pfsense tutorial mega thread!

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
I'm a huge supporter of the pfsense project. I will be putting together how-to's on the various functions that pfsense has to offer. I'd also like some feedback on which how-to's you'd like to see next. Also if you would like to put some tutorials together and have them linked here let me know!


I've already put together an OpenVPN how-to thread which I'll be updating in the next week or so with screenshots as well as for v2.1.3. That thread is already the #2 google hit when searching for TAP mode of OpenVPN. That thread can be found here:

http://hardforum.com/showthread.php?t=1663797


The next tutorial will be Postfix and Mailscanner for email filtering. I've configured my production pfsense at work to be just as functional as the Barracuda spam filter in current testing and I'm going to share it all with you.


So WHAT'S NEXT?
 

wizdum

[H]ard|Gawd
Joined
Sep 22, 2010
Messages
1,943
I'm starting a small community WISP, with PFSense as the central router. Right now we're bandwidth limiting our customers with settings on their CPE. If you know of a way to centralize that within PFSense, I'd be interested.

Basically, we're giving members of the community access to some of the resources on our LAN, and we'd like to give them higher speed access to our internal resources than we give them to the outside internet.

Also, I will be eagerly awaiting the Spam filtering tutorial. Right now, our largest expense in "Purchased services" is a SpamTitan license.
 
Joined
Apr 29, 2012
Messages
47
I found your TAP mode OpenVPN tutorial to be a great help - needed TAP to work around a softphone issue and it's working great :) Thanks!

Looking forward to seeing the mail filtering one - like Wizdum we're paying out for anti spam and it's ridiculous.
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
http and https filtering

While http filtering is possible, https filtering is not based on actual content. That's just the nature of https. It's encrypted, and cannot be filtered because of it. You can filter by DNS blacklists, which I'll put in a web filtering tutorial. Just wanted to make that distinction.

I'm starting a small community WISP, with PFSense as the central router. Right now we're bandwidth limiting our customers with settings on their CPE. If you know of a way to centralize that within PFSense, I'd be interested.

Basically, we're giving members of the community access to some of the resources on our LAN, and we'd like to give them higher speed access to our internal resources than we give them to the outside internet.

Also, I will be eagerly awaiting the Spam filtering tutorial. Right now, our largest expense in "Purchased services" is a SpamTitan license.

Limiting bandwidth in pfsense per IP is pretty easy. I don't have much experience with the QoS, but I think I can do some research and make a writeup which would include bandwidth per IP.

I found your TAP mode OpenVPN tutorial to be a great help - needed TAP to work around a softphone issue and it's working great :) Thanks!

Looking forward to seeing the mail filtering one - like Wizdum we're paying out for anti spam and it's ridiculous.

Thanks, that OpenVPN tutorial is a little out of date. It was made for v2.0.1 and we're now on 2.1.3 and I'm pretty sure 2.1.4 is coming out soon due to another discovered vulnerability with OpenSSL. No doubt more vulnerabilities will be found now that the code is being scrutinized more after heartbleed.

I'm going to be re-doing that guide with screenshots, and I may have other methods in there rather than just TAP. TAP isn't a very popular method, but is required in some situations. The lack of tutorials out there for it, and actual bugs in the earlier interface, are what prompted me to write that up.

What's interesting about the anti-spam is that the CEO of our company is the one that caused the spam attack. He gets spammed 100x more than anyone else. Not really sure why. But he saw an ad somewhere about Barracuda and wanted to implement it. And I did. They have a 30 day trial. It works great, it really does a very good job. But it's expensive. 3k for the box and $1700/yr if I remember correctly. I knew pfsense had email filtering capabilities and after looking at how it does it I determined pfsense can be configured to filter out messages in the way the Barracuda does it. It uses a reputation list; Barracuda has a public one, as do MANY other email blacklists. 95% of the spam that came in was bouncing off Barracuda's reputation list. That's easy peasy in pfsense. Stay tuned!
 

Herushan

Limp Gawd
Joined
Jun 13, 2006
Messages
161
HTTPS filtering is possible with Squid 3 dev version from what I read as it does a man in the middle with a certificate you make on your pfsense box. I have not gotten it to work yet with dansguardian on my machine (I think it is something with my machine), but there is a tutorial online on how to do it if you search. It would be nice to get a going tutorial list here for extra reference.
 

stormy1

[H]ard|Gawd
Joined
Apr 3, 2008
Messages
1,053
HTTPS filtering is possible with Squid 3 dev version from what I read as it does a man in the middle with a certificate you make on your pfsense box. I have not gotten it to work yet with dansguardian on my machine (I think it is something with my machine), but there is a tutorial online on how to do it if you search. It would be nice to get a going tutorial list here for extra reference.
This.
There are several different packages starting to do this but the reports are that not all work and I haven't found instructions that were 100% working for everyone.
Diladele Web Safety is another possibility I found but a free solution is even better.
Someone working out the bugs on an install and posting a good tutorial would be helpful.
 

Ur_Mom

Fully [H]
Joined
May 15, 2006
Messages
20,560
I'm interested in QoS for different applications/protocols. I have multiple PCs and gaming consoles. I'd like the gaming traffic as #1, WWW as #2, and torrents last. Every time I try and set it up, it never really works. Gaming stutters, torrents are still hauling ass and WWW starts going slow.... I've tried many times.

I was going to give up on pfSense, honestly. I love it, but I feel the investment in hardware and power costs really doesn't give me much of a ROI.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
If torrents saturate your downlink there's nothing pfsense or anything else can do to fix it and you can't do layer 7 filtering. That said, without knowing what you've tried it's impossible to give you advice. OpenWRT has a pretty good setup out of the box, no idea what pfsense's looks like if there is one.
//Danne
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
If torrents saturate your downlink there's nothing pfsense or anything else can do to fix it and you can't do layer 7 filtering. That said, without knowing what you've tried it's impossible to give you advice. OpenWRT has a pretty good setup out of the box, no idea what pfsense's looks like if there is one.
//Danne

The biggest defense against this is state table size. Though it's not really preventing anything. Consumer routers and even lower level commercial grade routers have small state tables. Torrents will fill up your state table lickety-split with connections out the yin-yang regardless of bandwidth being used. When your state table fills up, new connections can't be made.

Pfsense though has a configurable state table size and it's directly linked to RAM. 1 state = 1KB of RAM. That's ~1 million connections per gig. Pfsense handles this like a champ.
 
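A small headroom check for the state-table exhaustion described in the post above, as an added example that is not from the thread or from the pfSense project. It assumes the stock `pfctl -si` ("current entries") and `pfctl -sm` ("states hard limit") output formats and runs offline on the constructed sample output embedded in the script; on a real box you would feed it `$(pfctl -si)` and `$(pfctl -sm)` instead.

```shell
#!/bin/sh
# Added example: report how full the pf state table is on a pfSense box.
# Assumed output formats (FreeBSD pfctl):
#   pfctl -si  ->  "  current entries                   380000"
#   pfctl -sm  ->  "states        hard limit   400000"

# Current number of states, parsed from `pfctl -si` output.
state_current() {
    printf '%s\n' "$1" | awk '/current entries/ {print $3}'
}

# Configured hard limit for states, parsed from `pfctl -sm` output.
state_limit() {
    printf '%s\n' "$1" | awk '$1=="states" && /hard limit/ {print $4}'
}

# Integer percentage of the state table in use (fails if the limit is unknown).
state_pct() {
    cur=$(state_current "$1"); lim=$(state_limit "$2")
    [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    echo $(( cur * 100 / lim ))
}

# RAM the thread's rule of thumb (1 KB per state) implies for a given limit, in MB.
state_ram_mb() {
    echo $(( $1 / 1024 ))
}

# Print a status line; exit status 1 means the table is at or above 90% full.
check_states() {
    pct=$(state_pct "$1" "$2") || return 2
    if [ "$pct" -ge 90 ]; then
        echo "WARN: state table ${pct}% full"; return 1
    fi
    echo "OK: state table ${pct}% full"; return 0
}

# Constructed sample output standing in for `pfctl -si` and `pfctl -sm`.
SAMPLE_SI='Status: Enabled for 3 days 02:11:40           Debug: Urgent

State Table                          Total             Rate
  current entries                   380000
  searches                       123456789         470.3/s'
SAMPLE_SM='states        hard limit   400000
src-nodes     hard limit   400000
frags         hard limit     5000
table-entries hard limit   200000'

check_states "$SAMPLE_SI" "$SAMPLE_SM"
```

The 90% threshold is a constructed choice; on pfSense the hard limit itself is set under System > Advanced > Firewall & NAT, and the check is meant to run from cron so the alert lands before new connections start failing.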

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
HTTPS filtering is possible with Squid 3 dev version from what I read as it does a man in the middle with a certificate you make on your pfsense box. I have not gotten it to work yet with dansguardian on my machine (I think it is something with my machine), but there is a tutorial online on how to do it if you search. It would be nice to get a going tutorial list here for extra reference.

This.
There are several different packages starting to do this but the reports are that not all work and I haven't found instructions that were 100% working for everyone.
Diladele Web Safety is another possibility I found but a free solution is even better.
Someone working out the bugs on an install and posting a good tutorial would be helpful.

I'll look into this but I don't want to promise anything. This is new to me and I don't know how comfortable I feel implementing a man in the middle even if I control it.
 

stormy1

[H]ard|Gawd
Joined
Apr 3, 2008
Messages
1,053
I'll look into this but I don't want to promise anything. This is new to me and I don't know how comfortable I feel implementing a man in the middle even if I control it.
I don't like it either but it is going to have to be done with some business networks/clients.
I have heard that PCI is likely going to require http/https filtering in the next version.
 

wizdum

[H]ard|Gawd
Joined
Sep 22, 2010
Messages
1,943
I'll look into this but I don't want to promise anything. This is new to me and I don't know how comfortable I feel implementing a man in the middle even if I control it.

This is my feeling as well. We're trying to convince our administration (with some success), that this is an HR issue. It's not the job of I.T. to run around and make sure people aren't wasting time on Facebook or browsing "inappropriate content" at work.
 

Deleted member 12106

Guest
HTTPS filtering is possible with Squid 3 dev version from what I read as it does a man in the middle with a certificate you make on your pfsense box. I have not gotten it to work yet with dansguardian on my machine (I think it is something with my machine), but there is a tutorial online on how to do it if you search. It would be nice to get a going tutorial list here for extra reference.

I believe you need to install a new cert on each client...I was reading about it with https inspector on untangle and said f-that.
 

diizzy

2[H]4U
Joined
Nov 6, 2008
Messages
2,602
@ jadams
What are you talking about? Table size isn't an issue at all and no decent consumer router (today) has an issue with this.

The slowness is caused by down/uplink being saturated, please read up on QoS/shaping and their algorithms. You probably need to read up a bit on TCP/IP too given your claim...
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
This is my feeling as well. We're trying to convince our administration (with some success), that this is an HR issue. It's not the job of I.T. to run around and make sure people aren't wasting time on Facebook or browsing "inappropriate content" at work.

This is why I mentioned filtering by content. As in filtering text on a page for the word "porn". Keeping people off Facebook can be done via DNS/ip filtering which is pretty easy regardless of http or https.
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
How about something on pfsense monitoring.... anybody have a nice pfsense observium setup?

It'd really be nice to pull some logs from an edgerouter and see where a lot of the bandwidth is being used...

My pfsense router is the internet gateway for ~ 250 employees in ~20 locations, so I've been meaning to figure this out but haven't spent the time...
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
How about something on pfsense monitoring.... anybody have a nice pfsense observium setup?

It'd really be nice to pull some logs from an edgerouter and see where a lot of the bandwidth is being used...

My pfsense router is the internet gateway for ~ 250 employees in ~20 locations, so I've been meaning to figure this out but haven't spent the time...

RRD graphs can give an overall look and the package BandwidthD will break it down by IP. If you have pfsense set to use internal DNS servers it can resolve those to hostnames in the report. It can then break it down by some traffic types.

BandwidthD tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each IP address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded.

Also there is a new package called Sarg that looks like it does some interesting stuff. I think this is new between 2.0.1 and 2.1.3:

Sarg - Squid Analysis Report Generator is a tool that allows you to view "where" your users are going to on the Internet.
Sarg provides much information about Proxy (squid, squidguard or dansguardian) users' activities: times, bytes, sites, etc...
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
Started adding the screen shots to the OpenVPN thread with a spare few minutes I had before work. Will be adding more throughout the week. Then I'll be starting on spam.
 