When I moved into a new home a year ago I was finally able to join the 21ਸ੍ਟ੍ਰੀਟ century and ordered BT Infinity which is supplied with a SmartHub. The SmartHub is actually reasonably decent kit considering it comes for free, but as with most ISP supplied devices it is locked down in some ways, for example you can’t use your own DNS servers which I prefer to do. In the early days of ADSL (circa 2001) I ran a smoothwall box in place of a router, and for a range of reasons (including internet filtering controlled by me, rather than an ISP) I decided to go back to a linux-based firewall router.
The little Celeron J1900 box I got to do the hardware side of things didn’t want to install smoothwall, so I installed pfsense instead. I also had to get a vDSL (fibre) modem to connect the router to the phone socket. I got a netgear DM200 which is actually a full router that can be switched into “modem only” mode. Getting the whole arrangement working took quite some fiddling, so I thought I’d pull all the resources together in one place
1. Installing pfsense
I needed to install pfsense via USB, so effectively by flash drive. This was made possible by the use of a blank pen drive, software called rufus, and the ‘memstick’ download of pfsense.
2. Configuring the netgear DM200
To do anything with the DM200 you will have to connect both a LAN cable to it, and the phone socket to it. Your PC should get an address from the netgear by DHCP but if it doesn’t you will need to manually set you IP address to 192.168.5.x (x being anything from 2 — 254). You can then log in via web interface at 192.168.5.1. The default login username is admin and the password is password. Select the “advanced” tab, and then the “advanced” menu option at the bottom left of that page. Under that select the “device mode” option. Change the device mode to “Modem (modem only)” and click apply. You can see more details and screenshots on the netgear help pages
3. Login and change the default password
Connect your pfsense box to the lan and connect to it using web interface via it’s lan IP address (which it will display on it’s default boot up screen if you connect a display to it). You may have to change your local IP address to achieve this. Login to the pfsense with the username admin and password pfsense. Go through the setup wizard and when given the opportunity change the default webui password. For more detailed information on steps 1–3 I recommend a guide on tecmint
4. Configuring the pfsense box to get a basic connection
I use BT infinity and getting the right settings proved trickier than I had hoped. I had to first configure the WAN settings correctly and after that, set the correct profile for the WAN interface. First, go to Interfaces: WAN and set the following.
IPv4 Configuration Type | PPPoE |
IPv6 Configuration Type | DHCP6 |
Use IPv4 connectivity as parent interface | ticked |
Request only an IPv6 prefix | ticked |
DHCPv6 Prefix Delegation size | 56 |
username | bthomehub@btbroadband.com |
password | any value will work |
Save the changes, and then go to Interfaces: Assignment. Set the WAN interface to “PPPOE…” which after saving should show with the physical interface in brackets — in my case it says “PPPOE (em0)”. Save the changes again and hopefully you will get a connection.
4b. WAN MTU Value
In the WAN Interface settings you might want to adjust your MTU setting to work optimally with BT Infinity to avoid fragmented packets and possible packet loss. I have written a [intlink id=“4002” type=“post”]dedicated article[/intlink] on this issue.
5. IPv6 Testing
The settings above should be sufficient to get IPv6 working on your LAN clients — you should also see an IPv6 address for the pfsense LAN interface (i.e. one that doesn’t start fe80). Try pinging google.com from a terminal window on a LAN client — if you get a response from the IPv6 address then all is well. You can also check that all i correct using test-ipv6.com. Thanks to Danneh for the settings. For more information I recommend this reddit thread.
There is one further tweak required to make sure IPv6 works fully, you need to allow ICMPv6 packets through the firewall. Go to Firewall, and then Rules. Add a new rule, set the address family to IPv6, change the protocol to ICMP, leave “any” selected as the subtypes (unless you want to do a lot more reading about specific subtypes). Click Save, and then click “Apply Changes”.
6. Enabling Intel enhanced speed-step
I don’t want my lower powered router running at full tilt all the time — but sadly pfsense doens’t seem to correctly support intel enhanced speed step by default at the moment. To get mine working (and a lower cpu temperature to go with it!) I first had to enable PowerD in System -> Advanced -> Miscellaneous -> Enable PowerD. If you want to enable the lowest frequencies (altho these don’t save much power) you will also need to do the following changes: go to Diagnostics, Edit File. Then enter the file path /boot/device.hints. change the bottom 2 entries from 1 to 0 (called hint.acpi_throttle.0.disabled and hint.p4tcc.0.disabled). Thanks to SecondEdge and dreamslacker for these tips. To check this is working you will need to log into the router via SSH, select option 8 (shell) and run sysctl dev.cpu. | grep freq. This took my cpu core temperature from 66C to 57C — not bad for a tiny fanless system packed in next to another PC, a modem, and an 8‑port switch.
