Installation of pfSense on Soekris 6501

Transcript

  • 1. watchdog
    http://www.zomers.eu/knowledge/pfSense/Pages/Configure-pfSense-2.0-RC1-to-use-Watchdog-functionality.aspx
    http://www.tnpi.net/wiki/Soekris_Firewall

    Memstick Installer and Serial Console
    http://files.pfsense.org/jimp/pfSense-memstick-2.0.1-RELEASE-i386.img.gz

    Macbook Pro USB to Serial GUC232A
    http://www.oramboston.com/learning-center/blog/bid/75522/Macbook-Pro-USB-to-Serial-GUC232A

    Macbook Pro USB to Serial GUC232A
    This is a pretty specific post. I've recently purchased an Intel-based 17" MacBook Pro and have an IOGear GUC232A USB to Serial converter I use for my console connections to Cisco routers that I've had a heck of a time getting working. BUT, I've finally conquered and wanted to write the steps I performed to alleviate the time spent if I have to do this again:
    1. Download the LATEST driver from Prolific (http://www.prolific.com.tw/eng/downloads.asp?ID=31 - download the file md_pl2303H_HX_X_dmg_v1.2.1.zip)
    2. Run through the install, reboot
    3. The Prolific is a generic driver that works with the GUC232A, so you have to tweak it:
       - Plug the GUC232A into any available USB port on your Mac
       - Open the System Profiler, in /Applications -> Utilities
       - Click USB in the Contents pane
       - Select the GUC232A in the Device Tree; usually it will be listed under USB-Serial Controller
       - Remember the ProductID and VendorID, or keep the System Profiler window open
       - Open the Terminal, in /Applications -> Utilities
       - Use the following command to open the Property List of the Prolific driver:
             sudo nano /System/Library/Extensions/ProlificUsbSerial.kext/Contents/Info.plist
       - Enter your admin password when asked. This is necessary; the ProlificUsbSerial kernel extension is owned by root.
       - Scroll down and find the ProductID and VendorID in the plist file
       - Change the ProductID and VendorID to match your GUC232A's ProductID and VendorID
       - The plist file needs the numbers as integer values, but System Profiler reports the numbers as hex. Use the Calculator to convert the numbers. For example, System Profiler reports the Product ID as 0x2008 and the Vendor ID as 0x0557. The integer value of ProductID is 8200 and the integer value of VendorID is 1367
       - Save the changes (Control-W) and quit (Control-X) nano
       - Unplug the GUC232A
       - Use the following command to load the kernel extension:
             sudo kextload /System/Library/Extensions/ProlificUsbSerial.kext
       - Plug the GUC232A into any available USB port on your Mac
       - Access the network properties window (network port configurations) to enable the usbtoserial device it found
       - Perform an ls /dev command - it should show the tty.usbserial device

    minicom

    How to stop Snort alerts from being generated / how to (not) ignore traffic
    http://oinkmaster.sourceforge.net/avoiding_snort_alerts.txt
        suppress gen_id 111, sig_id 15

    The sqlite & MYSQL libraries are built in, just not active. It's already on the box, you just have to enable it. Actually now that I look mysql is there also. To enable, just do:
  • 2. Code:
        touch /etc/php_dynamodules/pdo
        touch /etc/php_dynamodules/pdo_sqlite
    AND
    Code:
        touch /etc/php_dynamodules/mysql

    Mobile IPsec on 2.0
    http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

    How to set up IPsec tunneling in pfSense 2.0-RELEASE for road warriors
    http://dekapitein.vorkbaard.nl/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors

    pfSense 2.0 RC1 Configure Captive Portal for Guests with Local User Management
    http://blog.stefcho.eu/?p=754

    OpenVPN with RADIUS authentication on pfSense 2.0 RC1
    http://blog.stefcho.eu/?p=545

    pfSense 2.0.1 OpenVPN Bridging guide
    http://hardforum.com/showthread.php?p=1038226511

    Install and Configure pfSense in Your Home Network
    http://www.iceflatline.com/2010/08/install-and-configure-pfsense-in-your-home-network/

    Linux Wireless Driver Support & Capabilities
    http://www.ab9il.net/linuxwireless/wifidrivers2.html

    Comparison of open-source wireless drivers
    http://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers

    FreeBSD Handbook: Chapter 32 Advanced Networking
    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-wireless.html

    OpenSoekris
    http://opensoekris.sourceforge.net/

    Bridging the pfSense 2.x wireless divide
    http://blog.qcsitter.com/BSDay/index.php?/archives/2-Bridging-the-pfSense-2.x-wireless-divide.html

    OS X Lion as a syslog server
    http://wiki.mikrotik.com/wiki/OS_X_Lion_as_a_syslog_server

    HowTo Configure Mac OS X Syslog To Forward Data
    http://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data

    Enable an Apple Mac OS X machine as a syslog server
    http://meinit.nl/enable-apple-mac-os-x-machine-syslog-server

    10.7: Re-enable syslogd for incoming connections
    http://hints.macworld.com/article.php?story=20110724103552640

        syslog -w -r host 192.168.3.1
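The hex-to-integer plist edit from the GUC232A notes above (slide 1), as an added example that is not part of the original presentation or the quoted blog post: a small Python script that converts the IDs System Profiler shows and rewrites them in a kext Info.plist. It assumes the driver's matching keys are the standard IOKit USB keys idVendor and idProduct (the post only calls them VendorID and ProductID), and the sample plist is constructed.

```python
# Added example, not from the presentation or the quoted blog post. Converts the
# hex IDs System Profiler shows (0x0557 / 0x2008 in the post) to the decimal
# integers the plist needs (1367 / 8200) and rewrites them in a Prolific-style
# kext Info.plist. Assumption: the matching keys are the standard IOKit USB keys
# idVendor / idProduct (the post only calls them VendorID / ProductID).
import plistlib

# Constructed sample IOKitPersonalities section with the generic PL2303 IDs.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>IOKitPersonalities</key>
  <dict>
    <key>ProlificUsbSerial</key>
    <dict>
      <key>IOProviderClass</key><string>IOUSBDevice</string>
      <key>idVendor</key><integer>1659</integer>
      <key>idProduct</key><integer>8963</integer>
    </dict>
  </dict>
</dict>
</plist>
"""

def hex_id_to_int(text):
    """'0x2008' (as shown by System Profiler) -> 8200 (as the plist wants it)."""
    return int(text, 16)

def read_ids(plist_bytes):
    """(idVendor, idProduct) for each personality that carries USB match keys."""
    data = plistlib.loads(plist_bytes)
    return [(p["idVendor"], p["idProduct"])
            for p in data["IOKitPersonalities"].values() if "idVendor" in p]

def retarget_personalities(plist_bytes, vendor_hex, product_hex):
    """Return (rewritten plist bytes, number of personalities changed)."""
    data = plistlib.loads(plist_bytes)
    vendor, product = hex_id_to_int(vendor_hex), hex_id_to_int(product_hex)
    changed = 0
    for personality in data["IOKitPersonalities"].values():
        if "idVendor" in personality and "idProduct" in personality:
            personality["idVendor"], personality["idProduct"] = vendor, product
            changed += 1
    return plistlib.dumps(data), changed

if __name__ == "__main__":
    rewritten, n = retarget_personalities(SAMPLE_PLIST, "0x0557", "0x2008")
    print(n, "personalities updated\n", rewritten.decode())
```

Write the returned bytes back over the real Info.plist (as root, as the post notes) and then kextload it; read_ids is there to confirm the edit before loading.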
  • 3. pfsense 2.0 snort 2.9.5 Barnyard2 binary not exist
    http://forum.pfsense.org/index.php/topic,42016.0.html

    FreeSwitch on pfSense Install
    http://doc.pfsense.org/index.php/FreeSWITCH
    http://wiki.fusionpbx.com/index.php?title=PfSense_Install
    http://wiki.freeswitch.org/wiki/Installation_Guide
    http://wiki.freeswitch.org/wiki/Freeswitch_Gui
    http://wiki.fusionpbx.com/index.php/PfSense_Install
    http://192.168.3.1/fusionpbx

    http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#FreeRADIUS_.2B_WLAN_.2B_PEAP_and_MSCHAPv2

    pfSense 2.0 Multi-WAN Failover with Clear Wireless Internet
    http://www.bunkerhollow.com/blogs/matt/archive/2011/07/27/pfsense-2-0-multi-wan-failover-with-clear-wireless-internet.aspx

    Our office has a fast internet connection but they charge for bandwidth overages and no matter what we do, we can’t seem to stay within our plan’s limits. These charges would amount to over $200/month, and with new hires on the way we decided it was time to fix the problem. We figured if we could find a solid WiMAX connection with an unlimited plan we could use that as our primary connection and save even more by dropping our office’s plan to the lowest tier.

    Requirements
    • Speed – reasonable browsing & web development speed for 5-10 employees. Large file transfers or even video streaming isn’t much of a concern, but employees shouldn’t notice a difference with everyday work.
    • Connection Strength – We’re on the top (11th) floor of a Manhattan office building, we have skylights, and our cell phone service is decent, but there’s no way to know if 4G will even work until we give it a try.
    • Failover – When the wireless connection fails or is flaky, which it will inevitably be at times, we want a seamless failover to our office connection as backup. Ideally, this won’t require any special configuration on the client machines.
    • Unchanged Incoming Connections – Our bandwidth problem is with our outgoing traffic only. We don’t want to change any of our NAT/firewall rules for incoming traffic; that should remain incoming over our office plan.

    Network Layout
    • Firewall/Router – Our existing Netgate Hamakua running pfSense 2.0 RC3.
    • WAN Connection 1 – Our existing office connection is the first of our multi-WAN configuration. We will configure this connection as backup.
    • WAN Connection 2 – Clear Wireless (http://clearwirelessinternet.com) seemed to have the lowest prices, and they have a store just a few blocks away at 17th and Broadway. We picked up a 4G unit with unlimited bandwidth for $35/month.
    • LAN – Consists of several hardwired Windows workstations.

    pfSense Configuration
    1. System –> Routing –> Gateways tab: Add gateway for new WAN interface and ensure neither gateway is set as default.
    2. Interfaces –> OPT1: Configure our new WAN interface (connected to our Clear 4G unit).
  • 4.
    3. System –> Routing –> Groups –> Add Group: Create a Gateway Group for Multi-WAN failover.
    4. Firewall –> Rules –> LAN tab –> Edit Default LAN Rule –> Advanced Features –> Gateway –> MULTIWAN: Add the new Gateway Group to the default LAN rule that allows all traffic out.
    5. Done!

    Clear Wireless Review
    So now that we’ve had our 4G failover configured for a few days, let’s take a look at the results.
    • Speed Test – pretty good results for $35 a month. Our 6 users hardly notice any difference in their day-to-day browsing.
    • Multi-WAN Traffic Graphs – The two graphs below represent the traffic over our office WAN (top) and Clear Wireless WAN (bottom). You can see the switchover occurred on Wednesday, and since, not a single packet has traveled over the office network. That’s 6GB of data in only 3 days that won’t be factored in to our office bandwidth. I think lowering our office plan to the bottom tier is a real possibility.
  • 5.
    • Packet Loss Quality – I’m happy to report 0 packet loss and < 20ms delay over Clear Wireless so far! (The packet loss that occurred on Wednesday was our failover testing by unplugging the Clear unit).

    ----

    pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication
    http://blog.stefcho.eu/?p=492

    How do I use a router with the Westell 6100?
    http://members.verizon.net/~res08lyg/6100.htm
    you will most likely need to get the MAC address of the 6100 and clone that to your router.
    http://www.dslreports.com/faq/13600

    How do I use a router with the Westell 6100?
    The 6100 is a modem/router combination unit, meaning it contains a DSL modem and a general purpose NAT (Network Address Translation) router. "Bridging" means disabling both the public and private side of the NAT router, thereby turning the 6100 into a simple DSL-to-Ethernet bridge, or "dumb modem".

    If you are already using a router, or want to, (examples: if you already have your LAN set up and simply need to connect it to the internet or you want to add wireless connectivity to your connection or you want to use an optimised-for-gaming router or you want to add a VoIP router), you will want to bridge the 6100.

    For optimum performance and reliability the connection should only be going through one NAT router. When the connection goes through multiple NAT routers, troubles like NAT conflicts will cause router lock ups and loss of connectivity, and configuring access for things like game consoles, VPN tunnels, remote access, server applications, security cameras, or high-end multiplayer games will be difficult if not impossible.

    Virtually all Westells with a GUI used the white & blue "Westell" branded firmware until sometime in 2007. I believe version 4 was the last white & blue firmware. The red & black "Verizon" branded firmware was rolled out in 2007. You may be running version 5 or 6.

    When the Westell is bridged, it will have no router functions at all, no subnet, no IP, and no default gateway. The router connected to the Westell will acquire and hold the Public IP address and will determine the LAN IP addresses and subnet.

    The Westell 6100 modem/router supplied by Verizon can be used in either Router or Bridge mode. If you are already using a router, or want to, you need to put the modem in Bridge mode or you'll have problems. These instructions apply to the Westell 2200, 6100, 6100F, 327W, and 7500 models.

    • You should follow these instructions with one PC connected to the Westell using the supplied Ethernet cable (CAT5 or CAT5e) and that you are online and able to browse to various web sites. If you already had a LAN setup and were online but needed to replace your modem, temporarily connect one PC directly to the Westell using the supplied Ethernet cable before continuing.
  • 6.
    • Temporarily turn off all firewalls and pop-up blockers on the PC.
    • In your browser's address box, type 192.168.1.1 to access the Modem Configuration utility. When asked for user name and password, enter your router's username and password (the default for the Verizon issued routers is typically "user=admin, password=password").
    • Here you may get a screen titled User Settings; this is asking you to change the username and password for the Westell. Invent and enter a username and a password (record these somewhere so you don't forget them).

    If your Westell uses the white and blue Westell firmware:
    • Now, from the Configuration menu, choose VC configuration, hit the top Edit button. In the popup, set protocol to Bridge.
    • Then below in VC 1 Bridge Settings set the mode to Bridge Early 6100
    • Hit Set VC. Save.
    • Then, again in the Configuration menu, select DHCP Configuration and set the dropdown to OFF. Hit save and log off the utility.
    • Most people don't need any more complex procedures, so try these first. However, on occasion, you will need some additional steps, including cloning MAC addresses. If you have trouble, check out the diagrams and instructions here: mysite.ncnetwork.net/res08lyg/6100.htm

    If your Westell uses the red and black Verizon firmware:
    (Wireless Settings won't be there on the 6100 or 6100F, the left panel may be called "My Modem")
    • Select the My Network icon, then select Network Connections from the left menu. (Only the top two connections will be listed in the 6100 and 6100F)
    • On the Broadband Connection screen click on the words "(Broadband Connection DSL)".
    • PPPoE customers will see this screen. If you use a DHCP type Internet connection the screen will be different; you will have a "release" button in the top section - use it now to release your public IP. Then, locate the VCs section, locate the line "Enabled, VPI 0, and VCI 35 ..." and click the notepad icon under Edit on the right to get to the VC 1 Configuration screen.
    • In the VC 1 Configuration screen open the drop down box beside "Protocol" and choose "Bridge". If your connection type is DHCP the Protocol should already be "Bridge". Once Bridge is chosen, the screen will change – open the drop down box beside "Bridge Mode" and choose "Bridge", then click the Apply button at the bottom. This has disabled the Public side of the 6100's router.
    • The modem will reset. Next you need to disable the Private side, the DHCP server - click the My Network icon again, click Network Connections from the left menu again. On the Broadband Connection screen, click the word "Lan", on the next screen remove the topmost checkmark (Private LAN DHCP Server enable), click apply or save settings.
  • 7.
    • The same page will return. The Westell is now bridged, the Internet light will no longer light, log off the utility.

    Back to common steps:
    • Power down and disconnect the PC from the Westell.
    • Connect the Ethernet cable from the Westell to the port on your router labeled WAN, (or Internet). Connect an Ethernet cable from one of the LAN ports of your router to your PC. Power up the Westell, wait for the DSL light to stop blinking, then power up your router, then the PC. When the PC boots up your firewalls and pop-up blockers may be re-enabled; it may be necessary to turn them off again.
    • Skip this next step if you've already been using your router to supply PPPoE with your username and password.
    • If your router came with a setup disk insert it now, otherwise open a web browser and access the router's GUI, usually at 192.168.0.1, or 192.168.1.1, or 192.168.2.1. If the router has a Setup Wizard use it, otherwise manually configure the router for your Internet connection type. (Note: most routers default to "Automatic" which is DHCP). If you connect via PPPoE you will need to supply your Verizon Username and Password so the router can acquire a Public IP address; if you connect via DHCP you may also need to use the router's MAC cloning feature: enter the MAC address from the Westell's label and your router will use it to acquire a Public IP address.
    • Test that you can browse to some safe web pages, then turn your firewalls and pop-up blockers back on.

    System: Advanced: Admin Access