I want to add pfsense to my server; how/where to get started?



I'm running the latest beta (6.0-beta14b) and have a Windows8 VM running with KVM.  I have several dockers running also, but nothing too exotic.

 

I've installed a VPN on my fast router, but it KILLS the throughput, so I've been reading a bit about pfsense, and it seems like a good option for me, but since I'm not at all a network person, it's pretty over my head.

 

So, I'm wondering if anyone has pfsense running on KVM, and if so, could/would they share with me how to get it setup and running on unRAID?

 

My motherboard has dual NICs, and I have a separate Intel NIC I can install in addition if that makes the process any easier/better.

 

Thanks in advance for any help!

Link to comment

If you look through my past posting history you can find the steps I did to create my pfsense VM. I'm not at a computer now or I would dig it up. FWIW, I would recommend setting up pfsense on a spare computer and learning how it works before setting it up as a VM. Pfsense has a crazy amount of options and settings and can take a little while to get used to if you have not used it before. I definitely would recommend using pfsense though, it's amazing!

Link to comment

Good start Justin, I have been thinking about this as well but haven't had the time to dig into details. Will keep a tab on your progress, good luck!

 

 


Link to comment

@JustinChase, what router are you using ?

 

ASUS RT-N66

 

Using it with privateinternetaccess takes my 60MB service to 7-8MB.  The router just can't handle all the encryption :(

 

http://lime-technology.com/forum/index.php?topic=37845

 

Here is the link to my other post. It's not a true guide but it will probably help a bit.

 

Thanks.  I'd already searched for your posts, but hadn't seen that one yet.  I'm still trying to get to grips with the logistics of setting this up; especially if I'll have internet when unRAID goes down (I think not?).

 

Also, which NIC's to use for pfsense and for unRAID.

 

Then, obviously how in the world to actually setup and use pfsense; and how long before I figure it out enough to get everything working the way I want.

 

I'm hoping to start soon, but we just bought a fixer-upper, which is taking all my time lately, so it may still be a bit before I get far enough to ask pertinent questions.

 

Thanks for all the feedback everyone.

Link to comment

I don't think there is a user "pfsense_fan" on the forum.

 

I did a search for guide from that user and got nothing, then searched for beta and unraid from that user and got nothing.

 

I then searched for pfsense guide from all users and got about a dozen results, but nothing from that user.

 

If you happen to find the guide you mentioned, I'd love to see it.

 

thanks.

Link to comment

FWIW,

 

Here is a guide I put together on how to get pfsense working with multiple PIA VPNs at the same time. So what I have done is some computers on "Alias A" only use my ISP and do not get redirected through the VPN, computers on "Alias B" use a PIA US VPN and computers on "Alias C" go through a Non US VPN... Probably way overkill but it was fun to learn about advanced pfSense options. Also, the pfSense forum is pretty helpful and users are nice (not as awesome as the unRAID forum but still a great group). I asked lots of questions over at their forum.

 

https://forum.pfsense.org/index.php/topic,68539.0.html

 

EDIT:

Also, the guide was made for pfSense 2.1 not 2.2 so some things look different but it has not visibly changed much.

Link to comment


 

Damn taptalk

 

Let me explain again.

 

airvpn.org is another VPN service. I use it and I'm happy with this service, and it's pretty affordable.

 

Here is the link: https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/

 

I will warn you, it's long and it's for 2.1, BUT it works. Secondly, read thru the whole thing; yes, it's long, but it will save you headaches.

 

The person that created this guide seems pretty nutty about privacy, so he built it pretty bulletproof. However, it's on a physical box and I'm not sure how it performs on a virtual one.

 

Link to comment
  • 9 months later...

Thanks for that link, it's got some really good information.

 

I'm finally getting back around to working on this again now.  I've downloaded the most recent/stable version of pfSense and am working on creating the VM to install it into.

 

The guide you linked covers the setup quite thoroughly, but not much info on creating the right environment, so I have a few more questions.

 

I'm planning on assigning 512MB of memory and 8GB of hard drive space.  I originally tried to assign only 1GB, but it warned me that it might not be big enough for crash dumps, so I bumped the image/size up to 8GB.  I looked around for a suggestion on what size it might need but didn't find anything.  I hope 8GB is a reasonable amount.

 

I'm planning on installing it to my unassigned SSD, for speed and to keep it separate from the array.

 

I don't really know what type of network bridge would be best, so I'm going with br0.  I'm not sure if this is good/safe considering my other VM's use the same bridge.  I would think I'd want them to be different, since I'm trying to separate everything, but I'm not sure what else I'd select, so I'm starting with this setup as a test.

 

Also, I'm planning a 3 NIC setup, using the 2 onboard NIC's and one Intel card.  I figure I'll use the card for WAN and the 2 motherboard NIC's for the LAN's.  I wonder if this will be an issue since I used to have problems with unRAID using the 'other' onboard NIC for network communications and I'd occasionally be unable to connect to unRAID after a reboot.  I'd asked about this issue at the time and was told unRAID will grab whatever NIC it 'sees first' and if I'd plugged my cable into the other one, I would just not have connectivity.  I resolved this by turning off one of my onboard NIC's in the BIOS, but now I'll have to turn this back on to have access to all 3.  I guess I'll find out if this causes any issues, but thought I'd ask about it while typing out my plan.

 

Well, those are the issues I expect to face as I move forward.  Any ideas/suggestions about these things are most welcome, as are any other thoughts about setting all this up.  I'll try to update this thread as I proceed, since I really haven't found much other information about pfSense on unRAID.  Perhaps this will help others someday (as well as remind me what I need to do in case I have to do this again someday)

Link to comment
  • 2 weeks later...

Okay, I'm trying to get this working this evening, and I'm not having much luck.

 

I've tried to setup pfsense using my normal syslinux.cfg (not excluding any network cards), and using a bridge in the pfsense VM.  When I start that VM it gets to the point of asking me to plug in my network cable, so it can determine which cable is for the WAN.  This doesn't work, I assume because I'm actually connecting via a bridge.

 

So, I then tried excluding my NIC in the syslinux.cfg, then rebooted.  I was able to connect to the server, could browse user shares from within Windows, but only for a short time.  After a couple of minutes, I was unable to browse the shares, and was unable to navigate the unRAID GUI.  I had been able to go from the main GUI to the docker GUI, but could never navigate to the VM tab.

 

Okay, something must be preventing me from long-term usage, so fine, I'll reboot and try again, making sure to go to the VM tab first thing.  Once on that page, I figured I could launch the VNC link and get into the pfsense setup, and hopefully at least get it to recognize/use the WAN NIC I excluded from unRAID.

 

But, that didn't work.  After restarting, I was able to navigate the user shares again, but could never get the GUI to load.  I cleared cookies in the browser, forced a refresh of the GUI (shift-click), but nothing.  I was able to connect to putty, but after several minutes, even that connection got hosed.

 

I assume something is spamming my network connection and killing the GUI.  Whatever is happening, I'm not sure how to get this setup now.

 

It seems clear my idea of excluding a NIC from unRAID to let pfSense have it isn't working, and not excluding it doesn't leave me one to assign to pfSense, so how the hell do I proceed?  What are the 'proper' steps to "move" the NIC from unRAID to pfSense which allow me to get to the unRAID GUI to launch the pfsense VNC connection, while still allowing me to assign the NICs to pfSense once I'm able to get it launched?

 

I know others have gotten this working, but I'm not having any luck :( :(

Link to comment

no.  I couldn't figure out how to exclude the NIC's from unRAID so pfSense can have them, yet still connect to unRAID to launch the pfSense VM.

 

I'm now trying to exclude just one NIC, so I can still get to unRAID, but have one available to pfSense.  I got stuck with a bad xml that was autostarting and killing my server, so for the last hour I've not made any progress.  I just resolved that issue, and am about to try my exclude one NIC attempt.

 

If that doesn't work, I'm really not sure how to proceed.  I wish there was a way to access the GUI from the console, so I wouldn't need a NIC to connect to the GUI, but I couldn't figure out how to do that, so I have to have at least one NIC assigned to unRAID.

 

It seems like it could be easier, but nothing is ever as easy as I'd like it to be :(

Link to comment

no.  I have a computer that I think is missing a few parts which I might be able to scrounge together to get running; or I could create a new partition on my laptop, but it only has one NIC (as does the other machine).

 

I assume you're thinking of just getting it running on a separate box, then copy/move the working install to the server?

 

Good idea, but I'm not sure I can make that happen.  If I don't make any progress soon, I'll dig out the other computer and see if I can make it run enough to try that method.

Link to comment

As long as you use the same NIC ports on the VM as on the physical box, and don't use generated certificates (think OpenVPN), migration is a snap using the built in Back up/Restore in pfSense.

 

If you do use generated certificates, just download them from your physical box, then upload them to the VM box.

Link to comment

ha, easier said than done.  First, I don't yet have a physical box to start with.  Second, I'd have to get pfSense to fully install before I could restore (and it won't install until I pass thru a WAN port).  Third, I don't know how I'd use the same NIC ports on both machines, since they would be physically different NIC's/brands/ports.

 

So, not that it's a bad idea, I'm hoping it doesn't come to this ;)

Link to comment

I believe it's preferred, but as I understand it; not required.

 

one for the WAN, one for the LAN, upon which unRAID resides, so you can get to it that way.  I believe the 3rd NIC is usually used to allow the system internet access even if the VPN goes down; which would get lost with a 2 NIC setup.

 

I will probably add a 3rd NIC at some point, but am trying to get it going with just the 2 for now.

 

I'm trying to exclude one of the NICs by adding pci-stub.ids=8086:15a1 to my syslinux file, but after rebooting, both NICs still show in the system devices listing, which I think is wrong.  I thought by adding this to syslinux.cfg it would basically become invisible to unRAID, so it shouldn't show in the system devices listing.  Perhaps I'm wrong about that.

 

I've tried to move the location of that bit around in the syslinux to see if it changed anything, and it didn't, so I'll try proceeding to install pfSense and see if it's recognized when I connect that port to the WAN during install.

Link to comment
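
A device claimed by pci-stub is still enumerated on the PCI bus, so it keeps appearing in device listings; what changes is which kernel driver is bound to it. The following is an added example, not code from any poster in this thread: it checks, for the ID quoted in the post above, whether `pci-stub.ids` actually reached the booted kernel and which driver owns the device. The function names are made up for illustration; `/proc/cmdline` and the sysfs layout are standard Linux.

```shell
#!/usr/bin/env bash
# Added example: verify a pci-stub.ids exclusion on a Linux/KVM host.

# pci_bound_driver <vendor:device> [sysfs_root]
# Prints "<pci-address> <driver|none>" for every device with that ID.
pci_bound_driver() {
    local id="$1" root="${2:-/sys}" want_vendor want_device dev vendor device drv
    want_vendor="0x${id%%:*}"
    want_device="0x${id##*:}"
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/vendor" ] && [ -r "$dev/device" ] || continue
        vendor=$(cat "$dev/vendor")
        device=$(cat "$dev/device")
        [ "$vendor" = "$want_vendor" ] && [ "$device" = "$want_device" ] || continue
        if [ -L "$dev/driver" ]; then
            # The "driver" symlink points at the driver currently bound.
            drv=$(basename "$(readlink "$dev/driver")")
        else
            drv="none"
        fi
        echo "$(basename "$dev") $drv"
    done
}

# cmdline_has_stub <vendor:device> [cmdline_file]
# Succeeds if the booted kernel received pci-stub.ids listing exactly that ID
# (the parameter takes a comma-separated list of IDs).
cmdline_has_stub() {
    local id="$1" file="${2:-/proc/cmdline}" arg
    for arg in $(cat "$file"); do
        case "$arg" in
            pci-stub.ids=*)
                case ",${arg#pci-stub.ids=}," in
                    *",$id,"*) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Usage on the host console, with the ID from the post above:
#   cmdline_has_stub 8086:15a1 && echo "parameter reached the kernel"
#   pci_bound_driver 8086:15a1   # "pci-stub" means the host is not driving it
```

If `cmdline_has_stub` fails, the parameter was not on the `append` line of the boot entry that was actually booted; if it succeeds but the driver shown is a network driver, the stub did not claim the device.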


 

I have passed through an Intel PRO/1000 Dual Gigabit PCI-E card using this guide. I migrated my physical pfSense machine's configuration file over and it works perfectly... except when I shutdown my unRAID box for whatever reason.

Link to comment

Yeah, that's the guide I'm trying to follow.  I assume you also excluded the NICs by adding the line to your syslinux.cfg file.  If so, can you please go to the tools tab, then click/open system devices and see if the NICs you excluded still show in the list?  I thought they shouldn't show up, but mine does, so I'm not sure if it's not working, or if that's how it works.

Link to comment

Okay, that part worked.  I was able to get pfSense to find and register the WAN NIC (em0).  I had only passed one card, so I couldn't set the VLAN NIC, but will now try excluding the other NIC from unRAID and see if I can get pfSense to find/register it, then work on setup to get me up and running.  Seems like progress.

Link to comment

sometimes I just want to punch stuff.

 

I rebooted with both NICs excluded, then realized I'd forgotten to autostart the pfSense VM, so I had no way to connect to it.  Okay, I'll edit the syslinux.cfg back to only excluding the one NIC and reboot from the console.  After rebooting, I can connect to user shares and via putty, but cannot get the GUI to come up.  I've rebooted 4 times, tried 3 browsers, cleared cookies, and just simply cannot get the GUI to display.  I'm obviously connected to the server, since I can see user shares and login to putty, so I can't think of any reason I can't get to the GUI, other than the NSA is playing with me.

 

AAArrrgggghhhhh!!!!!!

 

Time for sleep I think.

Link to comment
