Tag: pfSense

Technology

Selective routing thru multiple pfSense and OpenVPN

Let's say you want to pass traffic from your local container/VM via some external pfSense box. This way there is no need to set up a VPN on each container you want to include in the setup. There is an OpenVPN option to pass all traffic through the tunnel, but it breaks several other things both locally and on the remote pfSense box. So there is this network configuration: the local virtualized pfSense's purpose is to pass traffic through. So it has only one interface, which is WAN. There is no LAN interface there. Addressing can be the same as on the local physical pfSense. You need to

Technology

Recover pfSense 2.6 from kernel panic at ZFS freeing free segment

Recently my pfSense, running on the same hardware for almost 3 years, died. I tried rebooting it and removing RAM, cards etc., with no luck. So I decided to bring it back from a configuration backup onto a new drive. But after a few days I started investigating this matter and I got a temporary solution to start it back up. Here is how the kernel panic looks. It says: “Attempt to query device size failed” and “zfs: freeing free segment”. The latter is the cause of the problem with the system starting up. First, select “3” to escape to the loader prompt: Then set: And you

Technology

Private cloud for 50€ (Hetzner, Proxmox, pfSense, HAProxy, Docker Swarm, Portainer, Suricata, PBS)

Create a secure, high-performance, affordable environment for your container applications using Hetzner dedicated servers, for around 50€ per month. This setup can also be done using different server providers, both dedicated and shared, even on a public cloud. This tutorial has not been sponsored by Hetzner or any other software vendors. If you are interested in a similar setup, please drop me a message via LinkedIn. Goal The goal for this setup is to run Docker containers in Swarm mode in a secure and reliable environment. For the sake of security we enable the Proxmox firewall, pfSense firewall and Suricata IDS/IPS. For the sake of reliability we configure

Technology

Private Docker Registry with pfSense-offloaded TLS connections

The benefit of running your own Docker registry is cost and privacy. But in order to use it in various places you need to secure its connection with SSL/TLS certificates. In case you have only ZeroSSL or LE certificates, it can be difficult to maintain your certificate both at the ACME/HAProxy level in pfSense and secondarily in the Docker registry somewhere else. Fortunately there is a solution for that. Add your Docker registry domain to ACME certificate enrollment as usual. Run the Docker registry without giving it a certificate. Instead configure a domain pointing at pfSense, preferably using a non-WAN address. Next configure proxy-pass at Nginx

Security

Dual WAN with failover in pfSense

Once in a while there is an outage in my main internet connection. In order to keep everything up and running, we can (fortunately) set up a secondary WAN over an LTE connection. Start with connecting your device (e.g. an LTE router) over an ethernet cable to the pfSense box. Then in pfSense itself go to System.Routing.Gateways and add a secondary one. Be sure to first activate your secondary interface in Interfaces. You cannot have the same monitor IP on both gateways, so try to point at well-known addresses. Then go to Gateway Groups and configure as follows: At this point you should have both gateways up and

Security

Suricata IDS/IPS on pfSense

Detecting and preventing threats Introduction To provide security in a network you can deploy IDS or IPS systems. The difference is in the second letter: D stands for detection and P for prevention. First you start the system in IDS mode and only then configure it to become an IPS system. Enabling Suricata in IPS mode from the start could be confusing. It is advisable to first see what’s going on in the network, to be sure not to generate too many false-positive alerts and blocks. Why IDS/IPS? You may ask why you need an intrusion detection or prevention system.

Technology

Geo location with Filebeat on Elasticsearch 7, HAProxy and NGINX

Display a geo location map for NGINX traffic logs in Kibana Summary There are 3 things to remember and configure in order to have the geo location map working: use the “forwardfor” option on the pfSense HAProxy TLS frontend; enable the Filebeat NGINX module and point it at the particular log files; define a custom NGINX log format. This guide relates to an Ubuntu Linux setup. Elasticsearch 7 First install Elasticsearch 7 as follows. Note: for a more resilient setup install more than one Elasticsearch server node and enable basic security. For the sake of clarity I will skip these two aspects, which will be covered by another article. Kibana Then install

Technology

growfs fsck required (pfSense)

In case you’ve managed to overcome other issues with the system being unable to boot or the disk size not being updated, there might still be one problem left. Sometimes resizing with gpart works fine but the file system resize does not. I’ve encountered such an issue and frankly speaking I’m not quite sure what the root cause of it is. It says that the file system is dirty and I should run fsck, which can be executed from the console by selecting number 5 and then the letter F. The system reboots and makes a file system check. It says that the file system is fine, so it’s quite confusing. Solution for

Technology

Azure FreeBSD (pfSense) not able to pick boot partition after disk resize

Following previous struggles with pfSense FreeBSD on Azure. After resizing the disk, Microsoft at some point starts adding another drive, which is a temporary one. I do not need this by any means. It seems that the Netgate pfSense template is also not quite compatible with cloud-init, as the platform tries to execute systemctl, which is not present here. The problem with this is that FreeBSD will not be able to pick which partition it should start from. The fix for this is pretty simple. Just go and edit /etc/fstab and instead of pointing to some virtual labels. In my case it was