Pfsense newbie questions (coming from smoothwall)



  • Hello everyone!

    Just came here, moved from Smoothwall since it fucked up and needed a reboot at least once per day.. (too many mods?)

    So now I want to get pointed in the right direction for what I want out of my firewall :)

    Setup is in Sweden with Telia fibre internet, 100/100 Mbps

    --------------------------------------
    RED is a 100 Mbit NIC
    GREEN is a 1000 Mbit NIC
    Also got a wireless NIC in.
    Pentium 4 HT @ 3 GHz
    1 GB RAM
    120 GB SATA HDD

    Interwebz -> pfSense -> Gigabit switch -> Ubuntu server (with all my hard drives, file sharing and such), AirDC++ box, Xbox 360 and my OpenELEC media center.


    1. I want a sturdy proxy for getting some more speed out of the connection, with video grabber. (Tried some guidelines in the FAQ but couldn't install all the Python packages.)

    2. Best way to do the traffic shaping? 1. Gaming 2. HTTP and media center 3. File sharing... how to set this up easily, for good pings while gaming?

    3. A dynamic IP would be very nice

    4. Ad blocking would be awesome too, what's the best way to do it?

    5. Good guide to get the wireless card working? And when it's working I want the wireless card to have access to the local cable network too.

    6. Any other great tips you have for a newcomer to pfSense?


    I posted this topic to get the latest answers; I know how to search, but things like the proxy problems with video grabber are out of date.. I was able to install the python27 packages but not the python25 packages.. Anyhow! Hope someone's got some great tips :)

    //BultiZ



  • @BultiZ:

    Hello everyone!

    Just came here, moved from Smoothwall since it fucked up and needed a reboot at least once per day.. (too many mods?)

    So now I want to get pointed in the right direction for what I want out of my firewall :)

    Setup is in Sweden with Telia fibre internet, 100/100 Mbps

    --------------------------------------
    RED is a 100 Mbit NIC
    GREEN is a 1000 Mbit NIC
    Also got a wireless NIC in.
    Pentium 4 HT @ 3 GHz
    1 GB RAM
    120 GB SATA HDD

    Interwebz -> pfSense -> Gigabit switch -> Ubuntu server (with all my hard drives, file sharing and such), AirDC++ box, Xbox 360 and my OpenELEC media center.


    1. I want a sturdy proxy for getting some more speed out of the connection, with video grabber. (Tried some guidelines in the FAQ but couldn't install all the Python packages.)
            I'm no help here; since I operate off my home internet (80/40) I don't have the need to cache videos (not many people on this connection).

    2. Best way to do the traffic shaping? 1. Gaming 2. HTTP and media center 3. File sharing... how to set this up easily, for good pings while gaming?
            There are a few guides out there, and I'm sure the new book coming out will go over it (as did the previous book).

    3. A dynamic IP would be very nice
            If you mean support for things like DynDNS, it's already there; just go to Services > Dynamic DNS.

    4. Ad blocking would be awesome too, what's the best way to do it?
            Download pfBlocker, and then load your favorite list of bad IP addresses (Bluecoat etc.). Personally I use Chrome / Firefox + Adblock Plus.

    5. Good guide to get the wireless card working? And when it's working I want the wireless card to have access to the local cable network too.
            Easier in my personal experience to 1) buy a supported wireless card, or 2) go from a NIC > access point (my current method). Forcing an unsupported wireless card is going to require you to compile new drivers, which isn't even the hard part; finding the drivers or creating them is the hard part.

    6. Any other great tips you have for a newcomer to pfSense?
              Explore all the menu options, get comfortable. There's a lot of good documentation out there.


    I posted this topic to get the latest answers; I know how to search, but things like the proxy problems with video grabber are out of date.. I was able to install the python27 packages but not the python25 packages.. Anyhow! Hope someone's got some great tips :)

    //BultiZ
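The traffic-shaping setup asked about in question 2 above, as an added example that is not part of the original posts and not the ruleset pfSense itself generates: pfSense builds ALTQ rules from Firewall > Traffic Shaper, and this is the equivalent hand-written pf.conf fragment so that the three priority classes are visible. The interface names (em0 for WAN, em1 for LAN), the 95Mb cap just under the 100/100 line rate, Xbox Live on port 3074, and AirDC++ listening on 1412 are assumptions made for illustration; NAT and the rest of the ruleset are omitted.

```pf
# Added example (editor's, not from the thread or from pfSense's wizard):
# three-class PRIQ shaper for a 100/100 line.
# Assumptions: em0 = WAN, em1 = LAN, Xbox Live on 3074 tcp+udp,
# AirDC++ configured to listen on 1412 tcp+udp, media center pulls over HTTP(S).
wan_if = "em0"
lan_if = "em1"

# Same queue names on both interfaces: a state created by a LAN-in rule carries
# its queue tag, so replies leaving on the LAN side land in the matching queue.
# Cap a little below line rate so this box, not the ISP, is the bottleneck.
altq on $wan_if priq bandwidth 95Mb queue { qGames, qWeb, qDefault, qBulk }
altq on $lan_if priq bandwidth 95Mb queue { qGames, qWeb, qDefault, qBulk }

queue qGames   priority 7                 # 1. gaming: latency, little bandwidth
queue qWeb     priority 5                 # 2. HTTP/HTTPS and the media center
queue qDefault priority 3 priq(default)   # anything unclassified
queue qBulk    priority 1                 # 3. file sharing gets what is left

# Classify on the LAN side so both directions inherit the tag through the state.
# Xbox Live uses 3074 as destination and as the console's source port.
pass in quick on $lan_if proto { tcp udp } from any to any port 3074 keep state queue qGames
pass in quick on $lan_if proto { tcp udp } from any port 3074 to any keep state queue qGames
pass in quick on $lan_if proto tcp from any to any port { 80 443 } keep state queue qWeb
pass in quick on $lan_if proto { tcp udp } from any to any port 1412 keep state queue qBulk
# Catch-all last: pf is last-match unless a rule says quick.
pass in quick on $lan_if from any to any keep state queue qDefault
```

On a running box `pfctl -s queue` lists the queues and `pfctl -vs queue` shows their packet counters, which is the quick way to confirm that gaming traffic is actually landing in qGames while a download is running. ALTQ only works on NICs whose FreeBSD driver supports it, which is why pfSense's shaper wizard offers some interfaces and not others; if the 100 Mbit RED card is not offered, swap it for a supported one before spending time on the queues.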



    Thanks for that reply, going to try pfBlocker.. but what still remains is a proxy then.. I don't really need it either... but using common sense.. pulling stuff locally will always be faster no matter what connection you're on.. or am I wrong? :)

    Missed the Dynamic DNS option, but now I'm set and running no-ip.com too.. that was almost too easy, hope it works when my IP updates too :)
    A question now since I have dynamic IP set up: if I enter my dynamic IP in a browser I'm ending up at my pfSense box.. that's OK.. but will people from the outside end up at my pfSense login screen when entering my dynamic IP in a browser?

    And for the wireless part, I found how to bridge interfaces, so I bridged the wireless card with my LAN card.. and that works.. but speeds aren't as fast as I expected.. 50% of what I'm getting from my external wireless router.. and that's both with 54 Mbps connections.



    Thanks for that reply, going to try pfBlocker.. but what still remains is a proxy then.. I don't really need it either... but using common sense.. pulling stuff locally will always be faster no matter what connection you're on.. or am I wrong? :)

    This is true, but how often do you rewatch the same video? I too have seen a couple of guides out there for caching movies/videos/streams, but there are so many different types it can be a challenge. I'll see if I can find it again. It's very seldom I rewatch streams, and also very seldom somebody in my household will watch it too. With my connection, it buffers the whole movie/video before I've gotten 1/3 into it.

    Missed the Dynamic DNS option, but now I'm set and running no-ip.com too.. that was almost too easy, hope it works when my IP updates too :)
    A question now since I have dynamic IP set up: if I enter my dynamic IP in a browser I'm ending up at my pfSense box.. that's OK.. but will people from the outside end up at my pfSense login screen when entering my dynamic IP in a browser?

    Yup, it does a hell of a job keeping it up to date. Technically you can't access yourself via your public IP; pfSense is smart enough now to detect what you're doing and reroutes you to the pfSense interface. Before, it did nothing; people would get "page cannot be displayed" and it created a lot of confusion. If you connect from the outside, it will follow whatever rules you have set up (forwarding port 80 to server1, etc.). What I've done on my network is add a hostname entry to point to the web server I've set up.

    And for the wireless part, I found how to bridge interfaces, so I bridged the wireless card with my LAN card.. and that works.. but speeds aren't as fast as I expected.. 50% of what I'm getting from my external wireless router.. and that's both with 54 Mbps connections.

    Ideally you wouldn't want to bridge the two cards if you want to keep your LAN PCs secure, specifically if you're going to be hosting services on one and not the other. Do you see the wireless card showing up under Interfaces? If so you'll have a separate tab under NAT and Firewall Rules so you can set/configure the rules. I believe by default it has 0 rules, so all traffic is blocked; you'll have to add rules to give it access to the interwebz.

    I also wanted to note I came from Smoothwall years ago; my biggest gripe was the lack of updates and the very quiet community. I did like it, and think it has potential, but the community edition doesn't get enough love.

    If you wanted to try something similar to Smoothwall, give Endian a shot. I liked it, but felt it was a little too "dumbed down". However, like Smoothwall, it works with iptables instead of pf.

    If you wanted a lighter pf-based firewall, m0n0wall is freaking awesome. Not so many packages, but it has the core functionality. I believe pfSense is a branch of m0n0wall intended to simply bring more features/packages. You could run m0n0wall on a bowl of soup lol.



  • @heavy1metal:

    Thanks for that reply, going to try pfBlocker.. but what still remains is a proxy then.. I don't really need it either... but using common sense.. pulling stuff locally will always be faster no matter what connection you're on.. or am I wrong? :)

    This is true, but how often do you rewatch the same video? I too have seen a couple of guides out there for caching movies/videos/streams, but there are so many different types it can be a challenge. I'll see if I can find it again. It's very seldom I rewatch streams, and also very seldom somebody in my household will watch it too. With my connection, it buffers the whole movie/video before I've gotten 1/3 into it.

    Actually it's not so often you re-watch a stream, but when you actually do.. I could spare that bandwidth for other things :)
    The main reason I want a good proxy running is for casual web surfing.. like Facebook.. it feels good when everything's already cached when you update your feed and don't have to wait for pictures to load :)

    Missed the Dynamic DNS option, but now I'm set and running no-ip.com too.. that was almost too easy, hope it works when my IP updates too :)
    A question now since I have dynamic IP set up: if I enter my dynamic IP in a browser I'm ending up at my pfSense box.. that's OK.. but will people from the outside end up at my pfSense login screen when entering my dynamic IP in a browser?

    Yup, it does a hell of a job keeping it up to date. Technically you can't access yourself via your public IP; pfSense is smart enough now to detect what you're doing and reroutes you to the pfSense interface. Before, it did nothing; people would get "page cannot be displayed" and it created a lot of confusion. If you connect from the outside, it will follow whatever rules you have set up (forwarding port 80 to server1, etc.). What I've done on my network is add a hostname entry to point to the web server I've set up.

    OK OK, that's great info then :)

    And for the wireless part, I found how to bridge interfaces, so I bridged the wireless card with my LAN card.. and that works.. but speeds aren't as fast as I expected.. 50% of what I'm getting from my external wireless router.. and that's both with 54 Mbps connections.

    Ideally you wouldn't want to bridge the two cards if you want to keep your LAN PCs secure, specifically if you're going to be hosting services on one and not the other. Do you see the wireless card showing up under Interfaces? If so you'll have a separate tab under NAT and Firewall Rules so you can set/configure the rules. I believe by default it has 0 rules, so all traffic is blocked; you'll have to add rules to give it access to the interwebz.

    I also wanted to note I came from Smoothwall years ago; my biggest gripe was the lack of updates and the very quiet community. I did like it, and think it has potential, but the community edition doesn't get enough love.

    If you wanted to try something similar to Smoothwall, give Endian a shot. I liked it, but felt it was a little too "dumbed down". However, like Smoothwall, it works with iptables instead of pf.

    If you wanted a lighter pf-based firewall, m0n0wall is freaking awesome. Not so many packages, but it has the core functionality. I believe pfSense is a branch of m0n0wall intended to simply bring more features/packages. You could run m0n0wall on a bowl of soup lol.

    Humff.. but I want my wireless clients to be able to contact my local clients.. so the bridge isn't a problem for me I guess.. and running WPA2 for security.. WPA2 is secure enough for me :P it can take days to brute force ;p

    But the speed is still an "issue" on that interface.. can't figure out why it gets half the bandwidth it could do..


  • Netgate Administrator

    What throughput are you actually seeing between wired and wireless clients?

    Take care using No-IP. I use them and have done for years through IPCop and Smoothwall; that's the only reason I'm still using them. If you are using their free service they require you to update at most every 25 days or so. pfSense only sends an update when the IP changes (or did at least), so if your connection is stable it might time out. There is a thread about this that included a patch to force more regular updates. I'm unsure if that made it into the 2.1 release.

    Steve



    Your wireless can access your LAN clients without any issue so long as you permit it via the rules. My wireless clients connect to my media server, and they are on different segments/VLANs.

    True, any service that utilizes broadcast packets might not work, since that requires you to be on the same network/subnet/switch. Something like DLNA or HomeGroups (Windows Vista/7/8). However, there's even a workaround for that too, but it's a bit over my head. I was just reading about it in another thread where a guy wanted to access Windows shares between two different segments.

    WPA2 isn't bulletproof though, and if you have a bored neighbor they can still weasel their way in. Though you're right, it would take a considerable amount of time, especially if you're using a solid random password. Though I'm just naturally paranoid, even when it's not needed :-P
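The segmented setup described in the two replies above (wireless on its own interface with explicit rules, rather than bridged to the LAN), as an added example by the editor; this is not code from the thread and not the ruleset pfSense generates, which you would build from Firewall > Rules on the WLAN tab. It is written as a pf.conf fragment so the effective rules are visible in one place. Assumed for illustration: em0 is WAN, em1 is LAN on 192.168.1.0/24, ath0 is the wireless card on its own subnet 192.168.2.0/24, the Ubuntu server sits at 192.168.1.10 serving SMB on 445 and DLNA (minidlna's default) on 8200, and the webGUI listens on 443. The WAN line also answers the earlier question about the dynamic-DNS name: with only the default WAN block and no port forward, an outsider's connection is dropped, not shown the login page.

```pf
# Added example (editor's, not from the thread or pfSense's generated rules):
# wireless as a separate segment with least-privilege access to the LAN.
# Assumptions: em0 = WAN, em1 = LAN 192.168.1.0/24, ath0 = WLAN 192.168.2.0/24,
# media server 192.168.1.10 on 445/tcp (SMB) and 8200/tcp (DLNA), webGUI on 443.
# NAT and outbound rules are omitted.
wan_if   = "em0"
lan_if   = "em1"
wlan_if  = "ath0"
lan_net  = "192.168.1.0/24"
wlan_net = "192.168.2.0/24"
server   = "192.168.1.10"

# WAN: default deny inbound, so a visitor using the dynamic-DNS name reaches a
# logged drop, not the pfSense login page. A port forward for the web server
# belongs after this line as its own narrow rule (rdr + pass to $server port 80);
# nothing should ever pass to port 443 on the firewall itself from WAN.
block in log on $wan_if

# Wireless, evaluated in order (quick = first match wins).
# Clients may get an address and resolve names via this box ...
pass in quick on $wlan_if proto udp from any port 68 to any port 67 keep state
pass in quick on $wlan_if proto { tcp udp } from $wlan_net to ($wlan_if) port 53 keep state
# ... reach the media server on exactly the two ports it serves ...
pass in quick on $wlan_if proto tcp from $wlan_net to $server port { 445 8200 } keep state
# ... but nothing else on the LAN, and not the firewall's other addresses
# (which is where the webGUI answers) ...
block in quick log on $wlan_if from $wlan_net to { $lan_net, ($wlan_if), ($lan_if) }
# ... and otherwise go out to the Internet.
pass in quick on $wlan_if from $wlan_net to any keep state
```

Discovery protocols stop at the segment boundary, which is the broadcast caveat in the reply above: SSDP for DLNA (multicast to 239.255.255.250 port 1900) and NetBIOS name broadcasts for Windows shares never cross ath0 to em1, so wireless clients have to be pointed at 192.168.1.10 by address, or a multicast relay has to be run on the firewall. Compared with the bridge, a compromised WPA2 key now buys an attacker two ports on one host rather than the whole LAN and the GUI. To confirm the WAN side on a running box, `pfctl -sr | grep 'on em0'` lists every rule on that interface; there should be no pass rule whose destination includes the firewall's own address on 443.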