7. Port forwarding
Go to firewall: NAT and then click the add button. Enter the IP address and port for the destination and (most likely) the same port for the external port. For more detailed information I recommend a post by splurben on the pfsense forums.
8. NAT Reflection
I use my laptop both at home on the LAN and away from home and in both cases want to access various web interfaces on the LAN. I use DDNS to get a domain name and wanted to use this to connect even when connected to the LAN. This requires NAT reflection which can be enabled under system: advanced: NAT Reflection mode for port forwards. You may (probably) need to also enable 2 other options on this page: Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection
9. Adblocking
All of my PC webbrowsers have adblocked installed, but the same can’t be said of my android devices as these have to be rooted to install blockers. So being able to block ads with pfsense is one of the major advantages of using it. First, go to system: package manager and then search for pfblockerng and install it. You can then configure it using Firewall: PFBlockerNG. I then used the guide by FredMerc to configure it. A brief summary of the settings I’ve used is as follows. Go to Firewall: PFBlockerNG and then click on the DNSBL tab, and then click on the DNSBL EasyList tab. Turn on the top EasyList feed and point it to EasyList. Then click the add button, and set the second EasyList feed to EasyPrivacy and turn that on too. List action should be “unbound” and I set the update frequency to 1 day. Then click save. Then go to the DNSBL tab and enable the option Enable DNSBL. Finally go to the General tab and enable pfBlockerNG.
9b. Adblock fixes
The default PFBlockerNG configuration causes problems for the amazon android app. To avoid this, and other issues, it is worth using some whitelisting. Go to Firewall: PFBlockerNG and then click on the DNSBL tab, scroll down to custom domain whitelist and enter the following (thanks to bchow on the pfsense forums)
.amazonaws.com .amazon-adsystem.com .amazon.com .ssl.google-analytics.com .ssl-google-analytics.l.google.com # CNAME for (ssl.google-analytics.com) .www.google-analytics.com .www-google-analytics.l.google.com # CNAME for (www.google-analytics.com) .www.googleadservices.com .plex.tv .gravatar.com .thetvdb.com .themoviedb.com .googleapis.com # 172.217.3.202 is important for amazon app to work .1e100.net # cname? altname? for googleapis.com .ad.doubleclick.net # needed for clash of clans? .g.doubleclick.net # needed for clash of clans? .q1mediahydraplatform.com # needed for hungryhouse android app?
You may also want to enable the alexa whitelist of top sites.
10. Transparent squid proxy
I decided to set up a transparent squid proxy as much of the browsing that we do hits the same sites repeatedly on different devices, I don’t expect it to make a huge difference, but I can’t see any good reasons not to. Use system: package manager to install squid. Then go to services: squid proxy server to configure it. This is also needed for SquidGuard if you want to use it, as I do.
11. Web filtering for child safety with SquidGuard
I have young children in the house and want to block unsuitable content. This can be achieved with the SquidGuard package and Shalla’s Blacklists. Install squidguard from system: package manager. Then go to services: squidguard proxy filter. Go to the blacklist tab, enter the address HTTPS://www.shallalist.de/Downloads/shallalist.tar.gz and click download. Then use the Common ACL tab, click on the plus button and select the categories you wish to block. It is also necesary to set up a dummy target category due to a bug. For more information see this post on pfsense forum. Don’t forget to set the default for all of the lists to allow at the very bottom of the lists. Thanks to networkinggeek on the pfsense forums for this tip. Lastly — it may be worth editing a couple of advanced options so that blocked requests are only cached for a short period of time — that way if you decide to unblock some sites you wont have to clear the browser cache to access those sites — there is more information on the pfsense forum. I had to whitelist the category[blk_BL_sex_lingerie] so that my wife could buy underwear as the filter was blocking the underwear sections on mainstream retailers (e.g. Debenhams).
12. Enable U‑PNP for a range of services (gaming, messaging, torrent, etc)
Go to Services: UPnP & NAT-PMP, tick the top 2 boxes (Enable UPnP & NAT-PMP and Allow UPnP Port Mapping), and click save.
