PfSense


From Docunext Tech Stuff



Summary

pfSense is similar to m0n0wall but is built on a different underlying base, and so has a much different set of features and functions.

Some notable differences:

I'm planning to try out some more tests with this setup soon. Right now I'm just setting up two pfSense machines so that I can test out CARP failover as well.

pfSense Load Balancer

The pfSense load balancer is nice in that it is simple: you add the servers you want to balance across, and you are pretty much done. However, I've run into some issues with it:

  • too many firewall states
  • incorrect "down" status from time to time
  • can't figure out whether (and how) the "server down" IP can be on another network

Granted, these issues are the result of my own limited knowledge of how slbd works, so hopefully I can work them out.

Additional load balancing topics:

pfSense VPN Server

Supports:

pfSense DHCP Server

The pfSense DHCP server provides the capability to direct DHCP PXE Boot clients to a different host for their storage. Very cool!

pfSense DNS Settings

For pfSense DNS, I set the two addresses on the General page to our two private unbound servers, which sit on external public IP addresses. Then I set the DHCP server to hand out the private LAN address as the first DNS entry and the first unbound server as the second. I think this is a good setup for our networks.

pfSense Errors

rrd Graphs

In my experience, if a pfSense machine is simply switched off without being shut down cleanly, the RRD graphs will not work until the machine is properly rebooted.

The graphs are awesome anyway. Here's an example:

[Image: pfSense traffic graphs]

NFS and MTU

This isn't specific to pfSense, but since I use pfSense, it rears its ugly head. I'm not exactly sure, but I think it has to do with IP fragments. I use FIOS which, like PPP, uses a WAN MTU of 1492. IPsec also adds to the IP overhead, reducing the data capacity of each packet. The pfSense docs suggest but do not confirm that NFS on GNU/Linux sends fragmented packets that also have the Don't Fragment (DF) bit set in the IP header. Confusing? Yes. Ultimately, I do stuff like this:

[Image: pfSense MTU setting of 1440]

And this in my fstab:

192.0.2.1:/ /mnt/point nfs4    _netdev,noauto,noatime,rsize=512,wsize=512,user 0 0
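The MTU arithmetic behind the section above is easy to get wrong, so here is an added worked example (not from the original wiki page, and not pfSense code) that computes how much inner packet fits through an ESP tunnel on a 1492-byte PPPoE WAN, what TCP MSS that leaves for NFSv4, and which DF-marked packets would be dropped rather than fragmented. The 1492 figure is the page's; the ESP cipher and integrity parameters (AES-CBC with HMAC-SHA1-96) are an assumption, since the page does not state the tunnel configuration, and the packet sizes in SAMPLE_DF_PACKETS are constructed for illustration.

```python
"""MTU budget for NFS traffic through an IPsec tunnel on a PPPoE-style WAN.

Added example, not part of the original wiki page or of pfSense itself.
Header sizes are standard protocol constants; the ESP cipher/integrity
choice (AES-CBC with HMAC-SHA1-96) is an ASSUMPTION, since the page does
not state the tunnel parameters, and the packet sizes in SAMPLE_DF_PACKETS
are constructed for illustration.
"""
from dataclasses import dataclass

WAN_MTU_PPPOE = 1492   # WAN MTU the page reports for FIOS/PPP
IPV4_HEADER = 20
TCP_HEADER = 20


@dataclass(frozen=True)
class EspParams:
    """ESP tunnel-mode overhead components (assumed AES-CBC / HMAC-SHA1-96)."""
    spi_seq: int = 8      # ESP header: SPI + sequence number
    iv: int = 16          # AES-CBC initialisation vector
    block: int = 16       # cipher block size that drives padding
    pad_len_nh: int = 2   # ESP trailer: pad length + next header
    icv: int = 12         # HMAC-SHA1-96 integrity check value


def esp_tunnel_size(inner_len: int, p: EspParams = EspParams()) -> int:
    """Outer IPv4 packet size when `inner_len` bytes of inner IP packet are
    wrapped in ESP tunnel mode: new IP header, ESP header, IV, payload,
    padding up to the cipher block, trailer and ICV."""
    pad = (-(inner_len + p.pad_len_nh)) % p.block
    return IPV4_HEADER + p.spi_seq + p.iv + inner_len + pad + p.pad_len_nh + p.icv


def max_inner_packet(wan_mtu: int = WAN_MTU_PPPOE, p: EspParams = EspParams()) -> int:
    """Largest inner IP packet whose ESP encapsulation still fits the WAN MTU,
    i.e. the MTU to give the interface that feeds the tunnel."""
    n = wan_mtu
    while esp_tunnel_size(n, p) > wan_mtu:
        n -= 1
    return n


def tcp_mss(inner_mtu: int) -> int:
    """TCP payload per segment that fits `inner_mtu` (NFSv4 runs over TCP)."""
    return inner_mtu - IPV4_HEADER - TCP_HEADER


# Constructed sample: total lengths of IP packets seen leaving the LAN with
# the DF (Don't Fragment) bit set, as a capture tool would report them.
SAMPLE_DF_PACKETS = [576, 1400, 1480, 1500]


def oversized_df_packets(sizes, inner_mtu: int):
    """Packets that carry DF but exceed the tunnel's inner MTU.  These cannot
    be fragmented, so the router must drop them and reply with ICMP
    'fragmentation needed'; if that ICMP is filtered, the sender never
    learns the path MTU and the transfer stalls (a PMTUD black hole)."""
    return [s for s in sizes if s > inner_mtu]


if __name__ == "__main__":
    budget = max_inner_packet()
    print(f"WAN MTU {WAN_MTU_PPPOE}: largest inner packet {budget}, "
          f"TCP MSS {tcp_mss(budget)}")
    print("Page's working value 1440 gives TCP MSS", tcp_mss(1440))
    print("DF packets too large for MTU 1440:",
          oversized_df_packets(SAMPLE_DF_PACKETS, 1440))
```

With the assumed parameters the budget comes out at 1422 bytes of inner packet (1382 bytes of TCP payload); the page's 1440 is the author's working value, and a different cipher (AES-GCM changes the IV and ICV sizes) or NAT traversal (an extra 8-byte UDP header) moves the figure, so derive it from the real tunnel settings rather than copying a number. The last function is the diagnostic: DF-marked packets larger than the inner MTU in a LAN-side capture, combined with no ICMP "fragmentation needed" reaching the sender, is the signature of the stall described above.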

Namespace Collisions

I keep getting a warning about a namespace collision in the default ruleset. I have no idea what this is about; it just started happening recently...

Related Pages


External Links
