Software

Software that runs on Protectli Hardware

OPNsense Optional Port Configuration

Luke Green October 23, 2020

Overview

This article covers configuring OPT ports for use in OPNsense. This will include: assigning the interfaces, enabling DHCP, and a basic firewall rule to allow connection to the internet.

Prerequisites

OPNsense installed and access to the web interface. OPNsense 20.7 was used for this article

Assigning and enabling Interfaces

This section covers assigning OPT interfaces and enabling them with a static IP address. Typically interface assignments are done when installing OPNsense and correcting the port order as noted in our OPNsense Install article. The interface will still need to be enabled. This article will assume no OPT interfaces are assigned.

Verify the Vault is powered on and OPNsense is up and running
Access the OPNsense web interface
- The default web address is 192.168.1.1
- The default login credentials are
  - Username: root
  - Password: opnsense
From the OPNsense web interface dashboard, select Interfaces on the left column
Under the interfaces column select Assignments
Select the + for each interface you would like to add, then select Save.

Once the interface is assigned, it will appear in the interfaces column.
Select the OPT interface to bring up the “Basic configuration” menu
To enable a interface:
- Check the box next to Enable Interface
- Change IPv4 Configuration Type to Static IPv4
- Assign a unique IPv4 address, we are using 192.168.2.1 with a subnet mask of 24 for this example
  - Note each additional interface will need a different subnet (example 192.168.3.1, 192.168.4.1, ect.) Any number can be used such as 192.168.42.1
- Select Save at the bottom of the page, then Apply changes at the top

Enable DHCP

Now the interface is assigned with an IP address, a DHCP server can be enabled to hand out IP addresses on the subnet

Select Services from the left column menu, then DHCPv4
Select the assigned OPT port to bring up the DHCP configuration menu
Check the box next to Enable DHCP Server
Fill in a Range for the IP address pool. The “Available range” can be used as guidelines for the IP address pool. Leave the default gateway(192.168.2.1) out of the range.
- We used 192.168.2.2 to 192.168.2.254 for this example
Select Save at the bottom

Firewall Rule

Now the interface is enabled with an IP address assigned, and a DHCP server is handing out IP address, a simple firewall rule is needed to allow access to the internet.

Select Firewall from the left column menu, then Rules
Select the OPT interface assigned, this will bring up the Firewall Rules for this interface
Select Add in the top right corner

A basic pass rule is necessary using the default rule configuration with the following change
- Source – (OPT assigned) net
  - Note: The “OPT net” source from the dropdown menu might require scrolling through the options to find the correct choice
Select Save at the bottom, then Apply Changes at the top right

The OPT port should now be functioning just as the default LAN port. This step can be repeated to enable additional ports depending on your device. If you have any trouble or additional questions feel free to reach out either by opening a ticket here https://protectli.com/submit-ticket/ or send us an email here support@protectli.com

How to configure OPNsense for the Internal 4G LTE Modem

phil October 19, 2020

Overview

Protectli offers 4G LTE Modems and service subscription plans. An overview can be found on the main 4G LTE page. One of the options is an internal modem, the MDG100. In order to use the MDG100, an Operating System (OS) must be installed on the Vault and configured to recognize and utilize the 4G LTE Modem. This article describes how to configure OPNsense to utilize the MDG100 Internal 4G LTE Modem.

Accessories

The Internal 4G LTE Modem, MDG100, includes micro coax cables and antennas. When the MDG100 is ordered with one of the Vaults, the MDG100 is installed and tested by Protectli at the factory. If the modem has not been installed, install the modem in the proper slot, connect the coax cables and attach the external antennas.

OPNsense Configuration

To install OPNsense, follow the instruction in this Knowledge Base article.

When complete, verify that the OPNsense Dashboard is displayed

Select Interfaces->Assignments
Verify the Interfaces:Assigments page is displayed

Screen Shot OPNsense Interfaces-Assignments

Select the “New interface:” dropdown
Verify one of the options is “ue0”, which is the MDG100 Internal 4G LTE Modem
Select ueo for the new interface

Screen Shot OPNsense Interfaces-Assignments-ue0

Add a Description if desired (recommended)
Select the “+” button
Select the Save button

Screen Shot OPNsense Interfaces-Assignments-ue0-Description

Verify the new 4GLTE interface is saved

Screen Shot OPNsense Interfaces-Assignments-4GLTE

Select the 4G LTE Interface
Verify the 4G LTE interfaces page is displayed
Select “Enable Interface” checkbox
Verify the configuration menu is expanded
Select IPv4 Configuration Type->DHCP
Select the Save Button
Select the Apply Changes Button

Screen Shot OPNsense Interfaces-4GLTE-Config

The Internal 4G LTE Modem is now configured in OPNsense. It should now be possible to browse to 172.16.0.1 which is the default IP address of the MDG100.

Open another tab in the same browser or another browser window
Browse to 172.16.0.1
Verify the MDG100 Internal 4G LTE Modem Login page is displayed

At this point, the modem has been installed, OPNsense has been installed and configured to recognize and utilize the modem. The modem is ready to be configured and used. As always, if you have questions or issues, please reach out to us at support@protectli.com or find more information in our Knowledge Base.

