Exploring the KEA DHCP Server in pfSense+ 23.09

Do not use KEA DHCP after 50 days, I got a lot of problems and my devices did not come on the internet and also not got the right IPs.
So I had to switch back to the old ISC DHCP again.

Warning – KEA DHCP is not working 100% in 23.09.1

With the release of pfSense+ 23.09, a significant transition in DHCP services is on the horizon. The move from the traditional ISC DHCP server to the modern KEA DHCP is not just a change; it’s an upgrade that brings several benefits and improvements.

Why Switch to KEA DHCP?

  1. Deprecated ISC DHCP: The ISC DHCP server is now deprecated, signaling a shift towards more advanced and supported solutions like KEA.
  2. Simple Transition Process: You can easily switch to KEA DHCP via System > Advanced > Networking in the pfSense+ interface. A simple toggle from ISC DHCP to KEA DHCP is all it takes, maintaining the simplicity of the process.
  3. No Reboot Required: Remarkably, switching to KEA DHCP doesn’t necessitate a system reboot. This feature ensures minimal disruption in network services.

Key Considerations for Migration

  1. Automatic Migration: pfSense+ is engineered to seamlessly migrate your existing DHCP settings to KEA DHCP, preserving configurations like IP ranges and reservations.
  2. Manual Verification: It’s prudent to manually check that all settings have correctly transferred and KEA DHCP operates as expected.
  3. Advanced Configurations: KEA DHCP offers more flexibility, which might necessitate some manual adjustments for complex configurations.
  4. Documentation and Community Support: Leverage pfSense documentation and forums for any migration challenges or questions.
  5. Backup Your Configuration: Always backup your current configuration before making significant changes like this.

Enhancements with KEA DHCP

KEA DHCP is not just a replacement but an enhancement. It offers:

  1. Unified Configuration: KEA integrates dynamic ranges and static mappings more cohesively.
  2. Static Mappings in Dynamic Range: Static mappings can now coexist within the dynamic range, optimizing address space utilization.
  3. Flexibility in Assignments: KEA allows dynamic and fixed address assignments within the same pool, offering greater flexibility.
  4. Improved Management and Performance: Expect easier management and better performance with KEA, along with advanced features suitable for complex networks.

Post-Migration Steps

After the migration:

  1. Monitor Service Status: Check Status > Dashboard to confirm KEA DHCP service is up and running.
  2. Adjust Watchdog Settings: Update your service watchdog to monitor KEA DHCP instead of the old ISC service.
  3. Review Notifications: Keep an eye on notifications for any alerts related to DHCP service.

In summary, the transition to KEA DHCP in pfSense+ 23.09 is a straightforward yet impactful change. It simplifies the DHCP management while offering improved performance and flexibility. Remember to verify settings post-migration and enjoy the new capabilities of your upgraded system!

Knud ;O)




Understanding the Importance of the Recent OpenSSH Patch in pfSense

Understanding the Importance of the Recent OpenSSH Patch in pfSense

The FreeBSD Project recently issued a crucial security advisory (FreeBSD-SA-23:19.openssh) that highlights a significant vulnerability in OpenSSH—a widely used suite for secure remote communication. This advisory is particularly relevant for users of pfSense, a popular open-source firewall and router software based on FreeBSD.

The Vulnerability: Prefix Truncation Attack

Identified as CVE-2023-48795, the security flaw involves a “Prefix Truncation Attack” in the SSH protocol’s handshake mechanism. Attackers can exploit this vulnerability to manipulate handshake messages silently, potentially weakening client authentication algorithms or disabling keystroke timing attack countermeasures. This vulnerability affects all supported versions of FreeBSD.

Immediate Action Required

Given the severity of the issue, it’s vital for administrators to patch their systems immediately. For pfSense users, this means ensuring their system incorporates the latest FreeBSD patches. The advisory provides detailed steps for updating systems either through binary patches via freebsd-update or by applying source code patches directly.

Workaround and Long-Term Solution

Until systems can be fully updated, a temporary workaround is provided, involving specific changes to the OpenSSH configuration files to mitigate the risk. However, this is only a stopgap measure, and administrators are strongly encouraged to apply the full updates as soon as possible to ensure the integrity and security of their systems.

