Replacing the BT Infinity SmartHub with pfSense

When I moved into a new house a year ago I was finally able to join the 21st century and ordered BT Infinity, which comes with a SmartHub. The SmartHub is actually a fairly decent bit of kit considering it comes free, but as with most ISP-supplied devices it is locked down in certain ways; for example, you can't use your own DNS servers, which I prefer to do. In the early days of ADSL (circa 2001) I ran a smoothwall box in place of a router, and for a number of reasons (including Internet filtering controlled by me rather than by an ISP) I decided to go back to a Linux-based firewall router.


The little Celeron J1900 box I got to do the hardware side of things didn't want to install smoothwall, so I installed pfSense instead. I also had to get a VDSL (fibre) modem to connect the router to the phone socket. I got a Netgear DM200, which is actually a full router that can be switched into "modem only" mode. Getting the whole arrangement working took quite some fiddling, so I thought I'd pull all the resources together in one place.

1. Installing pfSense

I needed to install pfSense via USB, so effectively by flash drive. This was made possible by the use of a blank pen drive, software called Rufus, and the 'memstick' download of pfSense.

2. Configuring the Netgear DM200

To do anything with the DM200 you will have to connect both a LAN cable and the phone socket to it. Your PC should get an address from the Netgear by DHCP, but if it doesn't you will need to manually set your IP address to 192.168.5.x (x being anything from 2 to 254). You can then log in via the web interface at 192.168.5.1. The default login username is Admin and the password is password. Select the "advanced" tab, and then the "advanced" menu option at the bottom left of that page. Under that select the "device mode" option. Change the device mode to "Modem (modem only)" and click apply. You can see more details and screenshots on the Netgear help pages.

3. Log in and change the default password

Connect your pfSense box to the LAN and connect to it using the web interface via its LAN IP address (which it will display on its default boot-up screen if you connect a display to it). You may have to change your local IP address to achieve this. Log in to pfSense with the username Admin and password pfSense. Go through the setup wizard and, when given the opportunity, change the default web UI password. For more detailed information on steps 1–3 I recommend a guide on Tecmint.

4. Configuring the pfSense box to get a basic connection

I use BT Infinity and getting the right settings proved trickier than I had hoped. I had to first configure the WAN settings correctly and, after that, set the correct profile for the WAN interface. First, go to Interfaces: WAN and set the following.

IPv4 Configuration Type: PPPoE
IPv6 Configuration Type: DHCP6
Use IPv4 connectivity as parent interface: checked
Request only an IPv6 prefix: checked
DHCPv6 Prefix Delegation size: 56
Username: bthomehub@btbroadband.com
Password: any value will work

Save the changes, and then go to Interfaces: Assignment. Set the WAN interface to "PPPOE…", which after saving should show with the physical interface in brackets; in my case it says "PPPOE (em0)". Save the changes again and hopefully you will get a connection.

4b. WAN MTU value

In the WAN interface settings you might want to adjust your MTU setting to work optimally with BT Infinity, to avoid fragmented packets and possible packet loss. I have written a dedicated article on this topic.

5. IPv6 testing

The settings above should be sufficient to get IPv6 working on your LAN clients; you should also see an IPv6 address for the pfSense LAN interface (i.e. one that doesn't start with fe80). Try pinging google.com from a terminal window on a LAN client; if you get a response from the IPv6 address then all is well. You can also check that all is correct using test-ipv6.com. Thanks to Danneh for the settings. For more information I recommend this Reddit thread.

There is one further tweak required to make sure IPv6 works fully: you need to allow ICMPv6 packets through the firewall. Go to Firewall, then Rules. Add a new rule, set the address family to IPv6, change the protocol to ICMP, and leave "any" selected as the subtypes (unless you want to do a lot more reading about specific subtypes). Click Save, and then click "Apply Changes".

6. Enabling Intel Enhanced SpeedStep

I don't want my low-powered router running at full tilt all the time, but sadly pfSense doesn't seem to correctly support Intel Enhanced SpeedStep by default at the moment. To get mine working (and a lower CPU temperature to go with it!) I had to enable PowerD in System -> Advanced -> Miscellaneous -> Enable PowerD. If you want to enable the lowest frequencies (although these don't save much power) you will also need to make the following changes: go to Diagnostics, Edit File. Then enter the file path /boot/device.hints. Change the bottom 2 entries from 1 to 0 (namely hint.acpi_throttle.0.disabled and hint.p4tcc.0.disabled). Thanks to SecondEdge and dreamslacker for these tips. To check this is working you will need to log into the router via SSH, select option 8 (shell) and run sysctl dev.cpu | grep freq. This took my CPU core temperature from 66C to 57C, not bad for a tiny fanless system packed in next to another PC, the modem, and an 8-port switch.
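As an added example (not code from the original post), the following POSIX shell script automates the two edits the step above makes by hand in /boot/device.hints, flipping hint.acpi_throttle.0.disabled and hint.p4tcc.0.disabled from "1" to "0" while keeping a backup, and shows how to read the frequency levels out of the kind of line that sysctl dev.cpu | grep freq prints. The hints file content and the sysctl line it works on are constructed samples, not captured from a real pfSense box; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates the device.hints
# edit described above and parses a "dev.cpu.0.freq_levels" line. The hints
# file and the sysctl line below are constructed samples, not real captures.

# Write a constructed stand-in for /boot/device.hints to a temp file and print
# its path. The last two lines mirror the two entries the post says to change.
make_sample_hints() {
    f=$(mktemp "${TMPDIR:-/tmp}/hints.XXXXXX") || return 1
    cat > "$f" <<'EOF'
hint.acpi.0.disabled="0"
hint.atkbdc.0.at="isa"
hint.acpi_throttle.0.disabled="1"
hint.p4tcc.0.disabled="1"
EOF
    printf '%s\n' "$f"
}

# Flip the two throttling hints from "1" to "0". A .bak copy of the original is
# kept so the change can be reverted if the box misbehaves after a reboot.
enable_low_freq_hints() {
    hints="$1"
    cp "$hints" "$hints.bak" || return 1
    sed -e 's/^\(hint\.acpi_throttle\.0\.disabled=\)"1"/\1"0"/' \
        -e 's/^\(hint\.p4tcc\.0\.disabled=\)"1"/\1"0"/' \
        "$hints.bak" > "$hints"
}

# Exit 0 if the named hint is set to "0" in the given file. Dots in the hint
# name are escaped so grep matches them literally rather than as wildcards.
hint_is_zero() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -q "^$name=\"0\"" "$1"
}

# Count the P-states in a "dev.cpu.0.freq_levels:" line read from stdin.
# Comparing the count before and after the edit shows whether the lower
# frequencies became available to powerd.
count_freq_levels() {
    sed 's/^[^:]*: *//' | wc -w | tr -d ' '
}

# Constructed example of what the sysctl line looks like (7 levels).
SAMPLE_FREQ_LINE='dev.cpu.0.freq_levels: 2000/2000 1900/1874 1800/1749 1600/1518 1400/1302 1200/1096 1000/902'

# Usage: run the edit on the sample file and report what changed.
sample=$(make_sample_hints)
enable_low_freq_hints "$sample"
for h in hint.acpi_throttle.0.disabled hint.p4tcc.0.disabled; do
    if hint_is_zero "$sample" "$h"; then
        echo "$h is now 0"
    else
        echo "$h is still 1"
    fi
done
echo "frequency levels in sample: $(printf '%s\n' "$SAMPLE_FREQ_LINE" | count_freq_levels)"
rm -f "$sample" "$sample.bak"
```

To apply it to a real box, point enable_low_freq_hints at /boot/device.hints from the SSH shell (option 8) and reboot; the .bak file it leaves beside the original is your way back if the lower P-states cause trouble.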

7. Port forwarding

Go to Firewall: NAT and then click the add button. Enter the IP address and port for the destination and (most likely) the same port for the external port. For more detailed information I recommend a post by splurben on the pfSense forums.

8. NAT Reflection

I use my laptop both at home on the LAN and away from home, and in both cases I want to access various web interfaces on the LAN. I use DDNS to get a domain name and wanted to use this to connect even when connected to the LAN. This requires NAT reflection, which can be enabled under System: Advanced: NAT Reflection mode for port forwards. You may (probably) also need to enable 2 other options on this page: Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection.

9. Ad blocking

All of my PC web browsers have an ad blocker installed, but the same can't be said of my Android devices, as these have to be rooted to install blockers. So being able to block ads with pfSense is one of the major advantages of using it. First, go to System: Package Manager, then search for pfBlockerNG and install it. You can then configure it using Firewall: pfBlockerNG. I then used the guide by FredMerc to configure it. A brief summary of the settings I've used is as follows. Go to Firewall: pfBlockerNG, then click on the DNSBL tab, and then click on the DNSBL EasyList tab. Turn on the top EasyList feed and point it to EasyList. Then click the add button, set the second EasyList feed to EasyPrivacy and turn that on too. List action should be "unbound" and I set the update frequency to 1 day. Click Save. Then go to the DNSBL tab and enable the Enable DNSBL option. Finally go to the General tab and enable pfBlockerNG.

9b. Adblock fixes

The default pfBlockerNG configuration causes problems for the Amazon Android app. To avoid this, and other issues, it is worth using some whitelisting. Go to Firewall: pfBlockerNG, then click on the DNSBL tab, scroll down to custom domain whitelist and enter the following (thanks to bchow on the pfSense forums)

You may also want to enable the Alexa whitelist of top sites.

10. Transparent Squid proxy

I decided to set up a transparent Squid proxy, as much of the browsing that we do hits the same sites repeatedly on different devices. I don't expect it to make a huge difference, but I can't see any good reasons not to. Use System: Package Manager to install Squid. Then go to Services: Squid Proxy Server to configure it. This is also needed for SquidGuard if you want to use it, as I do.

11. Web filtering for child safety with SquidGuard

I have young children in the house and want to block unsuitable content. This can be achieved with the SquidGuard package and Shalla's Blacklists. Install squidguard from System: Package Manager. Then go to Services: SquidGuard Proxy Filter. Go to the Blacklist tab, enter the address http://www.shallalist.de/Downloads/shallalist.tar.gz and click download. Then use the Common ACL tab, click on the plus button and select the categories you wish to block. It is also necessary to set up a dummy target category due to a bug. For more information see this post on the pfSense forum. Don't forget to set the default for all of the lists to allow at the very bottom of the lists. Thanks to networkinggeek on the pfSense forums for this tip. Lastly, it may be worth editing a couple of advanced options so that blocked requests are only cached for a short period of time; that way, if you decide to unblock some sites you won't have to clear the browser cache to access them. There is more information on the pfSense forum. I had to whitelist the category [blk_BL_sex_lingerie] so that my wife could buy underwear, as the filter was blocking the underwear sections on mainstream retailers (e.g. Debenhams).

12. Enable UPnP for a range of services (gaming, messaging, torrents, etc.)

Go to Services: UPnP & NAT-PMP, tick the top 2 boxes (Enable UPnP & NAT-PMP and Allow UPnP Port Mapping), and click Save.

13. Blocking malicious traffic with Snort

To detect and block potentially malicious traffic you can install the Snort package. I recommend running it without blocking for the first few weeks, as it will otherwise block lots of things you don't want due to large numbers of false positives. I recommend using the following suppression list to avoid some of the most annoying false positives

14. Getting web access to the modem through the pfSense box

My Netgear DM200 modem (in pass-through mode) is only accessible via a fixed IP address (192.168.5.1). I wanted to be able to access its web interface from LAN computers. There are some instructions in the pfSense wiki, but these didn't work for me at first. There is a helpful post by user Nonsense on the pfSense forum

14b. Showing the modem connection statistics on the pfSense dashboard

After some head-scratching I figured out a way to make the modem statistics for my Netgear modem show on my dashboard. This is done by creating a custom widget with PHP code. Go to Diagnostics and Edit File. Create a new file at the path

with the con­tents

You will need to customise the username and password. The above code works for the Netgear DM200, and probably other Netgear modems and routers. For other makes of hardware you will need a different address for the statistics, and you may need to do additional manipulation of the response using PHP.
Note that I have overridden the default Netgear refresh interval; I've turned it off, as the reload breaks the dashboard display. To get updated numbers just refresh the pfSense dashboard using your web browser's reload button.
Now go to the dashboard and add the widget and you're all done.

15. Fixing the certificate warning when logging in

See this guide.
