pc engine – pfsense as router / firewall

download (1)Just built a pfsense router on  a pc engine to replace my aging 7390 fritzbox…. Very very awesome and fast!

Perfect for UFB (ultra fast broadband) here in New Zealand – FTTH has arrived :)

I’m currently running these services on it (2 x 1GHZ cpu, 4GB RAM, 16GB msata SSD);

  • dhcpd – DHCP server
  • miniupnpd – UPnP server
  • ntpd – NTP server
  • squid – Transparent Proxy & Reverse Proxy
  • snort – IDS (Intrusion Detection System) / IPS (Intrusion Prevention System)
  • ssd – SSH server
  • unbound – DNS Server
  • ipsec – IPsec VPN (site to site VPN)
  • openvpn – Open VPN (client VPN)

Check these links for some great advise…

https://mateh.id.au/2014/09/build-awesome-apu-based-pfsense-router/

http://www.smallnetbuilder.com/other/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense

http://homeservershow.com/building-your-own-super-router-with-pfsense-and-untangle.html

Grab hardware here – http://www.pcengines.ch/apu.htm

IMG_5305

opensolaris – setting up dhcp

You’ll need these two packages installed;

SUNWdhcs, SUNWdhcm

First ensure that the DHCP service is running. Go into the “services” gui and tick the box to enable the DHCP server.

now from commandline run…

dhcpmgr
  1. From edit menu choose “network wizard”, step through the wizard (defautls are o.k i you have a fixed IP already assigned to your opensolaris box)
  2. From edit menu choose “address wizard”

If you step through the wizard (the following is an example of what i have choosen)

  1. Choose Text files
  2. Leave default path of /var/dhcp
  3. Do not manage hosts records
  4. Default lease of 1 day (clients can renew their leases)
  5. DNS Domain “yourdomainname”, also add your DNS here
  6. Network Address & subnet (should be pre populated if you have fixed IP on your host)
  7. Network Type (LAN), Routing (leave as default)
  8. I have left NIS blank
  9. I have left NIS+ blank

WPAD – Web Proxy Autodiscovery Protocol

When using wpad there are some things that you should take note of;

  • DHCP wpad will override DNS wpad
  • DHCP 252 option can in some cases be slightly slower to resolve than DNS – there may be a patch for WinInet to resolve this.
  • You should always use lower case – wpad.dat  (it is case sensitive)
  • DHCP will allow either a URL or a file location for wpad.dat

Within IE on the LAN settings tab if you have WPAD “automatically detect settings” enabled and also configure a proxy server the WPAD should override the manual proxy configuration.

There is some good detail at the usual places http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

I’ve done a bit of work around WPAD, but have yet to write up a decent “how-to”. I’ll update this the next time i dabble in the area.

If you are using DNS you may have to remove the globalqueryblock for the wpad entry : http://support.microsoft.com/kb/968732/en-us

Here is a quick example of the syntax of a typical wpad.dat file…

   function FindProxyForURL(url, host) {
      // our local URLs from the domains below example.com don't need a proxy:
      if (shExpMatch(url,"*.example.com/*"))                  {return "DIRECT";}
      if (shExpMatch(url, "*.example.com:*/*"))               {return "DIRECT";}

      // URLs within this network are accessed through 
      // port 8080 on fastproxy.example.com:
      if (isInNet(host, "10.0.0.0",  "255.255.248.0"))    {
         return "PROXY fastproxy.example.com:8080";
      }

      // All other requests go through port 8080 of proxy.example.com.
      // should that fail to respond, go directly to the WWW:
      return "PROXY proxy.example.com:8080; DIRECT";
   }

Linux – Add DHCP and DNS

How to install DHCP and DNS on Fedora / Centos / Redhat box;

yum -y install dhcp.i386 bind.i386

Set services to auto start using ntsysv — services are called “dhcpd” and “named”.

How to configure dhcp;

nano /etc/dhcpd.conf — configure as per sample provided. The sample is usually located in the same directory.
service dhcpd restart – should start without problem if done correctly

Note: dhcp range has to be on the same network as your adapter. You can run dhcpd from the command line to diagnose any issues.

How to configure bind (DNS);

I usually just forward DNS requests to my internal router. To do this just edit /etc/resolve.conf and place the following line in the file;

nameserver 192.168.9.1

Use your ip above then all should be good. Test by pinging a domain like www.yahoo.com etc… You should get an ip back even if you don’t get successful pings (due to firewall etc). nslookup is also another quick and easy way to check DNS requests.