Conclusion

This advisory serves as a reminder of the constant vigilance needed in maintaining the security of network systems like pfSense. Administrators should take immediate action to apply this patch and regularly monitor for further updates to protect against evolving threats. The quick response and detailed guidance provided by the FreeBSD Security Team reflect the ongoing commitment to security within the open-source community.




Understanding the Security Enhancements in pfSense + Update 23.09.1


Introduction:

The latest pfSense + update, version 23.09.1, marks a significant step forward in network security and functionality. As a widely-used open-source firewall and router software, pfSense is integral to maintaining robust network security. This update addresses several critical vulnerabilities and performance issues, reflecting the ongoing commitment to providing a secure and efficient network environment.

Key Security Fixes in 23.09.1:

  1. TCP Spoofing Vulnerability Patch (FreeBSD-SA-23:17.pf):
    One of the most critical fixes in this release is for a TCP spoofing vulnerability in the pf(4) component. This vulnerability could potentially allow an attacker to intercept and manipulate TCP traffic, posing a significant risk to data integrity and security. The update patches this flaw, thereby enhancing the security of TCP traffic management in pfSense.
  2. ZFS Data Corruption Issues (FreeBSD-EN-23:16.openzfs & FreeBSD-EN-23:18.openzfs):
    ZFS, a key file system used by pfSense, had two notable vulnerabilities that have been addressed in this update. One issue led to potential data corruption, and the other caused high CPU usage by ZFS kernel threads. These fixes not only improve data integrity but also enhance the overall performance of systems using ZFS.
  3. OpenSSL Performance Issues (FreeBSD-EN-23:17.ossl):
    Prior to the update, the ossl(4) module’s AES-GCM implementation occasionally produced incorrect results. Since AES-GCM is widely used for encrypted communications, this fix is crucial for maintaining the confidentiality and integrity of encrypted data.
  4. Kernel Physical Memory Allocator Error (FreeBSD-EN-23:20.vm):
    The update rectified an issue with the kernel’s physical memory allocator, which previously gave incorrect results. This fix is vital for the overall stability and reliability of the pfSense system.

Implications for Network Security:

These security enhancements in the pfSense + 23.09.1 update represent critical steps in safeguarding network infrastructure. By addressing vulnerabilities ranging from TCP spoofing to data integrity in file systems and encryption modules, this update ensures that pfSense continues to offer robust defense mechanisms against a variety of cyber threats.

Furthermore, the resolution of these issues not only enhances security but also contributes to the overall performance and stability of networks utilizing pfSense. Network administrators can now rely on a more secure, efficient, and reliable system for managing their network traffic and security policies.

Conclusion:

The 23.09.1 update for pfSense + underscores the importance of continuous vigilance and proactive measures in network security. By addressing key vulnerabilities and performance issues, pfSense maintains its position as a trusted and capable tool in the arsenal of network security professionals. Users of pfSense are encouraged to apply this update promptly to ensure their networks remain secure and efficient.

For more in-depth details about the 23.09.1 update and its full range of features and fixes, please refer to the official pfSense documentation.


This blog post outlines the security-centric aspects of the pfSense + 23.09.1 update, emphasizing its impact and importance in network security.




Accelerating VPN Performance with SafeXcel Crypto on pfSense 23.09-RELEASE (arm64)

The pfSense 23.09-RELEASE has brought a welcome addition to its suite of security features for Netgate 1100 users: the SafeXcel Crypto setting. This new feature is targeted at enhancing the already robust VPN performance by leveraging dedicated hardware acceleration.

What is SafeXcel Crypto?

SafeXcel Crypto is a hardware acceleration technology that boosts the performance of cryptographic operations. When activated, it allows the system to handle encryption and decryption processes for VPN connections more efficiently. It supports a range of encryption algorithms including AES-CBC, AES-CCM, AES-GCM, and more.

How Does it Benefit VPN Performance?

