FreeBSD

Configuring CARP on pfSense

Purpose

Any single firewall or gateway is, by definition, a single point of failure. The Common Address Redundancy Protocol (CARP) was developed in the BSD world (it originated in OpenBSD) to remove it. For those coming from Cisco or other network gear, it does at a high level the same job as VRRP or HSRP: two or more hosts share a virtual IP address, and a backup takes the address over when the master stops advertising. What pfSense adds on top is state synchronisation with pfsync, so the backup firewall already holds the live connection table when it takes over and established sessions survive the failover (the configuration itself is replicated separately, through pfSense's XML-RPC configuration sync). This tutorial walks through configuring this setup in pfSense and shows the effect of downtime on the system.

First of all we have the general layout of this sample setup.


FreeBSD
HowTos
pfSense


Dual Boot pfSense for Testing New Versions

pfSense 2.0 recently entered beta, and as an avid user of the 1.2.x line I was eager to check it out. I still wanted the ability to roll back to the previous version if things turned out to be too unstable, so I set up dual booting of the stable 1.2.x release alongside the experimental 2.0 build. The same procedure should work for any other pair of versions in the future; these two are just the example.

  • Back up the current configuration of the stable system. Keep the config.xml file handy to upload afterwards, since you will need to re-install the system if you do not already have correctly sized slices.
  • Boot the stable pfSense install media. Which version is installed first does not actually matter, but for this example the stable release goes first.
  • Select (i) to install to the local hard disk.
  • After configuring keyboard and display, select < Custom Install >, as shown below.

  • Next, select the hard disk you want to install the system on. You can spread the installs across several drives using the same general idea; the only difference is where you place the partitions. A single drive is used here for simplicity, since it is the most common case.


FreeBSD
HowTos
Operating Systems
pfSense


Fixing VLAN Recognition on pfSense 1.2 and Realtek RTL8110SC NIC

If you are using pfSense (and possibly plain FreeBSD, for that matter) you may have run into VLAN interfaces not responding after a reboot or right after the interface is created. This is a serious problem when the box is your main router, as the independent network segments can no longer communicate with each other.

Symptoms of this include:

  • Systems can ARP the MAC address of the network card, but are unable to ping it.
  • pfSense with a Realtek RTL8110SC NIC still answers DHCP and other broadcast-driven traffic, but does not respond to unicast IP traffic addressed to the VLAN interface.
  • General Realtek RTL8110SC instability and an inconsistent VLAN state.

The fix for this is far from ideal, but it works in a pinch, and in most situations where absolute performance is not the priority it keeps things stable until a better workaround (or the suggested hardware replacement) comes along.

#ifconfig re0 promisc

Where "re0" is the name of the parent (physical) interface: re0, re1, etc. Setting promiscuous mode on the individual VLAN interfaces does not help; it has to be the parent. Be aware of the performance cost: with the card's hardware address filter bypassed, every frame seen on the wire is handed to the CPU, not just the ones addressed to the card. Note also that the setting does not survive a reboot, so it has to be reapplied at boot (on pfSense, for example, with the shellcmd package; on plain FreeBSD, through the interface's ifconfig_ line in /etc/rc.conf). It may be quick and dirty, but it works. If anyone has an alternate suggestion on why this happens, please chime in.
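Because the flag belongs on the parent rather than on each VLAN, it is easy to miss one on a box with several trunks. The following script, added here as an example and not part of the original post, parses the output of FreeBSD's ifconfig to find the parent of every VLAN interface and emits the promisc commands only for parents that are not already promiscuous. The ifconfig output it works on is constructed (the interface names, MAC and IP addresses are made up), and the script prints the commands rather than running them so that it can be reviewed first.

```sh
#!/bin/sh
# Constructed sample of FreeBSD `ifconfig` output (made-up interfaces and addresses;
# the "vlan: N parent interface: X" line is the one this script keys on).
SAMPLE_IFCONFIG='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        media: Ethernet autoselect (1000baseT <full-duplex>)
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        vlan: 10 parent interface: re0
vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 20 parent interface: re0
vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 30 parent interface: re1
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether aa:bb:cc:dd:ee:ff'

# vlan_parents: print the unique parent interfaces of all VLAN interfaces, one per line.
# Takes the ifconfig output as its argument so it can be run against a saved copy.
vlan_parents() {
    printf '%s\n' "$1" | awk '/parent interface:/ {
        for (i = 1; i <= NF; i++) if ($i == "interface:") print $(i + 1)
    }' | sort -u
}

# is_promisc IFACE OUTPUT: succeed if the interface's flags already contain PROMISC
is_promisc() {
    printf '%s\n' "$2" | grep -q "^$1: flags=[0-9a-f]*<[^>]*PROMISC"
}

# promisc_commands OUTPUT: one "ifconfig <parent> promisc" line per parent that still needs it
promisc_commands() {
    ifout="$1"
    for p in $(vlan_parents "$ifout"); do
        if is_promisc "$p" "$ifout"; then
            echo "# $p already promiscuous"
        else
            echo "ifconfig $p promisc"
        fi
    done
}

# On a live system this would be: promisc_commands "$(ifconfig)"
promisc_commands "$SAMPLE_IFCONFIG"
```

On the constructed input the script prints ifconfig re0 promisc and ifconfig re1 promisc; em0 is already promiscuous but has no VLANs, so it is ignored. Pipe the output into sh once you are satisfied with it.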

FreeBSD
Quick Fixes
pfSense


FreeBSD process accounting

Bold indicates a button clicked or key pressed.
“quotes” indicates a value which has been entered.

Grey block quote is a command typed directly into the console.

Purpose

Enabling process accounting is a simple, effective way to keep track of which processes run, who ran them, and how much CPU time and I/O they consume. It tells you where the performance bottlenecks on your machine are, and because every command executed on the system is recorded, it also gives you an audit trail of what has been run and by whom.

Procedures

#touch /var/account/acct
#accton /var/account/acct
#echo 'accounting_enable="YES"' >> /etc/rc.conf
#lastcomm

The first two commands create the accounting file and start recording immediately; the rc.conf line makes accounting start again at boot. The "lastcomm" command lists the recorded commands, most recent first, and sa(8) summarises the same data per command and per user. The file grows with every command run, so leave it in /var/account where the daily periodic(8) job rotates it.
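Once the data is there, the interesting questions are who used the CPU and whether any service account ran something it never should. The script below, added here as an example and not part of the original post, answers both from lastcomm output. The records it runs over are constructed (made-up users, commands and times) in the column layout lastcomm prints: command, flags, user, tty, CPU seconds, and date; the lists of service accounts and suspect commands are assumptions to adapt to your own box.

```sh
#!/bin/sh
# Constructed lastcomm(1) records (made up; same column layout as real output:
# command, flags, user, tty, seconds, "secs", date). The "S" flag marks a setuid run.
SAMPLE_LASTCOMM='sh             -F   root     ttyv0      0.01 secs Thu Mar  4 10:01
ls             -    root     ttyv0      0.00 secs Thu Mar  4 10:01
httpd          -    www      __         0.12 secs Thu Mar  4 10:02
sh             -F   www      __         0.01 secs Thu Mar  4 10:02
fetch          -    www      __         0.30 secs Thu Mar  4 10:02
perl           -    www      __         2.10 secs Thu Mar  4 10:02
nc             -    www      __         0.02 secs Thu Mar  4 10:03
passwd         -S   bob      ttyp1      0.04 secs Thu Mar  4 10:05'

# Assumed policy: these accounts run daemons only and should never spawn a shell,
# an interpreter or a download/network tool.
SERVICE_ACCOUNTS='www nobody'
SUSPECT_CMDS='sh bash csh fetch wget curl nc perl python'

# cpu_by_user RECORDS: total CPU seconds per user as "user seconds", sorted by user
cpu_by_user() {
    printf '%s\n' "$1" | awk '{ t[$3] += $5 }
        END { for (u in t) printf "%s %.2f\n", u, t[u] }' | sort
}

# suspect_records RECORDS: "command user tty" for every suspect command run by a service account
suspect_records() {
    printf '%s\n' "$1" | awk -v accts="$SERVICE_ACCOUNTS" -v cmds="$SUSPECT_CMDS" '
        BEGIN {
            n = split(accts, a, " "); for (i = 1; i <= n; i++) A[a[i]] = 1
            n = split(cmds, c, " ");  for (i = 1; i <= n; i++) C[c[i]] = 1
        }
        ($3 in A) && ($1 in C) { print $1, $3, $4 }'
}

# setuid_records RECORDS: "command user" for commands that ran with the setuid (S) flag
setuid_records() {
    printf '%s\n' "$1" | awk '$2 ~ /S/ { print $1, $3 }'
}

# On a live system: suspect_records "$(lastcomm)"
echo "CPU by user:";        cpu_by_user "$SAMPLE_LASTCOMM"
echo "Suspect commands:";   suspect_records "$SAMPLE_LASTCOMM"
echo "Setuid executions:";  setuid_records "$SAMPLE_LASTCOMM"
```

On the constructed records the web server account shows up spawning sh, fetch, perl and nc in quick succession, which is the pattern a compromised web application leaves behind; that is the kind of thing accounting lets you see after the fact even when the web logs were wiped.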

FreeBSD
HowTos


FreeBSD disable telnet


  1. Edit /etc/inetd.conf and ensure that both telnet lines (the tcp and the tcp6 one) are commented out with a leading #:

#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
#telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd

  2. Reload inetd (through its rc.d script, or by sending it a SIGHUP) so the change takes effect; until then telnetd is still being offered. If telnet was the only service you needed from inetd, disable inetd altogether by setting inetd_enable="NO" in /etc/rc.conf.
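Telnet is the usual suspect, but ftp, rsh and rlogin send credentials in the clear just the same. The script below, added here as an example and not part of the original post, audits an inetd.conf for active entries, flags the cleartext services, and produces a copy with a chosen service commented out the way the step above describes. The inetd.conf excerpt it runs on is constructed, and the list of cleartext services is an assumption you may want to extend.

```sh
#!/bin/sh
# Constructed /etc/inetd.conf excerpt (made up for this example; real files are longer).
SAMPLE_INETD='#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#telnet stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
#comsat dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat'

# Assumed list of services that carry credentials unencrypted and should stay disabled
CLEARTEXT_SERVICES='telnet ftp shell login exec'

# enabled_services CONF: service name of every active (non-blank, uncommented) entry
enabled_services() {
    printf '%s\n' "$1" | awk 'NF > 0 && $1 !~ /^#/ { print $1 }'
}

# cleartext_enabled CONF: active entries that are in CLEARTEXT_SERVICES, as "service proto"
cleartext_enabled() {
    printf '%s\n' "$1" | awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
        NF > 0 && $1 !~ /^#/ && ($1 in bad) { print $1, $3 }'
}

# disable_service SERVICE CONF: print CONF with every active entry for SERVICE commented out
# (both the tcp and the tcp6 line, since they share the service name)
disable_service() {
    printf '%s\n' "$2" | awk -v svc="$1" '$1 == svc { print "#" $0; next } { print }'
}

echo "Active services:";          enabled_services "$SAMPLE_INETD"
echo "Cleartext services active:"; cleartext_enabled "$SAMPLE_INETD"
echo "After disabling telnet, still active:"
enabled_services "$(disable_service telnet "$SAMPLE_INETD")"
```

To apply it for real, write the output of disable_service to a temporary file, diff it against /etc/inetd.conf, move it into place and reload inetd; then confirm with sockstat -4l that nothing is listening on port 23 any more.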

FreeBSD
HowTos
Quick Fixes


Prepping FreeBSD 6.x for Quotas


Procedures

#cd /usr/src/sys/i386/conf
#cp GENERIC MYKERNEL
#echo "options QUOTA" >> MYKERNEL
#cd /usr/src
#make buildkernel KERNCONF=MYKERNEL
#make installkernel KERNCONF=MYKERNEL
#reboot

Edit /etc/fstab and add "userquota,groupquota" to the options field of the /home filesystem line (so that "rw" becomes "rw,userquota,groupquota"). The kernel now supports quotas and the filesystem is marked for them; they are actually switched on at boot once quota_enable="YES" is set in /etc/rc.conf, after which limits can be assigned per user with edquota.

That's it.
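Editing fstab by hand is error-prone on a box with several filesystems, and running the edit twice must not produce "userquota,userquota". The script below, added here as an example and not part of the original post, makes the change from the last step idempotently for a named mountpoint and leaves every other line untouched. The fstab it runs on is constructed (made-up device names and layout); it prints the result instead of writing /etc/fstab, so that the diff can be checked first.

```sh
#!/bin/sh
# Constructed /etc/fstab (made-up devices; typical FreeBSD 6.x layout)
SAMPLE_FSTAB='# Device        Mountpoint      FStype  Options         Dump    Pass#
/dev/ad0s1b     none            swap    sw              0       0
/dev/ad0s1a     /               ufs     rw              1       1
/dev/ad0s1d     /var            ufs     rw              2       2
/dev/ad0s1e     /usr            ufs     rw              2       2
/dev/ad0s1f     /home           ufs     rw              2       2'

# add_quota_options MOUNTPOINT FSTAB: print FSTAB with userquota,groupquota appended to
# the options of MOUNTPOINT. Idempotent: an option already present is not added again.
add_quota_options() {
    printf '%s\n' "$2" | awk -v mnt="$1" '
        $1 !~ /^#/ && NF >= 6 && $2 == mnt {
            n = split($4, o, ",")
            has_u = 0; has_g = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "userquota")  has_u = 1
                if (o[i] == "groupquota") has_g = 1
            }
            if (!has_u) $4 = $4 ",userquota"
            if (!has_g) $4 = $4 ",groupquota"
            print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t" $6
            next
        }
        { print }'
}

# quota_options_for MOUNTPOINT FSTAB: the options field of MOUNTPOINT, for verifying the result
quota_options_for() {
    printf '%s\n' "$2" | awk -v mnt="$1" '$1 !~ /^#/ && $2 == mnt { print $4 }'
}

NEW_FSTAB=$(add_quota_options /home "$SAMPLE_FSTAB")
printf '%s\n' "$NEW_FSTAB"
echo "/home options are now: $(quota_options_for /home "$NEW_FSTAB")"
```

On a real system, write the output to a temporary file, diff it against /etc/fstab and move it into place; then add quota_enable="YES" to /etc/rc.conf and either reboot or run quotacheck -a followed by quotaon -a, and set the limits with edquota.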

FreeBSD
HowTos