How to Configure a WiFi module in OPNsense

Luke Green September 25, 2020

Overview

This article covers configuring the Protectli WiFi Kit in Access Point Mode for OPNsense. This includes interface assignment, interface configuration, a DHCP server, and firewall rule.

Prerequisites

Protectli Vault with WiFi Kit installed
OPNsense is installed. Version 20.7 was used for this article

Add Device and Assign Interface

This section will cover adding the wireless device and assigning it an interface.

Verify the Vault is powered on and OPNsense is up and running
Access the OPNsense web interface.
- Default web address is 192.168.1.1
- Default login credentials
  - Username: root
  - Password: opnsense
From the OPNsense web interface dashboard, select Interfaces on the left column
Under the interfaces column, select Wireless, then Devices
In the Devices menu, select Add in the top right corner

Select run0() as the Parent interface and save
The interface run0_wlan1 should be displayed as seen below

Back to the Interfaces menu, select Assignments
run0_wlan1 should be available as a New interface. select the “+” button to assign it and save

Once the interface is assigned, select the interface the wireless device is assigned to. In this example it would show up as OPT3
You should now be in the interface configuration menu. Check Enable Interface to display additional options
Select Static IPv4 as IPV4 Configuration Type
Under Static IPV4 configuration, assign an IP address of your choice. We used 192.168.10.1 with a subnet mask of 24 for this example
Under common wireless configuration, select the wireless standard you wish to utilize. Our WiFi kits have B/G available in OPNsense. We will be using G in this example.

Interface Configuration 1

For Mode select Access Point
Enter the SSID of your choice
Under WPA check Enable
Enter a secure password in the WPA Pre-Shared Key field
For WPA mode, we recommend selecting WPA2
Select Save at the bottom, then Apply Changes at the top right

Configuring DHCP and Firewall Rule

Now WiFi should be up and running, but we need to conveniently hand out IP address and allow access outside the firewall to the internet!

To configure a DHCP server, select Services>DHCPv4>(WiFi interface) from the left column menu
Check Enable, and fill in the Range. You can use the Available range as a guide, but select a “from” address above the default gateway. See example below
Select Save

Now that DHCP is configured and IP addresses can be handed out, its time to move on to the firewall rule
Select Firewall from the left column menu, then Rules>(WiFi Interface)
Select Add on the top right

Verify the follow are configured for this rule (See example below)
- Action: Pass
- Interface: (WiFi Interface)
- Direction: In
- TCP/IP Version: IPv4
- Protocol: Any
- Source: (WiFi Interface) Net
- Destination: Any
Select Save, then Apply Changes on the top right

At this point you should be able to connect to the SSID, obtain an IP address, and access the internet. If you have any trouble or additional questions feel free to reach out either by opening a ticket here https://protectli.com/submit-ticket/ or send us an email here support@protectli.com

pfSense®CE Configuration Recommendations

phil May 7, 2020

pfSense® CE Configuration Recommendations

Overview

pfSense® CE is an open source routing and firewall software which is based on FreeBSD. An article covering installation can be found at this link. This article offers some basic recommendations to configure pfSense® CE on the Vault. Some of these recommendations had been in other articles, but for ease of use, we are consolidating them here in one article. This article includes the following areas of interest:

Thermal Monitoring
Enable Cryptographic Hardware assist with AES-NI and BDS
Power Management with PowerD
Enable Optional (OPT) ports

At the bottom of this article, there is a table with downloadable configuration files for each of the Vaults that include the settings described below.

Thermal Monitoring

The Vault has a solid state, fanless design. The case is designed to dissipate the heat generated by the unit. Although the case may be warm to the touch, it most likely indicates that the system is functioning correctly. However, Thermal Monitoring can be used to verify the Vault is operating under normal thermal conditions. Intel based CPUs have built in thermal monitoring and pfSense® CE can access it to display temperatures on the dashboard. The following article will describe how to enable and monitor the thermal sensors.

Enable Thermal Monitoring

Enabling Thermal Monitoring is done through the pfSense® CE WebUI.

Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
Select “System –> Advanced” and click on the “Miscellaneous” tab

pfsense system advanced System->Advanced

Scroll down to “Cryptographic & Thermal Hardware”
Click on “Thermal Sensors.”
From the drop down, choose “Intel Core* CPU…”

System->Advanced->Miscellaneous->Cryptographic & Thermal Hardware

Click “Save” button at the bottom of the page
Verify success message is displayed at the top of the page
Thermal monitoring of the CPUs is now enabled

Display Thermal Sensors on the Dashboard

The preceding steps enabled thermal monitoring. The following steps will show how to display thermal monitoring on the dashboard.