By activating SafeXcel Crypto, VPN operations are no longer solely dependent on the CPU’s general capabilities. Instead, they utilize dedicated hardware designed specifically for cryptographic functions. This results in:

  • Increased Throughput: Data can be encrypted and decrypted at a faster rate, allowing for higher data transmission speeds through the VPN.
  • Reduced CPU Load: Offloading these tasks from the main CPU helps in reducing the overall load, which is particularly beneficial for systems under heavy use.
  • Enhanced Security: With dedicated resources for cryptographic operations, security protocols can function more robustly.

How to Activate SafeXcel Crypto

Activating SafeXcel Crypto in the new pfSense 23.09-RELEASE is straightforward. Navigate to System > Advanced > Miscellaneous in the pfSense GUI and enable the SafeXcel Crypto option. Make sure to configure your IPsec to use one of the supported ciphers to take full advantage of this feature.

Final Thoughts

The addition of SafeXcel Crypto to pfSense’s security arsenal reinforces Netgate’s commitment to delivering top-notch performance and security. With the ease of activation and the promise of better VPN performance, SafeXcel Crypto is set to be a game-changer for businesses and individuals alike who depend on VPNs for secure, reliable connectivity.




Effortless Upgrade to pfSense+ 23.09 on Netgate 1100: A Quick Guide

Hello, tech enthusiasts! Knud here with a must-know update for all pfSense+ users, especially those with Netgate 1100. The latest release, 23.09, is here, and it’s packed with significant changes and upgrades.

Upgrading to pfSense+ 23.09: Step-by-Step

  1. Initiate the Update: Access the pfSense+ dashboard, and click the ‘Update’ button under the ‘Version’ section.
  2. Backup Is Key: Before updating, navigate to ‘Diagnostics’ then ‘Backup & Restore’ for a necessary backup.
  3. Patience Pays Off: Expect the update to take around 15 minutes. So, relax, and let it complete.

What’s New in 23.09?

  1. PHP Upgrade: PHP has been upgraded to version 8.2.11, ensuring better performance and security【11†source】.
  2. Operating System Upgrade: The base system now uses a more recent point on FreeBSD 14-CURRENT【11†source】.
  3. Improved SCTP Support: Enhancements in PF for firewall rules, NAT, and logging, particularly for SCTP packets【11†source】.
  4. OpenSSL Upgrade: A significant jump from 1.1.1t to 3.0.12, bringing major API and ABI changes, and deprecating weak algorithms【15†source】.
  5. Kea DHCP Server: A new, opt-in feature preview for IPv4 and IPv6 DHCP services【11†source】.
  6. NVMe Storage Device Driver Change: The default driver switched from nvd(4) to nda(4), impacting swap configurations【15†source】.
  7. Security Enhancements: OpenSSL 3.0.x no longer supports SHA1 certificates, impacting OpenVPN and other services【15†source】.

Post-Update Steps:

Once updated, perform another backup to ensure your settings are current.

Final Thoughts:

Upgrading your pfSense+ system to version 23.09 is straightforward but requires careful steps. Remember, patience is crucial during the upgrade process for a smooth transition. Enjoy the new features and improved performance!

Cheers to efficient networking,
Knud ;O)




Setting Up SMTP Mail to Pushover Notification with Docker on Raspberry Pi

Setting Up SMTP Mail to Pushover Notification with Docker on Raspberry Pi

Are you looking for a way to easily push SMTP emails to your Pushover notifications using your Raspberry Pi? With the power of Docker and the smtp-pushover image by mattbun, you can set up a simple solution that allows you to send emails to your Raspberry Pi’s port 25 and have the messages forwarded to your Pushover account. In this guide, we’ll walk you through the process step by step.

Prerequisites:

  1. Raspberry Pi with Docker installed.
  2. Basic understanding of Docker and Docker Compose.
  3. Pushover account with User Key and API Token.

