Slides for the August 2018 pfSense Hangout video

1. pfSense 2.4.4 Short Topic Miscellany
August 2018 Hangout
Jim Pingle

2. Youtube Live
● First hangout on Youtube Live!
● May be some rough edges, so let us know if you have any
problems or concerns
If the video looks fuzzy, Youtube
set your auto quality too low
Click the gear and choose 720p!

3. About this Hangout
● Netgate News
● – All topics below are on pfSense 2.4.4 –
● CoDel/FQ_CODEL with Limiters
● Captive Portal Authentication Changes
● Captive Portal Page Customization
● IPsec Speed Improvements
● Certificate Management Changes
● Gateway Group as a Default Gateway

4. Netgate News
● pfSense 2.4.4-RELEASE Coming in early September
– https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html
● TNSR 18.08 up now on AWS, hardware installs supported in 18.08 and coming soon
– NACM access control, NTP, improved DHCP server, DNS Resolver, IPsec accelerator support, RESTCONF server management
– https://www.netgate.com/docs/tnsr/releases/release-notes-18.08.html
● All past and present pfSense Hangouts are now on Youtube
– https://www.netgate.com/blog/all-pfSense-hangout-videos-available-free-on-youtube.html
● The pfSense Book is now free to access for everyone
– https://www.netgate.com/blog/pfSense-book-available-to-everyone.html
– https://www.netgate.com/docs/pfsense/book/
● Still chances left to win a limited edition MinnowBoard Turbot Dual-Ethernet for taking our pfSense® User survey
– https://www.netgate.com/blog/win-limited-edition-turbot-dual-e.html
● SG-5100 Desktop now available for pre-order
– $799, Shipping mid-September
– Intel® Atom® C3558, 4GB RAM (upgradable), 8GB eMMC (can also take m.2 or SATA)
– 6 Intel 1Gbit/s interfaces (2x igb, 4x ix, all 1Gbit/s copper ports)
– Passively cooled, no rack mount option
– https://www.netgate.com/blog/sg-5100-desktop-available-for-pre-order.html
● pfSense Supplementals I course next month, one-day course that covers popular packages
– https://www.netgate.com/training/pfsense-supplementals-1.html

5. CoDel/FQ_CODEL With Limiters
● CoDel (https://en.wikipedia.org/wiki/CoDel), pronounced "Coddle", is short for Controlled Delay. It is a
scheduling algorithm designed to combat bufferbloat on routers
– It is billed as a “no knobs, just works” algorithm, but there are parameters to tweak if needed
● What is Bufferbloat? (From https://en.wikipedia.org/wiki/Bufferbloat)
– A cause of high latency in packet-switched networks caused by excess buffering of packets
– Bufferbloat can also cause packet delay variation (also known as jitter), as well as reduce the overall network throughput
– When a router or switch is configured to use excessively large buffers, even very high-speed networks can become
practically unusable for many interactive applications like voice over IP (VoIP), online gaming, and even ordinary web
surfing
– You'll notice the effects for example when one download seems to dominate an entire link, or when latency skyrockets as
a file is downloading
● Bufferbloat and speed test at http://www.dslreports.com/speedtest
– Users have reported going from a Bufferbloat score of “F” without this configuration to “A” after
● Due to the way limiters function, using an alternate scheduler requires that traffic be run through a child
queue and not a limiter directly. So in this example, we will make two limiters, and a child queue for each,
and then attach the child queues to a floating rule

6. CoDel/FQ_CODEL With Limiters
● Navigate to Firewall > Traffic Shaper, Limiters tab
● Click + New Limiter: WANDown
– Check Enable
– Bandwidth: Equal to WAN download bandwidth
– Mask: None
– Description: WAN Download
– Queue Management Algorithm: CoDel
● Options will appear after save, but leave them at defaults
– Scheduler: FQ_CODEL
● Options will appear after save, but leave them at defaults
– Queue Length: Can vary depending on the speed of the link, can try at default, or use 1000 which should
be a safe default for most high speed WANs
– ECN: Checked
– Click Save

7. CoDel/FQ_CODEL With Limiters
● Click WANDown to reload the page
● Click + Add New Queue (under WANDown): WANDownQ
– Check Enable
– Mask: None
– Description: WAN Download Queue
– Queue Management Algorithm: CoDel
● Options will appear after save, but leave them at defaults
– ECN: Checked
– Everything else blank/default
– Click Save

