Kitz Forum
Computers & Hardware => Networking => Topic started by: displaced on February 05, 2017, 10:12:41 PM
-
Must be something in the tap-water here, but I've been inspired to do a pfSense build too.
I've gone for one of these Qotom (https://www.amazon.co.uk/gp/product/B01LEVCUII/ref=oh_aui_detailpage_o02_s00?ie=UTF8&psc=1) boxes, adding my own 4GB RAM and a 64GB mSATA board.
I currently have my Apple AirPort 802.11ac router performing gateway and PPPoE duties, with a home server (an HP MicroServer N40L) running DHCP and DNS (as well as a ton of other stuff).
I'm planning to shift all my 'infrastructure' services onto the pfSense box. I'll also be able to simplify my cabling somewhat. At the very least, with the pfSense taking over from the AirPort, I'll be able to do the fancy routing needed to get stats and WAN access from the HG612 over a single Ethernet cable instead of the two needed now.
My MicroServer's been running FreeBSD for years, and I've hand-configured isc-dhcpd, powerdns and all that gubbins on it. But it seems much tidier and dare I say secure to have specific hardware for these sorts of things. Doesn't sit quite right having my DHCP server on the same machine as my Minecraft server ;)
I'm playing with pfSense in a VM on my Mac until the hardware arrives. I'm very, very impressed. It's rare to find a GUI that logically presents even the most advanced options for configuration. Plus, I'm a big fan of FreeBSD, so it's nice that it uses all the software I know well under the hood.
So, if anyone's interested, I'll keep updating this thread as and when stuff arrives and gets built. Currently pondering the mission required to clean out and organise the cupboard under the stairs. And picturing the pfSense box and the gigabit switch being mounted to the underside of one of the stair risers. Nifty.
(small things, small minds, etc... ;))
Chris
-
Oh, a quick thought: Can anyone remember if changing port settings/network configuration on an HG612 causes a reboot/resync? I'm currently enjoying a stable line about 8Mbit faster than my alleged attainable rate due to a quick sync after a local power cut. I'd like to keep that if possible, naturally :)
-
Changing the port settings doesn't trigger a reboot (as far as I can remember), but beware of making a change to the port you're using to access the GUI, because that may lock you out. If that happens you'll have to do a factory reset of the modem.
-
Got it -- thanks roseway. Measure twice, cut once :)
-
I know it's not something you would really like to read but I always advise caution when changing the configuration of any of the Huawei EchoLife HG6xx family (HG610, HG612 & HG622) via the GUI. Hence I recommend that the HG612 is disconnected from the xDSL circuit (and any other LAN doings) before it is reconfigured.
-
Thanks, burakkucat!
Without wishing to sound more foolish than usual, what's the worst that can happen? :)
I'm naively thinking that if I mess something up I'll just do a factory reset (or even a reflash if needed) and carry on. If I end up dropping the VDSL link then so be it, I suppose -- I'll need to make sure it doesn't happen too often and that there's 30 mins between drops.
It'd be nice to keep the extra Mbits from my fortunate sync, but nothing lasts forever :)
-
Without wishing to sound more foolish than usual, what's the worst that can happen? :)
Either you are totally locked out, as Roseway has mentioned, above, or the connection is subjected to multiple "bounces", to which the DLM process takes exception and so it then attempts to "stabilise" the circuit.
I have always made a point of configuring/re-configuring a modem (or a modem/router) with it disconnected from the xDSL circuit.
-
Makes perfect sense!
I'll take the hit on losing my ill-gotten extra megabits and do it the proper way as you suggest!
The 64GB mSATA storage arrived today. I hadn't expected it to be quite so small! RAM's arriving Wednesday and the Qotom PC will get here when it gets here.
-
. . . and the Qotom PC will get here when it gets here.
Shipped directly from China, I believe. :-\
-
Must be something in the tap-water here, but I've been inspired to do a pfSense build too.
I've gone for one of these Qotom (https://www.amazon.co.uk/gp/product/B01LEVCUII/ref=oh_aui_detailpage_o02_s00?ie=UTF8&psc=1) boxes, adding my own 4GB RAM and a 64GB mSATA board.
Great choice! I hope you didn't have to pay £36.51 shipping thought, seems a bit steep.
