Replacing pfSense with regular FreeBSD

After a pfSense failure (I suspect hardware) I'm thinking of setting up FreeBSD as a DHCP server and Internet gateway router. Does anyone know of any howtos for getting this configured? I've been blissfully unaware of how things really work because they are generally hidden out of the way behind pfSense's GUI, so I guess it's time to figure out how things actually work since I can't get pfSense working properly on my cobbled together 'emergency' system.

Any tips would be gratefully appreciated.
 
Here are some links to get you on the right track:
Basically you would start with enabling gatewaying in rc.conf(5):
Code:
gateway_enable="YES"
ipv6_gateway_enable="YES"
and configuring your network interfaces. Depending on the type of your WAN connection this might require setting up net/mpd5 and/or dhcp6c(8) to do PPPoE/DHCPv6 on your WAN link.

For the remaining parts there are a number of choices you might want to investigate before making a decision.

DHCP server:
DNS services:
Available firewalls are described in the Handbook Chapter 31. Firewalls.
 
I can't offer any better help than mickey but I do want to say it's not difficult, try it. I'm posting this on day 1 with my new FreeBSD router and firewall. Working great and internet speed increased too.
 
What about opnsense?
I use it often (usually virtualized) and I really like it.
 
While those "canned" solutions are great, actually setting it all up "by hand" is an invaluable learning experience.
Yes, I agree, and ONE DAY I will manage to get it working successfully...

Need to understand networking and routing a lot better.
 
Don't try to do everything at once. Take it step by step. If you try to do everything it'll be quite overwhelming. Start with some basic TCP/IP networking, routing, subnets and masks. That's the basis to work from. Then add DHCP and DNS. Learn how they work, how DHCP gets you an automatic IP address. Then step up to DNS, how name resolving works, and what the relation and interaction between IP addresses and hostnames is.

Get to know tools like tcpdump(1) and net/wireshark. It helps so much if you can look at the actual packets and understand the basics. The "three-way handshake"; SYN, SYN/ACK, ACK. Learn the basics of some of those flags (you don't need to know all of them, just the important ones). SYN, ACK, RST, FIN.
 
Something has got pfSense badly screwed up today and I can't access anything on my network. I'll have to install isc-dhcp somewhere just to be able to access my files on my two NAS boxes. I think I'll need to change my LAN name to FUBAR.
 
Sounds to me like the perfect opportunity to dive in and go through with your plan to replace it with a FreeBSD router :p
 
Well, thanks to an excellent write-up by vermaden I was able to get started with dhcp...

It got a bit complicated for a simple home network so I used this:

Well, it's a start... :)
 
Your simple configuration looks good, you really don't need much for it to work. Just make sure it's the only DHCP server on your network. Things can get a little weird if you have two DHCP servers, each with a different configuration.
 
I'd like to try out a few things on my FreeBSD dhcp server without interfering with pfSense, which seems to be performing normally again. I presume there is some way of doing that without them interfering with each other.
 
Has anyone experience setting up NAT on the WAN interface when the WAN IP is set using DHCP? (Is this a wrong question under this subject?) I've had the same problems, and actually dhclient does not have interface "up" and "down" scripts like many Linux distributions have. I've used NAT from pf as pfSense does. If the interface is not up when the rules are read, there are no firewall rules either. Separating them into their own file is simple, but how do you run the NAT pf rules after the interface is brought up by dhclient?

Actually ipfw and ipf have rc.conf settings to use NAT. How do you set up if.up and if.down? dhclient-script is going to be replaced in the pkg upgrade.
 
Maybe I will need to write it more clearly: the following will stop the firewall rules, and there will be no rules set if the WAN link is not up:
Code:
nat on if0 inet from ! if0 to any -> if0
nat on if0 inet6 from ! if0 to any -> if0
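As an added example (not from the thread or from pfSense), this is how pf itself usually handles a DHCP-assigned WAN address, without any dhclient up/down hook: an interface name in parentheses is resolved when a packet is processed rather than when the ruleset is loaded, so the ruleset loads even while the WAN interface has no address yet and keeps working after the lease changes. The script below generates such a ruleset; the interface names em0/em1 and the LAN subnet are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a minimal /etc/pf.conf for a
# FreeBSD gateway whose WAN address is assigned by dhclient. Interface names
# (em0 WAN, em1 LAN) and the LAN subnet are assumptions for the example.
# The key detail is "($ext_if)": an interface name in parentheses is looked
# up when a packet is processed rather than when the ruleset is loaded, so
# the NAT rule loads while em0 still has no address and follows later lease
# changes without any dhclient up/down hook.

gen_pf_conf() {
    ext_if="$1"    # WAN interface, address from DHCP
    int_if="$2"    # LAN interface, static address
    lan_net="$3"   # LAN subnet, e.g. 192.168.1.0/24
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
lan_net = "$lan_net"

set skip on lo0
scrub in all

# Address in parentheses: resolved at run time, not at load time.
nat on \$ext_if inet from \$lan_net to any -> (\$ext_if)

block in log all
pass out quick keep state

# LAN hosts may reach the gateway and, via NAT, the Internet.
pass in on \$int_if from \$lan_net to any keep state
# Allow DHCP server replies to reach the WAN-side client.
pass in on \$ext_if inet proto udp from any port 67 to any port 68
EOF
}

# On the router itself (not executed by this script):
#   gen_pf_conf em0 em1 192.168.1.0/24 > /etc/pf.conf
#   pfctl -nf /etc/pf.conf     # syntax check only, nothing is loaded
#   sysrc pf_enable=YES pflog_enable=YES gateway_enable=YES
#   service pf start
```

Run `pfctl -nf` before `service pf start` so a typo cannot leave the box without a ruleset, which is the failure mode the post above describes.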
 
Just make sure it's the only DHCP server on your network
I have such bad experience ― cellular modems usually have a DHCP server enabled. I had one on the network with pfSense, but it took a while before I realized that it "intercepts" DHCP requests.
 
I have such bad experience
I remember a story from a long time ago. I was working as a network admin for a large insurance company. Suddenly we got a whole bunch of calls from people that couldn't work anymore. After some investigation it turned out to be someone that hooked up his personal laptop to our network (not allowed) and he was running some Windows application (forgot the name of it) to share an Internet connection. That tool was also running a DHCP service and was dishing out IP addresses to our workstations in a completely different subnet. All those people that couldn't work any more got a 192.168.0.x address while our entire network was based on 10.x.x.x addresses. He had a LAN party that weekend, came to work on Monday and forgot that the software was still running.
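An added example, not from any poster in this thread, of how a second DHCP server on the LAN (the cellular modem or the LAN-party laptop above) can be spotted from the gateway with tcpdump: every DHCP reply comes from UDP port 67, so any reply whose source address is not the one authorized server is a rogue. The authorized address 192.168.1.1, the interface em1 and the capture lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: flag DHCP replies that do not come from
# the single DHCP server that is supposed to exist on the LAN. Input is
# tcpdump -n output, for instance from
#   tcpdump -nli em1 'udp and src port 67 and dst port 68'
# The authorized server address and the sample lines are assumptions.

AUTHORIZED_DHCP="192.168.1.1"

# Constructed sample lines in tcpdump -n format (not a real capture).
# The third line is a reply from a second server handing out 192.168.0.x.
SAMPLE_CAPTURE='10:00:01.000001 IP 192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
10:00:01.250000 IP 192.168.1.1.67 > 192.168.1.50.68: BOOTP/DHCP, Reply, length 300
10:00:03.000000 IP 192.168.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 548
10:00:04.000000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300'

# rogue_dhcp_servers AUTHORIZED: read tcpdump lines on stdin and print each
# unauthorized DHCP server address once.
rogue_dhcp_servers() {
    authorized="$1"
    awk -v ok="$authorized" '
        /BOOTP\/DHCP, Reply/ {
            src = $3                      # e.g. 192.168.0.1.67
            sub(/\.[0-9]+$/, "", src)     # strip the .67 port suffix
            if (src != ok && !(src in seen)) { seen[src] = 1; print src }
        }'
}

# rogue_dhcp_count: number of distinct unauthorized servers in the sample.
rogue_dhcp_count() {
    printf '%s\n' "$SAMPLE_CAPTURE" | rogue_dhcp_servers "$AUTHORIZED_DHCP" | wc -l | tr -d ' '
}

# Live use on the gateway's LAN interface (not run here):
#   tcpdump -nli em1 'udp and src port 67 and dst port 68' | rogue_dhcp_servers 192.168.1.1
```

Because a rogue server only answers clients that are actively requesting a lease, leave the capture running across a few client reboots or lease renewals rather than expecting an immediate hit.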
 
ROFLMAO. A common-sense policy would be to do NT Active Directory domain registration, and any machine that's not registered with your workplace's NT domain would be simply not allowed to access anything. Any machine within the NT domain should not use intranet services that originate from a place that is not registered on the NT domain. NT domains have been around since like 1995.
 
So how do you go about setting up a test dhcp server? Keep it on its own separate physical circuit?
Yeah, separate physical is best. Next best option is to figure out available subnets - but that takes doing your homework so that you don't accidentally step on somebody else's toes like in SirDice's story.
 
Separate subnet will not work -- don't do this. Separate VLAN will.
 
I couldn't figure out how separate subnets would work, since when a system boots up it isn't part of any subnet; it is just looking for an IP address from whichever subnet a dhcp server is on... or have I got that wrong? If VLANs are a possible solution I may try that. I've been meaning to set up a VLAN but never really figured out how they work. I did buy a smart switch some time ago with the idea of using a VLAN.
 
Exactly. You need an IP address to be a part of a subnet and the purpose of a DHCP server is to give you an IP address (and netmask, which determines the subnet.)

I don't know exactly how VLANs work, but I've heard some rumours about tagging packets. I'm guessing this tagging happens at the data link layer and determines which VLAN you're in.
 