pfSense Home Router – Part 2

At this time, I have installed pfSense a few times and have been running pfSense for about three months. The experience has been very trying at times, so hopefully my personal notes will help others in deciding if pfSense is right for you. Note that I am trying to use pfSense as a home router and caching proxy, and not as a typical business-class network firewall, which is its actual intent.

With the hardware set up, I had to now install the pfSense software and configure it. The SuperMicro MBD-X7SPA-HF-O has an internal USB port that you can use if you want to install pfSense or any operating system to it, but in my case, I was going to use a 60GB SSD drive instead as my main operating system drive. There are multiple ways to do the installation: 1) make a bootable USB drive and boot from that, 2) CD-ROM installation, or 3) use IPMI to control the system remotely and install from an ISO image. Since my box has no actual CD-ROM drive, I ended up using IPMI, which works quite well once you get some experience with it. Once I booted via the ISO image (through IPMI), the installer formatted the SSD drive and copied the necessary files. The rest of the configuration could be done through IPMI, or you can simply hook up a keyboard and monitor to the box, like I did.

Rather than cover the installation process in more depth, I will refer you instead to Overclockers, whose guide covers the installation in more depth than I could ever hope to. It was actually the Overclockers guide and this SmallNetBuilder article that inspired me to build my own pfSense box in the first place.

Helpful Setup Tips

The first thing of note is that you should specify “em0” as the LAN connection. This is contrary to the Overclockers guide. The reason is that the IPMI only works through the first Network Port and I would like to be able to access IPMI internally on my LAN only. You will specify “em1” as the WAN connection. (In the BIOS you can specify a specific IP address for the IPMI setup and take note of the MAC Address; you can then setup a DHCP reservation for the IPMI address.)

For DHCP reservations, it is helpful to have a list of MAC addresses and the IP numbers that you are going to give those devices. This way you can add them all at once during the setup and be done with it. Most of the devices in my home now have reserved IP addresses.

You will want to configure the Admin Web Interface to HTTPS and to a different port number. Basement PC Tech has an excellent guide on how to add a certificate to the Admin interface.

You can add FreeIPMI to pfSense. Reference this post on the pfSense Forum on how to install it.

Since this setup will be used as a home router, UPnP is essential for devices such as the PS3 and Xbox 360. The best walkthrough for setting this up is found on Cqrite.com.

Lastly you will want to install your packages. In my case, Squid 2.79, RRD Summary, Sarg, and Cron were the only packages I needed.

Unexpected Problems

My home setup is pretty straightforward, but for unknown reasons, I had major issues with my Sony Blu-ray Player, Apple TV 2.0, and Playon (software for media streaming from a Windows box). I could not quite figure out exactly why all of these devices broke. Essentially, media streaming failed to work, period, on the Blu-ray Player. What was strange was that the PS3 was fine. It did not quite make sense why Netflix worked fine on the PS3, but not on the Apple TV or Blu-ray Player. For a while I thought it was some combination of Squid in transparent mode; however, after setting up Traffic Shaping in pfSense, it just decided to work one day. I even did a clean install and started from scratch, and I could never get it to work again. I ended up restoring my original configuration to fix it again. I narrowed down the problem to port 443, on which I could not authenticate with the streaming services.

One package that I wanted to try out was HAVP, which acts as an HTTP proxy with an anti-virus scanner. This proved to be problematic for me. With HAVP my internet downloads were slower and unpredictable. HAVP requires a lot of CPU speed, and in the end I found that it was not worth it for me. Plus, I could never get Netflix streaming to work!

pfSense, The Home Router

pfSense was my summer project this year and it was very interesting. The hardware I put together makes for a very fast home router and you certainly do notice the difference between pfSense and, say, your typical $200 router. The Squid proxy works well; in fact it is the best proxy solution that I can think of. However, Squid is still a proxy, and proxies in general are difficult and can cause minor issues. The firewall aspect of pfSense is superb; I feel that this is the most secure system you can have for the price. The problem I ran into with pfSense is that it is not really meant for home networking. In a sense pfSense is not your typical plug-n-play device, so this makes it really hard for a non-networking person to work with. I find myself conflicted, because I really like everything that pfSense delivers, but feel that third-party firmware such as DD-WRT is a better solution for home networking. The firewall is easier to work with on third-party firmware. The other area where pfSense proves too hard is Traffic Shaping. The QoS interfaces of Linux-based routers (DD-WRT, NetGear, Tomato, etc.) are much easier to work with, and while pfSense actually has more options for managing traffic, the setup requires more tweaking.

Up until now, my criticisms of pfSense have been based on difficulties due to complexity, but one area where I think pfSense does come up lacking is documentation. The pfSense.org website has a wiki and a forum, but some of the documentation on the wiki is incomplete, and so the better resource ends up being the forum. There is an official book: pfSense: The Definitive Guide. The book is definitely a must if you are serious about working with pfSense. There is also a pfSense Cookbook, but that book is rather worthless, as it basically covers screenshots of pfSense 2.0 without any real context as to how the system actually works, so I would not recommend that book. What would work for pfSense is a guide for home networking that put together screenshots and recommendations for a typical home network router configuration.

Overall, pfSense can work as a home network router, but it does take time to become proficient with it, and it is not as simple as your typical home router. After working with it for a few months, I find it to be a great solution for content filtering in schools. It is very affordable, and if you are willing to spend the time, it can be a great solution for your security needs.

Safari 6 HTTPS SSL Timeouts

After upgrading to Mac OS X 10.8 Mountain Lion, I started to experience problems with Safari 6 and some HTTPS connections. For example, I could no longer log into Amazon or even browse forums that used SSL connections. Ironically, I found a post on Apple’s forums that described some of my symptoms, but since the support forums are HTTPS, I could not use Safari. Luckily Firefox still worked. The problem on Apple’s forum went on about SSL certificate issues, and the solution is described on this blog posting, but that problem was specific to Mac OS X 10.7.4 Lion. There is also a bug that has to do with specifying a proxy in Mountain Lion. This seemed more plausible to me, since I use pfSense with Squid proxy in transparent mode at home; however, this also would not explain why only SSL connections had issues and regular HTTP sites worked fine.

Solution

After much research, it seems the simplest solutions work best. I had to manually change my MTU setting from 1500 to 1492 in System Preferences – Network – Advanced… – Hardware – MTU. This immediately resolved my Amazon login issue.
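The post does not say why a 1492 MTU fixed the HTTPS failures, so the following is an added example of mine, not something from the post, that models one common mechanism behind that symptom: a path-MTU black hole. A host with a 1500-byte interface MTU advertises a TCP MSS of 1460, the remote server then sends full-size segments with the Don't Fragment bit set, and a link somewhere on the path that only carries 1492 bytes (the usual PPPoE figure) drops them if the ICMP "fragmentation needed" reply never makes it back. Short request/response exchanges fit and succeed; anything that needs full-size segments, such as a certificate chain, stalls. Lowering the host MTU lowers the advertised MSS, so every segment fits. All sizes are constructed, and whether this was the actual cause on the author's link is an assumption.

```python
# Simplified model of TCP segment delivery across a path with a smaller MTU.
# Header sizes are IPv4 + TCP without options; real-world values vary with options.
IPV4_HEADER = 20
TCP_HEADER = 20


def advertised_mss(host_mtu):
    """MSS a host advertises in its SYN: interface MTU minus IPv4 and TCP headers."""
    return host_mtu - IPV4_HEADER - TCP_HEADER


def segments(payload_bytes, mss):
    """Split an application payload into segment payload sizes of at most mss bytes."""
    sizes = []
    remaining = payload_bytes
    while remaining > 0:
        take = min(mss, remaining)
        sizes.append(take)
        remaining -= take
    return sizes


def deliver(segment_payload, path_mtu, df=True):
    """Outcome for one segment at the narrowest hop.

    With DF set and the ICMP 'fragmentation needed' message lost (the black hole
    this model assumes), an oversized packet is silently dropped; without DF the
    router would fragment it instead.
    """
    packet_len = segment_payload + IPV4_HEADER + TCP_HEADER
    if packet_len <= path_mtu:
        return "delivered"
    return "dropped" if df else "fragmented"


def transfer_succeeds(host_mtu, path_mtu, payload_bytes):
    """True if every segment of a payload sent at the host's MSS crosses the path."""
    mss = advertised_mss(host_mtu)
    return all(deliver(s, path_mtu) == "delivered"
               for s in segments(payload_bytes, mss))


if __name__ == "__main__":
    # Constructed sizes: a 300-byte request vs. a 4000-byte certificate chain.
    for host_mtu in (1500, 1492):
        for payload in (300, 4000):
            ok = transfer_succeeds(host_mtu, 1492, payload)
            print(f"host MTU {host_mtu}, payload {payload:>4} bytes over a 1492 path: "
                  f"{'ok' if ok else 'stalls'}")
```

A router that clamps MSS on the WAN interface (pf can do this) removes the need to touch every client's MTU, which is the fix to prefer when the narrow link is your own; changing the Mac's MTU is the client-side workaround the post describes.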

pfSense Home Router – Part 1

Over the years, my home office has become a museum of sorts for wireless routers. There on a shelf sits my old reliable Linksys WRT54GS with upgraded antennas, next to it is a Linksys WRT350N, and lastly a Netgear WNR3500L. My current router sits in the office as well; that is a Netgear WNDR3800. The WNDR3800 is less than a year old and performs quite well, but then Western Digital announced they were getting into the wireless router business and announced the My Net N900, which is interesting since it includes 7 Gigabit Ethernet ports! But alas, I could not justify upgrading to a new wireless router in less than a year. With each router upgrade I have looked at three features: speed of the actual CPU, internal memory, and DD-WRT compatibility. Home routers are essentially computers that route network traffic. The faster their CPU and the more memory they have, the faster they can operate. On slower ISP connections you do not notice it as much, but once you upgrade your internet connection and add more devices to your home network, the more your router’s performance becomes impacted. Hence the WNDR3800 works better than the slower WNR3500L it replaced. I am mostly talking about the wired connections, since wireless speeds can vary and I tend to prefer wired connections. The more I thought about it, the more I came to the conclusion that I was really trying to upgrade the CPU and memory in my router; the wireless radio was adequate and the built-in 4-port switch was already being supplanted by a dedicated 8-port switch. In general, wireless routers are a good value. They combine a wireless radio, a network switch, and routing capabilities for around $150 or less. The WD N900 looks like an even better value, given the 7 ports, but in my case, I wanted to separate the three main functions. Hence my search for the perfect home router began.

Set Default Fonts in Safari 6

With the release of Safari 6, the default font settings preferences have been removed. If you still want to set default fonts without using a custom style sheet, you can use Terminal commands to set them. Another workaround is to use the Quickstyle Safari Extension.

Below are some example commands for Terminal:

Proportional Font:

defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2StandardFontFamily 'Lucida Grande'
defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2DefaultFontSize 16

Fixed Width Font:

defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2FixedFontFamily Monaco
defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2DefaultFixedFontSize 12

The Fix My PC Dilemma

After working in Information Technology for several years, you come to a certain understanding about the balance between work and personal time. For many people starting out in IT, the temptation to dedicate yourself 24/7 to work is hard to resist. There always seems to be a pending disaster or a deadline that must be met. With some experience you eventually learn that the world is always coming to an end. It has been that way since the beginning of time itself. Dedicating yourself fully to work is not going to change that! Once you figure out for yourself where and when to draw the line and give yourself some time back, you end up tackling another dilemma, which I call the “Fix My PC” dilemma. When you are computer proficient, it is not just work that wants your skills; it is also friends and family. You end up being asked many times to fix people’s laptops or desktops. Since you are a nice guy, you have a hard time turning these people down, especially when they are your friends and family. However, just like work, you need to set some limits, since this is still taking away from your personal time.

Rule 1: It’s Not Always Free

It is a bad idea to let people think your skills have no value. In my case, I charge a modest fee to look at people’s computer problems outside of work. My time is valuable to me, and so charging a fee makes me feel better and I can invest the money back into my technology interests. It always amazes me when people balk at me charging them. It must be that they do not recognize the value of my work or they simply want something for free.

Rule 2: I’m Doing You A Favor

If you agree to look at someone’s computer, make sure that they understand you are doing them a favor. They have to make it convenient for you. The last thing you want to do is agree to something and then find out you have to drive to someone’s house at an inconvenient time for you.

Rule 3: Identify and Diagnose Their Problem

There are very few times that I have been asked to look at a Macintosh. Almost always the computer is a Windows machine. After spending years working with Windows, there are multiple tweaks, fixes, and customizations that can be done to make Windows machines work better. You could dedicate multiple days to just tweaking Windows. Remember, you do not have the time and energy to fix every problem; just concentrate on the problem that they asked you to look at. Most often people tend to not communicate well, and so I have had many people tell me that they wanted their computer to run faster and then found out that they really wanted something else entirely. Once you find out what it is they want you to fix, tell them how it can be fixed and let them decide what they want to do. Many times you find that there is a component failure and there really is nothing for you to fix; they will have to spend money on replacing the component or buying a new computer.

Rule 4: Know When To Walk Away

Do not spend your time installing Windows Updates or running malware or anti-virus checks! These chores are something the user needs to do. If you can avoid these time-consuming tasks, do so. Wherever possible, configure these things to run on their own; Microsoft and other software vendors provide scheduling features in most of their software. If you cannot schedule these tasks, educate the user to do them on their own.

Final Thoughts

These days I devote most of my time to building my own computers, instead of fixing other people’s stuff. Every now and then I will do someone a favor and fix their Windows problem, but I resign myself to not having to fix every problem. Life is too short to spend countless hours in front of a keyboard.