[guide] pfsense VM on QNAP in 2020

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
User avatar
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

[guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

Firstly, I'm a networking newb still learning. Not an expert on pfsense, but I've read up on it somewhat.

So the guide may not be 100% perfect, but I can get you close enough to setting it up from what I've learned so far, and perhaps others will share what I might have missed while going about doing this guide *crosses fingers :mrgreen:
notes: It's a bit long-winded, so I apologize for that. This isn't a proper clean step-by-step guide (although I do try to point out the necessary things to do to get pfsense to work on the qnap). It's closer to a project diary of my own testing for setting up pfsense, so skip ahead to the sections relevant to what you need to know. It's mostly about setting up pfsense on a qnap nas using a VM, but I will also be mentioning other networking setups to go with the pfsense router, e.g. my wireless ap.


Short version
TLDR: don't install pfsense from the virtual station vm market. I couldn't get that to work right. Instead download pfsense from the main website, then create a VM using virtual station using that downloaded file.

Setting up virtual switches is VERY VERY important. Refer to the guide for the details for how to set that up.

Once your pfsense vm router is online, just do the initial setup. By default the firewall is up and you are protected, but you still need to set a strong password, configure your WAN to set up your broadband connection, and LAN for the DHCP server.

I recommend the pfblocker dev package :} it doesn't use much resource. Suricata however does, so if there is not enough ram, or if you see the cpu load too high, then don't use it.

Credits to the many people I learned from to get this figured out :} of particular note, someone on the qnap reddit posted the proper setup for virtual switches in detail.

https://www.reddit.com/r/qnap/comments/a8kq62/qnap_pfsense_vm_with_bridged_wan_interface_as/ecclv89/

*may edit the short version later with easier/clearer step-by-step instructions when I have time to spare for it. Until then, you may refer to these other guides, and if they don't mention details or you aren't sure about their instructions you can come back here and check whether those things were mentioned or not.

https://trainingrevolution.wordpress.com/2016/09/05/running-pfsense-on-qnap-ts-251/

https://www.reddit.com/r/qnap/comments/a8kq62/qnap_pfsense_vm_with_bridged_wan_interface_as/

https://www.qnap.com/en/how-to/tutorial/article/installing-pfsense-on-a-qnap-nas/

https://poyu.co.uk/2020/06/12/how-to-setup-pfsense-for-qnap/

https://nguvu.org/pfsense/pfsense-baseline-setup/


*update
Moogle's short edition guide

step1: install virtual station

step2: download pfsense community edition amd64

https://www.pfsense.org/download/
note: yes, qnap has pfsense for quick deploy through the vm market. I tried it but it didn't work properly for me.
step3: put that pfsense download onto your qnap, so you can select it later during the install. I put it in a share I use for vm.

step4: install virtual station from the appcenter in qts. Make sure you install it onto an SSD volume. e.g. I'm using a TBS-453DX with raid1 2 x 500gb Crucial mx500 M.2 SSDs. SSDs have good r/w, iops, low latency etc. Make sure to use SSDs for your VMs.
notes: depending on how you are going to use pfsense (how much internet broadband speed, VPN, suricata, many many packages running), you may need the appropriate cpu, ssd and ram to achieve your target. Use reddit and google to find out what specs you require. An intel celeron low power cpu with 4-8 gb should be fine for the average home user, and SSD capacity-wise a 500gb drive is pretty affordable these days.
step5: Go to QTS, virtual switches, and set up the virtual switches according to rsted's guide (read the info he posted for the specifics of setting up the virtual switches)

https://www.reddit.com/r/qnap/comments/a8kq62/qnap_pfsense_vm_with_bridged_wan_interface_as/ecclv89/
notes: qnap recommended setting up the virtual switches differently. You decide who is giving the right answer, I honestly don't know. But rsted's virtual switch config worked for me.

step6: go to virtual station, create a VM. OS: freebsd, version: latest; allocate ram and hard drive space (make sure the hard drive points to your SSD volume for performance reasons); select the pfsense file you downloaded earlier. Then create the VM.

After creating the VM, check the settings for the VM. First thing you want to check is that you assigned the WAN and LAN ports correctly (make sure they are VIRTIO). Check virtual switches whether the settings are correct (refer to rsted's guide and virtual switch topology).

then check the vm hard drive, also virtio. In addition, make sure you set the cache to writethrough. I found this made a performance difference when using cache writethrough for the hdd.


step7: in virtual station, go to pfsense vm console (click on it and the console will pop out in a new browser tab). You should be able to go through the normal pfsense setup


I used UFS. Not sure about the other options.

https://docs.netgate.com/pfsense/en/latest/install/installing-pfsense.html

at some point you will get this screen
Image


type "2" (set interface IP address) to set up the wan and lan ports
Image

set vtnet0 as your wan, and set vtnet1 as your lan. Remember, when you were setting up the pfsense vm in the virtual station settings, to make sure vtnet0 and vtnet1 are both pointing to the correct virtual switch in QTS.

e.g. ethernet port1 = vtnet0 (this you will use for WAN), and ethernet port2 = vtnet1 (LAN)
notes: If the adapters are em0 and em1 instead of vtnet0 and vtnet1, then you forgot to change the Device Model to Virtual Gigabit Ethernet.

for the lan ip, "Y" to configure it. You can then put e.g. 192.168.0.1/24 (this is the pfsense gateway. You use this to login to the pfsense admin ui. Also your client devices use this same gateway to connect to the pfsense network, so that their internet works).
note: the /24 just means a subnet mask of 255.255.255.0
configure the DHCP server as well (assuming you will use the dhcp server?) e.g. 192.168.0.60 - 192.168.0.200
notes: Probably a good idea to leave gaps at the start and end of the range. Notice there is a gap of 1-59 and 201-255 that is outside the dhcp range? That is intentional. You can use those lan ips outside the dhcp range for your pfsense gateway, and for other devices that have static lan ips.

pfsense at some point will be fully set up/running. You will know it's done when you see the shell options again.
Image

at this point it means your pfsense router is fully up and working.

step8: login to the pfsense admin web ui using the lan gateway you set earlier. It will then run you through the wizard config. Change the password, obviously, to something secure.

next you probably want to set up your WAN, so you can connect to your ISP broadband. For special isp requirements like mine, I had to create a PPPOE, then set up a vlan tag for the PPPOE, then go to interfaces and select that created PPPOE for my wan to connect to the isp correctly. This may not necessarily apply to you; it depends on your ISP's requirements for how they expect you to set up your WAN settings to connect to them :)


step9: you are done.
Image



A few more things i'd like to explain that you should know

To update your pfsense, I recommend doing it from the shell. I posted a guide for that here (scroll down)

https://forum.qnap.com/viewtopic.php?f=45&t=155315&start=30#p755400
to install packages, go to pfsense packages.
note: Do not update packages before upgrading pfSense! Either remove all packages or do not update packages before running the upgrade.
to backup your pfsense, you can go to pfsense > diagnostic > backup & restore, to generate a config you can backup/restore. But I found that virtual station pfsense vm snapshots are very reliable for restoring your pfsense vm back to an earlier snapshot from when your pfsense worked correctly. I recommend preserving snapshots, perhaps even scheduling snapshots of your pfsense vm. But if you do restore using snapshots, you probably should reboot your pfsense soon after as well.

to reboot pfsense, go to virtual station pfsense shell console, press "5" and select normal reboot.

pfsense default is good, but I would recommend you check out pfBlockerNG-devel, snort, suricata for better security for your pfsense.
KOM Mar 27, 2019

They don't do the same job so they're hard to directly compare. pfBlocker is good for geo-blocking and DNS blackholing, among other things. Snort/Suricata are true IDSes that inspect packet contents against a ruleset and then reject further traffic from bad hosts.
refer to the long version for more details on this subject.


is it safe to use pfsense vm on qnap for edge router?
An edge router is a specialized router located at a network boundary that enables an internal network to connect to external networks. They are primarily used at two demarcation points: the wide area network (WAN) and the internet.

Image
QNAP reply: The pfSense VM OS should protect your NAS device when your NAS set virtual switch 1 with "do not assign IP address" this option & bundle it with pfSense LAN adapter 1 and NAS LAN adapter 1, but we still suggest you update the NAS latest version of firmware & APPs to protect your NAS device.
you can check elsewhere to find out / ask someone else about that. I'm not an expert on this subject, so honestly I don't know either. But afaik it seems okay so far for my own usage. But if I get hacked, I will be sure to report here :shock:





long version


In 2020 (a bit earlier than that actually), QNAP made Pfsense a bit easier by adding it as an install from the virtual station VM market. It's still not quite a 1-click install deal (a lot of other things need to be done by you as well), but it is a step they helped simplify.

Minimum Hardware Requirements
The minimum hardware requirements for pfSense® 2.4.5-RELEASE are:

CPU 600 MHz or faster

RAM 512 MB or more

4 GB or larger disk drive (SSD, HDD, etc)

One or more compatible network interface cards

Bootable USB drive or CD/DVD-ROM for initial installation

https://docs.netgate.com/pfsense/en/latest/book/hardware/minimum-hardware-requirements.html


Hardware Sizing Guidance
When sizing hardware for pfSense® software, required throughput and necessary features are the primary factors that govern hardware selection.

https://docs.netgate.com/pfsense/en/latest/book/hardware/hardware-sizing-guidance.html



these were the guides I was using to try to set up pfsense on the qnap

https://www.youtube.com/watch?v=5mJ0h6pvKKw

https://www.youtube.com/watch?v=wXMkQQAu5Sg

https://www.qnap.com/en/how-to/tutorial/article/installing-pfsense-on-a-qnap-nas/

https://vshungry.com/hub-vs-switch-vs-router/

https://www.dnsstuff.com/subnet-ip-subnetting-guide
Networking Basics Tutorial | IP Address | Subnet | Gateway

https://www.youtube.com/watch?v=ozG8BWbYY0M
How to configure router and devices for subnetting?
You don't subnet a network, you subnet a network block. If you want two devices to connect to each other without a router between them, they should be on the same network.

https://superuser.com/questions/1350877/how-to-configure-router-and-devices-for-subnetting

various pfsense guides with pics and step by step instructions

https://techexpert.tips/category/pfsense/

https://www.youtube.com/watch?v=9kSZ1oM-4ZM

https://www.youtube.com/watch?v=KRlbkG9Bh6I
Trexx wrote: Fri Aug 31, 2018 11:48 am My guess is that you need more physical NIC ports... basically NIC 1 & 2 are "Used" by PFSense, and you would need a NIC #3 for the "NAS" gateway.

Did you follow the directions from here? https://www.qnap.com/tr-tr/how-to/tutor ... -qnap-nas/
yellowapple wrote: Sat Sep 08, 2018 5:15 pm Hello there,

I confirm that this is working with two interfaces but not on a TBS-453a.

The virtual switch doesn't have an IP, this is not manageable and only layer 2. The NAS is reachable on all interfaces (Vswitch) by default, with the exception of the external one. (External mode)

Your first interface is the External one. No IP !

The second is the local subnet. The NAS is having IP 192.168.0.5/24 ? The Pfsense connected to the two virtual switches must have an IP on the local subnet, in your case 192.168.0.100. (I recommend 192.168.0.254/24)


Is your NAS DHCP server of the PFsense? What is the DNS server?

If you put system default gateway on the virtual switch 2, you must configure the gateway of the virtual switch 2 (NAS) as 192.168.0.100.

You can make a dump on the internal interface of the PF to check incoming packets. What do you see?


Rgds
Laurent

https://forum.qnap.com/viewtopic.php?t=143083
pfSense on QNAP virtualization center - QNAP can't use one of it's own virtual IPs as a gateway?

Disclaimer: this is a type-2 hypervisor issue or perhaps QNAP-centric. Cross-posting here as a last-ditch effort in case anyone has any expertise and advice to offer.

Installed in a VM on my QNAP NAS "Virtualization Center" type-2 hypervisor as a proof of concept using the network topology itemized below. Everything seemed fine until I discovered that the QNAP refused to assign its own default gateway to an IP allocated within a virtual switch config assigned to a VM (for the internal LAN interface to pfSense).

pfSense seems to be operating just fine; the only problem came on the QNAP side of things, where it is refusing to talk to its gateway IP anymore, and wouldn't let me confirm/update the setting to the 192.168.4.1 IP since it belonged to a virtual device.

Any suggestions on how to maybe get this working without having to move pfSense to a separate HW device?

Physical Topology:

wan: cable modem -> QNAP eth4

lan: switch LAG (ports 21-23) -> QNAP bond0 (eth1+eth2+eth3)



QNAP switch config:

virtual switch 1: qnap bond0, static IP on 192.168.4.0/24, gw: 192.168.4.1

virtual switch 4: qnap eth4, no IP config, no dhcp... (assigned dhcp by modem in pfSense)



VM network config for pfSense:

vmeth0 (virtIO driver) <- QNAP virtual switch 4 (WAN), dhcp via cable-modem

vmeth1 (virtIO driver) <- QNAP virtual switch 1 (LAN), static IP 192.168.4.1



TIA,

-Fabrizio

https://www.reddit.com/r/PFSENSE/comments/9z5reg/pfsense_on_qnap_virtualization_center_qnap_cant/
rsted-

Short setup instructions because someone asked. Please note that some networking/pfsense knowledge is required to set this up.



Install pfsense using this guide.

https://www.qnap.com/en/how-to/tutorial/article/installing-pfsense-on-a-qnap-nas/
I used the pfsense ovf provided by QNAP. The basic setup in the tutorial should be enough to get you going. (one WAN side NIC - one LAN side NIC)

Setup your network on the "network and virtual switch" Application on the QNAP according to this picture.

Image

Do not use any NAT or DHCP features from QNAP - all is done by pfsense. When configuring the QNAP vSwitches, don't set an IP address on the pfsense WAN side virtual switch since the pfsense WAN NIC will pull an IP from the Modem/Gateway DHCP. The pfsense LAN side should be configured as a static IP inside the pfsense LAN network range. The QNAP Webinterface should be accessible through this IP.

Connect your PC to the QNAP NIC Port 2 - you should also get an IP address from pfsense DHCP Server.

Set the default gateway on the QNAP to the Pfsense Internal Network Switch (see picture).

all done



Additional hints:

* it's tricky to set this up without locking yourself temporarily out. Some networking knowledge is useful if that happens.

* KVM Switches behave a little slower than physical switches. Take your time and hit ipconfig /renew till you get an IP.

* don't forget to set the pfsense VM to start when the QNAP starts. Otherwise you won't get an IP address when the QNAP reboots.

https://www.reddit.com/r/qnap/comments/a8kq62/qnap_pfsense_vm_with_bridged_wan_interface_as/


and if you accidentally misconfigured something and got locked out, you need to soft reset

https://www.qnap.com/en/how-to/knowledge-base/article/the-different-ways-of-resetting-your-nas-explained/

Out of all these guides, rsted's comment from reddit is probably the best and most simplified guide for setting up pfsense on the QNAP. His config manages to cope using only 2 physical ethernet ports. He even has a Pi-hole in his vm setup, but he sadly did not elaborate on that :(

notes: The QNAP guide is a bit outdated

https://www.qnap.com/en/how-to/tutorial/article/installing-pfsense-on-a-qnap-nas/
There has been a change in virtual station, with the introduction of the vm marketplace. The pfsense from there is a 1-click deployment. You still have to make other configuration settings (setting up virtual switches, configuring pfsense settings), but at least this is one less step to do.
QNAP-
23 May 2019

QNAP released the new VM Marketplace. Located inside the Virtualization Station app, the VM Marketplace allows users to install several prepackaged virtual machine (VM) images for rapid deployment and greater application potential.

Another thing, they didn't bother to explain the finer points in regards to virtual switch creation for use with pfsense like rsted did.


My progress so far (setting up the pfsense vm on the QNAP): I got the internet to work using vlan tagging (this is a special requirement for my ISP, so it may not necessarily apply to you). But I don't think I set it up correctly, because I could not access other lan devices on the network (probably a subnet misconfiguration on my part). I also may have incorrectly set the virtual switches as well (but using rsted's info, I'll try again).


I did however test grc shields up to check that ports are shielded behind the firewall, and it seemingly worked

https://www.grc.com/
Make sure your firewall is working
BY FRANCIS NAVARRO, KOMANDO.COM
SEPTEMBER 9, 2018


One essential tool that keeps hackers from seeing your computer online is a firewall. Even if they manage to know your computer’s location and IP address, the firewall keeps them from accessing your system and your network.

Not sure if you have a firewall in place? Well, newer Windows and Mac systems all have built-in software firewalls for configuring your outgoing and incoming internet ports. Although useful for certain applications, you have to be careful when tweaking your firewall port settings.

A wrong port setting can leave your computer vulnerable to port scanners, giving hackers an opportunity to slip past.

Also, if your computer has been exposed to a virus, it might have changed your port settings without you knowing.

https://www.komando.com/tech-tips/test-your-firewall-to-make-sure-its-working/410026/
This is a complete test of your standard service ports 1-1056.

Why these ports? Internet ports are numbered from 1 through 65535, but according to GRC, ports 1 through 1023 are generally reserved as listening ports for services waiting for incoming connections running on the receiving system.

GRC also added an additional 33 ports due to the “insecure behavior of Microsoft’s Windows operating systems,” bringing this number to 1056. Again, unless done for a specific purpose, these ports should always be scanned as “Stealth” or “Closed.”


On a side note, it seems you can use the pfsense vm with quwan. But there is still no guide yet on how to get the pfsense vm to work with quwan :/ it's a bit complicated ..... (and from the looks of their example, it seems that may require 3 physical ethernet ports, but the device I was testing on was a tbs-453dx which only had 2 ports). Stand-alone setups (either quwan or pfsense) might be simpler to set up, but quwan had issues for people with isp special requirements, because without being able to do the pppoe internet login you get stuck and it won't proceed further.

So for now I'm sticking with getting pfsense to work. Maybe once they fix the quwan issue I'm having with it, I can try that out again.




I may have to postpone the pfsense testing, because I'm expecting my new seagate hard drives to arrive today. So I will be busy with that project first 8)
viewtopic.php?t=155142
Last edited by Moogle Stiltzkin on Mon Jun 29, 2020 6:15 am, edited 27 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

From my brief testing using pfsense, this is what I found out so far

1. pfsense knowledge is a must. Even after watching the guides online to get a rough idea how it works, I was still overwhelmed by the pfsense settings. This is coming from an off-the-shelf Asus router with RT merlin firmware. Yes there are some complicated settings there as well, but not to the extent of pfsense. It feels like you can easily misconfigure something on pfsense due to an inappropriate setting. Pfsense is very powerful and feature rich, but also a lot more complex to configure, especially for laymen such as myself.

2. if you need to reboot your qnap nas, the downtime of roughly 5-10 minutes to fully boot up can be a slight nuisance. So hopefully keep the NAS reboots to a minimum (probably only for qts firmware updates).

3. during the initial setup for pfsense, you can easily get locked out. Worst case scenario you have to soft reset. So make sure you get the lan configuration and virtual switch setup right. Make sure to use the same subnet so your devices can communicate with each other.

4. KVM Switches behave a little slower than physical switches. Take your time and hit ipconfig /renew till you get an IP.

5. don't forget to set the pfsense VM to start when the QNAP starts. Otherwise you won't get an IP address when the QNAP reboots.

6. read rsted's mini guide, especially the part about how to configure the virtual switches for pfsense to use. This is very important during the setup process.

7. in the event you have issues, the windows 10 network troubleshooter MAY help somewhat. This was when I was trying to set this all up from a desktop pc, and I was rolling back to the old router, but had connectivity issues (no internet, couldn't detect other devices even if they were on the same subnet already), so I ran the network troubleshooter, and that helped me get back connectivity. Clearly there are other things you need to check on, but this might help somewhat.
Run the Network troubleshooter. The Network troubleshooter can help diagnose and fix common connection problems.

1. To run the Network troubleshooter
2. Select the Start button > Settings > Network & Internet > Status.
3. Open Network & Internet Status settings
4. Under Change your network settings, select Network troubleshooter.
5. Follow the steps in the troubleshooter, and see if that fixes the problem.
https://support.microsoft.com/en-my/hel ... ion-issues

8. out of the box, the pfsense settings are secure (e.g. firewall). But how you configure the virtual switch part, that is on you :S The correct setup was like rsted explained.
Port1 physical > virtual switch 1 (wan) < pfsense wan (virtual switch) *DO NOT use DHCP or a static ip for this. Just set it as NO IP.

Port2 physical > virtual switch 2 (lan) < pfsense lan (virtual switch) *set a static ip for this (this should be configured as a static IP inside the pfsense LAN network range). The QNAP Webinterface should be accessible through this IP.

You connect your PC to the QNAP NIC Port 2 - you should also get an IP address from the pfsense DHCP Server.

Set the default gateway on the QNAP to the Pfsense Internal Network Switch (see picture).

9. if all goes right, I plan on winding down my ac68u to run in wireless ap mode (to provide the wifi access). Maybe once the latest wireless standard matures I might upgrade, but not right now. I'm pretty okay with my existing wireless gear for now.
ASUS : How to set up Access Point mode
https://www.youtube.com/watch?v=dG3uzfwL-MM
10. pfsense command line explained
https://docs.netgate.com/pfsense/en/lat ... asics.html
to temporarily disable the firewall:

pfctl -d

to re-enable it (the firewall cannot be persistently disabled; it will re-enable at some point):

pfctl -e
11. when entering the pfsense admin web page, make sure it's http:// not https://. These days when you enter a url, it defaults to https://

12. during pfsense admin webui setup, it is important that you disable hardware checksum offloading

Image

Image


13. Default login for pfsense router is
username: admin
password: pfsense

14. to set up cloudflare DOT, follow Lawrence's video guide. Also you can test that it works using this test site
https://www.cloudflare.com/ssl/encrypted-sni/

see, I got mine to work on pfsense (using Lawrence's guide for cloudflare dot) *note: you have to use firefox if you want the SNI test to pass as well.
Image
Last edited by Moogle Stiltzkin on Mon Jun 08, 2020 3:07 pm, edited 14 times in total.
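As an added example (not code from the original posts), a small Python sanity check that models the LAN plan from step7 of the first post (gateway on a /24, DHCP pool with the reserved gaps) together with the virtual switch layout from item 8 above, and reports the mistakes the thread warns about (an IP on the WAN vswitch, the QTS LAN IP inside the DHCP pool, the QNAP default gateway still pointing at the old router). The switch names, host names and the QTS LAN address 192.168.0.5 are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VSwitch:
    """One QTS virtual switch in the two-port layout from rsted's guide."""
    name: str
    role: str        # "wan" or "lan"
    ip: str = None   # CIDR such as "192.168.0.5/24", or None for "do not assign IP address"


@dataclass
class PfsenseLan:
    """pfSense LAN interface (vtnet1) and its DHCP pool as entered in the console setup."""
    address: str     # e.g. "192.168.0.1/24": the gateway clients and the admin ui use
    dhcp_start: str
    dhcp_end: str


@dataclass
class Topology:
    switches: list
    lan: PfsenseLan
    qnap_default_gateway: str
    static_hosts: dict = field(default_factory=dict)  # name -> hand-set LAN IP


def check_topology(t: Topology) -> list:
    """Return misconfiguration findings; an empty list means the layout matches the guide."""
    findings = []
    gw_iface = ipaddress.ip_interface(t.lan.address)
    lan_net, gw = gw_iface.network, gw_iface.ip
    start = ipaddress.ip_address(t.lan.dhcp_start)
    end = ipaddress.ip_address(t.lan.dhcp_end)

    def in_pool(addr):
        return start <= addr <= end

    # The DHCP pool must sit inside the LAN subnet and must not swallow the gateway.
    if start > end:
        findings.append("dhcp pool start is after pool end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in lan_net:
            findings.append(f"dhcp pool {label} {addr} is outside {lan_net}")
    if in_pool(gw):
        findings.append(f"pfsense gateway {gw} sits inside the dhcp pool")

    # QTS vswitches: WAN side carries no IP at all; LAN side has a static IP in the pfSense LAN,
    # in the gap reserved outside the DHCP pool, so QTS stays reachable at a fixed address.
    for sw in t.switches:
        if sw.role == "wan" and sw.ip is not None:
            findings.append(f"{sw.name}: WAN vswitch must be 'do not assign IP address', got {sw.ip}")
        elif sw.role == "lan":
            if sw.ip is None:
                findings.append(f"{sw.name}: LAN vswitch needs a static IP so QTS stays reachable")
                continue
            iface = ipaddress.ip_interface(sw.ip)
            if iface.network != lan_net:
                findings.append(f"{sw.name}: {sw.ip} is not in the pfsense LAN {lan_net}")
            elif iface.ip == gw:
                findings.append(f"{sw.name}: {iface.ip} collides with the pfsense gateway")
            elif in_pool(iface.ip):
                findings.append(f"{sw.name}: {iface.ip} is inside the dhcp pool; use the reserved gap")

    # The QNAP default gateway must be the pfSense LAN address, not the old router.
    if ipaddress.ip_address(t.qnap_default_gateway) != gw:
        findings.append(f"qnap default gateway {t.qnap_default_gateway} != pfsense gateway {gw}")

    # Devices with hand-set addresses belong in the gap outside the pool too.
    for name, ip in t.static_hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in lan_net:
            findings.append(f"{name}: static {ip} is outside {lan_net}")
        elif in_pool(addr):
            findings.append(f"{name}: static {ip} can also be handed out by dhcp")
    return findings


def example_good() -> list:
    """Constructed layout that follows the guide: expected to produce no findings."""
    t = Topology(
        switches=[VSwitch("vswitch1", "wan"), VSwitch("vswitch2", "lan", "192.168.0.5/24")],
        lan=PfsenseLan("192.168.0.1/24", "192.168.0.60", "192.168.0.200"),
        qnap_default_gateway="192.168.0.1",
        static_hosts={"wireless-ap": "192.168.0.2"},
    )
    return check_topology(t)


def example_bad() -> list:
    """Constructed layout with four of the mistakes the thread warns about."""
    t = Topology(
        switches=[VSwitch("vswitch1", "wan", "192.168.0.3/24"),      # WAN side should have no IP
                  VSwitch("vswitch2", "lan", "192.168.0.100/24")],   # inside the dhcp pool
        lan=PfsenseLan("192.168.0.1/24", "192.168.0.60", "192.168.0.200"),
        qnap_default_gateway="192.168.1.1",                          # still the old router
        static_hosts={"printer": "192.168.0.150"},                   # inside the pool
    )
    return check_topology(t)


if __name__ == "__main__":
    for finding in example_bad():
        print("finding:", finding)
```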

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

bonus guides

Remote offsite backup with QNAP and pfSense
https://www.youtube.com/watch?v=pyL6Aqa1lcU


how to setup vlan tagging in pfsense
https://forum.lowyat.net/index.php?show ... ry96926695


pfsense With Suricata Intrusion Detection System: How & When it works and What It Misses
https://www.youtube.com/watch?v=7gZYbIr_Qj4

The Common pfsense Packages / Plugins We Use and Why
https://www.youtube.com/watch?v=oOWjHeqbWUE
a good reference video to help understand qnap's pfsense transparent bridge guide
Kirk Steinklauber

Thanks for this guide!!! Very useful! One of the use cases that I am thinking to use this mode for is to introduce it as a Layer 2 IPS solution to complement an existing edge router / firewall that doesn't have these capabilities, where the client doesn't want to replace this layer but we want enhanced security. It will be in a scenario like this: ISP <--> Edge Router / Firewall <--> PFSense Transparent Bridge <--> L3 Core Switch(es) <--> Access Switches and Wireless Access Points
How To Setup A Transparent Bridge & Firewall With pfsense and Suricata
https://www.youtube.com/watch?v=1EXgyvwJZ6k
Setup Guide / Tutorial for pfBlockerNG 2.2.5 on pfsense with DNSBL & GeoIP Blocking
https://www.youtube.com/watch?v=OJ8HHwpGxHw

DNS Over TLS On pfSense 2.4.5
https://www.youtube.com/watch?v=5mygS-TiT9c

DNS over TLS vs. DNS over HTTPS | Secure DNS
https://www.youtube.com/watch?v=5mygS-TiT9c

Security & Intrusion Detection With pfsense, Suricata, pfblocker and blocking what's missed
https://www.youtube.com/watch?v=nwYCEl287Fw

This video lawrence describes how he uses this setup in pfsense, so he can use the certificate on the router, rather than the one on the NAS, and other devices on the lan. He also shows how he accesses his office offsite over the internet and how he configured his NAT firewall rules for that.


How To Setup ACME, Let's Encrypt, and HAProxy HTTPS offloading on pfsense
https://www.youtube.com/watch?v=gVOEdt-BHDY
Last edited by Moogle Stiltzkin on Wed Jun 10, 2020 4:43 pm, edited 6 times in total.

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

my progress so far.

in one of my attempts, I got the internet to work. But now I can't get it to work. The only difference I set was that virtual switch 1 (wan) has no ip, and also no nat or dhcp (since pfsense does that).

and virtual switch 2 (lan) had a static ip. This is how I access the qnap qts, using this ip.


Another hurdle I got stuck at is getting dhcp to work. I know it doesn't work, because when I use the command line on the desktop pc, it says there is a problem with the dhcp server

ipconfig /renew
I even tried disabling/re-enabling the ethernet port to see if that did anything.


@33:15
https://www.youtube.com/watch?v=5mJ0h6pvKKw


I create the transparent bridge.
Image

Then in the next part it asks to change to dhcp. But I can't. Specifically "4." interfaces > lan > dhcp
Image

so I refer to the troubleshooting section. It says to disable dhcp here and hit apply. As soon as I do that, I can no longer access the pfsense web admin interface. Not quite sure how to proceed from this point. Anyone have any ideas? :S

Image
Last edited by Moogle Stiltzkin on Sun Jun 07, 2020 8:25 am, edited 6 times in total.
User avatar
Trexx
Ask me anything
Posts: 5393
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: [guide] pfsense VM on QNAP in 2020

Post by Trexx »

You may want to look at the free pfSense guide here:

https://docs.netgate.com/manuals/pfsens ... e-book.pdf
Paul

Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350

Model: TVS-673 32GB & TS-228a Offline
-----------------------------------------------------------------------------------------------------------------------------------------
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

Trexx wrote: Sun Jun 07, 2020 7:46 am You may want to look at the free pfSense guide here:

https://docs.netgate.com/manuals/pfsens ... e-book.pdf
i'll check that out. seems there is a troubleshooting portion, maybe i might find some clues there?

7.9.1 Cannot access WebGUI from LAN
Client Gateway Issue
In order for a pfSense firewall to properly route Internet traffic for client PCs, it must be their gateway. If client PCs are
configured using the DHCP server built into pfSense firewalls, this will be set automatically. However, if the clients
receive DHCP information from an alternate DHCP server, or their IP addresses have been entered manually, double
check that their gateway is set for the IP address of the interface to which they connect on the pfSense firewall. For
example, if the clients are on the pfSense LAN interface and the IP address for the LAN interface is 192.168.1.1,
then the gateway address on the client PCs must be set to 192.168.1.1.



Troubleshooting tips by Moogle for how to recover or re-enter pfsense admin webui
I found some methods to back track if you get locked out.

1. Good idea to go to the pfsense UI and create a backup of your config.

2. but if you get locked out of pfsense admin web ui, how to load config? no problem. Go to the virtual station pfsense console, there is an option there to recover from backup. It has a timestamp of changes made (15. restore from recent configuration) . Select from one of those (ideally the one before you made the last change at which point you got locked out). Then you have to reboot the router. There is also an option for the reboot as normal in the command line as well. Pfsense web ui should then work.

3. If your issue is due to firewall locking you out, you can temporarily disable it by going to virtual station pfsense console, then go to the commandline option and enter the following code. Disabling firewall is only temporary, as it may revert at some point (not sure the timing, except this isn't a persistent state).
to temporarily disable the firewall:

pfctl -d

to re-enable it (the firewall cannot be persistently disabled; it will re-enable at some point):

pfctl -e
4. in the command line there is an option for a factory reset (i tried it), but i don't suggest using that. instead there is an initial configuration wizard in command line option "2", which you can rerun if you got that part wrong. But if that couldn't resolve your issue accessing the pfsense admin webui, and recovering via the timestamp method (15. restore from recent configuration) didn't work, then you probably should just remove the pfsense vm and redeploy again. At most you just have to double check the virtual switches are linked, set the pfsense vm to boot up when the qnap reboots, and run option "2" in the command line for the initial setup. Then once you are back inside the pfsense admin webui, you can set up from scratch, or you can immediately restore from your backed up config. easy.


Here is a screencap of commandline options
Image


Update: out of all these methods, i found using virtual station snapshot revert to be the most reliable and quickest method to recover back to a stable setting. just make sure you snapshot and preserve every time BEFORE you plan to make significant changes you aren't sure of.



Anyway, in my case, even if i got back inside the pfsense web ui, i still couldn't figure out what went wrong and how to proceed further with the setup :S


Also, as useful as the official pfsense book is, the narrated guide helps set things up in context for the pfsense vm to work in the QNAP. So i'm not sure that the manual takes that into account. More likely they expect you to extrapolate from that and apply it to your setup.

anyway i made a ticket for helpdesk to see if they can help on the part i'm stuck at. i'm also checking the manual to see if i can find something on this topic.
Last edited by Moogle Stiltzkin on Tue Jun 09, 2020 8:44 am, edited 1 time in total.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

ok i double checked.

i followed the guide but the part when it begins to ask to do a transparent bridge, now i skipped all that.

Image

Image



The only reason i was trying to do the transparent bridge was because i assumed it was the required setting in order to get the virtual switch setup in qnap to work like so
Image


So right now i'm just gonna setup as the nat mode, and ASSUME that the virtual switch would work like in that example above, but without having to configure the transparent mode.

even Rsted's explanation didn't mention any need to set up a transparent mode either for it to work like that.
Image




Anyhow, i also confirmed that DHCP server is working.


First go to pfsense, Diagnostics >ARP Table.

You can view the list of all the connected devices here.

So i see a device which i suspect is my pc desktop. but how to know? simple (find out your mac address for your desktop pc ethernet port). In desktop pc do the following.
Windows 10, 8, 7, Vista:

1. Click Windows Start or press the Windows key.
2. In the search box, type cmd.
3. Press the Enter key. A command window displays.
4. Type ipconfig /all.
5. Press Enter. A physical address displays for each adapter. The physical address is your device's MAC address.


So i confirmed this. The next thing to do, i changed that temporary dhcp lan ip, into a permanent one. To do this, go to

Services > DHCP Server >LAN

from here, right at the bottom there is a "DHCP Static Mappings for this Interface". You can set a static DHCP lan ip for your devices.

I use the DHCP for my desktop pc. For guest devices, they can just be random. But for any other devices where i want to set a static DHCP, then i add them here.

For the QNAP NAS i set the static ip within the QTS virtual switch. The reason i do this instead of DHCP is because if the router for whatever reason gets taken offline, the NAS static lan ip remains intact. I also did similarly for my netgear switch. So if the router is down, the NAS and switch will continue to operate. It could be problematic if the lan ip changes: then all my access suddenly stops working because the old lan ip got released, which is a headache X_X


Just to check if i can access other devices on my network,

i went to diagnostic > traceroute
Image

then i double check the arp table, and sure enough there is now a detected device entry for my hardware switch
Image




some things i'm looking at now
Problem is if I look in "Diagnostics -> ARP Table" for the WAN gateway IP I see "incomplete" for the MAC address and "expired" for the status. When I try to ping 8.8.8.8 from a LAN machine I get "Destination Host Unreachable".

What am I doing wrong? Did I miss a setting or am I not understanding how this should work? Thanks.
https://www.reddit.com/r/PFSENSE/commen ... ully_when/


In pfsense arp entries are not populating in arp table for some host machines
Arp entries are normally found in the arp tables of devices that have had communications with. That is if computer A contacts B, then A will be in B's arp cache and B will be in A's cache. Also, arp entries expire after a while, so there's a good chance there will not be an arp cache entry anywhere for a device. Try pinging another computer and see if there is an arp entry in that device. It should make no difference whether you use DHCP or static addresses, so long as it's a valid address for the network.
https://forum.netgate.com/topic/128711/ ... machines/2


For example, on my asus router, it detects the qnap ts-877. but on the pfsense it's not even detected in arp table, unless i ping it with trace route. why is that :'



Interface Bridges
It is normally best to avoid such configurations as they can be problematic, but they can also be useful for several types of configurations, such as:

1. Bridging a wireless interface to a LAN

2. Transparent firewall (WAN/LAN bridge)

3. Filtering between portions of a single subnet
https://docs.netgate.com/pfsense/en/lat ... idges.html



Help clarify my understanding of the net.link.bridge.pfil* tunables please.
ryanjaeb-
Hi,

I have a question about bridging interfaces and changing the net.link.bridge.pfil_member and net.link.bridge.pfil_bridge system tunables.
The docs for the mentioned tunables say:

By default, traffic is filtered on the member interfaces and not on the bridge interface itself. This behavior may be changed by toggling the values of net.link.bridge.pfil_member and net.link.bridge.pfil_bridge under System > Advanced on the System Tunables tab. With them set at 0 and 1, respectively, then filtering would be performed on the bridge only.
https://forum.netgate.com/topic/90384/h ... les-please
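The two checks the posts above do by hand (the pfSense book's 7.9.1 "Client Gateway Issue" check, and identifying the desktop in Diagnostics > ARP Table by its MAC from `ipconfig /all`) can be scripted. This is an added example, not code from the thread or from pfSense: it parses a constructed `ipconfig /all` excerpt and constructed ARP rows shaped like the pfSense ARP table (interface, IP, MAC, hostname, status), checks that the client's gateway and DHCP server are the pfSense LAN address (192.168.1.1, the value from the book quote), finds the client's MAC in the ARP table, and flags incomplete/expired entries such as the WAN gateway symptom in the reddit quote. All addresses and MACs are placeholders.

```python
"""Cross-check a Windows client against the pfSense LAN (added example, constructed data)."""
import re

# Constructed `ipconfig /all` excerpt (Windows); only the fields we need are present.
IPCONFIG_ALL = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection
   Physical Address. . . . . . . . . : 00-1B-21-AA-BB-CC
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

# Constructed ARP rows shaped like pfSense Diagnostics > ARP Table
# (Interface, IP address, MAC address, Hostname, Status), tab-separated.
PFSENSE_ARP = """\
LAN\t192.168.1.50\t00:1b:21:aa:bb:cc\tdesktop\tPermanent
LAN\t192.168.1.3\t00:1b:21:dd:ee:ff\tswitch\tExpires in 1143 seconds
WAN\t203.0.113.1\t(incomplete)\t\tExpired
"""

PFSENSE_LAN_IP = "192.168.1.1"  # LAN address used in the pfSense book's example


def parse_ipconfig(text):
    """Extract MAC, default gateway and DHCP server from `ipconfig /all` output."""
    def grab(label):
        # Windows pads labels with " . . ." up to the colon; value is the first token after ": ".
        m = re.search(rf"^\s*{re.escape(label)}[ .]*: (\S+)", text, re.MULTILINE)
        return m.group(1) if m else None
    mac = grab("Physical Address")
    return {
        "mac": mac.lower().replace("-", ":") if mac else None,  # normalise to pfSense's form
        "gateway": grab("Default Gateway"),
        "dhcp_server": grab("DHCP Server"),
    }


def parse_arp(text):
    """Parse tab-separated ARP rows into dicts; MACs normalised to lower-case colon form."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, ip, mac, host, status = (line.split("\t") + [""] * 5)[:5]
        rows.append({"iface": iface, "ip": ip, "mac": mac.lower().replace("-", ":"),
                     "host": host, "status": status})
    return rows


def check_client(ipconfig_text, arp_text, lan_ip=PFSENSE_LAN_IP):
    """Return findings; 'ok' is True only when nothing needs attention."""
    client = parse_ipconfig(ipconfig_text)
    arp = parse_arp(arp_text)
    findings = []
    if client["gateway"] != lan_ip:
        findings.append(f"client gateway {client['gateway']} is not the pfSense LAN {lan_ip}")
    if client["dhcp_server"] != lan_ip:
        findings.append(f"DHCP server {client['dhcp_server']} is not pfSense; another DHCP server may be active")
    match = [r for r in arp if r["mac"] == client["mac"]]
    if not match:
        findings.append(f"client MAC {client['mac']} not in ARP table (no recent traffic, or wrong virtual switch)")
    # ARP entries only exist after traffic; an unresolved WAN gateway means no upstream reachability.
    for r in arp:
        if "incomplete" in r["mac"] or r["status"].lower().startswith("expired"):
            findings.append(f"{r['iface']} {r['ip']}: ARP unresolved ({r['mac']}, {r['status']})")
    return {"client": client, "arp_match": match, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    result = check_client(IPCONFIG_ALL, PFSENSE_ARP)
    for finding in result["findings"]:
        print("-", finding)
    print("client identified in ARP table as:", [r["ip"] for r in result["arp_match"]])
```

With the constructed data the client is found as 192.168.1.50 and the only finding is the unresolved WAN gateway entry; change the Default Gateway line to anything else and the gateway check fires first.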
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

ok i did more testing.

i got the internet to work again on the pfsense vm kinda.....


1. shutdown the old router. remove the ethernet wan cable, and put it into the pfsense wan port. The old router is configured with a DHCP server, but i didn't want that interfering with the pfsense dhcp server, so that's another reason i didn't leave it connected to the network. Later i will disable the dhcp server for the asus, and switch it to wireless ap mode. But for now, removing it from the network is one less thing to worry about during the initial setup.

2. in qts virtual switch, make sure port 2 lan uses gateway set for router (this is the lan ip for the pfsense router). also make sure the gateway for the qnap pfsense is fixed to use lan port.

3. in pfsense wan, configure for your ISP e.g. DHCP, PPPOE, etc, whatever is specific to your ISP login.

4. for special isp requirements like mine, also additionally create the vlan tagging in pfsense > interfaces > vlan. This is optional and only if your ISP has such a requirement.

5. now you also need to make sure all your lan devices renew. the way i do this, for switch, i power down, wait 20 or so seconds, then power up. For pc, don't need to do that. Instead i go windows 10 CMD, enter ipconfig /renew

if that doesn't work, i would also disable my ethernet port, then re-enable.

and if that doesn't work, i use the windows 10 ethernet port troubleshoot, then use their suggested fix. It MAY require rebooting the pc.


6. reboot pfsense. the way to do this is to go to qnap qts, then the pfsense vm console. there is an option to reboot. select the reboot normally.

7. after it rebooted, login to pfsense. at this point i confirmed that wan is working in pfsense.

i even tested downloading pfsense packages which requires an internet connection. another confirmation that internet wan works.


i installed a couple of useful packages
- iperf
- pfblockerNG

I just found out the pfblocker wizard is only available in the pfblockerdev version. So i installed the wrong package :S Need that wizard since it's easier for newbies like me.
New #pfBlockerNG-devel Installation Wizard tool!

4 clicks to an entry level installation of IP and DNSBL blocking protection!
https://twitter.com/BBcan177/status/1051280063201710080


Some guides for setting up pfblocker

https://www.youtube.com/watch?v=OJ8HHwpGxHw

https://linuxincluded.com/block-ads-mal ... rng-dnsbl/



I however couldn't install the latest pfsense update. it seems to fail, anyone have any ideas why that is?

just a note, when i first tried to install iperf, it said i should update pfsense first. So i updated pfsense, but one of the items in the list for it failed, then it said the pfsense update failed. but oddly at that point, i could now successfully install the iperf package that i couldn't before.




However i had issues. desktop pc and other network devices including the qnap nas qts, don't seem to have working internet. only the pfsense vm has internet working.

all i can think of is that either
a) i setup virtual switch in qts incorrectly
b) pc needs to be configured to detect the change in gateway. but i don't think this is the case, since other devices are also similarly affected. i also checked windows 10 cmd to confirm it is correctly using the pfsense gateway.
c) maybe i need to setup as transparent mode as qnap suggested for this to work?


bottomline
for my isp requirement, vlan tagging for the port is a must for the internet connection. If i were to do this step in pfsense, the internet would work just fine. But the problem here is, how do i get that to work for a VM on QNAP? i'm trying to mesh a hardware pfsense setup with a VM setup unique to the QNAP. there are no other people who i can refer to on this to get it to work. All i could find for vlan specific to the qnap is the vlan tagging on the physical port. i tried that before but that didn't do anything. setting vlan tagging in pfsense does get the internet to work, but it's limited to only the pfsense vm having internet access (none of my other devices on the network are able to get internet through the pfsense router gateway). I suspect this has something to do with the VM that is preventing this, but i haven't figured out what setting to change :(





Another bug i found, was when i saved pfsense config. i deleted VM, re-create VM. Login to pfsense router, then restore from config. It then reboots. But now i get some sort of error

Europe/Germany PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20131226/intl.so' - Cannot open "/usr/local/lib/php/20131226/intl.so" in Unknown on line 0
i tried going to pfsense > Localization >Timezone and change it to another selection save. then change back to original, save. but that didn't fix it :S Makes me feel like the pfsense config backup may not quite restore it flawlessly. Do i then need to rely on VM backup instead?
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

okay here is another test.

the virtual station vm market is using a slightly older pfsense. installing from vm market is useful because it's a quicker deployment. they already configure the virtual station settings, and added the pfsense virtual switches (you still have to create virtual switches for wan and lan, as well as bind them to the vm switches still).


i just wanted to test how that setup worked and what's different (especially since i couldn't update to the latest pfsense via the UI when doing it via vm market).


I downloaded from here
https://www.pfsense.org/download/

then extract the file, then upload to your qnap. i use filestation to drag and drop. Or you can just browse to the location and copy using windows explorer, whatever works for you.

Then in virtual station, because you didn't use vm market pfsense, now you got to configure everything there yourself. I had the leftover pfsense virtual switch created when trying out vmware previously, so i didn't have to set that at least. (I guess that's a trick, install vmware pfsense, then delete it, now you got that part created for you. then you can back track and install pfsense the other method.)

Anyhow, i remembered how the vmware pfsense configured the vm settings, so i just redid roughly the same e.g. 2 network interfaces, for wan and lan, and set them to virtio. I couldn't remember exactly the settings for hard drive, so i did virtio. But i recall i had some bad performance earlier, so i set it to use cache writethrough (i don't have ups and i'm using SSDs, so i figured is the best option for me).

Image


then run the VM. One thing that is different, is that now you got to do this blue screen setup part (which the vm market pfsense did for you auto)
Image

There is a guide how to do the step by step for this portion

@18:10
https://www.youtube.com/watch?v=EPz2bbfUb2U



I don't know what other changes vm market pfsense does by comparison, but anyway, eventually i managed to get to the full installation using the latest pfsense 2.4.5
Image


I did the simple initial config as i did before. After doing the WAN setting, save, i rebooted (go to the virtual station pfsense vm command line, select "5" reboot, then normal reboot).

At this point there was a big difference. Internet now works fully, for all devices on my network.



I also snapshot my pfsense vm. But i wasn't sure that was going to be sufficient, so i did a VM backup as well, which i am scheduling to do weekly. My pfsense vm backups go to my other NAS located on the same network. So if my TBS-453DX goes kapoot, i'd still have the backup on the TS-877



Having already spent 3 days on this and having to redo setup until i figured stuff out, or when i had to start from scratch due to some bug i found or misconfiguration...... just do yourself a favor and snapshot/backup the pfsense VM. It will save you from so much hassle if you do mess things up 8) You can also do a config backup within pfsense, but from my previous testing trying to recover, it sorta felt buggy, so i will be relying more on VM snapshot revert/restore more.



My solution for getting the internet to work for all devices on the network (may differ depending on your own ISP requirements)
part1: in qts

Make sure your virtual switch setup is like this. Refer to rsted's mini guide i posted earlier for the FULL details (very important)
Image

part2: in pfsense


vnet0 (wan)

vnet1 (lan)

create vlan port tagging (for ISP special requirement. only if it applies to you)

Create a PPPOE, and make sure you select/highlight (vnet0 + v500).


in assignments for WAN, select PPPOE (vnet0 + v500)

reboot pfsense router via cmd line "5" normal reboot


another thing i noticed doing the new method (NOT installing pfsense via vm market. instead i download pfsense img from main website, and installing using that img doing manual setup), was that now the hard drive performance is WAY way faster. before it was very slow, for example, when installing packages from package manager. But i reckon the reason for that was the hard drive setup in virtual station. I suspect that was what made the difference. So if you notice slow performance, check there.

But what i don't get is, why did setting up using pfsense's own img get the internet to work, while the pfsense vm market didn't ??? does anyone know :' was the problem that or the pfsense version? I also ran into other issues before with vm market pfsense, where it had trouble writing certain files, not sure why. The next time there is a new pfsense, i'll try using update pfsense and see if that works in comparison (i can't test that atm).


Now i replaced my old dying asus router, and gonna switch that to a wireless ap mode instead :mrgreen:




benchmarks

FTTH broadband: 100 mbps download / 50 mbps upload


local test
Image


international test
Image


iperf test from pfsense router to ts-877 nas
Image



doing a VPN performance test would be useful but i will have to do that much later when i'm free. basically just testing what kind of performance you can get using vpn on this kind of hardware. but if you google, there should be some results already posted out there on a pfsense router using similar specs (cpu).



hardware:

TBS-453DX (i posted a review)
viewtopic.php?t=149616
Intel Celeron J4105 quad-core 1.5 GHz processor (burst up to 2.5 GHz)
4gb DDR4 ram (recommend more ram if you intend to use suricata)

Desktop pc: Ivy bridge i7-3770 (intel nics)


TS-877 (to backup the pfsense VM to. You don't need a 2nd full blown nas although that is neat if you do, you can also just use an external storage device connected to the QNAP nas running the pfsense).


8 x 1gbe port managed switch.


Asus ac68U (wireless ap mode)



in summary this is now my network layout
Modem > tbs-453dx (pfsense VM router) > switch ( ac68u for wireless ap + desktop pc + ts-877 + another switch for more ports in a different room using wired networking through the walls [ more devices connected, like hdtv, laptops, android box, etc ] )
later i will add the asus router to one of the switches, and configure as wireless ap mode. that will be for wireless access.



With the ts-877, i do have a wireless adapter card installed, so it's possible that you could setup wireless ap from pfsense to that installed wireless adapter. But i'm perfectly happy using the tbs-453dx for the pfsense, rather than my main nas, in case something goes wrong. I need 24/7 uptime on main nas, so i don't want to put my router on it, although you can if you want to.
Last edited by Moogle Stiltzkin on Fri Jun 26, 2020 7:51 am, edited 5 times in total.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: [guide] pfsense VM on QNAP in 2020

Post by AlastairStevenson »

Well done for getting there, and for sharing your journey (as you always do ...) for the benefit of others.
another thing i noticed doing the new method (NOT installing pfsense via vm market. instead i download pfsense img from main website, and installing using that img doing manual setup), was that now the hard drive performance is WAY way faster. before it was very slow, for example, when installing packages from package manager. But i don't think the reason for that was the hard drive setup in virtual station. I suspect that was what made the difference. So if you notice slow performance, check there.
On the non-VM market installation - have you checked out your ISP upload speed and how does it compare to what was previously achieved?
I did a PFsense install a couple of months back on a TVS-473 and am pretty happy with it.
The ISP download speed lost about 5%, which I was OK with.
But the upload speed lost nearly 50%, which I wasn't.
The fix was to disable the 'Hardware checksum offload' in the Advanced Networking settings.
That fixed it - now only about 5% down on what it used to be.
Screenshot_2020-06-07 pfSense kinkell - System Advanced Networking.png
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
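The hardware checksum offload setting above is toggled in the pfSense GUI, but it is worth verifying at the OS level that the change actually reached the virtio interfaces, since the offload state is visible in the `options=<...>` line of FreeBSD's `ifconfig`. This is an added example, not from the thread and not pfSense code: it parses constructed `ifconfig` output (interface names vtnet0/vtnet1 and the MACs are placeholders), lists which offload options are still enabled per Ethernet interface, and builds the FreeBSD `ifconfig` command that clears them. The flag names (`-rxcsum`, `-txcsum`, `-rxcsum6`, `-txcsum6`, `-tso`, `-lro`) are FreeBSD ifconfig(8) options; that the pfSense checkbox corresponds to clearing exactly these is my assumption, and anything set by hand with `ifconfig` is not persisted across a reboot, so the GUI setting remains the supported way to make the change.

```python
"""Report hardware offload state on pfSense's (FreeBSD) interfaces (added example, constructed data)."""
import re

# Constructed `ifconfig` output in FreeBSD's format. vtnet0 still has checksum offload
# enabled, vtnet1 has had it cleared already, lo0 is a non-Ethernet interface to skip.
IFCONFIG_OUTPUT = """\
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
\tether 52:54:00:aa:bb:01
\tinet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
\tstatus: active
vtnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
\tether 52:54:00:aa:bb:02
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
\tstatus: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\toptions=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
\tinet 127.0.0.1 netmask 0xff000000
"""

# Offload option as shown by ifconfig -> ifconfig(8) flag that clears it (assumed mapping).
OFFLOAD_FLAGS = {
    "RXCSUM": "-rxcsum", "TXCSUM": "-txcsum",
    "RXCSUM_IPV6": "-rxcsum6", "TXCSUM_IPV6": "-txcsum6",
    "TSO4": "-tso", "TSO6": "-tso", "LRO": "-lro",
}


def parse_ifconfig(text):
    """Return {ifname: {'options': set(...), 'ether': mac or None}} per interface block."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)  # interface header lines are unindented
        if head:
            current = head.group(1)
            ifaces[current] = {"options": set(), "ether": None}
            continue
        if current is None:
            continue
        opt = re.match(r"^\s*options=[0-9a-fA-F]+<([^>]*)>", line)
        if opt:
            ifaces[current]["options"] = set(filter(None, opt.group(1).split(",")))
        eth = re.match(r"^\s*ether (\S+)", line)
        if eth:
            ifaces[current]["ether"] = eth.group(1)
    return ifaces


def offload_report(text, only_ethernet=True):
    """Map each interface to the sorted offload options it still has enabled."""
    report = {}
    for name, info in parse_ifconfig(text).items():
        if only_ethernet and info["ether"] is None:
            continue  # loopback etc. have no MAC; offload there is irrelevant
        report[name] = sorted(o for o in info["options"] if o in OFFLOAD_FLAGS)
    return report


def disable_command(ifname, enabled_options):
    """Build the ifconfig command that clears the given offload options, or None if nothing to do."""
    flags = sorted({OFFLOAD_FLAGS[o] for o in enabled_options})
    return f"ifconfig {ifname} {' '.join(flags)}" if flags else None


if __name__ == "__main__":
    for ifname, enabled in offload_report(IFCONFIG_OUTPUT).items():
        print(ifname, "offload enabled:", enabled or "none")
        cmd = disable_command(ifname, enabled)
        if cmd:
            print("  to clear (non-persistent):", cmd)
```

On a real firewall the same functions can be fed the output of `ifconfig` from the pfSense shell; an interface that still lists RXCSUM/TXCSUM after the GUI change and a reboot means the setting did not take effect.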
User avatar
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

thx steve Image

yeah i was fed up that the guides weren't quite cutting it for me (i'm sorry qnap, but you need to get a better mic for your youtube channel. also no offense but the thick accents are a bit hard to listen to at times), so i had to make my own. the devil's in the details Image

AlastairStevenson wrote: Sun Jun 07, 2020 6:23 pm Well done for getting there, and for sharing your journey (as you always do ...) for the benefit of others.
another thing i noticed doing the new method (NOT installing pfsense via vm market. instead i download pfsense img from main website, and installing using that img doing manual setup), was that now the hard drive performance is WAY way faster. before it was very slow, for example, when installing packages from package manager. But i don't think the reason for that was the hard drive setup in virtual station. I suspect that was what made the difference. So if you notice slow performance, check there.
On the non-VM market installation - have you checked out your ISP upload speed and how does it compare to what was previously achieved?
I did a PFsense install a couple of months back on a TVS-473 and am pretty happy with it.
The ISP download speed lost about 5%, which I was OK with.
But the upload speed lost nearly 50%, which I wasn't.
The fix was to disable the 'Hardware checksum offload' in the Advanced Networking settings.
That fixed it - now only about 5% down on what it used to be.
Screenshot_2020-06-07 pfSense kinkell - System Advanced Networking.png
that is very insightful, thx for the share. all i knew was, they told us to disable it, but not sure what the effects were if you didn't. guess we know now :shock:




i found out more nuggets of gold to share from tinkering with pfsense (loving it to death Image now that i discovered revert snapshots is easy peasy lemon squeezy to recover from a misconfig Image)



during pfblocker update, i noticed some failed list updates. but fret not, this is not due to your own fault. TLDR: easylist and others are using outdated ssl certs.... so the problem is on their end.... they need to update those certs
https://forum.netgate.com/topic/154044/ ... ed-cert/20


sishgupta

This is to be expected.

Currently, there is little you can do due to the nature of HTTPS.

You're trying to visit the HTTPS version of a blocked site, so the URL stays HTTPS. You then connect to the DNSBL web server (for the block) instead of the real web server. Your browser is expecting the real SSL cert for the site, but instead gets DNSBL's SSL cert, so throws the error.

The next version of PFBlockerNG will have an option to not forward https sites to the DNSBL and just return nothing.

If its a huge problem for you for specific users (some people HATE looking at this stuff, but i find im rarely affected), you can set manual DNS returns per site and point them to 0.0.0.0 or some other non returning IP.

I usually like to be WAY MORE SPECIFIC with my help but I've locked myself out of my home network today and I can't view my UI.
https://www.reddit.com/r/pfBlockerNG/co ... b_address/

BBCan177

Dev of pfBlockerNG-

No, that will not fix that issue... The browser will see the cert doesn't match the blocked domain. Otherwise you would have to MITM the connection which the pkg doesn't do.

You can create a new DNSBL Feed in DNSBL, and add those specific domains to the Custom list at the bottom of the page, and set the Logging to Disabled, and the Group Order to Primary. Follow that with a Force reload. This will null block (0.0.0.0) instead of using the DNSBL VIP address and avoid those cert errors.

The upcoming python integrations will have more improvements for this.
https://www.reddit.com/r/pfBlockerNG/co ... ver_https/




If you misconfigured your pfsense router settings ( something went wrong for me Image, when i blocked inbound to africa, asia etc....), the only way i could recover from this, was to use the snapshot, revert in virtual station. When router was fully booted, it took a couple of minutes before my desktop pc confirmed that the internet was working again.

so keep a couple of snapshots
- a clean install
- a stable config
- and every couple of steps, create a snapshot. and when you are done, you can delete them. then do a final stable snapshot and PRESERVE it, so it doesn't accidentally get deleted.

AlastairStevenson wrote: Sun Jun 07, 2020 6:23 pm On the non-VM market installation - have you checked out your ISP upload speed and how does it compare to what was previously achieved?
Yes i checked for NON-vm market installation pfsense. those screenshots were for that.

However for VM MARKET installation pfsense, i was having big issues getting the internet to work right when i was setting pfsense up with that method.

The method that ultimately worked for me was downloading pfsense manually from the pfsense website (non-VM market installation), and installing using that image file. I have no idea why that worked differently. Is it because of the pfsense version difference? or something that vm market pfsense does not configure correctly, that just messes things up (i'm suspecting the latter. need more verification from others).

But the results from the benchmarks i did do, i have zero complaints because it achieved close to my max. doesn't seem like there is any bottleneck on my pfsense router hardware at least. seems the problem is based on server location and ISP throttling (if any) for those international servers.
Last edited by Moogle Stiltzkin on Mon Jun 08, 2020 9:06 am, edited 5 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

Okay i completed phase 2. Turn previous asus ac68u router into access point mode (for wireless).


after googling, i found one guide that actually worked
Peet1345 May 19, 2015

Asus in ap mode.

Cable from pfsense lan(or switch on network) to 1 of the 4 switch ports on asus(not the wan port).

Example: Pfsense lan network 192.168.1.1 , asus static ip 192.168.1.2

This works on my asus and pfsense.

If it is safe i still am investigating, it is still new to me.

Now your lan and wifi is on the same network.

I think it is better to put the asus router on its own network card (or usb to network card cable).

https://forum.pfsense.org/index.php?topic=81014.0
hda May 18, 2015

Give the AP a static and on the pfSense-LAN(switch), outside the DHCP pool. Do not use the dhcp of the AP. Kill it.

just to clarify a few points.

i set up the static ip on the asus admin ui. i did not reserve any ip on pfsense, doesn't seem like that was needed. however he was correct that you should keep the asus wireless ap outside of the pfsense dhcp range.

e.g. 192.168.1.90 - 192.168.1.200 (pfsense DHCP range)

pfsense router gateway (192.168.1.40)

asus wireless ap (192.168.1.50)


notice that both the router and the wireless ap are both outside the dhcp range. do that also for any other device on your network with a static lan ip.

In some scenarios, you can reserve dhcp lan ips for connected device. probably not do that for the asus wireless ap setup :'


the only con for this setup, is that now i am running 2 different pieces of equipment running up an electricity bill. but on the plus side, i can repurpose my old asus router, and use it exclusively as a wireless ap. Because the tbs-453dx nas does not have any wireless ap capability. Saves me from having to purchase a ubiquiti wireless ap (although that would be nice)


in an ideal setup, you would have like a ubiquiti wireless ap, on the roof. the ethernet wiring would have to be installed through the walls, going there. it's a POE device, so it would also need a POE switch to power it via the ethernet as well.

https://www.youtube.com/watch?v=4QHrS-Rm9MQ

*there is a poe converter as well. maybe poe switch not required.
https://www.youtube.com/watch?v=jwa2FN44rFk



Wi-Fi 6 Is Here: Should You Upgrade to Wi-Fi 6 in 2020?
What Is Wi-Fi 6, and Why Should You Care?
Wi-Fi 6 is the latest generation of the Wi-Fi standard. The Wi-Fi Alliance retroactively renamed older standards, so 802.11ac is Wi-Fi 5 and 802.11n is Wi-Fi 4. Wi-Fi 6 is also known as 802.11ax, but version numbers make things much simpler. It’s easy to understand which versions of Wi-Fi are faster and newer.

When using a router with just a single device, Wi-Fi 6 could offer up to 40% faster data transfer speeds. But Wi-Fi 6 should really shine in crowded areas where the airwaves are congested. Intel claims Wi-Fi 6 will improve each user’s average speed by “at least four times” in such areas. Whether it’s the public Wi-Fi in a busy café or your own home Wi-Fi in a dense apartment building, Wi-Fi 6 could improve speeds.
https://www.howtogeek.com/525698/wi-fi- ... 6-in-2020/
Last edited by Moogle Stiltzkin on Mon Jun 08, 2020 11:30 pm, edited 1 time in total.
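The addressing rule in the post above (router and access point inside the LAN subnet but outside the DHCP pool, every static host on a unique address) is easy to get wrong when more devices are added later. The following is an added example, not code from the thread or from pfSense, that checks a plan like the one described; the LAN 192.168.1.0/24, pool .90-.200, gateway .40 and AP .50 are the values from the post, the function and device names are mine:

```python
import ipaddress


def check_lan_plan(lan_cidr, dhcp_start, dhcp_end, static_hosts):
    """Return a list of problems; an empty list means the plan is consistent.

    static_hosts maps a device name to the static IP it was given.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    problems = []

    # The pool itself must lie inside the subnet and be ordered.
    if start not in lan or end not in lan:
        problems.append(f"DHCP pool {start}-{end} is not inside {lan}")
    elif start > end:
        problems.append(f"DHCP pool start {start} is after its end {end}")

    seen = {}
    for name, ip_text in static_hosts.items():
        ip = ipaddress.ip_address(ip_text)
        if ip not in lan:
            problems.append(f"{name} {ip} is outside {lan}")
        elif ip in (lan.network_address, lan.broadcast_address):
            problems.append(f"{name} {ip} is the network or broadcast address")
        elif start <= ip <= end:
            # A static host inside the pool will eventually collide with a lease.
            problems.append(f"{name} {ip} is inside the DHCP pool {start}-{end}")
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} both use {ip}")
        seen[ip] = name
    return problems


# The layout from the post: pool .90-.200, pfSense on .40, Asus AP on .50.
LAN = "192.168.1.0/24"
DHCP_START, DHCP_END = "192.168.1.90", "192.168.1.200"
STATIC_HOSTS = {
    "pfsense-gateway": "192.168.1.40",
    "asus-ap": "192.168.1.50",
}


def check_post_plan():
    """Run the check on the thread's own values."""
    return check_lan_plan(LAN, DHCP_START, DHCP_END, STATIC_HOSTS)


if __name__ == "__main__":
    for problem in check_post_plan() or ["plan is consistent"]:
        print(problem)
```

The check covers address layout only; the other half of hda's advice, disabling the DHCP server on the AP so that only pfSense hands out leases, has to be verified in the AP's own settings.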
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

hm.... ran into an issue where i couldn't access a website kinda.

Mudah.my

problem is, once i sign in (if you are not signed in, it works fine for that), i cannot click "post free ad".

i cannot figure out what in pfsense may be causing this. this is a recent issue, and i suspect it might be pfsense related x_x; any ideas?

But these fixes in react app will not be enough, because codesandbox uses https and login api is using http. This will give the following error:
Mixed Content: The page at 'https://hkj22.csb.app/Login' was loaded over HTTPS, but requested an insecure resource 'http://***/api/authenticate'. This request has been blocked; the content must be served over HTTPS.
And the only way to resolve this problem seems to be to use https for the api as described in this answer.

You can contact api owner to host his api using https.
https://stackoverflow.com/questions/592 ... login-page
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: [guide] pfsense VM on QNAP in 2020

Post by AlastairStevenson »

i cannot figure out what in pfsense may be causing this. this is a recent issue, and i suspect it might be pfsense related x_x; any ideas?
Dumb question, for which apologies :
Have you checked the PFsense firewall logs to see what it didn't like?
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin »

Issue resolved. i suspect the website itself was the one at fault. because i barely made any changes but now it works. very odd.
AlastairStevenson wrote: Sun Jun 07, 2020 11:58 pm
i cannot figure out what in pfsense may be causing this. this is a recent issue, and i suspect it might be pfsense related x_x; any ideas?
Dumb question, for which apologies :
Have you checked the PFsense firewall logs to see what it didn't like?
no i haven't yet.

at first i thought maybe pfblocker sinkholed an ad or something. but when i check report, nothing. in the end i reverted to an older snapshot with pfblocker removed, so one less thing out of the equation during troubleshoot.

still same.

i'll try looking at the firewall :'


right now it's just a suspicion it may be related to pfsense, because the site worked fine on the asus router.

i checked "isitdown", i checked the social site comments in case the site had issues that day or recently.

also check if site is broken
http://validator.w3.org/checklink?uri=h ... heck=Check



hopefully i figure this out.

RESOLVED. fdm youtube download works.
Another odd thing i noticed was, free download manager. Before i could add youtube links and download. But now i can't and i'm not sure why.


another download manager, maybe is a clue?

I'll try rebooting the router later and test again. could be because a reboot was overdue because of changing settings, i'm not sure.



Other than those 2 quirks which i haven't figured out yet,
i'm pretty surprised at how efficient and fully featured pfsense is. the usage of qnap's virtual station snapshots and vm backup feature makes this whole process of trial and error very convenient :D also updating router via UI is a cinch. also installing useful packages, and great ones like pfblocker among others.

I hear good things about suricata, but i've partitioned 2gb out of 4gb for use for pfsense. i'm guessing this is not going to be nearly enough for suricata.
KOM Mar 27, 2019

pfBlocker is good for geo-blocking and DNS blackholing, among other things.

Snort/Suricata are true IDSes that inspect packet contents against a ruleset and then reject further traffic from bad hosts.

I don't use either so I have no guidance about installation sequence.
Raffi_ Mar 27, 2019,

I would suggest looking at this thread.
https://forum.netgate.com/topic/141743/ ... -interface

Bill lays out great advice for a start with IDS/IPS. I think this pretty much applies to both Snort and Suricata.

I personally started out using Snort, but ran into an error which caused Snort to fail starting up. If I remember, I think it was due to typos in a set of rules during an update. So it was not technically an issue with Snort, but Snort wasn't able to handle it very well. I don't know if that has changed since then, but to me that was a deal breaker. I switched to Suricata and it has been great since. Suricata does not support all the different lists that Snort does such as the OpenAppID, but to me having an IPS running is more important than having one that does not run at all due to a mistake in a rule.
bmeeks Mar 27, 2019

There is no security significant difference between Snort and Suricata. Both do essentially the same thing, and both do it well. Each package has its own "selling points", but some of them are more fluff than anything else. For example, Suricata is multi-threaded while Snort is not, but that really makes about zero difference in the actual throughput under real-world traffic conditions. Under limited laboratory test setups, yes multi-threaded can be slightly better; but with the mix of packet types you get with real-world network traffic some of the multi-threaded advantages disappear because at some point in the processing chain those threads need to all get back out to the same place (the network stack). Snort does offer their OpenAppID Layer 7 inspection engine and associated stub rules. Suricata has nothing like that. Suricata, on the other hand, will simply log an error and reject any rule with a syntax error when loading rules. Snort will totally barf and refuse to continue startup when it encounters a rule syntax error.
kashifz Apr 22, 2019
Hi, Aljames, To answer your first part of question, yes IPS/IDS necessary if you want to protect your data, pfBlockerNG is a simple tool works with list of IP addresses, a good tool to prevent bad IP addresses to communicate with your network but IPS perform much more than that, it makes decisions of allow or deny using defined rule sets.
You can use PfBlockNG along with snort or Suricata initially but eventually it will cost you more hardware, for better performance you can use PfBlocker ACL's in SNORT or Suricata both use multithreads and equally good.
I hope you will get your answer, please let me know if you want me to add more.
johnpoz-

Sorry but NO IT ISN'T!!

Nor is pfblocker a requirement...

Only thing you mention that might have any sort of inbound traffic would be your nextcloud... Where exactly are you going to be accessing this nextcloud from? Who will be using it and how? If you want to access your nextcloud data while you're remote - you can just vpn in.

Saying you need a IDS/IPS to secure your data is like saying you can not be safe in your home without seal team six guarding it..
bmeeks Apr 22, 2019

@johnpoz is correct. Having an IDS/IPS or pfBlockerNG is not mandatory to secure your data. They are just two of many different tools that when used in the right context for the right reason can enhance security. But they are not required. It all depends on the specific network that needs protection and what constitutes "normal" traffic on that network.

My personal opinion is that most small home networks really don't need either package. The very best security practice is simply being committed to keeping your software packages updated. This means the firewall itself and of course any client applications on PCs, tablets, phones, etc. That simple practice goes a very long way towards enhancing security.

If you have network users at home that are what I call "free clickers" (meaning they will click on any link anywhere .. 😁 ), then it might be helpful to have some additional tool such as an IDS/IPS or pfBlockerNG to help protect those users from themselves. On the other hand, if you have responsible, alert and careful users (that watch what they click), you may very well need nothing else besides maybe the built-in anti-virus that comes with Windows just so you can scan any files you download.

In a business network, there are other considerations where using an IDS/IPS or a tool such as pfBlockerNG with its geo-blocking capability is helpful to security. A great use of an IDS/IPS in a business network is to let it scan outbound traffic using rules that look for malware CNC server and botnet destinations, traffic destined to known untrusted countries, or any other traffic that should not normally be exiting your network. For example, if you have internal DNS servers that clients are configured to use, you could have a rule that would alert on any outbound DNS request that did not originate from your internal DNS server. Another handy thing for business networks would be using Snort's OpenAppID technology to identify non-work related traffic that violates a business policy.

I am not a fan of having a list of say a couple of million IP addresses that my firewall is actively blocking. I would instead turn that around and be much more specific with what I allow in and then let the default deny rule take care of everything else. Your firewall will sweat a lot less and you won't have memory and stability issues caused by having huge IP block lists. Do a quick search here on the forum for users posting about Unbound problems that are frequently the result of having huge DNS blacklists enabled. I know some folks use this feature for ad blocking, but I prefer to do ad blocking at the client level using tools like uBlock Origin in the browser. Between that and AdBlock for YouTube I don't see a single ad on any web site I visit or any YouTube video I watch. Granted I'm an old fart and do my web browsing on a PC where the screen is big enough for me to see it ... 😁 . Maybe if all my browsing was on my iPad or iPhone, where ad blockers are not as prolific, I might go for something like Pi-Hole or DNSBL.

Just my two cents worth for the debate ...
Bill
https://forum.netgate.com/topic/141946/ ... fblocker/4





more tips to share

i was watching about pfsense packages, and spotted some useful info
Matheson Steplock

I installed arpwatch on my server a couple of weeks ago, the first couple of days it was annoying but now it has all my devices in its database and now it's useful since it gives me the ip of new devices I usually have to manually find in the dhcp and if I don't know what the device is it will alert me so I know there is a problem
https://www.youtube.com/watch?v=oOWjHeqbWUE


Because the thing is, with pfsense, it didn't seem to fully detect all my devices, whereas my asus router did. but i suspect using arpwatch may solve that.


another one i liked was "Traffic Totals". very useful for keeping a history on your bandwidth usage :mrgreen:


Which one is better and the difference between Pi-Hole and pfBlockerNG
https://www.youtube.com/watch?v=6wToQrcvkF8
Last edited by Moogle Stiltzkin on Mon Jun 08, 2020 4:20 pm, edited 1 time in total.
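Two points in the quoted Netgate discussion are worth seeing in code: bmeeks' observation that Suricata logs and rejects a rule with a syntax error while Snort refuses to start, and his suggested business-network rule that alerts on outbound DNS which did not originate from the internal DNS server. The block below is an added example, not code from the thread, pfSense, Snort or Suricata: a toy rule loader with a lenient and a strict mode, run over constructed, simplified firewall records. It understands only a small subset of the Snort/Suricata rule grammar; the 192.168.1.0/24 LAN comes from the thread, while placing the internal resolver on the pfSense gateway 192.168.1.40, the rule text, the variable names and the records are my assumptions:

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed network layout (only the 192.168.1.x LAN is from the thread).
VARIABLES = {
    "$HOME_NET": "192.168.1.0/24",
    "$INTERNAL_DNS": "192.168.1.40/32",  # assumption: resolver runs on the gateway
}

# Subset of the rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass)\s+(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
MSG_RE = re.compile(r'msg:"([^"]*)"')


@dataclass
class Rule:
    action: str
    proto: str
    src: str    # CIDR or "any", optionally prefixed with "!"
    sport: str
    dst: str
    dport: str
    msg: str


def _expand(token):
    """Resolve a $VARIABLE and validate the CIDR; undefined names are errors."""
    neg = token.startswith("!")
    body = token[1:] if neg else token
    if body.startswith("$"):
        if body not in VARIABLES:
            raise ValueError(f"undefined variable {body}")
        body = VARIABLES[body]
    if body != "any":
        ipaddress.ip_network(body, strict=False)
    return ("!" if neg else "") + body


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("malformed rule header")
    msg = MSG_RE.search(m.group("opts"))
    if not msg:
        raise ValueError("rule has no msg option")
    return Rule(m.group("action"), m.group("proto"),
                _expand(m.group("src")), m.group("sport"),
                _expand(m.group("dst")), m.group("dport"), msg.group(1))


def load_rules(text, strict):
    """strict=True aborts on the first bad rule (the startup failure described
    for Snort); strict=False records the error and keeps the good rules.
    Returns (rules, errors)."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            if strict:
                raise ValueError(f"line {lineno}: {exc}") from exc
            errors.append(f"line {lineno}: {exc}")
    return rules, errors


def _addr_ok(spec, ip):
    if spec == "any":
        return True
    neg = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != neg


def _port_ok(spec, port):
    return spec == "any" or spec == port


def matches(rule, proto, src, sport, dst, dport):
    return (rule.proto in ("ip", proto) and _addr_ok(rule.src, src)
            and _port_ok(rule.sport, sport) and _addr_ok(rule.dst, dst)
            and _port_ok(rule.dport, dport))


def detect(rules, records):
    """records are 'proto,src,sport,dst,dport' strings; returns (record, msg) hits."""
    hits = []
    for rec in records:
        fields = rec.split(",")
        for rule in rules:
            if matches(rule, *fields):
                hits.append((rec, rule.msg))
    return hits


RULES = """
# outbound DNS that bypasses the internal resolver
alert udp !$INTERNAL_DNS any -> !$HOME_NET 53 (msg:"Outbound DNS not from internal resolver"; sid:1000001;)
alert tcp !$INTERNAL_DNS any -> !$HOME_NET 53 (msg:"Outbound DNS/TCP not from internal resolver"; sid:1000002;)
# two deliberately broken rules, as a feed update might ship them
alert udp $HOME_NET any !$HOME_NET 53 (msg:"missing direction token"; sid:1000003;)
alert udp $DMZ_NET any -> any 53 (msg:"undefined variable"; sid:1000004;)
"""

# Constructed records, not real pfSense filter log output.
RECORDS = [
    "udp,192.168.1.120,51000,8.8.8.8,53",       # client talks to public DNS directly
    "udp,192.168.1.40,40000,1.1.1.1,53",        # the internal resolver doing its job
    "tcp,192.168.1.120,51001,9.9.9.9,53",       # same bypass over TCP
    "udp,192.168.1.120,51002,192.168.1.40,53",  # client using the internal resolver
]


def run_lenient():
    rules, errors = load_rules(RULES, strict=False)
    return detect(rules, RECORDS), errors


if __name__ == "__main__":
    hits, errors = run_lenient()
    for err in errors:
        print("skipped:", err)
    for rec, msg in hits:
        print(msg, "<-", rec)
```

In lenient mode the two broken rules are reported and the two good ones still flag the client that resolves names directly against public DNS, while the resolver's own upstream queries and the client's queries to the resolver stay quiet; in strict mode the same rule file aborts loading and nothing is inspected, which is the trade-off the quoted posts argue about.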