pfSense Multi-WAN Configuration: Part One

pfSense multi-WANpfSense incorporates the ability to set up multiple WAN interfaces (multi-WAN), which allows you to utilize multiple WAN connections. This in turn enables you to achieve higher uptime and greater throughput capacity (for example, if the user has one 1.5 Mbps connection and a second 2.5 Mbps connection, their total bandwidth using a multi-WAN setup would be 4 Mbps). It has been reported that some pfSense deployments have used as many as 12 WAN connections, and pfSense may scale even higher than that with the right hardware.

Any additional WAN interfaces are referred to as OPT WAN interfaces. References to WAN refer to the primary WAN interfaces, and OPT WAN to any additional WAN interfaces.

There are several factors to consider in a multi-WAN deployment. First, you’re going to want to use different cabling paths, so that multiple Internet connections are not subject to the same cable cut. If you have one connection coming in over a copper pair, you probably want to choose a secondary connection utilizing a different type and path of cabling. IN most cases, you cannot rely upon two or more connections of the same type to provide redundancy. Additional connections from the same provider are typically a solution only for additional bandwidth; the redundancy provided is minimal at best.

Another consideraton is the path from your connection to the Internet. With larger providers, two different types of connections will traverse significantly different networks until reaching core parts of the network. These core network components are generally designed with high redundancy and problems are addressed quickly, as they have widespread effects.

Whether an interface is marked as down or not is determined by the following ping command:

ping -t 5 -oqc 5 -i 0.7 [IP ADDRESS]

In other words, pfSense sends 5 pings (-c 5) to your monitor IP, waiting 0.7 seconds between each ping. it waits up to 5 seconds (-t 5) for a resoibsem and exits successfully if one reply is received (-o). It detects nearly all failures, and is not overly sensitive. Since it is successful with 80 percent packet loss, it is possible your connection could be experiencing so much packet loss that it is unusable but not marked as down. Making the ping settings more strict, however, would result in false posiitives and flapping. Some of the ping options are configurable in pfSense 2.2.4.

In the next article, we’ll cover WAN interface configuration in a multi-WAN setup.


External Links:

Network Load Balancing on Wikipedia

Configuring Dynamic DNS in pfSense

pfSense DDNS

Adding a domain name at the Duck DNS website.

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DNS configuration of its configured hostnames and/or addresses. The term is used to describe two separate concepts. The first is dynamic DNS updating, which refers to systems that are used to update traditional DNS records without manual editing; this mechanism is described in RFC 2136. The second permits lightweight and immediate updates, often using an update client. These clients provide a persistent addressing method for devices that change their location or IP addresses.

Most internet users who have consumer-grade internet access have a dynamic IP address, most likely assigned by their Internet service provider’s (ISP) DHCP server. These types of IP addresses pose a problem if the user wants to provide a service to other users on the Internet (e.g. a file server). DDNS provides a solution to this problem by providing a means of mapping a potentially rapidly changing IP address to a domain name without suffering the delay which it usually takes for a DNS change to propagate through the hierarchy of DNS servers.


Over the years, several companies and organizations have provided dynamic DNS capabilities. One such company, Dyndns (now called Dyn), provided a free domain name. In 2014, Dyn discontinued their free domain name service. They now charge $40 a year, which I still consider to be a reasonable price. But why pay for domain names when you can still get them for free? Duck DNS provides up to 5 free domain names (all subdomains of duckdns.org; e.g. mydomainname.duckdns.org) and is easy to configure with pfSense. In this article, I will outline the process.

Configuring Dynamic DNS: Creating a Duck DNS Domain Name

First, create a free account on Duck DNS. Once you have done this, scroll down to the domains section of the page. There will be an edit box for entering your domain name and a green add domain button. Enter a domain and press this button; if your domain isn’t taken already, you should see a page similar to the one shown in the screen capture in which your new domain is listed.

Next you need to install the Duck DNS client on your computer. The Windows version of the client can be downloaded from www.etx.ca and installed easily. The Linux version can be installed even more easily. You will need to install zenity, cron and curl first. Cron comes with most if not all Linux distros; zenity and curl can be installed with the apt-get command. There is a script you can download and execute which provides the same functionality as the Windows Duck DNS client. You will need to enter the domain you created in the first step in the Domain field and in the Token field you need to enter the token generated by Duck DNS for your domain. [This token can be found in the as part of the Update URL provided in the pfSense installation instructions on the Duck DNS website. The token is the part between token= and the ampersand.]

Configuring Dynamic DNS: Adding a DynDns Entry in pfSense

pfSense DDNS

Adding a DynDns entry in pfSense 2.2.4.

With Duck DNS configured and the client installed, now we can log into our pfSense box and configure DynDNS. From the pfSense menu, navigate to Services -> Dynamic DNS. There will be two tabs on the page: DynDns and RFC2136; select DynDns if it is not already selected. Press the plus button to the right of the table to add a new entry. For Service type, select Custom from the dropdown box. The Username and Password fields can be left blank. For the Update URL, you need to copy and paste the URL provided in the pfSense installation instructions on the Duck DNS webside. [You can find this instructions page by clicking on install on the menu at the top and then clicking on pfSense in the Routers section.] For Results Match, enter OK. Once these settings are entered, click on Save to save the changes.

