The point is obvious. There is more than one way to burn a book. And the world is full of people running about with lit matches. Every minority ... feels it has the will, the right, the duty to douse the kerosene, light the fuse. Every dimwit editor who sees himself as the source of all dreary blanc-mange plain porridge unleavened literature, licks his guillotine and eyes the neck of any author who dares to speak above a whisper or write above a nursery rhyme.”
~Ray Bradbury

Spread Spectrum – 6 – Establish Routes & Rules

Google+ Pinterest LinkedIn Tumblr +

Now that the aliases are set up, we can configure routing.  Select System -> Routing.

 

This screen will show all VPN connections and their interfaces.  Each individual interface to be used as a potential gateway has to have testing parameters so that the firewall knows whether that interface is up and can be used.  

First, you need to figure out some addresses that can be used for ping checks; if the ping doesn’t come back or is slow, pfSense will route to a better connection.  You need to set IP addresses that are close and have fast ping times.  I suggest DNS servers such as:

  • 8.8.8.8
  • 8.8.4.4
  • 1.1.1.1
  • 1.0.0.1

 

Once you know what test IP’s to use, edit each VPN interface and set the following (leave all others to their defaults):

  • Gateway name : gwusnord1204 , for example
  • Gateway monitoring : enable
  • Monitor IP : here you put one of the IP’s listed above, something that can be pinged from this interface to determine if it’s up and has a good connection.  Note – each IP has to be unique, you can’t use 8.8.8.8 for all connections.
  • Description : something like the gateway name
  • Poll interval : 1000
  • Alert interval : 2000

Once each interface is shaped, you can create the Gateway Groups.  Go to System -> Routing -> Gateway Groups and add a new group.

Once you select Add Group, it’ll look like the screenshot at right.  This is the first routing group, call it  VPNSerialGroup.

The premise of the VPNSerialGroup is to try one VPN interface, then the next, then the next…   With spread spectrum VPN your source IP address changes constantly, messing with secure sites.  This route is used when you go to web banking or other secure sites, making your HTTPS connection not drop during use.

You want to rank the VPN connections in order of preference or just go top-down.  Click on each INTUSNORDxxx interface and change “Never” to Tier 1, change the next to Tier 2 and so on.

Leave WAN* and other interfaces alone and set to the default “Never” – these routing groups are only for VPN interfaces.

Set “Trigger Level” to “Packet Loss or High Latency” – this will fall through to the next interface if something is wrong with the current one.

Save when finished.

After the VPNSerialGroup is added, do the same to add the VPNSS group.  It’s setup is identical to the above but for a major difference – set all VPN interfaces to Tier 1.

This routing group is the heart of using pfSense for a Spread Spectrum VPN, this is what causes connections to randomly go over various interfaces.

(Please note I was lazy with the connections and screenshots, my screenshot at right only shows a single connection – you should have four or more from the previous steps.)

Time to add rules.  Usually firewall rules are used to allow/deny traffic to and from locations, but in this case we’re putting in rules to tell the firewall that it’s not only okay to route to a different interface but under what conditions to do so.

Let’s first add rules to the LAN section – these rules apply from the internal segment of the Local Area Network.

We’ll be adding three rules to the very bottom: NoVPN for direct traffic, VPNSerial for one-by-one and !NoVPN (not-NoVPN) for the default, which is spread spectrum.

 

NoVPN

First is the exception – from IP’s in this group, route straight out to the default gateway, no VPN.

From the Rules/LAN dialogue above, select Add with the down arrow to add a new rule at bottom.  It’s parameters are as follows:

  • Action: Pass
  • Interface : LAN
  • Address family : IPv4
  • Protocol : Any
  • Source : Single Host or Alias : NoVPN
  • Description : NoVPN Direct
 

Select the Advanced Options / Display Advanced.  From there:

  • Gateway: WAN (hard set this to the default WAN interface, though “Default” does work in most cases)
 
Save when done.

Serial VPN

Next, the hosts that should use the VPN, but only one channel at a time.  This is helpful for obstinate websites, banking sites, etc.

From the Rules/LAN dialogue above, select Add with the down arrow to add a new rule at bottom.  It’s parameters are as follows:

  • Action: Pass
  • Interface : LAN
  • Address family : IPv4
  • Protocol : Any
  • Source : Single Host or Alias : VPNSerial
  • Description : SerialVPN
 

Select the Advanced Options / Display Advanced.  From there:

  • Gateway: VPNSerialGroup
 
Save when done.

SSVPN

Lastly, the default group.  If not NoVPN and not VPNSerial (handled above, then all else goes through the Spread Spectrum route.

From the Rules/LAN dialogue above, select Add with the down arrow to add a new rule at bottom.  It’s parameters are as follows:

  • Action: Pass
  • Interface : LAN
  • Address family : IPv4
  • Protocol : Any
  • Source : INVERT MATCH : Single Host or Alias : NoVPN
  • Description : SSVPN Default
 

Select the Advanced Options / Display Advanced.  From there:

  • Gateway: VPNSS
 
Save when done.

These are the last steps – time to test what we’ve put together.

Share.

Leave A Reply

Secured By miniOrange