13. Malicious traffic blocking with SNORT
To block detect and block potentially malicious traffic you can install the SNORT package. I recommend running it without blocking for the first few weeks as it will block lots of things you don’t want due to large numbers of false positives. I recommend using the following suppression list to avoid some of the most annoying false positives
#ET P2P Bittorrent P2P Client User-Agent (uTorrent) suppress gen_id 1, sig_id 2011706 #ET P2P BitTorrent DHT announce_peers request suppress gen_id 1, sig_id 2008585 #(spp_ssl) Invalid Client HELLO after Server HELLO Detected suppress gen_id 137, sig_id 1 #ET P2P BitTorrent DHT ping request suppress gen_id 1, sig_id 2008581 #(http_inspect) SIMPLE REQUEST suppress gen_id 119, sig_id 32 #(http_inspect) UNKNOWN METHOD suppress gen_id 119, sig_id 31 #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE suppress gen_id 120, sig_id 8 #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE suppress gen_id 120, sig_id 3 #(http_inspect) DOUBLE DECODING ATTACK suppress gen_id 119, sig_id 2 #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED suppress gen_id 120, sig_id 6 #(http_inspect) IIS UNICODE CODEPOINT ENCODING suppress gen_id 119, sig_id 7 #(http_inspect) BARE BYTE UNICODE ENCODING suppress gen_id 119, sig_id 4 #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1 suppress gen_id 120, sig_id 9 #(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED suppress gen_id 120, sig_id 10 #(http_inspect) UNESCAPED SPACE IN HTTP URI suppress gen_id 119, sig_id 33 #(http_inspect) U ENCODING suppress gen_id 119, sig_id 3 #(http_inspect) DOUBLE DECODING ATTACK suppress gen_id 119, sig_id 2 #(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA suppress gen_id 120, sig_id 11 #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE suppress gen_id 120, sig_id 4 #FILE-IMAGE Directshow GIF logical width overflow attempt suppress gen_id 1, sig_id 27525
14. Getting web-access to the modem, through the pfsense box
My Netgear DM200 modem (in pass-through mode) is only accessible via a fixed IP address (192.168.5.1). I wanted to be able to access its web interface on LAN computers. There are some instructions in the pfsense wiki, but these didn’t work for me at first. There is a helpful post by user Nonsense on the pfsense forum
14b. Showing the modem connection statistics on the pfsense dashboard
After some headscratching I figured out a way to make the modem statistics for my netgear modem show on my dashboard.
This is done by creating a custom widget with php code.
Go to diagnostics and edit file. Create a new file at the path
/usr/local/www/widgets/widgets/modemstatus.widget.php
with the contents
< ?php $status= file_get_contents("HTTPS://username:password@192.168.5.1/RST_statistic.htm"); $status= str_replace("var timereset=\"5\";","var timereset=\"0\";",$status); echo $status ?>
You will need to customise the username and password. The above code works for the Netgear DM200, and probably other netgear modems and routers. For other makes of hardware you will need a different address for the statistics and you may need to do additional manipulation of the response using php.
Note that I have over-ridden the default netgear refresh interval — I’ve turned it off as the reload breaks the dashboard display. To get updated numbers just refresh the pfsense dashboard using your web browser reload button
Now go to the dashboard and add the widget and you’re all done.
15. Fixing the certificate warning when logging in
See this guide
16. Ask firefox to use local DNS over HTTPS, instead of bypassing our filters (added April 2020)
In Services -> DNS Resolver
Add following line to “custom options” field…
server:local-zone: "use-application-dns.net." always_nxdomain
17. Use domain name of pfsense box for blocked resources instead of IP (added April 2020)
Services -> SquidGuard Proxy Filter -> Common ACL
Change “ReDirect Mode” to “ext url move (enter URL)”
In the “Redirect info” field set “https://your-router-name/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u”
Fantastic guide where do i place this in floating rules?
There is one further tweak required to make sure IPv6 works fully, you need to allow ICMPv6 packets through the firewall. Go to Firewall, and then Rules. Add a new rule, set the address family to IPv6, change the protocol to ICMP, leave “any” selected as the subtypes (unless you want to do a lot more reading about specific subtypes). Click Save, and then click “Apply Changes”.
Pls keep the guides coming!!
Thanks for the extra info. I had indeed enabled ICMPv6 packets but must have forgotten that I had when I wrote this. I’ll update it. I’m not sure which part of the guide your first question refers to?