Tuesday, December 30, 2014

Getting pfSense Up and Routing in Hyper-V - Series, Part 3: The Synergy of Hyper-V and pfSense

I had a nice little break for Christmas, but we have work to do. Let's get this pfSense router working with Hyper-V and then we'll go into some extra bonus features. I say some because you could write an entire blog on pfSense features.

In part one, we focused on setting up Hyper-V so that it doesn't freak out when you slap pfSense inside of it. It took a lot of trial and error on my part to figure it out back in the day, so now you don't have to.

(Part 1) The Synergy of Hyper-V and pfSense - Prepping Hyper-V


In part two, we installed and configured pfSense so that we could get connected through webConfigurator, the web GUI. However, that's all we did, so we need to turn it into an actual router.

(Part 2) The Synergy of Hyper-V and pfSense - Connecting to the webConfigurator


So, here's what we're looking at...


webConfigurator - Configuration Using the Web... even though it's not on the "web"



Username: admin
Password: pfsense

Log in, and you get this screen:


If you log in and do not get this screen and want to get this screen to follow along, go to System -> Setup Wizard from the landing page.


Normally, I skip this wizard and go straight to setting up firewall rules on all the interfaces, but we'll go through it this time. This wizard is honestly fantastic for such a powerful piece of technology.

1. Click Next.

2. pfSense Gold is definitely worth it and you should consider it at some point in the near future. However, because you're just getting started, just go ahead and click Next.

3. Fill out the fields for hostname, domain, and DNS server(s). See my router below.


You technically don't need to enter anything here. You could just hit next. But entering a hostname is just smart, putting the domain is helpful, and DNS servers are required to reach external update and patch servers. For DNS servers, you can use the ones I used above because they are publicly accessible and usable.

For "Override DNS", this means that if you connect the router directly to the internet and it receives a public IP address from your ISP, it will also receive a list of DNS servers. This also applies if your network has a DHCP server of its own on that subnet. If the router won't be directly connected to the web and your network won't ever have a DHCP server on this subnet, it doesn't matter what you put here. Just uncheck it if you are unsure.

Click Next.

4. Choose your timezone. The default NTP server will work just fine. More specific time servers can be found at http://www.pool.ntp.org/en/. Click Next.

5. We'll now configure our WAN interface first. Remember that WAN/LAN/OPT interface design plays a bigger role when using pfSense on physical hardware, but it's still important here. Let's take another look at the diagram for the router I'm configuring to determine how to set up this interface.


We'll go ahead and designate our interfaces based on this. I'm choosing these arbitrarily, but it needs to stay consistent so we don't get confused and misconfigure things. I'm also going to list the routes on these interfaces, which we'll come back to.

  • WAN interface: 10.123.123.6 /30      Routes: Default route through 10.123.123.5
  • LAN interface: 10.123.123.14 /30      Routes: 10.10.0.0 /24 through 10.123.123.13
  • OPT1 interface: 10.0.0.1 /25      Routes: none
  • OPT2 interface: 10.0.0.129 /25      Routes: none
So now we know what to enter on this screen. 

For "Selected Type" under "Configure WAN Interface", select Static.



For "IP Address" and "Upstream Gateway" under "Static IP Configuration", enter the correct information. Alternatively, you could enter the incorrect information. I'm using the info I listed above.


Remove the checkmarks for "RFC1918 Networks" (private addresses) and also for "Block bogon networks." We covered these types of addresses in part two of this series.


Click Next.

6. For the LAN interface, to which we're currently connected, just click Next. We'll fix it after we know that we can connect through another interface.

7. Set your administrator password on the next screen and click Next. If you can't think of a good password, use PenguinsDoNotLikeFalafel23.

8. Click Reload on the next screen to reload the webConfigurator. This means that, up to this point, no changes have been made. Once you reload, all your settings are saved. Keep this in mind if you ever forget to complete the wizard.


It's normal for this to take a long time. For some reason, I occasionally need to manually reboot the router to be able to reconnect. This is option 5.

9. Log back in with your new password.

10. If you have any additional interfaces, go ahead and configure them now. You can do this by selecting Interfaces -> OPT1 or whichever number it is.


The configuration screen is the same as what we saw for the WAN interface in step 5, except you first have to enable the interface. You do not need to configure an IPv6 address.

Be sure to Apply Changes whenever you're done making them. Otherwise, they won't take effect.


11. Now we're going to open up the firewall temporarily so that traffic can pass through. The idea is that you open it up all the way so that you can do other configuration first. That way, if you run into issues, you know that the firewall rules are not the issue. Later, when everything is working, you will go back to the inherent deny all system that I described in the previous post.

Go to Firewall -> Rules.


12. For the WAN interface, click the icon shown below to add a new rule.


13. The only thing you need to change is Protocol. Make it "any".


Click Save.

14. Click the icon for "add a new rule based on this one", shown below.


15. Change the interface to LAN. Click Save. Then repeat steps 14 and 15 for any additional interfaces. You can also make copies of your IPv4 rules and change them to IPv6 if you want. You can't have rules that apply to both IPv4 and IPv6. If you did that, you would have created 2 rules for each interface. The LAN interface should automatically have some extra rules.

16. After you have all your rules set, Apply Changes.

17. Go to System -> Routing.


18. Delete the gateway associated with the LAN interface.

(I forgot to highlight the delete button. It's the one with the X on the right side.)

19. We're now going to connect through a different interface so that we can make changes to the LAN interface, which we've been using to get to the webConfigurator. We first need to make sure you're all set with routing so you can, you know, reach the router.

Important: Keep in mind that your other routers need to be aware that the new guy and the network behind him exist. There should be a route set up on each upstream* router to direct traffic downstream. The process for this will vary greatly depending on what brand of equipment is being used. Refer to this footnote** for a little more information.

You can just try connecting via the browser at one of the other interfaces. The problem with this is that it might take longer than expected to load. That might also be annoying if you sit there waiting for it to load for a solid minute and then it fails.

You can also use these methods which will conveniently give you a tour of other parts of the interface.

If the router will have access to the Internet
The fastest way to make sure all is well is to go to Status -> Dashboard.

FYI, this is the "start screen" after you log in.

Check the interfaces. They should all be green and configured correctly--with the exception of the one you're using for the webConfigurator.


Then, look at System Information on the left.


If it says "You are on the latest version" or "Update available", then you are gravy (that's good). Go ahead and connect through the browser to one of the other interfaces.

If it says that it could not connect to check for updates, then you are not gravy. First things first, just reboot. That is pretty likely to fix it, especially if you are using pfSense version 2.1.5.

If you are still having issues, scroll to the bottom of this article and check out the Troubleshooting section.

If the router will not have Internet access
Go to Diagnostics -> Ping.


You want to make sure that you can ping the below hosts. If one works, all the ones below it should as well unless ICMP has been configured to disallow pings.
  • The computer you will access the webConfigurator from, which may be the same one you're using
  • The router closest to that computer along the path to the pfSense router (starting with the far interface, then the nearer one)
  • The next closest router
  • Any host on the directly connected network
  • Itself using the specified address
  • Itself using loopback (example: 127.0.0.1)
You can also do a route trace, but I think squeezing out a few pings ends up being a little faster.

If you're having problems, do a reboot. If you're still having problems, refer to the troubleshooting section at the end of this article.

Go ahead and connect to the interface in your browser and log yourself back in. Remember that you changed your password in an earlier step.

20. Go to Interfaces -> LAN. Configure this interface correctly and apply your changes.

21. Go back to System -> Routing.

22. Make sure you have routes for any networks that:

  • Aren't already going to go out through the default gateway
  • Aren't directly connected (i.e. you don't need a route for 172.16.0.0 if the router interface's IP address is 172.16.0.1 /24)
I am going to add a gateway for 10.123.123.13 /30 because that is how traffic will get to network 10.10.0.0 /24 on the LAN interface. Make sure you do NOT select "default gateway" for this gateway. You should only have one default gateway.


23. Click on the Routes tab.


24. Add any static routes that you need to create. For example:


Apply changes.
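Before clicking through the gateway and route screens, it helps to see the whole design from steps 5 through 24 in one place. The following Python model is an added example, not pfSense code or output: it takes the interface addresses, the single default gateway and the 10.10.0.0/24 static route from this post, does longest-prefix lookups, runs the two gateway checks from the Troubleshooting section below (exactly one default gateway, and the gateway inside its interface's subnet), and collapses the downstream networks the way footnote ** describes so an upstream router can carry one aggregate route.

```python
import ipaddress

# Interfaces exactly as designated earlier in this post (constructed table,
# not pfSense output): interface name -> address/prefix.
INTERFACES = {
    "WAN": "10.123.123.6/30",
    "LAN": "10.123.123.14/30",
    "OPT1": "10.0.0.1/25",
    "OPT2": "10.0.0.129/25",
}

# Gateways from the post: name -> (interface, address, is_default).
# Only the WAN-side gateway is the default; the LAN-side one exists just
# to carry the static route to 10.10.0.0/24.
GATEWAYS = {
    "WAN_GW": ("WAN", "10.123.123.5", True),
    "LAN_GW": ("LAN", "10.123.123.13", False),
}

# Static routes from step 24: (destination prefix, gateway name).
STATIC_ROUTES = [("10.10.0.0/24", "LAN_GW")]


def gateway_problems(interfaces, gateways):
    """The two gateway checks from the Troubleshooting section: exactly one
    default gateway, and each gateway inside the subnet of its interface
    (a WAN subnet that defaulted to /32 fails this). Empty list = all good."""
    problems = []
    defaults = [name for name, (_, _, is_default) in gateways.items() if is_default]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default gateway, found {defaults}")
    for name, (ifname, addr, _) in gateways.items():
        subnet = ipaddress.ip_interface(interfaces[ifname]).network
        if ipaddress.ip_address(addr) not in subnet:
            problems.append(f"{name} {addr} is not inside {ifname} subnet {subnet}")
    return problems


def build_table(interfaces, gateways, static_routes):
    """Routing table as (network, next hop or None, egress interface).
    Directly connected networks have no next hop; the default route is 0.0.0.0/0."""
    table = [(ipaddress.ip_interface(spec).network, None, ifname)
             for ifname, spec in interfaces.items()]
    for prefix, gw_name in static_routes:
        ifname, addr, _ = gateways[gw_name]
        table.append((ipaddress.ip_network(prefix), ipaddress.ip_address(addr), ifname))
    for ifname, addr, is_default in gateways.values():
        if is_default:
            table.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(addr), ifname))
    return table


def lookup(table, dst):
    """Longest-prefix match. Returns (matched network, next hop, interface)
    as strings, or None when nothing matches (only possible with no default route)."""
    dst = ipaddress.ip_address(dst)
    candidates = [route for route in table if dst in route[0]]
    if not candidates:
        return None
    net, gw, ifname = max(candidates, key=lambda route: route[0].prefixlen)
    return (str(net), None if gw is None else str(gw), ifname)


def upstream_routes(interfaces, static_routes, aggregate=False):
    """Prefixes an upstream router must point at this router so traffic can
    reach everything behind it (all networks except the WAN link). With
    aggregate=True, adjacent prefixes are collapsed as footnote ** describes."""
    nets = [ipaddress.ip_interface(spec).network
            for ifname, spec in interfaces.items() if ifname != "WAN"]
    nets += [ipaddress.ip_network(prefix) for prefix, _ in static_routes]
    if aggregate:
        nets = list(ipaddress.collapse_addresses(nets))
    return sorted(str(net) for net in nets)


if __name__ == "__main__":
    print("gateway problems:", gateway_problems(INTERFACES, GATEWAYS))
    table = build_table(INTERFACES, GATEWAYS, STATIC_ROUTES)
    for dst in ("10.10.0.5", "8.8.8.8", "10.0.0.200", "10.123.123.13"):
        print(dst, "->", lookup(table, dst))
    print("upstream routes, aggregated:", upstream_routes(INTERFACES, STATIC_ROUTES, aggregate=True))
```

Note that the two OPT /25 subnets collapse into a single 10.0.0.0/24 route while 10.10.0.0/24 stays separate, which is the cheapest set of routes the upstream router needs.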


Verification

That should be it. The easiest way to verify is to ping a host through the router using another router. Trace route also comes in handy here because you can see the response from our new router.

Also check out Diagnostics -> Routes to make sure nothing is missing. Both the Diagnostics and Status menus are chock full of helpful information and tools.


Extras

I'm just going to point you in the right direction for a few things.



  • Backup/Restore: Backup frequently! It's really easy!! Go to Diagnostics -> Backup/Restore.
  • NAT/Port Forwarding: Go to Firewall -> NAT for both of these.
  • High Availability: Here's a great article on CARP
  • Download add-on packages (I highly recommend using pfSense 2.1.5 for 3rd party stuff): Go to System -> Packages, then click the Available Packages tab
    • Snort: For free, it is an Intrusion Detection System (IDS), letting you know when bad traffic is coming in. For a really great price, it becomes an Intrusion Prevention System (IPS), stopping the traffic as well.
    • Squid ("Squid3"): Forward proxy, reverse proxy, and more. Totally free and totally great.
    • Squidguard: Added to Squid to do URL filtering. Free.
    • iperf: I haven't personally used this on pfSense, but it will tell you all kinds of network information including data transfer rates. Free.
    • HAVP: I honestly haven't used this one personally either, but I've heard great things. It helps prevent viruses from entering the network. Free.



Troubleshooting


If you're having problems, check the following in no particular order:

  • WAN interface (or the one with the default gateway route):
    • Subnet (it might have defaulted to 1 or 32)
    • IP address
    • Network/bogon filters at the bottom are empty
    • Gateway is correct and says it is a default gateway
    • IPv6 address is static or not enabled -- DHCP can be problematic during setup
  • Routes/Gateways:
    • If you've been following along, you should only have one gateway and it should be a default gateway
    • Make sure you only have one default gateway
    • Make sure the gateway is on the same subnet as your interface (it will yell at you if it isn't)
  • Firewall rules:
    • The interface that isn't working should have at least one rule allowing all traffic over IPv4
    • The rule allowing all traffic should be at the top of the list, although this likely isn't an issue yet (the rules are processed in order, from top to bottom, with the invisible implicit deny all hiding at the very bottom)
  • Go to Diagnostics at the top and choose Ping, then start pinging addresses close to the interface and then move farther away (you can also do Trace Route, but I find that you can throw out quick pings a little faster)
  • Make sure your other routers contain the right networks in their routing tables
  • Remember: rebooting is your friend
  • If all else fails, disable and re-enable the interface. If that doesn't work, uninstall the interface and reinstall. This is more likely to fix the problem if your other interfaces are working correctly.


Footnotes

* The terms upstream and downstream traffic refer to the directions to get out of or deeper into the network. Upstream traffic is heading outward to a WAN interface where it can reach the Internet or get directed to another site. Downstream traffic is heading farther into the network, meaning it will have to pass through another router when it heads upstream. Upstream/downstream can also be used when referring to servers. For example, an upstream Windows Server Update Services (WSUS) server can download Windows updates and pass them to a downstream WSUS server.
** For very basic systems, detailed (static) route information is needed. For example, you would have to use 10.20.30.64 /26 as the destination and it would reach IP addresses from 10.20.30.64 to 10.20.30.127. However, many systems, including pfSense, allow for route aggregation. This lets you specify a range of addresses to route to even if they are spread across multiple subnets. For example, you could just put 10.0.0.0 /8 to send all traffic with a destination IP address starting with "10" in that direction. The majority of hardware routing is managed with routing protocols and does not use static routes, but this is beyond our scope for today.

Monday, December 22, 2014

Connecting to the pfSense webConfigurator - Series, Part 2: The Synergy of Hyper-V and pfSense

Hey! Check out the new banner! I actually went to school originally for graphic design, but this was the first time I touched Photoshop in about 6 years. It was really weird that I still remembered a ton of hotkeys. There is just so much random information that we can store in our brains...

Oh, and I figured out AdSense finally. I've tried to make it as unobtrusive as possible while still being visible. I'm not going to type out some heartfelt paragraph about needing to use ads because I survive on their support. I'm doing this blog for the good of the people -- and if I am one of those people who gets some good sent their way, I won't complain. But the honest-to-god truth is that I'm here to write the best dang tech blog I can and I'd be doing that even without the few quarters they mail me every other month.

Back to Business: Installing pfSense

I haven't re-read the post I made yesterday, which accidentally turned itself into this series. For those of you who didn't get a chance to read it, we went over the different pfSense versions, I described some common problems when integrating it with Hyper-V, I was in a state of near delirium, and I almost broke a server. So, go on! Check it out:

(Part 1) The Synergy of Hyper-V and pfSense - Prepping Hyper-V


If you were following along, our paths diverged at the end of the first part of the series. You were left with a whole lot of white text flying across the screen for about a minute as the system booted. Then it asked you if you want to set up VLANs now.

I, on the other hand, had to fight with permissions on two machines so that I could finally do a simple file transfer and get all the VM files in place. I am starting the machine up right........... now. I actually did type "now" and click Start at the same time. I'm such a loser.


Up and running, here's the prompt I was talking about:


1. Take note of those interface names. You will need them in a second and they're not always visible on screen when it asks.

Enter "no" or "n" to skip setting up VLANs.

2. It will ask you to label your interfaces. One thing you need to keep in mind while configuring pfSense is that it was created to run on hardware. The fact that it can run inside a virtual machine is just a really great feature. At this point with a hardware installation, you'd already have your cables connected to physical ports. That's why this matters. However, with a virtual machine, all your ports are whatever you want them to be. A WAN port can turn into a LAN port just by changing the IP. So it doesn't matter which interface is labeled what.

Just run down the interface list above to assign them. Don't just type what I'm typing here. Your interface labels may be completely different.

I have 4 virtual NICs installed, so I labeled 4 interfaces here. Once you've given names to all your interfaces, just hit enter one more time. Then enter "yes" or "y" at the confirmation.

3. It will do router-y and firewall-y things for a bit, then finally bring you to the main menu.


Remember that we downloaded the LiveCD for pfSense. This means that it can run straight off external media. You could go ahead and just move on in. You know, set up a cozy new home complete with love seat and firewall state tables, but you'd be really annoyed when your furniture got deleted on a reboot.

We had to choose the LiveCD because the other option is built as an IMG file, which Hyper-V does not recognize natively. This really doesn't add much time anyway.

Enter "99" to kick off the installation.

4. Choose "Accept these Settings"


5. At the next screen, you really shouldn't ever need to do a custom install unless you have multiple VHDX files connected and you need to install to a drive not in the first slot of IDE Controller 0. "Quick/Easy Install" formats that disk automatically (which will be explained in the shell) and installs pfSense there.

Select Quick/Easy Install.


6. Select OK on the next prompt. pfSense begins installing.

7. Choose to install the standard kernel. The embedded kernel means that it is being installed on hardware that was likely designed to run it.

8. Once it asks you to reboot, don't. We want to turn the machine off. Keep in mind this is different than "Shut Down."

9. Once the machine has powered off, we need to remove the ISO from the drive. On the menu at the top of the VM window, go to Media --> DVD Drive --> Eject.


We did this because FreeBSD will automatically boot from the DVD again each time it starts. If you try to remove the DVD at the moment the machine restarts, you will either get an error from Hyper-V or the system will present a mount error.

10. Start the machine back up.



Let's take a short break from doing stuff and learn some stuff

We now need to configure pfSense so that we can reach webConfigurator, which is the HTTP-/HTTPS-based web GUI. It's smooth sailing once we get to that point. This requires configuring IP addresses on specific interfaces. I can't very well tell you what addresses to use, so we're going to have a little sidebar here. I need to explain what's going on and then show you how it'll work with my network.

Speaking of my network, here is the diagram of our little slice of the lab:



Notice that there are IP addresses with a subnet mask of "/30", which is equivalent to 255.255.255.252. This subnet mask will look strange to someone who's just getting their feet wet in networking. You may be used to addresses with a subnet mask of 255.255.255.0 from having to configure or troubleshoot your network card. A lot of people are surprised, then, when they are told that /30 is the most common subnet mask in the world. The reason is that a /30 defines a subnet with room for only 2 endpoints, which is exactly the situation you run into very frequently: one router connected directly to another router.

There's a reason why I bring this up. With pfSense, you have to define the interfaces with labels and also with IP addresses. The labels aren't just for show with a virtualized installation, though. They also configure the default firewall rules on each port. There are always going to be two interfaces with pfSense*: the WAN interface and the LAN interface. Any additional interfaces get the designation OPT1, OPT2, and so on.

We need to know this because we have to use the right interface to get connected to the webConfigurator. If we picked OPT2, for example, we wouldn't be able to connect.

Here's a rundown of the default firewall rules for each interface:

  • WAN
    • Deny traffic from private networks
    • Deny traffic from bogons
    • Allow webConfigurator access over port 80 or 443
    • Implicit "deny all"
  • LAN:
    • Allow traffic from current subnet
    • Implicit "deny all"
  • Any OPT interface:
    • Implicit "deny all"

Let me head the questions off at the pass...
  • The private networks are 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x. These have been specially set aside by the Internet Assigned Numbers Authority (IANA) to only be used locally and shouldn't be out on the open web.
  • Bogons are bogus IP addresses. Whenever a block of addresses is reserved with the IANA, they remove the bogon label from them. If an address is a bogon, whoever is using it shouldn't be allowed into your internal network. There's a reason they didn't officially reserve address space and you don't need to find out what that reason is.
  • The implicit deny all** comes at the very end of firewall states (rules) and Access Control Lists (ACLs), the latter of which appear in networking equipment as well as file system security including Windows. In pfSense and some other networking technologies, it doesn't even appear in the list. So, when you first look at your rules for OPT interfaces, they are just empty. To allow traffic through, an administrator has to make rules for what can come in. It's kind of like a boy only allowing other boys into his tree house because he thinks girls are icky.
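To see those default rule sets in action, here is a small Python model of first-match rule evaluation with the implicit deny at the bottom. It is an added example, not pfSense's packet filter: the bogon list is a constructed two-entry sample, the LAN subnet 192.168.0.0/24 is assumed to match the 192.168.0.x addresses used in this post, and the rules per interface are exactly the ones listed above. It also shows the ordering point from the Troubleshooting section of part 3: the same "allow all" rule passes or blocks a private-address client depending on whether it sits above or below the RFC1918 block.

```python
import ipaddress
from dataclasses import dataclass, field

# Address groups from the post. The bogon list here is a constructed
# two-entry sample; the real list is much longer and changes over time.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGONS_SAMPLE = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "240.0.0.0/4")]
# Assumed LAN subnet, consistent with the 192.168.0.x addresses in the post.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
WEBGUI_PORTS = {80, 443}


@dataclass
class Rule:
    action: str                                # "pass" or "block"
    src: list = field(default_factory=list)    # source networks; empty = any
    dports: set = field(default_factory=set)   # destination ports; empty = any
    note: str = ""


def default_rules(interface):
    """The default rule sets exactly as the post lists them per interface.
    The implicit deny is not a rule object; evaluate() supplies it."""
    if interface == "WAN":
        return [Rule("block", RFC1918, note="RFC1918 networks"),
                Rule("block", BOGONS_SAMPLE, note="bogon networks"),
                Rule("pass", dports=WEBGUI_PORTS, note="webConfigurator")]
    if interface == "LAN":
        return [Rule("pass", [LAN_NET], note="LAN subnet")]
    return []  # OPT1, OPT2, ...: nothing but the invisible implicit deny


def evaluate(rules, src_ip, dport):
    """Walks the rules top to bottom; the first match decides. When nothing
    matches, the implicit deny at the bottom blocks the packet."""
    src = ipaddress.ip_address(src_ip)
    for position, rule in enumerate(rules, start=1):
        src_match = not rule.src or any(src in net for net in rule.src)
        port_match = not rule.dports or dport in rule.dports
        if src_match and port_match:
            return rule.action, f"rule {position}: {rule.note}"
    return "block", "implicit deny"


def allow_all_position_matters(src_ip):
    """The Troubleshooting point: a temporary 'allow all' rule only helps
    if it sits above the block rules. Returns (result with allow-all on top,
    result with allow-all at the bottom) for a connection to port 443."""
    allow_all = Rule("pass", note="temporary allow all")
    block_private = Rule("block", RFC1918, note="RFC1918 networks")
    on_top = evaluate([allow_all, block_private], src_ip, 443)[0]
    at_bottom = evaluate([block_private, allow_all], src_ip, 443)[0]
    return on_top, at_bottom


if __name__ == "__main__":
    # Constructed sample packets: (interface, source address, destination port).
    samples = [("WAN", "192.168.0.224", 443), ("WAN", "203.0.113.7", 443),
               ("WAN", "203.0.113.7", 22), ("LAN", "192.168.0.224", 443),
               ("OPT2", "10.0.0.200", 443)]
    for iface, src, port in samples:
        print(iface, src, port, "->", evaluate(default_rules(iface), src, port))
    print("allow-all on top / at bottom:", allow_all_position_matters("192.168.0.5"))
```

The OPT2 sample is the case the next paragraph warns about: with no rules on the tab, every packet falls through to the implicit deny, so the webConfigurator is unreachable there until you add a rule.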

Looking at the interface list above, it would seem like we want to connect over the WAN interface. And that would normally be true. But, for whatever reason, it just doesn't work when you use pfSense on Hyper-V. Or at least it's very unreliable. Or maybe it has worked for every single one of you except me.

The fact of the matter is that I have a sure-fire way of getting into the web GUI with the LAN interface. I recommend doing it this way so you don't get so frustrated that you throw a phone book at the mailman. I'm not saying I did that or anything...... that would make my defense attorney's job a lot harder.


Okay, let's stop learning and start doing stuff

11. Before I forget, let's enable SSH (Secure Shell) access to the router. This allows you to access the console easily with PuTTY or connect with WinSCP to modify the FreeBSD file system like you would in Windows Explorer.

Enter "14" at the main menu to enable SSH.


If the menu has disappeared from random status messages filling the screen, just hit Enter to refresh.

12. Back at the main menu, enter "2" to set interface IP addresses.

13. It will give you a list of your interfaces. Enter the number for the LAN interface, which is probably "2".


14. You now have to assign an IP address. We are NOT going to assign anything from our diagram yet. What you want to do is pick an address on the same subnet as the computer that you will access the webConfigurator from.

For example, if you're connecting from your PC and the IP address is 192.168.0.5 (with the /24 mask), then you can set it to 192.168.0.6 or 192.168.0.100 or 192.168.0.179. As long as there isn't another computer on the network with that address, you're gravy. If you want to see what addresses are floating around out there, run "arp -a" from the command prompt on your PC, which sends out a broadcast message to get the identity of computers on the subnet.

For me, I can use 192.168.0.30, so I will:


15. It then asks you for your subnet mask.*** Enter it in as the bit count. It has some examples above.


16. Are you ready for my trick?! This is how I show both Hyper-V and pfSense who's boss. When it asks for the upstream gateway address, set it to whichever computer you want to access it from. Don't set it as your modem or other router. That's when I started running into issues.

I will access the webConfigurator from this address. 192.168.0.224 is a computer on my network.

17. For the IPv6 address, you can just hit Enter. Feel free to type one in if you'd like to use IPv6.

18. Do you want to enable the DHCP server on LAN? No.

19. Do you want to revert to HTTP as the webConfigurator protocol? If you are brand new to pfSense, I'd just say yes.

HTTP is insecure but simpler. With HTTPS, you will have to set up Certification Authorities and configure the trust chains. It's not hard to get going with self-signing, but we won't go into it now. To be honest, I've only done it once. It could be different than I remember.

20. It does some processing and then gives a nice little message that you can access the webConfigurator at the listed address.

Great! Let's do just that! I'm super excited!!

On the computer at 192.168.0.224:


AHH what?? I literally spent like 100 hours writing this post and this is what happens?!

Okay, I knew that was going to happen. We need to do two things first.

(Keep in mind... it could have just worked for you. How pfSense determines your technological karma is mysterious and unknowable... at times just cruel.)

21. Pull up an elevated command prompt and enter the following:

route add -p <IP address of router> mask 255.255.255.255 <IP address of router again>

This basically forces the computer to know that the router exists. It creates a direct connection.

22. Reboot the router. At the main menu, Enter 5 and then confirm it.

Now, it might take a little time for pfSense to get all its ducks in a row. Just to be clear, that is not a technical term... it's an idiom.

Come back to your browser in 5-10 minutes and try the router's IP address again. If you're still having issues, reboot the router once more.

Here it is, folks:

Smells like victory in here.


The username is admin
The password is pfsense (all lowercase)


Pause button


I never cease to amaze myself with how many extra words I can fit into something without even trying. I could be the next Faulkner if I had any sort of, like, word goodness. But we'll go ahead and pause for part 3

In part 3 (which might turn into part 4 and then 5), we'll walk through the setup wizard--yes, a setup wizard on an amazing piece of networking technology and it rocks--and make sure we can connect from all the interfaces.

In conclusion, I understand the importance of properly selecting the correct words to make bold.

* You actually could configure pfSense with just one network card. You would need to configure two VLANs and assign them both to the same port, then configure routing between them. Traffic going through the port uses a subinterface as well as the interface itself. This process is known as "Layer 3 Switching". The device itself is often called a "Router on a Stick."
** There is an alternative method for managing security that uses an explicit deny. This means that everything can come in unless it has been denied.
*** To find your subnet mask, run "ipconfig" from the command prompt on the computer you will access the webConfigurator from. If your address starts with 192, it's extremely likely that the bit count for the mask is 24. Starts with 172? 16. Start with 10? That's kind of a mixed bag, so I'd double-check.

Saturday, December 20, 2014

Prepping Hyper-V to Use pfSense - Series, Part 1: The Synergy of Hyper-V and pfSense

I wanted to get a post out tonight that I've been working on pretty hard, which will be the first of what I call "Marathon Guides", but my brain and body have been taxed to the limit this week. Earlier, I was trying to add up just how little sleep I've had in the past few days and I just couldn't do it. I couldn't put small numbers together into slightly larger numbers.

Oh... the best thing I did in my state of lunacy? I did a System Restore on my machine while trying to fix a program, not realizing what it would do to the virtual hard disks in Hyper-V. It actually wasn't as bad as I thought it would be... but take my advice and don't ever do that.

Of course, I'm still going to post something... so I picked something that's entertaining by itself. Now I don't have to be.

Expect lots of typos and omitted words, sentences, paragraphs, etc. In fact, if I manage to hit the Publish button at all, I'll be ecstatic tomorrow.

Meet pfSense

Now, I'm sure plenty of readers have "met" pfSense and know it pretty well, but this is a Microsoft-centric blog. The idea of using something that's not Microsoft, not even Linux, but *gasp* Unix-based via FreeBSD can be a little jarring. It's a whole different planet.

When I finally got to start planning out my lab, I knew right off the bat that the environment wasn't going to be simple. It was going to be extremely complex. I wanted to run into problems and learn why they occur and how to fix them and how to prevent them. So I just started slicing up the network into a bunch of different subnets. Of course, with different subnets comes the need for routers. 

When you're dealing with virtual machines and shared adapters, the concept of routing gets a little fuzzy. Of course, that didn't stop me. I just threw a whole lot of RRAS at the problem. But using Routing and Remote Access, outside of DirectAccess and VPN infrastructure, creates a problem in itself. To be clear, there's nothing really wrong with RRAS routers... but there's not a whole lot right either. That's because there just isn't much of anything. They're super simple services running on the backbone of Windows Server like a fly on a giant's back. I quickly realized it wasn't ideal.

I also had a bunch of other hurdles to get over. I'd come up with a solution for one problem and then another and another, all the while making progress, sure, but not really seeing the big picture. I had questions like these:
  • How can I reduce the overhead on all these RRAS "routers", each one running a full server operating system? (I tried Server Core but RRAS loses almost all functionality.)
  • Without having to use Threat Management Gateway 2010, which I hate and is on its last breath, how will I direct traffic to internal servers which use the same port?
  • How will I handle things like low-layer firewalling and load-balancing beyond DNS round robin?
  • How can I tighten security but not be overly intrusive?
  • How can I gain better control over the traffic coming in from the WAN when I'm stuck with a crappy modem/router from Time Warner Cable?
  • Should I buy more hard drives or pay rent for once?
It was pretty frustrating. The tools I'd discover would cost too much or overlap poorly with something else or be more trouble than it was worth.

And then... I discovered pfSense. It did not have those issues... and not only did it satisfy all of the criteria listed above... it added about 100 times more functionality than what I had even dreamed of. And all of that for the low, low cost of absolutely nothing.

The Free Firewall, Router, Switch, Proxy, Reverse Proxy, Load Balancer, Remote Access Server, Traffic Sniffer, Packet Inspector, Antivirus, Toolbox, IDS, IPS, and Master of L2 Transparency

pfSense. It's the love of my life. 

Honestly, I think that it is the best testament to open-source development in any arena. I could just keep on gushing, but you get the point. It's just the greats!

And you may be thinking, "Wow. That's gotta be ridiculously hard to set up." Wrong. Those features aren't what made it so popular. What made it popular is how it can walk the greenest networking guy or gal through the initial configuration in about 30 minutes. You can have a working router and firewall on the network in less time than it takes to get pizza delivered.

All that being said, it starts to get a little finicky when you try to bring it into the Microsoft hypervisor platform. VMware? No problem. Embedded kernel on custom hardware? Perfection. But with Hyper-V, you have to learn some tricks. I'll teach you some of these while I walk through the process of replacing one of my RRAS routers with a shiny new FreeBSD bad boy.

A Version for Every Occasion... okay, well, actually just two occasions


The main wrinkle with pfSense on Hyper-V is the virtual network adapters: which kind of adapter you need, and how much babysitting it requires, depends on the pfSense version. The reason is the FreeBSD underneath. pfSense 2.1.x is built on FreeBSD 8.3, which has no Hyper-V integration drivers, so the guest cannot see Hyper-V's synthetic (default) network adapter at all. pfSense 2.2 is built on FreeBSD 10.1, which ships those drivers. A few other components (the storage controller, for one) follow the same split.

There are currently two popular releases of pfSense:
  • 2.1.5 Full Release
  • 2.2.0 Beta
If you're reading this before the official release of 2.2.0, the decision on which one to pick is simple.

If you are only going to use it for simple purposes such as a router, switch, or firewall: 

Use the beta version, 2.2.0. 

The reason is that the standard (synthetic) virtual NICs work without any special treatment, because FreeBSD 10.1 includes the Hyper-V integration drivers. However, there aren't very many packages available for this version yet, so you're stuck with the features included by default. This will change in the future. The 2.2.0 full release should be a pretty great improvement.

If you would like to configure advanced features like forward/reverse proxy (such as for Lync Server 2013), IDS, inspection of certificates and protocols, antivirus, etc:

Use 2.1.5. 

All of the really advanced features are developed by third parties, and they generally do not match their update cycles to beta releases. For version 2.1.5, you must use Legacy Network Adapters in Hyper-V. A legacy adapter is an emulated Intel 21140 Fast Ethernet card: it tops out at 100 Mbps and costs more host CPU per packet than a synthetic adapter, which is fine for a home WAN link but worth knowing before you push gigabit through it. It isn't a major inconvenience, but occasionally you will have to go into the shell to cycle the interfaces to resume connectivity. The two adapter types also seem to respond to certain interface bindings differently, but this could just be the version difference.

You can find both versions at https://www.pfsense.org/download/. You want the LiveCD option, which downloads as a gzipped ISO (.iso.gz), because Hyper-V cannot read the .img memstick images.

Configuring the Virtual Machine Settings

Note: Despite what I said above, I am going to use 2.1.5 for this router so that I can show legacy NIC setup.

1. Let's create the VM. In Hyper-V Manager, select New --> Virtual Machine in the right column.


2. Specify the name to be displayed in Hyper-V (and SCVMM, if applicable) and choose a location for the configuration files. Click Next.


3. You must select Generation 1. Generation 2 VMs boot with UEFI and have no IDE controller and no Legacy Network Adapter, and the FreeBSD these pfSense releases run on does not boot in that environment. Click Next.

4. 512 MB of memory, non-dynamic, is more than enough for pfSense. You could honestly get away with dropping it down even lower, perhaps as far down as 128 MB. Leave Dynamic Memory off: it relies on a balloon driver inside the guest, which FreeBSD does not have for Hyper-V, so it would only confuse the host's memory accounting.

With those RRAS routers I was running, they would regularly suck up more than a GB of RAM. That's way too much for a networking device.

Click Next.

5. If you are going to install the 2.2.0 Beta, go ahead and select a Virtual Switch. If you are using 2.1.5 like I will be, it doesn't matter what you put here because we're going to delete this adapter anyway. Click Next.


6. The hard disk size doesn't need to be any larger than 4-5 GB for a simple router or firewall. If you plan on going a little nuts with the add-on packages, bump it up to 10 GB or so. That definitely smokes the space requirements of RRAS.

One thing I like to do is create fixed-size disks, or "thick provisioned" disks as they're called with VMware, when they are this small. The standard VHDX created from the wizard is a dynamically-expanding disk. It will display the total size within the guest, but it only takes up space on the Hyper-V host for actual data within the disk. Fixed disks are faster and there isn't much of a downside with such low disk requirements.

If you would also like to create a fixed disk, select "Attach a virtual hard disk later." 


Feel free to review the summary by hitting Next or just finish the wizard by hitting Finish.

7. Right-click the newly-created VM and click Settings...


8. Ah, yes. The Settings window. 

If you just did a dynamically-expanding disk in step 6, skip on ahead to step 9.

This is how you create the fixed-size disk:

Click the "IDE Controller 0" line.



With "Hard Drive" selected, click Add.



For "Virtual Hard Disk", click New.



Click Next at "Before You Begin" and at "Choose Disk Format." We're using the VHDX format.

At the "Choose Disk Type" screen, select "Fixed size." Click Next.


Give it a name and location. Click Next.


Under "Create a new blank virtual hard disk", enter the size of the new disk in GB. 4 is enough for a router/firewall. Give yourself 10 GB if you're setting up advanced features.


Click Next to see the summary or Finish to complete the wizard. It can take a few minutes to create the disk, so go grab a donut.

9. If you are using version 2.1.5, select "Network Adapter" and then click Remove on the right side of the window.



We now need to add our network adapters by clicking "Add Hardware" at the top of the column. 

If you are using the 2.2.0 Beta, just select "Network Adapter" and click Add. Keep in mind that you already set one up during VM creation.


For version 2.1.5, select "Legacy Network Adapter" and click Add.

It automatically brings you to the configuration screen for that adapter. Select a Virtual Switch to connect to:


Create as many adapters as you need. It's important to note that you are limited to 4 adapters when you use Legacy NICs. 

10. Select DVD Drive in the column. Under Media, select "Image file", then click Browse. Find your pfSense ISO. It is gzipped when you download it (.iso.gz), and Hyper-V will not mount the compressed file, so extract the .iso first with 7-Zip or similar.


Click Open.

11. You may optionally add a few logical cores to the machine from your host's processor:


12. Finally, scroll down to "Automatic Start Action" in the column:


Set the action to "Always start this virtual machine automatically" with a startup delay of 0 seconds. The 0-second slot should be reserved for very important services that all the other machines depend on, and a router is exactly that. Things with fewer dependencies but still considerably important, like SQL Server, should start at 30 seconds to a minute. Pretty much everything else can be set to 120 seconds, or longer if your VMs take their sweet time waking up.

Here is everything that is changing in my settings (except for Auto-Start):


Click OK when you're ready.
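If you would rather not click through all twelve steps, here is the same build as a PowerShell script, run in an elevated prompt on the Hyper-V host. This is an added example, not something from the original post; the VM name, folder paths, ISO filename, virtual switch names and core count are all assumptions you will need to change. It uses the standard Hyper-V module cmdlets (Server 2012 R2 or later) and adds the one check the GUI only tells you about after the fact: the four-adapter limit on legacy NICs.

```powershell
# Added example, not from the original post. Builds the pfSense VM the twelve steps above describe.
# Every name and path below is an assumption; adjust for your host.

$vmName  = 'pfSense-01'                                     # assumed VM name
$vmPath  = 'D:\Hyper-V'                                     # assumed config-file location
$vhdPath = "$vmPath\$vmName\$vmName.vhdx"                   # assumed disk location
$isoPath = 'D:\ISO\pfSense-LiveCD-2.1.5-RELEASE-amd64.iso'  # assumed; gunzip the .iso.gz first
$legacy  = $true                                            # 2.1.5 needs legacy NICs; $false for 2.2.0

# Adapter name -> virtual switch, in the order pfSense should see them (assumed switch names).
$nics = [ordered]@{ 'WAN' = 'vSwitch-External'; 'LAN' = 'vSwitch-Internal' }

# Steps 1-5: Generation 1 (Gen 2 is UEFI-only and has no legacy adapters), 512 MB static memory,
# no disk yet. Dynamic Memory stays off: FreeBSD has no Hyper-V balloon driver.
New-VM -Name $vmName -Generation 1 -MemoryStartupBytes 512MB -NoVHD -Path $vmPath | Out-Null
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $false

# Steps 6-8: fixed-size VHDX (4 GB is enough for a router/firewall) on IDE controller 0.
New-VHD -Path $vhdPath -SizeBytes 4GB -Fixed | Out-Null
Add-VMHardDiskDrive -VMName $vmName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 -Path $vhdPath

# Step 9: New-VM always creates one synthetic adapter. Remove it so the adapter list is exactly
# what $nics says, then add legacy or synthetic adapters depending on the pfSense version.
Get-VMNetworkAdapter -VMName $vmName | Remove-VMNetworkAdapter
foreach ($nic in $nics.GetEnumerator()) {
    Add-VMNetworkAdapter -VMName $vmName -Name $nic.Key -SwitchName $nic.Value -IsLegacy $legacy
}

# Check: Hyper-V allows at most 4 legacy adapters per VM. Fail here rather than in the GUI later.
$legacyCount = @(Get-VMNetworkAdapter -VMName $vmName | Where-Object IsLegacy).Count
if ($legacyCount -gt 4) { throw "Too many legacy adapters ($legacyCount); Hyper-V allows 4." }

# Step 10: mount the ISO in the DVD drive New-VM created at IDE 1:0 and boot from it first.
Set-VMDvdDrive -VMName $vmName -ControllerNumber 1 -ControllerLocation 0 -Path $isoPath
Set-VMBios -VMName $vmName -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Step 11: a second core is plenty for a router.
Set-VMProcessor -VMName $vmName -Count 2

# Step 12: the router starts first (delay 0) and shuts down cleanly with the host.
Set-VM -Name $vmName -AutomaticStartAction Start -AutomaticStartDelay 0 -AutomaticStopAction ShutDown

# Review what was built before clicking Start.
Get-VMNetworkAdapter -VMName $vmName | Select-Object Name, IsLegacy, SwitchName | Format-Table -AutoSize
Get-VM -Name $vmName | Select-Object Name, Generation, MemoryStartup, ProcessorCount, AutomaticStartAction
```

Keep the adapter order in `$nics` in mind: pfSense assigns interfaces by the order the cards appear in the guest, so WAN first and LAN second here means the first adapter the installer offers is the one on your external switch.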


Installing pfSense

1. In Hyper-V Manager, right-click the VM and click Start.

By the way, this is what it looks like when you run out of RAM on your server. Oops. =)


AND with that, I think we've found a great stopping point! Looks like I just turned this into a series article.

However, I am going to use this as an opportunity to show how to fix this. Fortunately, I have another node I can move to. If this were your only server, I would recommend configuring dynamic memory on your other VMs. If their demand is sitting at the maximum you allotted, that's a sign you're stretching yourself too thin as it is.




Running Out of RAM on a Hyper-V Node

As you saw above, I ran out of RAM on one of my servers. Given that the new machine only had 512 MB of RAM and my nodes have 32 GB each, I'd say I sized the machine pretty well.

So the simple solution is to move stuff around and make it all fit. But wait a second! Let's check Task Manager.


Why wouldn't it fit?! It's only at 91% utilization.

Here's why:

This is a live Performance Monitor report pulled from Hyper-V's performance counters.
Starting in Server 2012, Hyper-V changed the way memory is divided between the host and its guests. The host keeps a reserve for itself, so you shouldn't have to worry about it running out of memory, which means fewer STOP errors and less crying. The large gap between the "available" figures from these two sources is Hyper-V accounting for spikes. Every Dynamic Memory VM carries a buffer, a percentage of its current demand (20% by default) that is set aside so the VM can grow without waiting on the balancer. Task Manager doesn't count that reservation as used; the Hyper-V Dynamic Memory Balancer counter does. That's how a 512 MB VM can fail to start on a host that looks 9% free.

As far as moving this VM off the server, it's pretty straight-forward. Right-click the VM in Hyper-V Manager and select "Move..."


Choose "Move the virtual machine's storage". The first option, "Move the virtual machine", is a live migration to another Hyper-V host; it does not require a Failover Cluster, but it does require live migration to be enabled (and authentication delegation configured) on both hosts, which is more setup than we need for a one-off move...


You can pick anything you want on the next screen. You might be picky about folder placement. Honestly, though, the config files can be on an entirely different server and this would still work. I'm just going to do "single location."

For the new location, don't park it somewhere temporary to pick up later. Either a) point the move at a share on the destination host, b) create a share there for the purpose, or c) move it to another folder on the source host and then cut and paste it across. Option 'c' is for when you can't tell which configuration or snapshot files belong to the VM; otherwise a straight file transfer is simpler. The reason to use the move operation at all is that the machine stays up while its files transfer.
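The memory accounting above and the move are both easier to reason about from PowerShell, so here is an added example (not from the original post) that does both: it prints what each VM has actually been assigned next to what the balancer considers free, then moves the VM to the other node. The VM name, the destination host name and the destination path are assumptions; the counter path is as it appears on Server 2012 R2 hosts.

```powershell
# Added example, not from the original post. Names and paths below are assumptions.
$vmName = 'pfSense-01'            # assumed
$dest   = 'HV02'                  # assumed second Hyper-V node
$target = "D:\Hyper-V\$vmName"    # assumed path on the destination node

# Per-VM view: what Hyper-V has handed out versus what the guest is actually using.
# On a Dynamic Memory guest, the difference is the buffer described above.
Get-VM | Select-Object Name, State, DynamicMemoryEnabled,
    @{ n = 'AssignedMB'; e = { [int]($_.MemoryAssigned / 1MB) } },
    @{ n = 'DemandMB';   e = { [int]($_.MemoryDemand / 1MB) } } |
    Format-Table -AutoSize

# The balancer's own view of free memory, which is the number that decides whether a new VM
# starts. Counter path as on Server 2012 R2; adjust if your host differs.
(Get-Counter -Counter '\Hyper-V Dynamic Memory Balancer(*)\Available Memory').CounterSamples |
    Select-Object InstanceName, @{ n = 'AvailableMB'; e = { [int]$_.CookedValue } }

# Single-host alternative: give another (stopped) VM Dynamic Memory so it returns what it
# isn't using. If its demand then sits at MaximumBytes, the host is oversubscribed.
# Set-VMMemory -VMName 'SomeOtherVM' -DynamicMemoryEnabled $true -MinimumBytes 512MB -StartupBytes 1GB -MaximumBytes 4GB

# Otherwise move the VM. Move-VM is the GUI's "Move the virtual machine": a shared-nothing
# live migration that needs live migration enabled on both hosts, but not a failover cluster.
$hosts = Get-VMHost -ComputerName $env:COMPUTERNAME, $dest
if ($hosts | Where-Object { -not $_.VirtualMachineMigrationEnabled }) {
    throw 'Run Enable-VMMigration on both hosts before using Move-VM.'
}
Move-VM -Name $vmName -DestinationHost $dest -IncludeStorage -DestinationStoragePath $target

# The GUI's second option, storage only, when the VM should stay on this host:
# Move-VMStorage -VMName $vmName -DestinationStoragePath $target
```

Run the two reporting commands first; if `AvailableMB` from the balancer is below the new VM's startup memory while Task Manager still shows headroom, you are looking at exactly the buffer reservation described above, and the move (or trimming another VM's maximum) is the fix.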




Click below to continue to part two:

The Synergy of Hyper-V and pfSense (Part 2) - Connecting to the webConfigurator