Look forward to hearing how it goes, I finished mine not too long ago and love pfSense
Chunks
-
If it's coming from China you'd better watch out you don't get charged import duty :fingers:
I ordered mine from a different seller on Amazon (https://www.amazon.co.uk/dp/B01GBHC62K/ref=pe_385721_37986871_TE_item) and it shipped from the Netherlands so no import duty. If using this seller you need to mention whether you want the SATA or mSATA version.
-
I didnt pay import duty on my delivery from china.
-
Shhhh, don't tell customs and excise. It really depends what the seller puts on the goods (description/value), and whether it gets picked up, they can't physically check every single parcel.
-
yeah I figured I got lucky :)
-
Hehe -- yeah, the delivery cost's gone up a bit since I ordered. They were quoting the quickest delivery date on Amazon at the time. Hope I have a bit of luck with customs!
Apparently Apple are getting out of the router business, which is a shame since I've found them to perform well and be really reliable. Sure, there's no fancy feature set, but it does the job. Plus, they've historically been rather secure.
But I don't fancy having a network edge device which isn't actively supported. And there's been so many router hacks recently that I thought I'd go for pfSense.
Mostly, I'm interested to get a look at what UPNP and NAT-PMP forwards are being established by my home devices. We've got a couple of 'black-box' gadgets on our LAN now which need legitimate port forwards, but I'd like to see what they're up to and have the option of blocking them if necessary.
-
Interestingly, my Amazon order's showing tracking info which reads:
"Parcel has been handed over to the carrier and is in transit - NL". So it seems my order's coming from the Netherlands too. That might explain why my delivery charge was lower than that currently showing on the site, too.
...and with a bit of luck, perhaps I'll be getting it sooner than I'd prepared for!
-
I got impatient and set up pfSense in a VirtualBox VM on my MicroServer.
I've shifted DHCP and DNS from the FreeBSD installation on the MicroServer itself over to the pfSense VM.
I like the presentation of active DHCP leases -- much better than the script I'd bodged together as a Webmin custom command. DNS updating from the DHCP server was really simple to set up too.
I need to figure out a way to override a DNS entry for a specific host. I use PlexConnect (https://github.com/iBaa/PlexConnect) to get my Plex library on my 3rd Gen Apple TV. This works by redirecting DNS lookups for trailers.apple.com to the IP of my Plex server. On my previous setup, I'd configured PowerDNS to perform this override only for the Apple TV and not for other clients.
I'm toying with the idea of moving PPPoE and Gateway duties over from my Airport router to the pfSense box. But I don't want to overwork the VM. So perhaps I'll need to learn some patience!
-
A simple way is to make it a static mapping then you can select which DNS servers to use for that device
-
A simple way is to make it a static mapping then you can select which DNS servers to use for that device
I've ended up doing just that! My old DNS server (PowerDNS) allowed custom python scripts which could examine the client IP and the queried host/domain, then decide to return a different IP if needed. That's perfect, since it meant my Apple TV resolved 'trailers.apple.com' to my internal machine, but all other hosts would resolve it as normal.
The 'unbound' DNS resolver in pfSense can do the same, but the feature isn't compiled in to the version pfSense includes. So I'll stick a version of unbound on my MicroServer that supports those scripts, write one, then use a static lease in pfSense to tell my Apple TV to use that as its DNS server.
Working on it now :)
-
Well, I got twitchy waiting for the hardware so I went ahead and made the pfSense virtual machine my network's gateway. It's running fine!
My former router, the an AirPort 802.11ac is now running as just an access point. I also went through the procedure to get stats from the HG612 on the same port as internet access. The HG612 config change and the pfSense outbound NAT config worked fine. My internal LAN is on 192.168.50.0/24, with pfSense and the modem forming a 2-host subnet at 10.0.50.0/30. So that's an ethernet run I can remove from the modem to the lounge!
We had a brief power outage yesterday - a bulb blew that, for some reason, tripped the main breaker rather than just the lighting circuit. So I'm back to my 'normal' sync speed. Still, with a bit of luck, the upcoming 3dB SNRM profile will boost it a bit.
I'm enjoying the ability to see what traffic's getting blocked, and to see which devices are opening ports via NAT-PMP and uPNP. There's actually far fewer such ports than I'd expected -- I'm particularly surprised that my Nest Thermostat doesn't open itself up to the internet. It's pretty much just my Plex server, my consoles and PC games (well, to be honest, only tested Elite Dangerous as that's all I'm playing these days!).
