Stefcho's Tech Blog

Software Development, Cloud, DevOps and PfSense

Upgrade from pfSense 2.1.5 to 2.2 on Hyper-V

Posted on 26/01/2015 - 28/10/2018 by Stefan

After the release of pfSense 2.2 it was time to upgrade some installations. They reside on Windows Server 2012 R2 Hyper-V. After the first reboot my test machine did not come up. The screen looked like this:

[Image: pfSense 2.2 Upgrade 01]

The error message is quite interesting at first:

Mounting from ufs:/dev/ad0s1a failed with error 19.

After a little googling I found this article:

Mounting from ufs:/dev/adaxs1a failed with error 19.

and after simply entering a single ? the answer to the problem was in front of me:

[Image: pfSense 2.2 Upgrade 02]

The disk names were changed from

ad0s1a

to

da0s1a

So to boot I’ve typed:

[Image: pfSense 2.2 Upgrade 03]

and voilà

[Image: pfSense 2.2 Upgrade 04]

Now the only thing that is left is to make the change permanent in the boot configuration.

You have the option to do this from the console:

8) Shell

[Image: pfSense 2.2 Upgrade 05]

and edit the file

[Image: pfSense 2.2 Upgrade 06]

Mine looked like this:

[Image: pfSense 2.2 Upgrade 07]

and after the change like this:

[Image: pfSense 2.2 Upgrade 08]

Or, if you prefer, you can make the change using the web GUI:

Go to the Diagnostics menu and select Edit File.

[Image: pfSense 2.2 Upgrade 09]

From there you just navigate to “/etc/fstab” and edit the text.

[Image: pfSense 2.2 Upgrade 10]

After the changes, test that the system is booting from the correct partition.
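The same /etc/fstab change can be scripted and checked before rebooting. This is an added example, not code from the original post: the fstab content is a constructed sample, the function names are hypothetical, and a scratch directory stands in for the real / so the script can be tried safely.

```shell
#!/bin/sh
# Added example (not from the original post): point fstab at the renamed
# disk and check the result before rebooting. The fstab content below is a
# constructed sample, not the author's file.

# rewrite_fstab FILE OLD NEW
#   Saves FILE as FILE.bak, then rewrites device paths that start a line
#   (/dev/OLD followed by a slice "s1a" or partition "p2" suffix).
#   Commented-out lines are left alone. Prints how many lines changed.
rewrite_fstab() {
    file=$1 old=$2 new=$3
    cp -p "$file" "$file.bak" || return 1
    sed "s|^/dev/${old}\([sp][0-9]\)|/dev/${new}\1|" "$file.bak" > "$file" || return 1
    changed=$(grep -c "^/dev/${old}[sp][0-9]" "$file.bak") || true
    echo "$changed"
}

# missing_devices FILE [ROOT]
#   Prints every fstab device that has no node under ROOT/dev (ROOT defaults
#   to the live system). Anything printed here would fail to mount at boot.
missing_devices() {
    awk '$1 ~ /^\/dev\// { print $1 }' "$1" | while read -r dev; do
        [ -e "${2:-}$dev" ] || echo "$dev"
    done
}

# Demo in a scratch directory that stands in for / after the upgrade.
demo() {
    root=$(mktemp -d /tmp/fstabdemo.XXXXXX)
    mkdir -p "$root/dev" "$root/etc"
    : > "$root/dev/da0s1a"; : > "$root/dev/da0s1b"   # new device names
    printf '%s\n' \
        '# Device     Mountpoint  FStype  Options  Dump  Pass#' \
        '/dev/ad0s1a  /           ufs     rw       1     1' \
        '/dev/ad0s1b  none        swap    sw       0     0' > "$root/etc/fstab"
    echo "missing before: $(missing_devices "$root/etc/fstab" "$root" | tr '\n' ' ')"
    echo "lines changed:  $(rewrite_fstab "$root/etc/fstab" ad0 da0)"
    echo "missing after:  $(missing_devices "$root/etc/fstab" "$root" | tr '\n' ' ')"
    rm -rf "$root"
}
demo
```

On the firewall itself the call would be rewrite_fstab /etc/fstab ad0 da0 followed by missing_devices /etc/fstab, which should print nothing.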

 

Posted in Technical | Tagged Hyper-V, pfSense 2.2, Windows Server 2012 R2 | 10 Comments

pfSense 2.2 Released!

Posted on 24/01/2015 - 28/10/2018 by Stefan

It’s been a while since I’ve been digging in pfSense. A lot of things have happened. The good news is that currently I’ve got a few projects related to the topic and will make a few posts about them. The next post will be about upgrading to 2.2 from 2.1.5.

In the meantime you can check what the new features in this release are here:

2.2 New Features and Changes

The official article about the release:

pfSense 2.2-RELEASE Now Available!

and of course the Upgrade Guide

 

 

Posted in Technical | Tagged pfSense, pfSense 2.2

MBA

Posted on 11/02/2012 - 28/10/2018 by Stefan

Hi guys,

As you probably noticed, I haven’t posted anything since October 2011. The reason for this is not an absence of interesting topics or inspiration, but a lack of time. Currently I’m in an MBA program and this consumes all my time and energy. Hopefully I will finish it around October 2012, and at that time I will be able to embark on some new endeavours. In the meantime you could share some topics that are of interest to you and I will try to reply as soon as I can, or will include them in my plans for future posts.

Until then good luck, have fun.

Posted in Non Technical | 3 Comments

Windows Server 8 on VM Workstation 8 with Hyper-V Role

Posted on 09/10/2011 - 18/02/2019 by Stefan

As you probably know, the Developer Previews of Windows 8 and Windows Server 8 were announced at the Build conference.

Because of the numerous new features in Hyper-V 3.0, I want to check them out personally. Because I do not have two spare boxes on which to install them, virtualization comes into play.

Before the Hyper-V role is added to the server, there is some configuration to be done on the virtual machine.

The best description of the process that I found is in this article:

Nesting Hyper-V with VMware Workstation 8 and ESXi 5

In the Processors configuration, Virtualize Intel VT-x/EPT must be checked,

and one line must be added to the .vmx configuration file:

hypervisor.cpuid.v0 = "FALSE"

That’s it, now you can add Hyper-V role and play with it.

Posted in Technical | Tagged Hyper-V, VMWare, Windows Server 8, Workstation 8 | 1 Comment

pfSense 2.0 Release Now Available!

Posted on 25/09/2011 - 18/02/2019 by Stefan

The 2.0 release is finally available.

Here is the news:

2.0 Release Now Available!

My experience so far is good; I’ve already upgraded some of my machines.

You can take a look at the upgrade process from RC3 to RTM here:

 

 

Before performing any kind of upgrade read carefully the Upgrade Guide!!!

 

Posted in Technical | Tagged pfSense, Technical | 5 Comments

Using your OpenVPN Road Warrior setup as a Secure Relay

Posted on 07/09/2011 - 18/02/2019 by Stefan

Introduction

If you are in a café or another place with free wireless Internet access, you are exposed to a security risk. Your traffic can be monitored, captured and analysed. Your sensitive data can be stolen or your laptop infected with a malicious application.

To avoid as much of the above as possible, we can route all your traffic through the Internet connection at home or in your office.

Configuration

As a base configuration you can use pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication, up until the Tunnel Settings section of the OpenVPN Configuration.

There, tick the Redirect Gateway option.

Under Client Settings, enter the IP address of your LAN interface as DNS Server 1.

Explanation

By doing so you will redirect all your traffic through the VPN connection and avoid the risks related to publicly available Internet access hotspots. The DNS server address is needed so that your own device resolves website IP addresses instead of the publicly available DNS server of the hotspot.

Testing

As a test you can trace the route to a popular Internet site (tracert bbc.co.uk, for example) with and without an established VPN connection.
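One way to script that comparison, as an added example that is not part of the original post: it reads saved tracert -d output and checks whether hop 1 lies inside the OpenVPN tunnel network. The tunnel network 10.0.8.0/24, the function names and both traces are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). The tunnel network
# 10.0.8.0/24 and both traces below are constructed assumptions.

# first_hop: read saved `tracert -d` output on stdin and print the address
# of hop 1 (prints nothing if hop 1 timed out).
first_hop() {
    tr -d '\r' | awk '$1 == "1" {
        if ($NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $NF
        exit
    }'
}

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeed if ADDR is inside the network.
in_cidr() {
    addr=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# via_tunnel TUNNEL_CIDR: succeed if hop 1 of the trace on stdin lies in
# the tunnel network, i.e. the default route points into the VPN.
via_tunnel() {
    hop=$(first_hop)
    [ -n "$hop" ] && in_cidr "$hop" "$1"
}

# Constructed traces; public hops use documentation address ranges.
trace_vpn='Tracing route to bbc.co.uk [198.51.100.7]
over a maximum of 30 hops:

  1    24 ms    23 ms    25 ms  10.0.8.1
  2    31 ms    30 ms    33 ms  203.0.113.1'
trace_hotspot='Tracing route to bbc.co.uk [198.51.100.7]
over a maximum of 30 hops:

  1     2 ms     1 ms     2 ms  192.168.43.1
  2    18 ms    17 ms    19 ms  203.0.113.254'

report() {  # report LABEL TRACE
    if printf '%s\n' "$2" | via_tunnel 10.0.8.0/24; then
        echo "$1: hop 1 is inside the tunnel"
    else
        echo "$1: hop 1 is NOT inside the tunnel"
    fi
}
report "VPN connected" "$trace_vpn"
report "VPN disconnected" "$trace_hotspot"
```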

Conclusion

At the cost of building just another VPN server on your device, you gain a little peace of mind while surfing the net from an insecure location.

Posted in Technical | Tagged Network, OpenVPN, pfSense, pfSense 2.0 RC3, Technical | 7 Comments

Upgrade Alix board with pfSense 1.2.3 to pfSense 2.0 RC3

Posted on 20/08/2011 - 18/02/2019 by Stefan

Introduction

After enough tests with RC3 in a virtual environment, I decided to upgrade my pfSense 1.2.3 appliance running on Alix2d13. Considering my Dual WAN setup with load balancing and some other rules, I didn’t really want to lose any of my configurations during this process.

If I did an in-place upgrade, what would my rollback strategy be?!

If I performed a clean install and just restored the configuration backup, what are the guarantees that it will work? Of course I can test it in my virtual lab, but there are risks with the physical scenario that I can’t predict using this method. So I needed an alternative.

Scenario

I want to test the upgrade of my pfSense 1.2.3 to 2.0 RC3. For that purpose I need a reliable rollback plan with no data loss and minimal operations required. How I achieved it you can find in the Explanation section.

Setup

The setup is described in this post: SoHo Firewall Appliance with Alix2d13 and pfSense; nothing has changed there since.

Configuration

First I made a backup of the full configuration of the 1.2.3, you know just in case.

Then download the image file: pfSense-2.0-RC3-4g-i386-20110621-1821-nanobsd-upgrade.img.gz

And extract the image from the archive.

Now as it is described here: Installation on a standard PC (CF/IDE version)

We need the physdiskwrite tool to write the image to the Compact Flash (CF). I’ve used physdiskwrite 0.5.2 + PhysGUI.

Then I plugged the new CF into the card reader and made sure there were no partitions on it using the Disk Management Console (Start > Run > diskmgmt.msc); otherwise you will receive an error message like the one in the Issues section below.

Then start physdiskwrite with PhysGUI and select the CF disk.

Right-click on the disk, select Image laden (Load Image), then Öffnen (Open). Browse to the extracted image and select it.

You will see this warning message window. Tick the check box next to Remove 2GB restriction (mine is 8 GB); if your CF is smaller, then don’t.

Yet another warning message window appears, asking you if you really want to overwrite the disk with the image.

Now you have about 20 to 30 minutes of waiting, so be patient and do some other stuff.

We are ready.

 

Explanation

Finally I got it: instead of changing the content of my original Compact Flash, why not get a second one and use it for the tests instead? This way I can retain my original configuration and with just a swap of the cards be right back where I started.

Testing

After the successful installation I just swapped the CFs and configured pfSense 2.0 RC3 using the console cable.

Then, using the WebGUI, I restored the backup configuration from 1.2.3. Now it was time to check the functionality.

The interface configuration was in place, but the Load Balancing configuration was gone. Also, my OpenVPN configurations were restored, but in a non-working state. The firewall rules were applied, but with the Load Balancer missing there was little use for them. After about half an hour of checks, I decided to roll back to 1.2.3. I swapped the CFs again and everything worked the old way.

Issues

Writing to the CF card. As stated in Special considerations for Windows Vista/7:

If you get write errors shortly after physdiskwrite has begun writing to the target disk (usually after 65536 bytes), this may be caused by existing partitions on the disk. Use the Disk Management utility (right-click on the “Computer” icon on the desktop and select Manage, then navigate to Computer Management (Local)/Storage) to delete all partitions on the target disk before starting physdiskwrite.

If you are unable to delete all the partitions with the Disk Management utility, try the following procedure:

1. Open a command window as admin (“cmd”)
2. Type “diskpart” and hit enter.
3. Type “list disk” and hit enter to find out the number of your drive.
4. Type “select disk X” (where you replace X with the number of your drive) and hit enter.
5. Type “clean” and hit enter.

 

So I had to clean the disk first, but it was a breezy task. Then everything was alright.

Conclusion

Up until the restoration of the configuration backup everything is OK. Now I have to test the restoration in my lab, or better yet reproduce my original configuration there. I ought to think about the second alternative more.

To configure everything in the lab and then just back up and restore the configuration on one and the same version sounds reasonable to me. Better yet, I will know that it works.

I’ll have to test Dual WAN in fail-over configuration, then recreate my OpenVPN configurations, and test all the rules that I have applied.

Posted in Technical | Tagged pfSense, pfSense 2.0 RC3 | 3 Comments

OpenVPN on pfSense 2.0 RC3 with OpenLDAP Authentication on CentOS 5.6

Posted on 13/08/2011 - 18/02/2019 by Stefan

Introduction

After I wrote OpenVPN with LDAP authentication on pfSense 2.0 RC1, a reader of my blog shared some problems with configuring OpenLDAP on CentOS. So I decided to build such a setup and test it.

Scenario

The scenario is as follows: authenticating users who require access to the OpenVPN server against an OpenLDAP service running on CentOS.

Setup

I spent most of the time preparing the CentOS server. Initially my decision was to use CentOS 6.0, but after a few failed attempts to configure it and the absence of how-to guides for this purpose, I decided to fall back to 5.6.

For this version there is a wonderful how to guide here:

OpenLDAP on CentOS 5.6

Install And Configure OpenLDAP 2.4.25 On CentOS 5.6

Following these instructions I managed to set up OpenLDAP very fast. The only comment that I have is on this section:

All data loaded is in LDIF format. Create a file to initialize the LDAP database:

# vi ldap-init.ldif
dn: dc=mycompany,dc=com
objectclass: dcObject
objectclass: organization
o: Example
dc: mycompany
dn: cn=Admin,dc=mycompany,dc=com
objectclass: organizationalRole
cn: Admin

You need one blank line between the two entries, otherwise the import in the next step fails. So the above should look like:

# vi ldap-init.ldif
dn: dc=mycompany,dc=com
objectclass: dcObject
objectclass: organization
o: Example
dc: mycompany

dn: cn=Admin,dc=mycompany,dc=com
objectclass: organizationalRole
cn: Admin
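A quick check for the missing separator before running the import, as an added example that is not from the original post or the linked guide. The function names are hypothetical; the sample files are the two entries shown above, written once without and once with the blank line.

```shell
#!/bin/sh
# Added example (not from the original post or the linked guide).

# ldif_missing_separators FILE
#   Prints "LINE: text" for every dn: line that is not preceded by an empty
#   line (or the start of the file). Exit status is 1 if any were found.
ldif_missing_separators() {
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF files
        /^$/  { in_entry = 0; next }       # an empty line ends the entry
        /^#/  { next }                     # comments do not start an entry
        /^dn:/ {
            if (in_entry) { printf "%d: %s\n", NR, $0; bad = 1 }
            in_entry = 1; next
        }
        { in_entry = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# write_samples DIR: the two entries from the post, first without and then
# with the empty line between them.
write_samples() {
    printf '%s\n' 'dn: dc=mycompany,dc=com' 'objectclass: dcObject' \
        'objectclass: organization' 'o: Example' 'dc: mycompany' \
        > "$1/entry1.ldif"
    printf '%s\n' 'dn: cn=Admin,dc=mycompany,dc=com' \
        'objectclass: organizationalRole' 'cn: Admin' > "$1/entry2.ldif"
    cat "$1/entry1.ldif" "$1/entry2.ldif" > "$1/broken.ldif"
    { cat "$1/entry1.ldif"; echo; cat "$1/entry2.ldif"; } > "$1/fixed.ldif"
}

dir=$(mktemp -d /tmp/ldif.XXXXXX)
write_samples "$dir"
for f in broken fixed; do
    if out=$(ldif_missing_separators "$dir/$f.ldif"); then
        echo "$f.ldif: ok"
    else
        echo "$f.ldif: no blank line before line $out"
    fi
done
rm -rf "$dir"
```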

 

 

The next step is to create a few test users. For that purpose I’ve used:

LDAP Admin

Ldap Admin is free Win32 administration tool for LDAP directory management. This application lets you browse, search, modify, create and delete objects on LDAP server. It also supports more complex operations such as directory copy and move between remote servers and extends the common edit functions to support specific object types (such as groups and accounts).

You can use it to manage Posix groups and accounts, Samba accounts and it even includes support for Postfix MTA. Ldap Admin is free Open Source software distributed under the GNU General Public License.

Configuration

It is time to configure the pfSense. I will skip all the steps described in the previous posts. You can find them here:

pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

OpenVPN with LDAP authentication on pfSense 2.0 RC1

Now let’s get straight to System > User Manager and on the Servers leaf.

Hostname or IP address: this is the address of the CentOS server

Base DN: this is the domain name

Authentication container: after I inserted the bind credentials it was visible, but when I clicked the Save button, nothing happened. So I typed it in manually.

Bind Credentials: enter the User DN and Password. I’ve also tested it with Use anonymous binds to resolve distinguished names, and it works as well.

Group Member Attribute: you can change this to Uid=%s if you need to.

Testing

Just for reference this is my test user.

After performing the OpenVPN configuration, enter the user name and the password.

If everything is OK, you should be successfully connected and see something similar in the OpenVPN logs:

You can also test the connection using Diagnostics > Authentication. Select the Authentication Server; in my case the CentOS OpenLDAP connection is named Test. Enter the Username and Password, and see the result.

If you get an error, you can check Status > System Logs on the System leaf for errors.

I got this error when the CentOS server was turned off.

Issues

The issue that I faced was the problem with selecting the OU in which my users reside. I hope this will be fixed in future versions. On the CentOS side the problems were related to the changes to OpenLDAP in the 6.0 version.

Conclusion

That’s it. Thank you for reading.

Posted in Technical | Tagged CentOS, LDAP, OpenLDAP, OpenVPN, pfSense, pfSense 2.0 RC3, Technical | 2 Comments

pfCenter

Posted on 06/08/2011 - 18/02/2019 by Stefan

These days I’ve been looking at the tweets of Scott Ullrich, and what caught my attention is that pfCenter is mentioned several times.

As written here:

pfCenter is the product we are working on to allow administration of multiple pfSense boxen from one GUI / Appliance.

and here

pfCenter now supports tags! Later this summer we will change how large scale deployments of pfSense are managed.

Afterwards I took a look at the shared screenshots from his image gallery.

There is even a thread in the forum with obscure information: Next Gen of pfSense <—> pfCenter

 

My suspicion is that this center will perform tasks similar to Astaro Command Center.

There will be Real-Time Monitoring, and Site-to-Site VPN configuration for multiple sites made quick and easy. We can hope for centralisation of Device Maintenance tasks such as firmware upgrades and configuration propagation, and some kind of Inventory Management component that can show us what we have, where, and in what state. Access Management, so that you need to know only one set of credentials to manage all hooked-up devices. I really do hope that there will be some form of Aggregated Reporting functionality; RRD is great for some purposes, but alone it is not enough, and NTOP is great, but a dedicated appliance is better suited for it.

The next logical question is: where would you place such a thing?

On a pfSense box, maybe, but a dedicated Appliance sounds more reasonable, taking into account the amount of data and load that such a solution could generate. As an alternative, a Virtual Appliance sounds like a good idea. Last but not least, an option is a service in the cloud, a hosted multi-tenant installation of pfCenter. Which of these alternatives will be the one we’ll see?

Until then, take a look at the teasers:

 

The source of these images is Scott Ullrich’s twitpic gallery.

Posted in Technical | Tagged pfCenter, pfSense | 2 Comments