Step 1: Pull the Docker Image

The first step is to pull the smtp-pushover Docker image from the GitHub Container Registry. Open a terminal on your Raspberry Pi and execute the following command:

docker pull ghcr.io/mattbun/smtp-pushover:main@sha256:bb4a333892e612edbff843c0a8c79112ff0e61a2e605ebcce4755701513f5f38

Step 2: Configure Docker Compose

Create a docker-compose.yml file in a directory of your choice. Copy and paste the following configuration into the file:

version: '3'

services:
  smtp-pushover:
    restart: unless-stopped
    container_name: smtp-pushover
    image: ghcr.io/mattbun/smtp-pushover
    ports:
      - "25:25"
    environment:
      - PORT=25
      - PUSHOVER_USER="YOUR_PUSHOVER_USER_KEY"
      - PUSHOVER_TOKEN="YOUR_PUSHOVER_API_TOKEN"

Replace YOUR_PUSHOVER_USER_KEY and YOUR_PUSHOVER_API_TOKEN with your actual Pushover User Key and API Token.

Step 3: Start the Service

In the same directory where you created the docker-compose.yml file, open a terminal and run the following command to start the Docker container:

docker-compose up -d smtp-pushover

The -d flag stands for “detached mode,” which will run the container in the background.

Step 4: Sending Emails to Port 25

You’re all set! You can now send emails to the port 25 on your Raspberry Pi. Any emails sent to this port will be forwarded to your Pushover account as notifications.

Conclusion

With just a few simple steps, you’ve set up your own SMTP server using Docker on your Raspberry Pi and configured it to forward emails to your Pushover notifications. This can be a convenient way to receive important alerts and messages directly on your mobile device. Remember to keep your Pushover User Key and API Token secure and never share them publicly. Happy notifying!

For more information and options, you can refer to the official smtp-pushover repository.




Enhancing Your Network Security with pfBlockerNG-devel: A Quick Guide

Are you concerned about the security of your home network? Worried about malicious websites, ads, and unwanted content infiltrating your online experience? Look no further than pfBlockerNG-devel, a powerful package for pfSense that allows you to take control of your network’s security by implementing various blocking mechanisms. In this guide, we’ll walk you through the installation and key configuration steps to get the most out of pfBlockerNG-devel without overwhelming you with technical details.

Installation

To get started, open up your pfSense dashboard and navigate to the System Package Manager. Here, you’ll find a list of available packages. Search for “pfBlockerNG-devel” and install it. Once the installation is complete, you’ll be guided through a wizard that will assist you in setting up pfBlockerNG.

Initial Configuration

After installation, ensure that you enable “floating rules” and “kill states.” These settings are important for the proper functioning of pfBlockerNG.

GeoIP Blocking

One powerful feature of pfBlockerNG-devel is the ability to block traffic based on geographical locations. If there are countries you prefer not to have contact with, you can easily set up inbound blocking rules for them. This adds an extra layer of security to your network.

DNSBL (DNS Blocking)

DNSBL, or DNS Blocking, is an essential tool to prevent access to malicious, ads, and unwanted websites. pfBlockerNG-devel supports this feature by allowing you to add various blacklists. However, it’s important not to go overboard, as blocking too much might hinder your internet usage. Consider enabling lists like “ads_basic,” “malicious,” “easylist,” and “firebog_malicious” under DNSBL groups.

Moreover, the “shalalist” category offers site-blocking options for aggressive, cost traps, drugs, finance, gambling, and spyware-related websites. The “ut1” category includes aggressive, dangerous sites, DDOS, drugs, gambling, malware, phishing, sects, and cheater-related sites. Be selective in your choices to maintain optimal internet usability.

IP Blocking

In the IP blocking section, you can prevent outbound traffic to specific IP addresses. This is useful for devices that may have IP addresses hardcoded in their software, bypassing your DNS. Prioritize blocking known malicious IPs by using the PRI1 and TOR deny outbound lists. Additionally, maintain a whitelist to permit outbound traffic to trusted IPs.

Regular Updates

Remember, changes you make within pfBlockerNG-devel need an update to take effect. Go to “Firewall” and select “pfBlockerNG Update” to ensure your settings are current.

DNS Provider and Security

For enhanced security, consider configuring your external DNS provider. One recommended option is Quad9, known for its comprehensive blocklists and secondary DNS service. Quad9 not only blocks potentially harmful sites but also secures your DNS requests against potential fakes. This extra layer of protection prevents malicious actors from redirecting you to counterfeit websites.

Conclusion

Enhancing your network security with pfBlockerNG-devel doesn’t have to be overwhelming. By following this quick guide, you can set up an effective security solution for your home network. Remember to strike a balance between protection and usability, and stay updated with the latest threat intelligence to keep your online experience safe and smooth.




