pfSense (or other dedicated router) questions

[sfx2000]

And for the most part - I'm a lot nicer about things than some over on the pfSense main community - they're all smart and good - no doubt, but there is a filter there that makes things tough for noobs...

 

[garyd9]

Anyways - since you've already filed the bug - an update will reopen it, so someone needs to take action - there are lots of bugs that are marked "dupe" based on info at the time - you have more info now to add...

I had updated with the info.. it's still duped. I'd like to fight over it, but I need to let these things go or I'll lose my mind trying to take over the world. If the pfSense maintainers want to leave it marked as a dupe of a feature... well.. it's their ball. Until the next release, it really no longer impacts me (and I've taken notes in "google keep" on what's going on, why, and how to work around it.. in case they don't fix it... or implement the feature.. or whatever.. before the next release.)

Gary, respectfully, are you by chance making this too complicated?

This thread has jumped through about 1200 different topics. Chances are that I AM making things too complicated, but it'd be good to know what you are referring to in particular. Please quote something I can reference back to... until then, I'm GUESSING you're referring to the link I posted for my post on forums.pfsense.org concerning the vlan setup with bridging, etc.

If so, I want guests to be able to see some of the machines on a subnet, but not all of them. There are a couple things on the "system" vlan that don't have ADS protection (because the vendors never implemented it, I guess) and I don't trust their plaintext, "pleasehackme" authentication systems (if they even have any kind of auth system.)

As an example: Do you know how easy it is to take over a TiVo system and send remote control buttons to it? All you need is the media access key... and it's trivial to find that with a few unprotected button presses on the real remote while someone steps out of the room. Next thing I know, 4 days later, someone is downloading all my recorded porn and sending keys remotely via wifi to my TiVo causing all my shows to get deleted. If that happened, my wife would kill me, collect my life insurance, resurrect me, and then divorce me.

On an older "DD-WRT" type router (or tomato), I'd assign the tivo an IP address with the last octet being < 128. Then, if the guest wifi was "wl0.2", I could use ebtables to block access: ebtables -I FORWARD -i wl0.2 -p ip --ip-dst 192.168.1.0/25 -j DROP (This used knowledge of how the bridging works in WRT-based routers.)

 

[garyd9]

DUH! I hit the "moderation required" BS.

MODS : can you exempt this thread at least from that silly filter? It really destroys the flow of a conversation when replies get put "on hold" for 24 hours.

 

[garyd9]

And for the most part - I'm a lot nicer about things than some over on the pfSense main community - they're all smart and good - no doubt, but there is a filter there that makes things tough for noobs...

It's okay. I'm a natural born a-hole. I should be able to handle them. (Watch.. THIS comment won't get auto-moderated even though it contains implied profanity.)

 

[sfx2000]

It's okay. I'm a natural born a-hole. I should be able to handle them. (Watch.. THIS comment won't get auto-moderated even though it contains implied profanity.)

That's ok - there's been a couple of times I've hit a filter well beyond the keywords - all good...

 

[garyd9]

So.. a new problem:

Despite the raging of an incredibly annoying but also very unhelpful person on the pfsense forum, Windows Server 2012 R2 Essentials PREFERS that you use the DHCP server on a router and the DNS server on the AD. Don't ask me to explain it.. it just does. (In fact, it also forces the ADS DNS server to use the router IP as a DNS forwarder - only using the ADS DNS for local domain resolutions.)

In order to make that work, I have to override most DHCP server configurations to force it to give my ADS server as the first DNS server (because most DHCP servers want to make themselves the primary DNS.) By the way, this is needed for ADS workstations to properly register themselves in the ADS DNS. (They eventually manage to do it anyway, but then the network can be... wonky.. for 10-15 minutes after a restart.)

Okay, so that's all good. I can force pfSense to specify that 192.168.1.100 is the first DNS server for IPv4. Did you notice that? FOR IPv4. What I can't do is specify "192.168.1.100" as the first DNS server in the DHCPv6 configuration. So, the DHCPv6 server provides it's own IPv6 address for the first DNS server in the DHCPv6 and IPv6 RA's.

That shouldn't be a problem... until you get past Windows 7 and move into Win8 and Win10. Why? Because given an IPv4 DNS address and an IPv6 DNS address, it wants to use the IPv6 one. Now I'm back to the problem I mentioned above in this post about ADS workstations wanting to register their DNS... and not being able to.

In a former life... back when I used a single subnet and vlans were nothing more than an unused configuration option on my switch, I "solved" this by assigning my ADS machine a static IPv6 of "fe80::100". Then I used that as the first IPv6 DNS server. It worked.

Now we move into vlan and subnetting. Guess what doesn't work anymore? fe80::100 is link local. It won't route across subnets. Damn.

Any suggestions? I had considered adding the use of ULA's, but pfSense doesn't seem to support having the radvd giving out TWO prefixes (one for the global prefix and one for the ULA.) So, if I restructured the pfSense config to use ULA's, workstations wouldn't get globally addressable IPv6 addresses.

I also considered a quick ULA-type static address fc00::100 (or anything in fc00::/7) for the ADS/DNS machine... which should be addressable by anything behind the router... but how would I configure the routing rules for that so the router knows to route fc00::100 to the proper interface?

