Router - PFSense: Difference between revisions
Content deleted Content added
m clean up, typos fixed: etc) → etc.) |
|||
| Line 4: | Line 4: | ||
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by heartbleed and some PPoE config bugs. |
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by heartbleed and some PPoE config bugs. |
||
Now, although pfSense 2.1 introduces a lot a very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPoE (which can be a concern in the UK as it is quite common). In that regards, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[ |
Now, although pfSense 2.1 introduces a lot a very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPoE (which can be a concern in the UK as it is quite common). In that regards, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router - PFSense (beta 2.1)]]) could still be a valid option (unless your security rules dictates you must be on the latest). |
||
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary. |
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary. |
||
= Hardware = |
= Hardware = |
||
As described in the previous version of this document (See [[ |
As described in the previous version of this document (See [[Router - PFSense (beta 2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too). |
||
It should also work similarly well with other ADSL/VDSL modem as long as you can push PPoE to it (and that it, in turns, pushes it over its own PPoA connection). |
It should also work similarly well with other ADSL/VDSL modem as long as you can push PPoE to it (and that it, in turns, pushes it over its own PPoA connection). |
||
| Line 16: | Line 16: | ||
= Software = |
= Software = |
||
As, indicated, at the time of writing ( |
As, indicated, at the time of writing (23 April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to check which option will suit you best). |
||
= Addressing = |
= Addressing = |
||
| Line 34: | Line 34: | ||
[[File: |
[[File:Vigor 120 Setup.png|800px]] |
||
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be taking to an Ericsson box instead of the usual Cisco one).'' |
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be taking to an Ericsson box instead of the usual Cisco one).'' |
||
| Line 44: | Line 44: | ||
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side. |
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side. |
||
[[File: |
[[File:Dlink DSL-320B Setup.png|800px]] |
||
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.'' |
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.'' |
||
| Line 51: | Line 51: | ||
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. |
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. |
||
The default firewall settings do not allow inbound access at all (for any protocol). Previous version of pfSense 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting. |
The default firewall settings do not allow inbound access at all (for any protocol). Previous version of pfSense 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc.). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting. |
||
That setting is available in the page "System: Advanced: Networking": |
That setting is available in the page "System: Advanced: Networking": |
||
[[File: |
[[File:IPv6 Enabled.png|800px]] |
||
Once this is checked, proceed to setup the WAN interface and then update the LAN settings to enable [[IPv6]]. |
Once this is checked, proceed to setup the WAN interface and then update the LAN settings to enable [[IPv6]]. |
||
| Line 76: | Line 76: | ||
You should get a configuration screen similar to this: |
You should get a configuration screen similar to this: |
||
[[File: |
[[File:Interface Setup - WAN.png|800px]] |
||
| Line 100: | Line 100: | ||
You should end up with a configuration screen similar to this one: |
You should end up with a configuration screen similar to this one: |
||
[[File: |
[[File:Interface Setup - LAN.png|800px]] |
||
Finally, click the save button. |
Finally, click the save button. |
||
| Line 119: | Line 119: | ||
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this: |
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this: |
||
[[File: |
[[File:Services - DHCPv6.png|800px]] |
||
I suspect there will be no real need to reserve a part of this range as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows to subdivide the block further if you need to (see the "subnets" options). |
I suspect there will be no real need to reserve a part of this range as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows to subdivide the block further if you need to (see the "subnets" options). |
||
| Line 127: | Line 127: | ||
The configuration screen will be similar to this (don't forget to save!): |
The configuration screen will be similar to this (don't forget to save!): |
||
[[File: |
[[File:Services - DHCPv6-RA.png|800px]] |
||
Once this is done, you should see that your machine has now acquired a nice and shinny new routable [[IPv6]] address. In fact, it will often acquire more than one depending of the RA mode you have selected and the privacy modes activated by the client machine. |
Once this is done, you should see that your machine has now acquired a nice and shinny new routable [[IPv6]] address. In fact, it will often acquire more than one depending of the RA mode you have selected and the privacy modes activated by the client machine. |
||
| Line 133: | Line 133: | ||
Yeaahhh!! Victory! |
Yeaahhh!! Victory! |
||
[[File: |
[[File:Client Computer.png]] |
||
''Note: On some old hardware/OS it is not impossible you could have to unplug/plug the network cable for the machine to pick up the change.'' |
''Note: On some old hardware/OS it is not impossible you could have to unplug/plug the network cable for the machine to pick up the change.'' |
||
| Line 142: | Line 142: | ||
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries: |
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries: |
||
[[File: |
[[File:Default LAN Rules.png]] |
||
| Line 156: | Line 156: | ||
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220). |
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220). |
||
[[File: |
[[File:System - General setup.png|800px]] |
||
| Line 176: | Line 176: | ||
Once this is done, you will just have to go in "System->Routing" and then edit the WAN_DHCP6 gateway settings to make them as follow: |
Once this is done, you will just have to go in "System->Routing" and then edit the WAN_DHCP6 gateway settings to make them as follow: |
||
[[File: |
[[File:WAN DHCP6 Gateway settings.png|800px]] |
||
If successful in the script and settings changes you will then get a Gateway Status screen similar to this: |
If successful in the script and settings changes you will then get a Gateway Status screen similar to this: |
||
[[File: |
[[File:Status - Gateways.png|800px]] |
||
Note: Sometimes, after link failure, the script will still fail to setup apinger properly (especially for [[IPv6]]. IPv4 will typically be ok). This seems to be caused by some timing issues whereby pfSense calls the script too early. Fixing this will probably require a more serious rework of that area in pfSense. |
Note: Sometimes, after link failure, the script will still fail to setup apinger properly (especially for [[IPv6]]. IPv4 will typically be ok). This seems to be caused by some timing issues whereby pfSense calls the script too early. Fixing this will probably require a more serious rework of that area in pfSense. |
||