be able to log on to the 10.0.0.x segment from my opt 1 10.10.10.x segment? Please don't ask me to draw a flow chart, I'm hopeless with that stuff!
EDIT: Idiotic system on this board, I had to make a screenshot into a picture, it insisted on splitting what I had into different bits of code! See picture at the bottom. Seems like the same system that the Home Assistant board is using, and I really, really, really hate it! ;)
-
Trying to make sense of that somewhat of a diagram?
You can create as many networks/vlans as you want on the sg3100. By using the opt1 as native or with vlans on it, and then your 4 ports can all be broken up into individual networks.
Seems like you're wanting to break up say a 10.10.10 network in ranges. But keep in mind you have all of rfc1918 space to deal with.... So keep your networks simple: if you want to use 10.10.10, ok then create your other networks 10.10.11/24, 10.10.12/24 or 192.168.1/24 and 192.168.2/24
You can then isolate or control access in and out of these different networks via firewall rules on pfsense.
What switches do you have if anything? Do they support vlans? Can you not draw up how you have stuff connected currently? Here is a site you could use to do a network diagram.
https://www.draw.io/
-
Sorry I've been slow, but I've been fighting with my other system (I have one at my cabin and one at my house). In the house I have an Atom based pfSense, and I can't get it to port forward everything there! I have set up the NAT rule:
And the firewall rule should be there too:
So shouldn't this have sent everything to 10.10.10.10? As it is nothing's going there. :(
-
I have tried 1:1 NAT too, but I guess I'm not doing that correctly either:
The .4 address is the WAN address of the system. I tried with .1 which is the address of my modem (I haven't had a chance to bridge that yet), but it didn't change anything.
-
If your external address is rfc1918.. Means you have a nat in front - so you would have to forward it there first. Also out of the box pfsense blocks rfc1918 on its wan. So you would have to turn that off.
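Putting the two approaches suggested earlier in the thread (forward the whole port range, or a 1:1 NAT) together with the double-NAT caveat in this post, here is an added example in FreeBSD pf syntax, which is what pfSense generates from its GUI rules; it is not from the thread or from Netgate. Assumed: WAN is em0 with the RFC1918 address 10.0.0.4 handed out by the upstream modem, LAN is em1, and the target host is 10.10.10.10.

```pf
# Added example, not from the thread. Assumed interfaces and addresses.
wan_if = "em0"
wan_ip = "10.0.0.4"
lan_if = "em1"
target = "10.10.10.10"

# Option A: "DMZ host" style port forward. Every TCP/UDP port that reaches
# the WAN address is rewritten to the target host. That host now sees the
# same traffic it would see sitting directly on the internet, so it has to
# be hardened accordingly.
rdr on $wan_if inet proto { tcp udp } from any to $wan_ip port 1:65535 -> $target

# Option B: 1:1 NAT. binat maps the WAN address to the target in both
# directions, so the target's outbound traffic also leaves as $wan_ip.
# Use A or B, not both.
# binat on $wan_if inet from $target to any -> $wan_ip

# Translation only rewrites the destination; the filter must still allow
# it. This is the separate "firewall rule" the thread mentions. Narrowing
# the port list on this line is where "forward only the ports you NEED"
# is enforced, e.g. replace "proto { tcp udp }" with
# "proto tcp to $target port { 8123 1883 }" for a short known list.
pass in quick on $wan_if inet proto { tcp udp } from any to $target

# Double-NAT caveat from this post: with an RFC1918 WAN address the
# upstream modem/router must forward (or bridge) first. pfSense's
# "Block private networks" option on WAN adds rules of roughly this shape,
# which drop packets whose SOURCE is private, so anything sent from the
# upstream 10.0.0.x segment is discarded before the rdr is ever consulted.
# Disable that option (or bridge the modem) while testing from that side:
# block in quick on $wan_if inet from { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 } to any
```

Load and check with `pfctl -nf /path/to/this.conf` before applying; the `-n` flag parses without loading.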
-
Thanks! That gave me the idea that solved it. I checked the broadband modem/router that was going to send it on to the pfSense, and it turned out that the damn thing had lost the DMZ settings when I changed the static IP from the old Asus router to the pfSense box (I had DMZ setup for the 10.0.0.4 IP address, but something must have happened, because that was wiped out)! So I spent the minutes it took and set the modem to bridge mode. That should prevent that ever happening again.