Here is a short note to explain how to create a VPN connection on a secondary line of a pfSense router. The creation itself is detailed here and here whether you want to create a connection for mobile users or a permanent site to site tunnel.

I recently upgraded my main line (WAN) with a simple Freebox has a fiber optic line. Free on my old line I configured a VPN connection for my mobile users and I wanted to switch to the new line that has more bandwidth. Technically I wanted to move the line of WAN OPT1 Free to retain in backup and use the fiber over the WAN. So I sent an email to my users explaining the changes to make in their VPN configuration file (new IP!) But I knew that some do not take into account ... My idea was to retain temporarily the former active VPN OPT1 for these people to continue to connect. For this it is very simple, I went in VPN> OpenVPN then I clicked on Edit my VPN connection. At the bottom of the configuration options in Custom options, I entered the following command:

local 192.168.8.2

192.168.8.2 is the IP associated with OPT1 in my configuration, you can find in your Interface> OPT1 and input IP address. It remains only to click on Save to apply the configuration. In this way UDP packets exchanged during a VPN connection will be routed to OPT1 well, allowing the establishment of a tunnel.

One of the main interests of pfSsense is the ability to load-balancing with multiple ADSL lines. However, it raises some problems with some sites whose sessions are related to the client's IP. Indeed, suppose that when you log into a site with a login / password the connection is made on a first line but the display of the next page through the second one: the site will see two IP addresses different and will consider that this is not the same session and the user will again be called to enter his login. We can create a rule in the firewall to force traffic to the IP of the site on a given line, which solves the problem.

Another example is the case of YouTube, which often display a message "Sorry, this video is no longer available". The video is actually there but the load-balancing breaks sessions ... The difficulty here is that YouTube has a number of different IP addresses and it is difficult to create as many rules manually.

To remedy this, simply create an alias YouTube in pfSense that will include the IP address ranges used by YouTube. It will then create a rule in the firewall to redirect traffic to a single line.

Continue reading "pfSense, load-balancing and YouTube"

Here is a Management Pack to monitor the basic activity of pfSense. It displays the following values ​​in the Performance View of Operations Manager 2007:

• CPU Load: CPU usage on the router
• LAN Traffic In Total: total volume of data downloaded in bytes
• LAN Traffic Total Out: total volume of data sent in bytes
• Memory Usage: memory used
• Number of Processes: number of running processes
• Number of States: number of states of Packet Filter
• Total Traffic In OPT: total volume of data downloaded from the link OPT1 in bytes
• OPT Out Total Traffic: total volume of data sent over the link OPT1 in bytes
• Swap Usage: use the swap file
• Uptime: Time since last reboot in hundredths of seconds
• Total WAN Traffic In: total volume of data downloaded from the WAN link in bytes
• Total WAN Traffic Out: total volume of data sent over the WAN link in bytes

Note that the values ​​of traffic variables are coded in 64 bits and therefore are reset to 0 when the volume of data exchanged will reach 4,294,967,296 bytes.

Management Pack for pfSense

In this article we'll look at setting up a permanent VPN tunnel between two remote sites each with a pfSense router installed and configured.

Site to Site VPN Tunnel

The principle of the VPN tunnel is simple: a router will act as a server while the other will be the client. The main advantage of the VPN tunnel from a Road Warrior configuration is that the client will not need to connect individually to the remote site VPN. This configuration will give the impression to customers on both sides to be on a single network, allowing you to easily share data.

Continue reading "pfSense tunnel and VPN site to site"

Access to external FTP servers is only possible with pfsense WAN link and to correct connection problems we must make two important settings:

• click on Firewall> Rules and click the LAN tab. Click on the "+" icon to add a rule that will contain the following:
  • Action: Pass
  • Interface: LAN
  • Protocol: TCP / UDP
  • Source: any
  • Destination: Type: Single host or alias and Address: 127.0.0.1
  • Destination port range: From (other) 1 TB (other) 65 535
  • Gateway: default
  • Description: LAN -> FTP -> WAN
  • Click Save and then Apply.
• in Interfaces> LAN, uncheck the "Disable the userland FTP-Proxy application"