Select the Dashboard
Click the “+” icon in the upper right corner
Verify the “Available Widgets” box appears
Click the “+” next to Thermal Sensors

pfsense thermal sensors Dashboard->Available Widgets

Verify the Thermal Sensors box is displayed at the bottom of the dashboard

Dashboard with Thermal Monitoring, Idle

The screenshot above shows an example of the FW4B that is essentially idle for over 40 minutes. Note that the core temperatures range from 51 to 53 degrees C. This is well within normal range.

Dashboard with Thermal Monitoring, Iperf 40 Minutes

The screenshot above shows an example of the same FW4B that is running an iperf test at linerate for over 40 minutes. Note that the CPU usage has increased from 3% to 30% and core temperatures range from 55 to 58 degrees C. Although this may seem high, and the case may be warm to the touch, it indicates that the case is functioning correctly and dissipating the heat. The Intel TJmax core temperatures from ark.intel.com for each of the processors is displayed in the table below.

Platform	CPU	TJmax
FW1	J1900	105 C
FW2	J1800	105 C
FW2B	J3060	90 C
FW4A	E3845	110 C
FW4B	J3160	90 C
FW6A	3865U	100 C
FW6B	7100U	100 C
FW6C	7200U	100 C

Cryptographic Hardware Support (AES-NI and BDS)

The FW2B, FW4A, FW4B and FW6 series of the vault have cryptographic hardware support built into the CPU. Cryptographic Hardware support is critical for the performance of VPNs and other features that encrypt and decrypt packets as they traverse the unit. By default, it is not enabled in pfSense® CE.

Enable Cryptographic Hardware Support

Enabling Cryptographic Hardware Support is done through the pfSense® CE WebUI.

Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
Select “System –> Advanced” and click on the “Miscellaneous” tab

pfsense system advanced System->Advanced

Scroll down to “Cryptographic & Thermal Hardware”
Click on “Cryptographic Hardware.”
From the drop down, choose “Intel Core* CPU…”

System->Advanced->Miscellaneous->Cryptographic & Thermal Hardware

Click “Save” button at the bottom of the page
Verify success message is displayed at the top of the page

At this point cryptographic hardware support should be enabled.

Power Management with PowerD

All of the Vault series use Intel CPUs that have Power Management features that allow the selection of power management modes. The power management modes trade performance vs. power by adjusting the frequency based on system load. PowerD is a power control utility built into pfSense® CE, which is inherited from the underlying FreeBSD operating system. In this section, we will enable PowerD and select the optimum performance vs. power settings.

Enable PowerD

In this example we will enable PowerD within the pfSense® CE WebUI.

Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
Navigate to the System tab and select Advanced from the drop down menu

pfSense System Advanced - enable PowerD

pfSense® CE Dashboard

Verify the Advanced page is displayed
Select the Miscellaneous tab
Verify the Miscellaneous page is displayed
Scroll down to the section labeled Power Savings
To enable PowerD, check the box next to Enable PowerD
Verify Hiadaptive is selected for the power modes as shown in the image below

pfSense advanced Misc

PowerD Settings

Scroll down to the bottom of the page and click Save
Verify a message stating “The changes have been applied successfully” is displayed at the top of the page.

At this point, PowerD should be enabled for optimum power management.

Configuring Optional Ports

This article covers how to configure the Optional Ports in pfSense® CE. The Optional Ports are labeled “OPTx” on the Vault. The configuration has the same type of default settings as the LAN port. Those settings include:

An IP Address of 192.168.x.1
- OPT1 192.168.2.1
- OPT2 192.168.3.1
- OPT3 192.168.4.1 (FW6 only)
- OPT4 192.168.5.1 (FW6 only)
Enabling the OPT port to be a DHCP Server
Firewall rules to allow “Any” traffic originating on this port to pass without being blocked

Configuring Optional Ports – IP Address

Browse to the pfSense® CE Dashboard, default 192.168.1.1 on the LAN port
Navigate to the Interfaces tab and select Assignments from the drop down menu

Interface->Assignments

Verify the Interface Assignments page is displayed and add the next available interface

Interfaces->Interface Assignments

Verify OPT1 is added and Select Save

Interface->Interface Assignments OPT1

Select OPT1

Interfaces->Interface Assignments->OPT1 Select

Verify the OPT1 General Configuration page is displayed and configure as follows:

General Configuration->Enable – Check the box
General Configuration->IPv4 Configuration Type – Select Static IPv4
Static IPv4 Configuration>IPv4 Address – Set 192.168.2.1 /24
Select the Save Button

Interfaces->OPT1 Configure

Verify the OPT1 Configuration has been changed and Apply Changes

Interfaces->OPT1 ApplyChanges

Verify changes have been applied successfully

Interfaces->OPT1 Success

Configuring Optional Ports – DHCP Server

Navigate to the Services tab and select DHCP Server from the drop down menu

Services->DHCP Server

Verify the Services->DHCP Server page is displayed and Select OPT1

Services->DHCP Server Select OPT1

Verify Services->DHCP Server->OPT1 page is displayed and configure as follows:

General Configuration->Enable – Check the box
General Configuration->Range – 192.168.2.100 to 192.168.2.199