So all that's left is for the actual machine to arrive! Next Wednesday appears to be the day...
-
Have you considered putting your networking gear on a UPS? It's nice to continue using the internet during power outages (or accidents :)).
-
I'll get there eventually!
Originally I had the modem in the hall, the Airport router doing pppoe in the lounge and my dhcp/dns server under the stairs, so a UPS would be tricky.
The modem's now power-over-Ethernet'd so it's powered from under the stairs and soon I'll have the pfSense box in the same place. Once it's all set up there, I'll get a UPS 😄
-
Hmm. It looked like the Qotom machine would arrive tomorrow... but the UPS tracking has taken a strange direction: Eastwards.
After leaving the Netherlands, it arrived just inside Germany. It's now travelled as far as Nurnberg and is leaving central Germany, heading towards Austria.
Last time I checked, I didn't live in Austria.
I'm hoping Qotom had a fat-finger moment when sending me my tracking number and I'm just looking at the wrong parcel. The delivery address showing against the order on Amazon's correct.
Anyway, a bit more on pfSense running as a VM...
It's been handling my day-to-day traffic superbly. Dynamic DNS for my hostname and HE.net IPv6 tunnel are working fine. Interestingly, pfSense's gateway monitor shows my IPv6 tunnel gateway as responding faster than the 'parent' IPv4 link to my ISP. (~9-10ms for the ISP, 7-9ms for HE.net IPv6). I'm wondering if ICMPv6 pings are quicker/more efficient than v4 ones.
-
It's been handling my day-to-day traffic superbly. Dynamic DNS for my hostname and HE.net IPv6 tunnel are working fine. Interestingly, pfSense's gateway monitor shows my IPv6 tunnel gateway as responding faster than the 'parent' IPv4 link to my ISP. (~9-10ms for the ISP, 7-9ms for HE.net IPv6). I'm wondering if ICMPv6 pings are quicker/more efficient than v4 ones.
This typically occurs when the ICMP ping replies from your gateway are handled by a low priority software process, but packets routed further on are handled with hardware acceleration.
-
Thanks -- that makes sense!
Well, the Qotom box arrived today at work. Quickly opened it up to fit the mSATA SSD and RAM and stuck it in my bag to take home tonight. With a bit of luck it'll be up and running later.
Just in time too. My virtual pfSense installation froze yesterday with a load of 'achi0 timeout' errors. Seems I pushed the lil' N40L a bit too hard and the VM wasn't able to read/write to disk quick enough to prevent the guest OS from seeing timeouts.
I'll run the physical pfSense box for a couple of days and check CPU/disk load before deciding on things like Snort and ntopng.
-
Well, that was a bit of a let-down!
The box itself is great! The RAM I'd bought, however, is not.
I tried installing pfSense and was getting all kinds of weird crashes during the installer's boot process. Crash dumps, kernel panics, the lot.
I tried a few flash drives and re-wrote the image files from my PC and my Mac. Each time it seemed to crash in some different spectacular way. Eventually I found my high-quality Patriot flash drive and it still failed.
So then I wrote a memtest86 installation to a flash drive and booted that up. RAM errors galore.
I've got another stick arriving tomorrow, so hopefully I'll have more luck then. In 25+ years of building PCs I've never had a bad DIMM (or even SIMM back in the day!). I suppose it was about time!
Still, here's a quick mini-review of the Qotom box:
It's solid. Really solid. The fully-metal case is great. I checked the PSU with my multimeter and the voltage was spot-on. The mounting bracket, designed to attach to the VESA mount on the back of a monitor, is a great idea. The computer comes with four metal stand-off screws which you screw into the base of the PC. These stand-offs have a little 'nub' at the top that slot into four keyholes in the bracket. So the machine is easily attached and detached from it. I'm planning on screwing the mount to the inside wall of the cupboard under the stairs, alongside a gigabit switch and a multi-way mains extension. The bracket will also provide a nice bit of airflow underneath the case.
I had a nose around the American Megatrends BIOS. Seems to have all the requisite weirdly-named knobs to twiddle.
The USB ports are rather close to each other. So if you've got a chunky flash drive, you'll need a USB extension cable to fit it in beside the keyboard plug.
The power button doubles as a power LED in the usual retina-searing blue. There's also a green power LED on the other side of the machine which is a bit calmer.
