Thursday, April 22, 2021

Do I have to reinstall packages after a restore on pfSense?

Short answer: Yes

I did a restore of a config after reloading the pfSense software, and did a test of installing the packages before I did a restore of the configuration. When I did the restore of the config, I did have to go and reinstall the packages again.

Wednesday, April 21, 2021

Site To Site IPSec issue with 21.X release of pfSense

I ran into this issue a few months back where I upgraded the Netgate SG-5100 from 2.4.5 to 21.01.  That night I noticed that I had issues with my IPSec site to site VPNs.  I also have several OpenVPN site to site VPNs, but they were unaffected.

Last night, I ran into the same issue when upgrading from 2.4.5 to 21.02-2.  Same customer.  When I did this upgrade (to fix another problem), this IPSec issue came back again.  In doing some research, I found this link in the Netgate forum: https://redmine.pfsense.org/issues/11524 

After reading through this, I verified my settings.  Sure enough, I was using SHA256 as my hash for my VPN settings.  I made the following changes:

1.  Changed from SHA256 to SHA512 (from what I read, use anything but SHA256 or SHA1)

2.  Disabled AES-NI by going to System --> Advanced --> Miscellaneous --> Cryptographic Hardware, and changing that setting from "AES-NI and BSD crypto device" to "Intel QuickAssist (QAT)".


Thursday, April 1, 2021

Update from Console access

I was reloading a Netgate SG-3100 and did an upgrade from the console. Select option 13 to run the update.


 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + Netgate pfSense Plus tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Enable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 13

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: . done
Processing entries: . done
pfSense-core repository update completed. 8 packages processed.
Updating pfSense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
pfSense repository update completed. 449 packages processed.
All repositories are up to date.
>>> Upgrading pfSense-upgrade... done.
>>> Setting vital flag on pfSense-upgrade... done.
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: . done
Processing entries: . done
pfSense-core repository update completed. 8 packages processed.
Updating pfSense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
pfSense repository update completed. 449 packages processed.
All repositories are up to date.
Your packages are up to date

*** Welcome to Netgate pfSense Plus 21.02-RELEASE-p1 (arm) on pfSense ***

Wednesday, March 31, 2021

Reinstall SG-3100

I had a Netgate 3100 go down after a storm recently and I had to do a reinstall of the software. Below is the process I went through.

1.  Create a USB install with the pfSense-plus-SG-3100-recover-21.02-RELEASE-p1-armv7.img.gz image. I used Etcher to create the USB stick.

2.  Insert USB and boot the 3100.

3.  Stop the boot to where you have the Marvell prompt.

4.  Type "run recovery". (You may have to type "usb reset" first if it does not recognize the USB drive).

5.  Walk through install.

6.  Reboot and take out USB.

Saturday, March 27, 2021

OpenVPN Site To Site

pfSense has the ability to do site to site VPNs with either IPSec or OpenVPN. Both are capable of being very secure. But one of the things I like about the OpenVPN site to site is that you can configure one firewall to be the VPN server and the remote as a client. This is especially good when the remote has a dynamic address assigned to it. No messing with dynamic DNS, and you never need to know the remote peer IP. It's not that hard to set up and it's a good solution. There are many things that I do like about the pfSense box, and this is one of them.

Thursday, February 25, 2021

Restoring To Factory Default

Recently, I had some IPSec problems with the new version of code and I had to revert to the 2.4.5 code to try to resolve the issue. The thing I did was a "factory default" while I was on the new image. With most vendors, when you do a factory default, it defaults to the image that came from the manufacturer at the time of shipping. However, on the Netgate box, the image you factory default to is the image that you are currently running. Just FYI.

Sunday, January 31, 2021

Route Reflection

I had a call from a customer who needed to be able to get to an internal server by way of the external public IP address, from the INSIDE of the network. This is not uncommon when you have an application on a cell phone that has not been set up with external DNS but instead has a public IP entered. This is not a problem for the pfSense firewall. The option you need is called Route Reflection.

Go to System --> Advanced --> Firewall and NAT, and under the heading "Network Address Translation":

Change the setting of "NAT Reflection mode for port forwards" to "Pure NAT".

Check the box for "Enable NAT Reflection for 1:1 NAT".

Check the box for "Enable automatic outbound NAT for Reflection".

Wednesday, December 30, 2020

Multi-Factor Authentication for the pfSense WebGUI


1. Download the "freeradius3" package

2. Navigate to the FreeRADIUS option listed under the "Services" tab

3. Go to the "Interfaces" tab and click the green "Add" button

4. Put "Authentication" in description and hit save

5. Click "Add" again

6. Change Port to 1813

7. Change interface Type to "Accounting"

8. Put "Accounting" in the description and hit save

9. Go to the "NAS/Clients" tab and click "Add"

10. Under General Configuration put "127.0.0.1" as the Client IP address

11. Put "RadServer" (or whatever you want) in the "Client Shared Secret"

12. Put a shared secret (keep up with shared secret)

13. Save

14. Navigate to "User Manager" under the "System" tab on the top bar of the pfSense menu

15. Go to "Authentication Servers" and click "Add"

16. Under Server Settings enter descriptive name

17. Change type to "RADIUS"

18. Under RADIUS Server Settings put "127.0.0.1" as the "Hostname or IP address"

19. Change the "RADIUS NAS IP Attribute" to LAN

20. Enter same shared secret from step 12

21. Hit save

22. Navigate back to the "FreeRADIUS" package under the "Services" tab

23. Under the "users" tab click "Add"

24. Create a username and password and click save

25. Test by going to "Authentication" listed under the "Diagnostics" tab on the top menu of the pfSense

26. Change Authentication Server to "RadServer" (or whatever you named the server) and enter your credentials

27. Click "Test"

28. If successful it will say "User authenticated successfully"

29. Navigate back to "User Manager" under the "System" tab and click on "Authentication Servers"

30. Click the edit button on your "RADIUS" type server

31. Under the "RADIUS server settings" change the Protocol to "PAP" and click "Save"

32. Navigate to the "FreeRADIUS" package under "Services" and click on the "Settings" tab

33. Scroll down to the "Mobile-One-Time-Password Configuration" area and check the box beside "Mobile-One-Time- and click "Save"

34. Click on the "Users" tab and click to edit the previously created user

35. Scroll down to the "One-Time Password Configuration" area

36. Check box beside "One-Time Password"

37. Change "OTP Auth Method" to "Google-Authenticator"

38. Click the blue "Generate OTP Secret" button (copy this secret somewhere easily accessible, as it will be used by the user to set up Google Authenticator on their mobile device)

39. Enter a pin ***MUST BE NUMBERS ONLY***

40. Under the "General Configuration" area remove password (password area must be blank)

41. Click "Save"

42. On the client's phone, download the Google Authenticator app

43. Click the add button (a "+" sign on the Apple app)

44. Click "Manual entry" 

45. Enter the username from step 24 

46. Enter the OTP Secret from step 38

47. Hit save

48. Credentials are the Username from step 24, and the password is the PIN from step 39 plus the code given on the Google Authenticator app. So if you entered a PIN of "1234" on step 39 and Google Authenticator had a code of "123 4567" your password would be "12341234567"

49. Go to System / User Manager / User and click Add

50. The Username must be the exact same as one of the users you created on the FreeRADIUS service (that was step 23).

51. Create a password (I recommend a VERY long and difficult password, as pfSense will recognize this password as well as your OTP with Google Authenticator as a fail-safe in case your FreeRADIUS quits working). 

52. Add to the "admins" group and click Save. 

53. Go to Settings and change the Authentication Server to your FreeRADIUS server and hit Save.

54. Go back to the FreeRADIUS service and click to edit the user you are using for the WebGUI multi-factor authentication.

55. Scroll down to the "Advanced Configuration" area near the bottom of the page, and enter Class := "admins" into the Additional RADIUS Attributes (REPLY-ITEM) box. Click Save.

56. Test your login to make sure it works with the PIN+OTP from Google Authenticator (i.e. if you entered a PIN of "1234" on step 39 and Google Authenticator had an OTP code of "123 4567" your password would be "12341234567").
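How the "PIN + OTP" password from step 48 is checked on the RADIUS side, as an added Python example that is not from the post or from the pfSense FreeRADIUS package: it assumes the standard six-digit, 30-second TOTP that Google Authenticator derives from the base32 secret entered at step 46, and the secret and PIN at the bottom are constructed test values (the secret is the RFC 6238 test key).

```python
import base64
import hashlib
import hmac
import struct

OTP_DIGITS = 6  # Google Authenticator shows six-digit codes
OTP_STEP = 30   # seconds per code (RFC 6238 default)


def _decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret as typed into the authenticator (padding optional)."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = OTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time `at`."""
    return hotp(_decode_secret(secret_b32), at // step)


def verify_pin_plus_otp(submitted: str, pin: str, secret_b32: str,
                        at: int, window: int = 1) -> bool:
    """Validate a 'PIN + OTP' password as step 48 describes (trailing six digits
    are the OTP, the rest is the PIN).  `window` tolerates phone/firewall clock
    skew; after the format check, comparisons are constant-time and never
    short-circuit, so the result does not leak which part failed."""
    if not submitted.isdigit() or len(submitted) <= OTP_DIGITS:
        return False
    got_pin, got_otp = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
    pin_ok = hmac.compare_digest(got_pin, pin)
    secret = _decode_secret(secret_b32)
    counter = at // OTP_STEP
    otp_ok = False
    for c in range(max(counter - window, 0), counter + window + 1):
        otp_ok |= hmac.compare_digest(got_otp, hotp(secret, c))
    return pin_ok and otp_ok


# Constructed demo values: the RFC 6238 test key (base32 of "12345678901234567890")
# and a PIN like the one in step 39.  Never reuse this secret on a real account.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_PIN = "1234"
```

Pass `int(time.time())` as `at` to check a live login; the window of one step means a code stays valid for roughly 30 seconds either side of the phone's clock.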

Monday, December 14, 2020

Suricata Startup Instructions

This is a guide to the basic startup for Suricata on the pfSense. There are many in-depth settings that can be configured to best fit your individual needs, but for this guide I will only be going over the basics needed to start using Suricata. I wouldn’t recommend installing this on any system lower than an SG-3100 as it can be very memory intensive.

1. Install the Suricata package under “Package Manager”.
2. Navigate to Suricata under the “Services” tab and click on “Global Settings”.
3. Check the box for “Install ETOpen Emerging Threats rules” under the “Please Choose The Type Of Rules You Wish To Download” section.
4. Check the boxes for “Install Snort GPLv2 Community rules” and “Hide Deprecated Rules Categories” under the same section as step 3.
5. While in the same section, check the box for “Use a custom URL for ETOpen downloads” and in a separate window navigate to the following site: rules.emergingthreats.net/OPEN_download_instructions.html
6. Copy and paste the following link from the site into the box for “ETOpen Custom Rule Download URL” on the pfSense (be aware that this link may change if Suricata is updated to a different version in the future, so always get the link from the site and not this document): https://rules.emergingthreats.net/open/suricata-5.0.0/emerging.rules.tar.gz
7. Under the “General Settings” section towards the bottom of the page it is recommended that the time for “Remove Blocked Hosts Interval” be set to 1 hour.
8. Click the “Save” button at the bottom of the page.
9. Click on the “Updates” tab and then click “Update” under the “UPDATE YOUR RULE SET” section.
10. Once updated, navigate to the “Global Settings” tab and change the “Update Interval” to once a day under the “Rules Update Settings” section and click “Save” at the bottom of the page.
11. Navigate to the “Interfaces” tab and click “Add”.
12. Under “General Settings” change the “Interface” and “Description” to LAN and click “Save” at the bottom of the page.
13. Click on the “LAN Categories” tab and click “Select All” under the “Select the rulesets (Categories) Suricata will load at startup” section, then click “Save” at the bottom of the page.
14. Click on the “Interfaces” tab and click on the blue “play” type button on the interface to start Suricata on this interface.
15. Click the edit button on that interface and make sure the “Block Offenders” box isn’t checked under the “Alert and Block Settings”.

I suggest monitoring the feed on the “Alerts” tab for at least a week to check for false positives before implementing it with blocking enabled. If a false positive is found, click the red “x” to the right of the alert to force disable the rule and remove it from the current ruleset.


Monday, November 30, 2020

Squid Installation Step By Step For HTTP sites


Just a quick walkthrough on installing SquidGuard and getting it up and running.

1. Install squid and SquidGuard packages from package manager
2. After installation, go to Squid Proxy Server under services
3. Go to the Local Cache and scroll down to the Squid Hard Disk Cache Size area and click the orange "Clear Disk Cache NOW" option
4. Go back to the General tab and scroll down to the Transparent HTTP Proxy area and check the box for Transparent HTTP Proxy "Enable transparent mode to forward all requests for destination port 80 to the proxy server."
5. Scroll to the bottom of the page and save
6. Go to SquidGuard Proxy Filter under services
7. Scroll down to Blacklist options and check box to enable Blacklist
8. Add http://www.shallalist.de/Downloads/shallalist.tar.gz into Blacklist URL
9. Save
10. Scroll up and go to the Blacklist tab
11. Click the green Download option and wait for download to complete
12. Go to Common ACL tab
13. Click on Target Rules List + sign
14. Scroll down and change Default access [all] to "allow"
15. Deny Porn and Spyware categories (and any other categories you wish to block)
16. Scroll down and save
17. Go back to General settings tab and hit green "Apply" button
18. Go back to Squid Proxy Server under Services tab
19. Check box to enable Squid Proxy and save
20. Go back to Squidguard Proxy Filter
21. Check box to enable and save
22. White box should say "STARTED"