Wow.. things were so much less interesting when I just plugged the switching into the asus wireless router/AP/gateway/thingy and let it go slow.

Okay, network guru's... what say you?

 

[garyd9]

One potential solution: Use a virtual IP (IP Alias.) (I'm shocked that they work with IPv6. When I didn't see something asking if I wanted a virtual IPv4 or IPv6, I expected it to be IPv4 only.)

I "registered" a ULA of fd01:19fc:be04::/48.

I then gave my ADS/DNS server a static IPv6 in that network of fd01:19fc:be04::100. I could ping "fd01:19fc:be04::100" from localhost and from any other machine on the same vlan. Good start. Can't ping it from any machine on another vlan.

Go into pfsense, Firewall->virtual IP's. Add a virtual IP. Set the interface to the one corresponding to the vlan that the ADS is in. Set the address to fd01:19fc:be04::1. Save.

Now I can ping fd01:19fc:be04::100 from any machine behind the router. Nice... very nice. I could now set the DNS server for every vlan's DHCP to be fd01:19fc:be04::100 and it'd work properly.

If this is the best solution, I'll have to change the ULA to use a "subnet" (fd01:19fc:be04:1::/64 instead of fd01:19fc:be04::/48) for that interface, and add firewall rules to ensure the IP doesn't get sent out over the WAN interface. (Okay, I really don't have to "subnet" the ULA, but I'd be more comfortable if I did.)

My problem is that.. well.. it feels hacky.

 

[sfx2000]

In your situation - perhaps make Active Directory the authoritative DNS/DHCP solution there...

pfSense can deal with that...

 

[garyd9]

In your situation - perhaps make Active Directory the authoritative DNS/DHCP solution there...

pfSense can deal with it... but it's a fight to get the ADS machine to accept it. It's something MS changed with 2012R2 Essentials to make it more "friendly" to small business routers (which are basically just the same as consumer wireless routers.)

The ULA on a virtual IP isn't working out. Now DHCPv6 (and radvd) on the interface that I gave the fd01:19fc:be04:1:: IP to is advertising ONLY the fd01:19fc:be04:1:: prefix and NOT the global prefix. Damn... IPv6 is designed to allow multiple IP addresses for a single interface, but very few of the tools can handle that gracefully.

 

[sfx2000]

pfSense can deal with it... but it's a fight to get the ADS machine to accept it. It's something MS changed with 2012R2 Essentials to make it more "friendly" to small business routers (which are basically just the same as consumer wireless routers.)

The ULA on a virtual IP isn't working out. Now DHCPv6 (and radvd) on the interface that I gave the fd01:19fc:be04:1:: IP to is advertising ONLY the fd01:19fc:be04:1:: prefix and NOT the global prefix. Damn... IPv6 is designed to allow multiple IP addresses for a single interface, but very few of the tools can handle that gracefully.

Gaah - seems to be perhaps a good solution to put a managed switch in the middle to handle the VLAN's...

Just an observation - rather than peel back layers one by one, and ask for input - perhaps just put all the cards out there - might be more productive...

 

[Nullity]

Gaah - seems to be perhaps a good solution to put a managed switch in the middle to handle the VLAN's...

Just an observation - rather than peel back layers one by one, and ask for input - perhaps just put all the cards out there - might be more productive...

Agreed.

I would also say read a book or two on pfSense and related tech.

"The Book of pf" is great, along with the official pfSense book. Heck, if you haven't read the pfSense wiki, please do that...

 

[garyd9]

Just an observation - rather than peel back layers one by one, and ask for input - perhaps just put all the cards out there - might be more productive...

I'd love to.. This "project" has grown significantly beyond what I originally planned, and I've hit issues that I didn't anticipate (simply because details often slip through the cracks) such as the IPv6 DNS thing (and fe80:: not being routable.)

The original diagram I posted so many pages ago still applies. There's no new information. Just the implications of that information is causing some bumps.

BTW, this is how I learn. I f' things up, and then figure out or find out how to fix them. Yes, I did burn my fingers OFTEN as a child while learning not to touch the hot stove.

 

[Nullity]

...
BTW, this is how I learn. I f' things up, and then figure out or find out how to fix them.
...

Fair enough, but not everyone on the forum(s) wants to be your teacher (for free)...

 

[garyd9]

Agreed.

I would also say read a book or two on pfSense and related tech.

"The Book of pf" is great, along with the official pfSense book. Heck, if you haven't read the pfSense wiki, please do that...

The information out there is of only limited value, sadly. There's nothing good (and current) about the entire thing. For example, no good resource for configuring radvd in pfsense, or some of the side-effects of virtual IP's. (For example, nothing in the wiki mentions that "IP Alias" can use an ipv6, but "Proxy ARP" can't... I found it by just trying things out.)

