Kitz ADSL Broadband Information
Pages: 1 [2] 3

Author Topic: Yet Another pfSense Build!  (Read 10320 times)

displaced (Reg Member, Posts: 270)
Re: Yet Another pfSense Build!
« Reply #15 on: February 08, 2017, 11:20:49 AM »

Interestingly, my Amazon order's showing tracking info which reads:

"Parcel has been handed over to the carrier and is in transit - NL".  So it seems my order's coming from the Netherlands too.  That might explain why my delivery charge was lower than that currently showing on the site, too.

...and with a bit of luck, perhaps I'll be getting it sooner than I'd prepared for!
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.

displaced (Reg Member, Posts: 270)
Re: Yet Another pfSense Build!
« Reply #16 on: February 11, 2017, 11:34:13 AM »

I got impatient and set up pfSense in a VirtualBox VM on my MicroServer. 

I've shifted DHCP and DNS from the FreeBSD installation on the MicroServer itself over to the pfSense VM.

I like the presentation of active DHCP leases -- much better than the script I'd bodged together as a Webmin custom command.  DNS updating from the DHCP server was really simple to set up too. 

I need to figure out a way to override a DNS entry for a specific host.  I use PlexConnect to get my Plex library on my 3rd Gen Apple TV.  This works by redirecting DNS lookups for trailers.apple.com to the IP of my Plex server.  On my previous setup, I'd configured PowerDNS to perform this override only for the Apple TV and not for other clients. 

I'm toying with the idea of moving PPPoE and Gateway duties over from my Airport router to the pfSense box.  But I don't want to overwork the VM.  So perhaps I'll need to learn some patience!
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.

Dray (Kitizen, Posts: 2361)
Re: Yet Another pfSense Build!
« Reply #17 on: February 11, 2017, 03:58:33 PM »

A simple way is to make it a static mapping then you can select which DNS servers to use for that device

displaced (Reg Member, Posts: 270)
Re: Yet Another pfSense Build!
« Reply #18 on: February 11, 2017, 04:02:37 PM »

Quote from: Dray on February 11, 2017, 03:58:33 PM
    A simple way is to make it a static mapping then you can select which DNS servers to use for that device

I've ended up doing just that!  My old DNS server (PowerDNS) allowed custom python scripts which could examine the client IP and the queried host/domain, then decide to return a different IP if needed.  That's perfect, since it meant my Apple TV resolved 'trailers.apple.com' to my internal machine, but all other hosts would resolve it as normal.

The 'unbound' DNS resolver in pfSense can do the same, but the feature isn't compiled in to the version pfSense includes.  So I'll stick a version of unbound on my MicroServer that supports those scripts, write one, then use a static lease in pfSense to tell my Apple TV to use that as its DNS server. 

Working on it now :)
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.
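The per-client override described in the post above, written out as a small Python resolver front-end. This is an added illustration, not the poster's script and not Unbound's Python module; the addresses are assumed (192.168.50.23 for the Apple TV, 192.168.50.10 for the Plex server, 192.168.50.1:53 as the real resolver). It parses the question section itself, and only when the query comes from the Apple TV's IP and asks for an A record for trailers.apple.com does it synthesise an answer; every other query, from that client or any other, is relayed upstream untouched. The override_for() policy is the piece an Unbound Python-module script would apply from its own hook; the wire handling around it is just enough to run stand-alone.

```python
import socket
import struct

# Assumed addresses (not from the original post).
APPLE_TV = "192.168.50.23"
PLEX_SERVER = "192.168.50.10"
UPSTREAM = ("192.168.50.1", 53)
TTL = 60

# Override table: (client IP, fully-qualified lower-case name) -> answer.
# Only this one client ever sees the crafted record; everyone else resolves normally.
OVERRIDES = {
    (APPLE_TV, "trailers.apple.com."): PLEX_SERVER,
}


def encode_qname(name):
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_qname(pkt, off):
    """Decode an uncompressed name starting at pkt[off]; return (name, next offset)."""
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", off


def parse_query(pkt):
    """Return (id, qname, qtype, qclass, raw question section) for a single-question query."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_qname(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return qid, qname, qtype, qclass, pkt[12:off + 4]


def build_query(qname, qid=0x1234, qtype=1):
    """Constructed test input: a standard recursive query (A by default)."""
    return (struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
            + encode_qname(qname) + struct.pack("!HH", qtype, 1))


def build_a_response(qid, question, ip, ttl=TTL):
    """One A record; the owner name is a compression pointer (0xC00C) back to the question."""
    header = struct.pack("!6H", qid, 0x8580, 1, 1, 0, 0)  # QR, AA, RD, RA set; rcode 0
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def override_for(client_ip, qname, qtype):
    """Policy: only A queries, only the listed client, only the listed name."""
    if qtype != 1:
        return None
    return OVERRIDES.get((client_ip, qname))


def handle_query(pkt, client_ip):
    """Return a synthesised response, or None meaning 'relay this upstream unchanged'."""
    qid, qname, qtype, _qclass, question = parse_query(pkt)
    ip = override_for(client_ip, qname, qtype)
    if ip is None:
        return None
    return build_a_response(qid, question, ip)


def serve(listen=("192.168.50.1", 5353)):
    """Minimal sequential UDP loop: override, or relay to UPSTREAM. Bind to the LAN side only."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.settimeout(3)
    while True:
        pkt, (client_ip, client_port) = sock.recvfrom(4096)
        try:
            resp = handle_query(pkt, client_ip)
        except ValueError:
            continue  # drop malformed queries rather than relay them
        if resp is None:
            up.sendto(pkt, UPSTREAM)
            try:
                resp, _ = up.recvfrom(4096)
            except socket.timeout:
                continue
        sock.sendto(resp, (client_ip, client_port))


if __name__ == "__main__":
    serve()
```

Two practical notes: bind this only on the LAN address and point only the Apple TV's static mapping at it, because a resolver that hands out crafted records is exactly the thing you never want reachable from clients you did not intend; and because the decision is keyed on the source IP, the static DHCP mapping (as Dray suggested) is what keeps that IP stable.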

displaced (Reg Member, Posts: 270)
Re: Yet Another pfSense Build!
« Reply #19 on: February 16, 2017, 11:24:24 PM »

Well, I got twitchy waiting for the hardware so I went ahead and made the pfSense virtual machine my network's gateway.  It's running fine!

My former router, an AirPort 802.11ac, is now running as just an access point.  I also went through the procedure to get stats from the HG612 on the same port as internet access.  The HG612 config change and the pfSense outbound NAT config worked fine.  My internal LAN is on 192.168.50.0/24, with pfSense and the modem forming a 2-host subnet at 10.0.50.0/30.  So that's an Ethernet run I can remove from the modem to the lounge!

We had a brief power outage yesterday - a bulb blew that, for some reason, tripped the main breaker rather than just the lighting circuit. So I'm back to my 'normal' sync speed.  Still, with a bit of luck, the upcoming 3dB SNRM profile will boost it a bit.

I'm enjoying the ability to see what traffic's getting blocked, and to see which devices are opening ports via NAT-PMP and UPnP.  There are actually far fewer such ports than I'd expected -- I'm particularly surprised that my Nest Thermostat doesn't open itself up to the internet.  It's pretty much just my Plex server, my consoles and PC games (well, to be honest, I've only tested Elite Dangerous as that's all I'm playing these days!).

So all that's left is for the actual machine to arrive!  Next Wednesday appears to be the day...
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.

nallar (Member, Posts: 55, site: Smokeping)
Re: Yet Another pfSense Build!
« Reply #20 on: February 17, 2017, 12:21:36 AM »

Have you considered putting your networking gear on a UPS? It's nice to continue using the internet during power outages (or accidents :)).
Virgin Media cable, A&A ADSL. OPNsense router.

displaced (Reg Member, Posts: 270)
Re: Yet Another pfSense Build!
« Reply #21 on: February 17, 2017, 07:58:35 AM »

I'll get there eventually!

Originally I had the modem in the hall, the Airport router doing PPPoE in the lounge and my DHCP/DNS server under the stairs, so a UPS would be tricky.

The modem's now power-over-Ethernet'd so it's powered from under the stairs and soon I'll have the pfSense box in the same place.  Once it's all set up there, I'll get a UPS 😄
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.

displaced (Reg Member, Posts: 270)
Re: Yet Another pfSense Build!
« Reply #22 on: February 21, 2017, 01:49:57 PM »

Hmm.  It looked like the Qotom machine would arrive tomorrow... but the UPS tracking has taken a strange direction: Eastwards.

After leaving the Netherlands, it arrived just inside Germany.  It's now travelled as far as Nurnberg and is leaving central Germany, heading towards Austria.

Last time I checked, I didn't live in Austria.

I'm hoping Qotom had a fat-finger moment when sending me my tracking number and I'm just looking at the wrong parcel.  The delivery address showing against the order on Amazon's correct. 

Anyway, a bit more on pfSense running as a VM...

It's been handling my day-to-day traffic superbly.  Dynamic DNS for my hostname and HE.net IPv6 tunnel are working fine.  Interestingly, pfSense's gateway monitor shows my IPv6 tunnel gateway as responding faster than the 'parent' IPv4 link to my ISP.  (~9-10ms for the ISP, 7-9ms for HE.net IPv6).  I'm wondering if ICMPv6 pings are quicker/more efficient than v4 ones.

YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.

nallar (Member, Posts: 55, site: Smokeping)
Re: Yet Another pfSense Build!
« Reply #23 on: February 21, 2017, 02:16:28 PM »

Quote from: displaced on February 21, 2017, 01:49:57 PM
    It's been handling my day-to-day traffic superbly.  Dynamic DNS for my hostname and HE.net IPv6 tunnel are working fine.  Interestingly, pfSense's gateway monitor shows my IPv6 tunnel gateway as responding faster than the 'parent' IPv4 link to my ISP.  (~9-10ms for the ISP, 7-9ms for HE.net IPv6).  I'm wondering if ICMPv6 pings are quicker/more efficient than v4 ones.

This typically occurs when the ICMP ping replies from your gateway are handled by a low priority software process, but packets routed further on are handled with hardware acceleration.
Virgin Media cable, A&A ADSL. OPNsense router.

displaced (Reg Member, Posts: 270)
Re: Yet Another pfSense Build!
« Reply #24 on: February 22, 2017, 03:22:31 PM »

Thanks -- that makes sense!

Well, the Qotom box arrived today at work.  Quickly opened it up to fit the mSATA SSD and RAM and stuck it in my bag to take home tonight.  With a bit of luck it'll be up and running later.

Just in time too.  My virtual pfSense installation froze yesterday with a load of 'ahci0 timeout' errors.  Seems I pushed the lil' N40L a bit too hard and the VM wasn't able to read/write to disk quick enough to prevent the guest OS from seeing timeouts.

I'll run the physical pfSense box for a couple of days and check CPU/disk load before deciding on things like Snort and ntopng.
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.

displaced (Reg Member, Posts: 270)
Re: Yet Another pfSense Build!
« Reply #25 on: February 22, 2017, 10:46:42 PM »

Well, that was a bit of a let-down!

The box itself is great!  The RAM I'd bought, however, is not.

I tried installing pfSense and was getting all kinds of weird crashes during the installer's boot process.  Crash dumps, kernel panics, the lot.

I tried a few flash drives and re-wrote the image files from my PC and my Mac.  Each time it seemed to crash in some different spectacular way.  Eventually I found my high-quality Patriot flash drive and it still failed. 

So then I wrote a memtest86 installation to a flash drive and booted that up.  RAM errors galore.

I've got another stick arriving tomorrow, so hopefully I'll have more luck then.  In 25+ years of building PCs I've never had a bad DIMM (or even SIMM back in the day!).  I suppose it was about time!

Still, here's a quick mini-review of the Qotom box:

It's solid.  Really solid.  The fully-metal case is great.  I checked the PSU with my multimeter and the voltage was spot-on.  The mounting bracket, designed to attach to the VESA mount on the back of a monitor, is a great idea.  The computer comes with four metal stand-off screws which you screw into the base of the PC.  These stand-offs have a little 'nub' at the top that slot into four keyholes in the bracket.  So the machine is easily attached and detached from it.  I'm planning on screwing the mount to the inside wall of the cupboard under the stairs, alongside a gigabit switch and a multi-way mains extension.  The bracket will also provide a nice bit of airflow underneath the case.

I had a nose around the American Megatrends BIOS.  Seems to have all the requisite weirdly-named knobs to twiddle.

The USB ports are rather close to each other.  So if you've got a chunky flash drive, you'll need a USB extension cable to fit it in beside the keyboard plug.

The power button doubles as a power LED in the usual retina-searing blue.  There's also a green power LED on the other side of the machine which is a bit calmer.

One last point on disassembly: You only need to undo the four screws on the bottom, NOT the four on the sides.  If you do all eight, it rapidly disassembles itself into lots of pieces and you need at least two-and-a-half hands free to keep everything lined-up to get it back together again.

So, until tomorrow!
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.

Ronski (Helpful, Kitizen, Posts: 4300)
Re: Yet Another pfSense Build!
« Reply #26 on: February 22, 2017, 10:54:52 PM »

It's a great little box isn't it, I also took the wrong screws out.
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

displaced (Reg Member, Posts: 270)
Re: Yet Another pfSense Build!
« Reply #27 on: February 23, 2017, 09:31:19 PM »

It is indeed.

And, IT'S ALIVE!

Replacement RAM did the trick.  pfSense installed fine, then I backed up the config from my VM-based pfSense and restored it to the physical box.

It was nice to see that the interface names in pfSense matched those printed on the case - so LAN1-4 are interfaces em0-3. 

The config restoration got most things right.  It did lose the PPPoE login info and the interface for the modem stats.  Easy fixes though.

I've installed ntopng, but reduced the data retention periods to a max. of 30 days.  CPU and RAM usage are pleasantly low.

I'm looking forward to pfSense 2.4's introduction of ZFS.  I've got a 12TB ZFS pool on my Microserver (6x4TB drives arranged as 3 two-disk mirrors) and have been really impressed with how it tolerates all kinds of bad events (power cuts, failing/failed disks). 

I'll get it properly installed over the weekend, but pretty happy with it so far!
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.

displaced (Reg Member, Posts: 270)
Re: Yet Another pfSense Build!
« Reply #28 on: February 25, 2017, 07:15:03 PM »

My pfSense box (heimdall.home) has now been up for 2 days and it's been solid!

Core temps have been about 40°C with the box itself being no more than slightly-above-ambient to the touch.

I'm pretty impressed with the feature-set of pfSense (and that it all works!).  I've set it up to:
  • Provide DHCP and DNS to the LAN
  • Register DHCP names in DNS
  • Perform dynamic DNS updates for my ISP connection and my HE.net ipv6 tunnel
  • Do ipv6 router advertisement for the LAN
  • Give access to my HG612's stats by routing to a different private network containing the modem
  • Act as an NTP time server for my LAN and for the HG612 (so its log entries are correctly timestamped)
  • Run an OpenVPN server on port 443, with OpenVPN's port-sharing feature to forward non-VPN, normal HTTPS connections to my internal webserver
  • Handle UPnP/NAT-PMP port-forward requests from apps and devices
  • Generate and manage OpenVPN users and their certificates, and provide downloadable .ovpn config files for clients
  • Renew HTTPS certificates for my internal server via Let's Encrypt
I've done all this stuff manually on a FreeBSD server in the past.  It's amazing how much time and effort pfSense saves, although it's always good to know how it all works under-the-hood.  I've nosed around a bit via a shell on the pfSense system and happily it does seem to do things the right way.

If anyone's got any questions, please ask!

Cheers,
Chris

[Moderator edited to re-site the misplaced [/list] tag.]
« Last Edit: February 25, 2017, 09:17:00 PM by burakkucat »
YouFibre 1Gbit, OPNsense on Intel N100.  Ubiquiti UAPs.
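The port-443 sharing item in the list above hinges on telling an OpenVPN client's first TCP packet apart from a TLS ClientHello. The following is an added Python illustration of that demultiplexing (it is neither pfSense's nor OpenVPN's code, and the backend addresses 127.0.0.1:1194 and 192.168.50.10:443 are assumed): an OpenVPN-over-TCP stream begins with a two-byte length prefix followed by an opcode byte whose top five bits are P_CONTROL_HARD_RESET_CLIENT_V2 (7) or V3 (10), while a TLS handshake record begins with content type 0x16 and major version 0x03. classify() makes that decision from the first three bytes and the asyncio proxy around it forwards the connection, replaying the sniffed bytes, to whichever backend matches.

```python
import asyncio

# OpenVPN protocol constants: the opcode sits in the top 5 bits of the byte
# that follows the 2-byte TCP length prefix; the key id is in the low 3 bits.
P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_CLIENT_V3 = 10
OPENVPN_FIRST_OPCODES = {
    P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,  # 0x38
    P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT,  # 0x50
}
TLS_HANDSHAKE = 0x16

# Assumed backends (not from the original post).
VPN_BACKEND = ("127.0.0.1", 1194)
WEB_BACKEND = ("192.168.50.10", 443)


def classify(head: bytes) -> str:
    """Classify a TCP stream from its first three bytes: 'openvpn', 'tls' or 'unknown'."""
    if len(head) < 3:
        return "unknown"
    # OpenVPN/TCP: a client hard-reset is short (high length byte 0) but the
    # smallest valid one (opcode + 8-byte session id + ack length + packet id)
    # is 14 bytes, so the low length byte must be at least 14.
    if head[0] == 0 and head[1] >= 14 and (head[2] & 0xF8) in OPENVPN_FIRST_OPCODES:
        return "openvpn"
    # TLS: content type 22 (handshake) followed by protocol major version 3.
    if head[0] == TLS_HANDSHAKE and head[1] == 0x03:
        return "tls"
    return "unknown"


def choose_backend(head: bytes):
    """Port-share semantics: OpenVPN stays local, everything else goes to the web server."""
    kind = classify(head)
    return kind, (VPN_BACKEND if kind == "openvpn" else WEB_BACKEND)


async def _pump(reader, writer):
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def handle_connection(client_r, client_w):
    try:
        head = await client_r.readexactly(3)
    except asyncio.IncompleteReadError:
        client_w.close()
        return
    _kind, (host, port) = choose_backend(head)
    try:
        backend_r, backend_w = await asyncio.open_connection(host, port)
    except OSError:
        client_w.close()
        return
    backend_w.write(head)  # replay the bytes consumed while sniffing
    await backend_w.drain()
    await asyncio.gather(_pump(client_r, backend_w), _pump(backend_r, client_w))


async def main(listen=("0.0.0.0", 443)):
    server = await asyncio.start_server(handle_connection, *listen)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The caveat this makes visible: everything that is not OpenVPN, including plain-HTTP probes and scanner traffic, is handed to the internal web server, so that server has to be hardened as if it were directly exposed on port 443, and the VPN side still needs its own protection (certificate auth, tls-auth or tls-crypt) because the demux does nothing to hide or authenticate it.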

AciidSn3ak3r (Just arrived, Posts: 2)
Re: Yet Another pfSense Build!
« Reply #29 on: May 10, 2018, 08:10:33 PM »

Hi Chris,

Was reading through this and noticed you have Vodafone FTTC.
I've been using pfSense for a while with Sky FTTC and then Virgin.
I've just moved to Vodafone today but been having all kinds of problems.

Would you be able to share the type of settings you have configured for VF?

I'm currently using pfSense in a Hyper-V box and I set up the PPPoE username and password and added a VLAN tag of 101.
Now here's the weird bit. I could access all sites on my Android phone with no issue.
But my Macbook, iPad, Wife's iPhone or directly connected server could not browse any website other than what it seemed to be Google owned. I.e. YouTube, Google search etc.

Now I have directly connected my HG612 to my Asus Access Point (now in router mode) and everything works fine.
So I can only see the pfSense being the issue.

I'd appreciate any help you can give.

Thanks