Services->DHCP Server Configure OPT1

Select the Save button and verify the changes have been applied successfully

Services->DHCP Server OPT1 Success

Configuring Optional Ports – Firewall Rules

Navigate to the Firewall tab and select Rules from the drop down menu

Select Firewall->Rules

Verify the Firewall Rules page is displayed and Select OPT1

Firewall->Rules Select OPT1

Verify Firewall OPT1 page is displayed and select the Add Button

Firewall->Rules OPT1 Add Rule

Verify Firewall->Rules->Edit for OPT1 page is displayed and configure as follows:

Edit Firewall Rule->Action- Pass
Edit Firewall Rule->Interface- OPT1
Edit Firewall Rule->Address Family – IPv4
Edit Firewall Rule->Protocol – Any
Save the changes

Firewall>Rules Configure OPT1

Verify the configuration and Apply the changes

Firewall->Rules->OPT1 Apply Changes

Verify success message

Firewall->Rules->OPT1 Success

OPT1 has now been configured with static IP address 192.168.2.1, it is a DHCP server, and any traffic coming into this port is allowed to pass.

Configuring Optional Ports – Verify Configuration

OPT1 has been configured so it needs to be tested to verify the configuration changes are correct. Follow the instructions below to test the changes:

Connect a PC to OPT1
Verify the PC gets an IP address in the range of 192.168.2.100-199
From the PC, browse to a site outside of the local network
Verify an external web page is displayed correctly on the PC

At this point OPT1 is up and running. To configure OPT2 repeat the same steps as OPT1, but use IP address 192.168.3.1. For an FW6 with OPT3 and OPT4, repeat the same steps using IP addresses 192.168.4.1 and 192.168.5.1.

Configuration Files

The steps above were described to manually configure the Vault as indicated. It is important to understand the steps required, however, it is very convenient to load a configuration file rather than manually configure each item.

We have included configuration files in the table at the bottom of the page. These configuration files have

Thermal Monitoring Enabled
Cryptographic Hardware Support Enabled
Power Management Enabled
OPT Ports Enabled with Static IP Address, DHCP Server, and Basic Firewall Rule

Note: These configuration files have the default admin password retained. The additional ports assigned use default firewall rules, same as what pfSense® configures for the LAN port.

How to Restore a Config File

Verify pfSense® has been installed correctly
Verify the correct configuration file has been downloaded from the table below and pfSense® will be able to access it
Log into the WebGUI. This is 192.168.1.1 by default.
The default pfSense® login user is ‘admin’ and password is ‘pfsense’
Click Diagnostics on the top of the GUI
From the drop-down menu click Backup & Restore

pfSense backup & restore — pfSense® Setup Wizard page

Click Choose File
Select the appropriate config, click open
Click Restore Configuration

pfSense backup & restore settings — pfSense® Backup & Restore page

Verify the Vault reboots
Log back into the WebGUI with the default credentials
Verify OPT1 and OPT2 (OPT3 /OPT4 additionally on the FW6x) now appear on the Interfaces widget

It is now recommended to change the default ‘admin’ password
Verify the newly assigned ports are functioning and DHCP is handing out IP addresses

If you experience any issues, please feel free to reach out: support@protectli.com. You can find additional information in our Knowledge Base, or reference pfsense.org directly.

Configuration Files

Model	pfSense® Version	Notes	Download	Release
FW1	2.4.5	Enabled: Thermal Monitoring PowerD OPT1, OPT2 DHCP Default Firewall Rules	config-pfSense.Basic-FW1-200506.xml	May 6, 2020
FW2	2.4.5	Enabled: Thermal Monitoring PowerD	config-pfSense.Basic-FW2-200506.xml	May 6, 2020
FW4A	2.4.5	Enabled: Thermal Monitoring PowerD AES-NI OPT1, OPT2 DHCP Default Firewall Rules	config-pfSense.Basic-FW4A-200506.xml	May 6, 2020
FW2B	2.4.5	Enabled: Thermal Monitoring PowerD AES-NI	config-pfSense.Basic-FW2B-200506.xml	May 6, 2020
FW4B	2.4.5	Enabled: Thermal Monitoring PowerD AES-NI OPT1, OPT2 DHCP Default Firewall Rules	config-pfSense.Basic-FW4B-200506.xml	May 6, 2020
FW6(A,B,C)	2.4.5	Enabled: Thermal Monitoring PowerD AES-NI OPT1, OPT2, OPT3, OPT4 DHCP Default Firewall Rules	config-pfSense.Basic-FW6-200506.xml	May 6, 2020

How to Configure pfSense® CE for 4G LTE Failover

phil October 16, 2019

Overview

pfSense® CE is an open source routing and firewall software which is based on FreeBSD. It has a variety of packages easily downloaded and configurable within the GUI itself. https://www.pfsense.org/getting-started/ There are multiple articles regarding pfSense® CE on the Protectli Knowledge Base at this link. This article describes how to configure pfSense® CE for 4G LTE Failover using Protectli 4G LTE Products and Service. The example uses pfSense ® CE version 2.4.4-p3. Protectli 4G LTE Products and Services can be found at this link. 4G LTE Failover with the Vault requires at least 3 Ethernet ports, 1 each for WAN, LAN, and OPT1. Therefore a 4 or 6 port version of the Vault is required. In addition, it requires that the Protectli 4G LTE modem has been provisioned and is active on the cellular network. This article assumes the default configuration of pfSense ® CE with the WAN getting an IP address via DHCP and the default LAN static IP address of 192.168.1.1 and is a DHCP server.