Now the dynamic DNS configuration is complete, but since the whole point of setting up DDNS is to make services on your home network available to others, you are probably going to want to add an entry to the Network Address Translation (NAT) table to redirect incoming traffic to the node providing the service. You also need a corresponding firewall rule to allow the traffic through (NAT can create such a rule automatically). This is assuming that you didn’t already alter the NAT/firewall rules for the service you want to make available. One potential issue is that your ISP may block port 80 traffic, so if you want to set up your own web server, you may have to use a different port. [You can use NAT to redirect traffic from the port you selected to port 80.] If you cannot access the service you are trying to make available from the WAN side, you might want to try a different port and see if it works.


External Links:

Dynamic DNS on Wikipedia

Duck DNS website

 

Video: Configuring Dynamic DNS with pfSense

You may want to set up a domain name for your home or SOHO WAN IP. This video demonstrates how to do this. In this video I cover:

  • What DDNS is, why you might want to use it, and different methods of implementing DDNS
  • Configuring Duck DNS on the Duck DNS web site; downloading and installing the Duck DNS client
  • Configuring DDNS in pfSense and setting up NAT so we can access an Apache web server behind the firewall
  • Accessing a web site using the domain name I set up in the previous steps

IPsec VPN Configuration in pfSense: Part One

IPsec VPN

Phase 1 IPsec configuration in pfSense 2.2.4.

In the previous article, we covered how to set up a PPTP VPN connection in pfSense, and how to connect to it in Mint Linux. Since PPTP relies on MS-CHAPv2, which has been compromised, we probably want to use another method if security is paramount. In this article, we will cover setting up an IPsec tunnel with pfSense and connecting to it with Mint Linux.

IPsec VPN Configuration: Phase 1

First we need to set up the IPsec tunnel in pfSense. Navigate to VPN -> IPsec and click on the plus button on on the lower right to add a new tunnel. Under General information, there is an entry for Interface, where we select the interface for the local endpoint of the tunnel. Since our end user will be connecting remotely, the local endpoint should be WAN. The next entry is Remote Gateway, where we enter the IP address or host name of the remote gateway. Enter a brief description and scroll down to the Phase 1 proposal (Authentication) section. At Pre-Shared Key, you need to enter a key (PSK), which will essentially be the tunnel’s password. Whether you alter the Phase 1 proposal (Algorithms) settings or not, take note of the settings, as we will need them for future reference. Press the save button at the bottom to save the Phase 1 configuration. On the next page, press the Apply changes button to commit changes.

IPsec VPN

Phase 2 IPsec configuration.

IPsec VPN Configuration: Phase 2

Now there should be a new entry in the IPsec table for the new Phase 1 configuration. Click on the big plus button underneath the entry you just created to initiate Phase 2 configuration. This section should expand, revealing an empty table for Phase 2 settings. Click on the (smaller) plus button to the right of the table to bring up the Phase 2 settings page. For Mode, you can select whichever method you prefer, but note that whoever connects will have to use the same method. For Local Network, enter the network or address to which you want to give the VPN user access (probably LAN net). For Remote Network, enter the address of the remote end of the VPN tunnel. Enter a brief description. In the Phase 2 proposal section (SA/Key Exchange), set the protocol and encryption options, again taking note of them for future reference (AES-256 is the commonly used standard). When you are done, press the Save button at the bottom of the page. Press the Apply changes button on the next page to commit changes. Finally, check the Enable IPsec check box on the main IPsec page and press the Save button.


Now that Phase 1 and Phase 2 configuration are complete, all that remains is to create a firewall rule for IPsec traffic. Navigate to Firewall -> Rules. There should be a new tab for IPsec; click on it. There may already be a rule there allowing traffic to pass to whatever network or address you specified in the Phase 2 configuration. If not, then create one now by pressing the one of the plus buttons on this page. Most of the default settings can be kept, but set Destination to the network or address specified in Local Network in the Phase 2 configuration. For Destination port range, specify any. Add a brief description, and press the Save button. On the next page, press the Apply changes button to commit these changes.

In part two of this article, we will cover connecting to the VPN tunnel from the remote node.

External Links:

IPsec on Wikipedia

pfSense IPsec configuration information from the official pfSense site

PPTP VPN Configuration in pfSense

PPTP VPN

Configuring the PPTP VPN settings in pfSense 2.2.4.

A virtual private network is a means of extending a private network across a public network. The public network is most commonly the Internet, although not always. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network. A VPN establishes a virtual point-to-point connection to the destination network. Major implementations of VPNs inclue OpenVPN, IPsec, L2TP and PPTP.

pfSense makes it easy to set up a VPN connection, with support for all four of the abovementioned VPN protocols. [m0n0wall, which I used prior to making pfSense my primary firewall, supported IPsec and PPTP.] In this article, I will demonstrate how to configure a PPTP connection with pfSense, and connect to it with a Mint Linux system.


