pfsense load balancing

I had the case where I wanted to access my server remotely via SSH when my server was behind my pfsense firewall.
The problem was, I often swap between a wired and wireless connection. I could port forward two different ports, one to the wired network and one to the wireless, but that is one more thing to remember. So I thought I would investigate pfsense load balancing functions so I wouldn't have to remember if I left it on wired or wireless.

First is to set static IPs for the servers wireless and wired connections so I could reference them later. You can do this in the Status > DHCP leases menu.

Second I needed to allow SSH from the WAN to the LAN network. I created a Firewall rule to allow this. You could create two rules to allow SSH to each static IP, but I have other devices on my network, so I just opened it from the WAN port to the whole network. by using the /24 address of the destination.

Now to the fun stuff, load balancing.

You need to create a pool containing the servers you want to load balance to, and a virtual server to forward a port to and use the pool.

In Services > Load Balancer > Pool, click the plus to create a new pool.
Since you wanted pfsense to know what is available, wired or wireless, and send traffic to whatever is available we want to select 'Load Balance'. Give it a description. The servers are listening on port 22 for SSH so we want to balance across that port. Add the static IPs that you set earlier and save.

Now in Services > Load Balancer > Virtual Server, click the plus to create a new virtual server.
Give it a name, the IP address is your WAN IP (or alias for the WAN IP) I wanted to use a non standard port, so chose port 1023, and you select the pool to use, in my case 'Server_SSH_Pool' and save,

Apply changes. I rebooted the server to be sure.

Now get onto the same network that your WAN connects to and try to SSH.

ssh://username@10.1.1.123:1023

where username is the username of an SSH user on the two servers in the load balancer pool.

It should ask you for the password and you should be in.
log out, change the server to connect to the LAN via its other network interface wired or wireless. Then back on machine on your WAN try to SSH again to the same address.

You should now be able to get in from your WAN by using the one IP address and port 1023, no matter if your server is connected to the LAN via wired or wireless. (or a second NIC, it doesn't have to be wired and wireless) You are just load balancing across two different IPs so those could be different servers as well - that's how you load balance HTTP web requests to different web servers to handle load, my case just needed SSH instead.

Raspberry Pi RTC Module

Well I purchased this High Precision Real Time Clock for my Raspberry Pi.

They had a nice article on how to get it working here.

I pretty much followed it exactly and it worked fine, but I am going to relist the steps here in case I need them again later or the article moves etc.

---

# Remove the module blacklist entry so it can be loaded on boot

sudo sed -i 's/blacklist i2c-bcm2708/#blacklist i2c-bcm2708/' /etc/modprobe.d/raspi-blacklist.conf



# Load the module now

sudo modprobe i2c-bcm2708



# Notify Linux of the Dallas RTC device

# on my 256Mb Pi I used.

echo ds1307 0x68 | sudo tee /sys/class/i2c-adapter/i2c-0/new_device

# on my new Pi B+

#echo ds1307 0x68 | sudo tee /sys/class/i2c-adapter/i2c-1/new_device



# Test it out.

sudo hwclock

---

once that was done:

# Add the RTC device on boot

sudo sed -i 's#^exit 0$#echo ds1307 0x68 > /sys/class/i2c-adapter/i2c-1/new_device#' /etc/rc.local

#dont forget to change i2c-0 or i2c-1



echo exit 0 | sudo tee -a /etc/rc.local



#This doesn't cover automatically setting the clock on boot and but you can do so by adding another line (above exit 0) to rc.local with;



hwclock -s

Using Stat command to get file info for a script

I was wanting to get the last modified date of a file to use in a OS X shell script.

It seemed that using the 'stat' command was the way to go in order to get details about the file.

MAC OS X Developer Docs on stat command are here or you can 'man stat' on the command line.

Wading my way through the different formats that could be returned I came up with:

Find the last accessed time on a file

stat -f "%Sa" /path/to/file

Jul 19 12:05:26 2014

Find the last modified time on a file

stat -f "%Sm" /path/to/file

Oct  5 08:46:15 2013

Find the creation time on a file. (ie the Birth time of the inode)

stat -f "%SB" /path/to/file

Jul 18 19:21:39 2014

Not to be confused with %Sc which was the last time the inode changed, not the last change time.

