pfSense is killing me. Should I go USG?

Discussion in 'Networking & Security' started by S-F, Dec 19, 2018.

  1. r00k

    r00k 2[H]4U

    Messages:
    2,647
    Joined:
    Aug 24, 2004
    I switched from pfSense at my office to Untangle a few years ago. pfSense is a great router distro, but once I tried Untangle there was no looking back. Much easier to configure and just as solid. Ad blocking is available.

    The OpenVPN support is there even in the free version. You can try it out with a full-featured trial, and if you'd like the full version for home use, it's only 5 bucks a month for the full package. Very reasonable for what you get (and no headaches).
     
  2. acascianelli

    acascianelli [H]ardness Supreme

    Messages:
    6,773
    Joined:
    Feb 25, 2004
    The last time I used Untangle I remember there being a big difference feature-wise between the free version and the pay version. Has that changed in the past 6-8 years? At the time it was clearly a small-business-grade solution.
     
  3. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,269
    Joined:
    Jul 6, 2013
    I got OpenVPN working without much fuss at all. I've heard it's much easier on OPNsense. But, I haven't had the chance to compare them yet.
     
  4. S-F

    S-F Gawd

    Messages:
    646
    Joined:
    Aug 5, 2010
    Configuring the VPN in pfSense wasn't too difficult. I believe there's a really clear and concise guide on the PIA site about it. pfSense has been fantastic in that respect.
     
  5. r00k

    r00k 2[H]4U

    Messages:
    2,647
    Joined:
    Aug 24, 2004

    Free version does routing, firewall, QoS, OpenVPN, TunnelVPN, basic gateway antivirus (ClamWin, IIRC), ad blocking, intrusion prevention.

    Paid version (business and home are the same features) also has IPsec VPN, web cache, load balancing / failover, email filtering, bandwidth control, additional gateway antivirus (Bitdefender), content filtering, policy controls, config backup to Google Drive.

    https://www.untangle.com/untangle-ng-firewall/software-packages/
     
  6. The Lurker

    The Lurker [H]ardForum Junkie

    Messages:
    10,232
    Joined:
    Jul 1, 2001
    Just keep in mind you need to generate separate server and user certificates and then assign the user certs to the user accounts, and if you assign the certs wrong, nothing will connect. It will generate the packages correctly, but nothing will work. That's what tripped me up.
     
  7. EniGmA1987

    EniGmA1987 Limp Gawd

    Messages:
    152
    Joined:
    May 2, 2017
    I believe they no longer do Bitdefender in the paid version.
     
  8. S-F

    S-F Gawd

    Messages:
    646
    Joined:
    Aug 5, 2010

    It just happened again and I was able to go through this list looking at it on my phone.

    1: I can't ping a domain name.
    2: I can ping an IP address directly.
    3: Which logs should I look at? There are tons of them. I looked at most and didn't really see anything that stood out as pertinent.
    4: I went to the WAN tab and disabled it and then re-enabled it. This resolved the issue.

    5 - 7: I wasn't able to try these as I sorted the issue in #4.


    Is this telling of anything? It's pretty clearly a DNS issue even to a networking moron such as myself.


    EDIT:

    I just found the Status/Interfaces tab and the IPv6 address discussed previously is listed as the IPv6 link-local address. On the WAN tab the IPv6 configuration type is set to None.
     
    Last edited: Dec 30, 2018
  9. acascianelli

    acascianelli [H]ardness Supreme

    Messages:
    6,773
    Joined:
    Feb 25, 2004
    Do you have a DNS forwarder or a DNS resolver enabled?

    I have a pfSense ignoring the DNS server it pulls in from the modem and forwarding to Cloudflare.

    Also, next time it happens try hard coding a public DNS on your workstation and try domain name resolution.
     
  10. S-F

    S-F Gawd

    Messages:
    646
    Joined:
    Aug 5, 2010
    I have DNS Resolver enabled but not DNS Forwarder. I have Enable DNSSEC Support checked, System Domain Local Zone Type set to Transparent, and these are my custom options:


    server:
    forward-zone:
        name: "."
        forward-ssl-upstream: yes
        forward-addr: 1.1.1.1@853
        forward-addr: 1.0.0.1@853
    server:include: /var/unbound/pfb_dnsbl.*conf


    Good idea about setting up DNS on my desktop. I'll give that a try next time.
     
  11. IdiotInCharge

    IdiotInCharge [H]ardForum Junkie

    Messages:
    8,391
    Joined:
    Jun 13, 2003
    If you can ping something external but can't hit google.com, you have a DNS issue.

    [This is also a meme: it's almost always DNS...]
     
  12. S-F

    S-F Gawd

    Messages:
    646
    Joined:
    Aug 5, 2010

    Yeah. I'm with you. It's a DNS issue. What kind of DNS issue? Why does it only rear its ugly head from time to time? What's triggering the problem?


    Sorry. I'm not up on my memes. Maybe I should spend more time looking at Instagram to un-fuck my router?
     
  13. IdiotInCharge

    IdiotInCharge [H]ardForum Junkie

    Messages:
    8,391
    Joined:
    Jun 13, 2003
    Router's fine ;)
     
  14. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,151
    Joined:
    Nov 16, 2009
    If we know it's a DNS issue, now check the firewall logs for outbound packets to port 53. Are they going out or being blocked? Delayed? You might have to enable logging on the allow DNS firewall rule.

    Try adding a few additional DNS providers to your list as well. Google and OpenDNS are a couple of good options to have. Can also try disabling DNSSEC to see if that makes any difference.
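    The triage the thread has converged on (post 8's "IP pings, name doesn't", acascianelli's suggestion to hard-code a public DNS on the workstation, and the port 53 check above) can be scripted so the next time it happens the result is a one-liner rather than a tab-by-tab hunt. This is an added example, not code from any poster or from pfSense: it builds a raw DNS query so it can ask a public resolver directly, bypassing the pfSense Unbound that the OS resolver goes through, and maps the three probe results onto the next place to look. The fixed transaction ID, the use of google.com as the test name, 8.8.8.8 as the direct-query target, and a TCP connect to 1.1.1.1 on the DoT port 853 as the "can I reach an IP at all" probe are assumptions.

```python
import socket
import struct
def build_query(name, txid=0x1234):  # txid is a constructed constant; a real client randomizes it
    """Minimal DNS A/IN query with RD=1 (no EDNS) as a raw UDP payload."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode() for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def parse_response(data, txid=0x1234):
    """(rcode, answer_count) from a reply header; None if it is not a reply to our query."""
    hdr = struct.unpack(">HHHHHH", data[:12]) if len(data) >= 12 else None
    if hdr is None or hdr[0] != txid or not hdr[1] & 0x8000:  # must echo our ID with QR set
        return None
    return hdr[1] & 0x000F, hdr[3]

def query_server(server, name, timeout=2.0):  # ask one resolver over UDP/53, bypassing the OS resolver
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return parse_response(s.recv(512))
        except OSError:
            return None

def tcp_reachable(ip, port, timeout=2.0):  # by IP only: needs no DNS, works where ICMP is filtered
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def classify(ip_reachable, system_ok, public_ok):  # map the three probe results to the next check
    if not ip_reachable:
        return "no upstream connectivity: WAN problem, not DNS"
    if system_ok:
        return "name resolution works: not a DNS problem right now"
    if public_ok:
        return "local resolver (Unbound) failing; direct queries to a public DNS succeed"
    return "DNS traffic not getting out: check firewall logs for 53/853 and the forwarders"

def triage(name="google.com", public_dns="8.8.8.8", probe_ip="1.1.1.1"):
    try:
        system_ok = bool(socket.gethostbyname(name))  # goes through pfSense's Unbound
    except OSError:
        system_ok = False
    r = query_server(public_dns, name)  # None on timeout, else (rcode, answers)
    return classify(tcp_reachable(probe_ip, 853), system_ok, bool(r and r[0] == 0 and r[1] > 0))
```

    Run `triage()` from a LAN workstation while the fault is present; if it reports the local resolver failing while direct public queries succeed, the WAN bounce in post 8 is restarting Unbound, not fixing the WAN.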
     
  15. S-F

    S-F Gawd

    Messages:
    646
    Joined:
    Aug 5, 2010

    OK. It appears to only keep logs from the current day so I can't see anything from yesterday when I had the issue.

    I do have alternate DNS providers. I have, in this order, 1.1.1.1, 1.0.0.1, 8.8.8.8 and 4.4.4.4.

    Should I disable DNSSEC now or wait until the issue appears again?

    Thanks for the input!
     
  16. TechLarry

    TechLarry Can't find the G Spot

    Messages:
    30,025
    Joined:
    Aug 9, 2005
    As a home user, I've always used NAT. It's pretty cheap too :)

    This is an honest question. Are you guarding something that would not be protected by a standard high end router and a good AV package? Or are you doing this for the fun of it and the practice/knowledge (the reason I used to run Windows Servers in my house, but don't any more) ?

    If the latter, cool for you. Have fun :)

    If the former, my goodness man. Why?
     
  17. S-F

    S-F Gawd

    Messages:
    646
    Joined:
    Aug 5, 2010

    I think that the protection offered by most routers would be sufficient. The reason I went with the hardware I did was because Supermicro has served me well. I've never had any of their hardware die and every single consumer motherboard I've owned has died. I wanted something that could handle the VPN and ad blocking. It's overkill. I was planning on running Squid but since most traffic is HTTPS now that turned into a PITA. To be honest I would really love to learn all of the ins and outs of networking, I just don't really have the time at the moment. I am learning a bit through this thread though.

    So any router/firewall that could meet these four criteria would work for me: the firewall does its job, VPN, ad blocking and reliable.

    I'm not following your NAT comment.
     
  18. TechLarry

    TechLarry Can't find the G Spot

    Messages:
    30,025
    Joined:
    Aug 9, 2005
  19. S-F

    S-F Gawd

    Messages:
    646
    Joined:
    Aug 5, 2010

    Come again?
     
  20. TechLarry

    TechLarry Can't find the G Spot

    Messages:
    30,025
    Joined:
    Aug 9, 2005
    I'm just saying I'm glad he's having fun with it, whether it's needed or not. Fun is good :)
     
  21. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,151
    Joined:
    Nov 16, 2009

    You can increase the log retention range in the settings. I believe it just defaults to 24 hours.

    I would say it can't hurt to try disabling DNSSEC temporarily to see if the problem still occurs. The goal is to make minor changes to try and narrow down specifically where the issue is occurring.