
Scrape PFSense DHCP Leases Status Page and Export Results to JSON

From: https://gist.github.com/pletch/037a4a01c95688fff65752379534455f

This Python (2.7) script provides a function to query the pfSense (v2.3) DHCP leases status page and 
store the results for IP, hostname, and MAC as lists. A second function is also provided to export 
the results in JSON to the file /tmp/dhcp_list.
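The same idea in Python 3, as an added example (not the gist's code): a parser for the leases table on the status page, the three parallel lists the gist keeps, and a JSON export. The HTML below is a constructed sample modelled on the status_dhcp_leases.php table, not a capture from a real firewall; fetching the live page (which needs the web GUI login cookie) is left out. A MAC/hostname/IP snapshot like this is useful for an asset inventory and for putting names to addresses in firewall logs.

```python
"""Parse the pfSense DHCP leases status page and export the leases as JSON (added example)."""
import json
from html.parser import HTMLParser

# Constructed sample of the leases table (columns as on status_dhcp_leases.php in pfSense 2.3).
SAMPLE_LEASES_HTML = """
<table class="table">
<thead><tr><th>IP address</th><th>MAC address</th><th>Hostname</th>
<th>Description</th><th>Start</th><th>End</th><th>Online</th><th>Lease Type</th></tr></thead>
<tbody>
<tr><td>192.168.1.50</td><td>00:11:22:33:44:55</td><td>laptop</td><td></td>
<td>2018/01/06 03:00:00</td><td>2018/01/06 05:00:00</td><td>online</td><td>active</td></tr>
<tr><td>192.168.1.51</td><td>66:77:88:99:aa:bb</td><td></td><td></td>
<td>2018/01/06 03:10:00</td><td>2018/01/06 05:10:00</td><td>offline</td><td>active</td></tr>
<tr><td>192.168.1.10</td><td>cc:dd:ee:ff:00:11</td><td>nas</td><td>storage box</td>
<td>n/a</td><td>n/a</td><td>online</td><td>static</td></tr>
</tbody></table>
"""


class LeaseTableParser(HTMLParser):
    """Collects every <tr> of the page as a list of cell strings (th and td alike)."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def parse_leases(html):
    """Return one dict per lease row; the header row decides which column is which."""
    parser = LeaseTableParser()
    parser.feed(html)
    header = None
    leases = []
    for row in parser.rows:
        cells = [c.lower() for c in row]
        if header is None:
            if "ip address" in cells and "mac address" in cells:
                header = cells
            continue
        if len(row) != len(header):
            continue  # not a lease entry (e.g. a footer or an empty row)
        rec = dict(zip(header, row))
        leases.append({
            "ip": rec.get("ip address", ""),
            "mac": rec.get("mac address", "").lower(),
            "hostname": rec.get("hostname", ""),
            "online": rec.get("online", ""),
            "type": rec.get("lease type", ""),
        })
    return leases


def lease_lists(leases):
    """The three parallel lists the gist stores: ips, hostnames, macs."""
    return ([l["ip"] for l in leases],
            [l["hostname"] for l in leases],
            [l["mac"] for l in leases])


def leases_to_json(leases):
    return json.dumps(leases, indent=2)


def export_leases(html, path="/tmp/dhcp_list"):
    """Parse the page and write the JSON file; returns the number of leases written."""
    leases = parse_leases(html)
    with open(path, "w") as fh:
        fh.write(leases_to_json(leases))
    return len(leases)


if __name__ == "__main__":
    print(leases_to_json(parse_leases(SAMPLE_LEASES_HTML)))
```

Keying the columns off the header row rather than fixed positions is what keeps the parser working when a pfSense release adds or reorders a column; rows with a different cell count are skipped rather than mis-assigned.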

Firewall Rule Basics

From: https://doc.pfsense.org/index.php/Firewall_Rule_Basics

any - 0.0.0.0 to 255.255.255.255, or all IPv6 addresses

Single host or alias - Select this and enter one IP address (1.2.3.4, aa:bb:cc:dd::1) or type the name of an Alias that has already been configured (Firewall > Aliases)

Network - Select this and enter a network and mask (10.99.0.0/16, aa:bb:cc:dd::0/64)

LAN net - The subnet configured on the LAN interface under Interfaces > LAN. On pfSense 2.2+, this also includes IP alias networks on that interface.

LAN address - The IP address configured on the LAN interface under Interfaces > LAN

zzz Net / zzz address - Works the same as LAN above but for other interfaces (WAN, OPT1, OPT2, etc.)

PPTP clients - Automatically locate and use the addresses of PPTP clients

L2TP clients - Automatically locate and use the addresses of L2TP clients

This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)

Installing the Ubiquiti UniFi Controller Software on pfSense 2.2

From: http://www.robpeck.com/2015/03/installing-the-ubiquiti-unifi-controller-software-on-pfsense-2.2/#.VqPwMlLMa6E

Note: I am leaving this here for the reference and posterity, but for a variety of reasons, 
I no longer recommend doing this. It is a neat hack, but tends to be a bit of a pain to live 
with as you end up having to troubleshoot or reinstall it every time you update pfSense or 
Unifi. When you can install it on a Raspberry Pi for less than $50, there's really no need 
to do this.

Automatically backup Pfsense configuration files

From: https://www.outsideopen.com/pfmb/

The script is secure and will only connect via SSH using SSH key authentication instead of passwords.  
We use pfMb on Mac and Linux but it should work on any *nix under bash.

From: https://knowledge.zomers.eu/pfsense/Pages/How-to-automate-pfSense-backup.aspx

This tool is very lightweight and easy to use. It requires the Microsoft .NET Framework 2.0 to be 
installed on the machine from which you are running it. Extract the executable from the ZIP and run it 
without parameters to see the help text, which explains the options you have for running it.

From: https://doc.pfsense.org/index.php/Configuration_Backup_and_Restore

pfSense keeps its configuration in one convenient XML document. A backup of this document can be saved 
by going to Diagnostics > Backup/Restore and clicking Download Configuration.
Before downloading, review the options available, such as only backing up certain areas or excluding the 
RRD data from the backup file.
Restoring a configuration is just as easy: click Browse, locate the backup configuration file, then click 
Restore Configuration.

From: https://www.proteansec.com/linux/pfsense-automatically-backup-configuration-files/

From: http://www.gremwell.com/node/397

From:

PFSENSE BEHIND A ROUTER

From: http://hakology.co.uk/2014/02/pfsense-behind-a-router/

Troubleshooting:
Can pfsense ping router – NO – WAN config error
Can pfsense ping pfsense client – NO – LAN config error / Client firewall
Can pfsense client ping pfsense – NO – LAN config error / Client firewall
Can pfsense ping 8.8.8.8 – NO – ADSL/CABLE router config error
Can pfsense client ping router – NO – NAT error
Can pfsense client ping 8.8.8.8 – NO – NAT error / ADSL / CABLE config error
Can pfsense client ping 8.8.8.8 – YES – All good
Can pfsense client load a website – NO – DNS error – Check everything above is OK
Can pfsense client load a website – YES – Everything is working

PFsense System Advanced Notification SMTP configuration

From: https://forum.pfsense.org/index.php?topic=72015.0

Now - guess what ... Exchange does support plaintext-logins when configured correctly, 
but only using the method "LOGIN" ...
Re: Cannot send mails using office365 smtp server
« Reply #14 on: November 22, 2014, 10:05:07 pm »
Got it working! Issue was STARTTLS (and save before Test).
Thanks!

Office365 Configuration

Office365 SMTP configuration for pfSense to relay mail to the notification e-mail address. Note: for testing, always re-enter the password.

pfsense ipv6 with comcast

From: http://undergroundmod.com/2016/08/25/pfsense-ipv6-with-comcast/

From: https://r.wundrd.net/article/pfsense-ipv6-comcast/

pfsense ipv6 with comcast

Go to the Status: Interfaces page.
Under your WAN interface section, you should see an IPv6 address (in addition to link local), 
a subnet mask ipv6 of 64, and a gateway ipv6.
Note the ISP DNS Servers section should contain IPv6 addresses. Record one of those for later testing.
Under the LAN interface section, you should see an IPv6 address (in addition to link local) and a 
subnet mask ipv6 of 64.

From: https://forum.pfsense.org/index.php?topic=83576.0

Comcast will let you request no more than a /60. 16 /64 subnets on a personal network should be 
more than enough for most people.

Business class service may be able to request larger allocations, but consumer service can request 
anything from /64 to /60 only, depending on how many subnets you need (1 to 16, based on number of bits).

Because of pfSense's IPv6 implementation with DHCPv6 on the WAN, there is no way to set up a static 
IPv6 address for your router on your LAN. You set up "Track Interface", "WAN", then select which subnet 
you want to use (which will only be 0 if you request a /64, could be 0-F if you request a /60). The LAN 
interface gets a SLAAC address based on the interface's MAC address.

CONFIGURING DHCP SERVER AND DYNAMIC DNS SERVICES

Configure PFSENSE to serve DNS names for Local Lan

If the DNS Forwarder is enabled, every DNS request from every interface will be processed by pfSense. 
Individual host records are checked first, and if a match is found, the associated IP address is 
immediately returned.

By enabling the Register DHCP Static Mappings option, you won’t have to worry about creating DNS records 
for those devices. This is my preferred method of using pfSense as a DNS server. As long as we create a 
static mapping for every device on our network, their hostnames will resolve automatically.

Using this method, we’ll only have to add explicit hostname records for devices that specify their own 
IP address (that is, devices that don’t use DHCP), which should be few and far between.

Register DHCP Leases in DNS Forwarder
If the Register DHCP Leases in DNS Forwarder option is enabled, pfSense will automatically register any 
devices that specify a hostname when submitting a DNS request. The downside, of course, is that not all 
devices submit a hostname and even when they do, it is sometimes cryptic. I prefer to only register 
important devices using DHCP static mappings, and all other (unimportant/unknown) devices can be referenced 
using their IP addresses.

How To Create And Configure VLANs In pfSense

From: https://www.iceflatline.com/2013/09/how-to-create-and-configure-vlans-in-pfsense/

In this post I will describe how to create and configure VLANs in pfSense. Once configured, you’ll be 
able to route (or prevent routing) traffic between each VLAN, and each VLAN will be able to share the 
same Internet connection. To help explain the steps involved, we’ll create two static VLANs on a 24-port 
switch and trunk those VLANs from the switch to the LAN interface on pfSense, where we will assign each 
VLAN a unique /24 private IP subnet.

Virtual IP and arp proxy

From: http://pfsensesetup.com/pfsense-virtual-ip-addresses-part-one/

A virtual IP address (VIP or VIPA) is an IP address that is not assigned to a specific single server or 
network interface card (NIC). Rather, it is assigned to multiple applications on a single server, multiple
 domain names, or multiple servers. Normally, a server IP address depends on the MAC address of the attached 
NIC, and only one logical IP may be assigned per card. However, VIP addressing enables hosting for 
several different applications and virtual appliances on a server with only one logical IP address.

Filter Log Format for pfSense 2.2

From: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

Starting with pfSense 2.2, the raw filter log output generated by pfSense for its internal filter 
log and the log output transmitted over syslog to remote hosts has changed. The new log format is 
a single line containing comma-separated values that should be much easier to parse than the previous 
methods that involved guessing at various layouts and string contents of log data generated by pf. 
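A parser for that single-line CSV layout, as an added example (not pfSense code). The field order follows the linked doc page: the common fields (rule-number, sub-rule-number, anchor, tracker, real-interface, reason, action, direction, ip-version), then the IPv4 or IPv6 header fields, then the TCP or UDP fields; ICMP and other protocols are left as a raw tail. The three syslog lines are constructed samples in that layout, not captured from a firewall, and the `blocked_by_source` tally at the end is the kind of summary a log pipeline would feed into alerting.

```python
"""Parse pfSense 2.2+ filterlog lines and summarise blocked inbound traffic (added example)."""
import re
from collections import Counter

# Constructed sample lines in the pfSense 2.2 CSV layout (not from a real firewall).
SAMPLE_LOG = """\
Jan  6 04:10:01 pfSense filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,64,23456,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51234,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Jan  6 04:10:02 pfSense filterlog: 9,16777216,,1000000104,igb1,match,pass,out,4,0x0,,128,4321,0,none,17,udp,76,192.168.1.50,8.8.8.8,55123,53,56
Jan  6 04:10:03 pfSense filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,64,23457,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,51235,23,0,S,1234567891,,65535,,mss;sackOK
"""

LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"filterlog(?:\[\d+\])?:\s*(?P<csv>.*)$"
)

# Field names per the pfSense 2.2 filter log format page (in order).
COMMON_FIELDS = ["rule_number", "sub_rule_number", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ip_version"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id", "protocol",
               "length", "src", "dst"]
IPV6_FIELDS = ["class", "flow_label", "hop_limit", "protocol", "protocol_id",
               "length", "src", "dst"]
TCP_FIELDS = ["src_port", "dst_port", "data_length", "tcp_flags", "seq", "ack",
              "window", "urg", "options"]
UDP_FIELDS = ["src_port", "dst_port", "data_length"]


def _take(event, fields, pos, names):
    """Copy len(names) fields starting at pos into event; missing fields become ''."""
    for i, name in enumerate(names):
        event[name] = fields[pos + i] if pos + i < len(fields) else ""
    return pos + len(names)


def parse_line(line):
    """Return a dict for one filterlog line, or None if the line is not a filterlog record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("csv").split(",")
    event = {"timestamp": m.group("stamp"), "host": m.group("host")}
    pos = _take(event, fields, 0, COMMON_FIELDS)
    if event["ip_version"] == "4":
        pos = _take(event, fields, pos, IPV4_FIELDS)
    elif event["ip_version"] == "6":
        pos = _take(event, fields, pos, IPV6_FIELDS)
    else:
        event["extra"] = fields[pos:]
        return event
    proto = event["protocol"].lower()
    if proto == "tcp":
        pos = _take(event, fields, pos, TCP_FIELDS)
    elif proto == "udp":
        pos = _take(event, fields, pos, UDP_FIELDS)
    event["extra"] = fields[pos:]  # ICMP etc. are variable-length and left unparsed
    return event


def parse_log(text):
    """Parse every filterlog line in a block of syslog text, skipping anything else."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def blocked_by_source(events):
    """Count blocked inbound packets per source address."""
    tally = Counter(e["src"] for e in events
                    if e.get("action") == "block" and e.get("direction") == "in")
    return dict(tally)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e["action"], e["direction"], e["interface"], e["protocol"],
              e["src"], "->", e["dst"], e.get("dst_port", ""))
    print(blocked_by_source(evs))
```

Splitting on commas is safe here because the only multi-valued field (the TCP options) is separated with semicolons; the `tracker` value is the one to key on when matching a log line back to the rule that produced it, since rule numbers shift as the ruleset changes.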

arpresolve: can't allocate llinfo

These messages appeared in the log file a gazillion times:

  Nov 26 13:30:25 192.168.1.249 kernel: arpresolve: can't allocate llinfo for 192.168.1.10
  Solution: I had static-routed a gateway to itself. 192.168.1.10 was a gateway to the 192.168.0.0 net.

CPU Temperature

From: http://doc.pfsense.org/index.php/What_Hardware_Monitoring_Is_Supported

  sysctl hw.acpi.thermal
  
  hw.acpi.thermal.min_runtime: 0
  hw.acpi.thermal.polling_rate: 10
  hw.acpi.thermal.user_override: 0
  hw.acpi.thermal.tz0.temperature: 19.0C <=> the temperature
  hw.acpi.thermal.tz0.active: -1
  hw.acpi.thermal.tz0.passive_cooling: 1
  hw.acpi.thermal.tz0.thermal_flags: 0
  hw.acpi.thermal.tz0._PSV: 83.0C
  hw.acpi.thermal.tz0._HOT: -1
  hw.acpi.thermal.tz0._CRT: 85.0C
  hw.acpi.thermal.tz0._ACx: 83.0C -1 -1 -1 -1 -1 -1 -1 -1 -1
  hw.acpi.thermal.tz0._TC1: 4
  hw.acpi.thermal.tz0._TC2: 3
  hw.acpi.thermal.tz0._TSP: 60
  

Why can't I access forwarded ports on my WAN IP from my LAN/OPTx networks?

http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

Method 2: Split DNS. The more elegant solution to this problem involves using Split DNS. Basically, this means that internal and external clients resolve your hostnames differently.

Squid log File Time Conversion

Squid Configuration

Cache management page

  cache_mem 580 MB
  maximum_object_size_in_memory 64 KB
  memory_replacement_policy heap LFUDA
  cache_replacement_policy heap LFUDA
  cache_dir aufs /var/squid/cache 3500 16 256
  minimum_object_size 0 KB
  maximum_object_size 8192 KB
  offline_mode off
  cache_swap_low 90
  cache_swap_high 95
  cache allow all

From: https://forum.pfsense.org/index.php?topic=16204.15

(my rig has 1GB ram minus some shared video ram)
Here is my cache setup:

Cache management page :
Hard disk cache size = 2000 MB (more HDD space uses more RAM; be careful not to set it too big)
Memory cache size = 128 MB
Minimum object size = 0 KB

Maximum object size = 8192 KB (Squid default is 4096 KB)
Set this larger if you want to (32MB maybe); it depends on how many files there are, how large they 
are and how often you download these types of files.
Read the squid visolve manual on caching policy (heap LFUDA). This is not always stored in memory, 
it is the "cache" value!!! It can either be RAM or HDD.

Memory replacement policy = heap LFUDA (RAM cache object handling)
Cache replacement policy = heap LFUDA (HDD cache object handling)

General settings page:
Custom Options =
redirect_program /usr/local/libexec/adzap;redirect_children 10;maximum_object_size_in_memory 128 KB;

maximum_object_size_in_memory: I bumped that value up from the default 64KB because some sites 
(I visit often) use larger objects than 64KB, and so this raises the chance of objects being cached 
from RAM instead of HDD cache. Play with this value a little in combination with the "Memory cache 
size" value; remember mine is set to 128MB of RAM being used. (128MB / 128KB = max. number of "large" 
objects cached directly from squid RAM. RAM is faster than HDD.) Don't overdo these options; it will 
do more harm than good over time...performance will suffer.

Cache is cleaned automatically.
How depends on the caching policy that is chosen. (LRU, Heap GDSF, Heap LFUDA, Heap LRU)
When is controlled by the high and low water mark options in the "Cache management" page.
Low-water-mark in % = 90
High-water-mark in % = 95
If the total cache is BIG the 5 % difference between the low- and high-water-mark can be many 
MBs or GBs of cache (real data).
(Worst case) Your system could be constantly cleaning older objects from cache at 100% HDD 
speed if the low-water-mark was reached. And caching speed would suffer greatly.

http://forum.pfsense.org/index.php?PHPSESSID=783a119759ebc298a3d99d016a4f1f16&/topic,11001.0.html

Proxy server: General settings Proxy server: Cache management

From: https://calomel.org/squid.html

How do I test if the headers are being changed by squid correctly?

Filtering HTTPS / SSL Traffic on pfSense

From: https://forum.pfsense.org/index.php?topic=72528.0

This article will tell you how to install and configure a Squid proxy capable of filtering 
encrypted HTTPS connections using the Diladele Web Safety ICAP content filtering server running 
on pfSense.

Traffic Shaper in pfSense 2.0

From: http://www.hammerweb.com/blog/2011/09/traffic-shaper-in-pfsense-2-0/

Good review of PRIQ. Don't fully understand the rules he set up.

Have you recently upgraded from pfsense 1.2.3 to pfsense 2.0? Are you having difficulty getting the traffic shaper to work properly? A significant change in how the traffic shaper works between these releases, combined with a lack of documentation created a very frustrating situation.

http://forum.pfsense.org/index.php?topic=12601.0

Good discussion by davertron

http://devwiki.pfsense.org/HFSCBandwidthShapingNotes

* in hfsc, “realtime” is the scheduler used to guarantee upper bound delay for a class it is valid only for child queues. “Linkshare” shares the bandwidth between classes if available, and a hard limit for a “linkshare” specification can be set by “upperlimit”.

* if you DO not specify “linkshare”, you should specify bandwidth.

Technical Explanation

http://linux-ip.net/articles/hfsc.en/

http://forum.pfsense.org/index.php/topic,1384.0.html

https://calomel.org/pf_hfsc.html

http://forum.pfsense.org/index.php?topic=12601.0 Better: http://forum.pfsense.org/index.php?topic=11986.0

  ---qTotalBandwidth (Value of upload bandwidth )
  ------qSubnet1 (50% bandwidth)
  --------------q1VoIP (bandwidth 10% realtime m1 = 1.2Kb d = 30 m2 = 64Kb)
  --------------q1VNC (bandwidth 10% realtime m1 = 6Kb d = 50 m2 = 128Kb)
  --------------q1HTTP (bandwidth 30%)
  ------qSubnet2 (50% bandwidth)
  --------------q2VoIP (bandwidth 10% realtime m1 = 1.2Kb d = 30 m2 = 64Kb)
  --------------q2VNC (bandwidth 10% realtime m1 = 6Kb d = 50 m2 = 128Kb)
  --------------q2HTTP (bandwidth 30%)
  ------qPenalty (bandwidth 10% default upperlimit m2 = 10%)

http://www.cs.cmu.edu/~hzhang/HFSC/main.html

Monitoring PF Firewalls For Health And Performance

http://prefetch.net/articles/monitoringpf.html

  pfctl -s info
  pfctl -v -s rules

Downstream queues should not be assigned to LAN interfaces

http://redmine.pfsense.org/issues/749

I haven't had time to test it yet, but what I believe this is referring to is the queue for Internet traffic being attached to the WAN interface, so traffic from one internal interface to another internal interface (such as routing between VLANs or multiple physical interfaces) is limited as if it were Internet traffic. That may not be the case.

pfSense can do several tasks at once, such as being a WAN router as well as bridging multiple LAN interfaces at the same time. The problem is when bridging LAN interfaces and the traffic shaper is restricting bandwidth, the shaper will delay, say, a Gbit LAN connection to the WAN's speed. As such, downstream bandwidth needs to be shaped on the incoming traffic on the WAN interface, not on outgoing traffic from the LAN interface.

Setup Bridged Network

software/pfsense.txt · Last modified: 2018/01/06 04:12 by superwizard