Window 7 Desktop Picture via .bat script

I have a case when I wanted to set my desktop background at startup via a bat script.

put a wallpaper.jpg picture that you want on your desktop somewhere.

Create a [whatever].bat file in a location,

ECHO OFF

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /f /t REG_SZ /d C:\path\to\wallpaper.jpg

RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True

You could run the .bat now if you want.
To have it apply each time you restart, put a shortcut to the .bat file C:\Users\[your account name]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Installing pfsense on an HP T5720

Well after some time spent on on some unsuccessful projects, after getting inspired from this video

I decided that making my own router would be a good idea!

Some friends of mine had tried pfsense so I thought that I would give that a go.

I had some old hardware that I bough cheap a while ago when I wanted to do something, I just didn't know what. So I decided to use an old HP T5720 Thin Client that I had.

It seemed to be perfect for this setup, a small, silent, power efficient, powerful enough little server.

The HP 5720 has 512Mb of Flash HD, the one I purchased had 1Gb SODIMM RAM already and came with a PCI Riser card. So I put in a 2x 100/1000 PCI Ethernet Card that I had on a server I had and decided to give it a go.

Here is mine when set up:

Parts:

HP T5720 Thin Client with associated parts (power etc) and PCI Riser Card.

1x PCI Ethernet Card

Monitor during install.

Keyboard During install.

External CD drive during install.

I set the BIOS to boot of USB, hooked up my external CD Drive, hooked up the T5720 onboard Ethernet to my ADSL modem and booted off the pfsense Live CD.

I tried the default boot at first, but I kept having ACPI error messages scrolling past. So I rebooted and selected option 2 to start pfsense with ACPI disabled.

When it asked if I wanted to go to Installer or continue with Live CD, I selected Install.

This takes me to the ncurses install menus. I selected the default.

I selected Quick/Easy Install. 

I had some popoups about how it would erase everything etc. but it kicked off. During the install there were some errors, like this, 

but I skipped those and it seemed to install okay.

after install, I shutdown, set the bios to boot from Flash, disconnected the CD drive and started it up.

EDIT - After installing pfsense 2.1.2 on an external hard drive, I was getting booting errors.
I solved them by at the pfsense menu, hitting space, and then 7 to go into the loader prompt and inputting

set kern.cam.boot_delay="10000"
boot

I then once it booted okay, I installed nano as mentioned below, etc, but also added to /boot/loader.conf the line

kern.cam.boot_delay="10000"

in order to make it persistent.

END EDIT

I was then in the main pfsense command line menu.

I still had the ACPI errors scrolling past, so I needed to stop those on the default option at pfsense startup.

I needed to google how to turn it off, but once I found out how it was easy.

I went to the shell (option 8)

and installed nano using: 

pkg_add -r nano

EDIT
on pfsense 2.2.2 you use pkg to install other packages

pkg install nano

END EDIT

To default ACPI to off I modified /boot/device.hints file adding:

hint.acpi.0.disabled="1"

The machine I was on, was also on the ADSL LAN, and not hooked up to my pfsense box.

I could see from the pfsense menu what IP was assigned to my WAN interface so I tried to connect to that using my browser to use the web configuration.

That was denied and is the pfsense default not to allow connections to the webconfigurator over the WAN interface.

you could temporarily disable the packet filter by going to the shell and running: 

pfctl -d

Then you should be able to get to the web configuration over the WAN.

I just hooked my computer up to the pfsense box LAN interface and rebooted both my machine and the pfsense box.

in doing that, I think I bumped the  PCI card, as the pfsense box came up only recognizing the onboard interface.

I reseated and re-powered the pfsense box, and it came back up. But the LAN interface no longer seemed to be a DHCP server and I could't get in to the web GUI.

So how to start the DHCP server on the LAN interface?

Easy, on the console just assign it a static IP and it will ask you if you want to turn on DHCP for the interface.

Give it an IP range and you're back up and running. Your computer on the LAN interface will now be able to get an IP, get to the web configuration, and probably can already access the net if your ADSL is up and has assigned your WAN interface an IP.

So now I will be spending some time, configuring it with all the rules and options I want, maybe adding wireless, maybe mounting the T5720 onto something. Lots to play with now.