How to Configure a PXE Server on CentOS 7 with pfSense® CE


Overview

PXE (Preboot Execution Environment) allows a client to boot from an image hosted on the network instead of from local storage. In this article we will set up a PXE server on CentOS 7 behind a pfSense® router, with pfSense® supplying the DHCP options that point clients at the PXE server. Vault models FW2B, FW4B, and all versions of the FW6 can be flashed to coreboot, which includes PXE (network boot) support.

We have guides covering how to install CentOS, pfSense® CE and how to flash coreboot on to the Vault.

Example Setup

For this example we will configure a CentOS 7 server to host the PXE files alongside a pfSense® router running the DHCP server, allowing a network boot and install of CentOS 7 on an FW2B flashed with coreboot.

  • FW6C – Hosting a virtual machine of CentOS 7
  • FW4B – Running pfSense®
  • FW2B – coreboot flashed for PXE
PXE Network Diagram

Prerequisites

For this guide we will assume the following are in place:

  • PXE enabled client
  • CentOS 7 Server
  • pfSense® router with DHCP enabled

Setting Up the PXE Server

  • Log into the CentOS 7 server
  • Update all installed packages with the following command
#yum update -y
  • Install the required packages using the following command
#yum install syslinux xinetd tftp-server vsftpd wget -y
  • Edit the TFTP xinetd configuration file with the vi command
#vi /etc/xinetd.d/tftp
  • Change disable from yes to no.
  • Tips for vi editing: press ‘i’ (or ‘Insert’) to enter insert mode, ‘Esc’ to leave it, and type “:wq” to write the file and quit.
TFTP Configuration File
  • Change directory to syslinux and copy the boot loader files into the TFTP root (/var/lib/tftpboot)
#cd /usr/share/syslinux
#cp pxelinux.0 mboot.c32 menu.c32 chain.c32 memdisk /var/lib/tftpboot
  • Make a temporary working directory and change into it.
  • Download a CentOS 7 image. The following address is for a minimal image on one mirror; you may use another mirror or version
#mkdir tmp
#cd tmp/
#wget http://mirrors.ocf.berkeley.edu/centos/7.6.1810/isos/x86_64/CentOS-7-x86_64-Minimal-1810.iso
  • While in tmp mount the downloaded image and copy the files to the FTP directory
#mount -o loop CentOS-7-x86_64-Minimal-1810.iso /mnt/
  • Make a directory for the image files and copy them over
#mkdir /var/ftp/pub/centos7
#cp -rf /mnt/* /var/ftp/pub/centos7
#chmod -R 755 /var/ftp/pub/centos7
  • Make a directory and sub-directory called networkboot/centos7 and copy over vmlinuz along with initrd.img
#mkdir -p /var/lib/tftpboot/networkboot/centos7
#cp /var/ftp/pub/centos7/images/pxeboot/{vmlinuz,initrd.img} /var/lib/tftpboot/networkboot/centos7
  • Create the directory that will hold the PXE boot loader configuration
#mkdir /var/lib/tftpboot/pxelinux.cfg
  • Make note of the server’s IP address for the next steps. Show it with the following command
#ip a
  • Open the PXE configuration file with the vi editor
#vi /var/lib/tftpboot/pxelinux.cfg/default
  • Add the following lines to the new configuration file, replacing <insert title> with a menu title and <server_ip_addr> with the server address noted above (timeout is in tenths of a second, so 60 is six seconds). The screenshot below is an example of what it should look like.
default menu.c32
prompt 0
timeout 60

menu title <insert title>
label Install CentOS 7
  kernel /networkboot/centos7/vmlinuz
  append initrd=/networkboot/centos7/initrd.img inst.repo=ftp://<server_ip_addr>/pub/centos7
PXE Configuration File
  • use ‘:wq’ to save and exit the editor
  • Enable and start the FTP server and xinetd, which runs the TFTP daemon configured above (tftp-server also ships a standalone tftp.socket unit; use one or the other, not both, since they would contend for UDP/69)
#systemctl enable vsftpd.service
#systemctl start vsftpd.service

#systemctl enable xinetd.service
#systemctl start xinetd.service
  • Add firewall rules for the TFTP and FTP servers. These open the services in firewalld’s default zone for every interface in that zone; TFTP and FTP are unauthenticated and unencrypted, and a PXE client will boot whatever the DHCP server points it to, so keep the PXE server on a trusted LAN segment
#firewall-cmd --permanent --add-service=tftp
#firewall-cmd --permanent --add-service=ftp
#firewall-cmd --reload
  • Log into your pfSense® webGUI and locate the DHCP Server menu under the Services tab
pfSense® DHCP Server
  • Scroll down to “Other Options” and fill in the TFTP server IP address
  • Verify the “Enables network booting” box is ticked
  • Enter the IP address of the Next Server (same as TFTP)
  • For “Default BIOS file name” enter pxelinux.0
DHCP PXE Settings
  • Click Save

At this point you can boot the PXE client and verify that the boot menu lists the CentOS 7 network install entry.
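Before relying on the client to tell you what is wrong, the server side can be checked directly. The script below is an added example for this article (not part of the original page or of Protectli’s tooling): it renders a pxelinux.cfg/default equivalent to the one above with the server address filled in, verifies that every file the menu references is present and world-readable under the TFTP root, and can fetch pxelinux.0 over TFTP and the repository’s .treeinfo over FTP the way a booting client would. The paths follow the article (/var/lib/tftpboot, /var/ftp/pub/centos7); the server address 192.168.1.10 and the menu title in the usage lines are assumptions. It uses a one-word label with a separate menu label, which is the form syslinux documents.

```shell
#!/bin/sh
# pxe_check.sh - render the pxelinux menu from the article and pre-flight the
# TFTP root before pointing pfSense's DHCP "Next Server" at it.
# Added example for this article, not Protectli's code. Paths follow the
# article; server address and title are supplied by the caller (assumptions).
#
# Usage: sh pxe_check.sh render 192.168.1.10 "Lab PXE" > /var/lib/tftpboot/pxelinux.cfg/default
#        sh pxe_check.sh check  /var/lib/tftpboot
#        sh pxe_check.sh live   192.168.1.10

# Files the article places under the TFTP root. pxelinux.0 is what the DHCP
# "Default BIOS file name" option hands to the client; the rest back the menu.
REQUIRED_FILES="pxelinux.0 menu.c32 networkboot/centos7/vmlinuz networkboot/centos7/initrd.img pxelinux.cfg/default"

# render_pxe_default SERVER_IP [TITLE]
# Prints a pxelinux.cfg/default equivalent to the article's, with the FTP
# repository URL filled in. timeout is in tenths of a second (60 = 6 s).
render_pxe_default() {
    ip="$1"
    title="${2:-Network Install}"
    printf '%s\n' \
        "default menu.c32" \
        "prompt 0" \
        "timeout 60" \
        "" \
        "menu title $title" \
        "label centos7" \
        "  menu label Install CentOS 7" \
        "  kernel /networkboot/centos7/vmlinuz" \
        "  append initrd=/networkboot/centos7/initrd.img inst.repo=ftp://$ip/pub/centos7"
}

# check_tftp_root ROOT
# Returns 0 when every file the menu references exists under ROOT and is
# world-readable (in.tftpd serves files unprivileged), 1 otherwise, naming
# each gap on stderr.
check_tftp_root() {
    root="$1"
    missing=0
    for f in $REQUIRED_FILES; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: $root/$f" >&2
            missing=1
        elif ! find "$root/$f" -perm -004 | grep -q .; then
            echo "not world-readable: $root/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# live_check SERVER_IP
# Pulls pxelinux.0 over TFTP and the repo's .treeinfo over FTP, which is what
# the firmware and then anaconda request first. Needs curl built with TFTP.
live_check() {
    ip="$1"
    curl -sf -o /dev/null "tftp://$ip/pxelinux.0" || { echo "TFTP fetch of pxelinux.0 failed" >&2; return 1; }
    curl -sf -o /dev/null "ftp://$ip/pub/centos7/.treeinfo" || { echo "FTP fetch of .treeinfo failed" >&2; return 1; }
    echo "TFTP and FTP answer on $ip"
}

case "${1:-}" in
    render) render_pxe_default "${2:?server ip}" "$3" ;;
    check)  check_tftp_root "${2:-/var/lib/tftpboot}" ;;
    live)   live_check "${2:?server ip}" ;;
    "")     ;;   # sourced: functions only
    *)      echo "usage: $0 render IP [TITLE] | check [ROOT] | live IP" >&2 ;;
esac
```

Run the check step after the copy commands above and the live step after the firewall rules; a missing ldlinux.c32 or an initrd left at mode 600 shows up here as a one-line message instead of a blank client screen.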

Overview

Depending on the use case, different hardware firewalls suit different network applications, and Protectli offers hardware with varying capabilities accordingly. Customers frequently want to know the performance characteristics of specific hardware before deciding what to purchase. This article provides a baseline of IPsec performance for several Vaults, as tested in a lab environment, so the customer can make an informed decision about which products best suit their needs.

Basic Performance

In a basic setup, the Vault is capable of routing/switching packets at wire speed on all ports for all models. For a 1 Gbps Ethernet interface the measured TCP throughput is ~940 Mbps, because iperf3 counts payload bytes while Ethernet, IP and TCP headers also occupy the wire. The test network consists of 2 computers running Ubuntu 18.04 and 2 Vaults running pfSense® CE version 2.4.3. One of the Ubuntu computers runs iperf3 as a server, the other runs iperf3 as a client.

IP LAN diagram

IPsec

IPsec is a set of protocols used to authenticate and encrypt/decrypt packets so that they can be transported securely through the network. An IPsec “tunnel” (tunnel mode) encrypts the entire original IP packet, headers included, not just the payload, and is commonly used to create Virtual Private Networks (VPNs).

Configuring IPsec

When configuring IPsec tunnels (and other secure connections) multiple parameters must be chosen. The set of parameters is known as a “cipher suite” (pfSense® calls them proposals). The parameters consist of a key exchange method, an encryption algorithm and a message authentication (integrity) algorithm; alongside them, a method for the two peers to authenticate each other (a pre-shared key or certificates) is configured. The configuration must be identical at each end of the tunnel in order to make a connection. An operating system or IPsec implementation will typically support several choices for each of key exchange, encryption, and message authentication, which can be combined to form many different cipher suites.

OpenSSL, an open source cryptographic library, implements a large number of ciphers. The TLS cipher suites it supports can be listed with the command “openssl ciphers -v”, which also prints each suite’s key exchange (Kx), authentication (Au), encryption (Enc) and MAC fields next to its name. A suite name combines the methods into a single string. For example, the cipher suite DH-RSA-AES256-SHA256 indicates:

  • Diffie-Hellman (DH) key exchange, with the server’s DH key certified by a Rivest, Shamir, Adleman (RSA) signature,
  • Advanced Encryption Standard with a 256-bit key (AES256) for encryption, and
  • Secure Hash Algorithm 256 (SHA256) for message authentication.

This is the TLS naming convention; IPsec on pfSense® (strongSwan) configures the equivalent choices as separate phase 1 and phase 2 proposals. Note also that the DH in a DH-RSA suite is static, so it provides no forward secrecy, unlike the ephemeral DHE/ECDHE variants.

Various standards and recommendations dictate the required cipher suite for different applications; they are beyond the scope of this article.
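The decomposition above can be done mechanically from the same “openssl ciphers -v” output, which prints the Kx, Au, Enc and Mac fields next to each suite name. The script below is an added example, not part of the article or of OpenSSL; its SAMPLE lines are constructed in the format of OpenSSL 1.0.2 output. Besides splitting a suite into its parts, it flags suites whose key exchange is not ephemeral (Kx other than exactly DH or ECDH), since a recorded session under those suites can be decrypted later if the server’s long-term key leaks.

```shell
#!/bin/sh
# cipher_fields.sh - split "openssl ciphers -v" lines into the key-exchange,
# authentication, encryption and MAC parts described in the article, and flag
# suites without forward secrecy.
# Added example for this article, not Protectli's or OpenSSL's code. SAMPLE is
# constructed in the format of OpenSSL 1.0.2 "openssl ciphers -v" output.
#
# Usage: sh cipher_fields.sh              (audits SAMPLE)
#        openssl ciphers -v | sh cipher_fields.sh -   (audits the live list)

SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
DES-CBC3-SHA            SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

# field LINE KEY -> the value of KEY= on LINE (KEY is Kx, Au, Enc or Mac).
# Fields start at $2 so the suite name in $1 is never mistaken for one.
field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 2; i <= NF; i++)
            if (index($i, k "=") == 1) { sub(k "=", "", $i); print $i }
    }'
}

# forward_secrecy LINE -> 0 when the key exchange is ephemeral (Kx is exactly
# DH or ECDH). Static DH/RSA, ECDH/RSA and RSA key transport tie every
# session key to the server's long-term key.
forward_secrecy() {
    case "$(field "$1" Kx)" in
        DH|ECDH) return 0 ;;
        *)       return 1 ;;
    esac
}

# describe LINE -> "NAME kx=.. au=.. enc=.. mac=.. fs=yes|no"
describe() {
    name=${1%% *}
    if forward_secrecy "$1"; then fs=yes; else fs=no; fi
    echo "$name kx=$(field "$1" Kx) au=$(field "$1" Au) enc=$(field "$1" Enc) mac=$(field "$1" Mac) fs=$fs"
}

# count_no_fs (reads lines on stdin) -> number of suites without forward secrecy
count_no_fs() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        forward_secrecy "$line" || n=$((n + 1))
    done
    echo "$n"
}

case "${1:-demo}" in
    -)    while IFS= read -r l; do describe "$l"; done ;;
    demo) printf '%s\n' "$SAMPLE" | while IFS= read -r l; do describe "$l"; done ;;
esac
```

Run against the live list, the fs=no lines are the ones to remove from a TLS configuration; for IPsec the same question is answered by the phase 1 DH group and PFS key group settings rather than by a suite name.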

The diagram below shows an IPsec tunnel. The difference from the LAN example above is that the entire packet is encrypted between the two Vault firewalls, so the data can travel through an untrusted network securely.

IPsec Tunnel diagram

IPsec Performance

Adding an IPsec tunnel introduces “overhead”: extra headers and an integrity tag are added when a packet enters the tunnel and stripped off when it leaves. These bytes travel on the wire but are not part of the payload. Therefore, when running performance tests, which count payload bytes, the indicated throughput will be less than the throughput achieved without an IPsec tunnel.

In addition to the payload lost to overhead, the device that adds the overhead must also encrypt the data, and the device at the other end of the tunnel must decrypt it before sending it onward. Encryption and decryption of every packet requires significant processing power and affects the throughput of the devices. The latest versions of the Vault include Intel’s AES-NI instructions, which speed up AES encryption/decryption with less impact on CPU performance.

The performance varies with the parameters of the chosen cipher suite. For example, a cipher suite that uses AES128 may perform better than AES256, because AES-128 runs 10 rounds per block against 14 for AES-256. It would be difficult if not impossible to test all possible cipher suites.

In order to test performance, pfSense® CE 2.4.3 was installed on the Vaults and IPsec tunnels were configured with the following cipher suite:

  • IKE with Pre-Shared Key (PSK) authentication of the peers and Diffie-Hellman (DH) key exchange
  • AES encryption with a 256-bit key in Galois/Counter Mode (GCM), pfSense®’s “AES256-GCM, 128 bits” option, where 128 bits is the length of the authentication tag (AES always uses 128-bit blocks)
  • Secure Hash Algorithm 256 bit (SHA256) message authentication for IKE; AES-GCM is an authenticated mode and needs no separate MAC on the ESP payload

The configuration pages at VPN->IPsec->Tunnels are shown below.

IPsec Tunnel Configuration

IPsec Tunnel Configuration (Remote End)

In this example, data from LAN network 192.168.10.0 is “tunneled” to LAN network 192.168.20.0 over the WAN interface. In the reverse direction, data from LAN network 192.168.20.0 is “tunneled” to LAN network 192.168.10.0 over the WAN interface.

The maximum throughput measured over the IPsec tunnel on a 1 Gbps Ethernet interface is ~880 Mbps; the drop from ~940 Mbps is expected, given the per-packet ESP overhead and the encryption work. The results of performance tests run on the Vaults that contain AES-NI hardware support are shown in the table below.
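To see how much of the gap between ~940 Mbps and ~880 Mbps is framing overhead alone, the following shell functions (an added worked example, not measurements from the article) compute the largest inner packet that fits a 1500-byte outer frame after ESP tunnel-mode encapsulation and the TCP goodput ceiling that implies at 1 Gbps. Header sizes are the RFC 4303/4106 values for IPv4 without NAT-T, and Ethernet framing is 38 bytes per frame (preamble, header, FCS, inter-frame gap); both are assumptions about the test network, which the article does not spell out.

```shell
#!/bin/sh
# esp_overhead.sh - ESP tunnel-mode framing overhead and the TCP goodput
# ceiling it implies on a 1 Gbps link. Added worked example for this article;
# the numbers come from header sizes, not from the article's measurements.
#
# Usage: sh esp_overhead.sh [LINE_MBPS]   (default 1000)

# Bytes per frame on the wire beyond the IP MTU: preamble+SFD 8, Ethernet
# header 14, FCS 4, inter-frame gap 12.
ETH_OVERHEAD=38

# esp_inner_mtu OUTER_MTU IV_BYTES ICV_BYTES ALIGN
# Largest inner IPv4 packet that fits one outer frame after ESP tunnel-mode
# encapsulation (RFC 4303): outer IPv4 header 20, ESP SPI+sequence 8, IV,
# pad-length+next-header trailer 2 and the ICV, with payload+pad+2 rounded to
# ALIGN bytes (4 for AES-GCM, the 16-byte block size for AES-CBC).
esp_inner_mtu() {
    outer=$1; iv=$2; icv=$3; align=$4
    inner=$((outer - 20 - 8 - iv - 2 - icv))
    inner=$((inner - (inner + 2) % align))
    echo "$inner"
}

# tcp_goodput_mbps PAYLOAD_BYTES OUTER_MTU LINE_MBPS
# TCP payload bits delivered per wire bit, scaled to line rate (integer Mbps).
# PAYLOAD_BYTES is the IP packet size minus 40 bytes of IPv4+TCP headers.
tcp_goodput_mbps() {
    echo $(( $1 * $3 / ($2 + ETH_OVERHEAD) ))
}

# compare LINE_MBPS -> ceilings for plain Ethernet, the article's AES-GCM
# proposal, and AES-CBC with HMAC-SHA256 for contrast.
compare() {
    line=$1
    plain=$(tcp_goodput_mbps 1460 1500 "$line")
    gcm_inner=$(esp_inner_mtu 1500 8 16 4)     # AES-GCM: 8-byte IV, 128-bit ICV
    cbc_inner=$(esp_inner_mtu 1500 16 16 16)   # AES-CBC: 16-byte IV, HMAC-SHA256-128 ICV
    gcm=$(tcp_goodput_mbps $((gcm_inner - 40)) 1500 "$line")
    cbc=$(tcp_goodput_mbps $((cbc_inner - 40)) 1500 "$line")
    echo "plain TCP over Ethernet:    ${plain} Mbps ceiling"
    echo "ESP tunnel AES-GCM:         inner MTU ${gcm_inner}, ${gcm} Mbps ceiling"
    echo "ESP tunnel AES-CBC+SHA256:  inner MTU ${cbc_inner}, ${cbc} Mbps ceiling"
}

compare "${1:-1000}"
```

With a 1500-byte outer MTU the AES-GCM tunnel leaves a 1446-byte inner packet and a ceiling of about 914 Mbps against 949 Mbps for plain Ethernet, so roughly 35 Mbps of the drop is headers and the rest of the way down to ~880 Mbps is processing cost on the Vaults. If the tunnel runs over NAT-T, pass 1492 as OUTER_MTU to account for the 8-byte UDP header it inserts.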

Conclusions on IPsec Performance

IPsec is a critical set of protocols used to provide secure communication across the Internet. Many different cipher suites can be used depending on the requirements of the user, and the chosen configuration affects the processing load and therefore the throughput of the devices in the network. This article is an aid to selecting the best Vault for your application.

If you experience any issues, feel free to reach out to us: You can submit a ticket here, find more information in our Knowledge Base, or visit the official pages at pfSense.org as reference.