pfSense 2.2 Released!

It’s been a while since I’ve been digging in pfSense. A lot of things had happened. The good news is that currently I’ve got a few projects related to the topic and will make a few posts about them. Next post will be related to upgrading to 2.2 from 2.1.5.

In the meantime you can check what are the new features in this release here:

2.2 New Features and Changes

The official article about the release:

pfSense 2.2-RELEASE Now Available!

and of course the Upgrade Guide




Hi guys,

As you probably noticed I haven’t post anything since October 2011. The reason for this is not absence of interesting topic or inspiration, but lack of time. Currently I’m in a MBA program and this consumes all my time and energy. Hopefully I will finish it around October 2012, and at that time I will be able to embark into some new endeavours. In the meantime you could share some topics that are of interest for you and I will try to replay as soon as I can, or will include them in my plans for future posts.

Until then good luck, have fun.

Windows Server 8 on VM Workstation 8 with Hyper-V Role

As you probably know, on the Build conference was announced the Developer Previews of Windows 8 and Windows Server 8.

Because of the numerous new features in Hyper-V 3.0 I want to check them personally. Because I do not have two spare boxes on which to install them, virtualization comes in play.

Before Hyper-V role is added to the server, there is configuration to be made on the Virtual Machine:

The best description of the process that I find is in this article:

Nesting Hyper-V with VMware Workstation 8 and ESXi 5

In the Processors configuration Virtualize Intel VT-x/EPT must be checked,

And one line must be added to the configuration file vmx:

hypervisor.cpuid.v0 = “FALSE”

That’s it, now you can add Hyper-V role and play with it.

Using your OpenVPN Road Warrior setup as a Secure Relay


If you are in a café or another place with free wireless Internet access you are under a security risk. Your traffic can be monitored, captured and analysed. Your sensitive data can be stolen or your laptop infected with malicious application.

To avoid as much as possible of the above we can route all your traffic through the internet connection at home or in your office.


As a base configuration you can use pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

up until the Tunnel Settings section of the OpenVPN Configuration.

There tick the Redirect Gateway.


Under Client Settings enter DNS Server 1 as the IP address of you LAN interface.


By doing so you will redirect all your traffic through the VPN connection and avoid the risks related to the publicly available Internet access hotspots. The addition of DNS server address is needed in order to use you own device to resolve web sites IPs instead of the publicly available DNS server of the hotspot.


As a test you can trace route (tracert for example) a popular internet site with or without established VPN Connection.


At the cost of building just another VPN Server on your device you are gaining a little peace of mind while surfing the net from insecure location.

Upgrade Alix board with pfSense 1.2.3 to pfSense 2.0 RC3


After having  enough of tests with the RC3 in virtual environment, I decide to upgrade my pfSense 1.2.3 appliance running on Alix2d13. Considering my Dual WAN setup with load balancing and some other rules, I didn’t really want to lose any of my configurations during this process.

If I made in-place upgrade what is my rollback strategy?!

If I performed clean install and just restored configuration backup what are the guaranties that is will work. Of course I can test it in my virtual lab, but there are risks with the physical scenario that I can’t predict using this method. So I needed and alternative.


I want to test upgrade my pfSense 1.2.3 to 2.0 RC3. For that purpose I need a reliable rollback plan with no data loss, and minimal operations required. How did I achieve it you can find in the Explanation section.


The setup is described in this post: SoHo Firewall Appliance with Alix2d13 and pfSense

,noting change there since.


First I made a backup of the full configuration of the 1.2.3, you know just in case.

Then download the image file: pfSense-2.0-RC3-4g-i386-20110621-1821-nanobsd-upgrade.img.gz

And extract the image from the archive.

Now as it is described here: Installation on a standard PC (CF/IDE version)

We need the physdiskwrite tool to write the image to the Compact Flash (CF). I’ve used the

physdiskwrite 0.5.2 + PhysGUI

Then I plug in the new CF in the card reader make sure there are no portions on it using the Disk Management Console (Start > Run> diskmgmt.msc), otherwise you will receive error message like the one in the Issue section below.

