pfSense_fan got a reaction from
Lee47 in Does Air Servers drop your connection when not in use?
Ok here is a tutorial for you to follow to best set up pfSense for AirVPN seeing that you have four NICs to work with. We are going to leave one interface, the default LAN interface that is created during pfSense install, facing the clear-net and your ISP.
This will give you the choice to use the regular internet for any needs you may have or if the VPN goes down by simply moving your network cable from one interface to the other. I am going to skip the OpenVPN setup since you already have it connected and focus on the setup of your interfaces, subnets, firewall rules and NAT. Ready? Here we go!
First of all, because you are using high quality Intel server NICs, let's start by making sure we are utilizing the power of them and offload as much as we can from that AMD processor.
1.) Go to System > Advanced > Networking (https://192.168.1.1/system_advanced_network.php)
2.) Under the section titled Network Interfaces, Find the check box for Enable device polling and check [√] the box to enable it.
3.) Now find the check boxes right below this for Disable hardware checksum offload, Disable hardware TCP segmentation offload, and Disable hardware large receive offload. Make sure these three boxes ARE NOT CHECKED. Uncheck [ ] them if they are checked by default.
4.) Click [ SAVE ]
5.) Click [ Apply Changes ]
6.) Now go to Diagnostics > Reboot (https://192.168.1.1/reboot.php).
Go ahead and reboot the system for these to take effect. The Intel drivers are the most developed and supported drivers for pfSense/FreeBSD. You can benefit from these options and offload quite a bit from your CPU and improve overall performance. We can verify these are working by going to https://192.168.1.1/status.php (or replace 192.168.1.1 with whatever your GUI login is); looking among the lines under the interfaces section, you should see "polling" as well as the other offloading options listed amongst the interfaces.
Here is a line from mine:
options=407fb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,POLLING,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO>
Your results may vary depending on whether the card you have supports all of this. Keep an eye out for any that do not show up, and disable as necessary. Keep a keen eye out for "LRO", which is Large Receive Offload. If that does not show up as enabled, go back and check that box and reboot.
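As an added check (example code written for this post, not from pfSense or the original author), here is a small Python script that parses the `options=HEX<...>` field from `ifconfig` output or the status page and reports which of the offload flags discussed above are missing per interface. The sample text is constructed: the em0 options line is the one quoted above, while the em1 block is made up for contrast and its hex mask is illustrative, not computed.

```python
import re

# Constructed sample in the style of `ifconfig` / the pfSense status page.
# The em0 options line is the one quoted in the tutorial; the em1 block is
# made up for contrast (its hex mask is illustrative, not computed).
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=407fb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,POLLING,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO>
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
"""

# Flags the tutorial tells the reader to confirm after the reboot:
# polling, hardware checksum offload (rx/tx), TCP segmentation offload, LRO.
WANTED = ("POLLING", "RXCSUM", "TXCSUM", "TSO4", "LRO")

IFACE_RE = re.compile(r"^(\w+): flags=")
OPTIONS_RE = re.compile(r"options=[0-9a-fA-F]+<([^>]*)>")


def parse_options_line(line):
    """Return the set of capability names inside an options=HEX<A,B,...> field."""
    m = OPTIONS_RE.search(line)
    if not m:
        raise ValueError("no options=<...> field in %r" % line)
    return {name for name in m.group(1).split(",") if name}


def parse_ifconfig(text):
    """Map interface name -> set of option names for every interface in the text.

    Interfaces without an options= line get an empty set, so they show up as
    missing everything rather than silently disappearing from the report."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
        elif current is not None and "options=" in line:
            result[current] = parse_options_line(line)
    return result


def missing_offloads(options, wanted=WANTED):
    """Return the wanted flags that are absent, in the order they were wanted."""
    return [flag for flag in wanted if flag not in options]


def check_interfaces(text, wanted=WANTED):
    """Interface name -> list of wanted flags that are not enabled."""
    return {name: missing_offloads(opts, wanted)
            for name, opts in parse_ifconfig(text).items()}


if __name__ == "__main__":
    for name, missing in check_interfaces(SAMPLE_IFCONFIG).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

On a real box you would feed it the output of `ifconfig` (for example `ifconfig | python3 check_offload.py` after swapping `SAMPLE_IFCONFIG` for `sys.stdin.read()`), and any interface listed as missing LRO or POLLING is one to revisit under System > Advanced > Networking before moving on.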
Now that we have that set we need to enable a third NIC and undo any settings you may have now from the other tutorial you followed that are not compatible. Before that I want to set a few parameters for the purposes of this tutorial. You may change these as you wish but I will refer to them as such throughout the tutorial and it may be easier for you to name them the same for later reference:
WAN (likely em0 interface) = ISP Gateway = WAN_DHCP (default) - This will remain the default gateway set up with my method, we likely have to "undo" this for you.
LAN (likely em1 interface) = 192.168.1.1/24 = Clear-Net facing NIC
AirVPN_WAN (likely ovpn1 interface) = AirVPN Gateway
AirVPN_LAN (likely em2 interface) = 192.168.123.1 / 24 = VPN facing NIC
Opt1 = the interface we will program/assign to be our AirVPN_LAN
Before we "start" let's set a few things so you do not lose internet connectivity while setting this up, and concurrently set up our WAN and LAN interfaces the way we need them.
#################################################################################
#################################################################################
Let's make sure the WAN interface is our default gateway.
1.) Go to System > Routing (https://192.168.1.1/system_gateways.php)
2.) On the "Gateways" tab and on the "WAN_DHCP" line select the [e] edit button on the right.
3.) Set as Follows:
Interface = [ WAN ]
Address Family = [ IPv4 ]
Default Gateway = [√] checked
Click [ SAVE ]
Click [ Apply Changes ]
#################################################################################
#################################################################################
Let's set up the primary DNS servers which will be used by the LAN interface.
Go to System > General Setup: DNS servers (https://192.168.1.1/system.php)
We are going to set two of the DNS servers to OpenDNS and leave the other two blank.
Set as Follows:
DNS Server Use gateway
[ 208.67.222.222 ] [ WAN_DHCP ]
[ 208.67.220.220 ] [ WAN_DHCP ]
[ (empty) ] [ none ]
[ (empty) ] [ none ]
[ ] Allow DNS server list to be overwritten by DHCP/PPP on WAN = UNCHECKED
[ ] Do not use the DNS Forwarder as a DNS server for the firewall = UNCHECKED
Click [ SAVE ]
#################################################################################
#################################################################################
Let's set up the LAN interface:
Go to Interfaces > LAN (https://192.168.1.1/interfaces.php?if=lan)
Set it as follows:
General configuration
Enable = [√]
Description = LAN
IPv4 Configuration Type = Static IPv4
IPv6 Configuration Type = none
MAC address = (empty)
MTU = (empty)
MSS = (empty)
Speed and duplex = Advanced > Autoselect
Static IPv4 configuration
IPv4 address = 192.168.1.1 / 24
Gateway = none
Private networks
Both options here are left UNCHECKED / NOT CHECKED
Click [ SAVE ]
Click [ Apply Changes ]
(NOTE: if you get locked out of the GUI here, give your PC a static IP in the 192.168.1.1/24 range and set your DNS to 192.168.1.1 until we finish. 192.168.1.50 should suffice.)
#################################################################################
#################################################################################
Let's set the DHCP Server for the LAN interface.
1.) Go to Services > DHCP server (https://192.168.1.1/services_dhcp.php)
2.) Ensure the "LAN" tab is selected
3.) Set it as follows (Only options we will change are listed, leave the rest as they were by default):
Enable DHCP server on LAN interface = [√] (checked)
Range = [ 192.168.1.100 ] to [ 192.168.1.200 ]
Click [ SAVE ]
Click [ Apply Changes ]
#################################################################################
#################################################################################
Let's set up the outgoing NAT for the LAN interface.
1.) Go to Firewall > NAT > Outbound (https://192.168.1.1/firewall_nat_out.php)
2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected.
3.) Click [ SAVE ]
4.) Click [ Apply Changes ]
5.) If there is already a rule for your LAN interface, select the [e] button to the right of it. If there is not a rule for your LAN, you will need to create one by selecting the [+] at the top right and creating a new one.
6.) Set as follows:
Do not NAT = [ ] (unchecked)
Interface = WAN
Protocol = Any
Source = Type: [ Network ]
Address: [ 192.168.1.0 ] / [ 24 ]
Source port: [ ] (empty/blank)
Destination: Type = [ Any ]
Translation: Address = [ Interface Address ]
Description = [ LAN -> WAN ]
Click [ SAVE ]
Click [ Apply Changes ]
#################################################################################
#################################################################################
Now we must set a few firewall rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.
We will set these in "reverse" order so that they should end up in the order we need them. This is assuming the only rule you have is the Anti-lockout rule. If you have advanced rules for your other needs you will just have to move these rules into place. There are two necessary rules for the LAN interface.
The first is a "Block Everything" rule; this MUST be at the very bottom of the list.
1.) Go to Firewall > Rules and select your "LAN" interface.
Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"
Action = [block]
Interface = [LAN]
TCP/IP Version = [ IPv4 ]
Protocol = [Any]
Source = [ Any ]
Destination = [ Any ]
Log packets that are handled by this rule = [√] (checked, enable this to be able to diagnose when you potentially block yourself )
Description = BLOCK ALL ELSE LAN
*** For this rule we will NOT set the advanced setting for gateway, it should be left as default
2.) Click [ SAVE ]
3.) Click [ Apply Changes ]
4.) The second is the rule that will force traffic from the LAN interface to only exit via the WAN interface. This rule should be second from the bottom, right above the Block All rule.
Go to Firewall > Rules and Select your "LAN" interface.
Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow LAN to any rule" (Note: There may already be a rule titled "Default allow LAN to any" or similar. You certainly can just edit that entry to these settings, or delete it and create this one.)
Action = [ Pass ]
Interface = [ LAN ]
TCP/IP Version = [ IPv4 ]
Protocol = [ Any ]
Source = [ LAN Subnet ]
Destination = [ Any ]
Description = Default allow LAN to any rule
IMPORTANT STEP --> ADVANCED FEATURES > GATEWAY = WAN_DHCP
#################################################################################
#################################################################################
OK, let's enable that third NIC.
1.) Go to Interfaces > Assign (https://192.168.1.1/interfaces_assign.php)
Here you will find your assigned interfaces. If you assigned them during original install you will see all four and should likely have a WAN, LAN, opt1 and opt2 (as well as ovpn1). If you did not assign them you will have to click the [+] button at the bottom right to assign another. Once it is assigned, click save.
2.) Now we need to select an "opt" interface and give it settings.
Select one from the Interfaces drop down menu (likely Opt1).
Set it as follows:
General configuration
Enable = [√]
Description = AirVPN_LAN
IPv4 Configuration Type = Static IPv4
IPv6 Configuration Type = none
MAC address = (empty)
MTU = (empty)
MSS = (empty)
Speed and duplex = Advanced > Autoselect
Static IPv4 configuration
IPv4 address = 192.168.123.1 / 24
Gateway = none
Private networks
Both options here are left UNCHECKED / NOT CHECKED
3.) Click [ SAVE ]
4.) Click [ Apply Changes ]
#################################################################################
#################################################################################
Now we need to set up the DHCP Server for the AirVPN_LAN interface.
1.) Go to Services > DHCP server (https://192.168.1.1/services_dhcp.php)
2.) Select the Tab / Drop Down for AirVPN_LAN
3.) Set it as follows (Only options we will change are listed, leave the rest as they were by default):
Enable DHCP server on AIRVPN_LAN_1 interface = [√]
Range = [ 192.168.123.100 ] to [ 192.168.123.200 ]
DNS servers = [ 10.4.0.1 ], [ 10.5.0.1 ]
4.) Click [ SAVE ]
5.) Click [ Apply Changes ]
#################################################################################
#################################################################################
Let's set up the outgoing NAT for the AirVPN_LAN interface.
1.) Go to Firewall > NAT > Outbound (https://192.168.1.1/firewall_nat_out.php)
2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (It should be from earlier)
3.) You will need to select the [+] at the top right and create a new one.
4.) Set as follows:
Do not NAT = [ ] (unchecked)
Interface = AirVPN WAN
Protocol = Any
Source = Type: [ Network ]
Address: [ 192.168.123.0 ] / [ 24 ]
Source port: [ ] (empty/blank)
Destination: Type = [ Any ]
Translation: Address = [ Interface Address ]
Description = [ AirVPN_LAN -> AirVPN_WAN ]
5.) Click [ SAVE ]
6.) Move this rule to the top of the list
7.) Click [ Apply Changes ]
#################################################################################
#################################################################################
Now we must create FOUR firewall rules for the AirVPN_LAN interface to enforce the policy based routing and redundantly block leaks. There will be two rules exactly the same as for the LAN interface, as well as two rules to redundantly ensure no possibility of a DNS leak. You should have no firewall rules here since this is a new interface. If there are any rules, just delete them. We will again make them in "reverse" order so that they should end up in the order that is necessary.
The first is a "Block Everything" rule; this MUST be at the very bottom of the list.
1.) Go to Firewall > Rules and select your "AirVPN LAN" interface.
Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE AirVPN_LAN"
Action = [ Block ]
Interface = [ AirVPN_LAN ]
TCP/IP Version = [ IPv4 ]
Protocol = [ Any ]
Source = [ Any ]
Destination = [ Any ]
Log packets that are handled by this rule = [√] (checked, enable this to be able to diagnose when you potentially block yourself )
Description = BLOCK ALL ELSE AirVPN_LAN
*** For this rule we will NOT set the advanced setting for gateway, it should be left as default. This will block connections to any and all gateways this interface tries to connect to that we have not explicitly allowed.
2.) Click [ SAVE ]
3.) Click [ Apply Changes ]
4.) The second is the rule that will force traffic from the AirVPN_LAN interface to only exit via the AirVPN_WAN interface. This rule should be second from the bottom, right above the Block All rule.
Go to Firewall > Rules and Select your "AirVPN_LAN" interface.
Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow AirVPN_LAN to any rule"
Action = [ Pass ]
Interface = [ AirVPN_LAN ]
TCP/IP Version = [ IPv4 ]
Protocol = [ Any ]
Source = [ AirVPN_LAN Subnet ]
Destination = [ Any ]
Description = Allow AirVPN_LAN to any
IMPORTANT STEP --> ADVANCED FEATURES > GATEWAY = AirVPN_WAN
5.) The third rule will block all DNS requests that we do not explicitly allow.
Go to Firewall > Rules and Select your "AirVPN_LAN" interface.
Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS"
Action = [ Block ]
Interface = [ AirVPN_LAN ]
TCP/IP Version = [ IPv4 ]
Protocol = [ UDP ]
Source = [ Any ]
Destination = [ Any ]
Destination port range = [ DNS ] (Select from the drop down)
Log = [√] (checked)
Description = BLOCK_DNS_LEAKS
*** For this rule we will NOT set the advanced setting for gateway
6.) Before we create our last rule, we must create an alias for our AirVPN DNS servers.
Go to Firewall > Aliases: IP (https://192.168.1.1/firewall_aliases.php?tab=ip)
Click the [+] to "Add a new Alias"
Name = AirVPN_DNS_Servers
Description = AirVPN_DNS_Servers
Type = Hosts
Under the "Hosts" section, using the [+] near the bottom create new entries and enter two or more of the following AirVPN DNS Servers: 10.4.0.1, 10.5.0.1, 10.6.0.1, 10.7.0.1, 10.8.0.1, 10.9.0.1, 10.30.0.1, 10.50.0.1
Click "Save"
7.) Go to Firewall > Rules and Select your "AirVPN_LAN" interface.
Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW_AirVPN_DNS"
Action = Pass
Interface = AirVPN_LAN
TCP/IP Version = IPv4
Protocol = UDP
Source = Any
Destination = (Single host or Alias) AirVPN_DNS_Servers
Destination port range = DNS
Description = ALLOW_AirVPN_DNS
IMPORTANT STEP --> ADVANCED FEATURES > GATEWAY = AirVPN_WAN
The order of the rules we just created is important!
They should appear in this following order when viewed:
ALLOW_AirVPN_DNS
BLOCK_DNS_LEAKS
Allow AirVPN_LAN to any
BLOCK ALL ELSE AirVPN_LAN
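To see why the order matters, here is an added Python model (example code written for this post, not pfSense's own rule engine or the original author's) of the four AirVPN_LAN rules above, evaluated top-down with first match winning, which is how pfSense applies the rules on an interface tab. It runs a handful of constructed packets through the list, including a DNS query aimed at the clear-net OpenDNS resolver, and then shows what happens if ALLOW_AirVPN_DNS ends up below BLOCK_DNS_LEAKS. The subnet, alias hosts and rule fields come from the tutorial; 203.0.113.10 is a documentation address standing in for any public server, and the `Rule`/`Packet` classes and `AirVPN_WAN` label are this example's own. The same logic covers the two LAN rules, which differ only in subnet and gateway.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Values taken from the tutorial: the AirVPN_LAN subnet and the hosts
# that go into the AirVPN_DNS_Servers alias.
AIRVPN_LAN_SUBNET = "192.168.123.0/24"
AIRVPN_DNS_SERVERS = ("10.4.0.1", "10.5.0.1", "10.6.0.1", "10.7.0.1",
                      "10.8.0.1", "10.9.0.1", "10.30.0.1", "10.50.0.1")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "pass" or "block"
    proto: str                  # "any", "udp" or "tcp"
    src: str                    # "any" or a network/host in CIDR form
    dst: Tuple[str, ...]        # empty tuple = any; else the hosts of an alias
    dport: Optional[int]        # None = any destination port
    gateway: Optional[str]      # None = "default" (plain routing table)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this packet match every field of the rule?"""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not _addr_in(pkt.src, rule.src):
        return False
    if rule.dst and not any(_addr_in(pkt.dst, d) for d in rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules, pkt: Packet):
    """Top-down, first match wins. Returns (action, gateway, rule name)."""
    for rule in rules:
        if matches(rule, pkt):
            return (rule.action, rule.gateway, rule.name)
    # pfSense blocks anything no rule passes; the tutorial adds an explicit
    # (logged) block rule so this fallthrough is never reached in practice.
    return ("block", None, "implicit default deny")


# The four AirVPN_LAN rules in the order the tutorial says they must appear.
AIRVPN_LAN_RULES = [
    Rule("ALLOW_AirVPN_DNS", "pass", "udp", "any", AIRVPN_DNS_SERVERS, 53, "AirVPN_WAN"),
    Rule("BLOCK_DNS_LEAKS", "block", "udp", "any", (), 53, None),
    Rule("Allow AirVPN_LAN to any", "pass", "any", AIRVPN_LAN_SUBNET, (), None, "AirVPN_WAN"),
    Rule("BLOCK ALL ELSE AirVPN_LAN", "block", "any", "any", (), None, None),
]

# Constructed sample traffic from a DHCP client on AirVPN_LAN. 203.0.113.10 is a
# documentation address standing in for any public web server; 208.67.222.222
# is the OpenDNS resolver the tutorial assigns to the clear-net LAN side.
SAMPLE_PACKETS = {
    "dns to AirVPN resolver":    Packet("udp", "192.168.123.100", "10.4.0.1", 53),
    "dns to OpenDNS (leak)":     Packet("udp", "192.168.123.100", "208.67.222.222", 53),
    "https to public server":    Packet("tcp", "192.168.123.100", "203.0.113.10", 443),
    "dns over tcp to OpenDNS":   Packet("tcp", "192.168.123.100", "208.67.222.222", 53),
    "https from foreign source": Packet("tcp", "10.9.9.9", "203.0.113.10", 443),
}


def evaluate_all(rules, packets):
    return {label: evaluate(rules, pkt) for label, pkt in packets.items()}


def with_dns_rules_swapped(rules):
    """The same ruleset with ALLOW_AirVPN_DNS placed below BLOCK_DNS_LEAKS."""
    return [rules[1], rules[0]] + list(rules[2:])


if __name__ == "__main__":
    for label, (action, gw, name) in evaluate_all(AIRVPN_LAN_RULES, SAMPLE_PACKETS).items():
        print(f"{label:27} -> {action:5} via {gw or 'default':10} ({name})")
    print("\nwith the two DNS rules swapped:")
    pkt = SAMPLE_PACKETS["dns to AirVPN resolver"]
    print("dns to AirVPN resolver      ->", evaluate(with_dns_rules_swapped(AIRVPN_LAN_RULES), pkt))
```

Two things the run makes visible. First, with the rules swapped the query to 10.4.0.1 is blocked by BLOCK_DNS_LEAKS before ALLOW_AirVPN_DNS is ever consulted, so clients on AirVPN_LAN would have no working DNS at all; checking the Firewall > Rules tab against the order listed above is the fix. Second, BLOCK_DNS_LEAKS is UDP only: a DNS query over TCP to OpenDNS falls through to "Allow AirVPN_LAN to any" and is still sent out via AirVPN_WAN, so it does not escape to the ISP, but it is not confined to the AirVPN resolvers either. If you want the same confinement for TCP, add a copy of the two DNS rules with Protocol = TCP directly under them.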
#################################################################################
#################################################################################
The last thing we must do (unless I have forgotten something, which I will just go back and edit if I have) is to properly set up our DNS Forwarder for our uses.
1.) Go to Services > DNS Forwarder (https://192.168.1.1/services_dnsmasq.php)
2.) Find the section titled "Interfaces".
By default all interfaces are selected. Using the Ctrl key, select only the interface/s you wish to face your ISP, which for this tutorial means let's only select LAN and possibly Localhost. (Be aware that if you do choose to highlight Localhost, a DNS lookup done from within pfSense (for instance from the firewall logs) may be a potential privacy leak, as it will use the ISP facing DNS servers you set under System > General Setup > DNS Servers. For my uses, since I am not a whistleblower and this is not critical, I choose to have Localhost highlighted. Not highlighting it only affects these lookups and is not critical to the functionality of your firewall. There are a number of websites that can do this for you once you are accessing through the VPN if you need it.)
3.) Under this there is a check box titled "Strict Interface Binding". Check this box to enable it.
4.) Click [ SAVE ]
5.) Click [ Apply Changes ]
#################################################################################
#################################################################################
#################################################################################
#################################################################################
That's it! You should be off and running with a basic setup for multiple NICs. Remember our LAN interface faces the clear-net, and AirVPN_LAN will face the VPN. You can now add your fourth interface and set it up either exactly like the LAN, or exactly like the AirVPN_LAN, depending on how you intend to use it. Just give it an individual name and set the rules accordingly. Do not forget to disable the DNS forwarder for any additional interface.
I hope this works for you! Good luck, let me know if you need assistance.