Pfsense

From Security Weekly Wiki

Tech Segment: Using pfSense and an Alix.6F2 For A Wireless Access Point

I wanted a new access point. I have stacks of WRT54G series routers, and they are good, but often aren't up to the task. They are low in memory and processing power, and share one single 10/100 Ethernet bus. This limits their usage for things like streaming HD. Can you do it? Sure. My other problem was the WRT54G I had was constantly needing to be power cycled. All my old ones either went to friends and family members, bricked, or are in pieces somewhere. I bought a shiny new D-Link DIR-655, but after about a year it crapped out on me; actually the wireless radio itself died, which turns out to be a common problem. So, I wanted to build something myself out of really good hardware, and use real software like pfSense, and have an access point that would just kick ass.

Hardware List

All hardware for this project came from www.netgate.com:

  1. ALIX.6F2 Kit Black Unassembled - $188 - This kit comes with the board, power supply, CF card, and enclosure.
  2. Atheros WLM54G-HP mini PCI Card, U.FL to RP-SMA pigtails (two), 5.5 dbi rubber duck antennas (two) - $88 - This is the wireless card, with all the fixings!
  3. 2.4 GHz 9 dBi Rubber Duck Omni Antenna RP-SMA - Bigger is better, right? I want to cover my entire house with one 802.11g access point.

Total cost: $305.77

Get pfSense and Install on CF Card

For the embedded version, make sure you get the NanoBSD images.

Important: verify that you are writing the image to the correct disk:

# df -h
Filesystem      Size   Used  Avail Capacity  Mounted on
/dev/disk0s2   465Gi  425Gi   40Gi    92%    /
devfs          185Ki  185Ki    0Bi   100%    /dev
map -hosts       0Bi    0Bi    0Bi   100%    /net
map auto_home    0Bi    0Bi    0Bi   100%    /home
/dev/disk1s1   7.5Gi  805Mi  6.7Gi    11%    /Volumes/AVST

On OS X, for example, the OS disk is "disk0"; try not to overwrite that one (you'd likely get an error that it's already in use, but I did not test that!). Then use the following command to write the image to the CF card:

# gzcat pfSense-2.0.1-RELEASE-2g-i386-nanobsd.img.gz | dd of=/dev/disk3 bs=16k

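Note: If dd reports "Resource busy", the card still has a mounted volume. Plain umount may fail as well; unmount it with diskutil, as in this session: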

# gzcat pfSense-2.0.1-RELEASE-4g-i386-nanobsd.img.gz | dd of=/dev/disk1 bs=16k
dd: /dev/disk1s1: Resource busy

# umount /dev/disk1s1
umount(/Volumes/KINGSTON): Resource busy -- try 'diskutil unmount'

# diskutil umount /dev/disk1s1
Volume KINGSTON on disk1s1 unmounted

Now go get a cup of coffee, it takes a while. Notice I used the image labeled "2g", for 2 gig, which is the size of my card.
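A pre-flight check for the two problems described above (picking the OS disk, and "Resource busy" from a volume that is still mounted), as an added example that is not part of the original segment. The names check_target and sample_df are hypothetical, and the sample input is the df output shown earlier in this section.

```shell
#!/bin/sh
# Added example (not from the original page): decide from `df` output
# whether a whole disk is safe to overwrite with dd.
# check_target DISK   reads df output on stdin; DISK is e.g. "disk1".
# Exit status: 0 = nothing mounted, 1 = holds the root filesystem,
#              2 = has mounted volumes that must be unmounted first.
check_target() {
    awk -v t="/dev/$1" '
        NR == 1 { next }                        # skip the df header line
        # match the disk itself or one of its slices (disk1, disk1s1, ...)
        $1 == t || index($1, t "s") == 1 {
            if ($NF == "/")
                root = 1                        # this disk carries the OS
            else
                busy = busy " " $1              # mounted data volume
        }
        END {
            if (root) { print "REFUSE: " t " holds the root filesystem"; exit 1 }
            if (busy != "") { print "BUSY: unmount first:" busy; exit 2 }
            print "OK: " t " has no mounted volumes"
        }'
}

# Constructed sample: the df -h output from this page.
sample_df() {
    cat <<'EOF'
Filesystem      Size   Used  Avail Capacity  Mounted on
/dev/disk0s2   465Gi  425Gi   40Gi    92%    /
devfs          185Ki  185Ki    0Bi   100%    /dev
map -hosts       0Bi    0Bi    0Bi   100%    /net
map auto_home    0Bi    0Bi    0Bi   100%    /home
/dev/disk1s1   7.5Gi  805Mi  6.7Gi    11%    /Volumes/AVST
EOF
}

# Intended use on the real system (left commented out on purpose):
#   df -h | check_target disk3 && \
#       gzcat pfSense-2.0.1-RELEASE-2g-i386-nanobsd.img.gz | dd of=/dev/disk3 bs=16k
```

The check only sees what df reports, so it confirms the disk is not in use; it does not confirm that the disk is the CF card.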

Configure an IP address in the Serial Interface

I used OS X for this, and used the following tools:

  1. zTerm - Excellent serial interface software, works well.
  2. Plugable USB to RS-232 DB9 Serial Adapter (Prolific PL2303HX Chipset) - USB serial adapter was $11 on Amazon, handy to have. I had to connect another serial cable to it from some of my old Cisco gear (those connectors should say "Terminal" on them).
  3. Prolific drivers for OS X Lion - I had to get drivers for the serial adapter that have been updated to work with OS X Lion.

Once you have all that, follow Mike's instructions located here on setting up the LAN IP address.

Setup the Wifi Interface using the Web UI

  1. Make sure you add the interface on this page by clicking the "+" symbol.
  2. Add the LAN and Wifi interface to the same bridge.
  3. Set a static IP.
  4. Set an SSID and choose your security; I chose "WPA".
  5. More WPA settings.
  6. Define your channel settings, choose one not so much in use!
  7. Configure the firewall or the Wifi interface will drop all packets from wireless network to the LAN by default!

Tech Segment: Installing pfSense on an Alix.6e1 by InternMike & Security Weekly

We here at Security Weekly love FreeBSD. We also love beer, and so we've been looking for an economical (read: cheap) way to install a firewall without raiding our beer fund. I also have to say, that I am totally in love with the ALIX.6e1 hardware platform:

2 10/100 LAN / 1 miniPCI / 1 miniPCI Express / AMD LX800 / 256 MB / 2 USB / DB9 serial port / CF Card slot / Board size: 6 x 6

pfSense is a FreeBSD-based project that has been special purposed for use as either a firewall or router. The project started in 2004 as a fork of the embedded firewall software package called m0n0wall. pfSense is focused towards full PC installations rather than the embedded hardware focus of m0n0wall. After some research, we decided to purchase the ALIX6E1 kit as there was a lot of web documentation for the project and well, because it was a sweet red color that made Larry crazy. Well, more crazy than his usual self.


First step: break out the credit card

As we hold a strong belief that you should purchase from the vendor whose Google page ranking is first in search results, we clicked the link to Netgate's ALIX 6E1. Netgate's ALIX 6E1 costs $175, or roughly a box of PADRON 7000's.

The kit includes:

  • ALIX.6E1 system board (2/1/1/256/LX800)
  • Laser etched red aluminum enclosure with USB and antenna cutouts
  • Blank 2 GB Sandisk Ultra II CF Card
  • 15V 1.25A 18W power supply (US 3 prong plug style)

You will also need a Compact Flash card writer for installing the pfSense operating system. The one we used cost $10.00 or one PADRON 1926 Series Cigar.

Next you will need the pfSense & physdiskwrite Software, Cost: FREE! (or what a sexy blond pays to drink beer at a frat party).

Second step: Download the necessary packages

We needed the embedded version specifically created for the 2GB CF card size. The embedded version only reads from the flash card and keeps its read/write file systems on RAM disks, because CompactFlash cannot handle many write operations. The embedded versions can be found on pfSense's mirror list.

Third step: Install the pfSense operating system on our CF card

pfSense's documentation does a good job. We used a Windows PC as all our other boxes were busy umm analyzing pr0n, so we opted for the physdiskwrite method.

WARNING: Follow the documentation's advice and be sure you are not overwriting the wrong disk!

C:\Documents and Settings\All Users\Documents>physdiskwrite.exe pfSense-1.2.3-2g-20091207-1914-nanobsd.img

physdiskwrite v0.5.2 by Manuel Kasper <mk@neon1.net>

Searching for physical drives...

Information for \\.\PhysicalDrive0:
   Windows:       cyl: 19452
                  tpc: 255
                  spt: 63
   C/H/S:         16383/16/63
   Model:         ST3160812AS
   Serial number:             9LS0V1FC
   Firmware rev.: 3.ADH

Information for \\.\PhysicalDrive1:
DeviceIoControl() failed on \\.\PhysicalDrive1.

Information for \\.\PhysicalDrive2:
   Windows:       cyl: 244
                  tpc: 255
                  spt: 63

Information for \\.\PhysicalDrive3:
DeviceIoControl() failed on \\.\PhysicalDrive3.

Information for \\.\PhysicalDrive4:
DeviceIoControl() failed on \\.\PhysicalDrive4.

Which disk do you want to write? (0..2) 2
About to overwrite the contents of disk 2 with new data. Proceed? (y/n) y
2001194496/2001194496 bytes written in total

C:\Documents and Settings\All Users\Documents>

Fourth step: Find a desktop PC for a serial connection to the Alix

You'll need either a USB to serial converter cable or a desktop PC to connect the serial cable. In OS X I've used the USB to Serial cable and software called "zTerm". You can also use the command line utility called "screen", or several other free programs.

Fifth step: Boot up the device and fire up Windows' HyperTerminal

Use the following settings for the connection:

  • Baud rate: 9600
  • Data: 8 bit
  • Parity: None
  • Stop: 1 bit
  • Flow control: None

Now we boot into pfSense. As the bootloader comes up, there are 7 options listed. The first question you will be asked is

“Do you want to set up VLAN's now [y|n]?”

Select no, or 'n'. Then you are asked to

“Enter your LAN interface name”

We used 'fxp1'. Next,

“Enter your WAN interface name”

We entered 'fxp2'. Next,

“Enter the Optional 1 interface name”

Here we used 'fxp0'.

Using the above examples, you'd see:

“The interfaces will be assigned as follows:”
LAN  -> fxp1
WAN  -> fxp2
OPT1 -> fxp0
Do you want to proceed [y|n]?

Make sure you enter 'y' here.

pfSense is now running in RAM and almost fully functional. If you wish, you may plug your LAN interface into a hub or switch and connect via the web interface. pfSense is by default assigned an IP address of 192.168.1.1. Open your browser and navigate to http://192.168.1.

  • If you choose to log in, the default username is 'admin' and the default password is 'pfsense'; change the password after your first login.

Guides & Further Reading