Author Topic: LAN setup  (Read 63559 times)

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #90 on: January 04, 2017, 05:32:58 PM »

using dnscrypt now, if anyone else using pfsense wants a guide to get it working I will print one.
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: LAN setup
« Reply #91 on: January 04, 2017, 09:36:53 PM »

That's good news. I would appreciate a guide  ;)
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #92 on: January 04, 2017, 10:06:17 PM »

you on pfsense 2.2/2.3 or 2.4?
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: LAN setup
« Reply #93 on: January 04, 2017, 10:10:12 PM »

Currently on  2.3.2-RELEASE-p1 (amd64)
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #94 on: January 05, 2017, 10:43:27 AM »

ok it's cli setup 100% as there is no official pfsense package.  This relies on the FreeBSD package.

change to a working directory e.g. /root
Code: [Select]
cd /root

download the FreeBSD 10 dnscrypt-proxy package
Code: [Select]
fetch http://pkg.freebsd.org/FreeBSD:10:amd64/latest/All/dnscrypt-proxy-1.8.1.txz

install the package
Code: [Select]
pkg install dnscrypt-proxy-1.8.1.txz

test if there are no runtime errors by running the binary with no arguments, you should just see generic output telling you that syntax is needed
Code: [Select]
dnscrypt-proxy

now the next bit is dependent on your own config, there are various dnscrypt guides around the web. We assume you will be using opendns dnscrypt servers. I cannot paste mine as it's using my private dns server.
So run this command which will use the built-in database to connect to opendns (cisco)
Code: [Select]
dnscrypt-proxy --ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco

you should see a warning that they do logging and also that opendns has no dnssec, but no other output aside from those 2 lines. You can verify if it's running with this.
Code: [Select]
ps ax | grep dns

and look for this
Code: [Select]
dnscrypt-proxy --ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco

if it's running then you want it to start up automatically on boot, so run the following 2 commands.
Code: [Select]
sysrc dnscrypt_proxy_enable=YES
sysrc dnscrypt_proxy_flags='--ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco'

Now it is done but isn't actually being used.

You have created an encrypted tunnel for dns between your router and opendns, but you still need to tell the router to use that tunnel, and in this case to use the tunnel you need to forward dns queries to 127.0.0.1 port 65053

I don't think pfsense supports custom ports in its GUI so in the dns resolver settings scroll down to where you see a box for custom options, and add this

Code: [Select]
forward-zone:
        name: "."
        forward-addr: 127.0.0.1@65053

now unbound will forward all internet queries to the tunnel after you save and apply the settings.

That is finally done.

Notes

If you ever update pfsense to 2.4, the binary will stop working, you will need to uninstall the package, and then install the FreeBSD 11 package.
Pfsense won't manage the package, meaning if you want to keep up with new versions of dnscrypt-proxy you need to keep an eye on the FreeBSD repo for updates.  An easy way is checking on freshports.org.
« Last Edit: January 05, 2017, 11:40:15 AM by Chrysalis »
Logged
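
A consistency check for the setup in Reply #94, added here as an example and not part of the original post: it confirms that every forwarder in unbound's root forward-zone is the loopback listener named in `dnscrypt_proxy_flags`, so a leftover plaintext forwarder or a mismatched port is caught. The function names are hypothetical, IPv4 addresses are assumed, and the sample inputs are constructed from the values in the guide.

```sh
#!/bin/sh
# Added example: confirm unbound's root forward-zone and the dnscrypt-proxy
# rc.conf flags agree, so no query bypasses the encrypted listener.
# Assumes IPv4 addresses; function names are hypothetical.

# Constructed sample inputs, using the values from the guide above.
SAMPLE_FLAGS='--ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco'
SAMPLE_UNBOUND='forward-zone:
        name: "."
        forward-addr: 127.0.0.1@65053'

# Print the host:port passed to --local-address in a flags string.
proxy_listen() {
    for arg in $1; do
        case "$arg" in
            --local-address=*) printf '%s\n' "${arg#--local-address=}"; return 0 ;;
        esac
    done
    return 1
}

# Print host:port for every forward-addr in the root (".") forward-zone.
root_forwarders() {
    printf '%s\n' "$1" | awk '
        function flush() { if (root) printf "%s", addrs; addrs = ""; root = 0 }
        /^[ \t]*[a-z-]+:[ \t]*$/ { flush(); inzone = ($1 == "forward-zone:"); next }
        inzone && $1 == "name:" { gsub(/"/, "", $2); if ($2 == ".") root = 1 }
        inzone && $1 == "forward-addr:" { sub(/@/, ":", $2); addrs = addrs $2 "\n" }
        END { flush() }'
}

# Return 0 only if every root forwarder is the proxy's loopback listener.
check_dns_path() {   # $1 = dnscrypt_proxy_flags, $2 = unbound custom options
    listen=$(proxy_listen "$1") || { echo "no --local-address in flags"; return 1; }
    case "$listen" in
        127.*) ;;
        *) echo "proxy listens on non-loopback $listen"; return 1 ;;
    esac
    fwd=$(root_forwarders "$2")
    [ -n "$fwd" ] || { echo "no forward-zone for the root"; return 1; }
    for f in $fwd; do
        [ "$f" = "$listen" ] || { echo "unbound forwards to $f, not $listen"; return 1; }
    done
    echo "ok: unbound forwards . to dnscrypt-proxy on $listen"
}

check_dns_path "$SAMPLE_FLAGS" "$SAMPLE_UNBOUND"
```

On the router the first argument can be read with `sysrc -n dnscrypt_proxy_flags`; the second is the text pasted into the resolver's custom options box.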

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: LAN setup
« Reply #95 on: January 05, 2017, 11:10:45 AM »

Thanks Chrys I'll give it a go.

Incidentally I saw some of your posts on the pfSense forums (there are so many forums there), that fellow who was droning on about dnscrypt being unnecessary clearly lives in the USA and has no clue what life is like in other parts of the world. I doubt he's travelled outside his home town.
Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: LAN setup
« Reply #96 on: January 05, 2017, 11:19:51 AM »

One small comment: it's not necessary to fetch the package before installing it. Just type (as root)

Code: [Select]
pkg install dnscrypt-proxy
which will fetch and install the latest version of dnscrypt-proxy in the repositories.
Logged
  Eric

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #97 on: January 05, 2017, 11:32:21 AM »

no it won't eric as it doesn't exist on the pfsense repos.

pkg install without a local package in the syntax will only install packages on the pfsense repositories.

Code: [Select]
root@PFSENSE pfblockerng # pkg install dnscrypt-proxy
Updating pfSense-core repository catalogue...
Fetching meta.txz: 100%    940 B   0.9kB/s    00:01   
Fetching packagesite.txz: 100%    2 KiB   1.7kB/s    00:01   
Processing entries: 100%
pfSense-core repository update completed. 7 packages processed.
Updating pfSense repository catalogue...
Fetching meta.txz: 100%    940 B   0.9kB/s    00:01   
Fetching packagesite.txz: 100%  121 KiB 123.7kB/s    00:01   
Processing entries: 100%
pfSense repository update completed. 444 packages processed.
pkg: No packages available to install matching 'dnscrypt-proxy' have been found in the repositories
« Last Edit: January 05, 2017, 11:34:57 AM by Chrysalis »
Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: LAN setup
« Reply #98 on: January 05, 2017, 11:54:51 AM »

Fair enough, I failed to see your comment that it isn't in the pfSense repos.
Logged
  Eric

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #99 on: January 05, 2017, 11:57:18 AM »

No worries.  Obviously if it was in the repos that would be the way to install it, but when I requested it to be added, as dray mentioned I had hostile responses telling me there is no point in the package.

I also think adding the FreeBSD repo in the pfsense config (meaning pkg install would search the FreeBSD repo) is a bad idea as that could cause issues for other packages, this method I feel is the safest way.

If one wanted to remove one step of the dns processing, then they could disable the dns resolver and bind the proxy to port 53, however you then lose dns caching as well as other benefits of the unbound resolver such as being able to filter with pfblockerNG.
« Last Edit: January 05, 2017, 12:06:38 PM by Chrysalis »
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #100 on: January 05, 2017, 12:09:11 PM »

Incidentally how often should the CRON job run for pfBlockerNG?


I have made my cron more frequent now at every 2 hours, the reason is at midnight for some reason 3 of the feeds couldn't download, and so it auto retries to the next cron, but with my cron being every 12 hours it meant 12 hours to wait for a new attempt.

So the update frequency in the feed settings controls how often updates will happen for the feed, but the cron setting is how often it will 'check' if updates are needed, so a cron every 2 hours will not do updates every 2 hours if the feed is set to once a day.

The issue I have with frequent cron runs is if the dnsbl feeds get staggered at different intervals since each dnsbl feed update reloads unbound.  So I will keep an eye on it and if I find they get staggered then will revert to infrequent crons again.
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: LAN setup
« Reply #101 on: January 06, 2017, 07:12:50 AM »

ok it's cli setup 100% as there is no official pfsense package.  This relies on the FreeBSD package.

change to a working directory e.g. /root
Code: [Select]
cd /root

download the FreeBSD 10 dnscrypt-proxy package
Code: [Select]
fetch http://pkg.freebsd.org/FreeBSD:10:amd64/latest/All/dnscrypt-proxy-1.8.1.txz

install the package
Code: [Select]
pkg install dnscrypt-proxy-1.8.1.txz

test if there are no runtime errors by running the binary with no arguments, you should just see generic output telling you that syntax is needed
Code: [Select]
dnscrypt-proxy

I have a problem at this point, this command just returns "Command not found" so I tried
Quote
/usr/local/sbin/dnscrypt-proxy
which gives the error "Undefined symbol crypto_core_hchacha20"

I think crypto_core_hchacha20 is part of libsodium, but I'm stuck now.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #102 on: January 06, 2017, 12:10:19 PM »

yeah you need to check if these files exist

Code: [Select]
root@PFSENSE inc # ldd /usr/local/sbin/dnscrypt-proxy
/usr/local/sbin/dnscrypt-proxy:
        libltdl.so.7 => /usr/local/lib/libltdl.so.7 (0x80123a000)
        libsodium.so.18 => /usr/local/lib/libsodium.so.18 (0x801443000)
        libkvm.so.7 => /lib/libkvm.so.7 (0x8016b3000)
        libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x8018c1000)
        libm.so.5 => /lib/libm.so.5 (0x801ac4000)
        libc.so.7 => /lib/libc.so.7 (0x800823000)
        libthr.so.3 => /lib/libthr.so.3 (0x801cef000)
        libelf.so.2 => /lib/libelf.so.2 (0x801f16000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x80212a000)

run ldd on your own system tho as since I have FreeBSD 11 my /lib ones will be different.

Code: [Select]
root@PFSENSE inc # pkg which /usr/local/lib/libsodium.so.18
/usr/local/lib/libsodium.so.18 was installed by package libsodium-1.0.11_1

I think you're right, I must have had it already installed as a dependency of another pfsense package.

So
Code: [Select]
pkg install libsodium

should fix it.
Logged

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: LAN setup
« Reply #103 on: January 06, 2017, 01:39:32 PM »

yeah you need to check if these files exist

Code: [Select]
root@PFSENSE inc # ldd /usr/local/sbin/dnscrypt-proxy
/usr/local/sbin/dnscrypt-proxy:
        libltdl.so.7 => /usr/local/lib/libltdl.so.7 (0x80123a000)
        libsodium.so.18 => /usr/local/lib/libsodium.so.18 (0x801443000)
        libkvm.so.7 => /lib/libkvm.so.7 (0x8016b3000)
        libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x8018c1000)
        libm.so.5 => /lib/libm.so.5 (0x801ac4000)
        libc.so.7 => /lib/libc.so.7 (0x800823000)
        libthr.so.3 => /lib/libthr.so.3 (0x801cef000)
        libelf.so.2 => /lib/libelf.so.2 (0x801f16000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x80212a000)

run ldd on your own system tho as since I have FreeBSD 11 my /lib ones will be different.
I ran ldd but not all of the files you listed were there
Quote
So
Code: [Select]
pkg install libsodium

should fix it.
I tried that and it installed from the pfsense repository but it didn't work so I had a look on pkg.freebsd.org/FreeBSD:10:amd64/latest/All/ and I saw libsodium-1.0.11_1.txz there which I fetched and installed and now /usr/local/sbin/dnscrypt-proxy runs  :)
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: LAN setup
« Reply #104 on: January 06, 2017, 02:40:40 PM »

ok but I find that odd as I never had to do that and mine did work when I was on pfsense 2.2.  But it works for you now which is good :) but just hope that dependency being installed from FreeBSD doesn't break any pfsense packages that have the same dependency.
Logged