PFSense Firewall Group purchase interest

    Good news James!!!

    VPN configurations have remained similar throughout the years. Only the GUI has changed mostly.

    The base of PFSense left alone functions fine. It's the options, or changing the options, that sometimes get a little tricky. Next are the plugins, which by default work fine, and then later setting the options for those.

    One of the PFSense QOS things relates to lowering your buffer bloat numbers as shown on the DSL reporting stuff. There are many step-by-steps to do this posted around. I still have not been able to get my numbers down over here. Right now it's just shutting off the buffer bloat value on the DSL reports dot com testing. I then get an A grade on the testing.
    - Pete

    Auto mator
    Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
    Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
    HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

    HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
    HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

    X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



      So, of course now the VPN works via IP, next step was to make it stick through ISP DNS changes.

      I have been using a very reliable DDNS service on my HS machine to update my Sitelutions DNS records for a couple of years now - all good. Dug around in pfSense and saw that (not surprisingly) pfSense can act as a DDNS updater also. Created a DNS-O-Matic account to update Sitelutions (as Sitelutions isn't natively supported by pfSense) then configured dns-o-matic in pfSense. DNS is updating (forced from pfSense and visible in DNS-O-Matic and Sitelutions) and over time I will probably kill the service on my HS machine - all good.

      Where I am stumped is how to get OpenVPN to accept connections when using the DNS-O-Matic host name resolution in the VPN Client Export defaults. Google suggests "all.dnsomatic.com" along with my DNS-O-Matic credentials. Those appear to take, but when I import a newly created .ovpn config to my iPhone, I can't get it to connect. Seems to be a DNS resolve error on UDP at all.dnsomatic.com. UDP port 1194 is what I have working for the IP-configured setup, but that's coming direct to me of course.

      Does anyone know what I need to tweak in the main OpenVPN or client export defaults to allow the DNS lookup at DNS-O-Matic to succeed?

      Cheers
      cheeryfool



        Originally posted by rprade:
        Another advantage is that I can have HomeSeer running on its low power server chassis, the firewall on an 8-watt appliance and can shut the big server down. I am always trying to minimize my energy footprint. This keeps my steady state network energy at 200-watts or less. The bulk of the energy is a POE switch at 120-watts during the day and 165-watts at night when the camera IR illuminators are active. The POE switch powers all of my cameras, Arduinos, Ubiquiti APs and Z-Nets.
        Like you Randy, I too want to minimize my energy footprint. So what are you using as an 8-watt firewall appliance?

        Robert
        HS3PRO 3.0.0.500 as a Fire Daemon service, Windows 2016 Server Std Intel Core i5 PC HTPC Slim SFF 4GB, 120GB SSD drive, WLG800, RFXCom, TI103,NetCam, UltraNetcam3, BLBackup, CurrentCost 3P Rain8Net, MCsSprinker, HSTouch, Ademco Security plugin/AD2USB, JowiHue, various Oregon Scientific temp/humidity sensors, Z-Net, Zsmoke, Aeron Labs micro switches, Amazon Echo Dots, WS+, WD+ ... on and on.



          stick through ISP DNS changes

          You mean ISP DHCP changes?

          Here configured a custom MAC address on my WAN interface. I do change the MAC address every couple of months to force a DHCP IP change.

          For Dynamic DNS here utilize no ip dot com (over 10 years) with the configuration in PFSense. I typically start up testing VPN with the home IP address. For dynamic DNS I do a port forward name.

          I am not familiar with DNS-O-matic.

          I do not have any ISP DNS servers configured.
          - Pete




            Originally posted by Pete:
            stick through ISP DNS changes

            You mean ISP DHCP changes?

            Here configured a custom MAC address on my WAN interface. I do change the MAC address every couple of months to force a DHCP IP change.

            For Dynamic DNS here utilize no ip dot com (over 10 years) with the configuration in PFSense. I typically start up testing VPN with the home IP address. For dynamic DNS I do a port forward name.

            I am not familiar with DNS-O-matic.

            I do not have any ISP DNS servers configured.
            Pete

            Thanks for your reply. Yes, of course (doh!) I mean ISP DHCP change.

            So it's the Dynamic DNS config in pfSense that I am struggling with. Mine essentially is DNS-O-Matic (in place of your no ip dot com). How do you have no ip dot com configured in your pfSense config? Is it only in the Client Export side of things? Do you still use a UDP port (e.g. 1194) in the main config?

            I am sure that I am missing something basic.

            Still Googling...

            Cheers
            cheeryfool



              How do you have no ip dot com configured in your pfSense config?

              Only thing I have configured for the no ip configuration in the first tab is:

              login name = email address
              password = password

              Hostname = here use one of 16 hostnames.

              Is it only in the Client Export side of things?

              I do not utilize any dynamic DNS name stuff in the PFSense VPN configuration.

              On the client side I first test with the wan IP, then I change it to the DNS name.

              Here utilize IPSec rather than OpenVPN.

              Do you still use a UDP port (e.g. 1194) in the main config?

              Thinking the UDP port for OpenVPN is configured automatically.

              It is recommended, when using the iPhone, that you change UDP port 1194 to TCP port 443 such that the UDP port doesn't get blocked.

              Have a look see here:

              iPhone OpenVPN Setup
              - Pete




                Originally posted by langenet:
                Like you Randy, I too want to minimize my energy footprint. So what are you using as an 8-watt firewall appliance?

                Robert
                It is the same box as this eBay listing, but I sourced it from China early this year. J1900 Celeron quad core, 32GB mSATA SSD, 4GB RAM. I may have understated the power a little; it is drawing 9.2 watts today. It is rated at 10 watts. I think I paid ~$200 shipped.
                HS4 Pro, 4.2.19.0 Windows 10 pro, Supermicro LP Xeon



                  Originally posted by Pete:
                  How do you have no ip dot com configured in your pfSense config?

                  Only thing I have configured for the no ip configuration in the first tab is:

                  login name = email address
                  password = password

                  Hostname = here use one of 16 hostnames.

                  Is it only in the Client Export side of things?

                  I do not utilize any dynamic DNS name stuff in the PFSense VPN configuration.

                  On the client side I first test with the wan IP, then I change it to the DNS name.

                  Here utilize IPSec rather than OpenVPN.

                  Do you still use a UDP port (e.g. 1194) in the main config?

                  Thinking the UDP port for OpenVPN is configured automatically.

                  It is recommended, when using the iPhone, that you change UDP port 1194 to TCP port 443 such that the UDP port doesn't get blocked.

                  Have a look see here:

                  iPhone OpenVPN Setup
                  Got it!

                  In the Client Connection Behaviour section of the Client Export Utility I needed to set the Host Name Resolution to "Other", then specify my domain name in the "Host Name" field. Then re-export the config to my iPhone and it now connects via domain instead of IP.

                  As I suspected, I was missing something simple.

                  Thanks!
                  cheeryfool

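The fix above changes the exported profile's `remote` from an IP literal to a DDNS hostname, and the earlier posts show what happens when that hostname does not resolve to the current WAN address. The following Python check is an added example, not code from the thread or from pfSense: it parses the `remote` directives of an exported .ovpn, tells IP-literal remotes from hostname ones, and verifies that each hostname still resolves to the WAN address the DDNS updater publishes. The sample profile, the hostname home.example.net, the addresses and the DNS answers are all constructed.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]

# Constructed sample export (not a real pfSense Client Export output).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote home.example.net 1194 udp
remote 203.0.113.10 443 tcp
resolv-retry infinite
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT
-----END CERTIFICATE-----
</ca>
"""
# Constructed DNS view: what the DDNS record currently answers.
SAMPLE_DNS = {"home.example.net": ["203.0.113.10"]}


def parse_remotes(ovpn_text: str) -> List[Dict[str, Optional[str]]]:
    """Return each `remote host [port] [proto]` directive as a dict.
    Inline <ca>/<cert>/<key> blocks are skipped so certificate material
    is never mistaken for a directive; a global `proto` sets the default."""
    remotes, in_block, default_proto = [], False, "udp"
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if line.startswith("<") and line.endswith(">"):
            in_block = not line.startswith("</")
            continue
        if in_block or not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        if parts[0] == "proto" and len(parts) > 1:
            default_proto = parts[1].lower()
        elif parts[0] == "remote" and len(parts) >= 2:
            remotes.append({
                "host": parts[1],
                "port": parts[2] if len(parts) > 2 else "1194",
                "proto": parts[3].lower() if len(parts) > 3 else default_proto,
            })
    return remotes


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_resolver(host: str) -> List[str]:
    """Live resolver for real use; tests inject a dict-backed one instead."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_profile(ovpn_text: str, expected_wan_ip: str,
                  resolve: Resolver = dns_resolver) -> List[Dict]:
    """Classify each remote and flag hostnames that fail to resolve or that
    resolve to something other than the WAN IP the DDNS updater publishes."""
    report = []
    for r in parse_remotes(ovpn_text):
        entry = dict(r)
        if is_ip_literal(r["host"]):
            entry["kind"], entry["ok"] = "ip", r["host"] == expected_wan_ip
        else:
            try:
                answers = resolve(r["host"])
            except (socket.gaierror, KeyError):
                answers = []  # unresolvable: the DDNS record is missing
            entry["kind"], entry["resolved"] = "hostname", answers
            entry["ok"] = expected_wan_ip in answers
        report.append(entry)
    return report
```

Run `check_profile` against the profile your pfSense box exported and the WAN address shown on its dashboard; a hostname entry with `ok` false means the DDNS record is stale or missing, which is exactly the client-side resolve error described earlier in the thread.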


                    Good news cheeryfool!!!!

                    A while back a Cocoontech user asked me to post a comparison between using IPSec and OpenVPN speeds.

                    I never did compare the two. Supposition was that throughput would be the same using VPN.

                    So in the DIY section above, when I write it up, I will do a comparison of using IPSec and OpenVPN. PFSense will do both at the same time.

                    This will be testing multiple crypto sessions (pushing a bit on the CPU / memory stuff).

                    To date I have only created one VPN configuration on PFSense and have configured internal VPN devices / tunnels.
                    Last edited by Pete; September 7, 2017, 08:29 AM.
                    - Pete




                      Originally posted by Pete:
                      Good news cheeryfool!!!!

                      A while back a Cocoontech user asked me to post a comparison between using IPSec and OpenVPN speeds.

                      I never did compare the two. Supposition was that throughput would be the same using VPN.

                      So in the DIY section above, when I write it up, I will do a comparison of using IPSec and OpenVPN. PFSense will do both at the same time.

                      This will be testing multiple crypto sessions (pushing a bit on the CPU / memory stuff).

                      To date I have only created one VPN configuration on PFSense and have configured internal VPN devices / tunnels.
                      I will watch with interest this comparison. Not that I expect any issues with OpenVPN with my hardware and Gig internet.

                      Unfortunately my corporate environment closed out another route to home this weekend as Domotz.com remote access came into an excluded list (I think based on a Symantec perceived threat). My corp WiFi blocks outbound VPN, even on the guest networks, and my corporate laptop is locked down so hard that I can't install anything on it. I guess it's all for good reason, but frustrating nonetheless. Going to have to bring in an old Mac and tether it to my phone hotspot and keep track of data usage. Or perhaps I go back to the Nokia banana phone (the one in The Matrix) and Compaq iPaq, communicating together over infrared, late '90s style.
                      cheeryfool



                        I really don't think there is much of a difference in using IPSec VPN or OpenVPN these days.

                        Enterprise-wise, many years ago I got involved in the cost-saving measure of switching over from SecurID to an easy-to-access-on-the-internet VPN.

                        I do not even know today if it is being utilized....vpn.ual.com...also built a public network for vendors and employees (although it did go through a firewall and we did allow VPN connections)...

                        I am noticing now the massaging of internet connectivity by cellular telcos (T-Mobile). Probably soon it may block VPN connections. I can envision large ISPs here starting to do that, which would be a bad thing.

                        Last few short vacations here did only utilize my cell phone tethering / VPN to connect back to home.

                        Yeah, here wife works for a bank and they have upped their security (no remote email access anymore) and are doing DR scenarios more often than not lately.

                        There is a lot of Internet paranoia lately and VPN paranoia. Both Russia / China mentioned something about restricting VPN use just in the last couple of weeks.

                        Here in the US it's relating to free untethered Internet access versus what it is that is wanted to be seen on a stifled internetlandia (or which way will it be to make the most money?).

                        Weird because these issues have been around since the beginning of the Internet and lately with the use of many cloud applications.

                        It's sort of like coming up with a recovery scenario for Homeseer after the fact.
                        Last edited by Pete; September 7, 2017, 02:36 PM.
                        - Pete




                          Was testing PFsense to see if it would work on my system, but decided to go the Sophos route instead. Have a clean, one-owner Qotom box (back to factory default) that I'll let go for $200 (shipping included), usually $320 + shipping, if anyone is interested. All loaded up with PFsense and ready to go. I believe this is the box Logbuilder is using.

                          QOTOM Core i5 Fanless Mini PC with 4 Intel LAN ports, 8GB RAM 64GB SSD, HD Video port, 4 USB, 1 COM, Linux Mini PC PFSENSE Router firewall

                          PM me if interested.

                          You can return to your regularly scheduled program now.

                          Thanks,
                          Z

                          Already spoken for. Thanks!
                          Last edited by vasrc; September 8, 2017, 05:33 AM.



                            That is a great deal Z!

                            Still probing the Pacific Rim here (well not in China anymore)....letting my fingers do the walking....

                            I have read good things about those Sophos routers / firewalls.

                            And now a brevity break...



                            A bit curious, here went to the Sophos website and got into a chat about Sophos XG wares with a Sophos sales representative. Interesting, almost AI stuff...(modular pricing and sandbox free testing).
                            Last edited by Pete; September 7, 2017, 10:22 PM.
                            - Pete




                              Originally posted by Pete:
                              That is a great deal Z!

                              Still probing the Pacific Rim here (well not in China anymore)....letting my fingers do the walking....

                              I have read good things about those Sophos routers / firewalls.

                              And now a brevity break...



                              A bit curious, here went to the Sophos website and got into a chat about Sophos XG wares with a Sophos sales representative. Interesting, almost AI stuff...(modular pricing and sandbox free testing).
                              Other than the price (which for me is actually less since I'm replacing two Cisco routers and a firewall), it's pretty nifty stuff... XG stumbled for a while on release, but seems pretty stable now. I suspect Ubiquiti will have something shortly as well since the lead PFsense designer moved there.
                              Firewalls are the new Orange

                              Z



                                So I officially moved over to PFSense yesterday... that was very nerve-wracking, but very calming when I plugged it in place of my edge router... and it worked.

                                One thing that was throwing me for a loop and almost made me scrap the whole project was the VLAN setup. I have 3 VLANs for security purposes and for some reason I could only get an IP address from my main VLAN's DHCP. No matter what, I was unable to get an IP on my other VLANs.

                                So I share the resolution with you here in hopes that you don't run into the same problem (it was kinda silly what the problem was once seen, but that is usually the case with anything computers). I set up my PFSense on an ESXi host, purchased a 4-port Intel NIC that I have tied directly to the router in the ESXi host. The problem was the LAN port configuration on the host. I didn't set it to allow VLAN IDs to be passed through, so because of this only ID 1 was allowed, and that was the reason I was seeing the results I was seeing. Once I changed this to 4095 (allow all VLANs), I started to magically get IPs on all my VLANs.

                                Got all my pinholes put in place between the VLANs (things like allow camera access from its VLAN back to the main one, disable any internet connectivity on the camera VLAN. You want a network scare, look at the traffic coming from your cams on the internet, back to China. You'll lock yours down too).

                                Overall, once I got it set up finally, I am happy with it and it's much easier to manage than my Ubiquiti edge router, with a lot more features.

                                Time will tell if the move was really worth it.

                                Thanks Pete for sparking interest in a project for me.