One last point on disassembly: You only need to undo the four screws on the bottom, NOT the four on the sides. If you do all eight, it rapidly disassembles itself into lots of pieces and you need at least two-and-a-half hands free to keep everything lined-up to get it back together again.
So, until tomorrow!
-
It's a great little box isn't it, I also took the wrong screws out.
-
It is indeed.
And, IT'S ALIVE!
Replacement RAM did the trick. pfSense installed fine, then I backed up the config from my VM-based pfSense and restored it to the physical box.
It was nice to see that the interface names in pfSense matched those printed on the case - so LAN1-4 are interfaces em0-3.
The config restoration got most things right. It did lose the PPPoE login info and the interface for the modem stats. Easy fixes though.
I've installed ntopng, but reduced the data retention periods to a max. of 30 days. CPU and RAM usage are pleasantly low.
I'm looking forward to pfSense 2.4's introduction of ZFS. I've got a 12TB ZFS pool on my Microserver (6x4TB drives arranged as 3 two-disk mirrors) and have been really impressed with how it tolerates all kinds of bad events (power cuts, failing/failed disks).
I'll get it properly installed over the weekend, but pretty happy with it so far!
-
My pfSense box (heimdall.home) has now been up for 2 days and it's been solid!
Core temps have been about 40ºC with the box itself being no more than slightly-above-ambient to the touch.
I'm pretty impressed with the feature-set of pfSense (and that it all works!). I've set it up to:
- Provide DHCP and DNS to the LAN
- Register DHCP names in DNS
- Perform dynamic DNS updates for my ISP connection and my HE.net ipv6 tunnel
- Do ipv6 router advertisement for the LAN
- Give access to my HG612's stats by routing to a different private network containing the modem
- Act as an NTP time server for my LAN and for the HG612 (so its log entries are correctly timestamped
- Run an OpenVPN server on port 443, with OpenVPN's port-sharing feature to forward non-VPN, normal HTTPS connections to my internal webserver
- Handle UPnP/NAT-PMP port-forward requests from apps and devices
- Generate and manage OpenVPN users and their certificates, and provide downloadable .ovpn config files for clients
- Renew HTTPS certificates for my internal server via Let's Encrypt
I've done all this stuff manually on a FreeBSD server in the past. It's amazing how much time and effort pfSense saves, although it's always good to know how it all works under-the-hood. I've nosed around a bit via a shell on the pfSense system and happily it does seem to do things the right way.
If anyone's got any questions, please ask!
Cheers,
Chris
[Moderator edited to re-site the misplaced [/list] tag.]
-
Hi Chris,
Was reading through this and noticed you have Vodafone FTTC.
I've been using pfSense for a while with Sky FTTC and then Virgin.
I've just moved to Vodafone today but been having all kinds of problems.
Would you be able to share the type of settings you have configured for VF?
I'm currently using pfSense in a Hyper-V box and I setup the PPPoE username and password and added a VLAN tag of 101.
Now here's the weird bit. I could access all sites on my Android phone with no issue.
But my Macbook, iPad, Wife's iPhone or directly connected server could not browse any website other than what it seemed to be Google owned. I.e. YouTube, Google search etc.
Now I have directly connected my HG612 to my Asus Access Point (now in router mode) and everything works fine.
So I can only see the pfSense being the issue.
I'd appreciate any help you can give.
Thanks
-
@AciidSn3ak3r Welcome to the forums.
Although not with Vodafone I thought I'd chip in as I want to ask you something as I've just moved to Virgin.
I was with Plusnet on FTTC and used a HG612, I never set up any VLAN in Pfsense, just had the interface configured as PPPoE for IPv4, had my username and password filled out, configure Null service name checked, and periodic reset set to disabled, everything under advanced was blank.
The problem I'm having with Virgin is explained here (https://forum.pfsense.org/index.php?topic=147585.0), if you have any thoughts or suggestions please post in my thread here (https://forum.kitz.co.uk/index.php/topic,18987.105.html), thanks.
-
Will have a quick look in a moment.
For anyone who is in my position. I fixed my issue.
It was the MTU setting in the WAN interface.
Was set as 1500, changed to 1492 and fixed all my issues.
-
yeah zfs is a beast for data tolerance. Compared to ufs its in an entirely different league and I think its significantly more durable than ext as well.
The qotom units come shipped with a note about ram compatibility.
Which qotom unit did you buy?