8. CoDel/FQ_CODEL With Limiters
● Navigate to Firewall > Traffic Shaper, Limiters tab
● Click + New Limiter: WANUp
– Check Enable
– Bandwidth: Equal to WAN Upload bandwidth
– Mask: None
– Description: WAN Upload
– Queue Management Algorithm: CoDel
● Options will appear after save, but leave them at defaults
– Scheduler: FQ_CODEL
● Options will appear after save, but leave them at defaults
– Queue Length: Can vary depending on the speed of the link, can try at default, or use 1000 which should
be a safe default for most high speed WANs
– ECN: Checked
– Click Save

9. CoDel/FQ_CODEL With Limiters
● Click WANUp to reload the page
● Click + Add New Queue (under WANUp): WANUpQ
– Check Enable
– Mask: None
– Description: WAN Upload Queue
– Queue Management Algorithm: CoDel
● Options will appear after save, but leave them at defaults
– ECN: Checked
– Everything else blank/default
– Click Save
● Click Apply Changes

10. CoDel/FQ_CODEL With Limiters
● Navigate to Firewall > Rules, Floating tab
● Add a new rule (bottom of the list if there are other rules)
– Action: Pass
– Quick: Checked
– Interface: WAN
– Direction: Out
– Address Family: IPv4
● If you need both IPv4+IPv6, make two separate rules, one for each family – Combined rules cannot set a gateway
– Protocol: Any
– Source/Destination: Any
– Description: CoDel Limiters
– Click Display Advanced
– Gateway: WAN gateway (Must be set!)
– In / Out Pipe: WANUpQ / WANDownQ
● With floating rules in the outbound direction, "in" traffic is uploads, and "out" traffic is downloads
– Click Save

11. CoDel/FQ_CODEL With Limiters
● Click Apply Changes
● Reset states to force all traffic to use new limits
● Run tests to confirm new behavior
– If the behavior is not as desired, read through
https://forum.netgate.com/topic/112527/playing-with-fq_codel-in-2-4
(mostly near the end of the thread) and make adjustments to
parameters

12. Captive Portal Authentication Changes
● Captive Portal has been integrated into the User Manager for
authentication
● You can now use LDAP for Captive Portal authentication!
● Captive Portal RADIUS entries are migrated to the User Manager on
upgrade
– There should be no difference in behavior on upgrade for existing setups
– If you have duplicates, you can pick one to keep and set all portals to that, then
remove the rest
● Some Portal-specific options are still in Captive Portal settings
● Numerous Captive Portal RADIUS issues were fixed as a result, see the
release notes for details

13. Captive Portal Page Customization
● New default captive portal page with modern design, images,
CSS, etc
– Still adapts based on config changes such as adding a voucher field
automatically when vouchers are enabled
● Easier customization
– Can upload a logo, custom background, and set Terms & Conditions
all without having to edit/upload custom HTML!
● Full customization is still possible in the previous style
● No automatic change on upgrade for users of customized HTML

14. IPsec Speed Improvements
● Asynchronous Cryptography, allows the crypto load to be spread across multiple
cores
● VPN > IPsec, Advanced Settings tab, check Asynchronous Cryptography
– Defaults to enabled for Netgate hardware factory image installs, disabled on CE
● Primarily benefits single tunnel configurations, or at least configurations with less
tunnels than CPU cores
● Performance improvements may disappear or even be slower with larger
numbers of tunnels
● Speed improvements are still being measured but in some cases have been
quite dramatic
– One of our new model firewalls with AES-NI and Async Crypto enabled went from ~400
Mbit/s to over 900 Mbit/s of IPsec (1500 byte packets, MSS clamping enabled)

15. Certificate Management Changes
● Certificate fields have been revamped to conform to RFC 5280
● When creating a new CA or Cert, the default action is to create an internal entry
rather than import
● The only required subject component field is now the Common Name
● The Common Name field has also moved to the top of the list of subject attributes
as it is the most important component
● The E-mail address field has been removed as it was declared deprecated
– If a certificate requires an e-mail address, it can be added as a SAN instead of in the subject
● Some areas did not have full support for the optional Organizational Unit, which
should work everywhere now
● Changes have been synchronized across the CA Manager, Cert Manager, User
Manager, and OpenVPN Wizard

16. Gateway Group as a Default Gateway
● Now a Gateway Group can be used as the Default Gateway
● This replaces the old “Default Gateway Switching” behavior
● Using a gateway group, you can control which gateways can be default and
the order in which they are used
● Works only with Failover type Gateway Groups
– One gateway per tier
● To setup, use System > Routing, Gateways tab, Default Gateway section
● Default state on upgrade attempts to reflect previous chosen behavior
– Visit the page after upgrade and confirm the correct default is selected, or pick a
group to use the new behavior

17. Conclusion
● Questions?
● Ideas for hangout topics? Post on forum, Reddit, etc