PPTP VPN Configuration: Configuring the PPTP Server

After logging into your pfSense firewall, navigate to VPN -> PPTP. From the Configuration tab, select the Enable PPTP server radio button. For Server address, you should enter an IP address on an unused subnet. For Remote address range, you should specify the starting address for VPN users (presumably on the same subnet as the server address). Scroll to the bottom and check the Require 128-bit encryption check box. Press the Save button at the bottom of the page.


Now PPTP is enabled, but we still have to create users and a firewall rule. Click on the Users tab and press the Plus button to add a user. Enter a username and password (you have to enter it twice). If you want to assign a specific IP address to this user, you can do it here. Press the Save button when you’re done.

PPTP VPN

Creating an firewall rule to allow traffic to pass from the VPN to the LAN.

Now all we have to do is add a firewall rule. Navigate to Firewall -> Rules. You will see that in addition to tabs for all your interfaces (LAN, WAN, DMZ/OPT1, etc.) there is a tab for PPTP. Click on that tab, and click on the Plus button to the right of the table to add a rule. For Destination, select LAN net (to allow access to the LAN network from our VPN), and for Destination port range, select any. Add a brief Description (e.g. “Allow PPTP to LAN”) and press the Save button. [All other settings can be kept at the default values.] Once the rule is saved, press the Apply changes button on the next page to force a reload of the firewall rules.


PPTP VPN Configuration: Testing the Connection in Linux Mint

Our setup of the pfSense firewall for VPN is complete; now we need to test it. Your mileage may vary depending on what operating system you use. I used Mint Linux to connect. In Linux Mint, click on the connection icon in the system notification area of the toolbar. A box with various networking options should appear. In this box, click on Network Connections. This should open the Network Connections dialog box. [You can also reach this dialog box by navigating to Preferences -> Network Connections on the Mint Linux menu, also accessible from the toolbar.] In this dialog box, click on the Add button. This will launch the Choose a Connection Type dialog box, choose Point-to-Point Tunneling Protocol (PPTP) and press the Create button. At Gateway (on the VPN tab), enter the WAN IP address of your pfSense firewall (or the domain name of your WAN gateway, if you have one). For User name and Password, enter the username and password you created when you were setting up PPTP on your pfSense box. Press the Advanced button and check the Use Point-to-Point encryption (MPPE) check box. This will enable the Security dropdown box, select 128-bit (most secure. Check the Allow stateful encryption check box. Press the OK button to save these settings. Next, click on the IPv4 Settings tab and for Method, select Automatic (VPN) addresses only from the dropdown box. Click on the Save button at the bottom of the dialog box to save the VPN connection settings.

PPTP VPN

Configuring the advanced settings in Mint Linux for our VPN connection.

Now, the VPN connection settings are saved and you should be able to connect. Again click on the connection icon in the system notification tray. In the box that appears, there should be a new section called VPN Connections. Click on the VPN connection you just created (most likely, VPN connection 1), when you do, Linux Mint will try to establish a VPN connection. If it works, you should be connected to the VPN.

If it doesn’t work, there can be several reasons. If the connection attempt fails without even connecting to your pfSense box, then you should make sure that the WAN interface of your pfSense box is reachable from your network. If, however, Mint Linux is able to connect to your pfSense box but the connection still fails (the more likely scenario), your VPN connection settings may be incorrect. In particular, you should check to make sure the security settings are correct (you must choose 128-bit encryption and allow stateful encryption). If you double-check the settings and everything seems to be right and you still cannot connect, then the mistake may have been how you configured PPTP in pfSense, so you probably should double-check those settings. If you are now connected to the VPN, you should be able to access LAN resources the same as a local LAN user would be able to access them.

One final note is that we should be mindful of the fact that VPN connections are encrypted, and encrypting data requires additional CPU power. One user connecting via VPN shouldn’t create an appreciable strain on the CPU, but 50 VPN users surely will. There is specialized hardware that you can purchase; Soekris is the most prominent manufacturer of such hardware, and installing them in your pfSense box will relieve the CPU of the computing-intensive tasks of encryption and compression. In most cases, however, the cheaper option is to just buy a faster CPU. In any case, you will probably want to consider VPN usage when you develop the specifications for your pfSense box.



External Links:

Virtual private network on Wikipedia.

Product page for vpn 14×1 products on the Soekris website.

 

Video: Upgrading a pfSense Firewall

This week, I upgraded my pfSense firewall from version 2.2.3 to 2.2.4. This video documents the process. If you’re running an old version of pfSense and want to bring it up-to-date, all that is required is a few mouse clicks and some time.

Video: Configuring a Second WAN Gateway in pfSense

This video describes how to configure a second WAN gateway for a multi-WAN setup in pfSense. [Hint: It doesn’t take long.]

© 2013 David Zientara. All rights reserved. Privacy Policy