# Replacing pfSense with regular FreeBSD



## balanga (Apr 21, 2021)

After a pfSense failure (I suspect hardware) I'm thinking of setting up FreeBSD as a DHCP server and Internet gateway router. Does anyone know of any howtos for getting this configured? I've been blissfully unaware about how things really work because things are generally hidden out of the way behind pfSense's GUI, so I guess it's time to figure out how things actually work since I can't get pfSense working properly on my cobbled together 'emergency' system.

Any tips would be gratefully appreciated.


----------



## mickey (Apr 21, 2021)

Here are some links to get you on the right track:

FreeBSD Handbook - Chapter 32. Advanced Networking
FreeBSD Router/Gateway/Firewall HOW-TO
Configuring FreeBSD as an Internet Gateway

Basically you would start with enabling gatewaying in rc.conf(5):

```
gateway_enable="YES"
ipv6_gateway_enable="YES"
```
and configuring your network interfaces. Depending on the type of your WAN connection this might require setting up net/mpd5 and/or dhcp6c(8) to do PPPoE/DHCPv6 on your WAN link.

For the remaining parts there are a number of choices you might want to investigate before making a decision.

DHCP server:

net/isc-dhcp44-server
net/kea
dns/dnsmasq

DNS services:

local-unbound(8)
dns/bind916
dns/dnsmasq

Available firewalls are described in the Handbook Chapter 31. Firewalls.


----------



## Harry Stone (Apr 23, 2021)

I can't offer any better help than mickey but I do want to say it's not difficult, try it.  I'm posting this on day 1 with my new FreeBSD router and firewall.  Working great and internet speed increased too.


----------



## Deleted member 67440 (Apr 23, 2021)

What about opnsense?
I use it often (usually virtualized) and I really like it.


----------



## SirDice (Apr 23, 2021)

While those "canned" solutions are great, actually setting it all up "by hand" is an invaluable learning experience.


----------



## balanga (Apr 23, 2021)

SirDice said:


> While those "canned" solutions are great, actually setting it all up "by hand" is an invaluable learning experience.


Yes, I agree, and ONE DAY I will manage to get it working successfully...

Need to understand networking and routing a lot better.


----------



## SirDice (Apr 23, 2021)

Don't try to do everything at once. Take it step by step. If you try to do everything it'll be quite overwhelming. Start with some basic TCP/IP networking, routing, subnets and masks. That's the basis to work from. Then add DHCP and DNS. Learn how they work, how does DHCP get you an automatic IP address. Then step up to DNS, how does name resolving work. What is the relation and interaction between IP addresses and hostnames. 

Get to know tools like tcpdump(1) and net/wireshark. It helps so much if you can look at the actual packets and understand the basics. The "three-way handshake"; SYN, SYN/ACK, ACK. Learn the basics of some of those flags (you don't need to know all of them, just the important ones). SYN, ACK, RST, FIN.


----------



## balanga (Apr 27, 2021)

mickey said:


> Here are some links to get you on the right track:
> ...


Something has badly screwed up pfSense today and I can't access anything on my network. I'll have to install isc-dhcp somewhere just to be able to access my files on my two NAS boxes. I think I'll need to change my LAN name to FUBAR.


----------



## mickey (Apr 28, 2021)

balanga said:


> Something has badly screwed up pfSense today and I can't access anything on my network. I'll have to install isc-dhcp somewhere just to be able to access my files on my two NAS boxes. I think I'll need to change my LAN name to FUBAR.


Sounds to me like the perfect opportunity to dive in and go through with your plan to replace it with a FreeBSD router


----------



## balanga (Apr 28, 2021)

Well, thanks to an excellent write up by vermaden I was able to get started with dhcp...

Highly Available DHCP Server on FreeBSD (vermaden.wordpress.com)

It got a bit complicated for a simple home network so I used this:

simple-dhcpd.conf (gist.github.com)

Well, it's a start...


----------



## SirDice (Apr 28, 2021)

Your simple configuration looks good, you really don't need much for it to work. Just make sure it's the _only_ DHCP server on your network. Things can get a little weird if you have two DHCP servers, each with a different configuration.


----------



## balanga (Apr 28, 2021)

I'd like to try out a few things on my FreeBSD dhcp server without interfering with pfSense, which seems to be performing normally again. I presume there is some way of doing that without them interfering with each other.


----------



## escape (May 6, 2021)

Does anyone have experience setting up NAT on the WAN interface when the WAN IP is set using DHCP? (Is this the wrong question under this subject?) I've had the same problems, and actually `dhclient` does not have interface "up" and "down" scripts like many Linux distributions have. I've used NAT from `pf` as pfSense does. If the interface is not up when the rules are read, there are no firewall rules either. Separating them into their own file is simple, but how do you run the NAT `pf` rules after the interface has been brought up by `dhclient`?

Actually ipfw and ipf have rc.conf settings to use the NAT. How to set up if.up and if.down? dhclient-script is going to be replaced in the `pkg upgrade`.


----------



## escape (May 6, 2021)

Maybe I will need to write it more clearly: the following will stop the firewall rules, and there will be no rules set if the WAN link is not up:

```
nat on if0 inet from ! if0 to any -> if0
nat on if0 inet6 from ! if0 to any -> if0
```


----------



## escape (May 6, 2021)

Found. It was the `/etc/dhclient-exit-hooks` as in dhclient-script(8). Difficult place to look. I will continue the multi-month tests.


----------
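A hook file of the kind escape found, added here as an example and not escape's own file: FreeBSD's dhclient-script(8) sources `/etc/dhclient-exit-hooks` after it has configured the interface, with `$reason`, `$interface`, `$old_ip_address` and `$new_ip_address` already set, and because it is a separate file it is not overwritten when dhclient-script itself is updated. Assumed: the WAN interface is called `if0` as in the post, the ruleset lives in `/etc/pf.conf`, and the function and variable names are mine.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks (example): reload the pf ruleset once dhclient has
# put an address on the WAN interface, so the NAT rules that reference if0
# load against a real address instead of failing at boot.
WAN_IF="${WAN_IF:-if0}"            # assumed WAN interface name, as in the post
PF_CONF="${PF_CONF:-/etc/pf.conf}" # assumed ruleset location

# Decide whether this hook run should reload pf.  Only the WAN interface
# matters, and only when a lease has been bound or the address has changed.
# Returns 0 (reload) or 1 (nothing to do).
pf_reload_needed() {
    _reason=$1 _iface=$2 _old=$3 _new=$4
    [ "$_iface" = "$WAN_IF" ] || return 1
    case $_reason in
        BOUND|REBOOT)
            # A fresh lease: reload as long as we actually got an address.
            [ -n "$_new" ] ;;
        RENEW|REBIND)
            # Same address renewed: the loaded rules are still correct.
            [ -n "$_new" ] && [ "$_new" != "$_old" ] ;;
        *)
            # EXPIRE, FAIL, TIMEOUT, PREINIT etc.: leave the ruleset alone.
            return 1 ;;
    esac
}

# Reload the ruleset.  PFCTL can be overridden so the decision logic can be
# exercised on a host without pf (e.g. PFCTL=true).
reload_pf_rules() {
    "${PFCTL:-/sbin/pfctl}" -f "$PF_CONF"
}

# Hook body: dhclient-script sets $reason, so this only runs when sourced by it.
if [ -n "${reason:-}" ]; then
    if pf_reload_needed "$reason" "$interface" "${old_ip_address:-}" "${new_ip_address:-}"; then
        logger -t dhclient-exit-hooks "$interface bound $new_ip_address, reloading pf"
        reload_pf_rules
    fi
fi
```

Independently of the hook, pf.conf(5) lets you write the interface in parentheses, `nat on if0 inet from ! (if0) to any -> (if0)`, which makes pf re-read the interface address whenever it changes, so the ruleset also loads before the lease arrives.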



## aragats (May 6, 2021)

SirDice said:


> Just make sure it's the _only_ DHCP server on your network


I have had such a bad experience: cellular modems usually have a DHCP server enabled. I had one on the network with pfSense, but it took a while before I realized that it "intercepts" DHCP requests.


----------



## SirDice (May 6, 2021)

aragats said:


> I have such bad experience


I remember a story from a long time ago. I was working as a network admin for a large insurance company. Suddenly we got a whole bunch of calls from people who couldn't work anymore. After some investigation it turned out to be someone who had hooked up his personal laptop to our network (not allowed) and was running some Windows application (forgot the name of it) to share an Internet connection. That tool was also running a DHCP service and was dishing out IP addresses to our workstations in a completely different subnet. All those people who couldn't work any more got a 192.168.0.x address while our entire network was based on 10.x.x.x addresses. He had a LAN party that weekend, came to work on Monday and forgot that the software was still running.


----------



## balanga (May 6, 2021)

So how do you go about setting up a test dhcp server? Keep it on its own separate physical circuit?


----------



## SirDice (May 6, 2021)

balanga said:


> Keep it on its own separate physical circuit?


That's the easiest to do.


----------



## astyle (May 7, 2021)

SirDice said:


> I remember a story from a long time ago. I was working as a network admin for a large insurance company. Suddenly we got a whole bunch of calls from people who couldn't work anymore. After some investigation it turned out to be someone who had hooked up his personal laptop to our network (not allowed) and was running some Windows application (forgot the name of it) to share an Internet connection. That tool was also running a DHCP service and was dishing out IP addresses to our workstations in a completely different subnet. All those people who couldn't work any more got a 192.168.0.x address while our entire network was based on 10.x.x.x addresses. He had a LAN party that weekend, came to work on Monday and forgot that the software was still running.


ROFLMAO. A common-sense policy would be to do NT Active Directory domain registration, and any machine that's not registered with your workplace's NT domain would be simply not allowed to access anything. Any machine within the NT domain should not use intranet services that originate from a place that is not registered on the NT domain. NT domains have been around since like 1995.


----------



## astyle (May 7, 2021)

balanga said:


> So how do you go about setting up a test dhcp server? Keep it on its own separate physical circuit?


Yeah, separate physical is best. Next best option is to figure out available subnets - but that takes doing your homework so that you don't accidentally step on somebody else's toes like in SirDice's story.


----------



## Jose (May 8, 2021)

astyle said:


> Yeah, separate physical is best. Next best option is to figure out available subnets - but that takes doing your homework so that you don't accidentally step on somebody else's toes like in SirDice's story.


Separate subnet will not work -- don't do this. Separate VLAN will.


----------



## balanga (May 8, 2021)

Jose said:


> Separate subnet will not work -- don't do this. Separate VLAN will.


I couldn't figure out how separate subnets would work, since when a system boots up it isn't part of any subnet; it is just looking for an IP address from whichever subnet a dhcp server is on... or have I got that wrong? If VLANs are a possible solution I may try that. Been meaning to set up a VLAN but never really figured out how they work. I did buy a smart switch some time ago with the idea of using a VLAN.


----------



## Jose (May 8, 2021)

balanga said:


> I couldn't figure out how separate subnets would work, since when a system boots up it isn't part of any subnet; it is just looking for an IP address from whichever subnet a dhcp server is on... or have I got that wrong? If VLANs are a possible solution I may try that. Been meaning to set up a VLAN but never really figured out how they work. I did buy a smart switch some time ago with the idea of using a VLAN.


Exactly. You need an IP address to be a part of a subnet and the purpose of a DHCP server is to give you an IP address (and netmask, which determines the subnet.)

I don't know exactly how VLANs work, but I've heard some rumours about tagging packets. I'm guessing this tagging happens at the data link layer and determines which VLAN you're in.


----------



## balanga (May 8, 2021)

I think I'll spend some time studying this.


----------



## Jose (May 8, 2021)

balanga said:


> I think I'll spend some time studying this.


That's a really nice explanation. I prefer to rely on small, inexpensive "dumb" switches. My thinking is the less that's done in switch firmware, the less likely it is that there's a firmware bug. This approach obviously doesn't scale to large networks, but is relatively easy to implement in my small home network.


----------

