Posts tagged pfsense

pfsense: traffic shaping

posted on 2016-03-20 18:12:20

why?

Over a small broadband connection, to a backend which is physically split into two networks, guarantee that one network cannot eat up all the bandwidth. This shall be achieved by per-interface settings.

setup

On the PFSense, there are 3 ports:

  • WAN
  • LAN
  • OPT1

LAN is the important network here, so the OPT1 interface shall be cut back.

how?

In the 2.x series, you have to do it like this:

  • Firewall >> Traffic Shaper
  • Click on OPT1 interface in the tree on the left
  • Checkbox 'enable', enter your available bandwidth (likely 1Gbit)
  • Button 'save'
  • Button 'apply new changes'
  • Button 'add new queue'
  • Enter a queue name (this is important to do before saving! Otherwise you have to ssh into your PFS and fix the config via viconfig: search for 'queue' in there and remove the old setting. If you have trouble finding it, add another queue with a unique name and search for that instead.)
  • Checkbox 'enable'
  • Checkbox 'default queue'
  • Bandwidth here is again '1 Gbit' then
  • Service Curve, checkbox 'upper limit' and enter your limit in the m2 field, e.g. '10Kb'
  • Button 'save'
  • Button 'apply new changes'

Then you should be done.

testing

On the main page of the PFS webgui, add the 'traffic graphs' widget to the front page dashboard. There you can see your throughput easily.

Load a large HD video on youtube from a host on the limited subnet, so the connection is completely used. This will not work with mobile devices, since you cannot set the desired quality there. (!)

Changing the m2 value in a separate window (and applying the changes) should show its limiting capability rather nicely.

pfsense: iphone ipsec roadwarrior configuration

posted on 2015-12-13 16:47:01

Since this took me a while, here is an incomplete write-up. (...) If the stars are lucky I will eventually get around to finishing this properly.

software versions

  • PFSense 2.2.5
  • iOS 9.2

ios settings for phase 1 + 2

This is straight from the pfsense logs:

# phase 1
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

# phase 2
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ

which translates to these alternatives for each phase:

# phase 1 (you should choose the second one :))
enc: aes cbc 128bit
hash: sha1
dh: 1024bit / group 2

enc: aes cbc 256bit
hash: sha256
dh: 1536bit / group 3

enc: 3des cbc
hash: sha1
dh: 1024bit / group 2


# phase 2 (basically aes 256/128 / aes 128 / 3des with sha1 / md5, no PFS)
enc: aes cbc 256
hash: sha1

enc: aes cbc 256
hash: md5

enc: aes cbc 128
hash: sha1

enc: aes cbc 128
hash: md5

enc: 3des cbc
hash: sha1

enc: 3des cbc
hash: md5

According to Apple documentation, PFS is possible, too.
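Translating these proposal strings by hand is error prone, so here is an added example (not part of the original post) that parses strongSwan-style proposal lines like the ones above into the enc/hash/dh settings the pfSense GUI asks for, flags legacy choices (3DES, MD5, DH groups below 2048 bits) and reports whether a phase 2 proposal uses PFS. The DH group numbers are the RFC 2409/3526 ones; the sample log text is constructed from the lines quoted above.

```python
import re
from typing import Dict, List

# Constructed sample: the phase 1 and phase 2 proposals quoted in the post,
# in the comma separated form the pfSense IPsec log prints them.
SAMPLE_LOG = (
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024\n"
    "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ"
)
# MODP modulus size in bits -> IKE DH group number (RFC 2409 / RFC 3526).
DH_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14, 3072: 15, 4096: 16}

def parse_proposal(text: str) -> Dict[str, object]:
    """Translate one 'IKE:...' or 'ESP:...' proposal into pfSense GUI terms."""
    proto, body = text.strip().split(":", 1)
    parts = body.split("/")
    # Encryption: AES_CBC_256 -> aes cbc 256bit; 3DES_CBC has a fixed 168 bit key.
    enc = parts[0].split("_")
    bits = int(enc[-1]) if enc[-1].isdigit() else 168
    # Integrity: HMAC_SHA1_96 -> sha1, HMAC_SHA2_256_128 -> sha256, HMAC_MD5_96 -> md5.
    integ = parts[1].split("_")
    hash_alg = "sha" + integ[2] if integ[1] == "SHA2" else integ[1].lower()
    # DH group: always present in phase 1, present in phase 2 only when PFS is on.
    modp = next((p for p in parts if p.startswith("MODP_")), None)
    dh_bits = int(modp.split("_")[1]) if modp else None
    weak: List[str] = []
    if enc[0] == "3DES":
        weak.append("3des")      # 64 bit block cipher, legacy
    if hash_alg == "md5":
        weak.append("md5")       # deprecated as an HMAC hash
    if dh_bits is not None and dh_bits < 2048:
        weak.append("dh<2048")   # groups 1, 2 and 5 are below current guidance
    return {
        "phase": 1 if proto == "IKE" else 2,
        "enc": f"{enc[0].lower()} {enc[1].lower()} {bits}bit",
        "hash": hash_alg,
        "dh_group": DH_GROUP.get(dh_bits) if dh_bits else None,
        "pfs": (dh_bits is not None) if proto == "ESP" else None,
        "weak": weak,
    }

def parse_log(log: str) -> List[Dict[str, object]]:
    """Split a log excerpt on commas/newlines and translate every proposal."""
    return [parse_proposal(p) for p in re.split(r"[,\n]+", log) if p.strip()]

if __name__ == "__main__":
    print(*parse_log(SAMPLE_LOG), sep="\n")
```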

Network Stats on FreeBSD

posted on 2014-08-21 16:51:25

To see proper load and complete stats on a FreeBSD (e.g. a PFSense), use:

systat -ifstat 1

Which gives something like this:

                    /0   /1   /2   /3   /4   /5   /6   /7   /8   /9   /10
 Load Average

  Interface           Traffic               Peak                Total
     ovpns1  in      0.000 KB/s          1.714 KB/s           84.050 MB
             out     0.000 KB/s          3.965 KB/s          202.886 MB

        lo0  in      0.000 KB/s          0.000 KB/s          200.695 KB
             out     0.000 KB/s          0.000 KB/s          200.695 KB

       enc0  in      0.301 KB/s          0.618 KB/s          615.144 MB
             out     0.243 KB/s          0.483 KB/s          334.407 MB

        em2  in      0.095 KB/s          0.152 KB/s           28.847 MB
             out     0.095 KB/s          0.095 KB/s           28.016 MB

        em1  in    158.298 KB/s        206.448 KB/s          202.662 GB
             out    10.525 KB/s         71.434 KB/s           39.187 GB

        em0  in     11.428 KB/s         72.010 KB/s           41.853 GB
             out    49.342 KB/s         79.099 KB/s           88.548 GB

PFSense IPsec VPN problems

posted on 2014-07-03 10:37:51

When running a PFSense as Firewall and VPN Gateway, trouble might arise. (See here.)

From personal experience with version 2.1.4 and around a dozen different tunnels, random connection breaks occurred.

It did not matter which interface was used, or which hardware the other tunnel endpoint/gateway was running on.

The only helpful solution so far was this:

System >> Advanced >> Tab Miscellaneous >> Section IP Security >> Checkbox Prefer older IPsec SAs

PFSense CLI commands

posted on 2014-07-01 15:34:00

CLI command                     Description
===========================================

pfctl -d                        Deactivate the firewall completely
pfctl -e                        Activate the firewall rules again
pfctl -sn                       Show current NAT rules
pfctl -sr -vv (or pfctl -vvsr)  Show current filter rules with rule numbers
pfctl -ss                       Show the current state table
pfctl -sa                       Show everything it can show
viconfig                        Edit the actual config file, /conf/config.xml.
                                When editing is finished, the /tmp/config.cache
                                file is deleted, so the changes are activated in
                                the firewall after you leave the editor.
/etc/rc.reload_all              Reload the firewall with all of its configuration.
                                This restarts sshd (keeping the current ssh
                                session) and restarts the webgui. It seems
                                rc.reload_all also keeps the sessions up and
                                running.
rm /tmp/config.cache            Remove the running config cache and reuse
                                /cf/config.xml (the firewall reloads
                                /cf/config.xml after the delete).

There are also PHP scripts that can be used, for example:

#!/usr/local/bin/php -q

## Manual Restart OpenVPN Processes.

<?php
require_once('openvpn.inc');

openvpn_resync_all();
?>


#!/usr/local/bin/php -q

## Manual Restart IPSEC VPN Tunnels.

<?php
require_once('vpn.inc');
require_once('util.inc');

vpn_ipsec_force_reload();
?>

PFSense log access

posted on 2014-06-03 14:30:08

To access the logs on a PFSense firewall, you have two options:

GUI

Status >> System Logs

Usually only the last 200 log entries are shown, but this can be set to a maximum of 2000. In the Settings tab change 'GUI Log Entries to Display'.

Shell access

  • ssh into the machine (of course SSH has to be enabled and set up)
  • cd /var/log
  • view the logs via clog <logname>

Piping the clog output into less may be a good idea ;)

tail -f?

Use clog -f <filename>. :)

FreeBSD/PFSense via Grub2

posted on 2014-05-23 17:21:18

After installing PFSense (which is based on FreeBSD) on a dedicated machine for firewalling, it was decided to set up a Debian install alongside it. This should allow shorter setup times in case PFSense would not suffice: just boot Debian and fix the firewall via iptables in /etc/init.d/firewall.

Long story short, after the Debian install and its grub setup, PFSense was lacking a boot entry. (Who would have guessed.)

The output of fdisk -l from within Debian was this:

Disk /dev/sja: 4011 MB, 4011614208 bytes
16 heads, 63 sectors/track, 7773 cylinders, total 7835184 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x90909090

    Device  Boot      Start         End      Blocks     Id  System
/dev/sda1     *          63     1639999      818968+    a5  FreeBSD
/dev/sda2           1638000     7835183     3098592     83  Linux

So the first partition has the PFSense on it.

Putting the lower part of this into /etc/grub.d/40_custom in debian did the trick:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
menuentry "PFSense" {
    # discern partition name easiest via grub shell
    set root=(hd0,1)
    chainloader +1
    # instead of `chainloader +1`, this should work, too
    #kfreebsd /boot/loader
}

Do update-grub afterwards, reboot, and be done.
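As an added example (not from the original post), the script below derives the menuentry from the fdisk -l table instead of the grub shell: it finds MBR partitions of type a5 (FreeBSD) and emits the matching 40_custom chainloader entry. It assumes the disk fdisk calls /dev/sda is GRUB's hd0, and the sample table is constructed from the one quoted above.

```python
import re
from typing import List, Tuple

# Constructed sample: the partition table lines from the fdisk -l output in the post.
SAMPLE_FDISK = """\
    Device  Boot      Start         End      Blocks     Id  System
/dev/sda1     *          63     1639999      818968+    a5  FreeBSD
/dev/sda2           1638000     7835183     3098592     83  Linux
"""

# MBR partition type id used for FreeBSD slices (the 'a5' seen above).
FREEBSD_IDS = {"a5"}

# One fdisk table row: device, optional boot flag, start, end, blocks, id, system.
PART_RE = re.compile(
    r"^(?P<dev>/dev/[a-z]+)(?P<num>\d+)\s+(?P<boot>\*)?\s*(?P<start>\d+)\s+"
    r"(?P<end>\d+)\s+(?P<blocks>\d+\+?)\s+(?P<id>[0-9a-fA-F]{1,2})\s+(?P<system>.*)$"
)

def freebsd_partitions(fdisk_output: str) -> List[Tuple[str, int]]:
    """Return (disk device, partition number) for every partition typed FreeBSD."""
    hits = []
    for line in fdisk_output.splitlines():
        m = PART_RE.match(line)
        if m and m.group("id").lower() in FREEBSD_IDS:
            hits.append((m.group("dev"), int(m.group("num"))))
    return hits

def grub_menuentry(title: str, dev: str, partition: int) -> str:
    """Build a 40_custom entry; GRUB2 counts disks from 0 and partitions from 1."""
    # Assumption: BIOS disk order follows the /dev/sd? letters, so /dev/sda is hd0.
    disk_index = ord(dev[-1]) - ord("a")
    return (f'menuentry "{title}" {{\n'
            f"    set root=(hd{disk_index},{partition})\n"
            "    chainloader +1\n"
            "}\n")

def entries_from_fdisk(fdisk_output: str, title: str = "PFSense") -> str:
    """Emit one chainloader entry per FreeBSD partition found in the fdisk table."""
    return "".join(grub_menuentry(title, dev, num)
                   for dev, num in freebsd_partitions(fdisk_output))

if __name__ == "__main__":
    # Paste the output below the 'exec tail' header in /etc/grub.d/40_custom.
    print(entries_from_fdisk(SAMPLE_FDISK), end="")
```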

Unless otherwise credited all material Creative Commons License by sjas