Stefcho's Tech Blog

Software Development, Cloud, DevOps and PfSense

Tag: pfSense

My Network Laboratory

Posted on 29/03/2011 - 18/02/2019 by Stefan

The easiest way to learn is by practice. This is especially true in IT. I have to lab out the migration from pfSense 1.2.3 to 2.0 RC1. Furthermore I have a site-to-site VPN setup that must be tested too.

I decided to expand my laboratory setup to house not just the two versions of pfSense, but DD-WRT and OpenWrt as well. This will give me an opportunity to expand my tests with alternatives. That is not enough, so let’s add two of each as virtual machines. Now we need a router in the middle to move the traffic between the different subnets. Using any of the above would be redundant, so I browsed the VMware marketplace for a router appliance. The first option that came up was Untangle, but I have already played around with it, and it is not appropriate for my purposes. A reasonable alternative is Vyatta. I had no experience with this appliance, and decided to check it out.

My final network diagram looks like this:


The Console and Client are a simple Windows XP workstation from which to manage all the routers remotely by SSH and Web Interface.

As you can imagine, if all the routers' WAN addresses were in one subnet, the Vyatta would be unnecessary, but my decision was based on the need to be able to test load balancing, failover, and other scenarios in future.

In the following posts I will discuss in detail the configuration of each type of router. Here is a brief impression of the installation and configuration, starting from the easiest to set up and going to the hardest.

pfSense has a Live CD, and is a breeze to install and configure on an x86 virtual machine.

Then there is Vyatta, also available as a Live CD that can be installed on a virtual machine. For the configuration I used the shell, only later to discover that there is a web interface that is somewhat helpful.

DD-WRT is hard to get running on an x86 virtual machine. I opted to find a ready-made virtual machine, restore it to the default configuration, and then configure it to my preferences.

OpenWrt is even harder. On the forums the recommended way is to compile it for this architecture, and then install it. There is a wonderful tutorial here on how to set it up on VirtualBox, but it does not work on VMware Workstation. My guess is that if you reconfigure the hard disk portions it will work. But yet again, my decision was to use a ready-made virtual machine with the latest version, and configure it to my liking.

 



Posted in Technical | Tagged DD-WRT, Network, OpenWrt, pfSense, VMWare, Vyatta | 2 Comments

pfSense 2.0 RC1 released, on Hyper-V

Posted on 01/03/2011 - 18/02/2019 by Stefan

Today pfSense 2.0 RC1 was officially released. So I quickly downloaded it and set up a test VM in VMware. The new interface reveals a lot more features than the previous version, 1.2.3. For the full list of improvements look here: http://doc.pfsense.org/index.php/2.0_New_Features_and_Changes

What I was more interested in was the performance on a Hyper-V VM. Recently I set up a Hyper-V VM with version 1.2.3 and legacy network interface cards. I made a few quick file transfer tests and did not like the performance.

I’ve repeated the tests, and there is a 25% improvement over 1.2.3. This is encouraging. Unfortunately, even with the new version, it is necessary to use a Legacy NIC for the Hyper-V VM.

As stated in the Digest, this is considered a stable release suitable for production use. I will continue the testing in a production environment to get more realistic results.

Posted in Technical | Tagged Hyper-V, pfSense, Windows Server 2008 R2

pfSense 1.2.3 as Virtual Machine on Windows Server 2008 R2 Hyper-V

Posted on 27/02/2011 - 18/02/2019 by Stefan

After seeing pfSense work flawlessly for more than half a year on an Alix, I recently tested it as a virtual machine.

To avoid some compatibility issues, “Legacy Network Adapters” must be used.

To my surprise, even with that trick there was no network connectivity. The workaround for this problem is explained in this thread: Pfsense 2.0-BETA4 in Hyper-V: Throughput not as expected

Open a shell from the console and create a new file:

vi /usr/local/etc/rc.d/startup.sh

and type in

#!/bin/sh
# Bring both legacy NICs down and back up at boot
ifconfig de1 down
ifconfig de0 down
ifconfig de0 up
ifconfig de1 up

Just check the names of your interfaces beforehand; mine were de0 and de1.
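A variant of the startup script above that finds the legacy adapters instead of hard-coding de0/de1, keeping the same down/up order. This is an added example, not code from the original post or the forum thread; the function names are hypothetical, and it assumes the legacy NICs attach to the `de` driver and that FreeBSD's `ifconfig -l` is available.

```shell
#!/bin/sh
# Added example: bounce every legacy NIC found at boot.
# Assumption: Hyper-V legacy adapters use the "de" driver, as in the post.
DRIVER="${DRIVER:-de}"

# match_ifaces DRIVER NAME...
# Print the names that are DRIVER followed only by a unit number.
match_ifaces() {
    driver="$1"; shift
    for ifc in "$@"; do
        unit="${ifc#"$driver"}"
        # Skip names that do not start with the driver prefix.
        [ "$unit" != "$ifc" ] || continue
        # Skip an empty suffix or one with non-digits (e.g. "dev0").
        case "$unit" in
            ''|*[!0-9]*) continue ;;
        esac
        echo "$ifc"
    done
}

# bounce_plan DRIVER NAME...
# Emit the commands in the post's order: all down (last interface
# first), then all up (first interface first).
bounce_plan() {
    up=""; down=""
    for ifc in $(match_ifaces "$@"); do
        up="$up $ifc"
        down="$ifc $down"
    done
    for ifc in $down; do echo "ifconfig $ifc down"; done
    for ifc in $up; do echo "ifconfig $ifc up"; done
}

# Apply the plan only where "ifconfig -l" works (FreeBSD/pfSense).
if iflist=$(ifconfig -l 2>/dev/null); then
    # $iflist is intentionally unquoted so it splits into names.
    bounce_plan "$DRIVER" $iflist | sh
fi
```

Running `bounce_plan de $(ifconfig -l)` by hand prints the commands without executing them, which is a quick way to confirm the interface names before relying on the script at boot.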

For now it is stable, with no issues, on a very basic configuration. On the forums there are topics about possible problems with VLANs, but I didn’t need this functionality.

Posted in Technical | Tagged Hyper-V, Microsoft, Network, pfSense, Windows Server 2008 R2 | 2 Comments

SoHo Firewall Appliance with Alix2d13 and pfSense

Posted on 24/07/2010 - 18/02/2019 by Stefan

After reading this post, Armor Your Palace, I gave it some thought, liked the idea, and got to work.

Since this is a whole system, I will look at its elements separately; this post is devoted to the firewall.

So, how do you build a decent firewall/router for home? What operating system should it run, and what functions will we use it for?

I don't remember where I found a very good document with this table in it:

Firewall Comparison.pdf

I liked pfSense. I played with it in a virtual machine; it doesn't look bad, quite a few useful packages (applications) can be added to it, and it can do Dual WAN with load balancing.

I tried to do something like this with dd-wrt, but it is a rather basic solution and lacks many functions. There are plenty of guides on the subject here, but I would recommend reading through the looooong threads on the subject in the forum.

After looking it over, I had no desire at all to leave it on a virtual machine.

I had to find suitable hardware for it; the pfSense site has plenty of recommendations in that regard.

A quick look at hardwarebg convinced me that the right option for me is a PC Engines board.

I picked the Alix2d3: it has 3 Ethernet ports, a 500 MHz AMD processor, and 256 MB RAM.

This wonderful post describes exactly the kind of setup I intended to build:

Building A Firewall: pfSense on an ALIX 2D3

It cites another extremely useful post about embedded installs:

Installing pfSense on the alix2c1

Specifically, how to flash the latest BIOS version onto such a board, and how to change its BIOS settings over a null modem cable.

I liked the idea of having a full-featured Dual WAN router with a decent firewall and IDS (Snort) more and more.

PC Engines is sold in Bulgaria by several companies; I found my board at reloadbg.

Their online shop also has a case (enclosure) for the board. I'm not going to leave the board bare, after all.
I did not find a suitable power supply, and after a quick Skype consultation, someone from reloadbg pointed me to one for MikroTik boards that they sell.

They had a null modem cable in stock, so that I could work with the board.

The only thing left to find was a Compact Flash card to install it on. After comparing prices I decided that a 4 GB pqi 150X would do the job. Version 1.2.3 of pfSense is currently in development, and it will have an img for such a card.

Item               Price   Type
alix2d3            188     MB
Alix 3d3           25      Case
CF 4 GB            32      Hdd
Null modem cable   8
Power Supply       15
Total:             268
with VAT           321.6

Prices are in leva, excluding delivery.

I had no time to go and buy everything in person, so I ordered it all with delivery.

I was pleasantly surprised that I received not an Alix2d3 but an Alix2d13.

And so I now had all the necessary components.

Now I had to write, for example,
http://88.198.81.53/downloads/pfSense-1.2.2-Embedded.img.gz
to the CF (Compact Flash card).

Here comes the question: with what, and how?
This little tutorial gave me all the answers.

Before following it, it is still a good idea to update the board's BIOS to the latest version.
That avoids unpleasant situations.

So we put the CF in the board and we are ready. Well, not quite.

I don't know why, but they should write it in big letters like these:

Embedded installation do not support packages!!!

That is, you cannot add packages to the installation if you made it as described above. Super dumb, right?

The laughable explanation is that CF cards have few read/write cycles, and this way they are spared as much as possible.
Who cares?!? At current CF prices, you can replace the card often enough that the so-called flash wearout does not bother me.

What do we do now?

Here, in PCEngines ALIX boards and pfSense, StarScream explains how to overcome the problem.

In general terms, we install from the LiveCD onto the CF in VMware. The only thing I can add is that with 1.2.2 it also works without installing GRUB. It gave me some error during installation, and I skipped it.

And, lo and behold, we have pfSense with package support on the Alix.
It booted normally. Now it is in a test period, that is, one week of non-stop operation.

The good news does not end here.
Next generation of pfSense embedded now available

The good news is that I won't need to do such monkey business to get it running the way I want, and packages will be available in 1.2.3. Take a look at it; there are plenty of other interesting things.
For fun, it turned out that the enclosure I bought needs a little modding. There was no suitable opening for the two USB connectors. After half an hour with a Dremel and a few files, there was.

Posted in Technical | Tagged pfSense | 3 Comments
