Migrating to PFSense

I recently migrated from an SRX210H to PFSense for my internet edge device.

The main motivation for this was the SRX’s pretty awful Java+Flash GUI. The Juniper command line is fantastic, but I’m trying to remove Flash from my life; I just can’t deal with it any more.

PFSense has a really nice GUI and it is BSD based (it runs on FreeBSD), so it was an easy choice.

[image: pfsense]

The PFSense install is pretty straightforward, but here are a few things that I tweaked for my setup (everything is pretty googleable):

  1. Keep an eye on your mbuf usage. Mbufs are the kernel’s network packet buffers, and a quad-port NIC can run the default pool dry. Check the "mbuf clusters in use" line of netstat -m; if it is near the max, raise kern.ipc.nmbclusters in /boot/loader.conf.local, which I had to do from the Unix command line.
  2. Turn on the Intel temperature sensors from the GUI (System > Advanced > Misc).
  3. Set up TRIM for the SSD. I’m not sure this was 100% necessary. If you are going to do it, don’t wait until after you rack the server like I did.
  4. Set up manual outbound NAT with a static port for Asterisk. Once again, I’m not sure this was necessary, but the default outbound NAT rewrites the source port, and some SIP peers choke when the port they see doesn’t match the one in the SIP headers; the internet claims a static port is needed for Asterisk to work properly.
  5. Create aliases for commonly used IP ranges (Firewall > Aliases). I have one for the RFC 1918 private IPv4 ranges so that I can write outbound rules against “not private” destinations (! private_IPV4) instead of listing the ranges every time.
  6. Once you have everything working, turn off logging for the default drop rules (Status > System Logs > Settings). Watching the logs for the default drop rule is useful for troubleshooting, but it gets pretty distracting once everything is set up.
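Here is an added example (not from the original post) of the mbuf check from item 1 as a script: it parses the "mbuf clusters in use" line of FreeBSD’s netstat -m, works out how much of the kern.ipc.nmbclusters ceiling is in use, and warns past a threshold. The sample netstat output and the 80% threshold are constructed for illustration; on a real pfSense box it reads the live counters instead.

```shell
#!/bin/sh
# Added example: warn when FreeBSD/pfSense mbuf cluster usage gets close to
# the kern.ipc.nmbclusters ceiling. Sample data and threshold are assumptions.

THRESHOLD_PCT=${THRESHOLD_PCT:-80}

# Constructed sample of the relevant `netstat -m` lines. The field layout is
# "current/cache/total/max mbuf clusters in use (current/cache/total/max)".
SAMPLE_NETSTAT='12345/3210/15555/26584 mbuf clusters in use (current/cache/total/max)
0/0/0/13292 4k (page size) jumbo clusters in use (current/cache/total/max)'

# mbuf_cluster_pct: read netstat -m text on stdin and print the percentage of
# the cluster ceiling currently in use (current / max * 100, truncated).
mbuf_cluster_pct() {
    awk '/mbuf clusters in use/ {
        split($1, f, "/")          # f[1]=current f[2]=cache f[3]=total f[4]=max
        if (f[4] > 0) printf "%d\n", (f[1] * 100) / f[4]
        exit
    }'
}

# mbuf_check PERCENT THRESHOLD: succeed (0) when usage is under the threshold.
mbuf_check() {
    [ "$1" -lt "$2" ]
}

# On a FreeBSD box read the live counters; anywhere else fall back to the sample
# (on Linux, netstat -m means something unrelated and prints no such line).
if command -v netstat >/dev/null 2>&1 && netstat -m 2>/dev/null | grep -q 'mbuf clusters in use'; then
    pct=$(netstat -m | mbuf_cluster_pct)
else
    pct=$(printf '%s\n' "$SAMPLE_NETSTAT" | mbuf_cluster_pct)
fi

if mbuf_check "$pct" "$THRESHOLD_PCT"; then
    echo "mbuf clusters: ${pct}% of kern.ipc.nmbclusters in use - ok"
else
    echo "mbuf clusters: ${pct}% in use - raise kern.ipc.nmbclusters in /boot/loader.conf.local, e.g.:"
    echo '    kern.ipc.nmbclusters="1000000"'
fi
```

The loader tunable only takes effect after a reboot, so run the check again afterwards; a quad-port card that stays close to the ceiling under load will drop packets silently once the pool is exhausted.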

The SSD Question

There seems to be some question on the Internet as to whether PFSense eats SSDs or not. The concern is that things like the state table, and all of the system logs cause SSDs to wear out really fast.

I’m using a 30GB Crucial M4 SSD in mine. I’ve been using SSDs in all of my systems for some time now without any issue, so I’m willing to take the chance.

I’ll update this post if it dies :)

Nortel / Avaya Switch Config Basics

Avaya CLI shares some Cisco commands, but some of the commands are pretty unique (and confusing). Here are a couple of simple configs to get you started.

//restore factory defaults

#restore factory-defaults

//set up a switch IP and default gateway

(config)# ip default-gateway 10.10.10.1

(config)# ip address switch 10.10.10.50 netmask 255.255.255.0

//set up a console password

(config)# cli password serial local

(config)# username Reginald PASSWORD rw  //this is saved in clear text in the config :(

//vlan config

(config)# vlan create 55 type port

(config)# vlan name 55 "party LAN"

(config)# vlan add 55 1-24  //here I add ports 1-24 to the vlan

(config)# vlan port 1-24 pvid 55  //in Avaya-land you have to manually set the PVID

//remember to save!

#wr mem


OpenMarmot: OSPF on CentOS 7

I spent the afternoon building an OSPF router on CentOS 7 with Quagga. I found a tutorial but it was pretty broken, so I will post my version.

If you are familiar with OSPF on a Cisco router then the syntax should be very familiar. Most of the same commands are used, and you can tab complete, search, and abbreviate just like on a Cisco or Avaya.

The following config was able to neighbor and exchange routes with my Juniper gear.

—————————————————————
notes

starting with a centos 7 “infrastructure server” install
logged in as root.

SELinux is on

—————————————————————
—————————————————————
install

//install Quagga
#yum install quagga

//let zebra write its own config under SELinux (no need to turn SELinux off for this)
#setsebool -P zebra_write_config 1

//give the quagga user ownership of its config directory. The daemons run as quagga and
//write these files when you save from vtysh. chmod -R 777 also "works", but a world-writable
//directory lets any local user rewrite your routing config; ownership plus tight modes is the
//right fix (re-run the chown after creating new files in /etc/quagga)
# chown -R quagga:quagga /etc/quagga
# chmod 750 /etc/quagga

//disable firewalld. This is the blunt fix; a tighter one is to leave firewalld running and
//allow only OSPF (IP protocol 89) in from the routing segment
# systemctl disable firewalld
# systemctl stop firewalld

————————————————————–
————————————————————–
configuration

//the configuration file is located here:
// /etc/quagga/zebra.conf

//start zebra
#systemctl start zebra.service
#systemctl enable zebra.service

//launch command shell
#vtysh

//enter global config
#config t

//set the log file location
(config)# log file /var/log/quagga/quagga.logged

//exit global config
(config)# exit

//save config
#copy run start

//show interface information
#sh int

//configure an interface
#config t
(config)# int enp4s0
(config-if)# ip address 10.6.50.5/24
(config-if)# description "to ospf RAN"
(config-if)# no shutdown

// save config, and then exit vtysh (type "exit" a bunch of times)

—————————————————————-
—————————————————————-
enable ip forwarding using the linux kernel

//enable IP forwarding
# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# sysctl -p /etc/sysctl.conf

—————————————————————-
—————————————————————-
configure ospf

//create config file
#echo "log stdout" >> /etc/quagga/ospfd.conf
//the file was just created by root; ospfd runs as quagga and needs to own it to save changes
#chown quagga:quagga /etc/quagga/ospfd.conf

//start and enable on startup
#systemctl start ospfd.service
#systemctl enable ospfd.service

//launch vtysh shell and enter global config
# vtysh
# config t

//enter ospf router config
(config)# router ospf

//add the networks for ospf (interfaces with an address in this range will send hellos)
(config-router)# network 10.6.50.0/24 area 0

//set the ospf router id
(config-router)# router-id 10.6.51.4

//save the config and exit vtysh as before

————————————————————–
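The procedure above brings OSPF up with no neighbor authentication, a world-writable config directory and the host firewall switched off. Here is an added example (my own script, not part of the original tutorial) that covers those three gaps in one go: it renders an ospfd.conf that requires OSPF MD5 authentication and only sends hellos on the one routing interface, fixes ownership of /etc/quagga instead of chmod 777, and allows just OSPF (IP protocol 89) through firewalld. The interface name, addresses, log path and key are assumptions; run it with "apply" as root to actually change the system.

```shell
#!/bin/bash
# Added example, not from the original tutorial: harden the Quagga OSPF setup.
# Interface name, addresses, log path and key are assumptions for illustration.
set -eu

# Quagga takes OSPF MD5 keys of 1-16 characters; whitespace would break the config line.
validate_md5_key() {
    key=$1
    if [ -z "$key" ] || [ "${#key}" -gt 16 ]; then
        return 1
    fi
    case $key in
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# render_ospfd_conf IFACE ROUTER_ID NETWORK/PREFIX AREA KEY_ID KEY
# Interfaces not named are passive (no hellos), so a box on another segment
# cannot talk itself into becoming a neighbor; the named one requires MD5.
render_ospfd_conf() {
    iface=$1 rid=$2 net=$3 area=$4 key_id=$5 key=$6
    validate_md5_key "$key" || { echo "bad MD5 key (1-16 chars, no spaces)" >&2; return 1; }
    cat <<EOF
hostname ospfd
log file /var/log/quagga/ospfd.log
!
interface $iface
 ip ospf authentication message-digest
 ip ospf message-digest-key $key_id md5 $key
!
router ospf
 ospf router-id $rid
 network $net area $area
 area $area authentication message-digest
 passive-interface default
 no passive-interface $iface
!
EOF
}

# The daemons run as the quagga user and write their own files on "write";
# ownership plus tight modes gives them that without a world-writable directory.
fix_quagga_perms() {
    chown -R quagga:quagga /etc/quagga
    chmod 750 /etc/quagga
    chmod 640 /etc/quagga/*.conf
}

# Accept OSPF and nothing else new; firewalld stays on for every other service.
open_firewall_for_ospf() {
    firewall-cmd --permanent --add-rich-rule='rule protocol value="ospf" accept'
    firewall-cmd --reload
}

# Only touch the system when explicitly asked:  OSPF_MD5_KEY=... ./ospf-harden.sh apply
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    render_ospfd_conf enp4s0 10.6.51.4 10.6.50.0/24 0 1 "${OSPF_MD5_KEY:?set OSPF_MD5_KEY}" \
        > /etc/quagga/ospfd.conf
    fix_quagga_perms
    open_firewall_for_ospf
    systemctl restart ospfd.service
else
    # dry run: show what would be written, with a placeholder key
    render_ospfd_conf enp4s0 10.6.51.4 10.6.50.0/24 0 1 placeholder
fi
```

The same key id and key have to be configured on the Juniper side of the link, otherwise the adjacency silently stays in Init; that is the point of turning authentication on, since an unauthenticated OSPF segment lets anything that can send multicast on it inject routes.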


Dnsmasq on CentOS 7

Dnsmasq is a great lightweight server that can provide DHCP, DNS, and TFTP services for a small network.

http://www.thekelleys.org.uk/dnsmasq/doc.html

I didn’t see any CentOS 7 specific guides on the internet when I made this, so here is mine.

Dnsmasq answers from the extra hosts file you specify at the end of the config (addn-hosts) before forwarding anything to the upstream resolvers it reads from /etc/resolv.conf. The file uses the same syntax as /etc/hosts: an IP address followed by one or more names.

—————————————-
notes

Dnsmasq setup for CentOS 7

———————————————–

———————————————–
install

//install dnsmasq
#yum install dnsmasq

//turn on the server and make sure it starts on boot
#systemctl start dnsmasq
#systemctl enable dnsmasq

//firewalld configuration. Use the zone your LAN interface is in; opening 53 in a zone that
//faces the internet turns the box into an open resolver (DNS amplification fodder)
# firewall-cmd --zone=public --add-port=53/tcp
# firewall-cmd --zone=public --add-port=53/udp

# firewall-cmd --permanent --zone=public --add-port=53/tcp
# firewall-cmd --permanent --zone=public --add-port=53/udp

——————————————————–
configuration

//the config file is located at /etc/dnsmasq.conf
//uncomment this line to turn off lookups from this host’s own /etc/hosts
no-hosts
//uncomment and modify this line to add a separate file for lookups (same syntax as /etc/hosts)
addn-hosts=/etc/hosts.dnsmasq
//also restrict listening to your LAN interface (the interface and bind-interfaces options) so
//dnsmasq only answers queries from the inside
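As an added example (my own script, not from the original post), here is a lint for the addn-hosts file together with a generator for a dnsmasq.conf that only listens on the LAN side. A malformed hosts line is the kind of thing dnsmasq accepts quietly and then serves wrong answers for, so the script checks every entry is "IPv4 name [alias ...]" before the file goes live. The interface name eth1, the upstream resolvers and the sample entries are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post: validate the addn-hosts file and
# render a LAN-only dnsmasq.conf. Interface, upstreams and samples are assumptions.
set -eu

# validate_hosts_file FILE
# Every non-comment line must be "IPv4 hostname [alias ...]", the same shape as
# /etc/hosts. Exit 1 and list offending line numbers on stderr if any are bad.
validate_hosts_file() {
    awk '
        function ok_ipv4(ip,   o, n, i) {
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        NF == 0 || $1 ~ /^#/ { next }
        NF < 2 || !ok_ipv4($1) || $2 !~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/ {
            printf "line %d: bad hosts entry: %s\n", NR, $0 > "/dev/stderr"
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# render_dnsmasq_conf IFACE UPSTREAM [UPSTREAM ...]
# Binds only to IFACE (the box never becomes an open resolver on its WAN
# address), uses explicit upstreams instead of /etc/resolv.conf, and takes
# local names from /etc/hosts.dnsmasq rather than this host's /etc/hosts.
render_dnsmasq_conf() {
    iface=$1
    shift
    cat <<EOF
# listen only on the LAN interface
interface=$iface
bind-interfaces
# never forward bare names or private-range reverse lookups upstream
domain-needed
bogus-priv
# explicit upstream resolvers, ignore /etc/resolv.conf
no-resolv
EOF
    for s in "$@"; do
        echo "server=$s"
    done
    cat <<EOF
# local names live in a dedicated file, not this host's /etc/hosts
no-hosts
addn-hosts=/etc/hosts.dnsmasq
cache-size=1000
EOF
}

# --- stand-alone demo on constructed data --------------------------------
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT

printf '10.6.50.5 router1 router1.lab\n# storage\n\n10.6.50.20 nas\n' > "$tmp"
if validate_hosts_file "$tmp"; then echo "good hosts file accepted"; fi

printf '10.6.50.5 router1\n300.1.1.1 bad-ip\nnotanip host\n10.6.50.9\n' > "$tmp"
if validate_hosts_file "$tmp"; then echo "BUG: bad file accepted"; else echo "bad hosts file rejected"; fi

render_dnsmasq_conf eth1 10.6.50.1 9.9.9.9 > "$tmp"
# if dnsmasq is installed, let it syntax-check the generated file as well
if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test -C "$tmp" || echo "dnsmasq rejected the generated config"
fi
cat "$tmp"
```

Run the validator from whatever edits /etc/hosts.dnsmasq before you reload dnsmasq; with bind-interfaces in place, the firewalld rule for port 53 only needs to exist in the LAN zone.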

OpenMarmot Bash Script

Here’s a bash script that I am using on my Linux-based “OpenMarmot” switch.

I’m releasing it under APL (Andrew’s Public License) which states: “Use the code however you want. If you work at a cool company in Arizona, you should totally hire me.”  :)

#!/bin/bash

# OpenMarmot Network startup script
# version 1.0
# last edited 09/04/2014
#
# needs the vlan (vconfig) and bridge-utils (brctl) packages. both are
# legacy tools; the iproute2 "ip link" command can do the same job on
# newer kernels.

# stop at the first failure instead of leaving a half-built bridge behind
set -e

echo "loading OpenMarmot"

# this command makes sure the vlan kernel module is loaded
modprobe 8021q

# logical interfaces: eth2 is the trunk port, one tagged sub-interface per vlan

echo "building logical interfaces"
vconfig add eth2 11
vconfig add eth2 63
vconfig add eth2 65

# create bridges, one per vlan
echo "building bridges"
brctl addbr br-vlan11
brctl addbr br-vlan63
brctl addbr br-vlan65

# bring the bridges up
ip link set br-vlan11 up
ip link set br-vlan63 up
ip link set br-vlan65 up

# add interfaces to the bridges
# vlan 11 gets the tagged trunk sub-interface plus four untagged access ports
brctl addif br-vlan11 eth2.11
brctl addif br-vlan11 eth1
brctl addif br-vlan11 eth3
brctl addif br-vlan11 eth4
brctl addif br-vlan11 eth5

# vlans 63 and 65 only exist on the trunk for now
brctl addif br-vlan63 eth2.63
brctl addif br-vlan65 eth2.65

# enable stp so a loop through the access ports can't melt the network
brctl stp br-vlan11 on
brctl stp br-vlan63 on
brctl stp br-vlan65 on

# bring physical interfaces up
ip link set eth1 up
ip link set eth2 up
ip link set eth3 up
ip link set eth4 up
ip link set eth5 up

# bring the logical interfaces up
ip link set eth2.11 up
ip link set eth2.63 up
ip link set eth2.65 up

echo "setup complete"
echo "welcome to OpenMarmot"

Juniper SRX OSPF Setup

My little Juniper SRX 210H is taking on more and more roles. Over the weekend I worked on building an OSPF network so that all of the routers on my test rack could connect to the internet.

The route export for the default route ended up being pretty simple:

[image: ospf]

One thing that tripped me up for a while is that there is no implicit policy for intra-zone traffic. It turns out that if you are trying to pass traffic between two interfaces that are in the same zone, you still need a security policy that basically “allows all” communication from “zone_A” to “zone_A”. I’m kind of surprised that I haven’t run into this before.

Other than the intra-zone traffic issue, everything else went pretty smoothly. I have a Cisco 1812, an SRX, and a Fortigate chatting away happily.

updates

I haven’t posted on here in a bit because I haven’t really made any real progress on anything. I’ve been working a lot, and I’ve been concentrating on learning C in my free time. Learning C has been distracting me from studying for the CompTIA Linux+, so I will try and get back to studying this weekend if work doesn’t intervene.

I rebuilt my laptop recently and I did not install flash. I’m going to see if I can go without it, and if so I will remove it from my desktop as well. So far I think the biggest challenge is going to be music. All of the online music streaming that I use (pandora, amazon,..) seems to be flash based. Most of the newer youtube videos use HTML5 (?) so that works at least. Flash for Linux is several versions behind other platforms (not a big priority for adobe i guess) and I consider it to be a big security risk.

Proxmox 3.3 has been released. I’m pretty excited about this, mostly because they went to a HTML5 Console. The old one is Java based, and can be kind of a pain to use. I’ll probably get a test server up and running in the next week or so.

There’s been some noise lately about some Linux vulnerabilities that have been discovered (OpenSSL, bash, ...). I wish people would treat their Linux gear like their Windows gear: it needs to be patched on a regular basis, and enterprise hardware should be replaced after a reasonable service life. Linux systems aren’t invulnerable; they need to be maintained like anything else.


Studying For Certifications

I’ve started studying for the CompTIA Linux+, and unfortunately I’m not making much progress. I’m kind of stuck on figuring out how I am going to study for it.

My old process that I used for the CCNA was to buy a study guide on Amazon and read through it and take paper notes. This ended up being a big waste of time. Paper notes are really hard to study from. I took paper notes on the entire CCNA book but I didn’t use them once for studying. Instead I created documents for each chapter on my computer. This worked pretty well but I ended up spending a lot of time struggling with the formatting in Calligra and LibreOffice (MS Office is one of the few things I miss from my Windows days).

[image: calligra_font: Calligra changes the font style seemingly at random]

The JNCIA was my first attempt to study based off of the published exam objectives. I broke the objectives into two massive documents, and slowly went through them filling out the information for each objective. This worked pretty well because Juniper had published two PDF study guides that followed the objectives pretty much in order. I was still struggling massively with Calligra. Unfortunately LibreOffice had a major bug where it wouldn’t open files from a network share, so it was unusable as well.

Now I am working on the CompTIA Linux+ and unfortunately the study guide I have does not follow the exam objectives at all. I don’t want to spend a ton of time reading the book, only to end up with a bunch of useless notes. Instead I am going to make text files with the objectives, and then hunt through the book to fill in the details. That is going to be kind of a slow process, but it seems to be the best way to do it.

If I get another Juniper cert it is going to get even worse. As far as I can tell there aren’t any study guides for the Juniper exams past the JNCIA. I have no idea how people study for them, other than just relying on work experience and crossing their fingers.

Juniper DHCP

I recently separated my wireless from the rest of my network by directly attaching it to my Juniper SRX210H and putting it in its own zone. That way I can make major network changes while still being able to listen to Pandora :)

The main change that I needed to make was to configure a DHCP server, and allow DHCP and DNS system services in the wireless zone.

The DHCP config is pretty straight forward:

[image: dhcp]

Here’s the full list of setup tasks:

  1. create a wireless vlan
  2. create an L3 interface for the vlan (10.55.2.1)
  3. add the SRX interface to the vlan
  4. create a new zone for wireless
  5. add the physical interface and the L3 interface to the zone, and allow DHCP and DNS “system-services” through
  6. create a policy to allow traffic from the wireless zone out to the internet
  7. create a source NAT rule for the new wireless zone
  8. set up the DHCP server
  9. check with the operational command:

> show system services dhcp binding

Circling back to the Linux+ Cert

Let’s take a time machine back to June 12th 2013. I had just completed the CompTIA Security+ Certification exam and had decided that the CompTIA Linux+ was going to be my next challenge. The Linux+ cert seemed like a good choice because I was really interested in Linux, and I needed more Linux stuff for my resume.

[image: studyGuides]

Fast forward a little to September 2013. I became aware of an upcoming opening in the network team at work and decided to switch focus from the Linux+ to the CCNA.

In the year between then and now I’ve managed to achieve both the CCNA and the JNCIA, and I got a firm start on a new career as a network tech in the process.

Lately I have been debating whether pursuing higher level vendor-specific networking certifications (CCNP, JNCIS-ENT) is worth the time and money. The network environment I support uses a large variety of vendors, and it is looking likely to get more diverse in the future. One constant is that most of the hardware runs Linux, and my home environment is all Linux.

I think it is time to start studying for the Linux+ cert again.

© 2014 Marmotsoft
