Thursday, April 22, 2021

Do I have to reinstall packages after a restore on pfSense?

Short answer: Yes

I did a restore of a config after reloading the pfSense software, and did a test of installing the packages before I did a restore of the configuration. When I did the restore of the config, I did have to go reinstall the packages again.

Wednesday, April 21, 2021

Site To Site IPSec issue with 21.X release of pfSense

I ran into this issue a few months back where I upgraded the Netgate SG-5100 from 2.4.5 to 21.01.  That night I noticed that I had issues with my IPSec site to site VPNs.  I also have several OpenVPN site to site VPNs, but they were unaffected.

Last night, I ran into the same issue when upgrading from 2.4.5 to 21.02-2.  Same customer.  When I did this upgrade (to fix another problem), this IPSec issue came back again.  In doing some research, I found this link in the Netgate forum: https://redmine.pfsense.org/issues/11524

After reading through this, I verified my settings.  Sure enough, I was using SHA256 as my hash for my VPN settings.  I made the following changes:

1.  Changed from SHA256 to SHA512 (from what I read, use anything but SHA256 or SHA1)

2.  Disabled AES-NI by going to System --> Advanced --> Miscellaneous --> Cryptographic Hardware, and changing that setting from "AES-NI and BSD crypto device" to "Intel QuickAssist (QAT)".
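A quick way to find which tunnels still propose the hashes the post above moved away from is to scan a pfSense config.xml backup before touching the GUI. This is an added example, not code from the post or from Netgate; the tag layout it walks (ipsec/phase1/encryption/item/hash-algorithm and ipsec/phase2/hash-algorithm-option) is my assumption about the 2.4.x/21.x export format, and the sample export is constructed.

```python
"""Audit a pfSense config.xml export for IPsec proposals that still use
SHA256 or SHA1, the hashes the post above had to replace with SHA512."""
import xml.etree.ElementTree as ET

# Hash names to flag (phase 1 uses bare names, phase 2 uses hmac_ prefixes;
# both spellings are assumptions about the export format).
FLAGGED = {"sha256", "sha1", "hmac_sha256", "hmac_sha1"}


def find_weak_ipsec_hashes(config_xml: str):
    """Return (phase, tunnel description, hash) for every flagged proposal."""
    root = ET.fromstring(config_xml)
    findings = []
    for p1 in root.iterfind("./ipsec/phase1"):
        descr = (p1.findtext("descr") or "").strip()
        # Phase 1 proposals live under encryption/item/hash-algorithm (assumed)
        for item in p1.iterfind("./encryption/item"):
            h = (item.findtext("hash-algorithm") or "").lower()
            if h in FLAGGED:
                findings.append(("phase1", descr, h))
    for p2 in root.iterfind("./ipsec/phase2"):
        descr = (p2.findtext("descr") or "").strip()
        # Phase 2 may list several hash options; flag each weak one
        for opt in p2.iterfind("hash-algorithm-option"):
            val = (opt.text or "").lower()
            if val in FLAGGED:
                findings.append(("phase2", descr, val))
    return findings


# Constructed sample export: one tunnel still on SHA256, one already on SHA512.
SAMPLE_CONFIG = """<pfsense>
  <ipsec>
    <phase1>
      <descr>branch-office</descr>
      <encryption><item><hash-algorithm>sha256</hash-algorithm></item></encryption>
    </phase1>
    <phase1>
      <descr>datacenter</descr>
      <encryption><item><hash-algorithm>sha512</hash-algorithm></item></encryption>
    </phase1>
    <phase2>
      <descr>branch-office-lan</descr>
      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
      <hash-algorithm-option>hmac_sha512</hash-algorithm-option>
    </phase2>
  </ipsec>
</pfsense>"""

if __name__ == "__main__":
    for phase, descr, h in find_weak_ipsec_hashes(SAMPLE_CONFIG):
        print(f"{phase}: '{descr}' still proposes {h}")
```

Run it against a backup taken from Diagnostics > Backup & Restore; every line printed is a tunnel to revisit in the IPsec phase settings.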


Thursday, April 1, 2021

Update from Console access

I was reloading a Netgate SG-3100 and did an upgrade from the console.  Select 13 to do the update.


 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + Netgate pfSense Plus tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Enable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 13

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: . done
Processing entries: . done
pfSense-core repository update completed. 8 packages processed.
Updating pfSense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
pfSense repository update completed. 449 packages processed.
All repositories are up to date.
>>> Upgrading pfSense-upgrade... done.
>>> Setting vital flag on pfSense-upgrade... done.
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: . done
Processing entries: . done
pfSense-core repository update completed. 8 packages processed.
Updating pfSense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
pfSense repository update completed. 449 packages processed.
All repositories are up to date.
Your packages are up to date

*** Welcome to Netgate pfSense Plus 21.02-RELEASE-p1 (arm) on pfSense ***

Wednesday, March 31, 2021

Reinstall SG-3100

I had a Netgate 3100 go down after a storm recently and I had to do a reinstall of the software.  Below is the process I went through.

1.  Create USB install with pfSense-plus-SG-3100-recover-21.02-RELEASE-p1-armv7.img.gz image. I used Etcher to create the USB stick.

2.  Insert USB and boot the 3100.

3.  Stop the boot to where you have the Marvell prompt.

4.  Type "run recovery". (You may have to type "usb reset" first if it does not recognize the USB drive).

5.  Walk through install.

6.  Reboot and take out USB.

Saturday, March 27, 2021

OpenVPN Site To Site

pfSense has the ability to do site to site VPNs either with IPSec or OpenVPN. Both are capable of being very secure. But one of the things I like about the OpenVPN site to site is that you can configure a firewall to be a VPN server and the remote as a client.  This is especially good when the remote has a dynamic address assigned to it. No messing with dynamic DNS and you never need to know the remote power IP.  It's not that hard to set up and it's a good solution. There are many things that I do like about the pfSense box, and this is one of them.

Thursday, February 25, 2021

Restoring To Factory Default

Recently, I had some IPSec problems with the new version of code and I had to revert back to the 2.4.5 code to try to resolve the issue.  The thing I did was to do a "factory default" while I was on the new image.  In most vendors, when you do a factory default, it defaults to the image that came from the manufacturer at the time of shipping.  However, on the Netgate box, the image you factory default to is the image that you are currently running.  Just FYI.

Sunday, January 31, 2021

Route Reflection

I had a call from a customer who needed to be able to get to an internal server by way of the external public IP address, from the INSIDE of the network.  This is not uncommon when you have an application on a cell phone that has not been set up with external DNS, but has instead a public IP put in.  This is not a problem for the pfSense firewall.  The option you need is called Route Reflection.

Go to System --> Advanced --> Firewall and NAT, and look under the heading "Network Address Translation".

Change the setting of "NAT Reflection mode for port forwards" to "Pure NAT".

Change the setting of "Enable NAT Reflection for 1:1 NAT" to a checked box.

Change the setting of "Enable automatic outbound NAT for Reflection" to a checked box.