PfSense


From Docunext Technology Wiki



PfSense 2

This page provides an overview of pfSense, and since a major pfSense release is underway, visit pfSense 2 for more recent information.


Summary

pfSense is similar to m0n0wall but has a different underbelly and thus a much different set of features and functions.

Some notable differences:

I'm planning to try out some more tests with this setup soon. Right now I'm just setting up two pfSense machines so that I can test out carp failover as well.

pfSense Install

Linux

zcat pfsense-embedded.img.gz | dd of=/dev/sd[a] bs=16k

Replace /dev/sd[a] with the actual target device (for example /dev/sdb) and double-check it first: dd overwrites the whole device without asking.

pfSense Load Balancer

The pfSense load balancer is nice in that it is simple - you add the servers you want to balance across, and you are pretty much done. However, I've run into some issues with it:

  • too many firewall states
  • incorrect "down" status from time to time
  • can't work out whether, and how, the server-down IP can be placed on another network

Granted, these issues are the result of my own limited knowledge of how slbd works, so hopefully I can work them out.

Additional load balancing topics:

pfSense VPN Server

Supports:

pfSense DHCP Server

The pfSense DHCP server provides the capability to direct DHCP PXE Boot clients to a different host for their storage. Very cool!

pfSense DNS Settings

For pfSense DNS, I set the two addresses on the General page to our two private unbound servers, which sit on external public IP addresses. Then I set the DHCP server to hand out the private LAN address as the first DNS entry and the first unbound server as the second. I think this is a good setup for our networks.

pfSense Errors

rrd Graphs

In my experience, if a pfSense machine is simply switched off without being shut down, the RRD graphs will not work until the machine is properly rebooted.

The graphs are awesome anyway. Here's an example:

pfSense traffic graphs

NFS and MTU

This isn't specific to pfSense, but since I use pfSense, it rears its ugly head. I'm not exactly sure, but I think it has to do with IP fragments. I use FIOS which, like PPP, uses a WAN MTU of 1492. IPsec also adds IP overhead, reducing the data capacity of each packet. The pfSense docs suggest, but do not confirm, that NFS on GNU/Linux sends fragmented packets that also have the Do Not Fragment bit set in the IP header. Confusing? Yes. Ultimately, I do stuff like this:

pfSense MTU Setting of 1440

And this in my Fstab:

# NFSv4 mount with small read/write sizes so each request stays well under the reduced MTU
192.0.2.1:/ /mnt/point nfs4    _netdev,noauto,noatime,rsize=512,wsize=512,user 0 0

Namespace Collisions

I keep getting a warning about a namespace collision in the default ruleset. I have no idea what this is about - just started happening recently...

TSIG DNS Updates

I had to change /etc/inc/services.inc for version 1.2.x:

/* generate update instructions */
$upinst =  "server update.dyndns.com\n";
$upinst .= "zone intra.savonix.com\n";
$upinst .= "key {$config['dnsupdate']['keyname']} {$config['dnsupdate']['keydata']}\n";
$upinst .= "update add {$config['dnsupdate']['host']} {$config['dnsupdate']['ttl']} A {$wanip}\n";
$upinst .= "send\n";
$upinst .= "\n";	/* mind that trailing newline! */

And this for version 2.x (see services.inc):

$upinst .= "zone intra.savonix.com\n";
$upinst .= "key {$dnsupdate['keyname']} {$dnsupdate['keydata']}\n";
$upinst .= "update add {$dnsupdate['host']} {$dnsupdate['ttl']} A {$wanip}\n";
$upinst .= "send\n";
$upinst .= "\n";	/* mind that trailing newline! */

$fd = fopen("{$g['varetc_path']}/nsupdatecmds{$i}", "w");
fwrite($fd, $upinst);
fclose($fd);

/* invoke nsupdate */
$cmd = "/usr/bin/nsupdate -k {$g['varetc_path']}/K{$i}{$keyname}+157+00000.key";

Ideally the form should also have the server address for updates and a zone selector, see:

https://www.dyndns.com/support/kb/ddns_updates_and_tsig.html
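As an added example (my own code, not pfSense's services.inc), here is the same nsupdate instruction block built in Python, with the input checks the PHP above skips when it interpolates form values straight into the command file. The function name, the validation rules and the sample values are assumptions for illustration.

```python
import ipaddress
import re

# One DNS name: dotted labels of letters, digits and hyphens (assumed rule)
NAME_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}\.?", re.I)


def _valid_name(name):
    return len(name) <= 253 and NAME_RE.fullmatch(name) is not None


def _valid_server(server):
    # The update server may be given as an IP literal or as a host name
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return _valid_name(server)


def build_nsupdate_script(server, zone, keyname, keydata, host, ttl, wanip):
    """Return the text pfSense writes to nsupdatecmds: server, zone, key,
    update add, send, then the trailing blank line nsupdate needs."""
    if not _valid_server(server):
        raise ValueError("update server must be a host name or IP address")
    if not (_valid_name(zone) and _valid_name(host)):
        raise ValueError("zone and host must be valid DNS names")
    if not host.rstrip(".").lower().endswith(zone.rstrip(".").lower()):
        raise ValueError("host must lie inside the zone being updated")
    # Key name and base64 key data: refuse whitespace or newlines, which
    # would otherwise let a form value inject extra nsupdate directives
    if not re.fullmatch(r"[A-Za-z0-9._-]+", keyname):
        raise ValueError("key name contains characters nsupdate would misparse")
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", keydata):
        raise ValueError("key data is not base64")
    ttl = int(ttl)
    if ttl < 0:
        raise ValueError("ttl must be non-negative")
    ip = ipaddress.IPv4Address(wanip)  # only an IPv4 literal fits an A record
    lines = [
        f"server {server}",
        f"zone {zone}",
        f"key {keyname} {keydata}",
        f"update add {host} {ttl} A {ip}",
        "send",
        "",  # mind that trailing newline!
    ]
    return "\n".join(lines) + "\n"
```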

See Also

Links
