What are some of the things you do when you install pfSense?



  • Hi Everyone,

There are a few things, like setting the RRD Graph backup to 12 hours and setting DNS to 8.8.8.8, that I do to all pfSense routers. What are some of the things that you do to all your pfSense routers? I am very interested to see what tips / tricks everyone has. This helps a lot in the long run when you notice that, "oh, shoot, I should have set that option right at the beginning".

    Cheers,


  • Rebel Alliance Developer Netgate

    A few things I do to pretty much any box these days:

    • Enable ssh, add my own user and my ssh keys
    • Install the sudo package, make sure I can get to root/admin as needed.
    • Add an "rfc1918" alias containing 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
    • Add a "web_ports" alias containing 80 and 443
    • Add an "admin_ports" alias containing web_ports and ssh, or whatever ports the GUI and SSH use if they have been moved. Also if darkstat or ntop are in use, those ports go in there too.
    • Add a "remote_management" alias that includes my hostnames and static subnets
    • Add a rule to pass from remote_management to the WAN IP on admin_ports
    • Allow ping from remote_management or any
    • Setup a DynDNS hostname even if it's on a static IP (unless it's on a domain I control and can add an A record for)
    • Setup OpenVPN for remote management
    • Add the client export package
    • Setup some form of bandwidth monitoring, usually ntop or bandwidthd or darkstat, depends on the kind of router being monitored and the resources available. iftop is also good to have for the CLI.
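    As an added illustration of how the nested aliases and the remote_management pass rule above fit together (example code written for this page, not from the thread or from pfSense itself; the alias member addresses, the WAN IP and the rule list are constructed assumptions, and hostnames in remote_management are assumed to be already resolved):

    ```python
    # Added example: a small model of pfSense-style nested aliases and first-match
    # interface rules. Alias names follow the post above; member addresses, the WAN
    # address and the rule set are constructed assumptions, not a real config.
    import ipaddress

    # Port aliases may nest other port aliases (admin_ports includes web_ports).
    PORT_ALIASES = {
        "web_ports": [80, 443],
        "admin_ports": ["web_ports", 22],   # GUI ports plus SSH (assumed default 22)
    }
    # Network aliases: the rfc1918 ranges from the post, plus a constructed
    # remote_management set (one host, one small static subnet).
    NET_ALIASES = {
        "rfc1918": ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"],
        "remote_management": ["198.51.100.7/32", "203.0.113.0/28"],
    }

    def expand_ports(name):
        """Flatten a port alias, following nested alias names recursively."""
        out = set()
        for member in PORT_ALIASES[name]:
            out |= expand_ports(member) if isinstance(member, str) else {member}
        return out

    def expand_nets(name):
        """Return the networks a network alias expands to."""
        return [ipaddress.ip_network(n) for n in NET_ALIASES[name]]

    # Constructed WAN rule set: (action, source alias, port alias or None for any).
    # pfSense evaluates interface rules top down, first match wins, and traffic
    # that matches nothing on WAN is dropped by the implicit default deny.
    RULES = [
        ("block", "rfc1918", None),               # private sources on WAN are spoofed
        ("pass", "remote_management", "admin_ports"),
    ]

    def wan_decision(src, dport):
        """Decide a TCP packet arriving on WAN from src to the WAN IP on dport."""
        src = ipaddress.ip_address(src)
        for action, src_alias, port_alias in RULES:
            src_hit = any(src in net for net in expand_nets(src_alias))
            port_hit = port_alias is None or dport in expand_ports(port_alias)
            if src_hit and port_hit:
                return action
        return "block"   # implicit default deny

    if __name__ == "__main__":
        print(sorted(expand_ports("admin_ports")), wan_decision("203.0.113.5", 22))
    ```
    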


  • For multi-office systems with site-to-site VPN links:

    • Alias "internal_nets" containing all the private subnets used internally and routable around the internal VPN network. Handy for putting in pass rules on links that are allowed to pass internal traffic in general.
    • Alias "public_IPs" containing the (DynDNS) FQDNs of all the offices. Handy for allowing incoming clients on WAN/s to the VPN site-to-site server process.


  • The most important… Install a better shell (bash ;D) if you are familiar with it and use a shell in pfSense a lot.

    Disable State killing in Advanced / Gateway Monitoring section for non-multi-wan setups.  This always gets me when I forget and later find connections being killed when the external wan link just temporarily goes down for a very short amount of time.


  • Rebel Alliance Developer Netgate

    I also tend to add 3+ NTP servers so there are at least four listed. It helps to keep the clock accurate over time.
    And change the gateway monitor IPs to something farther out, such as the DNS servers.



  • @jimp:

    I also tend to add 3+ NTP servers so there are at least four listed. It helps to keep the clock accurate over time.
    And change the gateway monitor IPs to something farther out, such as the DNS servers.

    Jim, can you please list some NTP servers you use that you trust?
    Also, what are the gateway monitor IPs?



  • @adam65535:

    The most important… Install a better shell (bash ;D) if you are familiar with it and use a shell in pfSense a lot.

    Disable State killing in Advanced / Gateway Monitoring section for non-multi-wan setups.  This always gets me when I forget and later find connections being killed when the external wan link just temporarily goes down for a very short amount of time.

    Thanks for the input.
    For some reason the shell keeps disconnecting on me after a few minutes. Is there some timer on it? Also, can you please explain how to install a better shell?


  • Rebel Alliance Developer Netgate

    @torontob:

    @jimp:

    I also tend to add 3+ NTP servers so there are at least four listed. It helps to keep the clock accurate over time.
    And change the gateway monitor IPs to something farther out, such as the DNS servers.

    Jim, can you please list some NTP servers you use that you trust?
    Also, what are the gateway monitor IPs?

    0.pfsense.pool.ntp.org through 3.pfsense.pool.ntp.org - using the numbers makes sure you get a different "sub" pool that won't have overlapping servers.


  • Rebel Alliance Developer Netgate

    @torontob:

    @adam65535:

    The most important… Install a better shell (bash ;D) if you are familiar with it and use a shell in pfSense a lot.

    Disable State killing in Advanced / Gateway Monitoring section for non-multi-wan setups.  This always gets me when I forget and later find connections being killed when the external wan link just temporarily goes down for a very short amount of time.

    Thanks for the input.
    For some reason the shell keeps disconnecting on me after a few minutes. Is there some timer on it? Also, can you please explain how to install a better shell?

    If you have a down gateway, it could be the state killing option he mentioned that should be checked (though fixing your monitor IPs is better)



  • 0.pfsense.pool.ntp.org through 3.pfsense.pool.ntp.org - using the numbers makes sure you get a different "sub" pool that won't have overlapping servers.

    This makes for a great update in future versions. Why not just add this as default.

    Also, some things I would do that are not mentioned:

    • install the cron package
    • set nanobsd RRD graphs to 12 hours so RRD graphs are not all lost if the system is unexpectedly turned off
    • disable the HTTP Referrer check so WAN access from outside doesn't become an issue
    • assign a universal password for the console port - this may not be so secure, but at least there is some security and less headache when a universal password is used.



  • @adam65535:

    Disable State killing in Advanced / Gateway Monitoring section for non-multi-wan setups.

    That's System -> Advanced click on Miscellaneous tab and scroll down to Gateway Monitoring section.


  • Rebel Alliance Developer Netgate

    @kejianshi:

    Set up DNS on the box and set up NTP on the box.
    Also Openvpn.

    Use my public IP as DNS server, NTP server and Openvpn Server when traveling in some parts of the world.
    (Your personal public IP is so obscure as to not be on any list of things to block overseas)

    Exposing the DNS forwarder to the public is a very, very bad idea. It doesn't matter how obscure you believe your IP is, it will be found by automated scanners and used for DNS amplification DoS attacks if a "bad" scanner finds it. If a "good" scanner finds it, you could find yourself on a blacklist.

    More info and a way to look up if your host has been found and flagged here: http://openresolverproject.org/



  • Open to the public NTP servers aren't hard to find. You really should select public stratum-2 servers and avoid stratum-1 servers unless your ISP offers one. Look for a close (in net hops / delay) open server that does not require you to request permission to connect for the least hassle.

    NTP site: http://support.ntp.org/bin/view/Servers/

    Rules: http://support.ntp.org/bin/view/Servers/RulesOfEngagement

    Stratum 2 list: http://support.ntp.org/bin/view/Servers/StratumTwoTimeServers

    If you don't have several open stratum-2 servers near you then using a pool isn't a bad option.

    NTP Pool List: http://www.pool.ntp.org/en/

    Keep an eye on your status page (pfsense/status_ntpd.php) and tune your list of servers by dropping ones not providing you usable responses.

    I use my ISP's (Cox Cable) stratum-1 NTP server since it is close to me (in net hops) and is very reliable and one of the Phoenix, Arizona public library servers. I also use a local NTP server on my LAN for when my net connection is down. I have tried one of these http://www.pool.ntp.org/zone/north-america pools from time to time but it usually shows up on the status list as an outlier so I drop it after a couple days.



  • Set System > Firmware > Update Settings to either Stable or Developmental firmware. I would set it to developmental having learned my lesson of seeing broken features in stable versions but working in developmental version - many vouch for dev version to be stable in production.