Optimizing Network Performance: A Quick Guide to Checking Your pfSense Dashboard

In today’s fast-paced digital world, a reliable and speedy internet connection is crucial. If you’re experiencing a drop in your internet speed, there might be a simple solution lurking within your network setup. In this brief guide, we’ll show you how to quickly diagnose potential issues using your pfSense dashboard, ensuring that your network is operating at its full potential.

Step 1: Access Your pfSense Dashboard

To get started, make sure you have access to your pfSense dashboard. You can usually do this by opening a web browser and entering the IP address of your pfSense router. Once you’re logged in, follow these steps.

Step 2: Check Interface Connections

Navigate to the “Interfaces” section of your pfSense dashboard. Here, you’ll find an overview of how your ports are connected. It’s essential to confirm that all ports are configured to their maximum speed. In a network setup with a maximum of 1000baseT full-duplex, ensure that all ports are set to this speed for optimal performance.

Step 3: Verify Port Speeds

If you notice a sudden drop in your internet speed, the first thing to check is whether all ports are still operating at their fastest speed. A simple misconfiguration can cause ports to revert to lower speeds, which can drastically impact your network’s performance. If any ports are not set to the maximum speed, adjust their settings accordingly.

Step 4: Monitor CPU and Memory Usage

Moving on to the pfSense dashboard, keep an eye on the CPU and memory usage. Excessive resource consumption can lead to slowdowns and reduced network performance. Ideally, both metrics should remain within acceptable ranges. If you notice unusually high CPU or memory usage, investigate further to identify any unnecessary processes or activities that might be causing the strain.

Step 5: Streamline Package Installation

While it might be tempting to install various packages on your router/firewall, remember that each added package consumes resources. To maintain optimal performance, only install the packages that you genuinely need. Unnecessary packages can eat up valuable CPU and memory, potentially leading to network bottlenecks and slower speeds.

Conclusion

A quick visit to your pfSense dashboard can often reveal the underlying causes of a drop in internet speed. By ensuring that all ports are configured correctly, monitoring CPU and memory usage, and being selective about the packages you install, you can maintain a high-performing network that meets your needs.

Remember, even the most advanced network setups can encounter issues, but with a little vigilance and these simple steps, you can keep your network running smoothly and enjoy a seamless online experience.




Enhance pfSense Reliability with Watchdog: Auto-Restart Your Services

Introduction:

In the world of network security and management, pfSense has established itself as a reliable and versatile firewall and router solution. It offers a wide range of features to ensure the stability and security of your network. One such feature that can greatly enhance the reliability of your pfSense setup is the Watchdog package. Watchdog allows you to monitor and automatically restart essential services, ensuring your network remains operational even in the face of service disruptions.

Installing Watchdog:

To get started with Watchdog, you’ll first need to install the package. Fortunately, this process is straightforward. Follow these steps:

  1. Log in to your pfSense web interface.
  2. Navigate to the “Services” menu, then select “Services Watchdog.”
  3. In the Watchdog package settings, you can choose which services you’d like to monitor for potential downtime. This selection is crucial, as it determines which services Watchdog will keep an eye on.

Automated Service Monitoring and Restarting:

Once you’ve selected the services you want to monitor, Watchdog takes over, constantly checking the health of those services. If a monitored service goes down, Watchdog will automatically restart it. This feature is invaluable for maintaining the uptime and overall performance of your network.

Here’s how Watchdog’s automated monitoring and restarting process works:

  1. Watchdog Monitors: Watchdog regularly checks the status of the selected services, ensuring they are up and running as expected.
  2. Service Failure Detected: If Watchdog detects that a service has gone down or become unresponsive, it triggers an automatic restart.
  3. Seamless Recovery: Watchdog restarts the failed service without any manual intervention, ensuring minimal disruption to your network operations.

Push Notifications for Instant Alerts:

Staying informed about your network’s status is crucial, especially when critical services experience disruptions. Watchdog offers integration with various notification platforms, such as Pushover, Telegram, Slack, and email. Pushover, for instance, is a popular choice for sending notifications directly to your mobile device.

