Replacing the BT Infinity SmartHub with pfSense

When I moved to a new house a year ago I was finally able to join the 21st century and ordered BT Infinity, which comes with a SmartHub. The SmartHub is actually fairly decent kit considering it comes free, but as with most ISP-supplied devices it is locked down in some ways; for example you can't use your own DNS servers, which I prefer to do. In the early days of ADSL (circa 2001) I ran a smoothwall box instead of a router, and for a number of reasons (including internet filtering controlled by me rather than by an ISP) I decided to go back to a Linux-based firewall router.

The little Celeron J1900 box I got to do the hardware side of things didn't want to install smoothwall, so I installed pfSense instead. I also had to get a VDSL (fibre) modem to connect the router to the phone socket. I got a Netgear DM200, which is actually a full router that can be switched into "modem only" mode. Getting the whole arrangement working took quite some fiddling, so I thought I'd pull all the resources together in one place.

1. Installing pfSense

I needed to install pfSense via USB, so effectively by flash drive. This was made possible by the use of a blank pen drive, software called rufus, and the 'memstick' download of pfSense.

2. Configuring the Netgear DM200

To do anything with the DM200 you will have to connect both a LAN cable and the phone socket to it. Your PC should get an address from the Netgear by DHCP, but if it doesn't you will need to manually set your IP address to 192.168.5.x (x being anything from 2 to 254). You can then log in via the web interface at the modem's address. The default login username is Admin and the password is password. Select the "advanced" tab, and then the "advanced" menu option at the bottom left of that page. Under that select the "device mode" option. Change the device mode to "Modem (modem only)" and click apply. You can see more details and screenshots on the Netgear help pages.

3. Log in and change the default password

Connect your pfSense box to the LAN and connect to it using the web interface via its LAN IP address (which it will display on its default boot-up screen if you connect a display to it). You may have to change your local IP address to achieve this. Log in to pfSense with the username Admin and password pfSense. Go through the setup wizard and, when given the opportunity, change the default web UI password. For more detailed information on steps 1-3 I recommend a guide on tecmint.

4. Configuring the pfSense box to get a basic connection

I use BT Infinity and getting the right settings proved trickier than I had hoped. I had to first configure the WAN settings correctly and, after that, set the correct profile for the WAN interface. First, go to Interfaces: WAN and set the following.

IPv4 Configuration Type: PPPoE
IPv6 Configuration Type: DHCP6
Use IPv4 connectivity as parent interface: ticked
Request only an IPv6 prefix: ticked
DHCPv6 Prefix Delegation size: 56
Password: any value will work

Save the changes, and then go to Interfaces: Assignment. Set the WAN interface to "PPPOE…", which after saving should show with the physical interface in brackets; in my case it says "PPPOE (em0)". Save the changes again and hopefully you will get a connection.

4b. WAN MTU value

In the WAN interface settings you might want to adjust your MTU setting to work optimally with BT Infinity, to avoid fragmented packets and possible packet loss. I have written a dedicated article on this topic.

5. IPv6 testing

The settings above should be sufficient to get IPv6 working on your LAN clients; you should also see an IPv6 address for the pfSense LAN interface (i.e. one that doesn't start fe80). Try pinging google.com from a terminal window on a LAN client; if you get a response from the IPv6 address then all is well. You can also check that all is correct using test-ipv6.com. Thanks to Danneh for the settings. For more information I recommend this reddit thread.

There is one further tweak required to make sure IPv6 works fully: you need to allow ICMPv6 packets through the firewall. Go to Firewall, and then Rules. Add a new rule, set the address family to IPv6, change the protocol to ICMP, and leave "any" selected as the subtypes (unless you want to do a lot more reading about specific subtypes). Click Save, and then click "Apply Changes".
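The "doesn't start fe80" check above is easy to get wrong by eye, because a LAN interface always carries a link-local address and a unique-local (fd00::/8) address can look like a real one without giving you internet reachability. The following is an added example, not code from the original post, that classifies the inet6 lines of FreeBSD ifconfig output into link-local, ULA and global and reports whether a global address is present. The ifconfig excerpt is constructed (it uses the 2001:db8::/32 documentation range as a stand-in for a real delegated prefix), and the interface name em1 is an assumption.

```python
import ipaddress
import re

# Constructed sample of FreeBSD `ifconfig` output for a pfSense LAN interface
# (not captured from a real box): one link-local and one global address.
# 2001:db8::/32 is documentation space, standing in for a real BT-delegated prefix.
SAMPLE_IFCONFIG = """\
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
\tinet6 fe80::1%em1 prefixlen 64 scopeid 0x2
\tinet6 2001:db8:1234:5600::1 prefixlen 64
"""

# Matches "inet6 <addr>[%zone] prefixlen <n>"; the %zone suffix only appears on link-local.
INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)(?:%\w+)?\s+prefixlen\s+(\d+)", re.M)

ULA_NET = ipaddress.IPv6Network("fc00::/7")  # unique-local, not routable on the internet


def classify_inet6(ifconfig_text):
    """Return [(address, prefixlen, kind)] for every inet6 line.

    kind is 'link-local' (fe80::/10, present on every interface even with no
    IPv6 connectivity), 'ula' (fc00::/7) or 'global' (what a working
    DHCPv6-PD setup should give the LAN interface).
    """
    result = []
    for addr, plen in INET6_RE.findall(ifconfig_text):
        ip = ipaddress.IPv6Address(addr)
        if ip.is_link_local:
            kind = "link-local"
        elif ip in ULA_NET:
            kind = "ula"
        else:
            kind = "global"
        result.append((addr, int(plen), kind))
    return result


def has_global_ipv6(ifconfig_text):
    """True if at least one non-link-local, non-ULA address is configured."""
    return any(kind == "global" for _, _, kind in classify_inet6(ifconfig_text))


if __name__ == "__main__":
    for addr, plen, kind in classify_inet6(SAMPLE_IFCONFIG):
        print(f"{addr}/{plen}: {kind}")
    print("global IPv6 present:", has_global_ipv6(SAMPLE_IFCONFIG))
```

On the router itself you would feed it the real output (for example from the Diagnostics: Command Prompt page running ifconfig on the LAN interface); a result with only link-local entries means the prefix delegation in step 4 is not working yet, regardless of what ping reports.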

6. Enabling Intel Enhanced SpeedStep

I don't want my low-powered router running at full tilt all the time, but sadly pfSense doesn't seem to correctly support Intel Enhanced SpeedStep by default at the moment. To get mine working (and a lower CPU temperature to go with it!) I had to enable PowerD in System -> Advanced -> Miscellaneous -> Enable PowerD. If you want to enable the lowest frequencies (although these don't save much power) you will also need to make the following changes: go to Diagnostics, Edit File. Then enter the file path /boot/device.hints and change the bottom 2 entries from 1 to 0 (namely hint.acpi_throttle.0.disabled and hint.p4tcc.0.disabled). Thanks to SecondEdge and dreamslacker for these tips. To check this is working you will need to log in to the router via SSH, select option 8 (shell) and run sysctl dev.cpu | grep freq. This took my CPU core temperature from 66C to 57C, not bad for a tiny fanless system packed in next to another PC, the modem, and an 8-port switch.
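The two edits to /boot/device.hints and the sysctl check are the kind of thing worth scripting so they can be repeated after an upgrade overwrites the file. As an added example (not part of the original post, and not pfSense's own tooling), the following Python flips exactly those two hints from "1" to "0", is a no-op if they are already set, and parses the `sysctl dev.cpu | grep freq` output to confirm the CPU is actually sitting at a reduced frequency. The device.hints excerpt and the sysctl output are constructed samples; the power figures in freq_levels are arbitrary.

```python
import re

# Constructed excerpt of /boot/device.hints (not copied from a real install);
# only the last two lines are the ones this step changes.
SAMPLE_HINTS = """\
hint.fdc.0.at="isa"
hint.fdc.0.port="0x3F0"
hint.acpi_throttle.0.disabled="1"
hint.p4tcc.0.disabled="1"
"""

HINT_RE = re.compile(r'^(hint\.(?:acpi_throttle|p4tcc)\.0\.disabled)="1"\s*$')


def enable_low_freq_hints(text):
    """Return (new_text, changed_keys) with both throttling hints set to "0".

    Every other line is passed through untouched, and a file that already has
    the hints at "0" comes back unchanged with an empty changed_keys list.
    """
    out, changed = [], []
    for line in text.splitlines(keepends=True):
        m = HINT_RE.match(line)
        if m:
            out.append(f'{m.group(1)}="0"\n')
            changed.append(m.group(1))
        else:
            out.append(line)
    return "".join(out), changed


# Constructed sample of `sysctl dev.cpu | grep freq` output after the change.
# FreeBSD reports freq_levels as "MHz/power" pairs; the current setting is dev.cpu.0.freq.
SAMPLE_SYSCTL = """\
dev.cpu.0.freq_levels: 1993/2000 1743/1750 1494/1500 1245/1250 996/1000 747/750 498/500 249/250
dev.cpu.0.freq: 498
"""


def parse_freq(sysctl_text):
    """Return (current_mhz, [available_mhz, ...]) from the sysctl output."""
    current, levels = None, []
    for line in sysctl_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dev.cpu.0.freq_levels":
            levels = [int(pair.split("/")[0]) for pair in value.split()]
        elif key == "dev.cpu.0.freq":
            current = int(value)
    return current, levels


def throttling_active(sysctl_text):
    """True if PowerD has the CPU below its top frequency level right now."""
    current, levels = parse_freq(sysctl_text)
    return current is not None and bool(levels) and current < max(levels)


if __name__ == "__main__":
    new_text, changed = enable_low_freq_hints(SAMPLE_HINTS)
    print("changed:", changed)
    print(new_text)
    print("current/levels:", parse_freq(SAMPLE_SYSCTL))
    print("throttling active:", throttling_active(SAMPLE_SYSCTL))
```

Note that throttling_active only tells you the CPU is below its maximum at the instant sysctl ran; on an idle router that is the expected state, while a box that stays at the top level under no load is the sign that PowerD or the hints are not taking effect.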

7. Port forwarding

Go to Firewall: NAT and then click the add button. Enter the IP address and port for the destination and (most likely) the same port for the external port. For more detailed information I recommend a post by splurben on the pfSense forums.

8. NAT reflection

I use my laptop both at home on the LAN and away from home, and in both cases want to access various web interfaces on the LAN. I use DDNS to get a domain name and wanted to use this to connect even when connected to the LAN. This requires NAT reflection, which can be enabled under System: Advanced: NAT Reflection mode for port forwards. You may (probably) also need to enable 2 other options on this page: Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection.

9. Adblocking

All of my PC web browsers have Adblock installed, but the same can't be said of my Android devices, as these have to be rooted to install blockers. So being able to block ads with pfSense is one of the major advantages of using it. First, go to System: Package Manager, then search for pfBlockerNG and install it. You can then configure it using Firewall: pfBlockerNG. I then used the guide by FredMerc to configure it. A brief summary of the settings I've used is as follows. Go to Firewall: pfBlockerNG, click on the DNSBL tab, and then click on the DNSBL EasyList tab. Turn on the top EasyList feed and point it to EasyList. Then click the add button, set the second EasyList feed to EasyPrivacy and turn that on too. List action should be "unbound" and I set the update frequency to 1 day. Click Save. Then go to the DNSBL tab and turn on the Enable DNSBL option. Finally go to the General tab and enable pfBlockerNG.

9b. Adblock fixes

The default pfBlockerNG configuration causes problems for the Amazon Android app. To avoid this, and other issues, it is worth using some whitelisting. Go to Firewall: pfBlockerNG, click on the DNSBL tab, scroll down to custom domain whitelist and enter the following (thanks to bchow on the pfSense forums):

.ssl-google-analytics.l.google.com # CNAME for (ssl.google-analytics.com)
.www-google-analytics.l.google.com # CNAME for (www.google-analytics.com)
.googleapis.com # is important for amazon app to work
.1e100.net # cname? altname? for googleapis.com
.ad.doubleclick.net # needed for Clash of Clans?
.g.doubleclick.net # needed for Clash of Clans?
.q1mediahydraplatform.com # needed for Hungryhouse android app?

You may also want to enable the Alexa whitelist of top sites.

10. Transparent squid proxy

I decided to set up a transparent squid proxy, as much of the browsing that we do hits the same sites repeatedly on different devices. I don't expect it to make a huge difference, but I can't see any good reasons not to. Use System: Package Manager to install squid. Then go to Services: Squid Proxy Server to configure it. This is also needed for SquidGuard if you want to use it, as I do.

11. Web filtering for child safety with SquidGuard

I have young children in the house and want to block unsuitable content. This can be achieved with the SquidGuard package and Shalla's Blacklists. Install squidguard from System: Package Manager. Then go to Services: SquidGuard Proxy Filter. Go to the Blacklist tab, enter the address http://www.shallalist.de/Downloads/shallalist.tar.gz and click download. Then use the Common ACL tab, click on the plus button and select the categories you wish to block. It is also necessary to set up a dummy target category due to a bug. For more information see this post on the pfSense forum. Don't forget to set the default for all of the lists to allow at the very bottom of the lists. Thanks to networkinggeek on the pfSense forums for this tip. Lastly, it may be worth editing a couple of advanced options so that blocked requests are only cached for a short period of time; that way, if you decide to unblock some sites you won't have to clear the browser cache to access those sites. There is more information on the pfSense forum. I had to whitelist the category [blk_BL_sex_lingerie] so that my wife could buy underwear, as the filter was blocking the underwear sections on mainstream retailers (e.g. Debenhams).

12. Enable UPnP for a range of services (gaming, messaging, torrents, etc.)

Go to Services: UPnP & NAT-PMP, tick the top 2 boxes (Enable UPnP & NAT-PMP and Allow UPnP Port Mapping), and click Save.

13. Blocking malicious traffic with Snort

To detect and block potentially malicious traffic you can install the Snort package. I recommend running it without blocking for the first few weeks, as it will block lots of things you don't want due to large numbers of false positives. I recommend using the following suppression list to avoid some of the most annoying false positives:

#ET P2P Bittorrent P2P Client User-Agent (uTorrent)
suppress gen_id 1, sig_id 2011706
#ET P2P BitTorrent DHT announce_peers request
suppress gen_id 1, sig_id 2008585
#(spp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
#ET P2P BitTorrent DHT ping request
suppress gen_id 1, sig_id 2008581
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
suppress gen_id 120, sig_id 8
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
suppress gen_id 119, sig_id 2
suppress gen_id 120, sig_id 6
suppress gen_id 119, sig_id 7
suppress gen_id 119, sig_id 4
#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9
suppress gen_id 120, sig_id 10
#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33
#(http_inspect) U ENCODING
suppress gen_id 119, sig_id 3
suppress gen_id 119, sig_id 2
suppress gen_id 120, sig_id 11
suppress gen_id 120, sig_id 4
#Directshow FILE-IMAGE GIF logical width overflow attempt
suppress gen_id 1, sig_id 27525
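Before pasting a suppression list like the one above into the Snort package, it is worth checking that every line parses (a typo such as a translated keyword silently leaves that rule unsuppressed) and seeing which alerts from the "run without blocking" weeks it would actually remove. The following is an added example, not the original post's code nor anything shipped with the pfSense Snort package: it parses suppress entries into (gen_id, sig_id) pairs, rejects malformed lines, and filters constructed Snort "fast" alert lines against them. The three alert lines are constructed samples; the 1:2100498 entry is a real rule id used only to show an alert that is not on the list.

```python
import re

# One "suppress gen_id N, sig_id M" per line; the keyword and field names are
# matched case-insensitively because pasted lists are often mangled.
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*$", re.I)

# Snort "fast" alert format carries the id as "[**] [gen_id:sig_id:rev] message".
ALERT_ID_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]")

# Constructed extract of the suppression list from the post, with a comment line
# and an uppercase entry to show both are accepted.
SAMPLE_SUPPRESS = """\
#ET P2P BitTorrent DHT ping request
suppress gen_id 1, sig_id 2008581
#(spp_ssl) Invalid Client HELLO after Server HELLO Detected
SUPPRESS GEN_ID 137, sig_id 1
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 31
"""

# Constructed alert lines in Snort fast format (not a real capture).
SAMPLE_ALERTS = [
    "04/12-10:00:01.000000  [**] [1:2008581:4] ET P2P BitTorrent DHT ping request [**] [Priority: 3] {UDP} 192.168.1.20:6881 -> 203.0.113.9:6881",
    "04/12-10:00:02.000000  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.21:51234 -> 203.0.113.10:80",
    "04/12-10:00:03.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 203.0.113.11:80 -> 192.168.1.22:51235",
]


def parse_suppress_list(text):
    """Return the set of (gen_id, sig_id) pairs in a Snort suppress list.

    Blank lines and '#' comments are skipped. Any other line that is not a
    well-formed suppress entry raises ValueError with its line number, since
    an entry Snort would ignore is exactly the one you want to know about.
    Duplicates collapse naturally because the result is a set.
    """
    ids = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a suppress entry: {raw!r}")
        ids.add((int(m.group(1)), int(m.group(2))))
    return ids


def alert_id(alert_line):
    """Extract (gen_id, sig_id) from a fast-format alert line, or None."""
    m = ALERT_ID_RE.search(alert_line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def filter_alerts(alert_lines, suppressed):
    """Return only the alerts that would still fire with the given suppress set."""
    return [a for a in alert_lines if alert_id(a) not in suppressed]


if __name__ == "__main__":
    ids = parse_suppress_list(SAMPLE_SUPPRESS)
    print("suppressed ids:", sorted(ids))
    for line in filter_alerts(SAMPLE_ALERTS, ids):
        print("still fires:", line)
```

Running it over a day of alert log lines before switching Snort to blocking mode gives a quick view of what will remain; if the remaining alerts are dominated by one more preprocessor id, that is a candidate for the list, whereas a rule-based alert with a high priority like the third sample is one to keep.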

14. Getting web access to the modem through the pfSense box

My Netgear DM200 modem (in pass-through mode) is only accessible via a fixed IP address, and I wanted to be able to access its web interface from LAN computers. There are some instructions in the pfSense wiki, but these didn't work for me at first. There is a helpful post by user Nonsense on the pfSense forum.

14b. Showing the modem's connection statistics on the pfSense dashboard

After some headscratching I figured out a way to make the modem statistics for my Netgear modem show on my dashboard. This is done by creating a custom widget with PHP code. Go to Diagnostics and Edit File. Create a new file at the path

/usr/local/www/widgets/widgets/modemstatus.widget.php

with the contents

<?php
// Fetch the modem's status page; the modem address and status-page path are
// missing from this post as archived, so replace the placeholders with your own.
// This file holds the modem credentials in clear text, so keep its permissions tight.
$status = file_get_contents("http://USERNAME:PASSWORD@MODEM-ADDRESS/STATUS-PAGE");
// Turn off the page's own auto-refresh, which otherwise breaks the dashboard.
$status = str_replace("var TimeReset = \"5\";", "var TimeReset = \"0\";", $status);
echo $status;
?>

You will need to customise the username and password. The above code works for the Netgear DM200, and probably other Netgear modems and routers. For other makes of hardware you will need a different address for the statistics, and you may need to do additional manipulation of the response using PHP.
Note that I have overridden the default Netgear refresh interval; I've turned it off as the reload breaks the dashboard display. To get updated numbers just refresh the pfSense dashboard using your web browser's reload button.
Now go to the dashboard and add the widget and you're all done.

15. Fixing the certificate warning when logging in

See this guide.

16. Tell Firefox to use local DNS instead of DNS over HTTPS, which bypasses our filters (added April 2020)

In Services -> DNS Resolver, add the following lines to the "custom options" field:

server:
local-zone: "use-application-dns.net." always_nxdomain

17. Use the pfSense box's domain name for blocked resources instead of its IP (added April 2020)

Services -> SquidGuard Proxy Filter -> Common ACL
Change "Redirect Mode" to "ext url move (enter URL)"
In the "Redirect info" field set "https://your-router-name/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u"



2 Comments


Fantastic guide, where do I place this in floating rules?
There is one further tweak required to make sure IPv6 works fully, you need to allow ICMPv6 packets through the firewall. Go to Firewall, and then Rules. Add a new rule, set the address family to IPv6, change the protocol to ICMP, leave "any" selected as the subtypes (unless you want to do a lot more reading about specific subtypes). Click Save, and then click "Apply Changes".

Pls keep the guides coming !!

Jon Scaife

Thanks for the extra information. I had indeed enabled ICMPv6 packets but must have forgotten that I had when I wrote this. I'll update it. I'm not sure which part of the guide your first question refers to?