Enable Interfaces

By default the WAN interface is configured to receive an IP address via DHCP and the LAN interface has static IP address 192.168.1.1 and is a DHCP server. Only the OPT1 interface needs to be configured.

Install pfSense ® CE on the Vault. (See Knowledge Base link if needed)
Connect the WAN and LAN ports to the devices or ports that they are normally connected to
Connect the OPT1 port to the LAN port of the 4G LTE modem
Browse to the pfSense ® CE GUI and login
Select Interfaces->Interface Assignments
Add OPT1 and select the default Network port (em2 or igb2)
Select “OPT1” to configure the port
Select General Configuration->Enable->Enable interface check box
Select General Configuration->IPv4 Configuration Type->DHCP to get the IP address of OPT1 from the 4G LTE modem

pfSense OPT1 interface — Interfaces->OPT1

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page
Select Status->Dashboard and verify that the Dashboard is displayed
Select the red “+” sign in the upper right corner of the GUI and enable the “Interfaces” widget
Verify the WAN, LAN, and OPT1 interfaces are up with IP addresses in the “Interfaces” widget
Select the red “+” sign in the upper right corner of the GUI and enable the “Traffic Graphs” Widget
Verify the Traffic Graphs widget is displayed and shows WAN, LAN, and OPT1

At this point the interfaces have been enabled and are active. Now the WAN and OPT1 interfaces need to be configured as Gateways and form a Gateway Group so that they can failover and revert.

Configure Gateways

Select System->Routing->Gateways
Verify WAN_DHCP is displayed
Select Edit Icon
Set Edit Gateway->Monitor IP to 8.8.8.8 This is the Google DNS address. pfSense ® CE will monitor this address to determine if this connection is up

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page
Select System->Routing->Gateways
Select ADD button
Add OPT1 Interface
Verify the Name is OPT1_DHCP
Set Edit Gateway->Monitor IP to 1.1.1.1 This is the Cloudflare DNS address. pfSense ® CE will monitor this address to determine if this connection is up

pfSense routing gateways OPT1_DHCP — OPT1 Gateway

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point the WAN and OPT1 interfaces have been configured as Gateways. Now they need to be configured as a Gateway Group so that they can operate as a single entity, failover and revert.

Configure Gateway Groups

Select System->Routing->Gateway Groups
Select ADD button
Set Edit Gateway Group Entry->Group Name to “Group_WAN_OPT1” or desired name
Set Edit Gateway Group Entry->Gateway Priority->WAN_DHCP->Tier to “Tier 1” (highest priority)
Set Edit Gateway Group Entry->Gateway Priority->OPT1_DHCP->Tier to “Tier 5” (lowest priority)
Set Edit Gateway Group Entry->Trigger Level to “Member Down” (Failover when link is down)
Set Edit Gateway Group Entry->Description if desired

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point interfaces are enabled, Gateways configured and a Gateway Group with WAN and OPT1 has been configured. The last step is to set the LAN Firewall rule to select the Gateway Group as the Gateway, rather than treat WAN and OPT1 as individual interfaces.

Configure LAN Firewall

Select Firewall->Rules->LAN
Select Edit for “Default allow LAN to any rule”
Select ADVANCED button
Set Advanced Options->Gateway to “Group_WAN_OPT1” or the name given to the Gateway Group above

pfSense firewall rules — LAN Firewall Group

Select the SAVE button at the bottom of the page
Select the APPLY CHANGES button when it appears at the top of the page

At this point, everything has been configured. We need to verify the Gateway status.

Verify Gateway Status

Select Status->Gateways
Verify WAN_DHCP and OPT1_DHCP Gateways are online

At this point, everything has been configured, gateways are up. We need to verify that the 4G LTE Failover functions as desired.

Verify 4G LTE Failover

The Vault has been configured to failover from WAN port to OPT1 port in the event the WAN port goes down. When the WAN port comes back, traffic should revert back to the WAN port. pfSense® CE monitors the gateway connectivity via the “Monitor IP” address configured earlier to determine whether the connection is “up” or not. “Up” means full connectivity to the Monitor IP address. This means that even if the Ethernet link is up, but the unit cannot ping the Monitor IP address, the Gateway is considered down and will failover to another gateway in the Gateway Group. The detection time and failover is typically on the order of 15-20 seconds because pfSense® CE monitors the connectivity at the system level as opposed to just the Ethernet link level.

The following steps can be used to verify the 4G LTE Failover is working correctly.

