Netgate Discussion Forum
    PfSense for secure browsing from public WiFi?

    • johnpozJ
      johnpoz LAYER 8 Global Moderator

      Yes, pfsense would allow you to vpn and admin anything on your network, and sure you could then surf the internet through this vpn connection.

      I would assume your APE is also your wireless..  Putting that in front of pfsense and still using it for wireless is not a typical setup.  There must be another device that connects you to the internet that your APE is plugged into?

      Putting that into bridge mode yes would be a preferred setup vs double nat.

      Then you put your APE behind pfsense as just an AP..  Just turn off its dhcp server, connect it to your network via one of its lan ports and then give it an IP on the network you're connecting it to so you can connect to it and manage the wifi.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • khorton

        Yes, the APE is also my wireless access point.  There is a broadband modem before the APE.

        The proposed configuration is:

        Broadband                                          <->  dumb switch  <-> various LAN connections
        modem    <->  pfSense <->  Apple Airport Extreme  <->  Desktop Mac
                                                          <->  FreeNAS server

        • moikerz

          modem <-> pfsense <-> dumb switch <-> APE
                                            <-> Mac
                                            <-> FreeNAS
                                            <-> Other LAN stuff

          • khorton

            @moikerz:

            modem <-> pfsense <-> dumb switch <-> APE
                                              <-> Mac
                                              <-> FreeNAS
                                              <-> Other LAN stuff

            I'll need a better switch if I do that.  I did have the Mac and FreeNAS connected through the switch at one point, but I found that I got much better throughput if I bypassed the switch.  It is a TP-Link SG1005D, which gets good reviews, so I was surprised that it didn't perform well for me.  Maybe I was expecting too much from an unmanaged switch.

            Once I bridge the APE, can it act as a switch (as I had it used above), or is that simply not possible?

            • johnpoz LAYER 8 Global Moderator

              You can use the switch ports on the APE as just a switch, I don't know why you keep saying bridge for the APE??  Are you wanting to bridge the wan port to the lan ports so you have an extra port?  Really don't see the point.

              Normally you would put your switch before any other devices - but yes you can leverage the switch ports on your APE once you set it up as just an Access Point.

              As to your performance on your switch..  It's a gig switch, what do you think you should get, and what are you getting.. And you say if you use the ports on your APE you get better performance??  Gig is gig is gig is gig..  You should see very similar performance in a home setup with any gig switch, be it dumb, smart or fully managed.

              You're not doing anything that suggests you need a smart/managed switch - now if you want to do vlans then sure.  If you want more insight into your network via reporting of interface stats, or rate limiting, igmp snooping, etc. etc.. then sure a smart/managed switch makes sense.  And to be honest the prices are really very very reasonable these days.  I personally would never buy a dumb switch since you're only talking a few dollars more to get a smart version..  And you can get some really feature rich devices for in the low 100's etc..  As long as you're not talking really large port density..

              It is possible that some devices don't like each other, comes down to your nic and switch..  But really everything should work and give you the performance they state on their spec shit..  I would be very curious as to how you determined that the performance of your switch is less than the performance of the switch on your APE.. Did you run iperf testing, file copies?  what?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • khorton

                @johnpoz:

                You can use the switch ports on the APE as just a switch, I don't know why you keep saying bridge for the APE??  Are you wanting to bridge the wan port to the lan ports so you have an extra port?  Really don't see the point.

                I'm using the word "bridged", as it matches what I see in Airport Utility.  I've got three options for the router mode, "DHCP and NAT", "DHCP" and "OFF (bridge mode)".  I thought that the third option is the one that I should use if pfSense was doing the router function.  Am I wrong?  Has Apple mis-named that option?

                @johnpoz:

                As to your performance on your switch..  It's a gig switch, what do you think you should get, and what are you getting.. And you say if you use the ports on your APE you get better performance??  Gig is gig is gig is gig..  You should see very similar performance in a home setup with any gig switch, be it dumb, smart or fully managed.

                Did you run iperf testing, file copies?  what?

                I was expecting 10-20% less than 1 Gbps, due to various overheads.  Originally, I was getting significantly lower than expected throughput when transferring large files to FreeNAS.  I rejigged the network to take the switch out of the picture, and the speeds went up to about what I was expecting.  iperf and netperf both show close enough to 1 Gbps to keep me happy.

                But, I just did tests with netperf, and I get 940 Mbps with or without the switch in play.  So, perhaps the switch is not a problem, and I had some other variable at play that I didn't realize at the time.  More testing required.

                • johnpoz LAYER 8 Global Moderator

                  That mode listing in your APE is kind of pointless unless that is the only way to turn off its dhcp server?  To use any wifi router as just an AP, all that is required is to turn off its dhcp server and connect it to your network with one of its lan ports.

                  If you want to make it easier to manage then put its lan IP on your network.  Since you're not connecting anything to its wan port, what it thinks it is doing between a wan connection and its lan ports is completely pointless…

                  Pretty much every single soho router out there is the same sort of setup, wifi bridged to the switch ports.. If you want to bridge in the wan port for an extra port that is up to you..  But normally 1 port is not an issue, and it's just easier to ignore its use vs playing with badly worded modes in these soho devices.

                  Personally if you want wifi, get an AP.. If you want ports get a switch.. Not real big on the everything-in-one-box sort of setup..  While sure any soho router can be used as an AP, they are not designed to be strategically placed/mounted for best wifi coverage..  And they also need a very close power plug.

                  Sure if you want to reuse the hardware switch ports as a dumb switch.. sure..  But if what you're after is GOOD wifi, get an AP that is poe and designed to be mounted to give you best coverage.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • NOYB

                    Using OpenVPN via public hotspot may not be as secure as one might expect it to be if using DNS to resolve host names.  Extra care must be taken to ensure that the local DNS is not used.

                    Local vs VPN DNS Name Resolution
                    https://forum.pfsense.org/index.php?topic=77421.msg422027#msg422027
                    https://forum.pfsense.org/index.php?topic=77421.msg422311#msg422311

                    OpenVPN Forum Thread:
                    https://forums.openvpn.net/viewtopic.php?t=15939

                    • Pippin

                      Using OpenVPN via public hotspot may not be as secure as one might expect it to be if using DNS to resolve host names.

                      From Windows 8 and up, Microsoft introduced parallel DNS aka Smart Multi-Homed Name Resolution.

                      To prevent this from happening, one puts

                      block-outside-dns
                      register-dns
                      

                      in the client config.

                      The client log will then show

                      us=537679 Blocking outside DNS
                      us=537679 Opening WFP engine
                      us=537679 Adding WFP sublayer
                      us=547679 Blocking DNS using WFP
                      us=547679 Tap Luid: 1688849893818368
                      us=547679 Filter (Block IPv4 DNS) added with ID=88910
                      us=547679 Filter (Block IPv6 DNS) added with ID=88911
                      us=547679 Filter (Permit IPv4 DNS queries from TAP) added with ID=88912
                      us=547679 Filter (Permit IPv6 DNS queries from TAP) added with ID=88913
                      

                      and

                      C:\Windows\system32\net.exe start dnscache
                      C:\Windows\system32\ipconfig.exe /flushdns
                      C:\Windows\system32\ipconfig.exe /registerdns
                      End net commands...
                      

                      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                      Halton Arp

                      • NOYB

                        Does that also block local name resolution?  If so then that creates issues for using local services such as printers etc.

                        What I would like to see is a means to only resolve local names locally and everything else via the VPN DNS.

                        • Pippin

                          Try it, it works here.

                          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                          Halton Arp

                          • NOYB

                            @Pippin:

                            Try it, it works here.

                            I will at some point.  But not in a situation right now for doing that.

                            • NOYB

                              The "--register-dns" option appears to be what enabling the pfSense "Force DNS cache update" option does.

                              Force DNS cache update 
                              Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.


                              --block-outside-dns
                              Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel. It uses Windows Filtering Platform (WFP) and works on Windows Vista or later.

                              --register-dns
                              Run net stop dnscache, net start dnscache, ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.

                              Since both of these rely on Windows executables and features, do they cause any issues for non-Windows clients using the VPN?

                              Do any non-Windows clients have similar issues with DNS leakage to the non-VPN adapters?

                              • Pippin

                                Not sure, but I have a strong feeling the client will state something like this in the log:

                                us=327673 NOTE: --block-outside-dns is disabled since we are running on OS XXX
                                us=327673 NOTE: --register-dns is disabled since we are running on OS XXX
                                

                                I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                                Halton Arp

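Added example (not code from this thread, from OpenVPN or from pfSense): a small Python check that reads an OpenVPN client log and reports whether block-outside-dns installed all four WFP filters, whether the register-dns commands ran, and whether the client refused either option because it was not running on Windows. The sample log lines are constructed from the output quoted above; the timestamps and filter IDs are made up.

```python
import re

# Constructed sample, modelled on the Windows client output quoted in the
# thread (dates and filter IDs are invented for this example).
WINDOWS_LOG = """\
Thu Apr 28 14:26:17 2016 us=537679 Blocking outside DNS
Thu Apr 28 14:26:17 2016 us=547679 Blocking DNS using WFP
Thu Apr 28 14:26:17 2016 us=547679 Filter (Block IPv4 DNS) added with ID=88910
Thu Apr 28 14:26:17 2016 us=547679 Filter (Block IPv6 DNS) added with ID=88911
Thu Apr 28 14:26:17 2016 us=547679 Filter (Permit IPv4 DNS queries from TAP) added with ID=88912
Thu Apr 28 14:26:17 2016 us=547679 Filter (Permit IPv6 DNS queries from TAP) added with ID=88913
Thu Apr 28 14:26:18 2016 C:\\Windows\\system32\\ipconfig.exe /registerdns
Thu Apr 28 14:26:18 2016 End net commands...
"""

# Constructed sample of the NOTE lines expected from a non-Windows client.
OTHER_OS_LOG = """\
Thu Apr 28 14:26:17 2016 us=327673 NOTE: --block-outside-dns is disabled since we are running on OS XXX
Thu Apr 28 14:26:17 2016 us=327673 NOTE: --register-dns is disabled since we are running on OS XXX
"""

# All four WFP filters must be present: two that block port 53 on every
# adapter, and two that re-permit it only from the TAP (tunnel) adapter.
EXPECTED_FILTERS = (
    "Block IPv4 DNS", "Block IPv6 DNS",
    "Permit IPv4 DNS queries from TAP", "Permit IPv6 DNS queries from TAP",
)
FILTER_RE = re.compile(r"Filter \((?P<name>[^)]+)\) added with ID=(?P<id>\d+)")
DISABLED_RE = re.compile(r"NOTE: (?P<opt>--[a-z-]+) is disabled since")


def check_dns_protection(log_text):
    """Summarise whether block-outside-dns / register-dns took effect.

    blocked         - True only if all four WFP filters were added
    missing_filters - expected filter names that never appeared
    filters         - {filter name: WFP filter id}
    registered      - True if the register-dns commands ran
    disabled        - options the client refused (e.g. on a non-Windows OS)
    """
    filters, disabled, registered = {}, [], False
    for line in log_text.splitlines():
        if m := FILTER_RE.search(line):
            filters[m["name"]] = int(m["id"])
        elif m := DISABLED_RE.search(line):
            disabled.append(m["opt"])
        elif "ipconfig.exe /registerdns" in line:
            registered = True
    missing = [f for f in EXPECTED_FILTERS if f not in filters]
    return {"blocked": not missing, "missing_filters": missing,
            "filters": filters, "registered": registered, "disabled": disabled}


if __name__ == "__main__":
    for label, log in (("windows", WINDOWS_LOG), ("other-os", OTHER_OS_LOG)):
        print(label, check_dns_protection(log))
```

A "blocked: False" result on a Windows client means port 53 is still reachable on the hotspot adapter, which is exactly the leak the thread warns about.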
                                • Pippin

                                  Do any non-Windows clients have similar issues with DNS leakage to the non-VPN adapters?

                                  Not that I know of…..

                                  I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                                  Halton Arp

                                  • NOYB

                                    The "--block-outside-dns" option results in this.

                                    Thu Apr 28 14:26:17 2016 TCP: connect to [AF_INET]192.168.2.42:1194 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.

                                    • Pippin

                                      That log message is/seems unrelated to the block-outside-dns because it's been around for many years, from when block-outside-dns was non-existent ;)

                                      Check your config.

                                      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                                      Halton Arp

                                      • NOYB

                                        It only happens with the block-outside-dns option.

                                        The config is straightforward.  Nothing exotic.

                                        • moikerz

                                          khorton,
                                          As a direct answer to your #2 question: the term you are looking for is a "full-tunnel" VPN - all traffic goes through the tunnel. The opposite of this is a "split-VPN" or "split-scope VPN", where only data destined for the remote network goes over the VPN, all other data goes out the regular local internet.

                                          Best security is done with a full-tunnel VPN. This means the remote user is subject to internet speeds at the host, filtering via the host, etc. For example, if a home user with a 100/20 connection connects to a full-tunnel VPN to corporate HQ, which has a 10/10 connection, then the remote user is subject to all filter rules as at HQ, and only has a 10/10 connection to the Internet.

                                          • NOYB

                                            Ah ha.  The  block-outside-dns option was added in 2.3.9.  I've not updated from 2.3.8 yet.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.