New Firewall Status!

So a couple weeks ago I wrote about the new firewall setup.

Quick update on the status of that.  I built it out.  Got it working.  yay!

But I want more cool stuff.  So I have a business class fiber line run to the house with 5 static IPs, and I decided to see if I could get pfSense to run as a failover router pair.  You know, because why not.  I tried to install pfSense on an old thin client I had.  No go.  WAY TOO OLD!!!

So I moved on.  I took my ESXi box and ran its second NIC to another small unused switch of mine, then configured ESXi with a second virtual switch that uses that NIC on the new physical switch.  I know, I could do that with VLANs.  Duh!  But I am waiting for a cable for my switch so I can configure said VLANs.

(screenshot: vSphere Client)

So with this new physical port I was able to build a pfSense box in my virtual environment.  I configured it with dual NICs, one in each virtual switch, as you can see here.  My routers are named voot1 and voot2, after the Voot Runner from the show Invader Zim.  My main network naming scheme is based on characters and vehicles from that show.

So now I have a physical router configured with one of my public IPs, x.x.x.253, and internally as x.x.x.2.  I then configured my CARP IPs: you create a virtual IP for both LAN and WAN.  External is x.x.x.250, internal is x.x.x.1.  Those two virtual addresses float to whichever node is CARP master; the per-box addresses (.253 and .2) stay put and are what the two nodes use to talk to each other.

(diagram: pfSense CARP failover layout)

Set the outbound NAT to use the .250 address and we are golden: outbound traffic keeps the same source address no matter which box is master, which is what makes the failover invisible to anything that allowlists my IP.  Set up all the CARP sync settings to push the configuration to the backup pfSense.  This works BEAUTIFULLY.  I was amazed at how easy it is.  I make a change pretty much anywhere on the main router and it is automatically synced to the backup.  (Sync is one-way, from the primary to the backup, so always make changes on the primary; anything edited directly on the backup is overwritten at the next sync.)

Once the backup is synced it's time to test.  Reboot the primary.  The network dropped and didn't come back up until the primary had fully booted…


Ok.  I got it.  When the backup takes over it starts answering for the VIPs from the CARP virtual MAC, and the ESXi vSwitch security policy blocked that.  You have to set the port group (or vSwitch) the firewall VM sits on to accept promiscuous mode, and for CARP you also want MAC Address Changes and Forged Transmits set to Accept, because the VM is sending frames from a MAC that is not its own vNIC's.  Do this on a port group dedicated to the firewall VMs rather than on the whole vSwitch: promiscuous mode lets every VM on that port group see all of its traffic.  $%^& I think my switch is a slut.

 

Ok.  So now that my switch is officially promiscuous, it works.  Reboot the primary router and the backup comes online and takes over the gateway x.x.x.1 and the external x.x.x.250.  This is awesome for various servers I have in different datacenters that have IP-based access restrictions configured: they keep seeing .250 whichever box is master.
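Before trusting the pair after the reboot test, it is worth checking the CARP state on both nodes rather than just noticing that the network came back. The script below is an added example, not code from the post or from pfSense: it parses FreeBSD-style `ifconfig` output (which pfSense prints, `inet <vip> ... vhid N` for a VIP and `carp: MASTER|BACKUP vhid N advbase A advskew S` for the state) from both boxes and flags the three things that go wrong in practice: no master (VIP dead), two masters (split brain), or the wrong node holding the VIP. The node names follow the post; the addresses are documentation-range placeholders standing in for the post's x.x.x.250/.253 and x.x.x.1/.2, the backup's own addresses are assumed, and the sample output is constructed.

```python
"""Sanity-check CARP state across a two-node pfSense pair from `ifconfig` output.

Added example, not from the original post. Assumes FreeBSD-style ifconfig
output as pfSense prints it. Addresses are placeholders (203.0.113.0/29 for
the post's WAN x.x.x.0, 192.168.1.0/24 for the LAN); voot2's own .252/.3 are
assumed, the post does not name them.
"""
import re

CARP_RE = re.compile(
    r"carp:\s+(?P<state>MASTER|BACKUP|INIT)\s+vhid\s+(?P<vhid>\d+)"
    r"\s+advbase\s+\d+\s+advskew\s+(?P<advskew>\d+)")
VIP_RE = re.compile(r"inet\s+(?P<ip>\d+(?:\.\d+){3})\s.*\bvhid\s+(?P<vhid>\d+)")


def parse_carp(ifconfig_text):
    """Map vhid -> {'vip', 'state', 'advskew'} for one node's ifconfig output."""
    vhids = {}
    for line in ifconfig_text.splitlines():
        m = VIP_RE.search(line)          # address line carrying a vhid == a CARP VIP
        if m:
            vhids.setdefault(int(m["vhid"]), {})["vip"] = m["ip"]
        m = CARP_RE.search(line)         # state line for that vhid
        if m:
            entry = vhids.setdefault(int(m["vhid"]), {})
            entry["state"] = m["state"]
            entry["advskew"] = int(m["advskew"])
    return vhids


def check_pair(nodes, expected_vips):
    """nodes: {name: ifconfig_text}; expected_vips: {vhid: ip}.
    Returns a list of problems; an empty list means the pair looks healthy."""
    parsed = {name: parse_carp(text) for name, text in nodes.items()}
    problems = []
    for vhid, vip in expected_vips.items():
        states = {n: p.get(vhid, {}).get("state") for n, p in parsed.items()}
        masters = [n for n, s in states.items() if s == "MASTER"]
        # Exactly one node must own the VIP: none means the VIP is dead,
        # two means split brain (the nodes are not seeing each other's advertisements).
        if len(masters) != 1:
            problems.append(f"vhid {vhid}: expected exactly one MASTER, got {masters or 'none'}")
        # Both nodes must have the VIP configured, or sync has not happened.
        for n, p in parsed.items():
            if p.get(vhid, {}).get("vip") != vip:
                problems.append(f"vhid {vhid}: {n} does not carry VIP {vip}")
        # With preemption (pfSense default) the lowest-advskew node should be master.
        skews = {n: p[vhid]["advskew"] for n, p in parsed.items() if "advskew" in p.get(vhid, {})}
        if len(masters) == 1 and skews:
            preferred = min(skews, key=skews.get)
            if preferred != masters[0]:
                problems.append(f"vhid {vhid}: {masters[0]} is MASTER but {preferred} has the "
                                f"lowest advskew (not preempting, or skews inverted)")
    return problems


# Constructed sample output: voot1 is the primary (advskew 0), voot2 the backup (advskew 100).
VOOT1 = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.253 netmask 0xfffffff8 broadcast 203.0.113.255
    inet 203.0.113.250 netmask 0xfffffff8 broadcast 203.0.113.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
    carp: MASTER vhid 2 advbase 1 advskew 0
"""
VOOT2 = """\
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.252 netmask 0xfffffff8 broadcast 203.0.113.255
    inet 203.0.113.250 netmask 0xfffffff8 broadcast 203.0.113.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100
vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
    carp: BACKUP vhid 2 advbase 1 advskew 100
"""
EXPECTED_VIPS = {1: "203.0.113.250", 2: "192.168.1.1"}

if __name__ == "__main__":
    print("healthy pair:", check_pair({"voot1": VOOT1, "voot2": VOOT2}, EXPECTED_VIPS))
    # primary rebooting, backup still BACKUP: the VIPs are dead
    print("primary down:", check_pair({"voot1": "", "voot2": VOOT2}, EXPECTED_VIPS))
```

Treat a clean result as necessary, not sufficient: in the failure described above the backup could well have reported MASTER while the vSwitch silently dropped its frames, so pair this with a ping to both VIPs from a client on each side of the firewall.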

So this all went great, but the original reason for the upgrade was that my old hardware choked itself out doing the encryption/decryption for my IPsec tunnel to AJ.  So we needed to get the tunnel back up.  We got some time over this weekend to get it working.  We now copy back and forth at 30 Mbps.  30!!!!!  Fully maxing my fiber line over a secured tunnel, and my CPU was only at 25%.  WIN!!!

 

BUT!!!!!! We have this awesome failover working…. will the tunnel come up on the backup too?  *checks the backup router*  Well, the IPsec tunnel config was synced.  So what happens if I reboot the primary now….

NO EFFING WAY!!!!!  My tunnel re-establishes to AJ on the backup router too!!!  HAHAHAHA this is awesome.  For that to work the tunnel's phase 1 has to be bound to the CARP WAN VIP, .250, rather than the box's own WAN address; that way AJ's side sees the same peer address whichever node is master, and the backup can bring the tunnel up with the synced pre-shared key without any change on his end.

So AJ had asked me on Friday about a Raspberry Pi project called Pi-hole.  From the website..

“The Pi-hole is an advertising-aware DNS server that prevents ads from being downloaded. Once installed, configure your router to have DHCP clients use the Pi as their DNS server and then any device that connects to your network will have ads blocked without any further configuration. Alternatively, you can manually set each device to use the Raspberry Pi as its DNS server.”

But it seems like something that screams virtual machine.  I didn't want to tie up a Raspberry Pi just for DNS.  Turns out Pi-hole doesn't require Pi hardware, so it is possible to put it in a VM.  So I configured a tiny Ubuntu server and installed Pi-hole.

curl -L install.pi-hole.net | bash

Very simple.  And it works.  One caveat on that one-liner: it executes whatever comes back, and since curl defaults to http:// when no scheme is given, the first request and its redirect are unauthenticated.  If you care, fetch the script from an explicit https:// URL into a file, read it, and then run it.  So I build out the VM, export it as an OVF and ship it off to AJ over the new tunnel.  He brings it up in his virtual environment and gets it working on his end.  Now to update our respective DHCP servers to tell our networks to use the new ad-blocking DNS.  But… what if it's down?

There is a tunnel…. use each other's as a backup!!!  Beautiful.

Now my Pi-hole is the primary on my network, AJ's is secondary, and if both are down for some reason the network defaults to Google.  One caveat with stacking resolvers this way: clients do not treat the DHCP list as strict failover.  Many will move to the second or third server after a single timeout and keep using it, so a client can quietly end up on Google (and see ads) while both Pi-holes are fine, and every query that lands on AJ's Pi-hole depends on the IPsec tunnel being up.

(screenshot: pfSense Services: DHCP server)

How well does pi-hole work?  Why do I keep saying pi-hole?  It sounds dirty.

pi-hole pi-hole pi-hole pi-hole pi-hole pi-hole pi-hole pi-hole

Yep.  Still sounds dirty.  But I got distracted.

(screenshot: Pi-hole Admin Console)

That is insane…. 1726 ads blocked today.  We were gone for 4 hours and it's still that high.  Crazy.  But you should see some sites without their ads.  Interesting.
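The "ads blocked today" number on that console comes straight out of the dnsmasq query log Pi-hole writes. The script below is an added example, not code from the post or from the Pi-hole project: it reproduces the console's totals from the log (queries, blocked, block rate, per-client counts, top blocked names) and adds one check the console does not make obvious, whether the only "client" the Pi-hole ever hears from is the router itself, which is exactly the symptom in the comments on this post (pfSense forwarding upstream instead of DHCP handing clients the Pi-hole's address). It assumes the dnsmasq log format of the time (`query[A] name from client`, `/etc/pihole/gravity.list name is <sinkhole>`); the log lines and addresses are constructed for the example.

```python
"""Summarise a Pi-hole (dnsmasq) query log the way the admin console does.

Added example, not from the post or the Pi-hole project. Assumes the dnsmasq
log format Pi-hole wrote to /var/log/pihole.log at the time; the blocked
answer (the sinkhole address) is the Pi-hole's own IP in this era's setup.
All log lines below are constructed.
"""
import re
from collections import Counter

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
BLOCK_RE = re.compile(r"dnsmasq\[\d+\]: /etc/pihole/gravity\.list (?P<name>\S+) is (?P<sink>\S+)")


def summarize(log_text):
    """Return totals, block rate, per-client query counts and top blocked names."""
    total = 0
    blocked = Counter()
    clients = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:                          # one query line per client request
            total += 1
            clients[m["client"]] += 1
            continue
        m = BLOCK_RE.search(line)      # gravity.list answer == blocked by the blocklist
        if m:
            blocked[m["name"]] += 1
    n_blocked = sum(blocked.values())
    return {
        "queries": total,
        "blocked": n_blocked,
        "block_pct": round(100.0 * n_blocked / total, 1) if total else 0.0,
        "clients": dict(clients),
        "top_blocked": blocked.most_common(3),
    }


def only_router_is_querying(summary, router_ip):
    """True when every query came from the router: clients are still resolving via
    the router, which then forwards upstream, so DHCP is not handing out the
    Pi-hole's address and nothing is actually being blocked for them."""
    return set(summary["clients"]) <= {router_ip}


# Constructed log: two LAN clients, a Pi-hole at 192.168.1.8 sinkholing to itself.
SAMPLE_LOG = """\
Nov 12 10:00:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
Nov 12 10:00:01 dnsmasq[1234]: forwarded www.example.com to 203.0.113.10
Nov 12 10:00:01 dnsmasq[1234]: reply www.example.com is 93.184.216.34
Nov 12 10:00:02 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.20
Nov 12 10:00:02 dnsmasq[1234]: /etc/pihole/gravity.list ads.example.net is 192.168.1.8
Nov 12 10:00:03 dnsmasq[1234]: query[A] tracker.example.org from 192.168.1.31
Nov 12 10:00:03 dnsmasq[1234]: /etc/pihole/gravity.list tracker.example.org is 192.168.1.8
Nov 12 10:00:04 dnsmasq[1234]: query[AAAA] ads.example.net from 192.168.1.31
Nov 12 10:00:04 dnsmasq[1234]: /etc/pihole/gravity.list ads.example.net is 192.168.1.8
Nov 12 10:00:05 dnsmasq[1234]: query[A] mail.example.com from 192.168.1.31
Nov 12 10:00:05 dnsmasq[1234]: cached mail.example.com is 198.51.100.7
"""

# Constructed log for the misconfigured case: the only client is the router (10.0.1.1).
ROUTER_ONLY_LOG = """\
Nov 12 10:10:00 dnsmasq[1234]: query[A] www.example.com from 10.0.1.1
Nov 12 10:10:00 dnsmasq[1234]: forwarded www.example.com to 203.0.113.10
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['blocked']} of {s['queries']} queries blocked ({s['block_pct']}%)")
    print("top blocked:", s["top_blocked"])
    print("router-only (misconfigured):", only_router_is_querying(summarize(ROUTER_ONLY_LOG), "10.0.1.1"))
```

Run it against a real /var/log/pihole.log by reading the file into `summarize`; if `only_router_is_querying` comes back true for your router's address, fix the DHCP DNS option rather than the Pi-hole.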

This week/weekend has been pretty cool for getting some network stuff done.

 

2 thoughts on “New Firewall Status!”

  1. Hello,

    I just found your article, created a Debian 8.6 VM (minimal install, 10.0.1.8) and installed pi-hole. I currently have another VM with pfSense installed and all my devices pointing to that for DNS (10.0.1.1). In pfSense I went into SYSTEM/GENERAL SETUP and put the pi-hole VM (10.0.1.8) as DNS Server 1. Only issue is that I’m not getting anything blocked or requests in pi-hole. Whenever I restart the pfSense or pi-hole VM I get two requests and then nothing.

    1. So if your device uses pfSense as its DNS, your router then uses your ISP. What you would want to do is modify your DHCP settings and have it give out the pi-hole IP as one of the DNS addresses in the DHCP. This will force your devices to use the pi-hole DNS instead of router->ISP.