Generate significant traffic from the LAN port to the Internet, for example, using a PC connected to the LAN port, browse to a web site and play a video
Select Dashboard and monitor the Traffic Graphs
Verify the WAN and LAN ports have similar high levels of traffic
Disconnect the WAN port from the Vault
Verify the video continues to play
Verify the OPT1 and LAN ports have similar high levels of traffic and the WAN port shows no traffic (as noted, about 15-20 seconds to failover)
Reconnect the WAN port to the Vault
Verify the video continues to play
Verify the WAN and LAN ports have similar high levels of traffic and the OPT1 port shows little traffic (about 15-20 seconds to revert)

At this point, 4G LTE Failover should be up and running on The Vault. However, if you experience any issues, please feel free to reach out to us: You can submit a ticket here, or find more information in our Knowledge Base.

How to Setup pfBlockerNG

Luke Green August 23, 2019

Overview

pfBlockerNG is a very powerful package for pfSense® which provides advertisement and malicious content blocking along with geo-blocking capabilities.

Installing pfBlockerNG

Access the pfSense WebGUI (default 192.168.1.1)
Click on the System tab, then Package Manager

From the Package Manager menu select the Available Packages tab
Scroll down and find pfBlockerNG-devel and click Install

Verify pfBlockerNG is now installed by going to the Firewall drop down menu
Open the pfBlockerNG menu and start the wizard

At the Component Configuration page of the wizard select the WAN interface for inbound. For outbound typically LAN is used. CTRL+Click any additional interfaces you want included.
Leave the DNSBL default
Click Finish and allow pfBlocker to update
If you would like multiple LAN segments to be included in with DNSBL check the setting Permit Firewall Rules and select the interface (ctrl+click) you would like included.

pfSense DNSBL Configuration — DNSBL Configuration

By Default pfBlockerNG will setup basic advertisement and IP blocking from defaults feeds
We recommend also including the DNSBL feed from BBcan177(creator of pfBlockerNG) as well as the Cryptojackers feed

Add by clicking the + next to the feed name
In the feed configuration click Enable All and change Action to Unbound
Click Save DNSBL Setting

pfBlockerNG DNSBL settings — Feed Configuration

Repeat this process for any other feeds you would like to add

pfBlockerNG DNSBL settings continued — Cryptojackers Feed

Once the feeds are added, it is important to reload and update

Now browse a few websites and then check the pfSense dashboard to verify the pfBlockerNG widget is showing data

You might come across false positives possibly breaking certain sites. The solution is adding addresses to a Whitelist

To add an item to the whitelist access the pfBlockerNG Reports either by clicking on one of the packet stats (arrow below) or through the pfBlocker menu

pfBlocker also has built in GeoIP blocking. This allows you control over geographic regions connecting to your network. You can find this in the pfBlockerNG menu under IP>GeoIP. Careful blocking too much, websites host content and media on servers around the world. Unintentionally blocking some of these IP addresses could result in broken sites or unavailable downloads.

pfBlockerNG GeoIP blocking — GeoIP Blocking

You should now have network wide advertisement and malicious content blocking. If you need additional assistance, please feel free to reach out: support@protectli.com. You can find more information about pfSense on the Vault in our Knowledge Base, or at pfSense.org

How to Configure a PXE Server on CentOS 7 with pfSense® CE

Luke Green July 24, 2019

Overview

PXE (Preboot Execution Environment), allows for remote clients to boot from a network hosted image. In this article we will be setting up a PXE server on CentOS 7 with a pfSense® router in place. Vault models FW2B, FW4B, and all versions of the FW6 can be flashed to coreboot which has PXE capabilities.

We have guides covering how to install CentOS, pfSense® CE and how to flash coreboot on to the Vault.

Example Setup

For this example we will be configuring a CentOS 7 server for hosting PXE files along side pfSense® running the DHCP server to allow for network boot and install of CentOS 7 on a FW2B flashed with coreboot.

FW6C – Hosting a virtual machine of CentOS 7
FW4B – Running pfSense®
FW2B – coreboot flashed for PXE

Prerequisites

For this guide we will assume the following are in place:

PXE enabled client
CentOS 7 Server
pfSense® router with DHCP enabled

Setting Up the PXE Server

Log into the CentOS 7 server
Verify all the packages are updated using the following command

#yum update -y

Install the required packages using the following command

#yum install syslinux xinetd tftp-server vsftpd wget -y

Edit the TFTP configuration file with the vi command

#vi /etc/xinetd.d/tftp

Change disable from yes to no.
Tips for vi editing: Press ‘Insert’ on the keyboard to edit the file, ‘Esc’ to exit edit mode, and type “:wq” to write and close the file.

