New to pfsense, what are my options? Need help!



  • Hello all.

    I am looking to set up pfsense as an inline web filter and transparent proxy for my children as well as my mom's house (which is across our driveway, connected by buried CAT6) and also do some traffic shaping. We are sharing a 2mb down 1mb down wireless internet connection between two houses and it's not working out very well. Unfortunately we live in a rural area and this is the only option we have for internet at this time.

    Our internet connection being wireless has tons of latency issues and buffering of packets when all the available bandwidth is in use. I have been able to circumvent this using QoS on an ASUS Router running tomatousb by setting upper limits of bandwidth use of 1.75Mbps down/0.75Mbps up and setting up rules that gave VoIP/IM/Gaming packets a higher priority class. This has made my internet connection "usable" but it also leaves a lot to be desired so I figured an inline web cache could at least help things out. My kids are also getting older and it's time that I implement some parental controls on our network as my oldest son is getting more tech savvy and it's only a matter of time before he learns how to circumvent parental control software I installed on his devices. I figured nix/bsd on an old computer would be the most cost effective way to accomplish all these things… and I was told that pfsense would be ideal for my situation.

    I first set up pfsense as a router, like such:

    Internet --> pfsense box --> switch --> lan

    I was able to get transparent web proxy, caching, and filtering working properly however no matter how many times I reran the traffic shaping wizard and no matter how much I tinkered with the settings I couldn't get pfsense to actually follow the upper limits I set and my connection became unusably latent every time I did anything bandwidth intensive.

    After spending hours and hours reading tutorials and trying everything I can think of I gave up on using pfsense for my QoS and decided to continue letting my router running Tomatousb handle the QoS and then install the pfsense firewall between my router and the rest of my LAN.

    So then I set things up like this:

    Internet --> tomatousb router --> pfsense box --> switch --> lan

    Now I am able to get internet on the pfsense box and download packages, and ping and DNS resolution are fine when done from the console of the pfsense box. Devices on the LAN are able to access the pfsense box's web interface and can pull an IP via DHCP, but are unable to access the internet or anything past the pfsense box.

    My current Interface configuration:

    WAN: 192.168.0.234 (DHCP)
    LAN: 192.168.1.1 (Static)

    I removed all the packages I installed, reset to factory defaults... and still not able to get internet past the pfsense box, despite being able to access the pfsense webgui from devices on the LAN and the pfsense box itself being able to access the internet just fine... I also verified that my only firewall rules are the default rules to ALLOW all LAN traffic... I didn't add or change anything after the factory reset.

    Any help or advice would be greatly appreciated!
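    A way to narrow down where LAN traffic stops in the two-router layout described in this post, as an added example that is not part of the thread. Run from a LAN client, it pings each hop in path order and names the first one that fails, so the follow-up is a specific check rather than another factory reset. The pfSense LAN address (192.168.1.1), WAN address (192.168.0.234) and 8.8.8.8 are the values given in the thread; the upstream router address 192.168.0.1 is an assumption, as is the hostname used for the DNS check. pfSense enables automatic outbound NAT by default, so on a factory-reset box the "upstream router unreachable" case is worth reading together with the WAN interface's gateway setting rather than as a NAT problem alone.

```python
"""Hop-by-hop reachability ladder for a client on the pfSense LAN.

Added example, not from the thread. Assumed topology:
  client -> pfSense LAN 192.168.1.1 -> pfSense WAN 192.168.0.234
         -> upstream router (assumed 192.168.0.1) -> internet (8.8.8.8)
"""
import platform
import socket
import subprocess

# Probe targets in path order; the order is what makes the localisation work.
LADDER = {
    "pfsense_lan": "192.168.1.1",       # from the thread
    "pfsense_wan": "192.168.0.234",     # from the thread
    "upstream_router": "192.168.0.1",   # assumption: tomato router's LAN address
    "internet_ip": "8.8.8.8",           # DNS server listed in the thread
}

# What the first failing hop most likely means, seen from the client.
DIAGNOSIS = {
    "pfsense_lan": "client cannot reach its gateway: check client IP/mask/gateway and the LAN link",
    "pfsense_wan": "pfSense is not forwarding LAN to WAN: check LAN rules and that WAN is the default gateway",
    "upstream_router": "packets leave pfSense but replies do not come back: check outbound NAT on WAN "
                       "or give the upstream router a route to 192.168.1.0/24",
    "internet_ip": "upstream router answers but nothing beyond it: check the upstream router/ISP link",
    "dns": "IP connectivity works but names do not resolve: check the DNS forwarder/resolver settings",
}

def ping(host, timeout_s=1):
    """True if one ICMP echo to host gets a reply; uses the OS ping binary."""
    windows = platform.system().lower() == "windows"
    count_flag, wait_flag = ("-n", "-w") if windows else ("-c", "-W")
    wait_val = str(timeout_s * 1000) if windows else str(timeout_s)  # Windows -w is in ms
    try:
        proc = subprocess.run(["ping", count_flag, "1", wait_flag, wait_val, host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 2)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

def resolves(name="example.com"):
    """True if the client's configured resolver answers for name (assumed hostname)."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def localize(results):
    """results maps each LADDER label plus 'dns' to True/False.
    Returns (first_failing_label, diagnosis), or (None, 'all probes passed')."""
    for label in list(LADDER) + ["dns"]:
        if not results.get(label, False):
            return label, DIAGNOSIS[label]
    return None, "all probes passed"

def run_ladder():
    """Probe every hop, then the resolver; stops nowhere so the full picture is shown."""
    results = {label: ping(addr) for label, addr in LADDER.items()}
    results["dns"] = resolves()
    return results

if __name__ == "__main__":
    res = run_ladder()
    for label, ok in res.items():
        print(f"{label:16s} {'ok' if ok else 'FAIL'}")
    print(localize(res)[1])
```

The probe results are kept separate from the interpretation in `localize()`, so the same table can be fed results gathered by hand (for example from a client that cannot run the script) and still produce the same reading.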



  • Maybe a better way to word the question….

    What is the quickest and easiest way to set up pfsense to act as a firewall + inline transparent caching proxy + web filter on my LAN while continuing to use my router for DHCP, DNS, and QoS?


  • Banned

    RTFM



  • RTFM

    LOL what manual?

    What is the quickest and easiest way to set up pfsense to act as a firewall + inline transparent caching proxy + web filter on my LAN while continuing to use my router for DHCP, DNS, and QoS?

    pfSense + Squid w/WPAD instead of transparent mode + SquidGuard.


  • Banned



  • @Supermule:

    RTFM

    Instead of being a "Forum Hero" and making useless posts pointing out the obvious (when I stated I spent hours reading relevant howtos and tutorials) to up your post count, and not actually adding anything of value to the thread, why not post links to relevant documentation or posts or point out what I might have missed?

    Thanks.



  • @Supermule:

    Sorry

    RTFD

    https://doc.pfsense.org/index.php/Main_Page

    I've spent hours going through the documentation, over and over again… you're not helping. But keep that post count going up.... that's what's important right?


  • Banned

    Thanks mate….

    sigh



  • @Supermule:

    Thanks mate….

    sigh

    Yeah, you're welcome. And thanks for nothing.

    If someone has any real advice or could point me to any specific documents / articles / howtos or have any ideas that are actually relevant to my question it would be greatly appreciated.


  • Banned



  • @Supermule:

    1: https://doc.pfsense.org/index.php/Gateway_Settings

    2: https://doc.pfsense.org/index.php/Example_basic_configuration

    https://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy

    https://doc.pfsense.org/index.php/SquidGuard_package

    https://doc.pfsense.org/index.php/Traffic_Shaping_Guide

    What more do you need?

    Oh and get your modem running in bridge mode so you don't do double NAT.

    Thanks for posting something useful instead of just "RTFM".

    These are the exact links I followed to set up my pfsense box… I have gone back through them over and over and verified that I did each step, in order... still not getting internet through the firewall... even with the default rules allowing all traffic on LAN and I can access the internet from the pfsense box. I was also not able to resolve the bandwidth saturation problem with pfsense... and I spent hours testing and tweaking settings as suggested in the traffic shaping guide link.


  • Banned

    Why don't you just restore your previous working configuration, nuke the broken shaper and move on? Traffic shaping on pfSense requires a lot of reading (instead of unproductive rants), plus, you are essentially killing it with the proxy plague.

    Want a simple shaper? Here.



  • @doktornotor:

    Why don't you just restore your previous working configuration, nuke the broken shaper and move on?

    Since I was never able to get QoS working satisfactorily I didn't consider it a working config so I never backed it up.  :(

    @doktornotor:

    Traffic shaping on pfSense requires a lot of reading (instead of unproductive rants),

    I understand this, I spent several hours studying and following the Traffic Shaper Guide (as well as some other posts) and was able to get the latency much improved but no matter what settings I used I couldn't match the performance of the QoS on my router. It gets frustrating when you don't have days on end to put into trying to simply set up a firewall and proxy server so I decided to go back to tomato's QoS since it seems to be much better implemented or using a different algorithm that works better with my particular situation.

    @doktornotor:

    plus, you are essentially killing it with the proxy plague.

    I had squid disabled during all my QoS trial and error, as to not complicate things.

    @doktornotor:

    Want a simple shaper? Here.

    Cool thanks, I'll give it a try!



  • Now I can't get any traffic through the firewall… even after doing a factory reset and having it setup like this:

    internet --> pfsense --> desktop pc

    Still have internet access on the pfsense box though.... just can't access the internet from any devices connected to the pfsense box.



  • After failing to get internet connectivity to any devices beyond the firewall after several factory resets I decided to reformat and reinstall… which corrected the connectivity issues.

    @doktornotor:

    Want a simple shaper? Here.

    Tried using CODELQ for QoS like you suggested and still got 2000+ ms ping times with 1 youtube video playing in 360p. With Tomato doing the QoS on my old ASUS router I can have 10+ youtube videos playing at once and ping times remain under 100ms.  I have tried many many many different combinations of QoS settings with pfsense and none of them have led to a usable internet connection… even with no other packages installed and only 1 device connected to the pfsense box which is connected directly into my internet connection. What gives?


  • Banned

    You know what? Stick with Tomato… I don't see this thread getting anywhere near anything productive. No one can debug your QoS attempts with unknown configuration. And frankly, while the horrible proxy thing is in place, you won't get any decent shaping at all using the traffic shaper. If you insist, play with stuff like Squid's delay pools or whatnot.



  • @doktornotor:

    You know what? Stick with Tomato… I don't see this thread getting anywhere near anything productive. No one can debug your QoS attempts with unknown configuration.

    What information would be needed to debug my QoS? I'd be happy to provide any information that would be helpful, screenshots of my configs, whatever.

    I would be happy to stick with tomato but it can't do web caching or offer the level of parental controls which is what brought me to pfsense.

    What steps would I need to take to set up pfsense behind my tomato router, and let tomato handle Gateway, DHCP, QoS and have the pfsense box handle Firewall/NAS/Proxy/Web Filtering/DNS, etc?

    I was thinking something like this:

    Internet --> Tomato Router (QoS/DHCP) --> Pfsense Box --> Switch --> LAN

    @doktornotor:

    And frankly, while the horrible proxy thing is in place, you won't get any decent shaping at all using the traffic shaper. If you insist, play with stuff like Squid's delay pools or whatnot.

    Like I've stated several times now all my QoS testing was done with the proxy disabled, and now I am running with no packages installed and getting the same results.



  • I'd dump whatever I didn't need.  Squid would be at the top of my list.

    Then I'd set up simple traffic shaping.

    Try that.



  • @kejianshi:

    I'd dump whatever I didn't need.  Squid would be at the top of my list.

    Then I'd set up simple traffic shaping.

    Try that.

    @ns7979:

    I had squid disabled during all my QoS trial and error, as to not complicate things.

    @ns7979:

    I have tried many many many different combinations of QoS settings with pfsense and none of them have led to a usable internet connection… even with no other packages installed and only 1 device connected to the pfsense box which is connected directly into my internet connection.

    @ns7979:

    Like I've stated several times now all my QoS testing was done with the proxy disabled, and now I am running with no packages installed and getting the same results.



    After a bit of reading, I just noticed.  No hardware specs.

    What is this running on?  CPU?  RAM?  Disk space?  etc etc…

    I can imagine, for instance that if your machine was running low on ram and was deep into swap usage things might get pretty laggy.

    (So, by "disabled" you mean there is no squid installed on your system?)



  • @kejianshi:

    After a bit of reading, I just noticed.  No hardware specs.

    What is this running on?  CPU?  RAM?  Disk space?  etc etc…

    I can imagine, for instance that if your machine was running low on ram and was deep into swap usage things might get pretty laggy.

    (So, by "disabled" you mean there is no squid installed on your system?)

    Yes, by disabled I mean I removed all the packages related to squid to rule them out.

    System stats:

    Name pfSense.localdomain
    Version 2.2.1-RELEASE (amd64)
    built on Fri Mar 13 08:16:49 CDT 2015
    FreeBSD 10.1-RELEASE-p6

    You are on the latest version.
    Platform cdrom
    CPU Type AMD Athlon™ 64 X2 Dual Core Processor 5000+
    2 CPUs: 1 package(s) x 2 core(s)
    Uptime 01 Hour 49 Minutes 45 Seconds
    Current date/time
    Wed Mar 25 21:58:31 UTC 2015
    DNS server(s) 127.0.0.1
    8.8.8.8
    8.8.8.1
    Last config change Wed Mar 25 21:08:01 UTC 2015
    State table size
    0% (126/303000)
    Show states
    MBUF Usage
    1% (1270/189286)
    Load average
    0.00, 0.02, 0.00
    CPU usage
    (Updating in 10 seconds)
    Memory usage
    7% of 3036 MB
    Disk usage
    / (cd9660): 100% of 223M
    /tmp (ufs in RAM): 17% of 19M
    /var (ufs in RAM): 61% of 31M
    /etc (ufs in RAM): 42% of 19M
    /usr (unionfs): 94% of 242M
    /conf (ufs in RAM): 1% of 5.4M
    /home (ufs in RAM): 0% of 5.4M

    last pid: 38297;  load averages:  0.01,  0.02,  0.00  up 0+01:49:17    21:58:03
    123 processes: 3 running, 99 sleeping, 21 waiting

    Mem: 47M Active, 45M Inact, 173M Wired, 134M Buf, 2692M Free



  • Oh, and I am running off the live CD at the moment… testing QoS setups with a clean install with no additional packages. When I was using squid it was running from a hard drive install on the 80GB SSD drive in the box.



    No idea.  I wouldn't be testing a livecd though.  That's just me.

    Keep banging away.  It can be done.



  • @kejianshi:

    No idea.  I wouldn't be testing a livecd though.  That's just me.

    Keep banging away.  It can be done.

    I hear ya, I've been switching back and forth between the live cd and hd install to see if it made any differences… but nope... same results either way.



  • You will get some additional latency with shaping.



  • @kejianshi:

    You will get some additional latency with shaping.

    Well with Tomato QoS I am able to get consistently under 100ms ping times even when the bandwidth is saturated… and voip / games / etc remains low latency and lag free. It took some learning to set up, but I had it up and running great in a couple of hours of tweaking and fine tuning and it has been working without a hitch for a couple of years now.

    Ideally I'd like to set up the pfsense firewall between the tomato router (gateway) and the rest of my LAN (switch) and let tomato handle QoS/DHCP and let the pfsense box handle everything else (Proxy/Filtering/Firewall/NAS/DNS/OpenVPN) but I am not sure what steps to take to set this up and I am not having any luck finding information on how to make it work...



  • That configuration is the opposite of ideal.  Also, how are you measuring latency?
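    One way to make the latency comparison in this thread reproducible, as an added example that is not from the thread: run a plain ping once with the link idle and once with a download going, parse both outputs, and report median, 95th percentile, loss and the idle-to-loaded median shift against the 100 ms target the poster quotes for the Tomato setup. The ping lines below are constructed samples in Linux/macOS format with illustrative numbers, not the poster's measurements; a shaper that holds the loaded median close to the idle median is doing its job, whatever the absolute number.

```python
"""Summarise ping output taken idle vs under load (added example, not from the thread)."""
import re
import statistics

# Linux/macOS reply line: "... icmp_seq=N ttl=T time=X ms"
PING_REPLY = re.compile(r"icmp_seq=(\d+).*?time=([\d.]+)\s*ms")
# Lines that mean a probe got no answer (macOS/Linux/Windows wordings)
PING_LOST = re.compile(r"timeout|timed out|Destination Host Unreachable", re.I)

# Constructed samples: an idle link, then the same link with a download running.
IDLE_SAMPLE = [
    "64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=21.3 ms",
    "64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=22.0 ms",
    "64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=20.8 ms",
    "64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=23.5 ms",
    "64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=21.9 ms",
]
LOADED_SAMPLE = [
    "64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=640.2 ms",
    "Request timeout for icmp_seq 2",
    "64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=1210.5 ms",
    "64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=2044.7 ms",
    "64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=1870.1 ms",
    "64 bytes from 8.8.8.8: icmp_seq=6 ttl=117 time=2301.9 ms",
]

def parse_ping(lines):
    """Return (rtts_ms, sent, lost); header and summary lines are ignored."""
    rtts, sent, lost = [], 0, 0
    for line in lines:
        m = PING_REPLY.search(line)
        if m:
            sent += 1
            rtts.append(float(m.group(2)))
        elif PING_LOST.search(line):
            sent += 1
            lost += 1
    return rtts, sent, lost

def percentile(values, p):
    """Linear-interpolated percentile (p in 0..1); None for an empty list."""
    if not values:
        return None
    s = sorted(values)
    k = (len(s) - 1) * p
    lo = int(k)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)

def summarize(lines):
    rtts, sent, lost = parse_ping(lines)
    return {
        "sent": sent,
        "lost": lost,
        "loss_pct": (100.0 * lost / sent) if sent else 0.0,
        "median_ms": statistics.median(rtts) if rtts else None,
        "p95_ms": percentile(rtts, 0.95),
        "max_ms": max(rtts) if rtts else None,
    }

def bufferbloat_grade(idle, loaded, budget_ms=100.0, max_loss_pct=1.0):
    """Compare idle vs loaded summaries. Returns (ok, median_shift_ms, reason)."""
    if idle["median_ms"] is None or loaded["median_ms"] is None:
        return False, None, "no replies in one of the runs"
    shift = loaded["median_ms"] - idle["median_ms"]
    if loaded["p95_ms"] > budget_ms:
        return False, shift, f"p95 under load {loaded['p95_ms']:.0f} ms exceeds {budget_ms:.0f} ms"
    if loaded["loss_pct"] > max_loss_pct:
        return False, shift, f"loss under load {loaded['loss_pct']:.1f}% exceeds {max_loss_pct:.1f}%"
    return True, shift, "latency under load within budget"

if __name__ == "__main__":
    idle, loaded = summarize(IDLE_SAMPLE), summarize(LOADED_SAMPLE)
    for name, s in (("idle", idle), ("loaded", loaded)):
        print(f"{name:7s} median={s['median_ms']:.1f}ms p95={s['p95_ms']:.1f}ms "
              f"max={s['max_ms']:.1f}ms loss={s['loss_pct']:.1f}%")
    ok, shift, reason = bufferbloat_grade(idle, loaded)
    print(f"{'PASS' if ok else 'FAIL'}: {reason} (median shift {shift:.0f} ms)")
```

Feed it real captures by reading the two files into lists of lines in place of the constructed samples; the p95 and loss figures matter more than the average, because a shaper that keeps the average low while dropping or stalling one packet in ten is exactly what voice and game traffic notices.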

