
TLN – Wireless Statistics Subcommittee

October, 2013

pfSense

Summary

pfSense is a distribution of FreeBSD that has been tailored for use as a firewall/router. It offers many features that would be useful for public wifi. It is a free, open source application that can be used as a wireless gateway to provide your public wifi network with a customizable captive portal, and stat collection capabilities that will satisfy state collection requirements.

System requirements

The minimum system requirements for a gateway with less than 10Mbps of throughput are:

• CPU – 100MHz
• RAM – 128MB
• CD-ROM Drive for initial install
• 1GB hard drive

Hardware specs should be scaled up to manage higher throughput loads. But generally speaking, any PC built within the last five years should be more than adequate.

Web interface

Everything configurable in pfSense can be done from the web interface. After an initial setup wizard you will be sent to a dashboard page that can be customized with various widgets that show different kinds of information. Some of the more useful include traffic graphs, firewall logs, and the captive portal status.

A number of the configuration pages deal with lists of items (lists of firewall rules, aliases, schedules, routes, etc.), and they generally have the same icon set for manipulating these lists: one icon adds a new item, one deletes an item, and one edits an item. Most of the buttons in the web interface can be hovered over for a brief explanation.

Console interface


Low level operations can be done from the console interface. Console access via secure shell can be enabled in the System > Advanced page of the web interface to allow remote access to the command console. Shell commands can be run through the Diagnostics > Command prompt page on the web interface, but this functionality is still experimental, and SSH is generally more convenient. Log in via SSH as root with the admin password set for the web console.

Network Configuration

[Diagram: Internet – Firewall/Router – WAN interface – pfSense PC – LAN interface – Public network switch or VLAN – Access point(s) – Wireless network]

Systems running pfSense should have at least two NICs, and can replace the existing gateway for your wireless network. The pfSense PC will act as the primary DHCP and DNS server to wifi clients, and the WAN interface will connect to your greater network. An initial setup wizard is available to guide users through new installations. Assuming there is an existing wireless network on site that is structured similarly to the diagram above, replacing the existing wireless gateway with a pfSense system should only require a minimal working knowledge of computer networks, DHCP, and DNS.

Firewall rules

Like most other firewalls, pfSense’s rules are applied per-interface. Packets matching a rule can be allowed, blocked or dropped. Basic match criteria include the protocol, the source and destination address (each of which can be a single host or an entire network), and the source and destination port range.


Advanced firewall rule features

• Source OS – match rules based on operating system
• TCP flags – match based on TCP flags that are set or cleared
• Schedule – match rule to a time schedule (can be used to set hours)
• Gateway – if multiple WAN interfaces exist, this option will send packets matching the rule to a specific gateway.
• In/out – sets a limiter to use for inbound and outbound traffic.
• Ackqueue/queue – used to place matched packets into traffic shaping queues.
• Layer7 – performs deep packet inspection for matching rule

Floating rules

Normally, firewall rules are set to a specific interface. Floating rules can apply to any interface, going in any direction. These are primarily used to put packets in the appropriate shaping queues.


Schedules

Schedules can be used to define a set of times in which a firewall rule should be active. Each schedule consists of one or more time ranges which can be set to specific days or a weekly recurrence.

To make a schedule click the new button, then set the days of the week or the calendar date you want the schedule to be in effect using the calendar in the month section. Then select a time range using the start and stop time fields, and click add time to save the time range to the schedule. Add as many time ranges as are needed to the schedule and click save.

These schedules can be easily used to limit wireless access to hours when the library is open and to keep wireless inaccessible during scheduled closures. Since the firewall rules are evaluated on a first match basis, a rule blocking for closed days should be placed above a rule setting weekly hours.
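Worked illustration of the first-match ordering point above, added here as example code rather than anything from the original document or from pfSense itself: a small evaluator with constructed hours (open Monday to Saturday 09:00-21:00, closed all day on one calendar date) shows that the closure block only takes effect when it sits above the weekly-hours pass rule.

```python
from datetime import date, datetime, time


def time_range(start, stop, weekdays=(), dates=()):
    """One schedule entry: active on the given weekdays (0=Monday) or calendar
    dates, between start and stop (inclusive). Constructed to mirror the
    day-plus-time-range entries a pfSense schedule is built from."""
    return {"start": time.fromisoformat(start), "stop": time.fromisoformat(stop),
            "weekdays": set(weekdays), "dates": set(dates)}


def schedule_active(schedule, when):
    """True when any time range in the schedule covers the datetime `when`."""
    for entry in schedule:
        day_matches = when.weekday() in entry["weekdays"] or when.date() in entry["dates"]
        if day_matches and entry["start"] <= when.time() <= entry["stop"]:
            return True
    return False


def evaluate(rules, when):
    """First-match evaluation as the document describes: walk the rules in
    order and return the name and action of the first one whose schedule is
    active (a rule with no schedule always matches). Nothing matching falls
    through to the implicit block at the end of the interface ruleset."""
    for name, action, schedule in rules:
        if schedule is None or schedule_active(schedule, when):
            return name, action
    return "default", "block"


# Constructed library hours: open Monday to Saturday 09:00-21:00 (weekly
# recurrence) and closed all day on one calendar date (a scheduled closure).
OPEN_HOURS = [time_range("09:00", "21:00", weekdays=range(0, 6))]
CLOSURES = [time_range("00:00", "23:59", dates=[date(2013, 11, 28)])]

# Recommended order: the closed-day block sits above the weekly-hours pass rule.
CORRECT_ORDER = [("closed days", "block", CLOSURES),
                 ("open hours", "pass", OPEN_HOURS)]
# Reversed order: the pass rule matches first on the closure date, so the
# block rule below it never fires and wireless stays open on the closed day.
WRONG_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    closure_noon = datetime(2013, 11, 28, 12, 0)  # Thursday, scheduled closure
    print(evaluate(CORRECT_ORDER, closure_noon))  # ('closed days', 'block')
    print(evaluate(WRONG_ORDER, closure_noon))    # ('open hours', 'pass')
```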


Traffic Shaping

The pfSense traffic shaper comes with a handful of wizards for configuring traffic shaping. The wizard will allow you to set link bandwidth, select a queue scheduling algorithm, and prioritize common protocols. The wizard will generate a set of queues and ACKqueues for each interface, as well as a set of floating firewall rules for each protocol prioritized.

Limiters

Limiters are used to simulate lower bandwidth or lower quality connections over an interface. In most cases simply setting the bandwidth limits is sufficient, but you can also set a delay for the connection, and simulate a certain percentage of packet loss. Traffic is assigned to a limiter using the in/out option in the firewall rules editor.

Layer 7

Layer 7 uses deep packet inspection to adjust the behavior of the firewall. A layer 7 rule group can be set to block traffic, place it in a shaping queue, or place it through a limiter.

Captive portal

The captive portal allows you to set up an authenticated or unauthenticated splash screen. The captive portal will need to be configured in order to track usage statistics with pfSense.

Captive portal settings


• Max concurrent connections – sets the number of users that can load the captive portal page at the same time. This can probably be left alone.
• Idle timeout – sets the amount of time a session can be inactive before it is logged off.
• Hard timeout – sets the maximum time limit on sessions.
• Logout popup – opens a popup window with a logout button, useful for ending sessions.
• Pre-authentication redirect – sets a redirect variable that can be used on the captive portal page, or on error pages.
• After authentication redirect URL – landing page; if nothing is set users will land on whatever page they were trying to access before authenticating on the captive portal page.
• Per-user bandwidth – limit the maximum upstream or downstream bandwidth that can be used by an individual. This is equivalent to setting up a limiter for each host that authenticates through the captive portal.
• Authentication – set authentication method
  o No authentication
  o Local user manager
  o RADIUS
• HTTPS – use the https fields to load a certificate, and key, if you wish the captive portal to use SSL.
• Portal page contents – use this setting to upload the html for the splash page.
• Logout page contents – used to customize the logout popup, if enabled.
• Pass-through MAC – this section allows you to add MAC addresses that can bypass the captive portal altogether.
• Allowed IP addresses – adding addresses to this list will allow those addresses to be accessible to unauthenticated wireless users.
• Allowed hostnames – the same as allowed IPs, but for DNS names.
• Vouchers – for captive portals using authentication, the voucher system generates codes that can be used to grant time limited access through the captive portal without a username and password.
• File manager – use this section to upload any images, or other resources that will be used in the captive portal page. Only files uploaded through this system will be accessible from the captive portal. The uploaded version will have the prefix “captiveportal-” (“logo.jpg” will become “captiveportal-logo.jpg”).

Captive portal status


The captive portal status window shows the currently active sessions on the wireless network. All sessions will have a username of unauthenticated when the portal is not using authentication. Sessions can be terminated using the delete button on the right of the list.

Traffic Graphs

The traffic graph offers a real-time look at upstream and downstream traffic.

RRD Graphs

RRD graphs provide more long term statistics of not only bandwidth usage, but many other system statistics as well. RRD graphs average shorter time samples into larger ones, allowing them to keep statistics going back years.

In addition to recording network bandwidth usage, the RRD graphs also track CPU and memory usage, state table statistics, and captive portal utilization. The captive portal graphs show both the number of currently logged in users and the total number of users that have logged in for a given time period. This can be very helpful in tracking overall usage trends, however the averaging on the longer term graphs may lead to results that aren’t quite what the State is asking for.


Stat collection

The features for recording long term usage statistics are not quite ideal given the requirements set out by the state. Recording the number of sessions that the captive portal authenticates is possible out of the box. There are two places where this session data can be located. First, Status > Captive portal shows the current active sessions. Secondly, captive portal activity is logged in Status > System logs > Portal auth. This log file is rotated frequently, so if you’re planning to pull statistics from it, it would be best to set up a syslog server. pfSense’s syslog settings are set in Status > System logs > Settings. The collection methods in this document focus on using the session table.

Collecting session stats

Assuming your timeouts are set long enough so that sessions from the beginning of the day will not time out before closing, the captive portal db should contain every session started that day. The number of daily users can then be recorded from the captive portal status page. The drawbacks to using the captive portal status page as a data source are that it would have to be done manually, late in the day. Also any changes to the portal configuration while it’s up will clear the current session DB, spoiling your data collection for that day.

Automated stat collection

This section contains scripts and sections of code that are designed to work with pfSense version 2.0.3; later versions may require modification. It is possible to automate the recording of the total number of sessions. This snippet of php code will return the number of active sessions on the captive portal:

<?php
// Counts the lines of the captive portal session database (one line per
// active session in pfSense 2.0.x), taking the same lock pfSense uses so the
// file is not read while it is being rewritten.
require("captiveportal.inc");
$cpdb = "{$g['vardb_path']}/captiveportal.db";
if (file_exists($cpdb)) {
    $captiveportallck = lock('captiveportaldb');
    $cpcontents = file($cpdb, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    unlock($captiveportallck);
} else {
    $cpcontents = array();
}
$concurrent = count($cpcontents);
echo $concurrent;
?>

Save this to a php file in /usr/local/www and it should be accessible remotely. Nothing in the snippet itself enforces the web interface login, so restrict which hosts can reach it (for example, with a firewall rule on the interface the recording server uses). This method still won’t be able to count captive portal sessions that were cleared due to a restart or change in the captive portal’s settings.

Automated Stat reporting

A convenient method for collecting these daily session statistics is to store them in a database. A table with three fields is necessary: an ID, a timestamp field which defaults to the current time, and an integer field that will record the quantity of sessions.

Schedule the recording server to run the following php script after closing:

<?php
// Runs on the recording server: fetches the session count from the script
// saved on pfSense and stores it in the statistics table. The mysql_* functions
// this used were removed in PHP 7; mysqli with a prepared statement does the
// same job and binds the count as an integer.
$con = mysqli_connect("dbhost", "dbuser", "dbpassword", "statdatabase");
if (!$con) {
    die('Could not connect: ' . mysqli_connect_error());
}
$wificount = (int) trim(file_get_contents('http://pfsense.host/statoutputmethod.php'));
$stmt = mysqli_prepare($con, "INSERT INTO `sessioncounttable` (`quantity`) VALUES (?)");
mysqli_stmt_bind_param($stmt, "i", $wificount);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_close($con);
echo 'It worked!';
?>
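The recording step, as an added Python example that is not part of the original document: it validates the text the pfSense count script returns, stores the figure in the three-field table described above (sqlite3 in memory standing in for the MySQL database), and goes beyond the single nightly read by combining counts polled through the day, so sessions wiped by a portal restart are still counted under the assumption from Collecting session stats that timeouts outlast the day.

```python
import sqlite3

# Table layout from the section: an id, a timestamp defaulting to the current
# time, and an integer quantity. sqlite3 stands in for the MySQL database here.
SCHEMA = """CREATE TABLE IF NOT EXISTS sessioncounttable (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    recorded_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    quantity INTEGER NOT NULL)"""


def parse_count(body):
    """Validate the text the count script on pfSense returns: it prints a bare
    integer, so anything else (an error page, an empty reply) is rejected
    instead of being stored as a bogus figure."""
    body = body.strip()
    if not body.isdigit():
        raise ValueError("unexpected count output: %r" % body[:40])
    return int(body)


def daily_total(samples):
    """Combine counts polled through the day into one daily figure.
    Assumption taken from the document: timeouts outlast the day, so the
    active count only falls when the portal DB is cleared by a restart or a
    settings change. Each drop banks the count seen just before it. Users
    logging out via the logout popup would also register as a drop."""
    total, previous = 0, 0
    for count in samples:
        if count < previous:
            total += previous
        previous = count
    return total + previous


def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def record(conn, quantity):
    """Insert one daily figure; returns (row id, quantity) as stored."""
    with conn:
        cur = conn.execute(
            "INSERT INTO sessioncounttable (quantity) VALUES (?)", (quantity,))
    return (cur.lastrowid, quantity)


if __name__ == "__main__":
    # Constructed samples: 41 sessions, a portal reset, 27 more by closing.
    polled = ["0", "12", "41", "3\n", "27"]
    print(record(open_store(), daily_total(parse_count(b) for b in polled)))
```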

Packages

A number of packages exist that can be installed to enhance the functionality of pfSense. They are located in System > Packages. I haven’t tried any of them in production, and they are marked as being in alpha or beta status, so use at your own risk. Some of the more interesting ones include:

• Mailreport – sends more detailed mail notifications.
• NRPE v2 – Nagios monitoring plugin, useful if Nagios is used to monitor systems on your network.
• Open-VM-Tools – VMware tools for FreeBSD.
• pfflowd – converts packet filter status messages to Cisco NetFlow datagrams. Could be useful in finding hosts that consume high levels of bandwidth.
• Darkstat – offers per-host network monitoring.
• Anyterm – web based terminal access.