
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router - PFSense: Difference between revisions

(16 intermediate revisions by 4 users not shown)
This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual-stack router and firewall (note, however, that this is just the way I have set up my system and it should be used only as guidance).
 
Before you start, it would be wise to read [[IPv6#IPv6 on AAISP Broadband|IPv6 on AAISP]], which explains how IPv6 traffic will be routed to you by AAISP. The key point is that you should expect one /128 address to be assigned to your router; additional subnets will be routed to this address.
 
= Introduction =
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one), as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.
 
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (see [[Router - PFSense (beta 2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest).
 
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.
 
= Hardware =
As described in the previous version of this document (see [[Router - PFSense (beta 2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).
 
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).
 
= Software =
As indicated, at the time of writing (23 April 2014) you need a copy of pfSense 2.1.2 (embedded variant or not; just check the pfSense website to see which option suits you best).
 
= Addressing =
 
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.
 
AAISP will supply provider address space. For obvious reasons, this cannot be moved between suppliers. You may wish to consider an NPt (Network Prefix Translation) configuration, which will allow you to use a private address range internally. This will avoid the need to readdress should you move suppliers, and will also make a multi-provider WAN easier to deploy; see [https://doc.pfsense.org/index.php/Multi-WAN_for_IPv6 Multi-WAN for IPv6 on the pfSense documentation site].
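What an NPt rule actually does to each address, as an added example (this is not code from this wiki or from pfSense, which performs the rewrite in the kernel via pf): a model of the plain prefix swap between the ULA used on the LAN and one of the /64s routed to your WAN /128, plus a check that the outside prefix really is inside the routed block. All prefixes are constructed sample values (a ULA inside, the 2001:db8 documentation prefix outside), not real allocations, and the function names are my own.

```python
# Added example: a model of the NPt (Network Prefix Translation) rewrite, not pfSense's own code.
import ipaddress

# Constructed sample prefixes, not real allocations.
ROUTED_BLOCK = ipaddress.IPv6Network("2001:db8:1234::/48")        # stands in for the block the ISP routes to your WAN /128
INTERNAL_PREFIX = ipaddress.IPv6Network("fd12:3456:789a:1::/64")  # ULA actually configured on the LAN


def nth_lan_prefix(block, n):
    """Return the n-th /64 of the routed block; a /48 contains 2**16 = 65536 of them."""
    count = 2 ** (64 - block.prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"index {n} outside the {count} /64s in {block}")
    return ipaddress.IPv6Network((int(block.network_address) + (n << 64), 64))


def check_npt_pair(internal, external, block):
    """NPt swaps prefixes of equal length, and the outside prefix must be one the ISP really routes to you."""
    if internal.prefixlen != external.prefixlen:
        raise ValueError("internal and external prefixes must have the same length")
    if not external.subnet_of(block):
        raise ValueError(f"{external} is not part of the routed block {block}")
    return True


def translate(addr, src_prefix, dst_prefix):
    """Replace the prefix bits of addr with dst_prefix and keep the host bits (the interface identifier)."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in src_prefix:
        raise ValueError(f"{addr} is not within {src_prefix}")
    host_mask = (1 << (128 - src_prefix.prefixlen)) - 1
    return ipaddress.IPv6Address(int(dst_prefix.network_address) | (int(addr) & host_mask))


# Outside prefix: the second /64 of the routed block (the first could stay for a directly numbered LAN).
EXTERNAL_PREFIX = nth_lan_prefix(ROUTED_BLOCK, 1)
check_npt_pair(INTERNAL_PREFIX, EXTERNAL_PREFIX, ROUTED_BLOCK)


def outbound(addr):
    """A LAN host's source address as it appears on the WAN after the rewrite."""
    return str(translate(addr, INTERNAL_PREFIX, EXTERNAL_PREFIX))


def inbound(addr):
    """A WAN destination address rewritten back to the LAN host."""
    return str(translate(addr, EXTERNAL_PREFIX, INTERNAL_PREFIX))


if __name__ == "__main__":
    print(EXTERNAL_PREFIX)                    # 2001:db8:1234:1::/64
    print(outbound("fd12:3456:789a:1::42"))   # 2001:db8:1234:1::42
    print(inbound("2001:db8:1234:1::42"))     # fd12:3456:789a:1::42
```

Changing supplier then means only EXTERNAL_PREFIX changes while the LAN keeps its ULA. The pairing check is worth keeping: an outside prefix that is not within the block routed to your /128 produces traffic whose replies never come back, which looks just like a broken tunnel. The model covers only the address rewrite, not transport checksum handling.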
 
= Configuration =
 
 
[[File:Vigor 120 Setup.png|800px]]
 
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''
Now, even in bridge mode, it is still a good idea to change the default admin password and disable the management services on the WAN side.
 
[[File:Dlink DSL-320B Setup.png|800px]]
 
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console-based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try to ping it after temporarily putting another address from the range on a PC or similar. If it doesn't work, move the LAN cable to another NIC and see if that works. Once the LAN is sorted, fire up a browser, point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI to another port and enable SSL.
 
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc.). However, this is not always the case after an upgrade, so it is worthwhile checking that setting.
 
That setting is available in the page "System: Advanced: Networking":
 
[[File:IPv6 Enabled.png|800px]]
 
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].
You should get a configuration screen similar to this:
 
[[File:Interface Setup - WAN.png|800px]]
 
Note that you should not use the prefix delegation configuration; AAISP will issue you a single /128 and then route additional subnets to this address.
 
Finally, click on the save button.
You should end up with a configuration screen similar to this one:
 
[[File:Interface Setup - LAN.png|800px]]
 
Finally, click the save button.
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:
 
[[File:Services - DHCPv6.png|800px]]
 
I suspect there will be no real need to reserve a part of this range, as if you need to create fancy subnetworks you just need to use another one of your /64 blocks (and you have been given 65536 of them, which should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).
The configuration screen will be similar to this (don't forget to save!):
 
[[File:Services - DHCPv6-RA.png|800px]]
 
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one, depending on the RA mode you have selected and the privacy modes activated by the client machine.
Yeaahhh!! Victory!
 
[[File:Client Computer.png]]
 
''Note: On some old hardware/OS you may have to unplug and re-plug the network cable for the machine to pick up the change.''
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:
 
[[File:Default LAN Rules.png]]
 
 
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).
 
[[File:System - General setup.png|800px]]
 
 
=== Testing internet access ===
 
You can now fire a browser and check your public IPv4 and [[IPv6]] address by going to the http://ip4.me or http://ip6.me websites.
 
* http://ip4.me/
* http://ip6.me/
 
=== Fix the Gateway monitoring problems ===
 
Although you can now go on the internet fine, if you look at the RRD graphs or consult the gateway status page you will notice the status is either marked as offline or unknown.
Section still to be done.
 
This is because the script that currently configures apinger (the process that monitors the gateways) is buggy and does not cope very well with PPPoE (whereas it used to be perfectly fine in pfSense 2.0.x).
 
Another problem is that for [[IPv6]] the AAISP gateway will currently not reply to pings on its link-local address (and that is the one used for routing the traffic, so it is reachable!). So you have to manually set the monitor address to 2001:8b0:0:81::51bb:51bb (which is the [[IPv6]] address of clueless.aa.net.uk). But even that won't initially work, because even if you set the routable address, apinger is told to use the link-local address as the source, meaning you will never get the response...
(This seems to be fixed in 2.3.3; however, you will still need to configure the monitoring address to [[Server List|bottomless]]. It's also possible simply to disable monitoring if you do not have multiple IPv6 lines coming into the pfSense box.)
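The two conditions described above (the probe must be sourced from the routable /128, and the monitor target must not be a link-local address) as a small sanity check, added here as an example; it is not code from pfSense or from this wiki. The WAN address list is constructed, with a 2001:db8 documentation address standing in for the real /128; the monitor target is the clueless.aa.net.uk address named on this page, and the function names are my own.

```python
# Added example: a sanity check for the IPv6 gateway-monitor settings described above, not pfSense code.
import ipaddress

# Constructed WAN address set modelled on a PPPoE WAN on AAISP: one link-local address plus the
# single routable /128 (a 2001:db8 documentation address stands in for the real one).
WAN_ADDRESSES = ["fe80::1234:5678:9abc:def0", "2001:db8:0:82::1"]
# The monitor target named on this page (clueless.aa.net.uk).
MONITOR_TARGET = "2001:8b0:0:81::51bb:51bb"


def pick_monitor_source(addresses):
    """apinger must send probes from the routable /128: a probe sourced from fe80:: cannot be
    answered from beyond the link, which is exactly why the unpatched script never sees a reply."""
    routable = [ipaddress.IPv6Address(a) for a in addresses
                if not ipaddress.IPv6Address(a).is_link_local]
    if not routable:
        raise ValueError("only link-local addresses on the WAN: gateway monitoring cannot work")
    return routable[0]


def validate_monitor_target(target):
    """Reject a link-local target: the AAISP gateway does not answer pings on its fe80:: address,
    so the target must be a routable address such as clueless.aa.net.uk."""
    t = ipaddress.IPv6Address(target)
    if t.is_link_local:
        raise ValueError(f"{t} is link-local; set a routable monitor address instead")
    return t


def monitor_settings(addresses, target):
    """Return the (source, target) pair to put in the WAN_DHCP6 gateway settings, or raise with
    the reason a probe would never get a reply."""
    return str(pick_monitor_source(addresses)), str(validate_monitor_target(target))


if __name__ == "__main__":
    print(monitor_settings(WAN_ADDRESSES, MONITOR_TARGET))
```

If the check raises, the gateway will show as offline or unknown no matter how many probes are sent, so it is worth running against the actual WAN addresses before blaming apinger.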
 
So it is necessary to change /etc/inc/gwlb.inc with these two fixes and then it will work. These fixes have been added to pfSense (See https://github.com/pfsense/pfsense/pull/1098) so they will make it in a future version but in the meantime they are described here: https://forum.pfsense.org/index.php?topic=69533.msg411732#msg411732
 
Once this is done, you will just have to go into "System->Routing" and then edit the WAN_DHCP6 gateway settings to make them as follows:
 
[[File:WAN DHCP6 Gateway settings.png|800px]]
 
If the script and settings changes were successful, you will then get a Gateway Status screen similar to this:
 
[[File:Status - Gateways.png|800px]]
 
Note: Sometimes, after a link failure, the script will still fail to set up apinger properly (especially for [[IPv6]]; IPv4 will typically be OK). This seems to be caused by timing issues whereby pfSense calls the script too early. Fixing this will probably require a more serious rework of that area in pfSense.
 
[[Category:IPv6]] [[Category:3rd Party Routers|PFSense]]