94 PfSense 2 0 and Beyond BSDCan 09


Transcript of 94 PfSense 2 0 and Beyond BSDCan 09

  • 8/8/2019 94 PfSense 2 0 and Beyond BSDCan 09

    1/36

    pfSense - 2.0 and beyond

    Chris Buechler - [email protected]

    Scott Ullrich - [email protected]


    2/36

    History of pfSense

    - Started as a work project 13 years ago when we needed an internal firewall
    - Originally Linux, switched to FreeBSD 2.2
    - Evolution of this path shrunk the firewall down to a Soekris size
    - Moatware was started
    - Met Chris Buechler during this time
    - Sell a number of products
    - Sales guy moves to Florida
    - Moatware fails
    - Chris and I debate starting over fresh
    - pfSense is forked from m0n0wall roughly 4 years ago
    - Still going strong today - momentum is snowballing


    3/36

    pfSense Overview

    - Customized FreeBSD distribution tailored for use as a firewall and router.
    - pfSense has many base features and can be extended with the package system, including one-touch installations of popular 3rd party packages such as SpamD (spam filter) and Squid (web caching).
    - Includes many features found in commercial products such as Cisco PIX, Sonicwall, Watchguard, etc.
    - Many support avenues available: mailing lists, forum and commercial support.
    - Has the best price on the planet.... Free!


    4/36

    pfSense Platforms

    - Live CD
    - Full Install
    - Embedded
    - Developers


    5/36

    Project statistics

    - Millions of downloads served
    - 11,400 forum members
    - ~1200 mailing list users (support and discussion)
    - 21 developers
    - 12 active developers (committed in the last year)
    - Consistent Google growth


    6/36

    New features (base)

    - Layer 7 QoS
    - New traffic shaper
    - User Manager
    - OpenVPN improvements
    - PHP 5
    - Certificate Manager
    - Routing / Gateways improvements
    - Dashboard
    - Load balancer changes
    - Web based pftop, top
    - IGMP proxy


    7/36

    New features (continued)

    - Complete new interface system
    - Multiple DynDNS interface support
    - DHCP Server improvements
    - PPTP improvements
    - New LIBALIAS based in-kernel FTP helper
    - Improved load balancing (incoming and outgoing)


    8/36

    Layer 7 QoS improvements

    - Based on a regex matching system
    - Detects BitTorrent very nicely
    - Can distinguish between bulk and interactive traffic?
    - About X% overhead for L7
    - PF peels off the first X bytes of the header for inspection via divert


    9/36

    New traffic shaper

    - Rewritten from scratch by Ermal Luci
    - Supports HFSC, CBQ, FairQ, PriQ
    - Uses ALTQ
    - Now works on more than 2 interfaces
    - Supports bridging
    - Pretty much all limitations are now gone!


    10/36

    User Manager

    - Full user manager with user and group support
    - Can allow an account access to specific areas
    - Consolidates all accounts from various areas (VPN users, etc)
    - LDAP authentication support
    - Per user certificate support


    11/36

    IPsec

    - Major overhaul by Matthew Grooms, ipsec-tools committer and author of the Shrew Soft IPsec client - http://shrew.net
    - Multiple Phase 2 per Phase 1
    - Transport mode support added


    12/36

    IPsec Xauth - user and group authentication

    - pfSense local user database
    - LDAP
      - Microsoft Active Directory
      - Novell eDirectory
      - and others...
    - RADIUS
      - Microsoft Active Directory
      - many others
    - Now a drop-in replacement for Cisco VPN concentrators, PIX firewalls, and routers


    13/36

    OpenVPN

    - Major overhaul by Matthew Grooms
    - Can now export a Windows Installer bundled with certificates
    - Now considered a first class VPN topology in pfSense


    14/36

    New interfaces

    - GRE
    - gif
    - PPP (dial up POTS modems, 3G cellular wireless)
    - Many 3G wireless additions
    - lagg(4) interface bonding
      - failover
      - load balance
      - round robin
      - Etherchannel
      - LACP


    15/36

    Bridging enhancements

    - All if_bridge capabilities supported
    - 18 advanced configuration options available
    - STP and RSTP - fully configurable
    - SPAN port capable


    16/36

    Certificate Manager

    - Certificate authority support
    - Generate OpenVPN certificates
    - Generate user certificates
    - Generate HTTPS certificate
    - Generate IPsec certificates
    - Revocation support
    - Import existing certificates


    17/36

    Routing / Gateway Additions

    - New gateway group feature
    - Failover threshold supports RTT or packet loss triggers
    - Groups now employ a "Tier" type system
    - Supports balancing
    - Supports interface failover ordering
    - Can fail on packet loss % or 100% down situations


    18/36

    Dashboard

    - Allows quick access to system information
    - Added RSS widget
    - Added picture widget
    - Added gateways widget with RTT and loss reporting
    - New AJAX CPU utilization widget


    19/36

    Load Balancer changes (relayd)

    - Layer 3 balancing
    - Layer 7 balancing
    - New monitoring features
      - Send/expect
      - DNS
      - HTTP
      - HTTPS


    20/36

    Web based pftop


    21/36

    Web based top


    22/36

    IGMP Proxy

    - Useful for video in some cases
    - Some phone systems use IGMP for overhead speakers
    - IPTV
    - Gaming


    23/36

    New interface system

    - All interfaces treated equally - no special status for LAN/WAN.
    - Multi interface PPPoE support (WAN)
    - Multi interface PPTP support (WAN)
    - Allows just one interface to be assigned (appliance mode)
    - QinQ VLAN support
    - Interface groups


    24/36

    DHCP Server improvements

    - Dynamic DNS client name registration support
    - Definable NTP servers
    - LDAP URI integration
    - Now allows duplicate IP address registration for multiple MAC addresses
    - Network booting related additions
      - next-server
      - filename
      - root-path-string


    25/36

    New features (packages)

    - Jails
    - FreeSWITCH
    - Squid 3
    - Avahi
    - Open-VM Tools
    - PHP Service
    - OpenVPN Client Export Utility (Windows)
    - TFTP Server (useful for upgrading Cisco/HP switches, etc)


    26/36

    Appliance building

    - pfSense builder system can now automatically generate custom "Appliances" from an overlay file.
    - Simply add the files that you want to include into a directory and define that directory in the pfsense_local.sh custom_overlay directive.
    - We will go over a quick appliance build later in this presentation.


    27/36

    FreeSWITCH Appliance

    - Can be run on pfSense directly or as a dedicated appliance.
    - Features:
      - Voice Mail
      - Voice Mail to e-mail (one or more email addresses; can also be sent to special email addresses for SMS text messages)
      - Auto Attendant
      - Music on Hold (.wav)
      - Recordings
      - Follow Me
      - Text to Speech (flite)


    28/36

    FreeSWITCH Appliance

    Features continued:
    - Call Park
    - Call Forward
    - DISA (Direct Inward/Outward System Access)
    - Call Queues
    - SIP (TLS) and SRTP and more.
    - Simple to call between multiple systems using the Internet.
    - Call Eavesdrop (aka barge)
    - Call Recording
    - Call Intercept by Group, Global, Extension


    29/36

    FreeSWITCH Appliance

    Features continued:
    - Call Park
    - Google 411

    Email: [email protected]

    Wiki: http://doc.pfsense.org/index.php/FreeSWITCH

    IRC: #pfsense-freeswitch


    30/36

    DNS Server Appliance

    - Many features removed, such as DHCP Server, VPN, etc
    - Two versions released so far, newest based on FreeBSD 8
    - Based on TinyDNS from DJ Bernstein
    - Automatically synchronizes changes to 5 other hosts
    - Automatically fails over to backup records on host failure, detected using ICMP
    - Automatically fails over to backup record if WAN RTT > X
    - Automatically fails over to backup record if RTT to host Y.Y.Y.Y > X
    - Zone transfer support for the BIND folks
    - Configuration data stored in master config.xml file


    31/36

    Creating an appliance (overview)

    - Install FreeBSD 7
    - Follow http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso
    - Execute these shell commands:

        cd /home/pfsense/tools/builder_scripts
        cp builder_profiles/pfDNS/pfsense_local.sh .
        ./build_iso.sh

    32/36

    Creating your own appliance (overview)

        cd /home/pfsense/tools/builder_scripts/builder_profiles/
        cp -R pfDNS MyAppliance && cd MyAppliance
        grep -R "pfDNS" * | cut -d":" -f1 | sort -u

    Output:

        README
        config/config.xml
        copy_overlay/boot/beastie.4th
        copy_overlay/etc/inc/globals.inc
        copy_overlay/usr/local/share/dfuibe_lua/conf/pfSense.lua
        pfsense_local.sh

    Edit the above files to your liking


    33/36

    Building your appliance (overview)

        cd /home/pfsense/tools/builder_scripts
        cp builder_profiles/MyAppliance/pfsense_local.sh .
        ./build_iso.sh

    See http://devwiki.pfsense.org/CreatingAnAppliance
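    The profile-cloning steps on the previous two slides, carried out end to end as an added example. This is not the pfSense project's own tooling: it builds a constructed stand-in for the builder_profiles tree in a temporary directory (the real tree lives under /home/pfsense/tools/builder_scripts), runs the same grep | cut | sort pipeline to find every file that names the source profile, and then rewrites those references with sed rather than editing each file by hand. The sample file contents, including the pfsense_local.sh variables, are made up for the example and are not the real pfDNS profile.

```sh
#!/bin/sh
# Added example: clone a pfSense builder profile and rename its references.
# Not the project's own tooling. The profile tree below is a constructed
# stand-in created in a temp dir; the real one lives under
# /home/pfsense/tools/builder_scripts/builder_profiles.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PROFILES="$WORK/builder_scripts/builder_profiles"

# Constructed sample profile: a subset of the file layout the slide's grep
# listed, with made-up contents that mention the profile name.
mkdir -p "$PROFILES/pfDNS/config" "$PROFILES/pfDNS/copy_overlay/etc/inc"
cat > "$PROFILES/pfDNS/pfsense_local.sh" <<'EOF'
# constructed sample, not the real pfsense_local.sh
export PRODUCT_NAME="pfDNS"
export custom_overlay="/home/pfsense/tools/builder_scripts/builder_profiles/pfDNS/copy_overlay"
EOF
printf '<pfsense><system><hostname>pfDNS</hostname></system></pfsense>\n' \
    > "$PROFILES/pfDNS/config/config.xml"
printf '$g["product_name"] = "pfDNS";\n' \
    > "$PROFILES/pfDNS/copy_overlay/etc/inc/globals.inc"
printf 'pfDNS appliance profile\n' > "$PROFILES/pfDNS/README"

# files_mentioning NAME DIR: the slide's grep | cut | sort pipeline, run from
# inside DIR so it prints profile-relative paths, one per line.
files_mentioning() {
    ( cd "$2" && grep -R "$1" . | cut -d: -f1 | sort -u | sed 's|^\./||' )
}

# clone_profile SRC DST: copy the profile, then rewrite every reference to
# the old name in the files the pipeline found. The custom_overlay path in
# pfsense_local.sh is rewritten too, so it points at the new profile's overlay.
clone_profile() {
    cp -R "$PROFILES/$1" "$PROFILES/$2"
    files_mentioning "$1" "$PROFILES/$2" | while IFS= read -r f; do
        # GNU sed -i; on the FreeBSD build host use: sed -i '' "s/$1/$2/g"
        sed -i "s/$1/$2/g" "$PROFILES/$2/$f"
    done
}

# leftover_refs NAME DIR: how many files under DIR still mention NAME
leftover_refs() {
    files_mentioning "$1" "$2" | wc -l | tr -d ' '
}

clone_profile pfDNS MyAppliance
echo "Files now naming the new profile:"
files_mentioning MyAppliance "$PROFILES/MyAppliance"
echo "Files still naming pfDNS: $(leftover_refs pfDNS "$PROFILES/MyAppliance")"
```

    After the clone, leftover_refs pfDNS reports 0 and the custom_overlay path names the MyAppliance overlay, which is what the builder reads when pfsense_local.sh is copied into builder_scripts and ./build_iso.sh is run. Two points worth checking before that build: sed -i takes an empty suffix argument on the FreeBSD 7 host the previous slide installs, and everything under copy_overlay, config/config.xml included, is copied verbatim into every image the profile produces, so keep real credentials out of a profile you intend to build from or share.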

    34/36

    BSD Perimeter milestones

    - Chris is now working full time
    - BSD Perimeter coordinating MIPS port for RouterStation
    - pfSense book will be released in the next couple of months
    - Commercial support is growing, with satisfied customers
    - Sponsored IPsec improvements
    - Sponsoring various misc projects on behalf of customers, IGMP package for 1.2.*, etc


    35/36

    Questions?

    Comments?


    36/36

    Thanks for attending!

    [email protected]

    [email protected]