Replacing BT Infinity SmartHub with pfsense

When I moved to a new house a year ago I was finally able to join the 21st century and order BT Infinity, which was supplied with a SmartHub. The SmartHub is actually a reasonably decent bit of kit considering it comes free, but as with most ISP-supplied hardware it is locked down in some ways, for example you can't use your own DNS servers, which I would prefer to do. In the early days of ADSL (circa 2001) I ran a smoothwall box instead of a router, and for a bunch of reasons (including internet filtering controlled by me, rather than the ISP) I decided to go back to a Linux-based router firewall.


The little Celeron J1900 box I got to do the hardware side of things didn't want to install smoothwall, so I installed pfsense instead. I also had to get a (basic) VDSL modem to connect the router to the phone socket. I got a netgear DM200 which is actually a full router that can be switched into "modem only" mode. Getting the whole arrangement working took quite some fiddling, so I thought I'd pull all the resources together in one place.

1. Installing pfsense

I needed to install pfsense via USB, so effectively by flash drive. This was made possible by the use of a blank pen drive, software called rufus, and the 'memstick' download of pfsense.

2. Configuring the Netgear DM200

To do anything with the DM200 you will have to connect both a LAN cable and the phone socket to it. Your PC should get an address from the netgear by DHCP, but if it doesn't you will need to manually set your IP address to 192.168.5.x (x being anything from 2 - 254). You can then log in via the web interface at 192.168.5.1. The default login username is admin and the password is password. Select the "advanced" tab, and then the "advanced" menu option at the bottom left of that page. Under that select the "device mode" option. Change the device mode to "Modem (Modem Only)" and click apply. You can see more details and screenshots on the netgear help pages.

3. Log in and change the default password

Connect your pfsense box to the LAN and connect to it using the web interface via its LAN IP address (which it will display on its default boot up screen if you connect a display to it). You may have to change your local IP address to achieve this. Log in to pfsense with the username admin and password pfsense. Go through the setup wizard and when given the opportunity change the default webui password. For more detailed information on steps 1–3 I recommend a guide on tecmint.

4. Configuring the pfsense box to get a basic connection

I use BT infinity and getting the right settings proved trickier than I had hoped. I had to first configure the WAN settings correctly and after that, set the correct profile for the WAN interface. First, go to Interfaces: WAN and set the following.

IPv4 Configuration Type: PPPOE
IPv6 Configuration Type: DHCP6
Use IPv4 connectivity as parent interface: ticked
Request only an IPv6 prefix: ticked
DHCPv6 Prefix Delegation size: 56
username: bthomehub@btbroadband.com
password: any value will work

Save the changes, then go to Interfaces: Assignment. Set the WAN interface to "PPPOE…" which after saving should show with the physical interface in brackets; in my case it says "PPPOE (em0)". Save the changes again and hopefully you will get a connection.

4b. WAN MTU value

In the WAN Interface settings you might want to adjust your MTU setting to work optimally with BT Infinity to avoid fragmented packets and possible packet loss. I have written a dedicated article on this issue.

5. Testing IPv6

The settings above should be sufficient to get IPv6 working on your LAN clients. You should also see an IPv6 address for the pfsense LAN interface (i.e. one that doesn't start with FE80). Try pinging google.com from a terminal window on a LAN client; if you get a response from the IPv6 address then all is well. You can also check that all is correct using test-ipv6.com. Thanks to Danneh for the settings. For more information I recommend this reddit thread.
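One way to script the address check described above, as an added example rather than code from the original post: it pulls the inet6 lines out of ifconfig output, discards link-local (fe80::/10) addresses, and confirms the remaining LAN address sits inside the delegated /56. The ifconfig sample, the interface name em1 and the 2001:db8 documentation prefix are constructed stand-ins for your own values.

```python
import ipaddress
import re

# Constructed sample of FreeBSD `ifconfig` output for a LAN interface.
# 2001:db8::/32 is the documentation prefix, standing in for the ISP delegation.
SAMPLE_IFCONFIG = """\
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
    inet6 2001:db8:1234:5600:2e0:4cff:fe68:1a2b prefixlen 64
"""

# Matches "inet6 <address>[%zone] prefixlen <n>" and drops the %zone suffix.
INET6_LINE = re.compile(
    r"^\s*inet6\s+([0-9a-fA-F:]+)(?:%\S+)?\s+prefixlen\s+(\d+)", re.M)


def routable_addresses(ifconfig_text):
    """Return the inet6 addresses that are not link-local (fe80::/10)."""
    found = []
    for addr, plen in INET6_LINE.findall(ifconfig_text):
        iface = ipaddress.IPv6Interface(f"{addr}/{plen}")
        if not iface.ip.is_link_local:
            found.append(iface)
    return found


def check_delegation(ifconfig_text, delegated_prefix):
    """Report where each routable LAN address sits inside the delegated prefix."""
    delegated = ipaddress.IPv6Network(delegated_prefix)
    report = []
    for iface in routable_addresses(ifconfig_text):
        inside = iface.network.subnet_of(delegated)
        index = None
        if inside:
            # A /56 holds 2**(64-56) = 256 /64 networks; index 0 is the first.
            offset = int(iface.network.network_address) - int(delegated.network_address)
            index = offset >> 64
        report.append({
            "address": str(iface.ip),
            "lan_network": str(iface.network),
            "inside_delegation": inside,
            "subnet_index": index,
        })
    return report
```

An address reported with inside_delegation set to True is globally routable with no NAT in front of it, so reachability from outside depends entirely on the firewall rules.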

There is one further tweak required to make sure IPv6 works fully: you need to allow ICMPv6 packets through the firewall. Go to Firewall, then click Rules. Add a new rule, set the address family to IPv6, change the protocol to ICMP, and leave "any" selected as the subtypes (unless you want to do a lot more reading about specific subtypes). Click Save, and then click "Apply Changes".
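For anyone who does narrow the subtypes instead of leaving "any", the sketch below (an added example, not part of the original post or of pfsense) audits a proposed allow-list against the ICMPv6 types RFC 4890 says must not be dropped in forwarded traffic, and triages blocked-ICMPv6 records. The record layout and the sample addresses are constructed for illustration.

```python
from collections import Counter

# ICMPv6 types RFC 4890 lists as "must not be dropped" for traffic passing
# through a firewall, with what fails when each is blocked. The RFC narrows
# types 3 and 4 to specific codes; this sketch works at type level only.
MUST_PASS = {
    1: "Destination Unreachable: clients wait for timeouts instead of failing fast",
    2: "Packet Too Big: path MTU discovery fails, large transfers stall",
    3: "Time Exceeded: traceroute and loop detection stop working",
    4: "Parameter Problem: header errors never reach the sender",
    128: "Echo Request: ping and reachability tests fail",
    129: "Echo Reply: ping and reachability tests fail",
}


def audit_subtypes(allowed):
    """Return (type, consequence) for each essential type a rule would drop.

    allowed is a set of ICMPv6 type numbers, or None for the "any" setting.
    """
    if allowed is None:
        return []
    return [(t, MUST_PASS[t]) for t in sorted(MUST_PASS) if t not in allowed]


# Constructed block-log records: (source, destination, ICMPv6 type).
SAMPLE_BLOCKED = [
    ("2001:db8:aaaa::1", "2001:db8:1234:5600::10", 2),
    ("2001:db8:aaaa::1", "2001:db8:1234:5600::10", 2),
    ("2001:db8:bbbb::7", "2001:db8:1234:5600::22", 128),
    ("2001:db8:cccc::9", "2001:db8:1234:5600::22", 139),  # Node Information Query
    ("fe80::1", "ff02::1", 134),  # Router Advertisement, never forwarded
]


def triage_blocked(records):
    """Count blocked messages whose loss breaks connectivity, keyed by type."""
    counts = Counter(t for _, _, t in records if t in MUST_PASS)
    return dict(sorted(counts.items()))
```

Type 2 matters most on this setup: IPv6 routers never fragment in transit, so a PPPoE link with a reduced MTU relies on Packet Too Big messages getting back to the sender.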

6. Enabling Intel Enhanced Speed Step

I don't want my lower powered router running at full tilt all the time, but sadly pfsense doesn't seem to correctly support intel enhanced speed step by default at the moment. To get mine working (and a lower cpu temperature to go with it!) I first had to enable PowerD in System -> Advanced -> Miscellaneous -> Enable PowerD. If you want to enable the lowest frequencies (granted, these do not save much power) you will also need to make the following changes: go to Diagnostics, Edit File. Then enter the file path /boot/device.hints. Change the bottom 2 entries from 1 to 0 (called hint.acpi_throttle.0.disabled and hint.p4tcc.0.disabled). Thanks to SecondEdge and dreamslacker for these tips. To check this is working you will need to log into the router via SSH, select option 8 (shell) and run sysctl dev.cpu | grep freq. This took my cpu core temperature from 66C to 57C, not bad for a tiny fanless system packed in next to another PC, the modem, and an 8 port switch.

7. Port forwarding

Go to Firewall: NAT and then click the add button. Enter the IP address and port for the destination and (probably) the same port for the external port. For more detailed information I recommend a post by splurben on the pfsense forums.

8. NAT reflection

I use my laptop both at home on the LAN and away from home, and in both cases want to access various web interfaces on the LAN. I use DDNS to get a domain name and wanted to use this to connect even when connected to the LAN. This requires NAT reflection, which can be enabled under System: Advanced: NAT Reflection mode for port forwards. You (probably) should also enable the 2 other options on this page: Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection.

9. Adblocking

All of my PC web browsers have an adblocker installed, but the same can't be said of my android devices as these have to be rooted to install blockers. So being able to block ads with pfsense is one of the major advantages of using it. First, go to System: Package Manager, then search for pfblockerng and install it. You can then configure it using Firewall: PFBlockerNG. After that, use the guide by FredMerc to configure it. A brief summary of the settings I've used is as follows. Go to Firewall: PFBlockerNG, then click on the DNSBL tab, then click on the DNSBL EasyList tab. Turn on the top EasyList feed and point it to EasyList. Then click the add button, and set the second EasyList feed to EasyPrivacy and turn that on too. List action should be "unbound" and I set the update frequency to 1 day. Then click Save. Then go to the DNSBL tab and enable the option Enable DNSBL. Finally go to the General tab and enable pfBlockerNG.

9b. Adblock fixes

The default PFBlockerNG configuration causes problems for the amazon android app. To avoid this, and other issues, it is worth using some whitelisting. Go to Firewall: PFBlockerNG, then click on the DNSBL tab, scroll down to custom domain whitelist and enter the following (thanks to bchow on the pfsense forums)

You may also want to enable the alexa whitelist of top sites.

10. Transparent squid proxy

I decided to set up a transparent squid proxy as much of the browsing that we do hits the same sites repeatedly on different devices. I don't expect it to make a huge difference, but I can't see any good reasons not to. Use System: Package Manager to install squid. Then go to Services: squid proxy server to configure it. This is also needed for SquidGuard if you want to use it, as I do.

11. Web filtering for child safety with SquidGuard

I have young children in the house and want to block unsuitable content. This can be achieved with the SquidGuard package and Shalla's Blacklists. Install squidguard from System: Package Manager. Then go to Services: squidguard proxy filter. Go to the blacklist tab, enter the address http://www.shallalist.de/Downloads/shallalist.tar.gz and click download. Then use the Common ACL tab, click on the plus button and select the categories you wish to block. It is also necessary to set up a dummy target category due to a bug. For more information see this post on the pfsense forum. Don't forget to set the default for all of the lists to allow at the very bottom of the lists. Thanks to networkinggeek on the pfsense forums for this tip. Lastly, it may be worth editing a couple of advanced options so that blocked requests are only cached for a short period of time. That way, if you decide to unblock some sites you won't have to clear the browser cache to access those sites; there is more information on the pfsense forum. I had to whitelist the category [blk_BL_sex_lingerie] so that my wife could buy underwear, as the filter was blocking the underwear sections on mainstream retailers (e.g. Debenhams).

12. Enabling U-PNP for a range of services (gaming, messaging, torrents, etc.)

Go to Services: UPnP & NAT-PMP, tick the top 2 boxes (Enable UPnP & NAT-PMP and Allow UPnP Port Mapping), then click Save.

13. Blocking malicious traffic with Snort

To detect and block potentially malicious traffic you can install the SNORT package. I recommend running it without blocking for the first few weeks as it will block lots of things you don't want due to large numbers of false positives. I recommend using the following suppression list to avoid some of the most annoying false positives

14. Getting access to the modem web interface through the pfsense box

My Netgear DM200 modem (in passthrough mode) is only accessible via a fixed IP address (192.168.5.1). I wanted to be able to access its web interface on LAN computers. There are some instructions in the pfsense wiki, but these didn't work for me at first. There is a helpful post by user Nonsense on the pfsense forum.

14b. Showing modem connection statistics on the pfsense dashboard

After some headscratching I figured out a way to make the modem statistics for my netgear modem show on my dashboard.
This is done by creating a custom widget with php code.
Go to Diagnostics and Edit File. Create a new file at the path

with the contents

You will need to customise the username and password. The above code works for the Netgear DM200, and probably other netgear modems and routers. For other makes of hardware you will need a different address for the statistics and you may need to do additional manipulation of the response using php.
Note that I have overridden the default netgear refresh interval: I've turned it off as the reload breaks the dashboard display. To get updated numbers just refresh the pfsense dashboard using your web browser reload button.
Now go to the dashboard and add the widget and you're all done.

15. Fixing the certificate warning when logging in

See this guide.
