Misc Docs

pfSense upgrade notes

Home: http://www.pfsense.com/

Apparently a good way to load both full and embedded pfSense systems is to boot a live CD and select Install mode. If you disconnect the hard drive of your computer, the USB-connected CF card is the only device you can install to. You can use the custom install to create several partitions for a multiboot system. If it is indeed an embedded system, you may want to select the embedded kernel near the end of the install. Either way you will have to edit /etc/platform and change pfSense to embedded.

You may find that the device name of your flash card changes when it is booted in your target machine. If so, the installer will stop and ask you what the correct device is. Sometimes while installing, the partition names are not what the script expects, and you need to add symlinks in /dev to work around that. Just hit CTRL-C, cd into /dev, then do something like this:

ln -s da0 da0s1
ln -s da0a da0s1a
ln -s da0b da0s1b

Now you have to restart the install like this:
/etc/rc.bootup

Or you can change them in fstab.
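The symlink workaround above, as an added example that is not from the original page: a shell function that creates the slice-style names (da0 -> da0s1, da0a -> da0s1a, ...) for whichever partition nodes actually exist on the card, and refuses to overwrite a name that is already present. The slice number and the directory argument are assumptions added so it can be rehearsed outside /dev first.

```shell
#!/bin/sh
# Added example (not from the original wiki page). Create the slice-style
# device names the pfSense install script expects when the flash card shows
# up with unsliced names (da0, da0a, da0b ...). Links are relative, exactly
# as in the manual "ln -s da0 da0s1" workaround. Nothing is overwritten: an
# existing node or link with the target name is reported and left alone.
#
# usage: make_slice_links DISK [SLICE] [DEV_DIR]
#   DISK     e.g. da0
#   SLICE    slice number the installer expects (assumed default: 1)
#   DEV_DIR  directory holding the device nodes (assumed default: /dev)
# Prints the number of links created.

make_slice_links() {
    disk="$1"
    slice="${2:-1}"
    dev_dir="${3:-/dev}"

    [ -n "$disk" ] || { echo "usage: make_slice_links DISK [SLICE] [DEV_DIR]" >&2; return 2; }
    [ -e "$dev_dir/$disk" ] || { echo "$dev_dir/$disk: no such device" >&2; return 1; }

    created=0
    # the whole disk first, then every BSD partition letter that exists
    for src in "$disk" "$disk"a "$disk"b "$disk"c "$disk"d "$disk"e "$disk"f "$disk"g "$disk"h; do
        [ -e "$dev_dir/$src" ] || continue
        suffix="${src#"$disk"}"            # "" for the disk, "a".."h" for partitions
        dst="${disk}s${slice}${suffix}"    # da0 -> da0s1, da0a -> da0s1a
        if [ -e "$dev_dir/$dst" ] || [ -L "$dev_dir/$dst" ]; then
            echo "skip: $dev_dir/$dst already exists" >&2
            continue
        fi
        ln -s "$src" "$dev_dir/$dst" || return 1
        created=$((created + 1))
    done
    echo "$created"
}
```

Run it as root in /dev on the stalled installer (make_slice_links da0), then restart with /etc/rc.bootup as described above.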

I like to make 4 BSD slices on the CF card or disk for multiple pfSense images. Then you can quickly use an old, known-working config file on another partition, or copy the latest config to the others. You can also upgrade one slice to the latest firmware and fall back to the previous system without a lot of hassle. Use the F1, F2, F3 and F4 function keys during boot to select a slice. Eventually you will want to add a serial console so you can control the boot process remotely.

If the hot firmware upgrade procedure doesn't work, you can do a fresh install on another card and copy the config over, or do a restore from the GUI. You can skip everything down to the sub-partition creation.

cp -r /cf/ /mnt/

Note that with a trailing / on the source, cp copies the contents of the directory rather than the directory itself, so it acts more like rsync.

VPNs

Which VPN protocol is a good choice for wireless tunnels?

http://www.ivpn.net/pptp-vs-l2tp-vs-openvpn.php
http://permalink.gmane.org/gmane.comp.security.firewalls.pfsense.support/21829

Note: extending the broadcast domain over a flaky WiFi connection may not be a good idea, and pfSense doesn't currently support it.

The wired subnets in main camp are routed over a VPN to the border router for extra security. To get all outgoing traffic from those subnets to run over the VPN, you need to set up the config like so:

  • Local Subnet: 10.253.0.0/23
  • Remote Subnet: 0.0.0.0/0

You have to switch to manual NAT to do this, though, because for some reason the IPsec VPN subnet is not NATed for outgoing traffic. Actually both pfSense routers use manual NAT, for different reasons. You may also have problems pinging the default gateway(s) in the VPN subnets, but they still work; maybe we should ask about that.

DSL modem admin IPs

Modem     Number     NIC   IP
Modem 1   935-6933   dc0   10.255.1.1
Modem 2   935-5214   dc1   10.255.2.1
The modem admin interface is password protected.

Notes: some modems don't have static routes, so to access them from the OCF LAN subnets you need to ssh to the router first and then point your browser at https://localhost:8080

e.g.:
ssh -L8080:10.255.2.1:80 root@route

-- ClifCox - 27 Oct 2010

Topic revision: 2017 Jul 13, clif