Kitz ADSL Broadband Information

Author Topic: Ronski's Pfsense router build  (Read 63811 times)

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Ronski's Pfsense router build
« Reply #45 on: December 10, 2016, 08:36:14 AM »

I'm not yet using it as a router. I've disabled DHCP and added a gateway pointing at my current one, and I disabled the other two for good measure. Not sure what packages I will be using yet, I've not looked into them yet, but I certainly will be using one to block much of the world's IP addresses.

All the command line stuff is solely related to making sure that the SSD is 4K aligned, trim is set up, SUJ (I don't even know what that is!) is disabled and a swap file is created. Pfsense would run fine if you just went ahead and did a straightforward install. I'm not sure what the effects would be of not doing the above: reads and writes to the drive would be slower and the drive may wear out quicker, but whether any of that would make a difference given what the drive's being used for, I doubt it. Any sign of your hardware yet?

Anyway I've written a step by step guide to help you and as a record for myself.

At some point Pfsense will install aligned and enable Trim on SSDs; I've no idea when though. Chrysalis said he'd been told in the next release, which could well mean the next major release rather than minor incremental releases.

I still don't have the swap file enabled, although I probably will never need it with 8GB RAM, and I still have that strange name in gpart show, but it doesn't look like that's causing any problems.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Ronski's Pfsense router build
« Reply #46 on: December 10, 2016, 09:11:52 AM »

Hi ronski

I would check your fstab, as I think you have not added it, or have added it wrongly.

I could be wrong so apologies in advance

Many thanks

John
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Ronski's Pfsense router build
« Reply #47 on: December 10, 2016, 01:31:15 PM »

Yes, it's the next major release, not maintenance releases.

You can use pfsense using its built-in functions without touching the command line; the only initial bit would be when booting up the first time and telling it which ports to use for LAN.

Asuswrt is similar: it has a command line but a GUI frontend. You can use it with just the UI, but of course UI only means you're not utilising the full potential; still, the UI has a lot of core functions in place.

PFsense is definitely UI focused; you can add plugins via the UI, and those almost all have UI elements.

There are CLI packages, but none are required for core operation; they're just useful for *nix-fluent users who want specific tools for advanced stuff.

If you leave the SSD misaligned and with trim disabled, the effects are lower performance (but the performance would still be fine for typical router use) and faster wear on the flash storage.

An example of what can only be done via cli is enabling checksum offloading on a per device basis, the UI lets you turn it on and off but the setting applies to all nic ports, whilst in the CLI it can be toggled per port.  However for the majority of situations the UI on/off globally is enough.

I have applied various tweaks to loader.conf and sysctl.conf, but this is from my knowledge of FreeBSD; some of these tweaks are configurable in the UI as well, though, so can be done via point and click.

Ronski now pfsense is installed, another suggestion.

In the GUI you should find a reference to powerd; you will want to enable that to allow the CPU to fluctuate its clock speed for better temps and power consumption, and also select either adaptive or hiadaptive mode. Hiadaptive is adaptive but will increase the clock speed with less load than adaptive and also take longer to reduce clock speed when idle. There are also options to enable advanced temp sensors so you can monitor the temp of each CPU core.

SUJ is soft updates journaling. Soft updates itself is complex and not a great system; SUJ adds some journaling to the soft updates, but it's not the same as traditional journaling as seen in ext3/4 and gjournal. SUJ adds extra writes to the SSD, and the track record of SUJ is also not great in terms of filesystem stability. Its main purpose is to try and avoid a long fsck after an improper shutdown, but fsck is very fast on SSDs anyway, not to mention the filesystem usage on a router will be very small, so the benefit of skipping fsck is minimal.
« Last Edit: December 10, 2016, 01:46:41 PM by Chrysalis »
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Ronski's Pfsense router build
« Reply #48 on: December 10, 2016, 10:38:55 PM »

@John, you were not wrong. I deleted the line and pasted it in as per Chrysalis's example and this time it worked, thanks very much. Much easier via Putty.
@Chrysalis Made the adjustments you suggested, thanks.


 
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Ronski's Pfsense router build
« Reply #49 on: December 10, 2016, 11:02:26 PM »

Well here's my step by step guide of what I've done so far (with a lot of help - thanks)

Quote
You can download the latest version of Pfsense from https://www.pfsense.org/download/
See this link https://doc.pfsense.org/index.php/Writing_Disk_Images to create a bootable USB drive - I used Rufus

The following install guide includes correct 4K alignment for an SSD, enabling Trim, creating a Swap File instead of a Swap Partition, and disabling SUJ.
In the future some of the above may not be required as Pfsense will support SSD's properly, so these steps could be skipped.

Enter into BIOS and make sure it boots from your USB stick
On the options screen select 2 - Boot Single User mode
After a while you will need to press enter to get to the shell
If there are existing partitions on your drive you can use gpart to delete/destroy them http://www.freebsdonline.com/content/view/731/506/
The command "gpart show" will display what's set up
To create the partition with the correct offset issue the following two commands
gpart create -s mbr ada0
gpart add -t freebsd -b 504 ada0
Then you can use "gpart show ada0"
Your results should look similar to picture SSD Info-1
Now enter Exit, you may have to do this twice
It will then after a short while return to the installers Configure Console
I chose to accept these settings
Choose Custom Install
On the next screen select the disk to install to.
I chose to skip formatting
I chose to skip partitioning
I chose to install bootblocks
I selected the primary partition of ada0 - there was only one anyway
Choose OK on the Are You SURE screen!
Got an information message that Primary partition one was formatted
Select Subpartitions - I deleted the swap one, then proceeded to create
Got a warning about not having a swap partition, just OK'd this

At this point I got an error.

I chose to skip and the install continued.
Once you get to Reboot you can hit Ctrl-C to get back into the shell, pressing Return to fully enter it.

You can use the following two commands to check things look correct

gpart show ada0
tunefs -p /dev/ada0s1a

Then issue the following two commands to enable trim and disable soft updates journaling

tunefs -t enable /dev/ada0s1a
tunefs -j disable /dev/ada0s1a

You can then check the changes have taken effect with the following command

tunefs -p /dev/ada0s1a

Now type Reboot - you may have to press enter twice.
Now is the time to remove your USB drive, and it will boot into PFsense hopefully!

After reboot

At this point you can change the LAN IP of the router using option 2 to set the interface IP

I set it up as an address on my local network and disabled DHCP.
I then logged into the Pfsense web interface, doing as little as possible through the setup Wizard
I added a Gateway (System > routing) which pointed to my current router, and disabled any other gateways whilst fiddling - you'll need to change this back when using as a router.
I also checked that DHCP was disabled.
Pfsense should now have internet access.

Now to enable SSH so you can telnet in using something like Putty

This can be done via the GUI or via console - see https://doc.pfsense.org/index.php/HOWTO_enable_SSH_access

Now on to making the swap file - this needs to be done from the console, so telnet in from your PC using port 22 unless you've changed it.
If using Putty you can paste with a right mouse click, don't forget to press enter when pasting passwords like I did!
Choose option 8 from the console menu, to enter the shell

Now enter the following commands

mkdir /usr/swap

I got no confirmation, just another line

Now enter the following command for a 2Gig swap file

dd if=/dev/zero of=/usr/swap/swap bs=128k count=16384

After a long pause I got some info displayed as follows

16384+0 records in
16384+0 records out
2147483648 bytes transferred in 25.284832 secs (84931695 bytes/sec)

I then entered the following command

ee /etc/fstab

and added the following line (use copy and paste). I also inserted a carriage return (enter) at the end so the cursor dropped down to the next line

md99            none            swap    sw,file=/usr/swap/swap,late     0       0

When you've added the above hit Ctrl C and type exit to save the changes

Then enter the following command

swapon -aL

If you get an error check you've entered the line correctly in fstab

If that all went well, you can now Exit back to the console menu and get on with exploring!

Settings that you may want to make from the GUI.

Setup PowerD, Thermal Sensors and Cryptographic hardware if applicable, all of which are located in System - Advanced - Miscellaneous

Hopefully I've documented it fairly accurately, if there are any mistakes please let me know.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D
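As an added example (not from the thread or from pfSense itself), here is a POSIX sh script that checks the settings the guide above sets and Chrysalis explains: a 4K-aligned slice start, trim enabled, SUJ disabled, and a swap file entry in fstab. The two sample outputs and the fstab line are constructed to match the guide; on a real box you would feed in the real `gpart show ada0`, `tunefs -p /dev/ada0s1a` and `/etc/fstab` contents instead.

```shell
#!/bin/sh
# Added example: verify the SSD tuning the guide describes. Sample data below is
# constructed to mirror the guide's values, not copied from a real install.

SAMPLE_GPART='=>       63  234441585  ada0  MBR  (112G)
         63        441        - free -  (220K)
        504  234441144     1  freebsd  (112G)'

SAMPLE_TUNEFS='tunefs: soft updates: (-n)                                 enabled
tunefs: soft update journaling: (-j)                       disabled
tunefs: gjournal: (-J)                                     disabled
tunefs: trim: (-t)                                         enabled'

SAMPLE_FSTAB='/dev/ada0s1a  /  ufs  rw  1  1
md99            none            swap    sw,file=/usr/swap/swap,late     0       0'

# Print the start sector of the first freebsd slice in "gpart show" output.
first_slice_start() {
    printf '%s\n' "$1" | awk '$4 == "freebsd" { print $1; exit }'
}

# Succeed if a start sector (512-byte sectors) lands on a 4096-byte boundary.
is_4k_aligned() {
    [ $(( $1 % 8 )) -eq 0 ]
}

# Print the value (enabled/disabled) of one tunefs flag such as -t or -j.
tunefs_flag() {
    printf '%s\n' "$2" | awk -v flag="($1)" 'index($0, flag) > 0 { print $NF; exit }'
}

# Report every deviation from the guide's settings; prints "ok" when all match.
check_ssd_setup() {
    gpart_out=$1; tunefs_out=$2; fstab_out=$3
    problems=""
    start=$(first_slice_start "$gpart_out")
    is_4k_aligned "${start:-1}" || problems="$problems misaligned(start=$start)"
    [ "$(tunefs_flag -t "$tunefs_out")" = enabled ] || problems="$problems trim-disabled"
    [ "$(tunefs_flag -j "$tunefs_out")" = disabled ] || problems="$problems suj-enabled"
    printf '%s\n' "$fstab_out" | grep -q 'swap[[:space:]]*sw,file=' || problems="$problems no-swapfile"
    if [ -z "$problems" ]; then echo ok; else echo "$problems"; fi
}

check_ssd_setup "$SAMPLE_GPART" "$SAMPLE_TUNEFS" "$SAMPLE_FSTAB"
```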

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Ronski's Pfsense router build
« Reply #50 on: December 10, 2016, 11:22:21 PM »

Added some pictures to the first post.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Ronski's Pfsense router build
« Reply #51 on: December 17, 2016, 05:44:00 PM »

Have now got my Pfsense box running live  ;D

Have switched to using the HG612 as my modem, rather than the Zyxel, I've lost 7.2Mbps on the downstream (attainable was slightly lower than the sync on the Zyxel), but have gained 2Mbps on the upstream (attainable was pretty much the same as the sync). I shall probably stick to using the HG612 given the boost in upstream, and it makes for a tidier set up.

I still have a lot of work to do. I have set up some port forwards to cover my extremely basic website and WHS2011 access. I have also set up a firewall rule so that only pings from the TBB ping monitor are responded to.

Currently I can't access my website from within my own network, which also means update checks for the GUI fail. That's not a problem, but I would like to fix it. I roughly know what's wrong (https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks) but I'm not sure how to fix it.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Ronski's Pfsense router build
« Reply #52 on: December 17, 2016, 05:58:38 PM »

Hi ronski

Sounds good, well done

I would use DNS to allow access, and the link you posted tells you how to do this: split DNS.

In simple terms, you have DNS for the external WAN side and internal LAN side DNS.

If you still have not managed it, I'll see if I can post a pic tomorrow from one of our pfsense firewalls for you.

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Ronski's Pfsense router build
« Reply #53 on: December 18, 2016, 08:51:31 AM »

Thanks John, I was in a bit of a rush yesterday and should have mentioned that the website runs on a non-standard port.

The link says that Method 2: Split DNS is the more elegant solution, but that gives no option to enter port numbers, so perhaps NAT reflection is the way to go.

I'll take a look later when my head's a bit clearer from last night's Christmas works do.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Ronski's Pfsense router build
« Reply #54 on: December 18, 2016, 08:59:00 AM »

Hi ronski

Many thanks. Were you at Elland Road football stadium? It was our works do last night and it had a 1920 theme.

The split DNS does not need port setup. If using different ports, you input this into your browser as normal. Split DNS just resolves the URL to either external or internal, so that gives you, as an example:

Mydomain.url:8080 - external 5.5.5.5

Mydomain.url:8080 - internal 192.168.1.1

Obviously the above is an example using made-up information, so it's easier to understand.

If it helps, the only DNS records which use ports are SRV records.

I hope that helps a little

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Ronski's Pfsense router build
« Reply #55 on: December 18, 2016, 10:45:19 AM »

Winter Gardens Margate - Winter Wonderland theme, very nice but far too much to eat.

Just looking into this now; it seems that DNS Resolver is the replacement for DNS Forwarder, although the latter is still present, but disabled.

Not sure what you mean by "If using different ports, you input this into your browser as normal". I just enter www.ronski.me.uk into my browser; my domain name provider has a redirect which then incorporates the port number IIRC.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Ronski's Pfsense router build
« Reply #56 on: December 18, 2016, 11:04:56 AM »

Hi ronski

Sounds good, the food this year was not as good as last year I'm sorry to say.

The DNS hosting records for a domain.url cannot have port numbers attached, i.e. CNAME, A or AAAA records. I would guess they have a PHP or JavaScript redirect in place.

You could do the same on your hosting platform (IIS or Apache or whatever your platform is) and the above would work, or you can just add the port to the domain.url in your browser.

I hope that explains it more; as I said, only SRV records allow a port to be assigned to the records.

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Ronski's Pfsense router build
« Reply #57 on: December 18, 2016, 11:56:55 AM »

Thanks John, I opted to use NAT Reflection, and have enabled the options as per this link and it now all works. The website is of no real use, it's just something I played about with, but it also incorporates the updates for the HG612 stats GUI, so I do need it to work for testing that.

My domain host just forwards to my IP address and port number.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Ronski's Pfsense router build
« Reply #58 on: December 18, 2016, 12:01:20 PM »

Hi Ronski

Glad you resolved it, and either would work.

Here is a pic for DNS in pfsense, to help others if needed, and also a link to a site that explains DNS and port numbers better (though a quick Google brings up many sites that explain it).

Many thanks and wishing everyone a lovely Christmas, and happy New Year

John

http://support.simpledns.com/kb/a35/can-i-specify-a-tcp-ip-port-number-for-my-web-server-in-dns-other-than-the-standard-port-80.aspx
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Ronski's Pfsense router build
« Reply #59 on: December 18, 2016, 12:22:53 PM »

Is it possible to name devices that are attached? I can look in Status / DHCP Leases or Diagnostic / ARP Table and see what's attached, but many have meaningless host names such as android-23bb9a0efce1a2dc. In my old router I could assign names and it was easy to then see what was on my network.

I can enter a description for devices which are issued a static address, but I don't want to give everything a static address.

Perhaps there's a plug-in that could do this? It would just need to keep a record of the MAC address and corresponding name of the device. It could even email me when a new device appears that's not in the list, kind of like an alarm system.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D
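The "alarm system" idea in the post above, as an added example that is not from the thread or from any pfSense package: a POSIX sh script that annotates the ARP table with names from a known-MAC list and flags any MAC not on the list. The ARP lines and the device list are constructed samples in the FreeBSD `arp -an` line format; on pfSense you would pipe real `arp -an` output in, and could run it from cron and mail the output.

```shell
#!/bin/sh
# Added example: inventory check of the ARP table against a list of known devices.
# Both inputs below are constructed samples, not data from a real network.

KNOWN_DEVICES='00:11:22:33:44:55 ronski-pc
66:77:88:99:aa:bb android-phone'

SAMPLE_ARP='? (192.168.1.20) at 00:11:22:33:44:55 on igb1 expires in 1140 seconds [ethernet]
? (192.168.1.21) at 66:77:88:99:AA:BB on igb1 expires in 900 seconds [ethernet]
? (192.168.1.77) at de:ad:be:ef:00:01 on igb1 expires in 1190 seconds [ethernet]'

# Look up a MAC (case-insensitively) in the known list; print its name, or nothing.
device_name() {
    printf '%s\n' "$2" | awk -v mac="$1" 'tolower($1) == tolower(mac) { print $2; exit }'
}

# Print one "ip mac name" line per ARP entry, with NEW for MACs not in the list.
annotate_arp() {
    printf '%s\n' "$1" | while read -r _ ip _ mac _; do
        ip=${ip#\(}; ip=${ip%\)}          # strip the parentheses arp -an puts around the IP
        name=$(device_name "$mac" "$2")
        printf '%s %s %s\n' "$ip" "$mac" "${name:-NEW}"
    done
}

# Print only unknown devices; returns 0 when at least one exists, 1 when none do,
# so it can drive a cron job that only sends mail on the alarm condition.
new_devices() {
    annotate_arp "$1" "$2" | awk '$3 == "NEW"' | grep .
}

annotate_arp "$SAMPLE_ARP" "$KNOWN_DEVICES"
```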