Maybe it's just me, but somehow I think that in the recent past a lot of people came to this board and asked a question which has been answered a few times before.
I'm trying to make a thread here (which I intend to update) that provides a list of links to threads that answer stuff I see repeatedly appear in the forum.
Also I'm trying to write some kind of "getting started", or better said a collection of random information which should be useful for pfSense, which one day maybe can go into the docs.
If anyone wants to help me, please post it here or send a PM.

--------------------------------------------------------------------
If you are looking for help on the forum because you have a problem:
provide as much information as possible.
(log-outputs, screenshots of config/rules, etc.)
Often a diagram (ASCII art?) can help more than pages of description of how your network is set up.
Before you ask on the Forum:
USE THE SEARCH-FUNCTION OF THE FORUM!
There are some Tutorials here:
http://doc.pfsense.org/index.php/Tutorials
And the docs here:
http://doc.pfsense.org/index.php/Main_Page
Also a devwiki:
http://devwiki.pfsense.org/PfSenseDevHome
--------------------------------------------------------------------
Hardware:
Before buying it, check the supported hardware page
http://www.freebsd.org/releases/6.2R/hardware-i386.html
Network cards: Use Intel server cards where possible.
If you're not able to boot your hardware:
http://devwiki.pfsense.org/BootTroubleShooting
If you are experiencing high pings/high latency:
Your hardware is most probably undersized or you have an interrupt problem (caused by bad NICs).
-----------------------------------
If you're installing to a CF Card use the embedded version.
A fullinstall to a CF will kill the card. The CF should be minimum 128 MB (more works too but the space is not used).
If you want to use packages you need to use the full version --> install to a HD. Alternatively you can use a Microdrive (Harddisk in CF format).
-->
YOU CAN NOT USE PACKAGES WITH THE EMBEDDED INSTALL (don't ask why, don't ask how you can get packages to run on the embedded, just accept the fact!)
cheesyboofs posted some info on how to get certain types of microdrives to run.
http://forum.pfsense.org/index.php/topic,11016.msg61193.html#msg61193
The embedded version does not have any VGA output. Connect and configure via the serial port.
-----------------------------------
Tutorial for PXE booting FreeDOS and updating the Bios of an ALIX:
http://forum.pfsense.org/index.php/topic,6729.msg39665.html#msg39665
Also, a few posts below this link is a way to install without booting over the network, by writing a CF which is NOT 128 MB.
-----------------------------------
If you want to do a fullinstall to a harddisk on embedded hardware (like an ALIX or soekris)
http://devwiki.pfsense.org/FullInstallOnWRAP
--------------------------------------------------------------------
System:
Advanced:
If you want to be able to use NAT mappings from within your own LAN, disable the checkbox "Disable NAT Reflection".
General Setup:
If you get your IP on WAN per DHCP you mostly get a DNS assigned automatically.
When you use a static IP on WAN (instead of per DHCP) you need to set the DNS servers here.
Static Routes:
The dropdown for the interface defines on which interface the gateway for the remote subnet is reachable.
It does NOT mean that the static route is applied to inbound traffic on the selected interface.
-----------------------------------
Interfaces:
If you are having problems with FTP and the FTP-helper:
Dotdash posted some info on what the problem with FTP and NAT is.
-->
http://forum.pfsense.org/index.php/topic,7096.msg40254.html#msg40254
-----------------------------------
Firewall:
NAT:
You can use port-aliases to forward multiple single ports in a single rule.
Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON) but this is usually unnecessary and adds unneeded complexity.
For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON.
(screenshots to clarify:
http://forum.pfsense.org/index.php/topic,7693.0.html )
This might create a problem for FTP with multiWAN
more here:
http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810
If you are running IPsec or VoIP clients in your network you might want to enable the static port option. The same goes for most games.
More info on that here:
http://doc.pfsense.org/index.php/Static_Port
For NAT port forwardings: NAT is applied before the firewall rules.
If you want to use 1:1 NAT mappings with additional IPs on the WAN:
Set these VIPs up first.
You can enter the IP which should be on your WAN in the 1:1 NAT config, but without setting up a VIP first it just won't work.
1:1 NAT is bidirectional.
Meaning traffic originating from the Computer that is 1:1 NATed will appear as if from the external IP used in the 1:1 NAT mapping.
NAT-Reflection does not work with 1:1 NAT
http://forum.pfsense.org/index.php?topic=7266.msg41244
quote:
You most likely need to set up split DNS or add a port forward on top of the 1:1 NAT to invoke reflection. Reflection by default does not work with 1:1 NATs. So you're most likely resolving the public IP address which will not forward back across to the 1:1 server.
How to set up split-DNS with the DNS-forwarder in pfSense:
http://forum.pfsense.org/index.php/topic,9440.0.html
If you have problems with FTP and NAT:
http://forum.pfsense.org/index.php/topic,7096.0.html
My "personal solution" to FTP problems:
quote from:
http://forum.pfsense.org/index.php/topic,10844.msg60345.html#msg60345
1: Disable the ftp-helper on all interfaces.
2: Define a port-range on your ftp-server for the data-transfer.
3: Forward port 21 and your data-transfer-range to your server. You can do that for multiple WANs.
Rules:
Rules are processed from top to bottom.
If a rule matches, the rest of the rules are no longer considered.
By default a "block all" rule is always in place (invisible below your own rules).
Traffic is filtered on the interface on which the traffic comes in.
So traffic coming in on the LAN interface will only be processed by the rules you define on the LAN tab.
If you have a private subnet on your WAN: uncheck the "Block private networks" checkbox on your WAN-config page.
Trafficshaper:
Currently the Trafficshaper only works between 2 interfaces (not with MultiWAN).
Virtual IPs:
A service (services on pfSense) cannot bind to a Proxy ARP VIP. Use CARP for that instead.
You can NOT ping Proxy ARP VIPs.
Use CARP VIPs instead.
http://forum.pfsense.org/index.php/topic,4499.0.html
A description of what the differences between the 3 types of VIPs are:
http://forum.pfsense.org/index.php/topic,3987.msg24632.html#msg24632
-----------------------------------
VPN:
OpenVPN:
If you want to force your clients to send their traffic over the VPN you need to set some custom options.
Please read the following thread for more info:
http://forum.pfsense.org/index.php/topic,6056.0.html
If you are using MultiWAN and your local LAN should be able to connect to the clients connecting to your network:
you need to have a rule above your default rule (which has the loadbalancer as gateway)
with your VPN subnet as destination and the default gateway (displayed as *) as gateway, NOT the loadbalancer.
The config files for the OpenVPN servers and clients are saved in the path /var/etc/
You cannot access windows shares via the "My network places" because windows shares work with UDP-broadcasts.
The VPN is routed and will block broadcasts.
If you want to access a windows share you have to access it directly by IP
ie: start-->run: \\IPofServer
--------------------------------------------------------------------
General Stuff:
If you want to make use of WANx for a service on pfSense:
You need a static route to the <remote-tunnel-endpoint-IP>/32 via <gateway-of-wan2>. All services running directly on pfSense (like IPsec, a proxy, the DNS forwarder, ...) only follow the routing table definitions.
pfSense is not Linux but FreeBSD
If you really HAVE to use ifconfig aliases on an interface here is a small howto:
http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf
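
--------------------------------------------------------------------
Added example (not part of the original post and not pfSense code): a small Python model of the rule processing described under "Rules" (per-interface tabs, top-to-bottom first match, invisible default block) and of the MultiWAN/OpenVPN rule ordering described under "VPN". The subnet 10.8.0.0/24, the addresses and the gateway label "loadbalancer" are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str          # "pass" or "block"
    dst: str             # destination network in CIDR notation, or "any"
    gateway: str = "*"   # "*" = default gateway (follow the routing table)


def evaluate(rules_by_iface, in_iface, dst_ip):
    """Return (action, gateway) for a packet that arrived on in_iface.

    Only the rules on the tab of the inbound interface are consulted,
    top to bottom, and the first match wins. If nothing matches, the
    invisible "block all" rule below the user rules applies.
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules_by_iface.get(in_iface, []):
        net = ipaddress.ip_network("0.0.0.0/0" if rule.dst == "any" else rule.dst)
        if ip in net:
            return rule.action, rule.gateway
    return "block", None


# Constructed sample rule sets (assumed values, not from the post).
VPN_RULE = Rule("pass", "10.8.0.0/24", "*")        # OpenVPN client subnet
DEFAULT_RULE = Rule("pass", "any", "loadbalancer")  # MultiWAN default LAN rule

CORRECT = {"LAN": [VPN_RULE, DEFAULT_RULE], "WAN": []}
WRONG_ORDER = {"LAN": [DEFAULT_RULE, VPN_RULE], "WAN": []}


def demo():
    return {
        # VPN rule above the default rule: routed via the default gateway.
        "vpn_correct": evaluate(CORRECT, "LAN", "10.8.0.6"),
        # Default rule first: it matches and the VPN rule is never reached.
        "vpn_wrong": evaluate(WRONG_ORDER, "LAN", "10.8.0.6"),
        "internet": evaluate(CORRECT, "LAN", "198.51.100.7"),
        # No rules on the WAN tab: inbound traffic hits the default block.
        "wan_inbound": evaluate(CORRECT, "WAN", "192.168.1.10"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```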