Installation of pfSense on Soekris 6501
•
2 likes•1,769 views
The document provides instructions for configuring a pfSense firewall to use a Clear Wireless 4G connection for primary internet access and failover to an existing office internet connection. It describes setting up the Clear Wireless WAN interface and a multi-WAN gateway group in pfSense. Traffic is configured to use the Clear Wireless gateway by default with failover to the office connection if the primary goes down. Initial tests of the Clear Wireless connection achieved speeds suitable for typical office use and zero packet loss. Configuring the Westell 6100 modem to bridge mode is also described to allow use of an external router.
Report
Share
Installation of pfSense on Soekris 6501
- 1. watchdog http://www.zomers eu/knowledge/pfSense/Pages/Configure-pfSense-2.0-RC1-to-use-Watchdog-functionality aspx http://www.tnpi net/wiki/Soekris_Firewall Memstick Installer and Serial Console http://files pfsense org/jimp/pfSense-memstick-2 0.1-RELEASE-i386 img.gz Macbook Pro USB to Serial GUC232A http://www.oramboston com/learning-center/blog/bid/75522/Macbook-Pro-USB-to-Serial-GUC232A Macbook Pro USB to Serial GUC232A This is a pretty specific post. I've recently purchased an Intel-based 17" MacBook Pro and have an IOGear GUC232A USB to Serial converter I use for my console connections to Cisco routers that I've had a heck of a time getting working. BUT, I've finally conquered and wanted to write the steps I performed to alleviate the time spent if I have to do this again: 1. Download the LATEST driver from Prolific (http://www.prolific com.tw/eng/downloads.asp?ID=31 - download the file md_pl2303H_HX_X_dmg_v1.2.1 zip) 2. Run through the install, reboot 3. The Prolific is a generic driver that works with the GUC232A, so you have to tweek it: Plug the GUC232A into any available USB port on your Mac Open the System Profiler, in /Application -> Utilites Click USB in the Contents pane Select the GUC232A in the Device Tree usually it will be listed under USB-Serial Controller Remember the ProductID and VendorID, or keep the System Profiler window open Open the Terminal, in /Application -> Utilites Use the following command to open the Property List of the Prolific driver: sudo nano /System/Library/Extensions/ProlificUsbSerial kext/Contents/Info.plist Enter your admin password when asked. This is necessary the ProlificUsbSerial kernel extension is owned by root. Scroll down and find the ProductID and VendorID in the plist file Change the ProductID and VendorID to match your GUC232A's ProductID and VendorID The plist file needs the numbers as integer values, but System Profiler reports the numbers as hex. Use the Calculator to convert the numbers. For example, System Profiler reports the Product ID as 0x2008 and the Vendor ID as 0x0557. The integer value of ProductID is 8200 and the integer value of VendorID is 1367 Save the changes (Control-W) and quit (Control-X) nano Unplug the GUC232A Use the following command to load the kernel extension: sudo kextload /System/Library/Extensions/ProlificUsbSerial.kext Plug the GUC232A into any available USB port on your Mac Access the network properties window (network port configurations) to enable the usbtoserial device it found Perform a ls /dev command - it should show the tty usbserial device minicom How to stop Snort alerts from being generated / how to (not) ignore traffic http://oinkmaster.sourceforge.net/avoiding_snort_alerts txt suppress gen_id 111, sig_id 15 The sqlite & MYSQL libraries are built in, just not active. It's already on the box, you just have to enable it. Actually now that I look mysql is there also. To enable, just do:
- 2. Code: touch /etc/php_dynamodules/pdo touch /etc/php_dynamodules/pdo_sqlite AND Code: touch /etc/php_dynamodules/mysql Mobile IPsec on 2.0 http://doc pfsense.org/index.php/Mobile_IPsec_on_2 0 How to set up IPsec tunneling in PfSense 2.0-RELEASE for road warriors http://dekapitein.vorkbaard.nl/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors pfSense 2.0 RC1 Configure Captive Portal for Guests with Local User Management http://blog stefcho.eu/?p=754 OpenVPN with RADIUS authentication on p Sense 2.0 RC1 http //blog ste cho eu/?p 545 p sense 2.0.1 OpenVPN Bridging guide http //hard orum com/showthread php?p 1038226511 Install and Configure p Sense in Your Home Network http //www iceflatline com/2010/08/install-and-configure-p sense-in-your-home-network/ Linux Wireless Driver Support & Capabilities http //www ab9il net/linuxwireless/wifidrivers2 html Comparison o open-source wireless drivers http //en wikipedia org/wiki/Comparison_o _open-source_wireless_drivers FreeBSD Handbook: Chapter 32 Advanced Networking http //www reebsd org/doc/en_US SO8859-1/books/handbook/network-wireless html OpenSoekris http //opensoekris source orge net/ Install and Configure pfSense in Your Home Network http //www iceflatline com/2010/08/install-and-configure-p sense-in-your-home-network/ Bridging the pfSense 2.x wireless divide http //blog qcsitter com/BSDay/index php?