How to set up a “fair use” bandwidth limiter for pfSense.  What I mean by “fair use” is as follows.

  • If there is only one user downloading, give them the full download speed available
  • If another user starts to download, then dynamically throttle the existing user and share the bandwidth approximately 50/50
  • As other users join in, throttle all connections to provide equal bandwidth to all users.


Overview

This example uses pfSense 2.1

  • Create a Download Limiter (a Fake Pipe) (name it something like DownloadLimit)
    • Set the total Download Bandwidth such as 10 Mbps, enable it and save
    • Create a Child Queue under the Download Limiter and name it something like Queue_OUT
      • Set the slots to “Destination addresses”, enable it and save
  • Create an Upload Limiter (a Fake Pipe) (name it something like UploadLimit)
    • Set the total Upload Bandwidth such as 1 Mbps, enable it and save
    • Create a Child Queue under the Upload Limiter and name it something like Queue_IN
      • Set the slots to “Source address”, enable it and save
  • Create a new Firewall Rule under LAN
    • Action: Pass
    • Protocol: TCP/UDP (or any)
    • Source: LAN subnet
    • Advanced Features -> In/Out: Queue_IN / Queue_OUT
    • Save and activate this rule
  • Reload the state table by Diagnostics -> States -> Reset States
  • Refresh your browser because resetting the states kills all existing connections
  • Monitor the Limiters or the Traffic Graph to see the new limits in place
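To show why the child queue's address mask is what makes the sharing fair, here is an added Python model (not pfSense or dummynet code): a pipe draining one shared queue with no mask versus one dynamic queue per destination address, with equal-weight dynamic queues approximated as round-robin service. The hosts, packet counts and pipe budget are constructed for the illustration.

```python
from collections import defaultdict, deque

PKT_BYTES = 1500  # constructed: one full-size Ethernet frame per packet

def pipe_packets(bw_mbps, seconds):
    """How many PKT_BYTES packets a pipe of bw_mbps can send in `seconds`."""
    return int(bw_mbps * 1_000_000 * seconds / 8 / PKT_BYTES)

def drain(stream, capacity, mask=None):
    """Serve `capacity` packets from a limiter and return packets delivered
    per destination host.

    stream : list of destination IPs, one per queued packet, in arrival order
    mask   : None  -> no child queue mask, every host shares one FIFO
             'dst' -> one dynamic queue per destination address (the
                      "Destination addresses" slot setting); queues are
                      served round-robin, one packet each per turn, which
                      approximates how equal-weight dynamic queues share
                      the pipe."""
    queues = defaultdict(deque)
    for dst in stream:
        queues[dst if mask == "dst" else "*"].append(dst)
    delivered = defaultdict(int)
    while capacity > 0 and queues:
        for key in list(queues):            # one packet from each active queue
            if capacity == 0:
                break
            delivered[queues[key].popleft()] += 1
            capacity -= 1
            if not queues[key]:             # host has nothing left: drop its queue
                del queues[key]
    return dict(delivered)

# Constructed scenario: 10.0.0.5 has been downloading alone and already has
# 50 packets queued when 10.0.0.9 starts and queues 10 packets of its own.
EARLY_BIRD, NEWCOMER = "10.0.0.5", "10.0.0.9"
STREAM = [EARLY_BIRD] * 50 + [NEWCOMER] * 10

if __name__ == "__main__":
    budget = 40  # packets the pipe can send before we look at the result
    print("10 Mbps pipe sends", pipe_packets(10, 1), "packets per second")
    print("shared FIFO :", drain(STREAM, budget))         # newcomer gets nothing
    print("per-dst mask:", drain(STREAM, budget, "dst"))  # 50/50 while both active
```

With the mask the newcomer is served alongside the existing downloader immediately; without it the newcomer waits behind everything the first host already queued.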

Small Business IT Tips: Virtualization

Using Virtual Machines to run your business services is probably the cheapest and easiest way to boost your business efficiency and lower costs.

Some ideas where you can use virtualization

  • Maintain your old systems.  You know that old Windows XP laptop that runs your entire payroll system, that you have to lug around to your accountant every quarter because a software update would cost $10K.  Clone it to a virtual machine, or create a new Windows XP virtual machine and install your payroll software.  Now you can run payroll from your new Core i7 MacBook Pro.
  • Consolidate all of your servers.  Maybe you have a web server, an Exchange server, a RADIUS server, a database server, a firewall, and a file server, and your IT guy thinks he’s super awesome for getting them all to fit in a nice floor-mount network rack that you managed to get used at a second-hand office supplies warehouse.  Great! But did you ever stop to think about how much power all of those machines are going to use?  According to a 2009 IBM study, the average server used 425 Watts at “average load”… that means you could be using about 2500 WATTS!  That is a pretty great reason to consolidate all of your servers and have it pay for itself.
  • Phone Systems.  Who says you need one of those large phone system boxes hanging on your wall that can only be serviced by an outside contractor?  How about a Voice over IP system, all running from a virtual machine.  You just blew my mind!
  • Support old hardware.  If you have an old plotter, printer, scanner, or other piece of old hardware that doesn’t have drivers for the new operating systems, virtualize it.
  • Recover your ancient backups.  Frequently I get contacted to recover data from really old media or software that can’t be accessed any more.  Solution,  load up an old virtual machine that supported that media.
  • Run an in-house mail or web server with instant failover and recovery.  With virtual machines you can create snapshots, do live syncs, and be up and running from a crash or a hack in a matter of minutes.

The best part about virtualization is that there are paid versions… and there are FREE ones.  Personally I think the best one is VirtualBox.  VirtualBox does have a few limitations, but its cost of free is great.  Without going into the extensive details about what a hypervisor is or how the different types of hypervisors work, just know this: they are all pretty flexible and most can do pretty much the same thing.

For a good performing Virtual Machine Host, all that you need to provide is a decently powerful machine and as much RAM as you want to buy.  You could in theory run all of the suggested ideas above from a single machine with a Quad core processor and about 8GB of RAM running the free Ubuntu Linux OS.  Of course, server class hardware would be best, but it’s not required.

To find out how Gridstorm can help you Virtualize your systems, call 614-655-1000

What’s wrong with your internet connection? – pfSense Router, Gateway, Intrusion Detection, and a whole lot more

This Small Business IT tip might just help your business to save some operating expenses and start you on the path to easy I.T. infrastructure management.

The Problem
Maybe your business started as 1 or 2 employees in an office with a desk, a phone, a computer, and an internet connection.  Then it grew to 4-5 employees connected together by a small network switch to share files and the internet connection.  Now you have 10, 15, 30 or more employees all sharing the same internet connection, fighting for bandwidth, trying to check email, browse websites, and transfer files to and from clients.

Then there’s the intern.  He was hired for some part-time work because the business couldn’t afford a full-time salary, but what he lacks in pay he surely makes up for by using the company internet connection for BitTorrent downloads, music streaming, games, and other things.

Sure you could fire the intern, but then you have to go looking for another source of cheap labor, and chances are that future interns may come with the same issues.

So instead, why not just fix the root of the problem: your router.

Many small businesses are still using the router that was provided by their Internet Service Provider (ISP). The ISP-issued routers are almost always very basic and provide the bare essentials to get their service to your network: usually DHCP, NAT routing, and basic firewalling. They typically do not do any advanced packet filtering, Quality of Service, Intrusion Detection, user authentication, or even wireless. So your control over your internet connection is limited to basically providing internet access, and that’s it.

In comes pfSense. pfSense is an operating system based on FreeBSD and is designed to quickly set up a complete router, gateway, intrusion detection system, and a whole lot more. The best part about pfSense is that it can be run from very old hardware. The current minimum requirements are a Pentium 100MHz processor and 128MB of RAM. Even though you “can” run pfSense on the minimum hardware, I would suggest at least a Pentium 4 or AMD Athlon XP processor and at least 1-2GB of RAM. Newer hardware is better because if it breaks, you have a chance of getting a replacement quicker (and everything eventually breaks in I.T.).

Example Setup
There is no way I can go through all of the features and possible configurations for pfSense (that’s why you hire a professional).  But here is an overview of a typical hardware setup and a look at some of the most useful add-on packages.

Hardware

  • Computer (an old but good one)
    • IBM Thinkcentre M52 8215
    • Pentium 4
    • 1GB DDR2-533 RAM
    • 40GB Hard Drive
    • 16x DVD-ROM Drive
    • Built-in network card for WAN (NIC1)
  • Network card for LAN (NIC2)
    • Intel PRO/1000 GT Desktop Adapter

You can install tons of “packages” that add functionality to pfSense, but even without adding any packages, you get a full-featured router, gateway, and firewall.

Let’s start with pfSense as a firewall.  To set it up, you need to download the install CD image from www.pfSense.org and burn it to a CD, then boot from that CD.
[Screenshot: pfSense install screen]

After the initial install you should get a screen similar to this, where you would configure things like IP address and the location to your internet gateway and DNS servers.  At this point, your pfSense computer becomes an appliance and all of the management and configuration takes place on another computer on your network.

[Screenshot: pfSense after install]

So from another computer on your network you will login to pfSense using the IP address that you assigned to your new pfSense appliance, setup a few basic parameters and finish with a fully operational firewall.

[Screenshot: pfSense webUI login]

The firewall by default is set up for semi-restrictive access but can easily be reconfigured to lock down any services you don’t want your users to get to, or you can open up ports to your internal web server, mail server or other company servers.  The install and setup is really quick, especially if you have done it before.  In about 30-45 minutes you can have a rugged and powerful solution that performs very well when compared against enterprise (expensive $$) equipment from vendors such as Cisco, Juniper, and SonicWall.  And this solution lets you add tons of features that vendors usually charge $1000s for.


Some Basic Addon Packages To Start With

Squid is an add-on that provides a proxy service that can be used to share your limited internet bandwidth more efficiently, block unwanted traffic, limit each user’s connection speed and authenticate users, among other things.  Squid can block many of the typical user-caused network slowdowns.

Snort is an Intrusion Detection System that can be set up to detect when malicious attempts are being made to access your network.  It can also help detect when a machine on your internal network has been infected with a virus or malware, or has become part of a botnet.

pfBlocker is a new package that combines a few older packages into one blocker.  It can block entire countries, specific threats, or address ranges.

mailreport can send you daily, weekly or monthly emails and graphs to let you know how your router or your internet connection is doing.


The best part about pfSense is how easily customizable it is, but the hardest part about pfSense is how customizable it is.

If you want to look into setting up a pfSense router at your business or just need help configuring a portion of it, give us a call, we’ve done it before.

614.655.1000

info@gridstorm.net

Quick Tip: DD-WRT + RADIUS + pfSense

Getting RADIUS authentication to work with pfSense and DD-WRT.


pfSense is pretty easy to set up, so go over to www.pfsense.org and download the LiveCD with installer, then either set up a physical machine or use your favorite virtual machine software to create a test environment.  I am using VirtualBox on Ubuntu Linux, but since VirtualBox can be easily installed on Windows, Mac or Linux, it’s perfect for quick testing anywhere.  In this tutorial, I will be adding a new wireless access point to an existing network that already has a gateway and broadband modem, so if something doesn’t work, it won’t affect network access for anyone else.

Here is a list of equipment

  • VirtualBox 4.1.0 (Under Ubuntu Linux 11.04 Host)
  • pfSense 1.2.3 VM (with freeradius package installed)
  • ASUS RT-N10+ (rev B1) with DD-WRT v24-sp2 build 16785

1. Install the pfSense virtual machine


2. Set up the virtual network adapters for pfSense (such as LAN: 192.168.1.10, WAN: 192.168.1.11)

3. Log in to the pfSense webUI (http://192.168.1.10) and install the freeradius package located under the menu System -> Packages

4. Go to Services -> FreeRADIUS

5. Create a new test user with a username and password that will be used by your mobile computer or device to login to the wireless network

6. Go to the Clients tab and create a new client that will link DD-WRT as a client to pfSense (for my setup, I used the IP address 192.168.1.2 since that is the address assigned to my testing access point).  Also enter a secure Shared Secret password; the same secret will be entered in DD-WRT.

[Screenshot: pfSense RADIUS client]

7. Go to the Settings tab and make sure that LAN is selected for Listening interface, and note the port number (default: 1812)

[Screenshot: pfSense settings tab]

8. Log in to your DD-WRT router webUI, go to Wireless -> Basic Settings and enter a wireless network name (SSID) such as myRadiusNet

9. Go to Wireless -> Radius and select the options shown in the screenshot, using the Shared Secret password you entered earlier into pfSense

[Screenshot: DD-WRT wireless RADIUS tab]

10. Go to Wireless -> Wireless Security and select the option shown in the screenshot, using the pfSense LAN IP address that you set up previously.

[Screenshot: DD-WRT wireless security tab]

11. Save and apply all of your settings, then try logging in to your new RADIUS wireless network.


Troubleshooting

If you get login failures or rejected login messages, look at the pfSense RADIUS log first to see if DD-WRT is at least trying to authenticate.

Log in to the pfSense shell with option 8) Shell

[Screenshot: pfSense login terminal screen]

then show the RADIUS log with the following command

tail /var/log/radius.log

You should see a line like the one at the bottom that contains something like “Auth: Login OK:”.  If you don’t see anything in this log, then you likely have a problem with DD-WRT.  If you are sure that you have the configuration correct, then the first thing you should do is reflash your DD-WRT router with a more recent (or a different) build number.  That seems to instantly fix the issues I ran into.

[Screenshot: pfSense RADIUS log details]
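As an added illustration (not part of the original post), here is a small Python triage of radius.log lines that applies the same order of checks: first whether the access point's requests reach pfSense at all, then whether they are accepted. The log lines are constructed in the FreeRADIUS 2.x style, and "ddwrt" is an assumed short name for the client created in step 6.

```python
import re

# Constructed sample of /var/log/radius.log lines in FreeRADIUS 2.x style;
# "ddwrt" is the short name assumed for the client entry created in step 6.
SAMPLE_LOG = """\
Tue Aug  9 10:15:22 2011 : Auth: Login OK: [testuser] (from client ddwrt port 0 cli 00-11-22-33-44-55)
Tue Aug  9 10:16:03 2011 : Auth: Login incorrect: [testuser/<via Auth-Type = EAP>] (from client ddwrt port 0 cli 00-11-22-33-44-55)
Tue Aug  9 10:16:40 2011 : Info: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.3 port 45678
"""

LINE = re.compile(r"^(?P<ts>.+?) : (?P<level>\w+): (?P<msg>.*)$")
AUTH = re.compile(r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]/]+)[^\]]*\] "
                  r"\(from client (?P<client>\S+)")
UNKNOWN = re.compile(r"from unknown client (?P<ip>[\d.]+)")

def parse_radius_log(text):
    """Turn log text into events of the form {'result', 'user', 'client'}."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        auth = AUTH.search(m["msg"])
        if auth:
            events.append({"result": auth["result"], "user": auth["user"],
                           "client": auth["client"]})
            continue
        unknown = UNKNOWN.search(m["msg"])
        if unknown:  # request from an address with no entry on the Clients tab
            events.append({"result": "unknown_client", "user": None,
                           "client": unknown["ip"]})
    return events

def diagnose(events, client_name):
    """Apply the post's troubleshooting order: is the access point reaching
    pfSense at all? Only then look at whether logins succeed."""
    mine = [e for e in events if e["client"] == client_name]
    if not mine:
        if any(e["result"] == "unknown_client" for e in events):
            return "requests arrive from an IP not defined on the Clients tab"
        return "nothing from the access point: check the DD-WRT RADIUS settings or build"
    if any(e["result"] == "OK" for e in mine):
        return "authentication working"
    return "access point reaches pfSense but every login is rejected"

if __name__ == "__main__":
    print(diagnose(parse_radius_log(SAMPLE_LOG), "ddwrt"))
```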

As for getting Windows clients to work with FreeRADIUS and pfSense, I will save that pain for another post.  That issue is related to self-signed certificates, so if you want this to work quickly then buy a valid certificate online.
