Firewall / DNS / DHCP / OpenVPN (PIA)

Hey All!

I've been struggling with getting PIA to work on a semi-supported DD-WRT router (Netgear R6200v2). Getting it working only gives me around 7mb down and 2mb up, and I have 75/75. It boiled down to the hardware on the router not being powerful enough (even overclocking didn't help).

So, My next idea was to turn an older machine with:

Quad Opteron
16gb DDR
120gb SSD
Dual Gig Nic

Into a do it all (Firewall / DNS / DHCP with OpenVPN)

The problem I am facing is trying to get pfSense installed on that older machine. I tried installing via USB and with a Zalman VE 3. Nothing happens with the USB IMG w/ VGA, and when trying with the Zalman I get a BTX halt error. I do not own any DVD/CD-ROM drives.

My question to you guys is: what is a GREAT alternative to pfSense that will give me everything I need for free?

Thanks in advance.

PS: I also have a Dell T410 with dual Xeon, 64gb RAM, 6 SSDs and a PERC 6/i, but that might be a wee bit overkill lol. It's currently running ESXi 6. Should I virtualize pfSense instead of using a dedicated machine?

You could virtualise as long as you have a NIC that you can dedicate to WAN. It isn't recommended for security reasons, but for a home network it will be fine.

I'm not sure about alternatives; I think IPCop is one, and Untangle. But I think you might run into the same issue. It might be worth picking up an optical drive. If you have a laptop you could even remove the optical drive and use that temporarily.

Thanks Dex, appreciate your reply.

The server is not a high-security concern for me; my main PC is. The server I use for testing. Will it be as secure as installing a bare-metal firewall for other machines outside the server?

As far as I know there are no known exploits. The issue is that running it as a VM is more complex than running it on bare metal, so the attack surface is increased. That means that because there are more parts to it, there are more potential exploits. Another issue is that you will have an internet-facing connection connected directly to your server, which is a security risk, although it's unlikely that this would cause a problem. So for a home network it's probably fine, but you wouldn't do it on a professional network unless you really knew what you were doing.

Oh, and from what I've read SSDs are a bad idea for pfSense because of constant writes. I've read about people having their SSDs fail within a couple of months when used in pfSense.

I ran into the same issue on newer hardware. I figured out it was the software I was using to write the ISO to the USB stick.

Make sure you're using win32diskimager.

Yeah, I tried Win32DiskImager and Rufus with no luck. The hardware is just that old, and it's a Supermicro mobo, so that makes things a bit worse.

Thanks for that heads up man, really appreciate it. Think I'm going to run with your advice and virtualize it off the Dell. The 6 SSDs will be in a RAID 50, and I'm going to pop in 2 1tb HDs for storage and backup, so I'll also use the HDs for pfSense / caching.

How does this sound for the pfSense setup w/ Squid & Snort? I will also use the ESXi Host Caching option for better performance (SSD).

Disk: 100gb /16gb swap
4-cores
8gb ram

Yeah that's massive.

Ah, everything is set up and running smoothly! Except ESXi is connected to the wrong NIC, and in order for me to connect I have to switch LAN and WAN temporarily, and when I'm in ESXi and set the correct one, the WAN NIC disconnects. Any way around that? =\ lol

I haven't used ESXi, but in Linux you can give the NIC a manual configuration with no IP address. If you can figure out how to do that with the WAN NIC in ESXi, that should sort it out.

Ah, figured it out. So I had to manually create a VMkernel on vmnic1 via vSphere and enable Management Traffic, delete the original on vmnic0 and adjust the network adapter in ESXi, restarted and poof.

Thanks again, Dex, for all your help.

No worries. Give me a shout if you have any trouble getting your VPN working, I have something like four VPN connections on mine so I have a little experience ;)

As a home/small office firewall, I'd recommend IPCop. Minimal hardware requirements and very reliable.

Link: http://distrowatch.com/table.php?distribution=ipcop


Ah dude, I actually tested OpenVPN on pfSense last night; the performance was horrible (using PrivateInternetAccess): my upload was cut in half, from 80/80 to 80/35. Having my VPN on the router would be awesome; Netflix and YouTube for the smart TVs and kids' iPads could use a boost.

And overall usage performance sort of felt slow. On a speed test everything looked good, but actually going to a site and waiting for it to load didn't feel fast enough.

Are you also running Squid? Because I found that using the cache was detrimental to performance. Seems counterintuitive, but it's really only worthwhile if there are a lot of users (like an office or something like that) or if you have a really bad internet connection.

Otherwise you could try going to the firewall tab of the advanced settings and making sure the "clear invalid DF bits" box is unchecked. I'm not sure if it helps, but I think if you have that enabled it prevents OpenVPN from tuning the packet size, which results in a lot of fragmentation. You could also try changing the MTU settings for the interface you've assigned the VPN. Try something between 1300 and 1450; that could help. This is what I tried when I was having horrible performance issues, but it turned out the problem was the connection kept getting dropped because the apinger service resets the connection if the latency or dropped packets get too high. If you see your connection quality turn yellow or red on the main page, then you can disable the apinger service or change the thresholds in the advanced settings on the routing page to prevent it from resetting the connection.

Also, what DNS servers are you using? If you're still using your ISP's, then that could be the problem, as your DNS lookups will go to the VPN server, then back to your ISP, then back to the VPN server and back to you, so that will make browsing seem slower. Try changing it to the Google or OpenDNS servers if you haven't already.
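Rather than guessing an MTU in the 1300 to 1450 range, you can measure the largest packet the WAN path passes with DF set and derive the tunnel MTU from it. The script below is an added example, not from this thread or from pfSense/PIA; the OpenVPN per-packet overhead constant and the `ping_probe` flags (Linux iputils `ping -M do`) are assumptions, and the offline run uses a constructed path model instead of real probes.

```python
import subprocess
from typing import Callable, Optional

IP_HDR, ICMP_HDR, UDP_HDR = 20, 8, 8
# Assumed per-packet overhead of an OpenVPN UDP tunnel (encryption, HMAC,
# packet id). It varies with cipher, auth and compression, so measure it for
# your own config rather than trusting this constant.
OPENVPN_OVERHEAD = 41


def largest_passing_payload(probe: Callable[[int], bool],
                            lo: int = 500, hi: int = 1472) -> Optional[int]:
    """Binary-search the largest ICMP payload that passes with DF set.

    probe(size) returns True when an echo with that payload got through
    unfragmented. Returns None when even the smallest size fails.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """ICMP payload plus IP and ICMP headers gives the path MTU."""
    return payload + IP_HDR + ICMP_HDR


def suggested_tun_mtu(pmtu: int, overhead: int = OPENVPN_OVERHEAD) -> int:
    """Tunnel MTU that keeps the outer UDP/IP packet at or below the path MTU."""
    return pmtu - IP_HDR - UDP_HDR - overhead


def make_model_probe(true_pmtu: int) -> Callable[[int], bool]:
    """Constructed path model for offline runs: passes iff the packet fits."""
    return lambda payload: path_mtu_from_payload(payload) <= true_pmtu


def ping_probe(host: str, payload: int) -> bool:
    """Real probe (Linux iputils ping): -M do sets DF, -s sets payload size."""
    r = subprocess.run(["ping", "-c", "1", "-W", "2", "-M", "do",
                        "-s", str(payload), host], capture_output=True)
    return r.returncode == 0


if __name__ == "__main__":
    probe = make_model_probe(1492)  # constructed: e.g. a PPPoE uplink
    pmtu = path_mtu_from_payload(largest_passing_payload(probe))
    print(f"path MTU {pmtu}, suggested tun-mtu {suggested_tun_mtu(pmtu)}")
```

Against a real gateway, swap the model for `lambda n: ping_probe("VPN_SERVER_IP", n)`; the result feeds the interface MTU setting the post refers to.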

Ah, I am going to try all that you suggested right now. I am using SmartDNSProxy.com as my DNS, but I have no problem switching it up since they only have 1 Eastern DNS server and I am located in NY/NJ. The secondary US DNS they have is on the West Coast. I will try running Google's DNS benchmark and using what it suggests.

I also disabled Squid. My performance is OK but not as good as it was before deploying pfSense/Squid, so I've disabled it for now. The only other module I've implemented is Snort.

I will let you know how everything turns out. Before I start, do you mind taking a look at PIA's instructions and seeing if there are any tweaks I can add?

https://www.privateinternetaccess.com/pages/client-support/pfsense

Thanks again, dude. Very helpful.