pc engine – pfsense as router / firewall

Just built a pfsense router on a pc engine to replace my aging 7390 fritzbox… Very very awesome and fast!

Perfect for UFB (ultra fast broadband) here in New Zealand – FTTH has arrived :)

I’m currently running these services on it (2 x 1GHZ cpu, 4GB RAM, 16GB msata SSD);

  • dhcpd – DHCP server
  • miniupnpd – UPnP server
  • ntpd – NTP server
  • squid – Transparent Proxy & Reverse Proxy
  • snort – IDS (Intrusion Detection System) / IPS (Intrusion Prevention System)
  • sshd – SSH server
  • unbound – DNS Server
  • ipsec – IPsec VPN (site to site VPN)
  • openvpn – Open VPN (client VPN)

Check these links for some great advice…

https://mateh.id.au/2014/09/build-awesome-apu-based-pfsense-router/

http://www.smallnetbuilder.com/other/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense

http://homeservershow.com/building-your-own-super-router-with-pfsense-and-untangle.html

Grab hardware here – http://www.pcengines.ch/apu.htm

nsswitch.conf SMF config

# svccfg
svc:> select dns/client
svc:/network/dns/client> setprop config/search = astring: \
("us.company.com" "eu.company.com" "companya.com" "companyb.com" "company.com")
svc:/network/dns/client> setprop config/nameserver = net_address: \
( 138.2.202.15 138.2.202.25 )
svc:/network/dns/client> select dns/client:default
svc:/network/dns/client:default> refresh
svc:/network/dns/client:default> validate
svc:/network/dns/client:default> select name-service/switch
svc:/system/name-service/switch> setprop config/host = astring: "files dns"
svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate
svc:/system/name-service/switch:default>
# svcadm enable dns/client
# svcadm refresh name-service/switch
# grep host /etc/nsswitch.conf
hosts: files dns
# cat /etc/resolv.conf
#
# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
#

#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See resolv.conf(4) for details.

search us.company.com eu.company.com companya.com companyb.com company.com
nameserver 138.2.202.15
nameserver 138.2.202.25

vmware – HA issues

Most of the time your HA issues are going to be DNS related. So ensure that your vcenter can ping all your hosts by FQDN without issue.  In some cases though a stubborn server may not want to play the game even when everything is configured properly.

This method is considered a “last effort” as you’ll need to run some CLI commands on the ESX box. But I have found it useful in a few situations.

This page has a great write-up on which files HA uses and how to temporarily stop the HA service. http://itknowledgeexchange.techtarget.com/virtualization-pro/vmware-ha-failure-got-you-down/

Remember: to get to the console on ESXi, press Alt-F1 at the console, then type “unsupported” (note: you cannot see what you are typing), then enter the root password.

The main bits are as follows;

Stop the HA service

service vmware-aam stop

Check that HA has stopped (if not, use the kill command to kill the remaining processes)

ps ax | grep aam | grep -v grep

Move the current HA config files to a backup directory (before restarting HA)

cd /etc/opt/vmware/aam

mkdir .old

mv * .old

mv .[a-z]* .old

Then go back to your vCenter and select Reconfigure for VMware HA on the affected host. Fingers crossed that it starts up and reconfigures without any issues.

WPAD – Web Proxy Autodiscovery Protocol

When using wpad there are some things that you should take note of;

  • DHCP wpad will override DNS wpad
  • DHCP 252 option can in some cases be slightly slower to resolve than DNS – there may be a patch for WinInet to resolve this.
  • You should always use lower case – wpad.dat  (it is case sensitive)
  • DHCP will allow either a URL or a file location for wpad.dat

Within IE, on the LAN settings tab, if you have WPAD “automatically detect settings” enabled and also configure a proxy server, WPAD should override the manual proxy configuration.

There is some good detail at the usual places http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

I’ve done a bit of work around WPAD, but have yet to write up a decent “how-to”. I’ll update this the next time I dabble in the area.

If you are using DNS you may have to remove the globalqueryblock for the wpad entry : http://support.microsoft.com/kb/968732/en-us

Here is a quick example of the syntax of a typical wpad.dat file…

   function FindProxyForURL(url, host) {
      // our local URLs from the domains below example.com don't need a proxy:
      if (shExpMatch(url,"*.example.com/*"))                  {return "DIRECT";}
      if (shExpMatch(url, "*.example.com:*/*"))               {return "DIRECT";}

      // URLs within this network are accessed through 
      // port 8080 on fastproxy.example.com:
      if (isInNet(host, "10.0.0.0",  "255.255.248.0"))    {
         return "PROXY fastproxy.example.com:8080";
      }

      // All other requests go through port 8080 of proxy.example.com.
      // should that fail to respond, go directly to the WWW:
      return "PROXY proxy.example.com:8080; DIRECT";
   }
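To check how this wpad.dat routes requests before publishing it, the function can be run under Node.js with stand-ins for the browser-supplied PAC helpers. This is an added example, not part of the original post: FAKE_DNS, ipToInt, routeAll, SAMPLE_URLS and the corp.test host names are constructed for illustration, and dnsResolve, isInNet and shExpMatch are simplified re-implementations of the standard PAC helpers.

```javascript
// Constructed name-to-address table standing in for the browser's resolver
const FAKE_DNS = { "intranet.corp.test": "10.0.3.20", "edge.corp.test": "10.0.8.1" };

function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host; // already an IPv4 literal
  return FAKE_DNS[host] || null;                          // unknown names do not resolve
}

// Dotted quad -> unsigned 32-bit integer
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True when host (name or address) lies inside the network pattern/mask
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false;
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// Shell-style glob match: * is any run of characters, ? is one character
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                 .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// The wpad.dat logic from the post, unchanged
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*.example.com/*")) { return "DIRECT"; }
  if (shExpMatch(url, "*.example.com:*/*")) { return "DIRECT"; }
  if (isInNet(host, "10.0.0.0", "255.255.248.0")) {
    return "PROXY fastproxy.example.com:8080";
  }
  return "PROXY proxy.example.com:8080; DIRECT";
}

// Constructed sample URLs covering each branch and the edges of the rules
const SAMPLE_URLS = [
  "http://www.example.com/index.html", "http://www.example.com:8080/app",
  "http://example.com/", "http://intranet.corp.test/",
  "http://edge.corp.test/", "http://10.0.7.255/",
];

// Return [url, decision] pairs so the routing can be reviewed or asserted on
function routeAll(urls) {
  return urls.map((u) => [u, FindProxyForURL(u, new URL(u).hostname)]);
}
```

Two results are worth noting: the bare domain http://example.com/ does not match "*.example.com/*" and so goes through the proxy, and the mask 255.255.248.0 covers only 10.0.0.0 to 10.0.7.255, so 10.0.8.1 falls through to the default proxy.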

squid – your transparent proxy friend

Still my favourite light and fast web proxy is Squid. It’s very easy to set up and get running on almost all flavours of Linux. You can find it here http://www.squid-cache.org/ but will probably find it in your local package manager…

This is more for my own reference… as I don’t think too many people have the need for a transparent proxy. You only need one NIC configured on your VM / machine as it’s most probably on the same subnet as your DSL etc…

1. Setup squid working as a proxy first!

Set the default gateway on the NIC to your router. I also added a default route (0.0.0.0, subnet mask 0.0.0.0) to the router just in case the default gateway didn’t work. But it seemed to!

Set up DNS! Remember, you should be able to resolve a name to an IP without issues (this causes most of the problems). Point your default DNS to your router (most have built-in DNS forwarders), else you can just use your ISP’s DNS servers.

2. Edit squid.conf to make the necessary changes to act as a transparent proxy;

nano /etc/squid/squid.conf

http_port 3128 transparent

3. Put this into the startup script rc.local (usually in rc.d under /etc);

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This redirects TCP requests arriving on port 80 to 3128 (squid’s port)… transparent to the user

4. Ensure that IP forwarding is ENABLED;

Change ip_forward from 0 to 1 (usually a text file somewhere with 0 in it; do a search and you will find it, most probably in the ipv4 directory). This way all 443 traffic (https and other apps) can be forwarded to the web without issue…

echo 1 > /proc/sys/net/ipv4/ip_forward

Should be it…. else good luck!

Update: I have done an updated post about configuring open solaris as a transparent proxy here : http://sigtar.com/2009/04/22/opensolaris-configuring-squid-as-transparent-proxy/

OpenSolaris – Manual Network DNS issue

If you have tried to set up a manual IP on your OpenSolaris box you may find that DNS is not working as you would expect in some cases. nslookup resolves the name to an IP, but pinging doesn’t make it to the box…

How to fix;

Edit your /etc/nsswitch.conf file and add the word "dns" to the hosts and ipnodes lines
If you make a backup of /etc/nsswitch.conf you can also just copy /etc/nsswitch.dns over it…

cp /etc/nsswitch.dns /etc/nsswitch.conf

You may also want to check that auto-magic mode has been disabled when setting up your networking manually;

svcs -a | grep nwam

If it is enabled type;

svcadm disable svc:/network/physical:nwam

Linux – Add DHCP and DNS

How to install DHCP and DNS on Fedora / Centos / Redhat box;

yum -y install dhcp.i386 bind.i386

Set services to auto start using ntsysv — services are called “dhcpd” and “named”.

How to configure dhcp;

nano /etc/dhcpd.conf — configure as per sample provided. The sample is usually located in the same directory.
service dhcpd restart – should start without problem if done correctly

Note: dhcp range has to be on the same network as your adapter. You can run dhcpd from the command line to diagnose any issues.

How to configure bind (DNS);

I usually just forward DNS requests to my internal router. To do this just edit /etc/resolv.conf and place the following line in the file;

nameserver 192.168.9.1

Use your ip above then all should be good. Test by pinging a domain like www.yahoo.com etc… You should get an ip back even if you don’t get successful pings (due to firewall etc). nslookup is also another quick and easy way to check DNS requests.