Putting together a cut down version of pfSense

I have been a satisfied user of pfSense in the past but am currently in a situation where I need some of the basic functionality of pfSense but need to include it in an installed version of FreeBSD. Can anyone suggest what additional pkgs I need to install to set up FreeBSD for routing purposes, or is it simply a matter of configuration because the essentials are already there?
 
If you defined what you need it may help others offer suggestions.
Example if its simply firewall/NAT stuff; lots of people have set up pf on vanilla FreeBSD to do that. I did before my first pfSense device.
If you run "pfctl -sr" on your pfSense you can see how the rules wind up, which is a good place for understanding how to write them by hand. There are other options on the "-s" to get more information.
Other packages that do more IDS stuff are probably in ports you would just need to edit text config files.

Web interfaces are convenient but hide the details.
 
Yes. They did. It's called pfSense/OPNSense/DynFI.
and it always comes with a huge abstraction layer that always gets in the way everywhere...

If you want fancy, colorful graphs for traffic etc, have a look at grafana. If you want something proper for monitoring (that can also show some graphs), use e.g. zabbix.
 
After bricking my router, I'm quickly trying to hack together a means of providing Internet access to my small LAN so have never deeply delved into how a router provides various paths.

At the moment I have my main server set up statically as 192.168.1.1 and it has access to the Internet via a USB tether to my phone.
Unfortunately I can't access the Internet from my LAN. I guess it must be a routing problem.
One host is statically set up as 192.168.1.5 with a default route of 192.168.1.1 and I can ping that system, but I can't ping 8.8.8.8.
What have I overlooked?
 
That title is very misleading - that chapter 34.2 is absolute basic routing; nothing 'advanced' to find here.

And yes, you have to set that rc option or the associated sysctls to enable routing.
 
That title is very misleading - that chapter 34.2 is absolute basic routing; nothing 'advanced' to find here.

And yes, you have to set that rc option or the associated sysctls to enable routing.


I have added gateway_enable="YES" to /etc/rc.conf and run service netif restart but that in itself does not allow access to the Internet from my LAN.

Running sysctl net.inet.ip.forwarding=1 has no effect either.

I must have missed out something else.
 
Start with ifconfig ue0 and see what the status is. I am assuming ue0 is your WAN connection. Is it set to DHCP? Has it got an IP from the phone?
Can you ping phone?
 
I would say forget the router function.
First get the connection to phone network working on new router box.
One host is statically set up as 192.168.1.5 with a default route of 192.168.1.1 and I can ping that system, but I can't ping 8.8.8.8.
So don't worry about setting up network first. Get your new router box connected first. Make sure that has access and can ping sites on internet.
Then add 192.168.1.1 to your LAN interface and setup a network.
Everything else will fall into place.
 
I have had troubles with USB ue0 interfaces and have to add wait time for connections at bootup. It is a solid solution.

/etc/rc.conf settings:
Code:
netwait_enable="YES"            # Enable rc.d/netwait (or NO)
netwait_if="ue0"                      # Wait for active link on each intf in t
netwait_if_timeout="30"         # Total number of seconds to monitor link state.

I think you should consider a DHCP/DNS server like dnsmasq for your LAN clients. It is the only port I require on my router.
 
Start with ifconfig ue0 and see what the status is. I am assuming ue0 is your WAN connection. Is it set to DHCP? Has it got an IP from the phone?
Can you ping phone?
My only Internet access at the moment is via my phone.

I connect a cable between my phone and laptop, switch on USB tethering, and after some msg about URNDIS I run dhclient ue0.

This provides Internet access on the system which I am designating as my main server for my LAN, and is configured with a static IP address, as are all the other hosts until I get a router set up. From there I ping each host on the LAN as well as the Internet and each host can ping this system.

What I can't work out is how to make this system a gateway for the LAN.

Thinking about installing pfSense to simplify the whole thing since it looks as though it's beyond me...
 
I have never had to mess with routes. Flush them and start over maybe a few times.

So you have a laptop as 192.168.1.1 with ethernet interface? usb interface to phone for WAN.
Client machine at 192.168.1.5.
Client can ping internet but you have no WWW?
Does that sound right?
What does the LAPTOP's file /etc/resolv.conf have for settings inside?
Same for client. Is the resolv.conf file properly populated?

I have a feeling you are saying GATEWAY but mean RESOLVER.
A Resolver points a computer to a proper DNS nameserver that resolves addresses... From google.com to 172.253.115.101

You should be able to spot a resolver problem with ping.
Ping a "domain name" and see if it resolves to an IP.
ping google.com
 
It's usually only 2 things you need to make a system with a working internet connection a router:
1. forwarding needs to be enabled (gateway_enable / net.inet.ip.forwarding)
2. NAT

1 makes sure the system forwards traffic according to its routing tables; 2 makes sure the outside world can respond to traffic originating from behind that system.

A local DNS resolver is nice, but not strictly necessary - the hosts can use some public resolver (e.g. quad 9). However, setting up unbound as a caching resolver is trivial; so if you also intend to set up a dhcp-server[*] you may as well add a local DNS.

[*] Since ISC abandoned net/isc-dhcp and its intended replacement net/kea is a textbook example of the second-system effect, I recommend net/dhcpd, which is essentially a fork of the ISC server and pretty much a drop-in replacement, so the classic, simple configuration still applies.
 
Grab yourself a copy of "The Book of PF". It's a very good starting point.
Can highly recommend! There's a 4th edition coming soon which is available as early access at a discount.
It is pretty much the standard work for PF and covers essentially everything there is to know about PF, while at under 250 pages it's still quite compact - especially in comparison to various other tomes about networking or firewalling.
 
Before investing in books, you can try NAT with the following (change eth0 to the name of your external interface and eth1 to your internal interface):
Put into /etc/pf.conf:
nat on eth0 from {eth1:network} to any -> (eth0)

and run
sysrc pf_enable="YES"
service pf start
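The two ingredients named earlier in the thread (forwarding plus NAT) and the one-line pf.conf above, pulled together as an added example that is not from any poster: two functions emit the sysrc commands and a pf.conf for a given WAN and LAN interface, and a third syntax-checks the result with pfctl where it is available. Interface names (ue0 for the USB tether, re0 for the LAN NIC) and the added default-deny filter rules are assumptions, not something the thread prescribes.

```shell
# Added example, not from the thread: emit the rc.conf knobs and a minimal
# /etc/pf.conf for a FreeBSD box acting as LAN gateway. Interface names are
# arguments; ue0 (USB tether) is from the thread, the LAN NIC is an assumption.

# Sysrc commands that enable forwarding, pf and the netwait delay at boot.
gen_rc_commands() {
    wan="$1"
    printf '%s\n' \
        'sysrc gateway_enable="YES"' \
        'sysrc pf_enable="YES"' \
        'sysrc netwait_enable="YES"' \
        "sysrc netwait_if=\"$wan\"" \
        'sysrc netwait_if_timeout="30"'
}

# pf.conf with the thread's NAT rule plus a default-deny filter: a bare nat
# rule leaves pf passing everything, so the filter block here is an added
# assumption of sensible defaults, not something the thread prescribes.
gen_pf_conf() {
    wan="$1"
    lan="$2"
    cat <<EOF
wan = "$wan"
lan = "$lan"
set skip on lo0
scrub in all
# Masquerade LAN hosts behind whatever address the WAN currently holds.
nat on \$wan from \$lan:network to any -> (\$wan)
# Default deny, logged to pflog0 so a misconfiguration is visible.
block log all
# LAN hosts may talk to the gateway and out to the Internet.
pass in quick on \$lan from \$lan:network to any keep state
pass out quick on \$wan keep state
# The gateway itself may answer the LAN (DNS, DHCP, ping replies).
pass out quick on \$lan keep state
EOF
}

# Syntax-check the generated ruleset with pfctl when it exists (on the
# router itself); elsewhere report that the check was skipped.
check_pf_conf() {
    tmp=$(mktemp) || return 1
    gen_pf_conf "$1" "$2" > "$tmp"
    rc=0
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$tmp" || rc=1
    else
        echo "pfctl not found, skipping syntax check of $tmp" >&2
    fi
    rm -f "$tmp"; return "$rc"
}
```

Run `gen_pf_conf ue0 re0 > /etc/pf.conf` and `gen_rc_commands ue0 | sh` on the gateway, then `service pf start`; blocked packets can be watched with `tcpdump -n -e -ttt -i pflog0`.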
 