pfSense 2.0 Cookbook

Tuesday, April 5th, 2011

Nice to see a copy of the pfSense 2.0 Cookbook land on my desk today. Packt Publishing asked me to do a pass of technical review for this a while ago, which was good fun. Matt Williamson has done a good job of creating a useful set of enumerated examples that should help anyone wanting to roll out 2.0, which has recently achieved Release Candidate 1 status.

Editing OpenOffice.org documents from the commandline

Thursday, January 20th, 2011

I’ve just put together a reasonably big document with a load of content copy/pasted from a web page (in this case, a firewall configuration GUI). Everything looked fine. Then I closed the VPN to the remote firewall … and all the icon images I’d pasted broke! When they were pasted in, by default only links to the graphics were added, instead of copies …

Luckily for me, I was using OpenOffice.org, a word processor with a sensible internal file format: an .odt is just a zip archive holding a few XML files plus whatever pictures are embedded in the document.

To fix my document all I needed to do was to unpack my .odt file into a temporary location, grab local copies of the icons (I populated ~/tmp/fwicons/ from a different firewall, as it happens) into the Pictures/ directory, change all the old image URLs into filenames (just by changing their prefix from http://something/... to Pictures/), and repack the changes into the original document.

OpenOffice.org detected my monkeying around internally (most likely because the new Pictures/ entries weren’t listed in META-INF/manifest.xml), and insisted on running a quick “repair” over the file; when that was done I had all my lovely icons back again! One thing worth knowing: updating the existing archive in place, rather than rebuilding it from scratch, is what kept the document valid. The ODF packaging rules want mimetype as the first entry, stored uncompressed, and zip against an existing file leaves that entry alone.

Here’s the complete command-line session …

jim@hex:~/ORIG$ mkdir ~/tmp/fixdoc
jim@hex:~/ORIG$ cp Network\ Configuration\ 1.0.odt /home/jim/tmp/fixdoc/
jim@hex:~/ORIG$ cd /home/jim/tmp/fixdoc/
jim@hex:~/tmp/fixdoc$ ls -l
total 80
-rw-r--r-- 1 jim jim 73421 2011-01-20 18:29 Network Configuration 1.0.odt
jim@hex:~/tmp/fixdoc$ mkdir unpack
jim@hex:~/tmp/fixdoc$ cd unpack

jim@hex:~/tmp/fixdoc/unpack$ unzip ../Network\ Configuration\ 1.0.odt
Archive:  ../Network Configuration 1.0.odt
 extracting: mimetype
 extracting: Pictures/10000201000001ED000001882B8674A7.png
  inflating: content.xml
  inflating: layout-cache
  inflating: manifest.rdf
  inflating: styles.xml
 extracting: meta.xml
  inflating: Thumbnails/thumbnail.png
  inflating: Configurations2/accelerator/current.xml
   creating: Configurations2/progressbar/
   creating: Configurations2/floater/
   creating: Configurations2/popupmenu/
   creating: Configurations2/menubar/
   creating: Configurations2/toolbar/
   creating: Configurations2/images/Bitmaps/
   creating: Configurations2/statusbar/
  inflating: settings.xml
  inflating: META-INF/manifest.xml   

jim@hex:~/tmp/fixdoc/unpack$ cp ~/tmp/fwicons/*gif Pictures

jim@hex:~/tmp/fixdoc/unpack$ perl -pi -e 's|http://firewall/themes/pfsense_ng/images/icons/|Pictures/|g' content.xml

jim@hex:~/tmp/fixdoc/unpack$ zip -r ../Network\ Configuration\ 1.0.odt Pictures/*
  adding: Pictures/icon_block_d.gif (deflated 15%)
  adding: Pictures/icon_block.gif (deflated 17%)
  adding: Pictures/icon_log_d.gif (deflated 28%)
  adding: Pictures/icon_log.gif (deflated 30%)
  adding: Pictures/icon_log_s.gif (deflated 29%)
  adding: Pictures/icon_pass_d.gif (deflated 7%)
  adding: Pictures/icon_pass.gif (deflated 9%)
  adding: Pictures/icon_reject_d.gif (deflated 13%)
  adding: Pictures/icon_reject.gif (deflated 15%)
jim@hex:~/tmp/fixdoc/unpack$ zip -r ../Network\ Configuration\ 1.0.odt content.xml
updating: content.xml (deflated 93%)
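The same repair done programmatically, as an added example rather than code from the original post. It performs the steps of the session above (rewrite the hrefs in content.xml, add the local icons under Pictures/, repack) and also takes care of the two things the session left to OpenOffice.org’s “repair” pass: it lists the new Pictures/ entries in META-INF/manifest.xml and writes the result with mimetype as the first, uncompressed entry as the ODF packaging rules require. The URL prefix is the one from the post; the tiny document built by build_sample_odt() and the icon bytes in the usage section are constructed here so the script runs offline.

```python
"""Relink a document's external images to local copies and repack it as valid ODF.

Added example, not code from the original post. Assumptions: the URL prefix
below (taken from the post), a constructed stand-in .odt, and fake icon bytes.
"""
import io
import re
import zipfile

URL_PREFIX = "http://firewall/themes/pfsense_ng/images/icons/"  # prefix from the post
MANIFEST = "META-INF/manifest.xml"
MIMETYPE = "application/vnd.oasis.opendocument.text"

# Constructed stand-in for content.xml: two icons linked by absolute URL.
CONTENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<office:document-content'
    ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
    ' xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"'
    ' xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text>'
    '<draw:frame><draw:image xlink:href="%sicon_pass.gif" xlink:type="simple"/></draw:frame>'
    '<draw:frame><draw:image xlink:href="%sicon_block.gif" xlink:type="simple"/></draw:frame>'
    '</office:text></office:body></office:document-content>'
) % (URL_PREFIX, URL_PREFIX)

# Constructed manifest listing only the root and content.xml, as a fresh save would.
MANIFEST_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">'
    '<manifest:file-entry manifest:media-type="%s" manifest:full-path="/"/>'
    '<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml"/>'
    '</manifest:manifest>'
) % MIMETYPE


def build_sample_odt() -> bytes:
    """Constructed stand-in for 'Network Configuration 1.0.odt'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("mimetype"), MIMETYPE, zipfile.ZIP_STORED)
        z.writestr("content.xml", CONTENT_XML, zipfile.ZIP_DEFLATED)
        z.writestr(MANIFEST, MANIFEST_XML, zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def linked_images(content_xml: str, prefix: str) -> list:
    """File names of every image still linked by URL under `prefix`, in document order."""
    return re.findall(r'xlink:href="' + re.escape(prefix) + r'([^"]+)"', content_xml)


def media_type(name: str) -> str:
    return "image/png" if name.lower().endswith(".png") else "image/gif"


def relink(odt: bytes, prefix: str, icons: dict) -> bytes:
    """Rewrite hrefs prefix+NAME to Pictures/NAME, embed the icons, fix the manifest.

    `icons` maps file name -> bytes (the local copies from ~/tmp/fwicons/ in the
    post). A linked image with no local copy raises KeyError instead of being
    left as a dangling reference that breaks again when the VPN is down.
    """
    src = zipfile.ZipFile(io.BytesIO(odt))
    content = src.read("content.xml").decode("utf-8")
    names = sorted(set(linked_images(content, prefix)))
    missing = [n for n in names if n not in icons]
    if missing:
        raise KeyError("no local copy for: " + ", ".join(missing))
    content = content.replace('xlink:href="' + prefix, 'xlink:href="Pictures/')

    manifest = src.read(MANIFEST).decode("utf-8")
    new_entries = "".join(
        '<manifest:file-entry manifest:media-type="%s" manifest:full-path="Pictures/%s"/>'
        % (media_type(n), n)
        for n in names if 'manifest:full-path="Pictures/%s"' % n not in manifest)
    manifest = manifest.replace("</manifest:manifest>", new_entries + "</manifest:manifest>")

    replaced = {"content.xml": content.encode("utf-8"), MANIFEST: manifest.encode("utf-8")}
    existing = set(src.namelist())
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        # ODF packaging: 'mimetype' first and stored, so readers can sniff the type.
        dst.writestr(zipfile.ZipInfo("mimetype"), src.read("mimetype"), zipfile.ZIP_STORED)
        for info in src.infolist():
            if info.filename == "mimetype":
                continue
            dst.writestr(info.filename, replaced.get(info.filename, src.read(info.filename)),
                         zipfile.ZIP_DEFLATED)
        for n in names:
            if "Pictures/" + n not in existing:
                dst.writestr("Pictures/" + n, icons[n], zipfile.ZIP_DEFLATED)
    return out.getvalue()


def check(odt: bytes, prefix: str) -> dict:
    """Summarise an .odt: first entry, remaining external links, pictures, manifest coverage."""
    z = zipfile.ZipFile(io.BytesIO(odt))
    names = z.namelist()
    content = z.read("content.xml").decode("utf-8")
    manifest = z.read(MANIFEST).decode("utf-8")
    pictures = sorted(n for n in names if n.startswith("Pictures/"))
    return {
        "first_entry": names[0],
        "mimetype_stored": z.getinfo("mimetype").compress_type == zipfile.ZIP_STORED,
        "external": linked_images(content, prefix),
        "pictures": pictures,
        "manifest_ok": all('manifest:full-path="%s"' % p in manifest for p in pictures),
    }


if __name__ == "__main__":
    fake_icons = {"icon_pass.gif": b"GIF89a-pass", "icon_block.gif": b"GIF89a-block"}  # constructed
    print(check(build_sample_odt(), URL_PREFIX))
    print(check(relink(build_sample_odt(), URL_PREFIX, fake_icons), URL_PREFIX))
```

The check() summary is the thing to look at before handing a document to anyone else: a non-empty "external" list means the file will still try to fetch those URLs from the firewall every time it is opened, which is both why it broke without the VPN and a small information leak in its own right.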

VoIP under pfSense

Tuesday, July 13th, 2010

I used to have a Linksys WRT54GL at the edge of the network, running the Tomato firmware, and things were nice. Then I decided to switch to pfSense on a PC Engines ALIX 2C10 (see my earlier post), and …

Well, VoIP behaves very differently in this new regime, by which I mean SIP and RTP of course. I’ve spent far too long reading pages of badly-stated problems and non-helpful answers, and trying to get my head around just how badly NAT screws things up. And far too long changing settings trying to get improved behaviour …

Ultimately of course pfSense should behave the same way that Linux/Tomato does — things should just work without having to do any specific setup. But the timeout seems to be far more aggressive, and I think that was the real issue that started me down a long road …

I’ve been using a SIP proxy (siproxd), I’ve been NATting RTP & SIP down to a single device, I’ve been using STUN servers … The siproxd seemed to be working perfectly but at the same time there was an upstream problem that prevented me receiving calls on one of my accounts, so that solution got ripped out. The NATting worked fine but was only appropriate for one device at a time, so I started trying to move SIP to a different source port. At one stage I was seeing non-NATted traffic on my firewall’s external interface, which was rumoured to be a specific SIP (UDP port 5060) exclusion in the codebase … but I can’t replicate that any more!

Thanks to a fair bit of handholding from Chris MacGreggor at VentureVoIP, I’ve finished up with a very clean setup — no STUN, no mention of NAT on the phones, anything like that. I have decreased the Registration timeouts to 500 seconds (that’s just over 8 minutes), and put in a couple of rules matching the VoIP destination networks to increase the firewall state timeout to 1800 seconds (30 minutes). This seems to be working well …
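The arithmetic behind the “check the state table timeouts” lesson, written out as an added example that is not part of the original post. pf’s default UDP state lifetimes are tens of seconds, so once a phone has registered and then gone quiet, the NAT mapping the provider uses to deliver an incoming INVITE is gone long before the next REGISTER. The script parses the timeout listing that pfctl -st prints (the sample here is constructed from pf’s stock defaults, not captured from the author’s firewall) and reports whether a given registration interval, optional per-rule state timeout and optional keepalive keep the mapping alive. The 500 s and 1800 s values are the ones the post settled on; treating udp.multiple as the governing timeout for a registered phone is an assumption stated in the code.

```python
"""Check whether pf's UDP state timeouts outlive a SIP phone's re-REGISTER interval.

Added example, not code from the original post. PFCTL_ST_SAMPLE is a
constructed copy of `pfctl -st` output with pf's default values.
"""
import re

PFCTL_ST_SAMPLE = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s
"""


def parse_pfctl_timeouts(text: str) -> dict:
    """Map timeout name -> seconds from `pfctl -st` output; non-time rows are skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)s\s*$", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def udp_state_lifetime(timeouts: dict, rule_override: int = None) -> int:
    """Idle lifetime of the state created by a phone's REGISTER.

    Assumption: the REGISTER and its 200 OK have made the state bidirectional,
    so udp.multiple (not udp.single) is the default that applies; a per-rule
    'State Timeout' on the pfSense rule replaces it.
    """
    if rule_override is not None:
        return rule_override
    return timeouts["udp.multiple"]


def mapping_survives(register_interval: int, lifetime: int, keepalive: int = None) -> bool:
    """True if some outbound packet refreshes the state before it idles out."""
    refresh = min(register_interval, keepalive) if keepalive else register_interval
    return refresh < lifetime


def assess(pfctl_text: str, register_interval: int, rule_override: int = None,
           keepalive: int = None) -> dict:
    """Combine the parsed timeouts with the phone's behaviour into a verdict."""
    lifetime = udp_state_lifetime(parse_pfctl_timeouts(pfctl_text), rule_override)
    ok = mapping_survives(register_interval, lifetime, keepalive)
    if ok:
        verdict = "NAT state refreshed in time; inbound calls reachable"
    else:
        verdict = ("NAT state idles out %ds before the next REGISTER; inbound INVITEs dropped"
                   % (register_interval - lifetime))
    return {"lifetime": lifetime, "ok": ok, "verdict": verdict}


if __name__ == "__main__":
    # Untuned pfSense with a phone registering once an hour: calls arrive into a dead mapping.
    print(assess(PFCTL_ST_SAMPLE, 3600))
    # Shorter registrations alone do not beat the 60 s default.
    print(assess(PFCTL_ST_SAMPLE, 500))
    # The post's final setting: REGISTER every 500 s, rule state timeout 1800 s.
    print(assess(PFCTL_ST_SAMPLE, 500, rule_override=1800))
```

On a live box, feed it the real output of pfctl -st on the firewall and the registration interval from the phone; if the verdict is negative for the interval you are using, either raise the rule’s state timeout above the interval (the route taken above) or have the phone send keepalives more often than the timeout.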

For the record, I’ve got a number of SIP devices here :-

  • Snom 300
    • Inode Ltd account at VentureVoIP
    • Home account at VentureVoIP
    • Test account on 2talk
  • Linksys SPA3102 (used as an ATA)
    • Home account at VentureVoIP
  • Grandstream HT486, currently not configured
  • Nokia n900 mobile, currently not working
    • Inode Ltd account at VentureVoIP

So I still have a couple of steps left to take; the n900 thinks everyone is offline when it tries to call them, but then again I’ve never had this working yet so perhaps it’s not my changes that have caused this! And the old HT486 is just plugged backwards into the house phone wiring, but I no longer have any phones connected around the place (just a triplet of DECT phones connected to the Linksys SPA3102) so it’s not much of a priority.

But the basic lesson in migrating from a Linux-based working firewall into a BSD-based one seems to be “check the state table timeouts”!

Installing pfSense on an ALIX board

Thursday, July 8th, 2010

The PC Engines ALIX single-board computers don’t have much in the way of interfaces, just ethernet, USB and a serial port, so if you’re not used to dealing with these things it can seem a little daunting to get an OS installed.

Here’s the procedure I use to get the pfSense firewall OS installed on something like an ALIX 2D3. Note that I’m putting the full live distribution on a CF card, which may not be a good choice for you — CF cards have a limited write lifetime. You’ll need the following equipment :-

  • ALIX system board
  • Power Supply of course
  • CF card, I’m using 1GB
  • CF card reader on your desktop machine
  • Null modem DB9 serial cable
  • A serial port on your desktop (I use a USB/Serial converter)
  • Serial port communications software (minicom works fine; on Ubuntu remember to make sure you have permission to read the /dev file — you may need to join the dialout group)
  • UTP Ethernet cable

Configure the ALIX board

First, check that your ALIX machine is working and do a little setup. Don’t put the board into its case at this stage, as that usually blocks access to the CF card we’ll be using later. Be careful to keep the board on a non-conductive surface. Connect the serial cable to your PC, get the serial port communications software configured for 38400 baud, 8N1. Power on the ALIX machine and you should see this :-

PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

01F0 - no drive found !
No boot device available, press Enter to continue.

If you don’t get something like that, look for the green lights on the ALIX board and check your comms settings. Once you get that working, it’s time to reboot the ALIX and change the baud rate. Take out the power (remember that PC Engines don’t recommend un/plugging the PSU connector at their end due to the risk of arcing, so do it at the mains end), and this time as the machine reboots press the “s” key while the memory check is counting up.

PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

01F0 - no drive found !

BIOS setup:

(9) 9600 baud (2) 19200 baud *3* 38400 baud (5) 57600 baud (1) 115200 baud
*C* CHS mode (L) LBA mode (W) HDD wait (V) HDD slave (U) UDMA enable
(M) MFGPT workaround
(P) late PCI init
*R* Serial console enable
(E) PXE boot enable
(X) Xmodem upload
(Q) Quit

Press “9”, then “q”, then “y” to save … at which point you may as well power off again while you change the communication settings on your terminal down to 9600 baud!

*9* 9600 baud (2) 19200 baud (3) 38400 baud (5) 57600 baud (1) 115200 baud
*C* CHS mode (L) LBA mode (W) HDD wait (V) HDD slave (U) UDMA enable
(M) MFGPT workaround
(P) late PCI init
*R* Serial console enable
(E) PXE boot enable
(X) Xmodem upload
(Q) Quit

Save changes Y/N ?
Writing setup to flash... OK
[line noise: the BIOS is now transmitting at 9600 baud while the terminal is still set to 38400]

Confirm you can talk to the device once again, then power off and leave it alone for a little while.

Configure the CF card

Now we’re ready to install pfSense onto the CF card. I don’t want to boot my desktop from the pfSense LiveCD, I’m going to do this via a VM under VirtualBox. First, we need to identify how the CF card shows up in your normal desktop machine, so plug it in. If a filesystem is automounted (most CF cards come with a FAT32 filesystem on them by default) then unmount it. Have a look with dmesg to find out which device it has been connected as — mine comes in as /dev/sdc

$ dmesg|tail
[45748.609374] sd 3:0:0:0: [sdb] Attached SCSI removable disk
[45748.610134] sd 3:0:0:1: [sdc] Write Protect is off
[45748.610141] sd 3:0:0:1: [sdc] Mode Sense: 03 00 00 00
[45748.610146] sd 3:0:0:1: [sdc] Assuming drive cache: write through
[45748.613126] sd 3:0:0:1: [sdc] Assuming drive cache: write through
[45748.613136]  sdc: sdc1
[45748.615125]  sdc1: 
[45748.618619] sd 3:0:0:1: [sdc] Assuming drive cache: write through
[45748.618629] sd 3:0:0:1: [sdc] Attached SCSI removable disk

Now you need to create a passthrough disk that will allow a VM guest machine to talk directly to /dev/sdc. This isn’t well covered through Google searches, but it is out there, and it’s in the VirtualBox documentation too …

$ sudo VBoxManage internalcommands createrawvmdk \
-filename passthroughsdc.vmdk -rawdisk /dev/sdc -register

Make sure you create that passthroughsdc.vmdk in the correct directory, ~/.VirtualBox/HardDisks on my setup. You need to be root in order to connect to /dev/sdc, but once the disk file has been created you can chown it back to your ownership. Two cautions here. First, double-check the device name before running this: the VM gets read/write access to the whole disk named in the .vmdk, so a typo (/dev/sdb instead of /dev/sdc, say) means the installer will happily wipe the wrong drive. Second, the VM process itself still opens /dev/sdc when it runs, so your user needs read/write permission on that device node (on Ubuntu that means membership of the disk group, or changing the node’s ownership for the session) regardless of who owns the .vmdk file.
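A small preflight for that raw-disk handoff, added here as an example and not part of the original post. It checks, from the same kernel views the post consults (dmesg and the mount table), that the device you are about to name is removable, that none of its partitions are still mounted, and that it is roughly CF-card sized rather than a host disk, and only then prints the createrawvmdk command. The /proc/mounts text and sysfs values below are constructed; the read_host() helper shows where they come from on a real Linux desktop. The 8 GiB ceiling is an arbitrary assumption, chosen to be comfortably above the 1 GB card in the post.

```python
"""Refuse to build a raw-disk VMDK unless /dev/sdX looks like the CF card.

Added example, not code from the original post. PROC_MOUNTS_SAMPLE and the
removable/size values passed in the usage section are constructed.
"""
import os
import sys

# Constructed /proc/mounts snapshot: root on sda1, the freshly plugged CF card automounted.
PROC_MOUNTS_SAMPLE = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /media/CF vfat rw,nosuid,nodev,uid=1000 0 0
"""

SECTOR = 512  # /sys/block/<dev>/size counts 512-byte sectors regardless of the drive


def mounted_partitions(dev: str, proc_mounts: str) -> list:
    """(source, mountpoint) pairs for `dev` itself or any partition of it (sdc, sdc1, ...)."""
    hits = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        source, target = fields[0], fields[1]
        if source == dev or (source.startswith(dev) and source[len(dev):].isdigit()):
            hits.append((source, target))
    return hits


def check_target(dev: str, proc_mounts: str, removable: int, size_sectors: int,
                 max_gib: float = 8) -> list:
    """Return a list of reasons not to hand `dev` to a VM; empty means go ahead."""
    problems = []
    if not removable:
        problems.append("%s is not a removable device" % dev)
    for source, target in mounted_partitions(dev, proc_mounts):
        problems.append("%s is mounted at %s; unmount it first" % (source, target))
    gib = size_sectors * SECTOR / float(2 ** 30)
    if gib > max_gib:
        problems.append("%s is %.0f GiB, far larger than a CF card (limit %g GiB)"
                        % (dev, gib, max_gib))
    return problems


def createrawvmdk_cmd(dev: str, vmdk: str) -> list:
    """argv for the VirtualBox 3.x-era command used in the post (run it as root)."""
    return ["VBoxManage", "internalcommands", "createrawvmdk",
            "-filename", vmdk, "-rawdisk", dev, "-register"]


def read_host(dev: str) -> tuple:
    """Live inputs on a Linux host: mount table, removable flag and size from sysfs."""
    base = os.path.basename(dev)
    with open("/proc/mounts") as f:
        mounts = f.read()
    with open("/sys/block/%s/removable" % base) as f:
        removable = int(f.read().strip())
    with open("/sys/block/%s/size" % base) as f:
        size = int(f.read().strip())
    return mounts, removable, size


if __name__ == "__main__":
    if len(sys.argv) > 1:
        dev = sys.argv[1]
        mounts, removable, size = read_host(dev)
    else:
        # Offline demonstration with the constructed snapshot: card still automounted.
        dev, mounts, removable, size = "/dev/sdc", PROC_MOUNTS_SAMPLE, 1, 1995776
    problems = check_target(dev, mounts, removable, size)
    if problems:
        print("refusing to continue:\n  " + "\n  ".join(problems))
    else:
        print(" ".join(createrawvmdk_cmd(dev, "passthroughsdc.vmdk")))
```

Run it with the device name as the only argument once the card is plugged in; it will tell you to unmount the automounted partition first, exactly the step the post warns about, and it will refuse outright if you have pointed it at the system disk.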

Now set up a VM guest for FreeBSD, giving it the passthroughsdc.vmdk as the hard drive, and the pfSense LiveCD on the CD drive. Start it up. When pfSense boots, select “i” for the Installer, choose “Easy Install” and let it rip through, copying files onto your CF drive. At the end, choose the “Embedded kernel”, and shutdown normally.

Booting pfSense on the ALIX

Now you can take the CF card and install it into the ALIX, carefully. Switch back to the serial console and power up …

PC Engines ALIX.2 v0.99h
640 KB Base Memory
261120 KB Extended Memory

01F0 Master 044A CF 2GB
Phys C/H/S 3933/16/63 Log C/H/S 983/64/63

F1   FreeBSD

Boot:   F1

pfSense should then boot, leaving you with the serial console options :-

Bootup complete

FreeBSD/i386 (pfSense.local) (console)

*** Welcome to pfSense 1.2.3-RELEASE-pfSense on pfSense ***

  LAN                      ->   vr0     ->      192.168.1.1
  WAN                      ->   vr1     ->      NONE(DHCP)

 pfSense console setup
***************************
 0)  Logout (SSH only)
 1)  Assign Interfaces
 2)  Set LAN IP address
 3)  Reset webConfigurator password
 4)  Reset to factory defaults
 5)  Reboot system
 6)  Halt system
 7)  Ping host
 8)  Shell
 9)  PFtop
10)  Filter Logs
11)  Restart webConfigurator
12)  pfSense Developer Shell
13)  Upgrade from console
14)  Enable Secure Shell (sshd)

Enter an option: 

Now you should be able to connect a UTP Ethernet cable from the LAN interface (vr0, which will probably be the port closest to the power connector) to your PC. pfSense runs a DHCP server on LAN out of the box, so your PC will be given an address, default route and DNS configuration automatically (be careful if you expected the PC to keep working via a different interface at the same time). Point your web browser to http://192.168.1.1 and enjoy your pfSense firewall! The webConfigurator ships with a default login of admin / pfsense, so change that password before doing anything else.

By the way, all my PC Engine hardware comes from Nicegear, NZ’s VoIP and Open Source Hardware specialists.