/archives/2-Bridging-the-p Sense-2 x-wireless-divide html OS X Lion as a syslog server http://wiki mikrotik com/wiki/OS_X_Lion_as_a_syslog_server HowTo Configure Mac OS X Syslog To Forward Data http://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data Enable an Apple Mac OS X machine as a syslog server http://meinit.nl/enable-apple-mac-os-x-machine-syslog-server 10.7: Re-enable syslogd for incoming connections http://hints macworld com/article php?story=20110724103552640 Enable an Apple Mac OS X machine as a syslog server http://meinit.nl/enable-apple-mac-os-x-machine-syslog-server syslog -w -r host 192.168.3.1
- 3. pfsense 2 0 snort 2.9.5 Barnyard2 binary not exist http://forum pfsense org/index php/topic,42016 0 html FreeSwitch on PfSense Install http://doc.pfsense.org/index.php/FreeSWITCH http://wiki.fusionpbx.com/index.php?title=PfSense_Install http://wiki.freeswitch.org/wiki/Installation_Guide http://wiki.freeswitch.org/wiki/Freeswitch_Gui http://wiki fusionpbx com/index.php/PfSense_Install http://192.168.3.1/fusionpbx http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#FreeRADIUS_.2B_WLAN_.2B_PEAP_and_MSCHAPv2 pfSense 2.0 Multi-WAN Failover with Clear Wireless Internet http://www.bunkerhollow.com/blogs/matt/archive/2011/07/27/pfsense-2-0-multi-wan-failover-with-clear-wireless-internet aspx Our office has a fast internet connection but they charge for bandwidth overages and no matter what we do, we can’t seem to stay within our plan’s limits. These charges would amount to over $200/month, and with new hires on the way we decided it was time to fix the problem. We figured if we could find a solid WiMAX connection with an unlimited plan we could use that as our primary connection and save even more by dropping our office’s plan to the lowest tier. Requirements • Speed – reasonable browsing & web development speed for 5-10 employees. Large file transfers or even video streaming isn’t much of a concern, but employees shouldn’t notice a difference with everyday work. • Connection Strength – We’re on the top (11th) floor of a Manhattan office building, we have skylights, and our cell phone service is decent, but there’s no way to know if 4G will even work until we give it a try. • Failover – When the wireless connection fails or is flaky, which it will inevitably be at times, we want a seamless failover to our office connection as backup. Ideally, this won’t require any special configuration on the client machines. • Unchanged Incoming Connections – Our bandwidth problem is with our outgoing traffic only. We don’t want to change any of our NAT/firewall rules for incoming traffic, that should remain incoming over our office plan. Network Layout • Firewall/Router – Our existing Netgate Hamakua running pfSense 2 0 RC3. • WAN Connection 1 – Our existing office connection is the first of our multi-WAN configuration. We will configure this connection as backup. • WAN Connection 2 – Clear Wireless (http://clearwirelessinternet com) seemed to have the lowest prices, and they have a store just a few blocks away at 17th and Broadway. We picked up a 4G unit with unlimited bandwidth for $35/month. • LAN – Consists of several hardwired Windows workstations. pfSense Configuration 1. System –> Routing –> Gateways tab Add gateway for new WAN interface and ensure neither gateway is set as default. 2. Interfaces –> OPT1 Configure our new WAN interface (connected to our Clear 4G unit).
- 4. 3. System –> Routing –> Groups –> Add Group Create a Gateway Group for Multi-WAN failover. 4. Firewall –> Rules –> LAN tab –> Edit Default LAN Rule –> Advanced Features –> Gateway –> MULTIWAN Add the new Gateway Group to the default LAN rule that allows all traffic out. 5. Done! Clear Wireless Review So now that we’ve had our 4G failover configured for a few days, let’s take a look at the results. • Speed Test – pretty good results for $35 a month. Our 6 users hardly notice any difference in their day-to-day browsing. • Multi-WAN Traffic Graphs – The two graphs below represent the traffic over our office WAN (top) and Clear Wireless WAN (bottom). You can see the switchover occurred on Wednesday, and since, not a single packet has traveled over the office network. That’s 6GB of data in only 3 days that won’t be factored in to our office bandwidth. I think lowering our office plan to the bottom tier is a real possibility.
