VPN service on a PC



  • Hello!

    I am new to all this so bear with me please.

    I would like to turn my old desktop PC (a Celeron D with 512 MB RAM) into a router/FW/etc., primarily because I would like to establish a home VPN service.

    I installed the 64-bit version of pfSense via USB (should I have installed the 32-bit version since I only have 512 MB of RAM?) with VGA support and I can't get past the WAN setting. If I hit "a" nothing happens but I know why. Because I'm not connected to the WAN, I'm using another router in between.

    It's like this: -->ISP/DSL-->Router-->Switch-->"pfSense PC-to-be". I tried also a direct connection via UTP cable from my laptop into the NIC of the old PC but I don't know the IP of pfSense. Tried 192.168.1.1 but that didn't work.

    I would like to use this machine for a home VPN and also learn as much as possible (about networking in general) and also put my old PC to as much use as possible for learning.

    I have two NICs in that PC, the integrated LAN card and a 3Com 3CRDAG675 Wireless LAN card. Ubuntu and Windows XP recognise and work with that old Wireless card but there are no drivers for Windows 7 or 8. How can I know if pfSense will recognise it?

    Any help would be greatly appreciated!


  • Banned

    @Bellzemos:

    It's like this: -->ISP/DSL-->Router-->Switch-->"pfSense PC-to-be".

    Make it like this:

    DSL (bridged) -> pfSense LAN -> Switch -> WiFi AP (connected via LAN port, no DHCP/routing)



  • Sadly I can't move this portion of the network: "ISP/DSL-->Router-->Switch". From switch onwards I can change things but that's all. So the pfSense machine would have to work in the LAN domain I guess.

    I have another wireless home router that I can use. But only one NIC with RJ-45 in the machine. The other NIC is the old 3COM wireless card.

    How can I access the interface anyway? If I connect via UTP cable to my laptop nothing happens. What should be the IP address?


  • Banned

    Well from switch onwards it's completely useless. You are triple-NATing.



  • But can I have a VPN server there? That's what I'm trying to use pfSense for, not as a firewall.



  • @Bellzemos:

    If I hit "a" nothing happens

    After hitting A key you have to plug in the network cable into WAN interface to tell pfSense which NIC it is.

    The VPN server will also work in LAN, provided you can forward VPN traffic to it.



  • When I was hitting the A key I had a UTP cable going from the pfSense machine into the switch and then into the LAN port on the router whose WAN connects to the DSL "modem".

    How can I access pfSense's interface? Connect a UTP cable into its NIC and the other end into my laptop's RJ-45. I don't know the IP address to log in. Or does it not work like that?



  • @Bellzemos:

    How can I know if pfSense will recognise it?

    https://www.freebsd.org/releases/10.1R/hardware.html

    @Bellzemos:

    When I was hitting the A key I had a UTP cable going from the pfSense machine into the switch and then into the LAN port on the router whose WAN connects to the DSL "modem".

    How can I access pfSense's interface? Connect a UTP cable into its NIC and the other end into my laptop's RJ-45. I don't know the IP address to log in. Or does it not work like that?

    There should be no network cable connected before you hit A.

    There are some guides on the web describing the installation process, like
    https://doc.pfsense.org/index.php/Installing_pfSense

    After installation, if at least two network cards are recognised, pfSense sets the first as WAN and the second as LAN and assigns 192.168.1.1 to LAN.
    pfSense will also list the recognised NICs at the console and you can assign them manually.

    To run a VPN server, just one NIC will be sufficient.



  • I think pfSense recognised the WLAN adapter, it stated that it's Atheros (3COM with an Atheros chip I guess), not sure if it will work though.

    I would like to log into pfSense and can not. I can only log into LAN port, not WAN, right?

    Sometimes it recognises the WAN, sometimes says there's no link (even though there is) and it doesn't assign LAN.

    How can I log into it through that one NIC with RJ-45? And how could I run a VPN server with just one NIC?

    I'm lost… Thank you for bearing with me!



  • It would already be a success for me just to get in here:

    Is a UTP cable connecting the pfSense box with a laptop enough to get to the dashboard? Or do I have to have WAN link/signal?

    I am unable to log in…



  • After installation, if you haven't assigned any IP to interfaces, the screen looks like that in my first attachment below.
    Under "Valid interfaces are:" pfSense lists recognized interfaces with MAC addresses and names. Here it is just one: re0

    You can assign the interfaces manually. If you also have just one assign this to WAN. In my case I had to enter "re0" to manually assign the NIC to WAN.
    When you are asked for LAN just press Enter to skip.

    After that is done pfSense finishes configuration and shows the screen in the second attachment. This is the console menu.
    Here it shows an IP assigned to WAN per DHCP.
    To change the WAN IP, press "2" and assign an IP and mask to WAN and respond to the other questions.

    After that you can connect to WebConfigurator over WAN interface by typing the WAN IP in the browser of a connected computer.
    There should be no complexity.






  • Thank you very much for this. I went through all those stages before. I now manually set the bfe0 for WAN and assigned an IP (no DHCP) and I was able to log, I came to the log screen. But then since I didn't know the password it threw me out and even if I rebooted and set a new IP I couldn't log back in. It could well be an obscure hardware issue on my side so I'm going to install pfSense in VMWare and try there as soon as I have some time. Again, thank you a lot!



  • I have installed pfSense in VMWare Player and then figured out I have to have a bridged WAN connection. I was finally able to log into the pfSense web interface. It's overwhelming. :D

    How do you recommend me, as a beginner, to start with setting up a VPN service?

    Thank you! :)



  • How do you recommend me, as a beginner, to start with setting up a VPN service?

    The same way the rest of us do it:  lots of reading, lots of video-viewing, lots of trial & error, lots of questions.



  • I know, I know, as with anything. But still, can I use pfSense as a VPN server even though it's not connected to the real WAN? It's in the LAN segment of my network. I've read somewhere up there that one ethernet connection is enough for VPN - so how would I go about it then?

    Thank you.



  • @Bellzemos:

    But still, can I use pfSense as a VPN server even though it's not connected to the real WAN? It's in the LAN segment of my network. I've read somewhere up there that one ethernet connection is enough for VPN - so how would I go about it then?

    I've run such a set-up with 2.1 at the time I moved from other firewall product to pfSense to provide continuous VPN service. I see no reason why it shouldn't work with current version, at least in case you use openVPN.
    You have to forward the OVPN port to pfSense at the DSL router and configure the VPN server to listen on the only one interface.

    If you run a VPN server on pfSense it adds a virtual interface for the VPN tunnel network, so you then have 2 interfaces. At these interfaces you can configure firewall rules to control traffic in both directions.



  • And you need to do something so that devices in the LAN know how to reply to packets coming from across the OpenVPN. LAN devices (like some server that OpenVPN users want to connect to) are going to have some other default gateway - e.g. the DSL router.
    a) Add a static route in the DSL router pointing traffic for the OpenVPN tunnel to the pfSense interface. Introduces asymmetric routing at the DSL router (the packets from the OpenVPN tunnel to LAN servers will not be seen by the DSL router). If the DSL router does not care then this option will work.
    or
    b) Add a static route to the OpenVPN tunnel to each server on the LAN. If there are only 1 or a few then this can be an easy option.
    or
    c) NAT traffic from the OpenVPN tunnel out the pfSense interface that goes to your LAN. Then all traffic appears to come from the pfSense address on your LAN. LAN servers reply fine and all is well. Disadvantage is that the LAN servers cannot distinguish the various clients inside the OpenVPN tunnel - if you care about that.
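
An added example, not part of any post in this thread: a small Python model of the path a LAN server's reply takes with no fix and with each of options (a), (b) and (c) above. All addresses, names and functions are constructed for illustration.

```python
import ipaddress

# Constructed sample addressing (none of these values come from the thread).
LAN = ipaddress.ip_network("192.168.0.0/24")
TUNNEL = ipaddress.ip_network("10.8.0.0/24")       # OpenVPN tunnel network
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
DSL_ROUTER = ipaddress.ip_address("192.168.0.1")   # default gateway of the LAN servers
PFSENSE = ipaddress.ip_address("192.168.0.2")      # pfSense's only LAN-side address
VPN_CLIENT = ipaddress.ip_address("10.8.0.6")      # a client inside the tunnel
ISP = "ISP"                                        # sentinel: packet leaves the house


def next_hop(routes, dst):
    """Longest-prefix match. A route with hop None is on-link: deliver to dst."""
    net, hop = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return dst if hop is None else hop


def reply_path(option=None):
    """Return (source address the LAN server sees, hops its reply takes).

    option: None (no fix), "a" (static route on the DSL router),
            "b" (static route on each server), "c" (NAT on pfSense).
    """
    server_routes = [(LAN, None), (DEFAULT, DSL_ROUTER)]
    router_routes = [(LAN, None), (DEFAULT, ISP)]
    seen_src = VPN_CLIENT
    if option == "a":
        router_routes.append((TUNNEL, PFSENSE))
    elif option == "b":
        server_routes.append((TUNNEL, PFSENSE))
    elif option == "c":
        seen_src = PFSENSE          # tunnel traffic is rewritten to pfSense's LAN address
    hops = [next_hop(server_routes, seen_src)]
    if hops[-1] == DSL_ROUTER:      # server handed the reply to its default gateway
        hops.append(next_hop(router_routes, seen_src))
    return str(seen_src), [str(h) for h in hops]


def reply_reaches_vpn(option=None):
    """True when the reply ends up at pfSense, which can put it back in the tunnel."""
    return reply_path(option)[1][-1] == str(PFSENSE)


if __name__ == "__main__":
    for opt in (None, "a", "b", "c"):
        src, hops = reply_path(opt)
        print(f"option {opt}: server sees {src}, reply goes {' -> '.join(hops)}")
```

With no fix the reply is handed to the DSL router and leaves towards the ISP; with (a) it detours through the DSL router, which never saw the request; with (c) the server only ever sees pfSense's LAN address as the source.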



  • Thank you for your help guys, but this is a bit beyond the scope of my current knowledge. Let me clarify how things are set here and what I'd like to achieve. Thank you for bearing with me!

    This is how things are set in my house and sadly I can not change it. It would be ideal to remove the router and replace it with the pfSense machine but it's impossible. So the pfSense machine is in the LAN. It has 2 NICs, a wired one and a wireless one. I have also installed pfSense on my PC (in VMware), so whatever will be easier to do.

    What I'd like to achieve (just to learn stuff, not to have the VPN server running 24/7) is: 1. Be able to safely surf the web from a public unsecure WiFi connection, tunneled into my house, through the DSL interface and router, into the pfSense and then securely to the internet - as if I was home. 2. Make the pfSense also act as a wireless point - using the 2nd (wireless) NIC, alongside it being the VPN server.

    I was thinking OpenVPN or IPSec (since for IPSec there's no additional software needed on the Windows clients). What would you recommend, I'm guessing OpenVPN?

    So, how would I achieve what I want in the easiest way, without modifying/compromising the current network setup (the Cheap router being the firewall protection as everything goes through it and pfSense is just an experiment for me right now - just for the VPN, not to act as a firewall).

    Thank you!



  • I think, an IPSec server is more difficult to set up and to route. However, I've never set up one at pfSense, but openVPN.

    If you add the "Open VPN client export utility" you can export an OpenVPN client and the required settings and install it on Windows with a single stroke.

    I don't want to discuss your hardware set-up any more. You may have your reasons.
    However, you can achieve your intention also this way. As said above, you have to forward the VPN port to pfSense. If your DSL modem is not in bridged mode you have to forward it here and a second time at the router.
    For routing the VPN traffic right in your LAN, you should have nothing further to do. The necessary rules should be automatically created if you have just WAN and WLAN interface. To check that go to Firewall > NAT > Outbound and look for a rule where interface is WAN, source is your VPN tunnel network, source port, destination and destination port are any (*) and NAT address is WAN address.
    If you can't find such a rule, select "Hybrid Outbound NAT rule generation" and click save and then add it by clicking +.



  • I just realised that I could in fact connect from pfSense to the DSL modem. I can't believe I haven't thought of it before. My ISP is supposed to provide me two IP addresses, not one. So I'll disconnect the cable that's connecting my dumb switch to the router and connect it directly to the DSL modem. I'll try it tomorrow or when I'll have some time and hopefully it will work with the 2nd IP leased.

    Can I have 3 NICs in the old PC box? I think I'll need another wired NIC to make it all work properly. Thank you for all the tips, I can't wait to try and make it work.

    PS: Another question - I've read that pfSense supports WOL so that it can wake up computers on the LAN. But what about pfSense itself, is it possible to turn on the pfSense box itself with WOL? The PC supports WOL (I checked the BIOS), does pfSense support it too?



  • But what about pfSense itself, is it possible to turn on the pfSense box itself with WOL?

    If pfSense is installed on the PC and you wake up the PC with WoL, then the PC boots and so does the OS
    installed on the PC; that means pfSense will also start if it is the installed OS on the PC.



  • Yep, that was a stupid question from me. It was a while since I last dealt with WOL - one has to set the things in the OS of the computer that will be waking the other one up (regarding NIC's settings for WOL). My pfSense box has WOL functionality in the BIOS so that should work.

    More importantly, will an old Lenovo box work with three NICs? The integrated one (in the MOBO), an additional wireless one and an additional wired one? If yes, I'll buy another wired one for cheap so that I can do more stuff with it.

    Another thing: the pfSense installation in my VMware just keeps on rebooting when I start it up. It won't stop, it's just rebooting on and on, do you know what might be causing it and how to fix it?

    Thank you!



  • More importantly, will an old Lenovo box work with three NICs?

    This can be a Xeon E5-26xxv3 and 128 GB RAM or a Celeron Dual Core @3,0GHz
    So a little bit closer to the point what is in the "old Lenovo"!

    If yes, I'll buy another wired one for cheap so that I can do more stuff with it.

    Buy an Intel Quad Port NIC for ~$60 so that is ~$15 for each Port but not consumer grade!

    Another thing: the pfSense installation in my VMware just keeps on rebooting when I start it up.
    It won't stop, it's just rebooting on and on, do you know what might be causing it and how to fix it?

    ???

    • I prefer running it on bare metal
    • if not able to run it on Hyper-V


  • My "old Lenovo" is a Celeron D with 512 MB of RAM. I will use this box to provide internet connection for only a couple of PCs and it's mainly for me to learn how pfSense works and to learn more about networking in general.

    I will buy a used one-port NIC cause it's disgustingly cheap, it will be for learning only. What I'd like to achieve is use the onboard NIC for WAN, the coming NIC for LAN (or vice versa) and the wireless NIC as a wireless access point (WLAN basically). So I hope that the old Lenovo will work with three NICs.

    pfSense worked fine in my VMware Player before. And now I think it says something like that it wasn't dismounted properly and then just reboots and keeps rebooting… I don't know how to fix that.

    Thank you for helping me.



  • I'll be getting another NIC soon and will be able to finish the hardware part of the pfSense box.

    All I have to set right on it is assign the interface and its IP address so that I can connect to it via the web interface, right? Everything else I can then set through the web interface?

    Another question: is there something like a default template or default settings so that when I replace my home router with the pfSense box and connect to the internet I am already safe & secure? And then I can tweak the settings in peace?

    Thank you!



  • If you intend to permit traffic coming in the new interface you have to add firewall rules.

    The pfSense settings can be exported and restored over the WebGUI Diagnostics > Backup/Restore. Or you can reset all settings in Diagnostics > Factory defaults as well as in the console.



  • Everything else I can then set through the web interface?

    Yes.

    Another question: is there something like a default template or default settings so that when I replace my home router with the pfSense box and connect to the internet I am already safe & secure?

    There is a default config and there will also be some rules for the WAN interface if you set it up, but after this
    you must also set up rules for any other interface!

    And then I can tweak the settings in peace?

    You can do so, no one is pressing you to go fast.



  • I have installed another NIC into the pfSense box and it wouldn't recognise the new NIC. Then I reinstalled pfSense and now it works, all three NICs are recognised!

    I've set the new NIC as WAN, the onboard NIC as LAN and the wireless nic as WLAN. When I set the WLAN NIC as an access point the pfSense box started having some trouble and my internet connection was unstable.

    I was getting this displayed on the pfSense box monitor:

    swap_pager_getswapspace(3): failed
    swap_pager_getswapspace(3): failed
    swap_pager_getswapspace(5): failed
    swap_pager_getswapspace(16): failed
    swap_pager_getswapspace(9): failed
    swap_pager_getswapspace(16): failed
    swap_pager_getswapspace(3): failed
    swap_pager_getswapspace(3): failed
    swap_pager_getswapspace(3): failed
    swap_pager_getswapspace(3): failed
    (it goes on and on…)

    And I was getting this displayed in the pfSense WebGUI notice:

    Acknowledge All Notices
    [There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [19]: table persist file /etc/bogonsv6]

    Could it be related to the fact that the box only has 512 MB of RAM? It has an 80 GB HDD though.



  • …and now pfSense is unable to boot up. It stops at Starting DHCP service... and I can hear the HDD but it won't go past that line and boot up. Do I have to reinstall pfSense? What caused this? How can I avoid it in the future?



  • @Bellzemos:

    Could it be related to the fact that the box only has 512 MB of RAM? It has an 80 GB HDD though.

    It seems like that.

    I think, you won't need IPv6, so you may deactivate it. You may also deactivate IPv4 Bogons, you won't need it really for your purpose.
    Further, you should keep the number of tables generally small and not use large tables like pfBlockerNG. Then the 512 MB should be enough; however, I don't know how much is required by the AP function. You'd better ask this under the hardware topic.

    And yes, maybe the 32bit version requires less RAM.



  • OK, I will reinstall now. I'm not sure if I should install the 32-bit version since the 64-bit is recommended and my CPU supports 64-bit.

    How/where do I deactivate IPv6? and the IPv4 Bogons (I don't even know what that is)?

    I haven't done anything with tables yet. All I did was set up WAN, LAN and WLAN. And when I tried applying changes to WLAN settings the errors started…



  • I reinstalled the 64-bit version and it works fine. Except…

    I have not enabled the IPv6 or Bogons so I guess that should keep down the RAM usage?

    I enabled the WLAN (wireless NIC) but its DHCP service assigned my wired LAN PC an IP from the wireless pool and there was no DNS and I couldn't go anywhere on the internet. This is really weird, I know I'm a newbie but still - weird.

    I have completely disabled the WLAN interface now and LAN interface's DHCP assigned me an IP which connects to its DNS and now it's OK. But what about the wireless - I really don't get it!



  • IPv6 is enabled by default. You can disable it in System: Advanced: Networking.
    The Bogons? I don't know. I think, I've read here that it is possible to disable it. Maybe the table isn't loaded if you uncheck "Block bogon networks" in the interface settings.


  • Banned

    Uhm… what is the goal here exactly? Why "disable" IPv6? It disables nothing, it only blocks all IPv6 traffic (even written in the GUI).



  • Save memory. If IPv6 is not enabled the IPv6 bogons table is not loaded.


  • Banned

    Uh… Disable the bogons instead! facepalm



  • if you had read the last posts you would know that we know no way, how to disable bogons.


  • Banned

    @viragomann:

    if you had read the last posts you would know that we know no way, how to disable bogons.

    Because it's extremely well hidden in the GUI! Interfaces - WAN - scroll to the bottom. :o ::)



  • I'm not sure if I should install the 32-bit version since the 64-bit is recommended and my CPU supports 64-bit.

    Would it be too much adding some RAM modules to this pfSense unit!?
    Not that I know how many you will be able to add in, but it would perhaps really speeding up the entire
    process and also perhaps prevent you from reinstalling and tune some things.



  • @doktornotor:

    Because it's extremely well hidden in the GUI! Interfaces - WAN - scroll to the bottom. :o ::)

    I've assumed this and written it above, but was not sure if it helps.