I'd dig more on the pfsense forum, but I tend to get very annoyed at certain specific users on there who like to imply that everyone else is an idiot, but never actually answer questions. For example, I posted a question on there about my overall LAN concept and asking for feedback and suggestions. ONE person replied (and it was one of the idiots I referred to) and took ONE part of the entire thing and flamed me for even considering such a sacrilegious thing and DEMANDED to know why I'd want to do that. He obviously didn't read my post where I described why... and when I responded to him (very politely, in fact), explaining it to him, he disappeared. No answers.. no suggestions... just "your an idiot.. don't do that" with no alternatives.

Here's a link to that topic: https://forum.pfsense.org/index.php?topic=116109.0

So.. I'm working through it. To be honest, I'm having to work around most of the things I encounter without actually solving them. Once I get everything running smoothly, I'll revisit most of this stuff to try and make it better... and learn more in the process.

 

[sfx2000]

I'd love to.. This "project" has grown significantly beyond what I originally planned, and I've hit issues that I didn't anticipate (simply because details often slip through the cracks) such as the IPv6 DNS thing (and fe80:: not being routable.)

Well, you're running into Scope Creep on a project - so take some time to think about the baselines there - and that's ok... we all fall into that situation from time to time..

So look back at what you're really trying to do here...

Project Management 101 - and it's an easy trap to fall in to... but easy enough, but one has to step back and look at the whole, knowing the new information.

 

[sfx2000]

So.. I'm working through it. To be honest, I'm having to work around most of the things I encounter without actually solving them. Once I get everything running smoothly, I'll revisit most of this stuff to try and make it better... and learn more in the process.

Best advice I can give at the moment - take a break - seriously - you're getting wrapped up in particulars, and this is driving you down a rat-hole - and this is not a good place to be.

Take a step back - knowing what you know now - and then let things go for a day or two - and then reconsider what you're trying to do - it'll clear your mind, and you'll find the right solution to your problem, and I'm guessing your rebuild your project plan around it.

 

[EngChi]

garyd9 - would you be able to explain what are the problems you are having?

I run Windows Server 2012 Essentials server with 3 windows 10 clients and pfsense as my firewall , all without an issue

on client
gateway - pfsense
DHCP - windows server
DNS1 - windows server
DNS2 - pfsense

no issues.

 

[garyd9]

garyd9 - would you be able to explain what are the problems you are having?

ah... so many. Seriously, I have it running in a basic form.. it's just trying to get certain oddities going is a PITA. Before I start, though - do you have IPv6 going with your configuration? (with global assigned dynamic prefix addressing?)

Honestly, I think the folks reading this thread are tired of reading my problems. Most are listed above in the previous couple of pages.

For now, however, I'm taking the advice of @sfx2000 and just taking a break from it. I can use the time to get the "unifi" AP controller working on a raspberry pi, or trying to figure out how to pull ethernet through three stories of my house. (As with other things, I could just pay someone to pull the wire, but I'd learn nothing doing it that way, and it'd probably cost me 10x as much.)

 

[EngChi]

Sounds good. my knowledge of pfsense is probably lower than yours - all I wanted it to do is do automatic WAN failover/balancing for multiple ISPs, built in firewall, and things like per country/continent traffic blocking (I have no need , desire, or interest in getting pings from say South Korea which is within top 3 spam bot countries).

Give me some time to look at your thread to understand it as it may help taking a brain dump of what you want in numbered form. some of the things you route I currently do not understand i.e. below - my mind immediately stumbles when I read "IP addresses change" - arent you assigning _all_ IP addresses in your network? how can they change if you map them to MAC addresses?

"
For example, let's say I want to block MAC address A:B:C:E:F from any internet (LAN <> WAN) traffic. I prefer not using IP addresses for a couple reasons:
1. I'd have to set up multiple rules for IPv4 and IPv6.
2. IP addresses change... between IPv4 dynamic assignments and Windows constantly rotating IPv6 addresses, there's no constant.
3. Even if not for #1 and #2, most non-techies find it much easier to spoof an IP address than to spoof a MAC address.
"

what I have done with my network is set up static IPs for all key devices (obihai VOIP adapters, HDHR network tuners, network printers, workstations, server, NAS, consumption appliances like shieldtv and amazon firebox, etc), gave a pool for dynamic assignments for times when wireless is needed (phones, tablets) and left it at that. I do not run into issues with guest wireless network as I do not run that. also everything possible is hard wired with cat5e, as others on this forum I came to realization that wireless is convenience and should be avoided whenever possible if such choice exists. for what its worth..

 

[sfx2000]

As with other things, I could just pay someone to pull the wire, but I'd learn nothing doing it that way, and it'd probably cost me 10x as much.

Been there - and I'll tell you what - it's not worth it - I've got a telcom/cable installer as a sub-contractor at $75/hour, and he charges me time/material - and he's good at what he does, and he has all the tools to deploy and test... he does it in his off-hours, so evenings and weekends are best for him, and he has a good hustle going on.

Most homes he can do in two hours at most... and CAT5e/CAT6a is cheaper by the spool, as is RG6 (upgraded coax).

Most jobs end up being under $200 - considering time/material, and one's on time/value - find an installer - I found him on the local Craigslist actually under the Jobs/Skilled Trade and Craft section... wish I would have found him before I did my own cable pulls here at the house - he would have done the same job in a quarter of the time...