- 5. • Packet Loss Quality – I’m happy to report 0 packet loss and < 20ms delay over Clear Wireless so far! (The packet loss that occurred on Wednesday was our failover testing by unplugging the Clear unit). ---- pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication http://blog stefcho.eu/?p=492 How do I use a router with the Westell 6100? http://members.verizon net/~res08lyg/6100.htm you will most likely need to get the MAC address of the 6100 and clone that to your router. http://www.dslreports com/faq/13600 How do I use a router with the Westell 6100? The 6100 is a modem/router combination unit, meaning it contains a DSL modem and a general purpose NAT (Network Address Translation) router. "Bridging" means disabling both the public and private side of the NAT router, thereby turning the 6100 into a simple DSL-to-Ethernet bridge, or "dumb modem". If you are already using a router, or want to, (examples: if you already have your LAN set up and simply need to connect it to the internet or you want to add wireless connectivity to your connection or you want to use an optimised-for-gaming router or you want to add a VoIP router), you will want to bridge the 6100. For optimum performance and reliability the connection should only be going through one NAT router. When the connection goes through multiple NAT routers, troubles like NAT conflicts will cause router lock ups and loss of connectivity, and configuring access for things like game consoles, VPN tunnels, remote access, server applications, security cameras, or high-end multiplayer games will be difficult if not impossible. Virtually all Westells with a GUI used the white & blue "Westell" branded firmware until sometime in 2007. I believe version 4 was the last white & blue firmware. The red & black "Verizon" branded firmware was rolled out in 2007. You may be running version 5 or 6. When the Westell is bridged, it will have no router functions at all, no subnet, no IP, and no default gateway. The router connected to the Westell will acquire and hold the Public IP address and will determine the LAN IP addresses and subnet. The Westell 6100 modem/router supplied by Verizon can be used in either Router or Bridge mode. If you are already using a router, or want to, you need to put the modem in Bridge mode or you'll have problems. These instructions apply to the Westell 2200, 6100, 6100F, 327W, and 7500 models. • You should follow these instructions with one PC connected to the Westell using the supplied Ethernet cable (CAT5 or CAT5e) and that you are online and able to browse to various web sites. If you already had a LAN setup and were online but needed to replace your modem, temporarily connect one PC directly to the Westell using the supplied Ethernet cable before continuing.
- 6. • Temporarily turn off all firewalls and pop-up blockers on the PC. • In your browser's address box, type 192.168.1.1 to access the Modem Configuration utility. When asked for user name and password, enter your router's username and password (the default for the Verizon issued routers is typically "user=admin, password=password"). • Here you may get a screen titled User Settings, this is asking you to change the username and password for the Westell, invent and enter a username and a password, (record these somewhere so you don't forget them). If your Westell uses the white and blue Westell firmware: • Now, from the Configuration menu, choose VC configuration, hit the top Edit button. In the popup, set protocol to Bridge. • Then below in VC 1 Bridge Settings set the mode to Bridge Early 6100 • Hit Set VC. Save. • Then, again in the Configuration menu, select DHCP Configuration and set the dropdown to OFF. Hit save and log off the utility. • Most people don't need any more complex procedures, so try these first. However, on occasion, you will need some additional steps, including cloning MAC addresses. If you have trouble, check out the diagrams and instructions here: »mysite.ncnetwork net/res08lyg/6100.htm If your Westell uses the red and black Verizon firmware: (Wireless Settings won't be there on the 6100 or 6100F, the left panel may be called "My Modem") • Select the My Network icon, then select Network Connections from the left menu. (Only the top two connections will be listed in the 6100 and 6100F) • On the Broadband Connection screen click on the words "(Broadband Connection DSL)". • PPPoE customers will see this screen. If you use a DHCP type Internet connection the screen will be different, you will have a "release" button in the top section - use it now to release your public IP. Then, locate the VCs section, locate the line " Enabled, VPI 0, and VCI 35 ..." and click the notepad icon under Edit on the right to get to the VC 1 Configuration screen. • In the VC 1 Configuration screen open the drop down box beside "Protocol" and choose "Bridge". If your connection type is DHCP the Protocol should already be "Bridge". Once Bridge is chosen, the screen will change – open the drop down box beside "Bridge Mode" and choose "Bridge", then click the Apply button at the bottom. This has disabled the Public side of the 6100's router. • The modem will reset. Next you need to disable the Private side, the DHCP server - click the My Network icon again, click Network Connections from the left menu again. On the Broadband Connection screen, click the word "Lan", on the next screen remove the topmost checkmark (Private LAN DHCP Server enable), click apply or save settings.
- 7. • The same page will return. The Westell is now bridged, the Internet light will no longer light, log off the utility. Back to common steps: • Power down and disconnect the PC from the Westell. • Connect the Ethernet cable from the Westell to the port on your router labeled WAN, (or Internet). Connect an Ethernet cable from one of the LAN ports of your router to your PC. Power up the Westell, wait for the DSL light to stop blinking then power up your router, then the PC. When the PC boots up your firewalls and pop-up blockers may be re-enabled, it may be necessary to turn them off again. • Skip this next step if you've already been using your router to supply PPPoE with your username and password. • If your router came with a setup disk insert it now, otherwise open a web browser and access the Router's GUI, usually at 192.168.0.1, or 192.168.1.1, or 192.168.2.1. If the router has a Setup Wizard use it, otherwise manually configure the router for your Internet connection type. (Note: most routers default to "Automatic" which is DHCP). If you connect via PPPoE you will need to supply your Verizon Username and Password so the router can acquire a Public IP address, if you connect via DHCP you may also need to use the router's MAC cloning feature, enter the MAC address from the Westell's label and your router will use it to acquire a Public IP address. • Test that you can browse to some safe web pages, then turn your firewalls and pop-up blockers back on. System: Advanced: Admin Access