pc engine – pfsense as router / firewall

download (1)Just built a pfsense router on  a pc engine to replace my aging 7390 fritzbox…. Very very awesome and fast!

Perfect for UFB (ultra fast broadband) here in New Zealand – FTTH has arrived :)

 

I’m currently running these services on it (2 x 1GHZ cpu, 4GB RAM, 16GB msata SSD);

  • dhcpd – DHCP server
  • miniupnpd – UPnP server
  • ntpd – NTP server
  • squid – Transparent Proxy & Reverse Proxy
  • snort – IDS (Intrusion Detection System) / IPS (Intrusion Prevention System)
  • ssd – SSH server
  • unbound – DNS Server
  • ipsec – IPsec VPN (site to site VPN)
  • openvpn – Open VPN (client VPN)

Check these links for some great advise…

https://mateh.id.au/2014/09/build-awesome-apu-based-pfsense-router/

http://www.smallnetbuilder.com/other/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense

http://homeservershow.com/building-your-own-super-router-with-pfsense-and-untangle.html

Grab hardware here – http://www.pcengines.ch/apu.htm

IMG_5305

vyatta as a virtual router

Some very nice examples by Gene on how to setup vyatta as a router on this page;

http://www.sonoracomm.com/support/19-inet-support/233-vyatta-cable

Masquerade Natting;

set service nat rule 10 source address 192.168.77.0/24
set service nat rule 10 outbound-interface eth0
set service nat rule 10 type masquerade

set service nat rule 20 source address 10.200.88.0/24
set service nat rule 20 outbound-interface eth0
set service nat rule 20 type masquerade

Essentially every thing leaving from these two networks will be natted via the eth0 interface. i.e. they will be using the same IP as eth0 for their requests.

Static Nat Route (pinhole);

set service nat rule 2 inbound-interface eth0
set service nat rule 2 protocol tcp
set service nat rule 2 type destination
set service nat rule 2 description “Web Server1”
set service nat rule 2 destination address 192.168.109.254
set service nat rule 2 destination port 81
set service nat rule 2 inside-address address 10.200.88.45
set service nat rule 2 inside-address port 80

This rule takes everything that hits port 81 on 192.168.109.254 and sends it through to 10.200.88.45 (which is another routeable network) — in this case a directly attached network on eth1.

commit

Corporate Firewall – SSH and port 443 goodness

Things you’ll need; (basic instructions)
SSH – either Linux or Open SSH for windows (set this up first and ensure its working!). I have only used Linux, so i do not know the details of setting up a Open SSH box on windows (good luck).

Router with pinhole or port forwarding abilities. — forward your external 443 port to internal 22 on your SSH box

Putty.exe – use this to test your SSH connection locally (you should be able to connect on port 22 locally or 443 externally)

Your home IP – setup a dyndns account on one of the free services available on the web (either use your router if it has it or get a dyndns client that runs on your ssh box) — i use dyndns.org

Putty is the client side device that you will use when you are not local to your network. If you are connecting to your SSH box from external (i.e. at work) then you’ll need to configure a SSH connection profile to connect on port 443. If you have a proxy at work (which you will most probably have) you need to ensure you have filled out your proxy address and authentication details — select HTTP then enter your username / password. Then try to connect.

When you can successfully connect to your SSH box from work via 443 you can then create SSH tunnels. Under SSH on putty there is a tunnels option. This is where you can forward local ports to your remote ports… for example – 127.0.0.1:82 –> 192.168.0.10:3389. Then if you fire up RDC you can connect to your remote machine via 127.0.0.1:82

Simple? — if i haven’t made a specific part clear please ask any questions and i’ll try to make it easier to follow