Then start physdiskwrite with PhysGUI, select the CF disk.

Right click on the disk select Image laden (Load Image), Offnen (Open). Brows to the extracted image and select it.

You will see this warning message window, tick the check box next to Remove 2GB restriction, mine is 8 Gigs, if your CF is smaller then don’t.

Yet another warning message windows, asking you if you really want to overwrite the disk with the image.

No you have about 20 – 30 minutes of waiting, so be patient, do some other stuff.

We are ready.



Finally I get it, instead of changing the content of my original Compact Flash, why not get second one and use is for the tests instead? This way I can retain my original configuration and with just a swap of the cards be right back where I started.


After successful installation I’ve just swap the CFs and configured pfSense 2.0 RC3 using console cable.

Then using the WebGUI restored the backup configuration from the 1.2.3. Now it is time to check the functionality.

The Interface configuration like interfaced configuration was in place but the Load Balancing configuration was gone. Also my OpenVPN configurations were restored but in a non-working state. The firewall rules were applied but with the missing Load Balancer there was little use of them. After about half hour of checks, I decided to roll back to 1.2.3. Swap the CFs again and everything works the old way.


Writing to the CF card, As stated in Special considerations for Windows Vista/7

If you get write errors shortly after physdiskwrite has begun writing to the target disk (usually after 65536 bytes), this may be caused by existing partitions on the disk. Use the Disk Management utility (right-click on the “Computer” icon on the desktop and select Manage, then navigate to Computer Management (Local)/Storage) to delete all partitions on the target disk before starting physdiskwrite.

If you are unable to delete all the partitions with the Disk Management utility, try the following procedure:

1.     Open a command window as admin (“cmd”)

2.     Type “diskpart” and hit enter.

3.     Type “list disk” and hit enter to find out the number of your drive.

4.     Type “select disk X” (where you replace X with the number of your drive) and hit enter.

5.     Type “clean” and hit enter.


So I had to clean the disk first but it was a breezy task. Then everything was alright.


Up until the restoration of the configuration backup everything is ok. Now I have to test the restoration in my lab, or better yet reproduce my original configuration there. I ought to think for the second alternative more.

To configure everything in the lab and then just backup and restore the configuration from the same one and the same version sound reasonable to me. Better yet I will know that it works.

I’ll have to test Dual WAN in fail-over configuration, then test recreate my OpenVPN configurations, and test all the rules that I have applied.

OpenVPN on pfSense 2.0 RC3 with OpenLDAP Authentication on CentOS 5.6


After writing OpenVPN with LDAP authentication on pfSense 2.0 RC1, a reader of my blog shared some problems with configuring OpenLDAP on CentOS.  So I decide to build such a setup and test.


The scenario is as follows, authenticating users requiring access to the OpenVPN server against OpenLDAP service running on CentOS.


I’ve spent most time in preparing the CentOS server. Initially my decision was to use CentOS 6.0, but after a few failed attempts to configure it and the absence of how to guides for this purpose, I’ve decided to fall back to 5.6.

For this version there is a wonderful how to guide here:

OpenLDAP on CentOS 5.6

Install And Configure OpenLDAP 2.4.25 On CentOS 5.6

Following this instructions I’ve managed to setup OpenLDAP very fast.  The only comment that I have is in this section:

All data loaded is in LDIF format. Create a file to initialize the LDAP database:

# vi ldap-init.ldif

dn: dc=mycompany,dc=com

objectclass: dcObject

objectclass: organization

o: Example

dc: mycompany

dn: cn=Admin,dc=mycompany,dc=com

objectclass: organizationalRole

cn: Admin


you have to have one new row, otherwise the import in the next step fails. So the above should look like:

# vi ldap-init.ldif

dn: dc=mycompany,dc=com

objectclass: dcObject

objectclass: organization

o: Example

dc: mycompany


dn: cn=Admin,dc=mycompany,dc=com

objectclass: organizationalRole

cn: Admin



Next step is to create a few test users.  For that purpose I’ve used :

LDAP Admin

Ldap Admin is free Win32 administration tool for LDAP directory management. This application lets you browse, search, modify, create and delete objects on LDAP server. It also supports more complex operations such as directory copy and move between remote servers and extends the common edit functions to support specific object types (such as groups and accounts).