To set up push notifications in pfSense:

  1. Navigate to the “System” menu, then select “Advanced.”
  2. Under the “Notifications” tab, configure your preferred notification platform. For Pushover, provide your user key and application key.

Benefits of Using Watchdog:

  1. Enhanced Reliability: Watchdog helps maintain the operational continuity of your network by automatically recovering from service failures.
  2. Reduced Downtime: With automated service restarting, downtime is minimized, leading to improved user experiences and increased productivity.
  3. Proactive Alerts: Receive instant notifications about service disruptions, allowing you to address issues promptly and avoid prolonged outages.
  4. Ease of Use: Watchdog’s intuitive interface and integration options make it accessible to users of varying technical expertise.

Conclusion:

Incorporating the Watchdog package into your pfSense setup is a wise decision to ensure the stability and reliability of your network. By automating the monitoring and restarting of critical services, you can mitigate downtime and provide a seamless experience for your users. Additionally, the integration of push notifications keeps you informed, allowing you to take swift action when issues arise. So, take advantage of Watchdog, keep your services running smoothly, and enjoy a secure and uninterrupted network environment.




Setting Up DNS Resolver (Unbound) in pfSense to Use Quad9

Introduction:
In today’s digital landscape, having a robust and secure DNS resolver is essential for ensuring a smooth and safe browsing experience. One popular option is Quad9, a DNS service that emphasizes privacy and security. In this guide, we will walk you through the process of setting up the DNS Resolver (Unbound) in pfSense to use Quad9 for your DNS queries.

Menu System – General Setup

  1. Access General Setup:
    Log in to your pfSense web interface and navigate to System > General Setup.
  2. Update Primary DNS Server:
    In the “DNS Server Settings” section, locate the primary DNS server. Change the IP address to 9.9.9.9 and set the hostname to dns.quad9.net.
  3. Configure Secondary DNS Server:
    For the secondary DNS server, set the IP address to 149.112.112.112 and the hostname to dns.quad9.net.
  4. DNS Resolution Behavior:
    Ensure that the “DNS resolution Behavior” is set to Use local DNS, fall back to remote DNS servers (default).
  5. IPv6 Configuration (Optional):
    If you’re not using IPv6, you can skip the IPv6 configuration settings in the General Setup.

Menu Services – DNS Resolver – General Settings

  1. Enable DNS Resolver:
    Go to Services > DNS Resolver and ensure that the Enable checkbox is selected.
  2. SSL/TLS Certificate:
    Keep the default SSL/TLS Certificate setting, as it is set to the webConfigurator default.
  3. Network Interfaces:
    Under “Network Interfaces,” select All to allow DNS resolution on all available interfaces.
  4. Outgoing Network Interfaces:
    Choose WAN as the outgoing network interface for DNS queries.
  5. System Domain Local Zone Type:
    Set the “System Domain Local Zone Type” to Transparent.
  6. DNSSEC Configuration:
    Since Quad9 already uses DNSSEC, you don’t need to enable DNSSEC in the pfSense settings.
  7. Enable Forwarding Mode:
    Make sure that “Enable Forwarding Mode” is enabled. This allows Unbound to forward DNS queries to external DNS servers like Quad9.
  8. SSL/TLS for Outgoing DNS Queries:
    Enable the “Use SSL/TLS for outgoing DNS Queries to Forwarding Servers” option. This ensures encrypted communication between pfSense and Quad9.

Conclusion:

Setting up the DNS Resolver (Unbound) in pfSense to use Quad9 is a straightforward process that enhances your network’s security and privacy. By following the steps outlined in this guide, you’ve configured your pfSense firewall to route DNS queries through Quad9’s secure and reliable servers. With a strong emphasis on protecting user data and thwarting malicious activities, Quad9 ensures a safer online experience for you and your network users. Now you can enjoy faster, more secure, and private browsing while benefiting from the robust capabilities of pfSense and Quad9.

Remember, the digital landscape is constantly evolving, and staying proactive about your network’s security is paramount. Periodically revisit your DNS resolver settings and consider exploring other security-enhancing features within pfSense to ensure your network remains protected.