Change directory to syslinux and copy the necessary files to the TFTP

#cd /usr/share/syslinux
#cp pxelinux.0 mboot.c32 menu.c32 chain.c32 memdisk /var/lib/tftpboot

Make and change to the tmp directory.
Download a CentOS 7 image. The following address is for a minimal image, but you may find your own mirror and version

#mkdir tmp
#cd tmp/
#wget http://mirrors.ocf.berkeley.edu/centos/7.6.1810/isos/x86_64/CentOS-7-x86_64-Minimal-1810.iso

While in tmp mount the downloaded image and copy the files to the FTP directory

#mount -o loop CentOS-7-x86_64-Minimal-1810.iso /mnt/

Make a directory for the image files and copy them over

#mkdir /var/ftp/pub/centos7
#cp -rf /mnt/* /var/ftp/pub/centos7
#chmod -R 755 /var/ftp/pub/centos7

Make a directory and sub-directory called networkboot/centos7 and copy over vmlinuz along with initrd.img

#mkdir -p /var/lib/tftpboot/networkboot/centos7
#cp /var/ftp/pub/centos7/images/pxeboot/{vmlinuz,initrd.img} /var/lib/tftpboot/networkboot/centos7

Create a PXE configuration file that points to the correct files

#mkdir /var/lib/tftpboot/pxelinux.cfg

Make note of the IP address for the next steps. Use the following command to show IP address

#ip a

Open the PXE configuration file with the vi editor

#vi /var/lib/tftpboot/pxelinux.cfg/default

Add the following lines to this new configuration file. Screenshot below is an example of what it should look like.

default menu.c32
prompt 0
timeout 60

menu title <insert title>
label Install CentOS 7

kernel /networkboot/centos7/vmlinuz
append initrd=/networkboot/centos7/initrd.img inst.repo=ftp://<server_ip_addr>/pub/centos7

use ‘:wq’ to save and exit the editor

Enable and start the TFTP and FTP services

#systemctl enable vsftpd.service
#systemctl start vsftpd.service

#systemctl enable tftp.service
#systemctl start tftp.service

Add firewall rules for the TFTP and FTP servers

#firewall-cmd --permanent --add-service=tftp
#firewall-cmd --permanent --add-service=ftp
#firewall-cmd --reload

Log into your pfSense® webGUI and locate the DHCP Server menu under the Services tab

pfSense DHCP server — pfSense® DHCP Server

Scroll down to “Other Options” and fill in the TFTP server IP address
Verify the “Enables network booting” box is ticked
Enter the IP address of the Next Server (same as TFTP)
For “Default BIOS file name” enter pxelinux.0

Click Save

At this point you can boot up the PXE client and verify that it lists the image and network installation functions.

How to Enable LAN Bridge with pfSense®

Luke Green July 17, 2019

Overview

This article covers how to enable a LAN bridge in pfSense®. LAN bridge act as a switch using the optional ports on the Vault. While not optimal compared to using a separate physical switch, it works if needed.

Note: If the port being used for the web interface is added to the bridge, then physical access to the unit will be necessary.

How to Create a LAN Bridge in pfSense®

In this example we will be assigning the LAN interface to a bridge utilizing the Vaults additional ports, OPT1 and OPT2. The idea of this example can be used across all the Vault models with small variation.

Access the webGUI. The default IP address: 192.168.1.1, username: admin, password: pfsense
Verify the Vaults optional interfaces(OPT1, OPT2, etc) are assigned with default settings.
To assign simply click Add next to the port you wish to assign. Click Save.

pfSense LAN Bridge — pfSense® Interface Assignment Menu

To enable the each interface, click the on the interface label(OPT1,OPT2,etc) in the left column.
Click Enable, leave all other settings default. Save and Apply Changes

pfSense LAN Bridge OPT1 — pfSense® Interface Configuration Menu

In the Interfaces menu select the Bridges tab and click Add
Select OPT1 and OPT2 using Ctrl+Click. Don’t select the LAN interface. Click Save.

pfSense LAN Bridge OPT1 OPT2 — Bridge Configuration Menu

Navigate back to the Interface Assignments tab and change the LAN interface port to BRDIGE0
Note: At this point once the settings are saved the web interface connection will be lost. Swap the Ethernet connection to one of the optional ports(OPT1,OPT2) added into the bridge to regain access

pfSense LAN Bridge - interface assignments — Assigning BRIDGE0

Assign the port previously used as LAN to OPT3 and enable it as done in the steps earlier
Navigate back to the Bridges menu and add(Ctrl+Click) OPT3. Save
Navigate to System > Advanced > System Tunables
Select net.link.bridge.pfil_member and change its value to 0. Save
Select net.link.bridge.pfil_bridge and change its value to 1. Save

Click Apply Changes at the top

Reboot
Verify bridged ports are functioning

At this point you should have a functioning LAN bridge in pfSense®. If you need additional assistance, please feel free to reach out: support@protectli.com. You can find more information about pfSense on the Vault in our Knowledge Base, or at pfSense.org

How to Enable LAN Bridge with OPNsense

Luke Green July 12, 2019

Overview

This article covers how to enable a LAN bridge in OPNsense. LAN bridges act as a switch using the optional ports on the Vault. While not optimal compared to using a separate physical switch, it works if needed.

Note: This will require physical access to the Vault if the port being used to access the web interface is added into the bridge.

How to Create a LAN Bridge in OPNsense

In this example we will be assigning the LAN interface to a bridge containing the Vaults additional ports, OPT1 and OPT2. The idea of this example can be used across all the Vault models with small variation.

