====== Scrape PFSense DHCP Leases Status Page and Export Results to JSON ======
From: https://gist.github.com/pletch/037a4a01c95688fff65752379534455f
This Python (2.7) script provides a function to query the pfSense (v2.3) DHCP leases status page and
store the results for IP, hostname, and MAC as lists. A second function is also provided to export
the results as JSON to the file /tmp/dhcp_list.
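The gist itself logs in to the web GUI and is not reproduced on this page. The following is an added example of the parsing half of that job, not the gist's code: it takes a saved copy of the leases page, locates the IP, MAC and Hostname columns by their header text (the column order in the constructed sample HTML is an assumption), drops rows whose IP or MAC does not validate, and writes the result to the same /tmp/dhcp_list path the gist uses. Function names (parse_leases, export_json) are mine.

```python
"""Parse a saved pfSense DHCP leases page into IP/MAC/hostname records and
export them as JSON.  Added example; assumes the page contains an HTML table
whose header row names the IP, MAC and Hostname columns."""
import ipaddress
import json
import re
from html.parser import HTMLParser

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample in the general shape of status_dhcp_leases.php; the
# column order is an assumption, which is why the parser reads the header.
SAMPLE_HTML = """
<table class="table table-striped">
<thead><tr><th>IP address</th><th>MAC address</th><th>Hostname</th>
<th>Start</th><th>End</th><th>Online</th><th>Lease Type</th></tr></thead>
<tbody>
<tr><td>192.168.1.20</td><td>00:11:22:33:44:55</td><td>laptop</td>
<td>2016/08/01 10:00:00</td><td>2016/08/01 12:00:00</td>
<td><i class="fa fa-arrow-up"></i> online</td><td>active</td></tr>
<tr><td>192.168.1.5</td><td>AA:BB:CC:DD:EE:FF</td><td></td>
<td>2016/08/01 09:30:00</td><td>2016/08/01 11:30:00</td>
<td>offline</td><td>active</td></tr>
<tr><td>192.168.1.7</td><td>not-a-mac</td><td>bogus</td>
<td>2016/08/01 09:30:00</td><td>2016/08/01 11:30:00</td>
<td>offline</td><td>active</td></tr>
</tbody>
</table>
"""


class TableParser(HTMLParser):
    """Collects every <tr> as a list of the text found in its <td>/<th> cells."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append(" ".join("".join(self._cell).split()))
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None


def _column(header, keyword):
    """Index of the first header cell whose text starts with keyword."""
    for i, name in enumerate(header):
        if name.lower().startswith(keyword):
            return i
    raise ValueError("no %r column in header %r" % (keyword, header))


def parse_leases(html):
    """Return a list of {"ip", "mac", "hostname"} dicts sorted by IP.
    Rows whose IP or MAC does not parse are skipped rather than exported."""
    parser = TableParser()
    parser.feed(html)
    header, leases = None, []
    for row in parser.rows:
        if header is None:
            if any(c.lower().startswith("mac") for c in row):
                header = row
                ip_col = _column(header, "ip")
                mac_col = _column(header, "mac")
                host_col = _column(header, "hostname")
            continue
        if len(row) <= max(ip_col, mac_col, host_col):
            continue
        mac = row[mac_col].lower()
        try:
            ip = ipaddress.ip_address(row[ip_col])
        except ValueError:
            continue
        if not MAC_RE.match(mac):
            continue
        leases.append({"ip": str(ip), "mac": mac, "hostname": row[host_col]})
    leases.sort(key=lambda r: ipaddress.ip_address(r["ip"]))
    return leases


def export_json(leases, path="/tmp/dhcp_list"):
    """Write the lease list as pretty-printed JSON (same path as the gist)."""
    with open(path, "w") as fh:
        json.dump(leases, fh, indent=2, sort_keys=True)
    return path


if __name__ == "__main__":
    print(json.dumps(parse_leases(SAMPLE_HTML), indent=2))
```

Validating the IP and MAC before export matters when the output feeds an inventory or a firewall alias: a malformed row from a scraped page should be dropped, not copied into a list that other tooling trusts.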
====== Firewall Rule Basics ======
From: https://doc.pfsense.org/index.php/Firewall_Rule_Basics
any - 0.0.0.0 to 255.255.255.255, or all IPv6 addresses
Single host or alias - Select this and enter one IP address (1.2.3.4, aa:bb:cc:dd::1) or type the name of an Alias that has already been configured (Firewall > Aliases)
Network - Select this and enter a network and mask (10.99.0.0/16, aa:bb:cc:dd::0/64)
LAN net - The subnet configured on the LAN interface under Interfaces > LAN. On pfSense 2.2+, this also includes IP alias networks on that interface.
LAN address - The IP address configured on the LAN interface under Interfaces > LAN
zzz Net / zzz address - Works the same as LAN above but for other interfaces (WAN, OPT1, OPT2, etc.)
PPTP clients - Automatically locate and use the addresses of PPTP clients
L2TP clients - Automatically locate and use the addresses of L2TP clients
This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)
====== Installing the Ubiquiti UniFi Controller Software on pfSense 2.2 ======
From: http://www.robpeck.com/2015/03/installing-the-ubiquiti-unifi-controller-software-on-pfsense-2.2/#.VqPwMlLMa6E
Note: I am leaving this here for the reference and posterity, but for a variety of reasons,
I no longer recommend doing this. It is a neat hack, but tends to be a bit of a pain to live
with as you end up having to troubleshoot or reinstall it every time you update pfSense or
Unifi. When you can install it on a Raspberry Pi for less than $50, there's really no need
to do this.
====== Automatically backup Pfsense configuration files ======
From: https://www.outsideopen.com/pfmb/
The script is secure and will only connect via SSH using SSH key authentication instead of passwords.
We use pfMb on Mac and Linux but it should work on any *nix under bash.
From: https://knowledge.zomers.eu/pfsense/Pages/How-to-automate-pfSense-backup.aspx
This tool is very lightweight and easy to use. It requires the Microsoft .NET Framework 2.0 to be
installed on the machine from which you are running it. Extract the executable from the ZIP and run it
without parameters to see the help text, which explains the options you can run it with.
From: https://doc.pfsense.org/index.php/Configuration_Backup_and_Restore
pfSense keeps its configuration in one convenient XML document. A backup of this document can be saved
by going to Diagnostics > Backup/Restore, and clicking Download Configuration.
Before downloading, review the options available such as only backing up certain areas, or excluding the
RRD data from the backup file.
Restoring a configuration is just as easy: click Browse, locate the backup configuration file, then click
Restore Configuration.
From: https://www.proteansec.com/linux/pfsense-automatically-backup-configuration-files/
From: http://www.gremwell.com/node/397
====== PFSENSE BEHIND A ROUTER ======
From: http://hakology.co.uk/2014/02/pfsense-behind-a-router/
Troubleshooting:
Can pfSense ping the router – NO – WAN config error
Can pfSense ping a pfSense client – NO – LAN config error / client firewall
Can a pfSense client ping pfSense – NO – LAN config error / client firewall
Can pfSense ping 8.8.8.8 – NO – ADSL/cable router config error
Can a pfSense client ping the router – NO – NAT error
Can a pfSense client ping 8.8.8.8 – NO – NAT error / ADSL/cable router config error
Can a pfSense client ping 8.8.8.8 – YES – All good
Can a pfSense client load a website – NO – DNS error – check that everything above is OK
Can a pfSense client load a website – YES – Everything is working
====== PFsense System Advanced Notification SMTP configuration ======
From: https://forum.pfsense.org/index.php?topic=72015.0
Now - guess what ... Exchange does support plaintext-logins when configured correctly,
but only using the method "LOGIN" ...
Re: Cannot send mails using office365 smtp server
« Reply #14 on: November 22, 2014, 10:05:07 pm »
Got it working! Issue was STARTTLS (and save before Test).
Thanks!
{{ :software:pfsensenotificationconfigurationforoffice365-2015-08-29_14_29_41-system_advanced_notifications.png?300 |Office365 Configuration}}
Office 365 SMTP configuration for pfSense to relay mail to the notification e-mail address. Note: when testing, always re-enter the password first.
====== pfsense ipv6 with comcast ======
From: http://undergroundmod.com/2016/08/25/pfsense-ipv6-with-comcast/
From: https://r.wundrd.net/article/pfsense-ipv6-comcast/
[[systems:ipv6#pfsense ipv6 with comcast]]
Go to the Status > Interfaces page.
Under the WAN interface section, you should see an IPv6 address (in addition to the link-local one),
an IPv6 subnet mask of 64, and an IPv6 gateway.
The ISP DNS Servers section should contain IPv6 addresses. Record one of those for later testing.
Under the LAN interface section, you should see an IPv6 address (in addition to the link-local one) and an
IPv6 subnet mask of 64.
From: https://forum.pfsense.org/index.php?topic=83576.0
Comcast will let you request no more than a /60. 16 /64 subnets on a personal network should be
more than enough for most people.
Business class service may be able to request larger allocations, but consumer service can request
anything from /64 to /60 only, depending on how many subnets you need (1 to 16, based on number of bits).
Because of pfSense's IPv6 implementation with DHCPv6 on the WAN, there is no way to set up a static
IPv6 address for your router on your LAN. You set up "Track Interface", "WAN", then select which subnet
you want to use (which will only be 0 if you request a /64, could be 0-F if you request a /60). The LAN
interface gets a SLAAC address based on the interface's MAC address.
{{ :software:2018-01-02_15_33_50-_diagnostics_edit_file.png?direct&600 |}}
{{ :software:2018-01-02_15_36_37-_interfaces_wan.png?direct&600 |}}
{{ :software:2018-01-02_15_38_34-_interfaces_lan-general.png?direct&600 |}}
{{ :software:2018-01-02_15_39_25-_interfaces_lan-track.png?direct&600 |}}
{{ :software:2018-01-02_15_43_02-_services_dhcpv6_server_ra_lan_dhcpv6_server.png?direct&600 |}}
====== CONFIGURING DHCP SERVER AND DYNAMIC DNS SERVICES ======
Configure pfSense to serve DNS names for the local LAN
If the DNS Forwarder is enabled, every DNS request from every interface will be processed by pfSense.
Individual host records are checked first, and if a match is found, the associated IP address is
immediately returned.
By enabling the Register DHCP Static Mappings option, you won’t have to worry about creating DNS records
for those devices. This is my preferred method of using pfSense as a DNS server. As long as we create a
static mapping for every device on our network, their hostnames will resolve automatically.
Using this method, we’ll only have to add explicit hostname records for devices that specify their own
IP address (that is, devices that don’t use DHCP), which should be few and far between.
Register DHCP Leases in DNS Forwarder
If the Register DHCP Leases in DNS Forwarder option is enabled, pfSense will automatically register any
devices that specify a hostname when submitting a DNS request. The downside, of course, is that not all
devices submit a hostname and even when they do, it is sometimes cryptic. I prefer to only register
important devices using DHCP static mappings, and all other (unimportant/unknown) devices can be referenced
using their IP addresses.
====== How To Create And Configure VLANs In pfSense ======
From: https://www.iceflatline.com/2013/09/how-to-create-and-configure-vlans-in-pfsense/
In this post I will describe how to create and configure VLANs in pfSense. Once configured, you’ll be
able to route (or prevent routing) traffic between each VLAN, and each VLAN will be able to share the
same Internet connection. To help explain the steps involved, we’ll create two static VLANs on a 24-port
switch and trunk those VLANs from the switch to the LAN interface on pfSense, where we will assign each
VLAN a unique /24 private IP subnet.
====== Virtual IP and arp proxy ======
From: http://pfsensesetup.com/pfsense-virtual-ip-addresses-part-one/
A virtual IP address (VIP or VIPA) is an IP address that is not assigned to a specific single server or
network interface card (NIC). Rather, it is assigned to multiple applications on a single server, multiple
domain names, or multiple servers. Normally, a server IP address depends on the MAC address of the attached
NIC, and only one logical IP may be assigned per card. However, VIP addressing enables hosting for
several different applications and virtual appliances on a server with only one logical IP address.
====== Filter Log Format for pfSense 2.2 ======
From: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
Starting with pfSense 2.2, the raw filter log output generated by pfSense for its internal filter
log and the log output transmitted over syslog to remote hosts has changed. The new log format is
a single line containing comma-separated values that should be much easier to parse than the previous
methods that involved guessing at various layouts and string contents of log data generated by pf.
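Since the whole point of the 2.2 format is that it can be parsed without guessing, here is an added example parser (mine, not pfSense's) that splits the comma-separated record into named fields and then runs a small detection over the parsed records: sources that were blocked inbound on several distinct ports. The field names and their order follow my reading of the pfSense 2.2 filter log documentation (common fields, then IPv4 or IPv6 fields, then length and addresses, then TCP or UDP fields); verify them against your own logs before relying on the parser. The log lines are constructed and not from any real system.

```python
"""Parse pfSense 2.2+ filterlog CSV lines and run a simple port-sweep check.
Added example; field order follows the 2.2 filter log documentation as read
by the author of this example, so check it against real logs."""
import re
from collections import defaultdict

# Fields common to every record, then per-IP-version and per-protocol fields.
COMMON = ["rule_number", "sub_rule_number", "anchor", "tracker", "real_interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id", "protocol_text"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol_text", "protocol_id"]
LAYER3 = ["length", "source_address", "destination_address"]
TCP = ["source_port", "destination_port", "data_length", "tcp_flags",
       "sequence_number", "ack_number", "window", "urg", "options"]
UDP = ["source_port", "destination_port", "data_length"]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) filterlog: (?P<csv>.+)$")

# Constructed sample lines: four blocked inbound probes from one WAN-side
# address, one passed LAN connection, and one blocked IPv6 connection.
SAMPLE_LOG = """\
Jul 21 11:36:51 pfSense filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,51234,22,0,S,123456789,,65535,,mss
Jul 21 11:36:52 pfSense filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,0x0,,128,0,0,none,17,udp,78,203.0.113.9,198.51.100.2,53412,161,58
Jul 21 11:36:53 pfSense filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,51235,445,0,S,123456790,,65535,,mss
Jul 21 11:36:54 pfSense filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,51236,3389,0,S,123456791,,65535,,mss
Jul 21 11:36:55 pfSense filterlog: 65,16777216,,1000000105,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.5,198.51.100.50,40000,443,0,S,987654321,,29200,,mss;sackOK;TS;nop;wscale
Jul 21 11:36:56 pfSense filterlog: 5,16777216,,1000000103,igb1,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::9,2001:db8:1::2,45000,22,0,S,1,,65535,,mss
"""


def parse_filterlog(line):
    """Turn one syslog filterlog line into a dict; None if it is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("csv").split(",")
    rec = {"timestamp": m.group("ts"), "hostname": m.group("host")}
    pos = 0

    def take(names):
        # Consume the next len(names) CSV values under the given names.
        nonlocal pos
        chunk = fields[pos:pos + len(names)]
        if len(chunk) < len(names):
            raise ValueError("truncated filterlog record: %r" % line)
        rec.update(zip(names, chunk))
        pos += len(names)

    take(COMMON)
    take(IPV4 if rec["ip_version"] == "4" else IPV6)
    take(LAYER3)
    proto = rec["protocol_text"].lower()
    if proto == "tcp":
        take(TCP)
    elif proto == "udp":
        take(UDP)
    rec["extra"] = fields[pos:]   # ICMP and other protocols: kept raw
    return rec


def parse_log(text):
    """Parse every filterlog line in text, skipping non-filterlog lines."""
    return [r for r in (parse_filterlog(l) for l in text.splitlines()) if r]


def find_port_sweeps(records, min_ports=3):
    """Map source address -> number of distinct (protocol, port) targets it was
    blocked from reaching inbound, for sources at or above min_ports."""
    targets = defaultdict(set)
    for r in records:
        if r["action"] == "block" and r["direction"] == "in" and "destination_port" in r:
            targets[r["source_address"]].add((r["protocol_text"], r["destination_port"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


if __name__ == "__main__":
    print(find_port_sweeps(parse_log(SAMPLE_LOG)))
```

The tracker field (the fourth common field) is the stable way to tie a log line back to the rule that produced it, since rule numbers shift whenever the ruleset is reloaded.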
====== arpresolve: can't allocate llinfo ======
This message appeared in the log file a gazillion times:
Nov 26 13:30:25 192.168.1.249 kernel: arpresolve: can't allocate llinfo for 192.168.1.10
Solution: I had static-routed a gateway to itself: 192.168.1.10 was the gateway to the 192.168.0.0 net.
====== CPU Temperature ======
From: http://doc.pfsense.org/index.php/What_Hardware_Monitoring_Is_Supported
<code>
sysctl hw.acpi.thermal
hw.acpi.thermal.min_runtime: 0
hw.acpi.thermal.polling_rate: 10
hw.acpi.thermal.user_override: 0
hw.acpi.thermal.tz0.temperature: 19.0C    <=> the temperature
hw.acpi.thermal.tz0.active: -1
hw.acpi.thermal.tz0.passive_cooling: 1
hw.acpi.thermal.tz0.thermal_flags: 0
hw.acpi.thermal.tz0._PSV: 83.0C
hw.acpi.thermal.tz0._HOT: -1
hw.acpi.thermal.tz0._CRT: 85.0C
hw.acpi.thermal.tz0._ACx: 83.0C -1 -1 -1 -1 -1 -1 -1 -1 -1
hw.acpi.thermal.tz0._TC1: 4
hw.acpi.thermal.tz0._TC2: 3
hw.acpi.thermal.tz0._TSP: 60
</code>
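The useful values in that output are the zone temperature and the two trip points: _PSV (passive cooling kicks in) and _CRT (critical shutdown). The added example below, not from the pfSense docs, parses the sysctl output into per-zone values and rates each zone as ok, warning, passive or critical, so it can be dropped into a cron job or monitoring check; the only names assumed are the hw.acpi.thermal.tzN.* keys visible above, and the warning margin of 10 degrees is my own choice.

```python
"""Parse `sysctl hw.acpi.thermal` output and rate each thermal zone against its
passive (_PSV) and critical (_CRT) trip points.  Added example; the key names
are those in the sysctl output shown on the page."""
import re
import subprocess

# The page's own sysctl output, reused here as sample input.
SAMPLE = """\
hw.acpi.thermal.min_runtime: 0
hw.acpi.thermal.polling_rate: 10
hw.acpi.thermal.user_override: 0
hw.acpi.thermal.tz0.temperature: 19.0C
hw.acpi.thermal.tz0.active: -1
hw.acpi.thermal.tz0.passive_cooling: 1
hw.acpi.thermal.tz0.thermal_flags: 0
hw.acpi.thermal.tz0._PSV: 83.0C
hw.acpi.thermal.tz0._HOT: -1
hw.acpi.thermal.tz0._CRT: 85.0C
hw.acpi.thermal.tz0._ACx: 83.0C -1 -1 -1 -1 -1 -1 -1 -1 -1
hw.acpi.thermal.tz0._TC1: 4
hw.acpi.thermal.tz0._TC2: 3
hw.acpi.thermal.tz0._TSP: 60
"""

ZONE_RE = re.compile(r"^hw\.acpi\.thermal\.(tz\d+)\.(\S+):\s+(\S+)")


def _celsius(token):
    """'83.0C' -> 83.0; '-1' (trip point not defined by the firmware) -> None."""
    if token.endswith("C"):
        return float(token[:-1])
    return None


def parse_thermal(text):
    """Return {zone: {key: first value token}} for every tzN entry."""
    zones = {}
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            zones.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return zones


def check_thermal(text, warn_margin=10.0):
    """Rate each zone: 'critical' at/above _CRT, 'passive' at/above _PSV,
    'warning' within warn_margin degrees of the lowest defined trip point,
    otherwise 'ok'.  Returns {zone: {temperature, passive, critical, state}}."""
    report = {}
    for zone, keys in parse_thermal(text).items():
        temp = _celsius(keys.get("temperature", "-1"))
        psv = _celsius(keys.get("_PSV", "-1"))
        crt = _celsius(keys.get("_CRT", "-1"))
        if temp is None:
            state = "unknown"
        elif crt is not None and temp >= crt:
            state = "critical"
        elif psv is not None and temp >= psv:
            state = "passive"
        else:
            trips = [t for t in (psv, crt) if t is not None]
            state = "warning" if trips and temp >= min(trips) - warn_margin else "ok"
        report[zone] = {"temperature": temp, "passive": psv,
                        "critical": crt, "state": state}
    return report


def read_sysctl():
    """Live reading on FreeBSD/pfSense (not used by the offline sample)."""
    return subprocess.check_output(["sysctl", "hw.acpi.thermal"], text=True)


if __name__ == "__main__":
    for zone, info in check_thermal(SAMPLE).items():
        print(zone, info)
```

A value of -1 means the firmware does not define that trip point, so the check treats it as absent rather than as a temperature of -1.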
====== Why can't I access forwarded ports on my WAN IP from my LAN/OPTx networks? ======
From: http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
Method 2: Split DNS
The more elegant solution to this problem involves using Split DNS. Basically this means that internal and external clients resolve your hostnames differently.
====== Squid log File Time Conversion ======
From: http://www.onlineconversion.com/unix_time.htm
====== Squid Configuration ======
=== Cache management page ===
<code>
cache_mem 580 MB
maximum_object_size_in_memory 64 KB
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LFUDA
cache_dir aufs /var/squid/cache 3500 16 256
minimum_object_size 0 KB
maximum_object_size 8192 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
</code>
From: https://forum.pfsense.org/index.php?topic=16204.15
(my rig has 1GB ram minus some shared video ram)
Here is my cache setup:
Cache management page :
Hard disk cache size = 2000 MB (more HDD space uses more RAM; be careful not to set it too big)
Memory cache size = 128 MB
Minimum object size = 0 KB
Maximum object size = 8192 KB (Squid default is 4096 KB)
Set this larger if you want to (32 MB maybe); it depends on how many files there are, how large they are, and how
often you download these types of files.
Read the squid visolve manual on caching policy (heap LFUDA). This is not always stored in memory;
it is the "cache" value!!! It can be either RAM or HDD.
Memory replacement policy = heap LFUDA (RAM cache object handling)
Cache replacement policy = heap LFUDA (HDD cache object handling)
General settings page:
Custom Options =
redirect_program /usr/local/libexec/adzap;redirect_children 10;maximum_object_size_in_memory 128 KB;
maximum_object_size_in_memory: I bumped that value up from the default 64 KB because some sites
(I visit often) use larger objects than 64 KB, so this raises the chance of objects being cached
from RAM instead of the HDD cache. Play with this value a little in combination with the "Memory cache
size" value; remember mine is set to 128 MB of RAM being used. (128 MB / 128 KB = max. number of "large"
objects cached directly from squid RAM. RAM is faster than HDD.) Don't overdo these options; it will
do more harm than good over time... performance will suffer.
Cache is cleaned automatically.
How depends on the caching policy that is chosen. (LRU, Heap GDSF, Heap LFUDA, Heap LRU)
When is controlled by the high and low water mark options in the "Cache management" page.
Low-water-mark in % = 90
High-water-mark in % = 95
If the total cache is BIG, the 5% difference between the low- and high-water-mark can be many
MBs or GBs of cache (real data).
(Worst case) Your system could be constantly cleaning older objects from cache at 100% HDD
speed once the low-water-mark was reached, and caching speed would suffer greatly.
http://forum.pfsense.org/index.php?PHPSESSID=783a119759ebc298a3d99d016a4f1f16&/topic,11001.0.html
Proxy server: General settings
Proxy server: Cache management
From: https://calomel.org/squid.html
How do I test if the headers are being changed by squid correctly?
=== Filtering HTTPS / SSL Traffic on pfSense ===
From: https://forum.pfsense.org/index.php?topic=72528.0
This article will tell you how to install and configure a Squid proxy capable of filtering
encrypted HTTPS connections using the Diladele Web Safety ICAP content-filtering server running
on pfSense.
====== Traffic Shaper in pfSense 2.0 ======
From: http://www.hammerweb.com/blog/2011/09/traffic-shaper-in-pfsense-2-0/
Good review of PRIQ. Don't fully understand the rules he set up.
Have you recently upgraded from pfsense 1.2.3 to pfsense 2.0? Are you having difficulty getting the traffic shaper to work properly? A significant change in how the traffic shaper works between these releases, combined with a lack of documentation created a very frustrating situation.
http://forum.pfsense.org/index.php?topic=12601.0
Good discussion by davertron
http://devwiki.pfsense.org/HFSCBandwidthShapingNotes
* In HFSC, "realtime" is the scheduler used to guarantee an upper bound on delay
for a class; it is valid only for child queues. "Linkshare" shares the bandwidth
between classes if available, and a hard limit for a "linkshare" specification
can be set by "upperlimit".
* If you do NOT specify "linkshare", you should specify bandwidth.
===== Investigate links here =====
http://en.wikibooks.org/wiki/Advanced_QoS_for_IPCop/HFSC
http://automatthias.wordpress.com/2006/06/30/hfsc-and-voip/
===== Technical Explanation =====
http://linux-ip.net/articles/hfsc.en/
http://forum.pfsense.org/index.php/topic,1384.0.html
https://calomel.org/pf_hfsc.html
http://forum.pfsense.org/index.php?topic=12601.0
Better:
http://forum.pfsense.org/index.php?topic=11986.0
<code>
qTotalBandwidth (value of upload bandwidth)
  qSubnet1 (50% bandwidth)
    q1VoIP (bandwidth 10% realtime m1 = 1.2Kb d = 30 m2 = 64Kb)
    q1VNC (bandwidth 10% realtime m1 = 6Kb d = 50 m2 = 128Kb)
    q1HTTP (bandwidth 30%)
  qSubnet2 (50% bandwidth)
    q2VoIP (bandwidth 10% realtime m1 = 1.2Kb d = 30 m2 = 64Kb)
    q2VNC (bandwidth 10% realtime m1 = 6Kb d = 50 m2 = 128Kb)
    q2HTTP (bandwidth 30%)
  qPenalty (bandwidth 10% default upperlimit m2 = 10%)
</code>
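To make the realtime notes and the tree above concrete, here is an added example (mine, not pfSense or pf code) that computes what an HFSC two-piece service curve guarantees by a given time and walks the tree to turn the percentages into absolute bandwidth. It assumes a child's "bandwidth N%" is a share of its parent queue (as the pfSense shaper treats it), that realtime parameters are (m1 in Kb/s, d in ms, m2 in Kb/s), and that the link total is supplied by the caller; the tree transcribed in TREE is the one above, with qPenalty's default and upperlimit flags not modelled. The sanity check flags a parent whose children claim more than 100% of it, which the top level of this tree does (50 + 50 + 10).

```python
"""HFSC service-curve arithmetic and a sanity check for a queue tree.
Added example; assumes child percentages are relative to the parent queue."""

# The page's queue tree, transcribed into a nested structure.
TREE = {"name": "qTotalBandwidth", "percent": 100, "children": [
    {"name": "qSubnet1", "percent": 50, "children": [
        {"name": "q1VoIP", "percent": 10, "realtime": (1.2, 30, 64)},
        {"name": "q1VNC", "percent": 10, "realtime": (6, 50, 128)},
        {"name": "q1HTTP", "percent": 30},
    ]},
    {"name": "qSubnet2", "percent": 50, "children": [
        {"name": "q2VoIP", "percent": 10, "realtime": (1.2, 30, 64)},
        {"name": "q2VNC", "percent": 10, "realtime": (6, 50, 128)},
        {"name": "q2HTTP", "percent": 30},
    ]},
    {"name": "qPenalty", "percent": 10},
]}


def service_curve_kbit(m1, d_ms, m2, t_ms):
    """Kilobits a two-piece HFSC service curve guarantees by time t_ms:
    slope m1 (Kb/s) for the first d_ms milliseconds, slope m2 afterwards."""
    if t_ms <= d_ms:
        return m1 * t_ms / 1000.0
    return m1 * d_ms / 1000.0 + m2 * (t_ms - d_ms) / 1000.0


def allocate(tree, total_kbit):
    """Walk the tree computing each queue's link-share bandwidth in Kb/s.
    Returns (bandwidth_by_queue, realtime_m2_total_kbit, warnings)."""
    bandwidth, warnings = {}, []
    realtime_total = [0.0]

    def walk(node, parent_kbit):
        kbit = parent_kbit * node["percent"] / 100.0
        bandwidth[node["name"]] = kbit
        if "realtime" in node:
            # m2 is the long-run guarantee, so it is what adds up on the link.
            realtime_total[0] += node["realtime"][2]
        children = node.get("children", [])
        share = sum(c["percent"] for c in children)
        if share > 100:
            warnings.append("%s: children claim %d%% of the parent" % (node["name"], share))
        for child in children:
            walk(child, kbit)

    walk(tree, total_kbit)
    if realtime_total[0] > total_kbit:
        warnings.append("realtime m2 guarantees (%.1f Kb/s) exceed the link" % realtime_total[0])
    return bandwidth, realtime_total[0], warnings


if __name__ == "__main__":
    bw, rt, warns = allocate(TREE, 1000)   # a constructed 1000 Kb/s uplink
    for name, kbit in bw.items():
        print("%-16s %7.1f Kb/s" % (name, kbit))
    print("realtime m2 total:", rt, "Kb/s")
    for w in warns:
        print("warning:", w)
```

Realtime guarantees are additive across every leaf that has one, so summing the m2 values against the uplink is the quickest way to see whether the tree can actually honour them.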
http://www.cs.cmu.edu/~hzhang/HFSC/main.html
{{http://www.cs.cmu.edu/~hzhang/HFSC/TALK/img041.GIF}}
===== Monitoring PF Firewalls For Health And Performance =====
http://prefetch.net/articles/monitoringpf.html
pfctl -s info
pfctl -v -s rules
===== Downstream queues should not be assigned to LAN interfaces =====
http://redmine.pfsense.org/issues/749
I haven't had time to test it yet, but what I believe this is referring to is the queue for Internet traffic being attached to the WAN interface, so traffic from one internal interface to another internal interface (such as routing between VLANs or multiple physical interfaces) is limited as if it were Internet traffic. That may not be the case.
pfSense can do several tasks at once, such as being a WAN router as well as bridging multiple LAN interfaces at the same time. The problem is that when bridging LAN interfaces and the traffic shaper is restricting bandwidth, the shaper will slow, say, a Gbit LAN connection down to the WAN's speed. As such, downstream bandwidth needs to be shaped on the incoming traffic on the WAN interface, not on outgoing traffic from the LAN interface.
====== Setup Bridged Network ======
http://forum.pfsense.org/index.php?topic=30653.0
http://forum.pfsense.org/index.php/topic,20917.0.html
http://forum.pfsense.org/index.php?topic=39949.0
http://forum.pfsense.org/index.php?topic=38042.0
http://doc.pfsense.org/index.php/Access_Point2
http://forum.pfsense.org/index.php?topic=46154.0