    Entries in pfsense (2)

    Thursday, 27 Aug 2009

    pfSense - ftp server in DMZ / OPT interface - the userland FTP-Proxy setting

    Had some fun setting up an FTP server on an OPT interface of a pfSense router.

    On the legacy router setup, we had a Virtual IP for the FTP server. With that setup, we would put in a port forward to the FTP server in the DMZ, and everything would play nice.

    With pfSense, you need to tweak some settings to get things working.

    After setting up my Virtual IPs and some WAN rules, we couldn't connect to the FTP server via any interface. The problem turned out to be a combination of using the Virtual IP (as opposed to the primary IP of the WAN interface) as the address used to reach FTP from the WAN side, and a little pfSense userland FTP-Proxy setting.

    I sifted through some pfSense forum entries, and the following links gave me the clues:

    http://forum.pfsense.org/index.php/topic,6218.0.html

    http://doc.pfsense.org/index.php/FTP_Troubleshooting

    So I went through things step by step, as suggested:

    1. removed all FTP rules (WAN side) I had set up previously
    2. removed the Virtual IP - I HAD to use the WAN interface's primary IP address - the Virtual IP would NOT work - so I had to change the A record and notify users of the change
    3. went to Interfaces -> WAN -> unticked "Disable the userland FTP-Proxy application" (also unticked it on the other interfaces)
    4. this auto-created a WAN rule: * * * ext_WAN_IP 21 *
    5. then added another WAN rule: * * * ftpserver_opt_IP 21 *
    6. for users on the LAN, I made an internal DNS override so the FTP domain name points to the FTP server's internal IP address - eg: ftp.blah.com -> 192.168.1.1 (on the internet, the A record points to the WAN interface's primary IP address)

    Took a bit of time, but I finally sorted it out and now we are back to serving FTP via pfSense!

    Wednesday, 17 Jun 2009

    pfSense - Über 1337 opensource firewall / router

    I have been using pfSense since 2005. One setup is my own, running on a PC Engines WRAP (embedded) board. The other is salvaged Pentium II Dell PC hardware that replaced a malfunctioning Linksys router for one of my clients.

    The WRAP hardware has now been replaced by AMD's ALIX board, which should provide a little more horsepower; however, for any average SOHO setup, the WRAP has provided and still provides plenty of oomph (although I have seen my WRAP pfSense setup max out on CPU with large file transfers over 802.11g wifi). I purchased this hardware in Canada from Xagyl Communications.

    The first point to make is that this is rock solid. It is the one bit of hardware that never needs to be restarted whatsoever. Secondly, it is a great (and much cheaper) alternative to Cisco and Sonicwall firewalls. There are no VPN licenses to worry about, and there is an active community driving the opensource project forward, with new features and releases approximately once or twice a year. Lastly, there is even a commercial support option.

    [Photo: pfSense - use whitebox PC hardware, just add network cards for as many interfaces as you need]

    Another client has recently been having flaky performance from their Sonicwall - we suspect faulty hardware. So I took this as an opportunity to pitch an opensource solution that brings more features, options and flexibility at a lower cost. The other great feature, as you can see from the photo, is that you can load pfSense up with as many interfaces as you need, including PCI wifi adapters.

    With this 5-interface setup for this client, we have used Linksys WRT54GL routers flashed with the Tomato firmware, as we didn't have any PCI wifi cards lying around (but we did have a bunch of 3Com ethernet cards!). We have DHCP enabled on the WIFI interface and set up a static IP on the Linksys with its gateway address pointing to the WIFI interface's IP address. DHCP is passed through to the clients connecting to the Linksys. Then we have a rule on the firewall (via an alias) that does NOT allow traffic from the WIFI subnet to the alias subnets (the LAN, for example), so that WIFI traffic is isolated from the LAN.

    Setting up firewall rules and port forwards (with port translation) is fricking basic to set up - compared to Sonicwall's Advanced OS, for example. It is all done via the web-based GUI. The next best thing is that setting up a PPTP VPN takes minutes - try setting it up on Windows Server, opening up the firewall and accepting connections in less than 5 minutes!