Author Topic: LAN setup  (Read 63557 times)

Dray

Re: LAN setup
« Reply #105 on: January 06, 2017, 04:34:04 PM »

Quote:
I don't think pfSense supports custom ports in its GUI, so in the DNS Resolver settings scroll down to where you see a box for custom options, and add this:

Code:
forward-zone:
        name: "."
        forward-addr: 127.0.0.1@65053

Now unbound will forward all internet queries to the tunnel after you save and apply the settings.

Unfortunately this causes my DNS to stop working :(

Is there any debugging I can do?

Chrysalis

Re: LAN setup
« Reply #106 on: January 06, 2017, 09:54:18 PM »

The commands I gave to set on bootup sadly won't be valid for pfSense.

You need to install the shellcmd add-on package in the GUI.

System -> Package Manager -> Available Packages: select shellcmd.

When it's done, go to Services and select shellcmd.

Set the shellcmd type to shellcmd, put the command in the left box and the description in the right box.

Regarding your broken DNS lookups, you can check your live unbound.conf with the command 'cat /var/unbound/unbound.conf'. Stick the output on pastebin and, if you want to keep it confidential, PM me the link.

Chrysalis

Re: LAN setup
« Reply #107 on: January 07, 2017, 01:27:37 AM »

As I thought would happen, the mini PCIe Jetway card I got for the Intel ports is no longer sold.

This is what I put in the unit:

https://webcache.googleusercontent.com/search?q=cache:gy2pXys8PpMJ:https://linitx.com/product/13534+&cd=6&hl=en&ct=clnk&gl=uk

Dray

Re: LAN setup
« Reply #108 on: January 07, 2017, 06:32:54 AM »

Quote:
Unfortunately this causes my DNS to stop working :(

It seems I have to add another line to this to make it work, like this:

Code:
do-not-query-localhost: no

forward-zone:
        name: "."
        forward-addr: 127.0.0.1@65053

I now have another problem in that the OpenDNS servers don't support DNSSEC, so I have to turn that off.
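To make the gotcha in the post above concrete, here is an added example (my own code, not from the post, from pfSense or from unbound) that parses an unbound.conf-style fragment and reports a forward-zone whose forward-addr is a loopback address without a matching `do-not-query-localhost: no`. It assumes that pfSense appends the custom-options box inside the generated `server:` clause, so option lines that appear before any clause header are treated as server options; the two sample fragments are the one from the post before and after the fix, and the checker also flags the option when it has been put inside the forward-zone block, where unbound would not accept it.

```python
import ipaddress
import re

# A clause header such as "server:" or "forward-zone:" has nothing after the colon.
CLAUSE_RE = re.compile(r"^\s*([a-z][a-z0-9-]*):\s*$")
# An option line such as "forward-addr: 127.0.0.1@65053".
OPTION_RE = re.compile(r"^\s*([a-z][a-z0-9-]*):\s*(.+?)\s*$")


def parse_unbound(text):
    """Parse unbound.conf-style text into an ordered list of (clause, [(key, value), ...]).

    Options seen before any clause header are filed under "server", on the
    assumption that pfSense writes the custom-options box inside its server: clause.
    """
    clauses = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        m = CLAUSE_RE.match(line)
        if m:
            current = (m.group(1), [])
            clauses.append(current)
            continue
        m = OPTION_RE.match(line)
        if m:
            if current is None:
                current = ("server", [])
                clauses.append(current)
            current[1].append((m.group(1), m.group(2).strip('"')))
    return clauses


def _is_loopback(addr):
    """True if a forward-addr value (ip, ip@port or ip@port#authname) points at loopback."""
    host = addr.split("#", 1)[0]
    host = host.rsplit("@", 1)[0] if "@" in host else host
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_loopback_forwarding(text):
    """Return (ok, findings) for the configuration in `text`.

    unbound's default do-not-query-localhost is "yes", so a forward-zone that
    targets 127.0.0.0/8 or ::1 (for example a local dnscrypt-proxy) silently
    fails unless the server: clause sets it to "no".
    """
    allowed = False
    loopback_targets = []
    findings = []
    for clause, options in parse_unbound(text):
        for key, value in options:
            if key == "do-not-query-localhost":
                if clause != "server":
                    findings.append("do-not-query-localhost is a server: option but was found under %s:" % clause)
                allowed = value.lower() == "no"
            elif clause == "forward-zone" and key == "forward-addr" and _is_loopback(value):
                loopback_targets.append(value)
    if loopback_targets and not allowed:
        findings.append("forward-addr %s is on loopback but do-not-query-localhost is not set to no"
                        % ", ".join(loopback_targets))
    return (not findings, findings)


# Constructed samples: the fragment from the post before and after the fix.
BROKEN_FRAGMENT = """\
forward-zone:
        name: "."
        forward-addr: 127.0.0.1@65053
"""

FIXED_FRAGMENT = """\
do-not-query-localhost: no

forward-zone:
        name: "."
        forward-addr: 127.0.0.1@65053
"""

if __name__ == "__main__":
    for label, frag in (("broken", BROKEN_FRAGMENT), ("fixed", FIXED_FRAGMENT)):
        print(label, check_loopback_forwarding(frag))
```

To run it against a live box, feed it the output of `cat /var/unbound/unbound.conf` (the file Chrysalis suggests checking); the explicit `server:` header in that file is handled the same way as the headerless fragment.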

Dray

Re: LAN setup
« Reply #109 on: January 07, 2017, 06:56:00 AM »

I've added Shellcmd with the following:

Command: sysrc dnscrypt_proxy_enable=YES
Type: shellcmd
Description: dnscrypt start on bootup

Command: sysrc dnscrypt_proxy_flags='--ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco'
Type: shellcmd
Description: set dnscrypt parameters on bootup

Dray

Re: LAN setup
« Reply #110 on: January 07, 2017, 11:58:07 AM »

It seems it's possible to tell if dnscrypt is working by doing:

Code:
nslookup -querytype=txt debug.opendns.com

The answer includes the line:

Code:
debug.opendns.com  text = "dnscrypt enabled (01234567890123456789)"
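The nslookup check in the post above can be scripted so it runs from a cron job or a monitoring probe. The following is an added example (my own code, not from the post, from pfSense or from OpenDNS) that builds the TXT query in raw DNS wire format, parses the reply including name-compression pointers, validates the transaction ID and RCODE, and reports whether a "dnscrypt enabled" string came back. The embedded reply bytes are constructed to match the shape of the answer shown in the post; the "server m1.lon" string is made up. `query_debug_txt()` performs the live query and assumes the resolver to test is the pfSense box's own unbound on 127.0.0.1 port 53.

```python
import random
import socket
import struct

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_txt_query(name, txid):
    """Standard recursive (RD) TXT query with the given 16-bit transaction ID."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_IN)


def read_name(msg, offset):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset, hops = pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_txt_response(msg, expected_id):
    """Return the TXT strings from the answer section after checking ID, QR and RCODE."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):                       # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    strings = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != TYPE_TXT:
            continue
        pos = 0
        while pos < len(rdata):                    # TXT RDATA is <len><chars> repeated
            slen = rdata[pos]
            strings.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
            pos += 1 + slen
    return strings


def dnscrypt_enabled(strings):
    """True if any TXT string reports that DNSCrypt is in use."""
    return any(s.lower().startswith("dnscrypt enabled") for s in strings)


def query_debug_txt(resolver="127.0.0.1", port=53, timeout=3.0):
    """Live check: ask `resolver` for debug.opendns.com TXT over UDP (assumed target)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query("debug.opendns.com", txid), (resolver, port))
        reply, _ = sock.recvfrom(4096)
    return parse_txt_response(reply, txid)


def _txt_rr(text):
    """Answer RR naming the question via a 0xC00C pointer, carrying one TXT string."""
    data = bytes([len(text)]) + text
    return b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 0, len(data)) + data


# Constructed reply (not captured from OpenDNS); flags 0x8180 = QR, RD, RA, RCODE 0.
SAMPLE_ID = 0x1234
SAMPLE_REPLY = (struct.pack(">HHHHHH", SAMPLE_ID, 0x8180, 1, 2, 0, 0)
                + encode_name("debug.opendns.com") + struct.pack(">HH", TYPE_TXT, CLASS_IN)
                + _txt_rr(b"server m1.lon")
                + _txt_rr(b"dnscrypt enabled (01234567890123456789)"))

if __name__ == "__main__":
    print(parse_txt_response(SAMPLE_REPLY, SAMPLE_ID), dnscrypt_enabled(parse_txt_response(SAMPLE_REPLY, SAMPLE_ID)))
```

Pointing `query_debug_txt()` at 127.0.0.1:65053 instead tests dnscrypt-proxy directly, bypassing unbound, which separates "the tunnel is down" from "unbound is not forwarding to it" when the nslookup check fails.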

Chrysalis

Re: LAN setup
« Reply #111 on: January 07, 2017, 12:13:17 PM »

The command to add in shellcmd is this:

Code:
/usr/local/sbin/dnscrypt-proxy --ephemeral-keys --local-address=127.0.0.1:65053 --daemonize -R cisco

Dray

Re: LAN setup
« Reply #112 on: January 07, 2017, 04:37:09 PM »

Thanks  :)

Chrysalis

Re: LAN setup
« Reply #113 on: January 08, 2017, 10:50:30 PM »

As good as pfSense is, their (core) developers seem to have an attitude. I've been wasting my time writing up detailed bug reports, as they just seem intent on hitting the reject button to keep the bug count down. So I will probably stop posting on the pfSense forum soon as well and just keep my discussion on here.

Chrysalis

Re: LAN setup
« Reply #114 on: January 09, 2017, 06:26:10 PM »

An update regarding my hardware.

When I was debugging some ALTQ stuff I was testing with the 2 Realtek ports, at which time I discovered one of the ports is not working. Someone else with the same unit has reported the exact same issue as well, so be wary if you are ordering the unit I purchased and are not adding extra ports.

Chrysalis

Re: LAN setup
« Reply #115 on: January 09, 2017, 10:12:09 PM »

This is with FAIRQ+codel, and a custom rule I added to prioritise all ACKs. I think this one was with a 93.5% cap of max upload bandwidth.

http://www.dslreports.com/speedtest/8577920

This one was set to 97%.

http://www.dslreports.com/speedtest/8574510

Chrysalis

Re: LAN setup
« Reply #116 on: January 10, 2017, 08:01:39 PM »

pfBlockerNG has a very nice feature which can be used for traffic classifying.

See this data:

Code:
Alias                    Count   Packets  Updated
pfB_Dhshield24              40         1  Jan 10 18:15   (2)
pfB_Dshield                101         0  Jan 10 18:15   (2)
pfB_Emerging              1731         0  Jan 10 18:15   (2)
pfB_MalwareExploits        135         0  Jan 10 18:15   (2)
pfB_Netflix                 36         0  Jan 10 18:15   (1)
pfB_RansomCryptoware     11548         0  Jan 10 18:15   (2)
pfB_Steam                   64         0  Jan 10 18:15   (1)
pfB_bbc                     41         0  Jan 10 18:15   (1)
pfB_blizzard                44         0  Jan 10 18:15   (1)
pfB_google                6759         5  Jan 10 18:15   (1)
DNSBL_MalwareExploits   213791         5  Jan 09 19:45:33
DNSBL_PrivacyFraud      191072         2  Jan 09 19:46:15
DNSBL_Cryptolocker      830095         0  Jan 08 23:49:34

Aside from the malware lists, you may notice I have entries like Netflix, Google, Steam and BBC.

What I have done is enter the ASN information into pfBlockerNG, and it can grab the IP ranges those companies manage into a firewall table. I then used that information to add rules to send traffic based on those tables to the QoS queue I want.

For Steam this is working perfectly. It also works on Google services if I disable IPv6. Netflix and iPlayer are not that easy though, as the BBC is outsourcing to Limelight Networks and not using their own IP space for iPlayer, and Netflix is coming over from local Sky nodes. Also, when IPv6 is enabled Google and Netflix come over it, and the ASN feature is IPv4 only. But still, I thought this was worth mentioning as it is a powerful tool.

I do have the traffic shaping working quite nicely now, albeit after I had to configure it differently than how the pfSense documentation suggests, and I caused a ruckus on the pfSense forum when trying to explain the issues I had with the default behaviour.

--edit--

IPv6 ASNs are supported; Google is now working well over this system as well :)
« Last Edit: January 12, 2017, 06:01:44 PM by Chrysalis »

Chrysalis

Re: LAN setup
« Reply #117 on: January 17, 2017, 02:01:24 AM »

Since Steam downloads from port 80 I could not lower its priority in conventional ways; this is classified via ASN match.

Chrysalis

Re: LAN setup
« Reply #118 on: January 25, 2017, 02:49:03 PM »

I am planning to install 2.4 fresh using ZFS so I can ditch UFS. Will post here when I do the work.

Chrysalis

Re: LAN setup
« Reply #119 on: January 26, 2017, 08:48:36 AM »

OK, I have now successfully migrated to ZFS, since I am not confident of using UFS for reliability. There are some gotchas that occurred which I will mention here.

Please read everything before you consider doing this, as there are some gotchas.

The process I did was as follows.

1 - Run the backup wizard under the Diagnostics menu to make a backup. Make sure everything is included in the backup; a box is ticked by default which doesn't back up traffic usage data, so I unticked it.
2 - If you have any custom files anywhere on the filesystem then back them up, as they will be lost. Also, if you want to preserve any logs, back them up too.
3 - Download the pfSense 2.4 installer, which is in the development download section. pfSense 2.4 is required if you want native support for 4k alignment, TRIM and ZFS.
4 - Put the installer files on your install media. In my case it is a USB stick and I used the Rufus USB tool.
5 - Reboot the pfSense unit and boot off the install media.
6 - Choose the ZFS (guided) install.
7 - Select striped and pick your storage device.
8 - Enable the forced 4k alignment option.
9 - Enable GPT if you have a UEFI BIOS, or disable it if you don't.
10 - Proceed with the install, let it finish and reboot.
11 - After the reboot, access the web UI with the default admin/pfsense login details.
12 - When the wizard appears, ignore it and instead access the Diagnostics menu and choose Backup and Restore.
13 - Restore your backup, making sure the option to also restore packages is enabled (it was enabled by default on my unit).
14 - Watch the console as it restores your packages to see if there are any issues.
15 - When completed, the core pfSense system and all official plugins should be restored.

Gotchas

The first issue I had is that after restoring my backup and rebooting, it could not get internet access to redownload and install the packages. The reason for this is that unbound was not working, for 2 reasons (I initially thought it was just one reason). In my case dnscrypt was missing, so I had no working DNS tunnel, and also unbound didn't start because missing pfBlockerNG files caused a syntax error. I noticed on the console it was retrying every minute or so, so I simply edited /etc/resolv.conf as follows to make the router use Google DNS temporarily.

Code:
nameserver 8.8.8.8

The restore packages process then successfully finished.

I then had to pkg install dnscrypt again, but that was all I had to do for that, as the earlyshellcmd configuration was intact, so on a reboot it started properly.

Unbound however was still down because it was trying to load pfBlockerNG DNSBL files that were missing, so again I had to temporarily enable Google DNS on the router manually, and then in the pfBlockerNG GUI I manually ran the cron process, which downloaded all the lists and created its configuration files. After that unbound runs normally.

People who don't use pfBlockerNG DNSBL lists and don't use dnscrypt wouldn't have this problem.

I restored my custom files like my custom loader.conf and services.inc (to fix unbound restarts) and all seemed well.

One final gotcha.

The traffic totals plugin is missing at this point; it was not restored when the restore wizard ran. I also forgot to back up its data when I backed up my custom files. So this plugin has to be reinstalled manually post restore.

Also, I enabled a ZFS feature that makes extra copies of every stored file. The command to do so is this:

Code:
zfs set copies=3 zroot

Bear in mind though that this will not make copies of existing files unless they get rewritten; only new writes get the automated copies. It is also nowhere near as good as a ZFS mirror setup, but is better than a plain single copy on a single drive. The reason to make 3 copies instead of 2 is so that when ZFS detects corruption in a copy it can determine the correct copy by a majority-rules system, whereby where 2 copies match they will be determined to be the correct copy.
« Last Edit: January 26, 2017, 08:54:26 AM by Chrysalis »