Access the web interface. The default IP address: 192.168.1.1, username: root, password: opnsense
Verify the Vaults optional interfaces(OPT1, OPT2, etc.) are assigned with default settings. They can be assigned by clicking the ‘+‘ then Save

OPNsense interfaces — OPNsense Interface Assignment Menu (FW4A)

Under the Interfaces tree open the OPT1 menu
Check Enable Interface leave all settings default
Click Save then Apply changes a the top
Repeat on additional interfaces to be included in the bridge

OPNsense interfaces OPT1 — OPNsense Interface Menu

Under the Interfaces tree select Other Types, then Bridge
Click Add and select OPT1, OPT2, etc then click Save

OPNsense interfaces bridge — OPNsense Bridge Menu

Under the Interfaces tree select Assignments
Change the LAN interface to bridge0 and click Save

Note: At this point access to the web interface will be lost. Plug into either port OPT1 or OPT2 to regain access.

OPNsense interfaces lan bridge — OPNsense Assignments Menu

In the Assignments menu add the port(em1) which was previously assigned to LAN. Click Save
Verify OPT3 is now assigned
Enable OPT3 with default settings. Save and Apply Changes
Navigate back to the Bridge menu and edit bridge0. Add OPT3 and Save

Verify the LAN port now has web interface access

Navigate to System > Settings > Tunables
Locate net.link.bridge.pfil_member and change its setting from Default to 0. Save and Apply Changes
Locate(directly below the previous setting) net.link.bridge.pfil_bridge and change the setting from Default to 1. Save and Apply Changes

Reboot
Verify bridged ports are functioning

At this point you should now have a functioning LAN bridge in OPNsense. If you need additional assistance, please feel free to reach out: support@protectli.com. You can also find more information in our Knowledge Base. or check the official pages at OPNsense.org.

How to Install FreeBSD 12.0 on the Vault

Luke Green July 11, 2019

Overview

As of writing this article FreeBSD 12.0 has a bug affecting the network interfaces on several models of Vaults. Here is a link to the bug report https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235147. The workaround is fairly straightforward and can be done either during install or after.

Note: FreeBSD also inherited a bug from 11.2 which affects the FW1,FW2, and FW4A model Vaults. The workaround is simply changing the BIOS to UEFI. We have an article covering that here.

To Install FreeBSD 12.0 follow the FreeBSD 11.2 install guide (link) with the caveat below.

During a install

At the end of the install a “Manual Configuration” window opens
Select ‘Yes‘
Verify the command line is present
Edit the loader configuration file using the following command

# vi /boot/loader.conf

Verify loader.conf opens with a few lines already in place
Hit the ‘i‘ key to enable the insert function and ‘return‘ to make a new line
Add the following to the new, blank line

hw.pci.enable_msix=0

Hit ‘ESC‘ key
Type :wq to write the file and quit
Verify the command line prompt is present, then exit

# exit

Reboot the Vault
Verify the system boots into FreeBSD and the network interfaces now function as they should

Post-install FreeBSD

Verify FreeBSD boots and login
Verify the command line is present
Edit loader configuration file using the following command

# vi /boot/loader.conf

Verify loader.conf opens with a few lines already there
Hit the ‘i‘ key to enable the insert function and ‘return‘ to make a new line
Add the following to the new, blank line

hw.pci.enable_msix=0

Hit ‘ESC‘ key
Type ‘:wq‘ to write the file and quit
Verify the command line prompt is displayed and reboot

# reboot

Verify the system boots into FreeBSD and the network interfaces now function as they should

If you experience any issues, please feel free to reach out to us at support@protectli.com, or find more information in our Knowledge Base, or reference the official pages at freebsd.org.

Software

Overview

Prerequisites

Assigning and enabling Interfaces

Enable DHCP

Firewall Rule

Overview

Accessories

OPNsense Configuration

Overview

Prerequisites

Add Device and Assign Interface

Configuring DHCP and Firewall Rule

pfSense® CE Configuration Recommendations

Overview

Thermal Monitoring

Enable Thermal Monitoring

Display Thermal Sensors on the Dashboard

Cryptographic Hardware Support (AES-NI and BDS)

Enable Cryptographic Hardware Support

Power Management with PowerD

Enable PowerD

Configuring Optional Ports

Configuring Optional Ports – IP Address

Configuring Optional Ports – DHCP Server

Configuring Optional Ports – Firewall Rules

Configuring Optional Ports – Verify Configuration

Configuration Files

How to Restore a Config File

Configuration Files

Overview

Enable Interfaces

Configure Gateways

Configure Gateway Groups

Configure LAN Firewall

Verify Gateway Status

Verify 4G LTE Failover

Overview

Installing pfBlockerNG

Overview

Example Setup

Prerequisites

Setting Up the PXE Server

Overview

How to Create a LAN Bridge in pfSense®

Overview

How to Create a LAN Bridge in OPNsense

Overview

During a install

Post-install FreeBSD

Added to Cart