pfSense_fan

Reputation Activity

  1. Like
    pfSense_fan got a reaction from Lee47 in Does Air Servers drop your connection when not in use?   ...
    OK, here is a tutorial for you to follow to best set up pfSense for AirVPN seeing that you have four NICs to work with. We are going to leave one interface, the default LAN interface that is created during pfSense install, facing the clear-net and your ISP.
    This will give you the choice to use the regular internet for any needs you may have or if the VPN goes down by simply moving your network cable from one interface to the other. I am going to skip the OpenVPN setup since you already have it connected and focus on the setup of your interfaces, subnets, firewall rules and NAT. Ready? Here we go!
     
    First of all, because you are using high-quality Intel server NICs, let's start by making sure we are utilizing the power of them and offload as much as we can from that AMD Processor.
     
    1.) Go to System > Advanced > Networking (https://192.168.1.1/system_advanced_network.php)
    2.) Under the section titled Network Interfaces, Find the check box for Enable device polling and check [√] the box to enable it.
    3.) Now find the check boxes right below this for Disable hardware checksum offload, Disable hardware TCP segmentation offload, and Disable hardware large receive offload. Make sure these three boxes ARE NOT CHECKED. Uncheck [  ] them if they are checked by default.
     
    4.) Click [ SAVE ]
    5.) Click [ Apply Changes ]
     
    6.) Now go to Diagnostics > Reboot  (https://192.168.1.1/reboot.php).
    Go ahead and reboot the system for these to take effect. The Intel drivers are the most developed and supported drivers for pfSense/FreeBSD. You can benefit from these options and offload quite a bit from your CPU and improve overall performance. We can verify these are working by going to https://192.168.1.1/status.php (or replace 192.168.1.1 with whatever your GUI login is) and looking among the lines under the interfaces section; you should see "polling" as well as the other options for offloading listed amongst the interfaces.
     
    Here is a line from mine:
     
    options=407fb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,POLLING,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO>
     
    Your results may vary depending on whether the card you have supports all of this. Keep an eye out for any that do not show up, and disable as necessary. Keep a keen eye out for "LRO", which is Large Receive Offload. If that does not show up as enabled, go back and check that box and reboot.
     
    Now that we have that set we need to enable a third NIC and undo any settings you may have now from the other tutorial you followed that are not compatible. Before that I want to set a few parameters for the purposes of this tutorial. You may change these as you wish but I will refer to them as such throughout the tutorial and it may be easier for you to name them the same for later reference:
     
    WAN (likely em0 interface) = ISP Gateway = WAN_DHCP (default) - This will remain the default gateway set up with my method, we likely have to "undo" this for you.
    LAN (likely em1 interface) = 192.168.1.1/24 = Clear-Net facing NIC
    AirVPN_WAN (likely ovpn1 interface) = AirVPN Gateway
    AirVPN_LAN (likely em2 interface)= 192.168.123.1 / 24 = VPN facing NIC
    Opt1 = the interface we will program/assign to be our AirVPN_LAN
     
    Before we "start", let's set a few things so you do not lose internet connectivity during setting this up while concurrently setting up our WAN and LAN Interfaces the way we need it.
     
    #################################################################################
    #################################################################################
     
    Let's make sure the WAN interface is our default gateway.
    1.) Go to System > Routing  (https://192.168.1.1/system_gateways.php)
    2.) On the "Gateways" tab and on the "WAN_DHCP" line select the [e] edit button on the right.
    3.) Set as Follows:
    Interface = [ WAN ]
    Address Family = [ IPv4 ]
    Default Gateway = [√] checked
     
    Click [ SAVE ]
    Click [ Apply Changes ]
     
    #################################################################################
    #################################################################################
     
    Let's set up the primary DNS servers which will be used by the LAN interface.
    Go to System > General Setup: DNS servers  (https://192.168.1.1/system.php)
    We are going to set two of the DNS servers to OpenDNS and leave the other two blank.
     
    Set as Follows:
     
    DNS Server                Use gateway
    [ 208.67.222.222 ]      [ WAN_DHCP ]
    [ 208.67.220.220 ]      [ WAN_DHCP ]
    [        (empty)       ]      [       none       ]
    [        (empty)       ]      [       none       ]
     
    [  ]    Allow DNS server list to be overwritten by DHCP/PPP on WAN  = UNCHECKED
    [  ]    Do not use the DNS Forwarder as a DNS server for the firewall = UNCHECKED
     
    Click [ SAVE ]
     
    #################################################################################
    #################################################################################
     
    Let's set up the LAN interface:
    Go to Interfaces > LAN  (https://192.168.1.1/interfaces.php?if=lan)
     
    Set it as follows:
     
    General configuration
    Enable = [√]
    Description = LAN
    IPv4 Configuration Type = Static IPv4
    IPv6 Configuration Type = none
    MAC address = (empty)
    MTU = (empty)
    MSS = (empty)
    Speed and duplex = Advanced > Autoselect
    Static IPv4 configuration
    IPv4 address = 192.168.1.1 / 24
    Gateway = none
    Private networks
    Both options here are left UNCHECKED / NOT CHECKED
     
    Click [ SAVE ]
    Click [ Apply Changes ]
     
    (NOTE: if you get locked out of the GUI here, give your pc a static ip in the 192.168.1.1/24 range and your DNS to 192.168.1.1 until we finish. 192.168.1.50 should suffice.)
     
    #################################################################################
    #################################################################################
     
    Let's set the DHCP Server for the LAN interface.
    1.) Go to Services > DHCP server  (https://192.168.1.1/services_dhcp.php)
    2.) Ensure the "LAN" tab is selected
    3.) Set it as follows (Only options we will change are listed, leave the rest as they were by default):
    Enable DHCP server on LAN interface = [√] (checked)
    Range = [ 192.168.1.100 ] to [ 192.168.1.200 ]
     
    Click [ SAVE ]
    Click [ Apply Changes ]
     
     
    #################################################################################
    #################################################################################
     
    Let's set up the outgoing NAT for the LAN interface.
    1.) Go to Firewall > NAT > Outbound  (https://192.168.1.1/firewall_nat_out.php)
    2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected.
    3.) Click [ SAVE ]
    4.) Click [ Apply Changes ]
    5.) If there is already a rule for your LAN interface, select the [e] button to the right of it. If there is not a rule for your LAN, you will need to create one by selecting the [+] at the top right and creating a new one.
    6.) Set as follows:
    Do not NAT = [  ] (unchecked)
    Interface = WAN
    Protocol = Any
    Source = Type: [ Network ]
                    Address: [ 192.168.1.0 ] / [ 24 ]
                    Source port: [        ] (empty/blank)
    Destination: Type = [ Any ]
    Translation: Address = [ Interface Address ]
    Description = [ LAN -> WAN ]
     
    Click [ SAVE ]
    Click [ Apply Changes ]
     
     
    #################################################################################
    #################################################################################
     
    Now we must set a few firewall rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.
    We will set these in "reverse" order so that they should end up in the order we need them. This is assuming the only rule you have is the Anti-lockout rule. If you have advanced rules for your other needs you will just have to move these rules into place. There are two necessary rules for the LAN interface.
     
    The first is a "Block Everything" rule; this MUST be at the very bottom of the list.
    1.) Go to Firewall > Rules and select your "LAN" interface.
    Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"
    Action = [block]
    Interface = [LAN]
    TCP/IP Version = [IPv4]
    Protocol = [Any]
    Source = [ Any ]
    Destination = [ Any ]
    Log packets that are handled by this rule = [√] (checked, enable this to be able to diagnose when you potentially block yourself )
    Description = BLOCK ALL ELSE LAN
    *** For this rule we will NOT set the advanced setting for gateway, it should be left as default
     
    2.) Click [ SAVE ]
    3.) Click [ Apply Changes ]
     
    4.) The second is the rule that will force traffic from the LAN interface to only exit via the WAN interface. This rule should be second from the bottom, right above the Block All rule
    Go to Firewall > Rules and Select your "LAN" interface.
    Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow LAN to any rule" (Note: There may already be a rule titled "Default allow LAN to any" or similar. You certainly can just edit that entry to these settings, or delete and create this.)
    Action = [ Pass ]
    Interface = [ LAN ]
    TCP/IP Version = [ IPv4 ]
    Protocol = [ Any ]
    Source = [ LAN Subnet ]
    Destination = [ Any ]
    Description = Default allow LAN to any rule
    IMPORTANT STEP --> ADVANCED FEATURES  >  GATEWAY = WAN_DHCP
     
    #################################################################################
    #################################################################################
     
    OK, let's enable that third NIC.
    1.) Go to Interfaces > Assign (https://192.168.1.1/interfaces_assign.php)
    Here you will find your assigned interfaces. If you assigned them during original install you will see all four and should likely have a WAN, LAN, opt1 and opt2 (as well as ovpn1). If you did not assign them you will have to click the [+] button at the bottom right to assign another. Once it is assigned, click save.
     
    2.) Now we need to select an "opt" interface and give it settings.
    Select one from the Interfaces drop down menu (likely Opt1).
     
    Set it as follows:
     
    General configuration
    Enable = [√]
    Description = AirVPN_LAN
    IPv4 Configuration Type = Static IPv4
    IPv6 Configuration Type = none
    MAC address = (empty)
    MTU = (empty)
    MSS = (empty)
    Speed and duplex = Advanced > Autoselect
    Static IPv4 configuration
    IPv4 address = 192.168.123.1 / 24
    Gateway = none
    Private networks
    Both options here are left UNCHECKED / NOT CHECKED
     
    3.) Click [ SAVE ]
    4.) Click [ Apply Changes ]
     
    #################################################################################
    #################################################################################
     
    Now we need to set up the DHCP Server for the AirVPN_LAN interface.
     
    1.) Go to Services > DHCP server  (https://192.168.1.1/services_dhcp.php)
    2.) Select the Tab / Drop Down for AirVPN_LAN
    3.) Set it as follows (Only options we will change are listed, leave the rest as they were by default):
    Enable DHCP server on AIRVPN_LAN_1 interface = [√]
    Range = [ 192.168.123.100 ] to [ 192.168.123.200 ]
    DNS servers = [ 10.4.0.1 ], [ 10.5.0.1 ]
     
    4.) Click [ SAVE ]
    5.) Click [ Apply Changes ]
     
    #################################################################################
    #################################################################################
     
    Let's set up the outgoing NAT for the AirVPN_LAN interface.
     
    1.) Go to Firewall > NAT > Outbound  (https://192.168.1.1/firewall_nat_out.php)
    2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (It should be from earlier)
    3.) You will need to select the [+] at the top right and create a new one.
    4.) Set as follows:
    Do not NAT = [  ] (unchecked)
    Interface = AirVPN WAN
    Protocol = Any
    Source = Type: [ Network ]
                    Address: [ 192.168.123.0 ] / [ 24 ]
                    Source port: [        ] (empty/blank)
    Destination: Type = [ Any ]
    Translation: Address = [ Interface Address ]
    Description = [ AirVPN_LAN -> AirVPN_WAN ]
    5.) Click [ SAVE ]
    6.) Move this rule to the top of the list
    7.) Click [ Apply Changes ]
     
    #################################################################################
    #################################################################################
     
    Now we must create FOUR Firewall rules for the AirVPN_LAN Interface to enforce the policy based routing and redundantly block leaks. There will be two rules exactly the same as for the LAN interface, as well as two rules to redundantly ensure no possibility of a DNS leak. You should have no firewall rules here since this is a new interface. If there are any rules, just delete them. We will again make them in "Reverse" order so that they should end up in the order that is necessary.
     
    The first is a "Block Everything" rule; this MUST be at the very bottom of the list.
    1.) Go to Firewall > Rules and select your "AirVPN LAN" interface.
    Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE AirVPN_LAN"
    Action = [ Block ]
    Interface = [ AirVPN_LAN ]
    TCP/IP Version = [ IPv4 ]
    Protocol = [ Any ]
    Source = [ Any ]
    Destination = [ Any ]
    Log packets that are handled by this rule = [√] (checked, enable this to be able to diagnose when you potentially block yourself )
    Description = BLOCK ALL ELSE AirVPN_LAN
    *** For this rule we will NOT set the advanced setting for gateway, it should be left as default. This will block connections to any and all gateways this interface tries to connect to that we have not explicitly allowed.
     
    2.) Click [ SAVE ]
    3.) Click [ Apply Changes ]
     
    4.) The second is the rule that will force traffic from the AirVPN_LAN interface to only exit via the AirVPN_WAN interface. This rule should be second from the bottom, right above the Block All rule
    Go to Firewall > Rules and Select your "AirVPN_LAN" interface.
    Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow AirVPN_LAN to any rule"
    Action = [ Pass ]
    Interface = [ AirVPN_LAN ]
    TCP/IP Version = [ IPv4 ]
    Protocol = [ Any ]
    Source = [ AirVPN_LAN Subnet ]
    Destination = [ Any ]
    Description = Allow AirVPN_LAN to any
    IMPORTANT STEP --> ADVANCED FEATURES  >  GATEWAY = AirVPN_WAN
     
    5.) The third rule will block all DNS requests that we do not explicitly allow.
    Go to Firewall > Rules and Select your "AirVPN_LAN" interface.
    Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS"
    Action = [ Block ]
    Interface = [ AirVPN_LAN ]
    TCP/IP Version = [ IPv4 ]
    Protocol = [ UDP ]
    Source = [ Any ]
    Destination = [ Any ]
    Destination port range = [ DNS ] (Select from the drop down)
    Log = [√] (checked)
    Description = BLOCK_DNS_LEAKS
    *** For this rule we will NOT set the advanced setting for gateway
     
    6.) Before we create our last rule, we must create an alias for our AirVPN DNS servers.
    Go to Firewall > Aliases: IP (https://192.168.1.1/firewall_aliases.php?tab=ip)
    Click the [+] to "Add a new Alias"
    Name = AirVPN_DNS_Servers
    Description = AirVPN_DNS_Servers
    Type = Hosts
    Under the "Hosts" section, using the [+] near the bottom create new entries and enter two or more of the following AirVPN DNS Servers: 10.4.0.1, 10.5.0.1, 10.6.0.1, 10.7.0.1, 10.8.0.1, 10.9.0.1, 10.30.0.1, 10.50.0.1
    Click "Save"
     
    7.) Go to Firewall > Rules and Select your "AirVPN_LAN" interface.
    Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW_AirVPN_DNS"
    Action = Pass
    Interface = AirVPN_LAN
    TCP/IP Version = IPv4
    Protocol = UDP
    Source = Any
    Destination = (Single host or Alias) AirVPN_DNS_Servers
    Destination port range = DNS
    Description = ALLOW_AirVPN_DNS
    IMPORTANT STEP --> ADVANCED FEATURES > GATEWAY = AirVPN_WAN
     
    The order of the rules we just created is important!
    They should appear in this following order when viewed:
    ALLOW_AirVPN_DNS
    BLOCK_DNS_LEAKS
    Allow AirVPN_LAN to any
    BLOCK ALL ELSE AirVPN_LAN
     
     
    #################################################################################
    #################################################################################
     
    The last thing we must do (unless I have forgotten something, which I will just go back and edit if I have) is to properly set up our DNS Forwarder for our uses.
     
    1.) Go to Services > DNS Forwarder  (https://192.168.1.1/services_dnsmasq.php)
    2.) Find the section titled "Interfaces".
    By default all interfaces are selected. Using the Ctrl key, select only the interface/s you wish to face your ISP, which for this tutorial, let's only select LAN and possibly Localhost (Be aware if you do choose to highlight localhost that if you do a DNS lookup within pfSense (for instance from the firewall logs) this may be a potential privacy leak as this will use the ISP facing DNS servers you set under System > General Setup > DNS Servers. For my uses since I am not a whistleblower and this is not critical, I choose to have localhost highlighted. Not highlighting only affects these lookups and is not critical to the functionality of your firewall. There are a number of websites that can do this for you once you are accessing through the VPN if you need it.)
     
    3.) Under this there is a check box titled "Strict Interface Binding". Check this box to enable it.
    4.) Click [ SAVE ]
    5.) Click [ Apply Changes ]
     
    #################################################################################
    #################################################################################
    #################################################################################
    #################################################################################
     
    That's it! You should be off and running with a basic setup for multiple NICs. Remember our LAN interface faces the clear-net, and AirVPN_LAN will face the VPN. You can now add your fourth interface and set it up either exactly like the LAN, or exactly like the AirVPN_LAN, depending on how you intend to use it. Just give it an individual name and set the rules accordingly. Do not forget to disable the DNS forwarder for any additional interface.
     
    I hope this works for you! Good luck, let me know if you need assistance.
  2. Like
    pfSense_fan got a reaction from Lee47 in Does Air Servers drop your connection when not in use?   ...
    Excellent. Looking at that snapshot, might I suggest disabling IPv6 on that interface... and perhaps QoS, File and printer sharing (unless you actually share this from this computer), link layer topology discovery responder (lets other computers on your LAN discover your computer) and NetBIOS from the IPv4 Properties > General > Advanced > WINS. I suggest this because I assume you are not using features that use this on a computer connected to a VPN. Perhaps you are... but these things can always be reversed.
     
     
    That website is the exact IP address of airvpn.org. This is the address a DNS would retrieve for your computer if you typed in the name "www.airdns.org". We are directly accessing this because this does not require the use of a DNS. If you are able to access this during a down time it will verify where our problem is.
     
     
    Hopefully now your IP and DNS settings in Windows are set to obtain addresses automatically. If pfSense is configured correctly these will be served to any device connected to a NIC directed to do so.
     
     
    No offense meant to Knicker, he has been a great help to the community and his guide is appreciated by many, but I find it to be a bit incomplete as well as disagreeing with the methods in a few sections. This is one I disagree with. pfSense is not like Windows at all. Windows is designed to try to keep its users connected by all means possible... for the lay person mostly. It will circumvent some rules to keep connected. pfSense on the other hand is based off FreeBSD. It is much more secure in that it will not do or allow anything that you do not explicitly tell it to do. No, for our uses and more correct would be to disable the DNS Forwarder on VPN interfaces and set the DNS servers on each NIC's DHCP Server page. This combined with checking the "Skip rules when gateway is down" box found at System > Advanced > Miscellaneous. From the description: "By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down", so by default we are/were telling pfSense to fall back to another Gateway. By checking this check box, which is correct for our uses, pfSense simply will not fail over a down VPN connection to another gateway. For the paranoid, four firewall entries on a VPN facing NIC will both block all possible DNS leaks as well as guarantee the connection itself does not leak, even if someone tries. This is how I have mine set, and would like for you to try.
     
     
    Fantastic! You have extra NICs for us to use. This will help us as well as teach you how to use the extras. The guide I began to post in another thread will greatly help you. I am going to copy that post I made as well as add to it here so you can enable another interface. But first we have to undo your settings for your current LAN interface and set it correctly. I hope you will try this, I am just going to work on the tutorial right after posting this since I have the time tonight. Please start by following the step I posted above and checking that check box.
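
The rule order from the tutorial post and the "Skip rules when gateway is down" option from the reply above can be checked together with a small first-match model. This is an added example, not part of the original posts and not pfSense code; `Rule`, `Packet` and `evaluate` are hypothetical names, the sample packets are constructed, and the gateway-down behaviour is modelled only as the quoted option description states it (filter decision only, no NAT or state handling).

```python
"""First-match model of the AirVPN_LAN rules (added example, not pfSense code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DEFAULT_GW = "WAN_DHCP"    # default gateway set in the tutorial
VPN_GW = "AirVPN_WAN"
AIRVPN_LAN = ip_network("192.168.123.0/24")
AIRVPN_DNS = frozenset({"10.4.0.1", "10.5.0.1"})   # alias AirVPN_DNS_Servers


@dataclass(frozen=True)
class Rule:                        # hypothetical stand-in for one GUI rule
    name: str
    action: str                    # "pass" or "block"
    proto: Optional[str] = None    # None = any
    src_net: Optional[object] = None
    dst_hosts: Optional[frozenset] = None
    dport: Optional[int] = None
    gateway: Optional[str] = None  # Advanced Features > Gateway


@dataclass(frozen=True)
class Packet:                      # constructed sample traffic, not captured data
    proto: str
    src: str
    dst: str
    dport: int


# Top-to-bottom order the post says the AirVPN_LAN tab must show.
TUTORIAL_ORDER = [
    Rule("ALLOW_AirVPN_DNS", "pass", "udp", None, AIRVPN_DNS, 53, VPN_GW),
    Rule("BLOCK_DNS_LEAKS", "block", "udp", None, None, 53),
    Rule("Allow AirVPN_LAN to any", "pass", None, AIRVPN_LAN, None, None, VPN_GW),
    Rule("BLOCK ALL ELSE AirVPN_LAN", "block"),
]
# Same rules with the two DNS rules swapped, to show why the order matters.
SWAPPED_DNS = [TUTORIAL_ORDER[1], TUTORIAL_ORDER[0]] + TUTORIAL_ORDER[2:]


def matches(rule, pkt):
    """True when every field the rule sets agrees with the packet."""
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.src_net is None or ip_address(pkt.src) in rule.src_net)
            and (rule.dst_hosts is None or pkt.dst in rule.dst_hosts)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt, vpn_up=True, skip_rules_when_gw_down=False):
    """Return (rule name, action, egress gateway) for the first matching rule."""
    for rule in rules:
        egress = rule.gateway
        if rule.gateway == VPN_GW and not vpn_up:
            if skip_rules_when_gw_down:
                continue            # option checked: the rule is not created
            egress = DEFAULT_GW     # default: rule kept, traffic to default gateway
        if matches(rule, pkt):
            return rule.name, rule.action, egress
    return "no rule matched", "block", None


HOST = "192.168.123.100"                        # first address of the DHCP range
WEB = Packet("tcp", HOST, "203.0.113.10", 443)  # TEST-NET-3 documentation address
DNS_VPN = Packet("udp", HOST, "10.4.0.1", 53)
DNS_OTHER = Packet("udp", HOST, "208.67.222.222", 53)
# The two DNS rules are UDP-only as written, so TCP/53 reaches the general pass rule.
DNS_TCP = Packet("tcp", HOST, "208.67.222.222", 53)

if __name__ == "__main__":
    samples = [("web", WEB), ("dns vpn", DNS_VPN),
               ("dns other", DNS_OTHER), ("dns tcp", DNS_TCP)]
    for label, pkt in samples:
        print(label, evaluate(TUTORIAL_ORDER, pkt))
    print("VPN down, option off:", evaluate(TUTORIAL_ORDER, WEB, vpn_up=False))
    print("VPN down, option on: ", evaluate(TUTORIAL_ORDER, WEB, vpn_up=False,
                                            skip_rules_when_gw_down=True))
    print("DNS rules swapped:", evaluate(SWAPPED_DNS, DNS_VPN))
```
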
  3. Like
    pfSense_fan got a reaction from Lee47 in Does Air Servers drop your connection when not in use?   ...
    What I am asking about the assigned IP is this: If you go to your network settings (I'll assume you are using Windows, so "Network and Sharing Center") on your computer, double click on your NIC, and select "Details", what information is provided? It is important we know what it says when it is malfunctioning. It may also be useful to have a snapshot from when it is working. You can highlight the text and use ctrl+c to copy the text.
     
    As you can see from this snapshot, DHCP is enabled and pfSense has served me an IP address. Further, pfSense has served me the correct DNS servers as well. This is what it should look like when functioning.
     
    Connection-specific DNS Suffix: XXXXXXXXXXX
    Description: XXX PCIe GBE Controller
    Physical Address: XX-XX-XX-XX-XX-XX
    DHCP Enabled: Yes
    IPv4 Address: 192.168.XXX.XXX
    IPv4 Subnet Mask: 255.255.255.0
    Lease Obtained: Saturday, January 25, 2014 12:15:37 AM
    Lease Expires: Sunday, January 26, 2014 1:15:45 PM
    IPv4 Default Gateway: 192.168.XXX.1
    IPv4 DHCP Server: 192.168.XXX.1
    IPv4 DNS Servers: 10.4.0.1, 10.5.0.1
    IPv4 WINS Server:
    NetBIOS over Tcpip Enabled: No
     
    From what you have noted about the gateway statuses, everything seems to be OK there, which leaves us to seek out other issues. The connection is up so it is not pfSense, AirVPN or your ISP. I suspect it is an issue with the DHCP server and/or the DNS Forwarder, with an emphasis on the DNS Forwarder (This would explain why you CAN log into pfSense and yet have no internet access). If this is the case, it should be easy to correct with a bit of troubleshooting. In the meantime, next time you have this 5 minute delay, can you please enter https://95.211.138.143/ into your web browser? It is the direct IP address for airvpn.org. If this loads, we know it is a DNS Forwarder issue.
     
    I too was going to ask you about the advanced section. I do not think it has to do with your problem, but everyone should have a few entries there, at the very least to match the settings in the .OVPN files provided to us by AirVPN. Further than that, you can use this area to tweak settings towards your use once you become familiar with the options such as the "verb" setting. This setting controls how much info is shown in the logs. Default is 3, I use 4. The range is 1-5. Here is what I use, you may copy and paste this following string into yours if you wish:
     
    ns-cert-type server; verb 4; tun-mtu 1500; mssfix 1400; explicit-exit-notify 5; mute-replay-warnings; mute 20;
     
    But this brings me to another question, what hardware do you have pfSense installed on... what CPU are you using? I see you use intel NICs which is good. Any serious pfSense install should use intel NICs due to the support they have for BSD.
     
    I hope we can sort you out soon, after I post this, I am going to install Untangle on a separate hard drive to evaluate it compared to pfSense for my needs. I likely need to switch to Untangle mostly for its ability to filter ads.
  4. Like
    pfSense_fan got a reaction from Lee47 in Does Air Servers drop your connection when not in use?   ...
    No, they do not drop when not in use.
     
    I do not have this issue. I have noticed you seem to have a number of issues with your setup. I do not have any of the issues you state. They are not normal. I have not responded before because it is not the fault of pfSense or AirVPN. You either have an issue with your ISP, choice of equipment, or human error in your install.
     
    Do you monitor your AirVPN gateway? What is the packet loss?
  5. Like
    pfSense_fan got a reaction from Lee47 in Does Air Servers drop your connection when not in use?   ...
    Yes, I leave pfSense running 24/7... that is its intended use. It is the firewall and router for my entire network and must be on at all times.
     
    To monitor packet loss on the AirVPN gateway you must enter a monitoring IP. I simply use 10.4.0.1 and it works well enough.
     
    Go to System > Routing
    The Gateways tab is already selected, so go to your AirVPN gateway on the page and find and select the [e] edit button on the right.
    Find Monitor IP and enter your monitor IP of choice. 10.4.0.1 works.
    You will now be able to monitor packet loss on that gateway both under Status > Gateways and Status > RRD Graphs > Quality
    The RRD Graphs may give you some insight into why you are disconnecting.
  6. Like
    pfSense_fan got a reaction from Lee47 in Does Air Servers drop your connection when not in use?   ...
    refresh,
     
    I have a few questions for you that may help me help you with this issue.
     
    When you first come back from being away:
     
    1.) Does your computer have an assigned IP address from pfSense?
     
    2.) Are you able to log into pfSense? If yes, does Status > Gateways show an "online" connection to AirVPN or is it down? If you cannot log in what does the RRD Graph show for that time period? It will tell you if you have been disconnected or if the connection has remained.
     
     
    Also, are you running DHCP or static IP on your computer?