Tag Archive : FreeBSD


pfSense 2.0 is out!

September 13, 2011 | Uncategorized | No Comments

UPDATE: It took a little longer than expected, but pfSense 2.0-RELEASE is finally available for download.

As of about 12 hours ago, pfSense 2.0-RELEASE is building, which means it is finally coming out!  Once it has finished building, it should be available for download.  If you were running 1.2.3-RELEASE or 2.0-RC3, it will be time to upgrade!  I'll be writing an article on how to upgrade from 1.2.3 to 2.0 using the environment I configured for my "Budget Laboratory: Part 1 – Multi-WAN Load Balancing with pfSense on VMWare Workstation" article. I may also write a new version of that article building the whole thing from scratch with pfSense 2.0.

Storage Area Networks (SANs) are used in most enterprise-class networks, and you’ll also find them at a lot of small and medium businesses. A lot of systems rely on SANs to provide high availability features. A SAN is great to have for setting up shared storage for any type of cluster. Fiber used to be dominant for SAN connectivity. You’d need Fiber Host Bus Adapters (HBAs) in every server you wanted attached to your SAN, and a Fiber switch to connect everything. Then came iSCSI, which works with much cheaper Network Interface Cards (NICs), and can use regular network switches, as well as much cheaper copper cables. At first iSCSI wasn’t as fast as Fiber, topping out at gigabit speeds, so if speed was important, you’d stick with Fiber. Now with 10 Gigabit Ethernet being readily available, you can get iSCSI SANs that are both cost effective and high performance.

A full blown hardware SAN is still very expensive, so you’re probably not going to buy one for a Lab. Luckily there are a few ways you can create Virtual SANs for FREE! For Part 2 of my Budget Laboratory series, I’m going to show you how to create an iSCSI Virtual SAN with FreeNAS 8. FreeNAS is another great open source product based on FreeBSD.

This portion of the lab build can be done at absolutely no cost, assuming you already have the required hardware.

*If you followed Part 1 of this series, you should already have VMWare Workstation, which has a free trial, and you will need to use it. VMWare Player is completely free, and you should be able to set up your Virtual SAN using it if you so choose; however, I’m using VMWare Workstation for the creation of this article.

**I’m using the 64-bit version for this article.

Step 1: Create a Virtual Machine for your Virtual SAN
If you haven’t already, open VMWare Workstation.

 

 

 


From the “Home” screen, click the “New Virtual Machine” button, or hit “CTRL+N”.

 

 

 

 

Select “Custom (advanced)” and click “Next”.

 

 

 

 

Accept the defaults and click “Next”.

 

 

 

 

Select “Installer disc image file (iso):”, browse to the location where you saved your FreeNAS .iso, then click “Next”.

 

 

 

 

Select “Other”, then select “FreeBSD 64-Bit” from the drop down list, then click “Next”

 

 

 

 

Give your VM a name, then click “Next”.

 

 

 

 

Accept the defaults for the CPU and click “Next”.

 

 

 

 

Accept the defaults for RAM and click “Next”.
UPDATE: The recommended minimum RAM for FreeNAS 8 is 512MB, so you should probably change your RAM to 512MB here. However, I have been running it with 256MB without issues. You can always increase the RAM on your VM later.

 

 

 

 

We’ll be changing the Network settings later, so this page doesn’t matter, click “Next”.

 

 

 

 

Accept the defaults for I/O Controller types, and click “Next”.

 

 

 

 

Select “Create a new virtual disk”, then click “Next”.

 

 

 

 

Select “SCSI”, then click “Next”.

 

 

 

 

Accept the defaults of 8 GB and “Store virtual disk as a single file”, then click Next.

 

 

 

 

Accept the default and click “Next”.

 

 

 

 

Make sure “Power on this virtual machine after creation” is NOT checked, and click “Finish”.

 

 

 

 

BEFORE powering on the Virtual Machine, we need to edit the hardware settings. Click the “Edit virtual machine settings” link on your FreeNAS Virtual SAN Virtual Machine, or hit “CTRL+D”.

 

 

 

 

If you followed Part 1 of this series, you’ll need to select “Network Adapter”, then select “Custom: Specific virtual network”, and choose the VMNet that is bridged to the LAN side of your network. For me this is VMNet3. Otherwise you can just choose “Bridged: Connected directly to the physical network”.
After that we need to add another “Hard Disk”, click the “Add…” button.

 

 

 

 

Select “Hard Disk” and click “Next”.

 

 

 

 

Select “Create a new virtual disk” and click “Next”.

 

 

 

 

Select “SCSI” and click “Next”.

 

 

 

 

Set the “Maximum disk size (GB):” to 300, select “Store virtual disk as a single file”, and click “Next”.
Note: Originally I used ten 30GB drives to sort of mimic a physical disk array. Since the virtual drives are all stored on the same physical drive, there’s no real benefit to doing it that way. So in the interest of keeping things simple, a single 300GB drive works fine. If you were going to setup a Virtual SAN for any sort of production use, you’d want to give the VM direct access to several physical drives.

 

 

 

 

Accept the default and click “Next”.

Click “OK” on the Virtual Machine Settings page.

Your Virtual Machine is now ready to power on.

Step 2: Install FreeNAS.
Power on the Virtual Machine.

 

 

 

 

Hit 1 to start the install.

 

 

 

 

Select the 8 GB drive as the destination, then hit “Enter”.

 

 

 

 

Hit “Y” to continue.

 

 

 

 

The installation completes, hit “Enter” to continue.

 

 

 

 

Hit 3 to Reboot.

 

 

 

 

When FreeNAS boots, hit 1 to configure the network, then 1 to select the interface. Answer “n”, then “y”, give the interface a name, and enter a static IP. Hit “n” for “Configure IPv6”.

Step 3: Configure FreeNAS through the web interface.
Open a web browser and browse to the IP you assigned to your FreeNAS Virtual Machine in Step 2.

 

 

 

You’ll see a flashing “Alert” in the upper right corner letting you know that you need to set a password, so let’s take care of that first. Expand “My Account”.

 

 

 

 

Click the “Change Password” link, set and confirm a password, then click “Change Admin Password”.

Next we need to create a volume. Click the “Storage” icon at the top of the page.

 

 

 


Give the volume a name; I named mine “SAN1”. Check the disk, select “ZFS” as the “Filesystem type”, then click “Add Volume”.
Note: If you used multiple drives, you’d have a few more options here. Depending on the number of drives selected, different RAID types would become available. With ZFS you’d see RAID-Z and RAID-Z2. For more information on RAID-Z, check out Jeff Bonwick’s blog post over at Oracle. Jeff Bonwick is the inventor of RAID-Z. For more information on RAID-Z2, check out Adam Leventhal’s blog post over at Oracle.

Next we need to create a ZFS Volume, click on the “Create ZFS Volume” button from the Storage page.

 

 

 

I named this volume “ESXi” since we will be using it for an iSCSI LUN to be attached to ESXi in a later lesson. We’ll make the size 150GB by putting “150G” as the size. The rest of the space will be used in later lessons. Click “Add ZFS Volume” when you are done.
Note: ZFS is a file system with a lot of cool features that started in Solaris. Solaris, like the FreeBSD that FreeNAS is based on, is a flavor of Unix. For more information on ZFS, check out the ZFS page at opensolaris.org.

Next we need to turn the iSCSI service on.

 

 

 

Click the “Services” button at the top of the page, then click the switch next to “iSCSI” to turn the service on.

Now let’s configure iSCSI. We’ll start by setting up Authentication, so we can have a little security for our Virtual SAN.

 

 

 


Expand “ISCSI”, click “Target Global Configuration”, then click “Authentication”, then click “Add iSCSI User”.

 

 

 

 

I used “vsan” as my User; you can call it whatever you want, just remember what it is. Set and confirm a “Secret” (you can leave the bottom 3 fields blank), and click “OK”.

Next we need to create a Portal.

 

 

 

Select “Portals”, then click “Add Portal”

 

 

 

 

Here we can just accept the default and click OK. This means it will listen on port 3260 on all IPs for this portal.

Next we need to create a device extent.

 

 

 

Click “Device Extents” then “Add Extent”

 

 

 

 


Give the Extent a name, I named mine “ESXi”, because we’ll be assigning this LUN to ESXi in a later lesson. Select “SAN1/ESXI (150G)” (or whatever you named your ZFS volume earlier) from the drop down for “Disk device” then click “OK”.

Now we’ll setup the Target Global Configuration.

 

 

 

Click “Target Global Configuration”, change the base name if desired (I just changed example.org to fixtheexchange.com for mine), select “CHAP” from the drop down for the “Discovery Auth Method”, and “1” as the “Discovery Auth Group”. Everything else can be kept as-is. Click “Save”.

The last thing we need to do is add a target.

 

 

 

Click “Targets” then “Add Target”.

 

 

 

 

Give your target a name, and an alias. Again, I used ESXi here because that is what this LUN will be used for later on.
Select “Disk” from the drop down for “Type”.
Select “1” from the drop down for “Portal Group ID”.
Select “1” from the drop down for “Initiator Group ID”.
Select “1” from the drop down for “Authentication Group number”.
Click “OK”.

The last thing we need to do is add the Extent to the Target.

 

 

 

Click “Associated Targets.”
Click “Add Extent to Target”.
Select the Target you created earlier in the “Target” drop down.
Select the Extent you created earlier in the “Extent” drop down.
Click “OK”.
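
What the CHAP user and secret configured above do during an iSCSI login, as an added example that is not from the original article or from FreeNAS. It models one-way CHAP with the MD5 algorithm and the RFC 3720 text keys (`CHAP_A`, `CHAP_I`, `CHAP_C`, `CHAP_N`, `CHAP_R`); the `Target` class, the helper names and the secret value are hypothetical, and the 12-byte minimum is the 96-bit floor RFC 3720 sets for CHAP secrets when IPsec is not in use.

```python
import hashlib
import hmac
import os

MIN_SECRET_BYTES = 12  # RFC 3720: 96-bit floor for CHAP secrets without IPsec


def check_secret(secret: bytes) -> None:
    """Refuse CHAP secrets shorter than 96 bits."""
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError(f"secret is {len(secret)} bytes, need {MIN_SECRET_BYTES}+")


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R for CHAP_A=5 (MD5): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Target:
    """Hypothetical model of the target side of a one-way CHAP login."""

    def __init__(self, users):
        for secret in users.values():
            check_secret(secret)
        self.users = users      # CHAP_N -> secret
        self.pending = None     # (identifier, challenge) awaiting an answer

    def challenge(self):
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self.pending = (ident, chal)
        return {"CHAP_A": "5", "CHAP_I": str(ident), "CHAP_C": "0x" + chal.hex()}

    def verify(self, reply):
        if self.pending is None:
            return False                     # no open challenge: replayed answer
        ident, chal = self.pending
        self.pending = None                  # each challenge is answered once
        secret = self.users.get(reply.get("CHAP_N"))
        if secret is None:
            return False
        try:
            got = bytes.fromhex(reply.get("CHAP_R", "")[2:])
        except ValueError:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), got)


def initiator_reply(name, secret, offer):
    """Initiator side: answer the target's challenge without sending the secret."""
    chal = bytes.fromhex(offer["CHAP_C"][2:])
    digest = chap_response(int(offer["CHAP_I"]), secret, chal)
    return {"CHAP_N": name, "CHAP_R": "0x" + digest.hex()}


if __name__ == "__main__":
    secret = b"constructed-secret-01"        # constructed sample value
    target = Target({"vsan": secret})
    offer = target.challenge()
    print(offer)
    print(target.verify(initiator_reply("vsan", secret, offer)))
```

The challenge and the response both cross the network in the clear, so the length and randomness of the secret are the only things protecting it; keep iSCSI traffic on a dedicated storage network where you can.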

That’s it! Your Virtual SAN has been configured. We now have an iSCSI LUN that we will use with ESXi in a later lesson. In Part 3 of the “Budget Laboratory” series, we’ll be installing VMware ESXi 4.1 inside of VMware Workstation 7.

Wait a minute, I thought this was an “Exchange blog”, why is your first article about networking with pfSense?!

Well, in order to create high quality Exchange related content for this site, I’ve been building a lab. There has been some interest in how I’ve setup my lab, so I thought I’d show you. What better way to help people learn Exchange than by showing them how to create a powerful lab environment to run it in? Besides, having a good understanding of boundary systems is very useful when troubleshooting mail flow issues.

Part 1 of my “Budget Laboratory” series is actually optional, and the only part of the lab that will cost anything (assuming you already own the hardware). It will only cost anything if you plan on using your Lab for more than 30 days.

We’ll be building most of this lab using only a single computer. I recommend a quad core CPU with at least 8 GB of RAM, however you may be able to do it with less.

The information in this guide will be useful for much more than a home lab; you could also use this in a production environment for a small business, or even a large enterprise, if scaled and configured properly.

    You will need:

  • A computer with 3 RJ45 (network) ports and a 64bit Operating System (OS).*
  • At least two high speed internet connections.**
  • VMWare Workstation 7. (30 day FREE trial, $100 after that.)
  • pfSense 1.2.3 virtual appliance. (FREE!)***
  • A Wireless Access Point, switch, or combined device.****

*If you don’t have 3 RJ45 ports available, I highly recommend adding Intel Pro 1000 NICs. You can use your on-board NIC for one of the connections. For my setup, I purchased 2 Intel Pro 1000 NICs for $30 each, and used the on-board RealTEK NIC off my motherboard for the 3rd. Why a 64bit OS? Because later on in this series I will show you how to run VMWare ESXi 4.1 inside of VMWare Workstation, and connect it to a virtual SAN. The host OS has to be 64bit for this to work. I’ll be using 64-bit Windows 7 for my examples. You can achieve the same results with your favorite 64bit Linux distribution as a host operating system.

**If you don’t have 2 high speed internet connections, you obviously won’t be able to setup Multi-WAN load balancing. However you can still setup a pfSense firewall inside of VMWare Workstation 7, and route all of your network traffic.

***I’ll be doing another guide for pfSense 2.0 when the final stable build is released for it.

****I’m using a LinkSys WRT330N, which is a combination Wireless Access Point, Router, and 4 port gigabit switch.

Step 1: Connect the modems and switch to your computer.



Multi-WAN Diagram
It should resemble the diagram above. For my setup, I have an old Motorola SB5101 cable modem that I’ve owned for years, and an SMCD3G leased modem from my cable company. This is purely for speed. If you were going to setup Multi-WAN load balancing in a production environment, you’d want to have two unique ISPs. Cable and DSL for example. That way you can have true fault tolerance and high availability. If the connection to one ISP is lost, traffic will still be routed through the other. There’s only one ISP that services the area I live in, so that’s why I have 2 connections to the same ISP. You could add additional connections to ISP(s) for even more speed or fault tolerance, just add more network ports to the computer hosting pfSense.

Each connection to your ISP should go to 1 port on the computer you’ll be setting pfSense up on. One connection goes to the switch for your LAN.

Note: If you are using something similar to the Linksys WRT330N that I have, you want to use one of the LAN switch ports on it for the connection to the pfSense firewall. DO NOT use the “INTERNET” (WAN/uplink) port, it won’t work. You also need to turn off the firewall, NAT, and DHCP server on this device, if it has those features. We’ll be using pfSense to do all of that now. You will need to change the default IP on this device as well. Usually it’s something like 192.168.1.1. We’ll be using x.x.x.1 as the gateway IP for our LAN. These devices usually aren’t smart enough to do VLANs, so if the address space doesn’t match what we configure in pfSense, things aren’t going to work. I changed mine to x.x.x.5. You can use any private address space you like for your LAN. Since mine is a small home lab, I’m using a single 24 bit subnet, so this guide will reflect that.

Step 2: Configure the host.

As I mentioned, I’m using 64bit Windows 7 as my host, so this example is from that. If you’re using a different host OS, you will need to accomplish the same end result.

First, I recommend labeling your NICs. I gave mine names that matched what they are connected to. If I had 2 different ISPs, I would have given the WAN links the name of the ISP they are connected to, but since I don’t, I named them after the modem model number they are connected to instead.



Next we need to disable TCP/IP on the WAN links. Bring up the properties for each NIC that is connected to your ISP(s).



Make sure both “Internet Protocol Version 6 (TCP/IPv6)” and “Internet Protocol Version 4 (TCP/IPv4)”

The last thing we need to do in this step is change the binding order of the NICs. In Windows 7 you hit “Alt+N” to bring up the hidden menu in your Network Connections, then select “Advanced Settings”. Move your LAN NIC to the top of the list.



TIP: You can disable TCP/IP on the WAN NICs from the “Advanced Settings”, just select the NIC and uncheck all check boxes for it.

This is done to make sure traffic from the host OS gets routed through the pfSense firewall. If you do not do this, both the host OS, and the pfSense VM will try to pick up an IP address from your ISP(s). Your host will end up connecting to the internet through one of these NICs and not be able to take advantage of the load balancing.

You need to leave TCP/IP enabled on your LAN NIC.

Step 3: Configure VMWare Workstation 7

If you haven’t already installed VMWare Workstation 7, do it now before continuing.

Here we need to configure the NICs for use by our virtual machines. Click “Edit” then “Virtual Network Editor”.



As you can see, I have VMnet0 bridged to one of my Intel Pro 1000 NICs, VMnet2 bridged to the other, and VMnet3 bridged to my motherboard’s on-board Realtek NIC. VMWare Workstation 7 doesn’t use the labels that we assigned in the host, but you can easily tell which is which. If you look at the screen shot where I labeled my NICs in Step 2, you can see that VMnet0 is my connection to the SB5101 modem, VMnet2 is the connection to the SMC modem, and VMnet3 is the connection to the LAN.

Step 4: Configure the pfSense virtual machine settings

Open up the pfSense virtual appliance in VMWare Workstation 7, but do NOT power it on. Bring up the Virtual Machine Settings by clicking “Edit virtual machine settings” or hitting “CTRL+D”.



Make sure you have 3 devices of the type “Network Adapter”, 1 for each NIC we configured in Step 3. Select each “Network Adapter”, make sure “Connected” and “Connect at power on” are both checked. Set the “Network connection” to “Custom: Specific virtual network”, and select one of the VMnet# that you configured in Step 3 for each “Network Adapter”.

Step 5: Configure pfSense from the console.

Now it’s time to boot your pfSense VM. When it boots, you should see a screen like this:



Your interfaces may not be assigned, mine weren’t, and pfSense was unable to automatically detect them. If this happens, it may take a little trial and error to get them assigned correctly. Press 1 then hit enter to assign them. Your WAN links should pick up an IP address from either your ISP, or your cable modem, if they use DHCP. If you get it wrong the first time, you can usually tell which one is the correct LAN interface by looking for the interface that does not pick up an IP address at the top of the screen. If you see “0.0.0.0”, that is most likely your LAN interface, write down the interface number, and run the assignment again. If you own a static IP address, you will need to configure it later. The LAN interface assignment is what is important here, once you have the correct interface assigned for the LAN, the rest of the configuration will be done through the web management console.

You can change the LAN IP by hitting 2, or use the default, it’s up to you.

Step 6: Configure pfSense from the web interface.

Open a web browser and go to http://192.168.1.1 (or whatever you changed the LAN IP to). The default username is “admin” and the default password is “pfsense” (don’t forget to change these!). You’ll be greeted with a configuration wizard; click “Next”.



Enter your information; I used my ISP’s DNS. Click “Next”.
The time zone settings will come up; select your time zone and click “Next”.
Now you will be asked to configure the WAN interface. If you have a static IP from your ISP, here is where you’ll configure it, UNLESS that is handled by your modem. If your modem gets the static IP assignment from your ISP, you will want to leave this as DHCP so it will pick up a private address from your modem.
The next page lets you change the LAN IP, if you did that in Step 5, or just want to use the default, you can just click “Next” and move on.
Finally we’ll set the WebGUI password. After you change it, you’ll have to log back on.

Next we need to configure the second WAN interface. Click “Interfaces” then “OPT1”.



Make sure “Enable Optional 1 interface” is checked. You can change the name here, I labeled mine “WAN2”. If you have a static IP for your other ISP connection, you’ll want to configure it here. If you only own 1 static IP, you should probably leave this set as DHCP. Again, if your modem handles your public IP, you should probably leave this as DHCP.

Next we will create a Load Balancer Pool. Click on “Services” then “Load Balancer”. When the page loads, click the icon to create a new pool.



Give the pool a name, I called mine “LoadBalancer”. Make sure the type is set to “Gateway”, and Behavior is set to “Load Balancing”.
Add both WAN IPs to the pool. I use the gateway for each WAN interface as the monitor IP.
Click “Save” when you are done.
Create a second pool for Failover, just set the type to “failover” for this one.



You should have 2 pools as shown above when you’re done.

We’re almost done. The last thing we need to do is set up some firewall rules. Click “Firewall” then “Rules”. When the page loads, select the “LAN” tab.



We don’t want all traffic to be load balanced. You can’t load balance SSL and other encrypted traffic; those types of connections need to use the same IP every time. pfSense processes rules from the top down, and the first rule that matches a connection decides which gateway it uses. You’ll notice the load balancer rule is at the bottom. Anything we don’t want load balanced needs to be in a rule ABOVE it. I’ll show you how to create a rule to NOT load balance a protocol, using HTTPS as an example. First click the icon to create a new rule.



Your settings should match the screen shot above. Using the failover gateway we configured will ensure these protocols still work with minimal interruption if one of our WAN links goes down.

Now let’s tell it to load balance everything else. You probably already had a “Default LAN -> Any” rule; just click the icon to edit it.



Your rule should look like the screen shot above. Save it, then apply the changes.
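
Why the order of these two LAN rules matters, as an added example that is not part of the original guide or of pfSense itself. It models first-match evaluation on protocol and destination port only (a simplification), and reports rules that can never match because an earlier rule already covers them; the `Rule` class, the function names and the pool name “Failover” are assumptions, while “LoadBalancer” is the pool name used above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                 # "tcp", "udp" or "any"
    dst_port: Optional[int]    # None matches every destination port
    gateway: str               # gateway pool the matching traffic is sent to

    def matches(self, proto: str, dst_port: int) -> bool:
        return self.proto in ("any", proto) and self.dst_port in (None, dst_port)

    def covers(self, other: "Rule") -> bool:
        """True when every connection `other` matches is also matched by self."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        port_ok = self.dst_port is None or self.dst_port == other.dst_port
        return proto_ok and port_ok


def pick_gateway(rules, proto, dst_port):
    """Top-down, first match wins; None means no pass rule matched."""
    for rule in rules:
        if rule.matches(proto, dst_port):
            return rule.gateway
    return None


def shadowed(rules):
    """Return (rule, earlier_rule) pairs where the later rule can never match."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found


# Constructed rule sets mirroring the two LAN rules from this step.
HTTPS = Rule("HTTPS via failover", "tcp", 443, "Failover")
DEFAULT = Rule("Default LAN -> any", "any", None, "LoadBalancer")

GOOD_ORDER = [HTTPS, DEFAULT]   # specific rule above the catch-all
BAD_ORDER = [DEFAULT, HTTPS]    # catch-all first: the HTTPS rule is dead

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, pick_gateway(rules, "tcp", 443), shadowed(rules))
```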

That’s it! All of your network traffic should now be flowing through the pfSense virtual machine. To verify that the load balancing is working, go to a site like www.whatismyip.com, and refresh the page a couple times. The IP shown should change back and forth between the external IPs of your WAN links every time the page loads.

If you want to test the speed out, you can use a site like www.speedtest.net, however these results can be a little inaccurate due to the “Speed Boost” that a lot of ISPs use these days. I have a 12Mbps down and 2Mbps up package from my ISP, and these are the results I get after setting up the load balancing:



If you want to test the failover, simply unplug one of your WAN links and try surfing the web. You should still be able to, even with one link down. Plug it back in, and it should automatically start load balancing again.

If I pull the plug on one of my WAN links and run a speed test, this is the result:



As you can see there’s quite a difference in bandwidth with the load balancing.

Just for fun I took a look at what World of Warcraft thought my “effective bandwidth” was…


176Mbps, don’t I wish!

I hope you’ve enjoyed this guide. Stay tuned for Part 2 of my “Budget Laboratory” series, where I’ll show you how to set up a virtual SAN using FreeNAS and VMWare Workstation 7.