You can use it to manage Posix groups and accounts, Samba accounts and it even includes support for Postfix MTA. Ldap Admin is free Open Source software distributed under the GNU General Public License.


It is time to configure the pfSense. I will skip all the steps described in the previous posts. You can find them here:

pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

OpenVPN with LDAP authentication on pfSense 2.0 RC1

Now let’s get straight to System > User Manager and on the Servers leaf.

Hostname or IP address: this it the address of the CentOS server

Base DN: this is the domain name

Authentication container: after insterted the Bind credentials, it was visible, but when I’ve click on the Save button, nothing happen. So I’ve typed it in manually.

Bind Credentials: enter User DN and Password. , I’ve tested it and with Use anonymous binds to resolve distinguished names, it works also.

Group Member Attribute: you can modify this with the Uid=%s, if you need.


Just for reference this is my test user.

After preforming the OpenVPN configuration, enter the user name and the password.

If everything is OK, you should be successfully connected and see something similar in the OpenVPN logs:

You can also test the connection using the Diagnostics > Authentication, Select the Authentication Server, in my case the CentOS OpenLDAP connection is named Test. Enter Username and Password, and see the result.

If you get error, you can check the Status> System Logs on the System leaf for errors.

I’ve got this error when the CentOS server was turn off.


The issues that I faced was the problem with selecting the OU in which my users resides. Hope this will be fixed in future versions. On the CentOS side the problems were releted with the changes of OpenLDAP in the 6.0 version.


That’s it. Thank you for reading.


These days I’ve looked at the tweets of Scott Ullrich and what catch my attention is the mentioning of pfCenter several times.

As written here:

pfCenter is the product we are working on to allow administration of multiple pfSense boxen from one GUI / Appliance.

and here

pfCenter now supports tags! Later this summer we will change how large scale deployments of pfSense are managed.

After I have took a look at the shred screen shots from his image gallery.

There is even a thread in the forum with obscure information: Next Gen of pfSense <—> pfCenter


My suspicion is that this center will perform tasks similar to Astaro Command Center.

There will be a Real-Time Monitoring, Site-to-Site VPN configuration for multiple sites made quick and easy. We can hope for centralisation of Device Maintenance tasks such as firmware upgrades and configurations propagation, some kind of Inventory Management component that can show us what, where and in what state we have. Access Management so you must know only one set of credentials to manage all hooked up devices. I really do hope that there will be some form of Aggregated Reporting functionality, RRD is great for some purposes, but alone is not enough and NTOP is great but a dedicated appliance is better suited for it alone.

The next logical question is where you would you place such thing?

On a pfSense box, might be, but a dedicate Appliance sounds more reasonable, taking into account the amount of data and load, that such a solution could generate. As alternative a Virtual Appliance sounds as a good idea. Last but not least as an option is a service in the cloud, a hosted multi-tenant installation of the pfCenter. Which of these alternatives will be the one we’ll see?

Until then, take a look at the teasers:


The source of these images is Scott Ullrich twitpic gallery.

Install Open VM Tools package on pfSense 2.0 RC3 for VMWare

In my previous posts we’ve Install pfSense 2.0 RC1 on VMWare Workstation 7 and adjusted the memory of the Virtual Machines in pfSense 2.0 RC1 on VMware Workstation 7.1.4 – RAM size.

Now let’s continue with the setup of the Virtual Machine with the installation of VMware Tools for pfSense.

For that purpose go to System > Packages

, and on the Available Packages find Open-VM-Tools. Click on the “+” next to it and start the installation.

Wait it to finish, and on the Installed packages you should see it listed. Click on the link below Package Info, to see the instructions how to verify successful installation.

The operation boils down to connecting to the console and executing first and monitor the output.

ps ax|grep vmware



That's it.