1. Issues

/var/log/syslog:

/rc.dyndns.update       IP address could not be be extracted from checkip.dyndns.org                    #1718 /etc/inc/dyndns.class
/rc.dyndns.update       Current WAN ip could not be determined, skipping update process.                #1572 /etc/inc/dyndns.class
/rc.newipsecdns         IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.       #???? /etc/rc.newipsecdns

http://checkip.dyndns.org
/cf/conf/dyndns*
/etc/rc.dyndns.update
/etc/crontab
/etc/inc/dyndns.class
/etc/inc/vpn.inc
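
The two dyndns messages in the syslog excerpt come from the step where dyndns.class fetches checkip.dyndns.org and parses the address out of the reply; when that parse fails, the update is skipped and the IPsec refresh that follows is a side effect. The script below is an added example (not pfSense's dyndns.class) that reproduces that parse offline and filters the relevant syslog lines, so the cause (empty reply, captive-portal HTML, garbage address) can be narrowed down before touching the firewall. It assumes checkip.dyndns.org answers with a body containing "Current IP Address: a.b.c.d"; the response body and log lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not pfSense's own code: reproduce offline the checkip parse
# that dyndns.class performs, and filter syslog for the dyndns failure lines.
# Assumption: checkip.dyndns.org returns a body containing
# "Current IP Address: a.b.c.d"; sample inputs in the usage are constructed.

# is_ipv4 ADDR: true for exactly four decimal octets, each 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# extract_checkip_address: read a checkip response body on stdin and print the
# dotted quad that follows "Current IP Address:"; return 1 when the body has
# no such marker (e.g. a hotspot login page) or the value is not a valid IPv4.
extract_checkip_address() {
    addr=$(sed -n 's/.*Current IP Address: *\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$addr" ] || return 1
    is_ipv4 "$addr" || return 1
    printf '%s\n' "$addr"
}

# dyndns_failures: keep only the rc.dyndns.update failure lines from syslog
# text on stdin, so repeated cron-driven failures are easy to count:
#   dyndns_failures < /var/log/syslog | wc -l
dyndns_failures() {
    grep -E 'rc\.dyndns\.update.*(could not be|skipping update)'
}

# Manual check on the firewall itself (network access required, so not run here):
#   fetch -qo - http://checkip.dyndns.org | extract_checkip_address
```

If the fetch returns a body but `extract_checkip_address` fails, the WAN is answering with something other than the checkip page (typically an upstream captive portal or a proxy error), which is exactly the condition the "could not be extracted" message reports.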

2. Information

pfSense is a customized version of FreeBSD, with a custom kernel configuration, several kernel patches, and a number of additional software packages, amongst other customisations. Installing the entire distribution as its own independent operating system is required.

The usual rc.d scripts placed in /usr/local/etc/rc.d/ will not function on a pfSense system: there is no rc.conf, and one cannot be created because it will be deleted. Instead, create a custom startup script in /usr/local/etc/rc.d/; its name must end in .sh and it must be marked executable (chmod +x), and it will then run at boot time. Alternatively, anything that can be started with a single command can simply be added as a <shellcmd> in config.xml.
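
As an added example (not pfSense's own code), the following installs a boot-time script the way the paragraph above describes: into /usr/local/etc/rc.d/, with a name ending in .sh and the executable bit set, written atomically so a half-written script can never be picked up at boot. The target directory is a parameter so the function can be tried against a scratch directory; the script name and command in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not pfSense's own code: create a startup script that pfSense
# will run at boot (executable *.sh in /usr/local/etc/rc.d/).

# install_startup_script NAME CMD [RC_DIR]
# Writes RC_DIR/NAME (NAME must end in .sh), marks it executable, prints its path.
install_startup_script() {
    name=$1
    cmd=$2
    rc_dir=${3:-/usr/local/etc/rc.d}

    case "$name" in
        *.sh) ;;
        *) echo "refusing: '$name' does not end in .sh, pfSense would ignore it" >&2; return 1 ;;
    esac

    mkdir -p "$rc_dir" || return 1
    script="$rc_dir/$name"
    # Write to a temp name first: a partially written file that is already
    # executable could be run at boot in a broken state.
    tmp="$script.tmp.$$"
    {
        printf '#!/bin/sh\n'
        printf '# Installed by install_startup_script; pfSense runs every executable *.sh here at boot.\n'
        printf '%s\n' "$cmd"
    } > "$tmp" || return 1
    chmod 0755 "$tmp" && mv "$tmp" "$script" || return 1
    printf '%s\n' "$script"
}

# is_boot_script PATH: true when PATH would be picked up at boot
# (regular file, name ends in .sh, executable bit set).
is_boot_script() {
    case "$1" in *.sh) ;; *) return 1 ;; esac
    [ -f "$1" ] && [ -x "$1" ]
}

# Usage on the firewall (hypothetical service name and command):
#   install_startup_script myservice.sh '/usr/local/bin/myservice start'
#   is_boot_script /usr/local/etc/rc.d/myservice.sh && echo "will run at boot"
```

Keep the command in such a script to something that does not block; pfSense runs these scripts in sequence at boot, and a script that waits on the network delays everything after it. For a single command the <shellcmd> route in config.xml avoids the file entirely and survives a configuration restore.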

Questions:

3G Modem?                       Yes
DHCP Server?                    Yes
Non transparent Proxy?          Yes, install squid package.
Raid support?                   Yes
UPS daemon?                     Yes, install apcupsd package.

3. Preparations

3.1. USB Key

  • Log on as <User>.

  • Attach an empty USB device.

  • Start Rufus with administrative privileges.

  • Select the empty USB device for the Device.

  • Click SELECT.

  • Select the pfSense-CE-memstick-2.6.0-RELEASE-amd64.img.gz file.

  • Click Open.

    Device                                  NO_LABEL (Disk #) [16 GB]
    Partition scheme                        MBR
    Target system                           BIOS (or UEFI-CSM)
    File system                             FAT (Default)
    Cluster size                            16 kilobytes (Default)
    New volume label                        pfSense-2.3.2-x64
    
    - Check device for bad blocks           1 Pass
    + Quick format
    + Create a bootable disk using          DD Image
    + Create extended label and icon files
  • Click START.

  • Click OK to confirm.

  • Wait for the image writing to finish.

  • Click CLOSE.

  • Detach the USB device.

3.2. VirtualBox

  • Use FreeBSD 64-bit in VirtualBox.

  • Questionable: Check Hardware Clock in UTC Time.

4. Installation

4.1. No RAID

  • Make sure that the computer has 2 or more ethernet ports.

  • Attach the pfSense-CE-memstick-2.6.0-RELEASE-amd64.img.gz USB key.

  • Boot the computer from the USB key.

4.2. With RAID

  • Note: Make sure that the computer has 2 or more ethernet ports.

  • Note: Make sure that the computer has 2 identical hard drives.

  • Optional: Make sure to remove any pfSenseMirror.

    • Type Ctrl+F4 to open a console window.

    • Type gmirror list and press Enter.

    • Type gmirror destroy -f pfSenseMirror and press Enter.

    • Type gmirror clear ada0 and press Enter.

    • Type gmirror clear ada1 and press Enter.

    • Type gmirror list and press Enter.

    • Type Ctrl+F1 to return to pfSense Installer.

  • Attach the pfSense-CE-memstick-2.6.0-RELEASE-amd64.img.gz USB key.

  • Boot the computer from the USB key.

  • Select Accept and press Enter.

  • Select Install and press Enter.

  • Select Continue with default keymap and press Enter.

  • Select Auto (ZFS) and press Enter.

  • Select Disk Info and press Enter.

  • Select Back and press Enter.

  • Select Pool Type/Disks: and press Enter.

  • Select mirror and press Enter.

  • Check ada0.

  • Check ada1.

  • Select OK and press Enter.

  • Select Partition Scheme and press Enter.

  • Select GPT (BIOS) and press Enter.

    >>> Install             Proceed with Installation
    T Pool Type/Disks:      mirror: 2 disks
    - Rescan Devices        *
    - Disk Info             *
    N Pool Name             pfSense
    4 Force 4K Sectors?     YES
    E Encrypt Disks?        NO
    P Partition Scheme      GPT (BIOS)
    S Swap Size             1g
    M Mirror Swap?          NO
    M Encrypt Swap?         NO
  • Select Install and press Enter.

  • Select YES to confirm and press Enter.

  • Wait for the installation to finish.

  • Select No to skip opening a shell and press Enter.

  • Select Reboot and press Enter.

5. CLI Configuration

5.1. One network interface

5.2. Two or more network interfaces

Physical Machine: Acer Aspire M1800
  • Type n to skip setting up VLANs and press Enter.

    rl0     18:0f:76:fa:87:57       (down)  RealTek 8139 10/100BaseTX
    rl1     00:13:f7:cc:70:96       (down)  RealTek 8139 10/100BaseTX
    nfe0    00:24:21:7d:9a:ec       (down)  NVIDIA nForce MCP73 Networking Adapter
  • Type nfe0 for the WAN interface and press Enter.

  • Type rl1 for the LAN interface and press Enter.

  • Press Enter.

    WAN     -> nfe0
    LAN     -> rl1
  • Type y to proceed and press Enter.

  • Type 2 to select Set interface(s) IP address and press Enter.

  • Type 2 to configure the LAN interface and press Enter.

  • Type 10.30.1.170 for the new LAN IPv4 address and press Enter.

  • Type 24 for the new LAN IPv4 subnet bit count and press Enter.

  • Press Enter.

  • Press Enter.

  • Type n to skip enabling the DHCP server on LAN and press Enter.

  • Type n to skip reverting to HTTP as the webConfigurator protocol and press Enter.

  • Press Enter to continue.

    WAN (wan)       -> nfe0 ->
    LAN (lan)       -> rl1  -> v4: 10.30.1.170/24
Virtual Machine: VirtualBox
  • Type n to skip setting up VLANs and press Enter.

    WAN (wan)       -> em0  -> v4/DHCP4: 10.0.2.15/24
    LAN (lan)       -> em1  -> v4: 192.168.1.1/24
  • Type 2 to select Set interface(s) IP address and press Enter.

  • Type 2 to configure the LAN interface and press Enter.

  • Type 10.10.10.170 for the new LAN IPv4 address and press Enter.

  • Type 192.168.25.170 for the new LAN IPv4 address and press Enter.

  • Type 24 for the new LAN IPv4 subnet bit count and press Enter.

  • Press Enter.

  • Press Enter.

  • Type n to skip enabling the DHCP server on LAN and press Enter.

  • Type n to skip reverting to HTTP as the webConfigurator protocol and press Enter.

  • Press Enter to continue.

    WAN (wan)       -> em0  -> v4/DHCP4: 10.0.2.15/24
    LAN (lan)       -> em1  -> v4: 10.10.10.170/24

6. GUI Configuration

  • Physical Machine: Browse to https://10.30.1.170.

  • Virtual Machine: Browse to https://10.10.10.170.

  • Internet Explorer: Select Continue to this website (not recommended).

  • Mozilla Firefox: Click Advanced.

  • Mozilla Firefox: Click Add Exception.

  • Mozilla Firefox: Click Confirm Security Exception.

Username:                       admin
Password:                       pfsense
  • Click Login.

  • Click Next.

  • Click Next.

Hostname:                       vbox-efw-mrm
Domain:                         vbox.shoklo-unit.com

Primary DNS Server:             8.8.8.8
Secondary DNS Server:
Override DNS:                   + Allow DNS servers to be overridden by DHCP/PPP on WAN
  • Click Next.

Time server hostname:           0.pfsense.pool.ntp.org
Timezone:                       Asia/Bangkok
  • Click Next.

Configure WAN Interface
    SelectedType:                               DHCP
General configuration
    MAC Address:
    MTU:
    MSS:
Static IP Configuration
    IP Address:
    Subnet Mask:                                32
    Upstream Gateway:
DHCP client configuration
    DHCP Hostname:
PPPoE configuration
    PPPoE Username:
    PPPoE Password:
    Show PPPoE password:                        - Reveal password characters
    PPPoE Service name:
    PPPoE Dial on demand:                       - Enable Dial-On-Demand mode
    PPPoE Idle timeout:
PPTP configuration
    PPTP Username:
    PPTP Password:
    Show PPTP password:                         - Reveal password characters
    PPTP Local IP Address:
    pptplocalsubnet:                            32
    PPTP Remote IP Address:
    PPTP Dial on demand:                        - Enable Dial-On-Demand mode
    PPTP Idle timeout:
RFC1918 Networks
    Block RFC1918 Private Networks:             + Block private networks from entering via WAN
Block bogon networks
    Block bogon networks:                       + Block non-Internet routed networks from entering via WAN
  • Click Next.

Configure LAN Interface
    LAN IP Address:                             10.10.10.170
    Subnet Mask:                                24
  • Click Next.

Set Admin WebGUI Password
    Admin Password:                             ********
    Admin Password AGAIN:                       ********

7. Environment Variables

  • Type cp -a /root/.tcshrc /root/.tcshrc.orig and press Enter.

  • Append the following lines to the /root/.tcshrc file.

setenv DELTA_LOCATION                   'VirtualBox'
setenv DELTA_ROOM                       'VirtualBox'
setenv DELTA_SYSTEM_DISK                ''
setenv DELTA_USER                       'IT'
setenv DELTA_WAKE_ON_LAN                'xx:xx:xx:xx:xx:xx'
setenv DELTA_WARRANTY_EXPIRES           '-'
setenv DELTA_WINDOWS_LICENSE_LABEL      '-'

8. 3G Modem

Enable:                         + Enable Interface
Description:                    WAN
IPv4 Configuration Type:        PPP
IPv6 Configuration Type:        None

Country:                        Thailand
Provider:                       AIS / DTAC / True Move
Plan:                           - internet
Username:
Password:
Phone Number:                   *99#
Access Point Name (APN):        internet
Modem Port:                     /dev/cuaU0.2
  • Click Save.

  • Click Apply changes.

9. Bash

Bootstrapping pkg:

  • Log in as admin.

  • Type pkg and press Enter.

  • Type y to fetch and install and press Enter.

  • Optional: Type pkg help and press Enter.

  • Type pkg update and press Enter.

  • Type pkg upgrade and press Enter.

  • Type cat /etc/version and press Enter.

Installation of Bash:

  • Log in as admin.

  • Optional: Type pkg search bash and press Enter.

  • Optional: Type pkg install bash-4.3.46_1 and press Enter.

  • Type pkg install bash and press Enter.

  • Log off.

======================================================================

bash requires fdescfs(5) mounted on /dev/fd

If you have not done it yet, please do the following:

    mount -t fdescfs fdesc /dev/fd

To make it permanent, you need the following lines in /etc/fstab:

    fdesc   /dev/fd         fdescfs         rw      0       0

======================================================================
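
The pkg message above leaves the fstab edit to the reader, and the obvious `echo >> /etc/fstab` stacks a duplicate line every time the bash installation is repeated. The following is an added example (not from the pkg message or pfSense) that adds the fdescfs entry only when no active one exists and offers a runtime check for the mount itself. The fstab path is a parameter so the logic can be exercised on a scratch copy; the sample fstab content in the usage is constructed.

```shell
#!/bin/sh
# Added example, not from the pkg message or pfSense: idempotently make the
# fdescfs mount that bash needs permanent, and check whether it is mounted now.

FDESC_LINE='fdesc   /dev/fd         fdescfs         rw      0       0'

# has_fdescfs_entry FSTAB: true when an uncommented fstab line mounts fdescfs
# on /dev/fd, whatever the whitespace between fields.
has_fdescfs_entry() {
    awk '$1 !~ /^#/ && $2 == "/dev/fd" && $3 == "fdescfs" { found = 1 }
         END { exit !found }' "$1"
}

# ensure_fdescfs_entry FSTAB: append the entry if it is missing; safe to rerun.
ensure_fdescfs_entry() {
    fstab=$1
    [ -e "$fstab" ] || : > "$fstab"
    if has_fdescfs_entry "$fstab"; then
        return 0
    fi
    printf '%s\n' "$FDESC_LINE" >> "$fstab"
}

# count_fdescfs_entries FSTAB: number of active fdescfs lines for /dev/fd,
# useful to confirm that repeated runs did not leave duplicates behind.
count_fdescfs_entries() {
    awk '$1 !~ /^#/ && $2 == "/dev/fd" && $3 == "fdescfs" { n++ }
         END { print n + 0 }' "$1"
}

# fdescfs_mounted: true when /dev/fd is currently an fdescfs mount
# (FreeBSD's mount output reads "fdescfs on /dev/fd (fdescfs)").
fdescfs_mounted() {
    mount 2>/dev/null | grep -q ' on /dev/fd .*fdescfs'
}

# Usage on the firewall:
#   ensure_fdescfs_entry /etc/fstab
#   fdescfs_mounted || mount -t fdescfs fdesc /dev/fd
```

Running `ensure_fdescfs_entry /etc/fstab` twice leaves exactly one entry; the comment-aware match means a previously commented-out line is not mistaken for an active one.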

10. Dynamic DNS

Configuration of DynDNS account:

Username                        SMRU
Password                        ********
  • Click Log in.

  • Select My Services | My Hosts | Add Host Services.

Hostname:               smru-efw-tst.dyndns.org
Wildcard:               - create "*.host.dyndns-yourdomain.com" alias
Service Type:           * Host with IP address
                        . WebHop Redirect (URL forwarding service)
                        . Offline Hostname
IP Address:             110.77.148.10
                        IPv6 Address (optional):
                        TTL value is 60 seconds.

Mail Routing:           - I have a mail server with another name
                          and would like to add MX hostname...
  • Click Activate.

  • Select Log Out.

  • Close Browser.

Configuration of pfSense:

Disable                 - Disable this client
Service Type            DynDNS (dynamic)
Interface to monitor    WAN
Hostname                smru-efw-tst.dyndns.org
MX
Wildcards               - Enable Wildcard
Verbose Logging         - Enable verbose logging
Username                SMRU
Password                ********
Confirm                 ********
Description
  • Click Save.

11. Captive Portal

12. Proxy

13. Samba

Installation of Samba:

  • Log in as admin.

  • Optional: Type pkg search samba and press Enter.

  • Type pkg install samba43-4.3.3 and press Enter.

  • Wait.

  • Type echo 'samba_server_enable="YES"' > /etc/rc.conf.d/samba and press Enter.

  • Questionable: Type echo 'samba_server_enable="YES"' > /etc/rc.conf.d/samba_server and press Enter.

  • Type echo 'winbindd_enable="YES"' > /etc/rc.conf.d/winbindd and press Enter.

  • Type cd /usr/local/etc/rc.d and press Enter.

  • Questionable: Type ln -s samba_server samba_server.sh and press Enter.

/etc/nsmb.conf
/usr/local/etc/smb4.conf

which samba
samba start
cat /var/log/samba4/log.samba

cp smb.conf /usr/local/etc/smb4.conf
/usr/local/man/man5/smb4.conf.5.gz

14. UPS

Computer        UPS
------------    -----------------------------------------------------------
SMRU-EFW-MRM    APC, Back-UPS RS 1000 FW:7.g9 .I USB FW:g9, BB0100009999
SMRU-EFW-TST    APC, Back-UPS XS 650CI FW:892.R2.I USB FW:R2, 3B1238X15632
TBHF-ANC-MRM    APC, Back-UPS CS 650 FW:817.v9.I USB FW:v9, 4B1301P00379
TBHF-TST-MRM    APC, Back-UPS XS 650CI FW:892.R3 .I USB FW:R3, 3B1249X16620
SMRUWS-IT11     APC, Back-UPS CS 650 FW:817.v9.I USB FW:v9, 4B1301P00457
  • See https://doc.pfsense.org/index.php/2.3_Removed_Packages: apcupsd has no package maintainer and was not converted.

  • Select System | Package Manager.

  • Select the Available Packages tab.

  • Click nut | 2.3.1 | Network UPS Tools | Install.

  • Click Confirm.

  • Wait.

  • Select Services | NUT.

  • Select the UPS Status tab.

  • Select the NUT Settings tab.

UPS Monitoring                  Local UPS
Power Down Instead of Halt              +

Local UPS Name                  DELTA_Back-UPS_XS_650CI
Local UPS Model                 APC Back-UPS USB                SMRU-EFW-TST
Local UPS Port                  auto (USB only)
Local UPS Generic Type
Local UPS Cable Type
  • Click Change.

  • Select Status | Services.

15. IPsec

16. PF2AD

  • See http://pf2ad.mundounix.com.br/en/index.html.

  • Start Terminal.

  • Log in as admin.

  • Type cd and press Enter.

  • Optional: Type cp -a /etc /etc.orig and press Enter.

  • Optional: Type cp -a /usr /usr.orig and press Enter.

  • Optional: Type cp -a /var /var.orig and press Enter.

  • Type fetch http://projetos.mundounix.com.br/pfsense/2.2.6/samba3/pf2ad.sh and press Enter.

  • Optional: Replace /usr/sbin/pkg install -r pf2ad net/samba36 2> /dev/null by /usr/sbin/pkg install -r pf2ad net/samba36 in the pf2ad.sh file.

  • Type cat pf2ad.sh | sh and press Enter.

  • Wait.

  • Type pkg info and press Enter.

db48-4.8.30.0_2                The Berkeley DB package, revision 4.8
e2fsprogs-libuuid-1.42.12      UUID library from e2fsprogs package
gamin-0.1.10_8                 File and directory monitoring system
gettext-runtime-0.19.6         GNU gettext runtime libraries and programs
glib-2.44.1_2                  Some useful routines of C programming (current stable version)
indexinfo-0.2.4                Utility to regenerate the GNU info page index
krb5-1.14                      Authentication system developed at MIT, successor to Kerberos IV
libffi-3.2.1                   Foreign Function Interface
libiconv-1.14_9                Character set conversion library
libsunacl-1.0                  Wrapper providing SunOS NFSv4 ACL API
openldap-client-2.4.43         Open source LDAP client implementation
pcre-8.37_4                    Perl Compatible Regular Expressions library
perl5-5.20.3_8                 Practical Extraction and Report Language
pkg-1.6.3                      Package manager
pkgconf-0.9.12_1               Utility to help to configure compiler and linker flags
popt-1.16_1                    Getopt(3) like library with a number of enhancements, from Redhat
python2-2_3                    The "meta-port" for version 2 of the Python interpreter
python27-2.7.10_1              Interpreted object-oriented programming language
samba36-3.6.25_1               Free SMB and CIFS client and server for Unix
talloc-2.1.5                   Hierarchical pool based memory allocator
tdb-1.3.8,1                    Trivial Database
tevent-0.9.26                  Talloc based event loop library
  • Close Terminal.

  • Browse to 10.10.10.170.

  • Log in as admin.

  • Select System | General Setup.

DNS Server:                     10.10.10.1
DNS Server:                     8.8.8.8

- Allow DNS server list to be overridden by DHCP/PPP on WAN
+ Do not use the DNS forwarder or Resolver as a DNS server for the firewall
  • Click Save.

  • Select Services | Squid Proxy Server.

  • Select the Local Cache tab.

Cache Dynamic Content:  +
  • Click Save.

  • Select the General tab.

Enable Squid Proxy:             +
Keep Settings/Data:             +
Proxy Interface(s):             LAN
Proxy Port:                     8080

Transparent HTTP Proxy:         -

Enable Access logging:          +

Visible Hostname:               localhost
Administrator's Email:          admin@localhost
Error Language:                 en
  • Click Save.

  • Select the Authentication tab.

Authentication Method:  Winbind NTLM
  • Click Save.

  • Delete Active Directory Users and Computers | vbox.shoklo-unit.com | Computers | VBOX-EFW-MRM on VBOX-AD-SERVER.

  • Select Services | Samba (AD).

  • Select Server Role: | Member of Domain.

  • Select Listen interface | LAN.

Domain:                 vbox.shoklo-unit.com
Workgroup:              VBOX
Username Administrator: Administrator
Password:               ********
  • Click Save.

  • Select Active Directory Users and Computers | vbox.shoklo-unit.com | Computers on VBOX-AD-SERVER.

Name            Type            Description
------------    --------        -----------
VBOX-DESKTOP    Computer
vbox-efw-mrm    Computer
  • Start Terminal.

  • Log in as admin.

  • Type net ads info and press Enter.

LDAP server: 10.10.10.1
LDAP server name: VBOX-AD-SERVER.vbox.shoklo-unit.com
Realm: VBOX.SHOKLO-UNIT.COM
Bind Path: dc=VBOX,dc=SHOKLO-UNIT,dc=COM
LDAP port: 389
Server time: Sun, 31 Jan 2016 09:47:21 ICT
KDC server: 10.10.10.1
Server time offset: 1
  • Type wbinfo -u and press Enter.

administrator
guest
krbtgt
dalai
  • Type ps ax | grep -i smb and press Enter.

20166  -  Ss    0:00.01 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf
20981  -  Is    0:00.03 /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf
21675  -  Ss    0:00.01 /usr/local/sbin/winbindd -s /usr/local/etc/smb.conf
21811  -  I     0:00.04 /usr/local/sbin/winbindd -s /usr/local/etc/smb.conf
21922  -  I     0:00.00 /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf
73956  -  S     0:00.00 /usr/local/sbin/winbindd -s /usr/local/etc/smb.conf
74289  -  S     0:00.00 /usr/local/sbin/winbindd -s /usr/local/etc/smb.conf
  • Type ps ax | grep -i squid and press Enter.

 2326  -  R     0:00.00 (squid-1) -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf (squid)
26200  -  Is    0:00.00 /usr/local/sbin/squid -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf
26813  -  S     0:27.36 (squid-1) -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf (squid)
  • Close Terminal.

  • Log on as <domain user>.

  • Open Control Panel | Internet Options.

  • Select the Connections tab.

  • Click LAN settings.

  • Check Use a proxy server for your LAN.

Address:                        vbox-efw-mrm.vbox.shoklo-unit.com
Port:                   8080
+ Bypass proxy server for local addresses
  • Click OK.

  • Click OK.

  • Close Control Panel | Internet Options.

  • Log on as <domain user>.

  • Browse to www.google.com/ncr.

  • Start Terminal.

  • Type ls -al /var/squid/logs and press Enter.

  • Type cat /var/squid/logs/access.log and press Enter.

  • Type tail -f /var/squid/logs/cache.log and press Enter.

Shared object "libpopt.so.0" not found, required by "ntlm_auth"
2016/01/31 13:39:21 kid1| WARNING: ntlmauthenticator #Hlpr0 exited
ln -s /usr/local/lib/libpopt.so.0 /usr/pbi/squid-amd64/local/lib/libpopt.so.0
ln -s /usr/local/lib/libgssapi_krb5.so.2.2 /usr/pbi/squid-amd64/local/lib/libgssapi_krb5.so.2.2
ln -s /usr/local/lib/libkrb5.so.3.3 /usr/pbi/squid-amd64/local/lib/libkrb5.so.3.3
ln -s /usr/local/lib/libk5crypto.so.3.1 /usr/pbi/squid-amd64/local/lib/libk5crypto.so.3.1
ln -s /usr/local/lib/libcom_err.so.3.0 /usr/pbi/squid-amd64/local/lib/libcom_err.so.3.0
ln -s /usr/local/lib/libtalloc.so.2 /usr/pbi/squid-amd64/local/lib/libtalloc.so.2
ln -s /usr/local/lib/libtevent.so.0 /usr/pbi/squid-amd64/local/lib/libtevent.so.0
ln -s /usr/local/lib/libtdb.so.1 /usr/pbi/squid-amd64/local/lib/libtdb.so.1
ln -s /usr/local/lib/libwbclient.so.0 /usr/pbi/squid-amd64/local/lib/libwbclient.so.0
ln -s /usr/local/lib/libkrb5support.so.0.1 /usr/pbi/squid-amd64/local/lib/libkrb5support.so.0.1
ln -s /usr/local/lib/libintl.so.8 /usr/pbi/squid-amd64/local/lib/libintl.so.8
  • Close Terminal.

  • Note: Not working.

  • Type tail -f /var/squid/logs/cache.log and press Enter.

2016/02/04 11:01:28 kid1| Starting new negotiateauthenticator helpers...
dlopen: Cannot open "/usr/lib/libgssapi_spnego.so.10"
  • Log in as admin.

  • Select System | Package Manager.

  • Select the Available Packages tab.

  • Click the squid3 | Install Squid3 package button.

  • Click Confirm.

  • Wait.

ls -al /usr/lib/libgss*
pkg install bind-tools-9.10.3P3
pkg install krb5-1.14
  • Log off.

  • Log in as admin.

  • Select System | General Setup.

DNS Server:                     10.10.10.1
DNS Server:                     8.8.8.8

- Allow DNS server list to be overridden by DHCP/PPP on WAN
+ Do not use the DNS forwarder or Resolver as a DNS server for the firewall

Timezone:                       Asia/Bangkok
Timeservers:                    10.10.10.1 0.pfsense.pool.ntp.org
Language:                       English
  • Click Save.

dig -x 10.10.10.1
dig -x 10.10.10.100
dig -x 10.10.10.170
  • Select Services | Squid Proxy Service.

  • Select the Local Cache tab.

  • Check Cache Dynamic Content.

  • Click Save.

  • Select the General tab.

  • Check Enable Squid Proxy.

  • Check Keep Settings/Data.

  • Select Proxy Interface(s) | LAN.

  • Type 8080 for the Proxy Port.

  • Uncheck Transparent HTTP Proxy.

  • Check Enable Access Logging.

  • Click Save.

pkg delete -f openldap-client

fetch http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/openldap-sasl-client-2.4.43.txz
fetch http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/msktutil-0.5.1_2.txz
fetch http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/cyrus-sasl-2.1.26_12.txz
fetch http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/cyrus-sasl-gssapi-2.1.26_7.txz

pkg add msktutil-0.5.1_2.txz
pkg add cyrus-sasl-gssapi-2.1.26_7.txz
  • Log off.

  • Log in as admin.

mkdir -p squid
cp -a /usr/local/pkg/squid.inc      /usr/local/pkg/squid.inc.orig               # Optional
cp -a /usr/local/pkg/squid_auth.xml /usr/local/pkg/squid_auth.xml.orig          # Optional
cp -a /usr/local/pkg/squid_js.inc   /usr/local/pkg/squid_js.inc.orig            # Optional

cp -a /usr/local/pkg/squid.inc      squid/squid.inc.orig
cp -a /usr/local/pkg/squid_auth.xml squid/squid_auth.xml.orig
cp -a /usr/local/pkg/squid_js.inc   squid/squid_js.inc.orig

cp -a squid/squid.inc      /usr/local/pkg
cp -a squid/squid_auth.xml /usr/local/pkg
cp -a squid/squid_js.inc   /usr/local/pkg
  • Select Services | Squid Proxy Service.

  • Select the Authentication tab.

Authentication Method:                  Active Directory (Kerberos)
Authentication Server:                  10.10.10.1
Authentication server port:

NT Domain:
Secondary NT Servers:

Active Directory Domain:                vbox.shoklo-unit.com
Active Directory user:                  Administrator
Active Directory password:              ********
Active Directory Domain Controller:     vbox-ad-server
Active Directory Domain Version:        2008 with AES
  • Click Save.

  • Select Status | Services.

  • Select squid | Squid Proxy Server Service | Restart Service.

  • Optional: Select Services | Squid Proxy Server.

  • Optional: Select Real Time.

  • Delete Active Directory Users and Computers | vbox.shoklo-unit.com | Computers | VBOX-EFW-MRM on VBOX-AD-SERVER.

  • Type kdestroy and press Enter.

  • Type kinit Administrator and press Enter.

  • Type the public Administrator password from Delta Windows Tools and press Enter.

  • Type klist and press Enter.

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@VBOX.SHOKLO-UNIT.COM

Valid starting     Expires            Service principal
02/04/16 10:59:15  02/04/16 20:59:15  krbtgt/VBOX.SHOKLO-UNIT.COM@VBOX.SHOKLO-UNIT.COM
        renew until 02/05/16 10:59:08
  • Type rm -rf /usr/pbi/squid-amd64/local/etc/squid/PROXY.keytab and press Enter.

  • Questionable: Type msktutil -c -b "CN=COMPUTERS" -s HTTP/vbox-efw-mrm -k /usr/pbi/squid-amd64/local/etc/squid/PROXY.keytab --computer-name VBOX-EFW-MRM --upn HTTP/vbox-efw-mrm --server vbox-ad-server.vbox.shoklo-unit.com --verbose --enctypes 28 and press Enter.

  • Type msktutil -c -b "CN=COMPUTERS" -s HTTP/vbox-efw-mrm.vbox.shoklo-unit.com -k /usr/pbi/squid-amd64/local/etc/squid/PROXY.keytab --computer-name VBOX-EFW-MRM --upn HTTP/vbox-efw-mrm.vbox.shoklo-unit.com --server vbox-ad-server.vbox.shoklo-unit.com --verbose --enctypes 28 and press Enter.

  • Select Active Directory Users and Computers | vbox.shoklo-unit.com | Computers on VBOX-AD-SERVER.

Name            Type            Description
------------    --------        -----------
VBOX-DESKTOP    Computer
VBOX-EFW-MRM    Computer
  • Type ls -al /usr/pbi/squid-amd64/local/etc/squid/PROXY.keytab and press Enter.

-rw-------  1 root  proxy  854 Feb  4 10:59 /usr/pbi/squid-amd64/local/etc/squid/PROXY.keytab
  • Select Services | Squid Proxy Server.

  • Select the General tab.

  • Click Save.

  • Type ls -al /usr/pbi/squid-amd64/local/etc/squid/PROXY.keytab and press Enter.

-rw-------  1 proxy  proxy  854 Feb  4 10:59 /usr/pbi/squid-amd64/local/etc/squid/PROXY.keytab
  • Optional: Type tail -f /var/squid/logs/cache.log and press Enter.

2016/02/04 11:01:28 kid1| Starting new negotiateauthenticator helpers...
dlopen: Cannot open "/usr/lib/libgssapi_spnego.so.10"                                                   <---------------------------------
pkg which /usr/lib/libgssapi_spnego.so.10
cd /usr/lib
ls -al /usr/lib/libgss*
ls -al libgss*
file libgss*
fetch ftp://ftp.freebsd.tsc.ru/pub/FreeBSD/releases/amd64/10.1-RELEASE/usr/lib/libgssapi_spnego.so.10
cd
  • Optional: Type tail -f /var/squid/logs/access.log and press Enter.

  • Optional: Select Services | Squid Proxy Server.

  • Optional: Select Real Time.

  • Log off from VBOX-DESKTOP.

  • Log on as Dalai on VBOX-DESKTOP.

  • Browse to www.google.com/ncr.

  • Log in as admin.

  • Install pfSense 2.3.

  • See https://forum.pfsense.org/index.php?topic=104906.0.

  • Optional: Install squid 3.4 package.

  • Select System | Package Manager.

  • Select the Available Packages tab.

  • Click the squid | install button.

  • Click Confirm.

  • Wait.

  • Select System | General Setup.

    DNS Server:                     10.10.10.1
    DNS Server:                     8.8.8.8
    
    - Allow DNS server list to be overridden by DHCP/PPP on WAN
    + Do not use the DNS forwarder or Resolver as a DNS server for the firewall
    
    Timezone:                       Asia/Bangkok
    Timeservers:                    10.10.10.1 0.pfsense.pool.ntp.org
    Language:                       English
  • Click Save.

dig -x 10.10.10.1
dig -x 10.10.10.100
dig -x 10.10.10.170
  • Select Services | Squid Proxy Service.

  • Select the Local Cache tab.

  • Check Cache Dynamic Content.

  • Click Save.

  • Select the General tab.

  • Check Enable Squid Proxy.

  • Check Keep Settings/Data.

  • Select Proxy Interface(s) | LAN.

  • Type 8080 for the Proxy Port.

  • Uncheck Transparent HTTP Proxy.

  • Check Enable Access Logging.

  • Click Save.

pkg delete -f openldap-client

fetch http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/openldap-sasl-client-2.4.43.txz
fetch http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/msktutil-0.5.1_2.txz
fetch http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/cyrus-sasl-2.1.26_12.txz
fetch http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/cyrus-sasl-gssapi-2.1.26_7.txz

pkg add msktutil-0.5.1_2.txz
pkg add cyrus-sasl-gssapi-2.1.26_7.txz
  • Log off.

  • Log in as admin.

mkdir -p squid
cp -a /usr/local/pkg/squid.inc      /usr/local/pkg/squid.inc.orig               # Optional
cp -a /usr/local/pkg/squid_auth.xml /usr/local/pkg/squid_auth.xml.orig          # Optional
cp -a /usr/local/pkg/squid_js.inc   /usr/local/pkg/squid_js.inc.orig            # Optional

cp -a /usr/local/pkg/squid.inc      squid/squid.inc.orig
cp -a /usr/local/pkg/squid_auth.xml squid/squid_auth.xml.orig
cp -a /usr/local/pkg/squid_js.inc   squid/squid_js.inc.orig

cp -a squid/squid.inc      /usr/local/pkg
cp -a squid/squid_auth.xml /usr/local/pkg
cp -a squid/squid_js.inc   /usr/local/pkg
  • Select Status | Services.

  • Select squid | Squid Proxy Server Service | Restart Service.

ls -al /var/log/squid           # Optional
  • Select Services | Squid Proxy Service.

  • Select the Authentication tab.

Authentication Method:                  Active Directory (Kerberos)
Authentication Server:                  10.10.10.1
Authentication server port:

NT Domain:
Secondary NT Servers:

Active Directory Domain:                vbox.shoklo-unit.com
Active Directory user:                  Administrator
Active Directory password:              ********
Active Directory Domain Controller:     vbox-ad-server
Active Directory Domain Version:        2008 with AES
  • Click Save.

  • Questionable: Select Status | Services.

  • Questionable: Select squid | Squid Proxy Server Service | Restart Service.

  • Select Services | Squid Proxy Server.

  • Select Real Time.

  • Delete Active Directory Users and Computers | vbox.shoklo-unit.com | Computers | VBOX-EFW-MRM on VBOX-AD-SERVER.

  • Type kdestroy and press Enter.

  • Type kinit Administrator and press Enter.

  • Type the public Administrator password from Delta Windows Tools and press Enter.

  • Type klist and press Enter.

Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@VBOX.SHOKLO-UNIT.COM

  Issued                Expires               Principal
Feb  4 10:36:44 2016  Feb  4 20:36:44 2016  krbtgt/VBOX.SHOKLO-UNIT.COM@VBOX.SHOKLO-UNIT.COM
  • Type rm -rf /usr/local/etc/squid/PROXY.keytab and press Enter.

  • Type msktutil -c -b "CN=COMPUTERS" -s HTTP/vbox-efw-mrm.vbox.shoklo-unit.com -k /usr/local/etc/squid/PROXY.keytab --computer-name VBOX-EFW-MRM --upn HTTP/vbox-efw-mrm.vbox.shoklo-unit.com --server vbox-ad-server.vbox.shoklo-unit.com --verbose --enctypes 28 and press Enter.

  • Select Active Directory Users and Computers | vbox.shoklo-unit.com | Computers on VBOX-AD-SERVER.

Name            Type            Description
------------    --------        -----------
VBOX-DESKTOP    Computer
VBOX-EFW-MRM    Computer
  • Type ls -al /usr/local/etc/squid/PROXY.keytab and press Enter.

-rw-------  1 squid  squid  1832 Feb  4 11:54 /usr/local/etc/squid/PROXY.keytab
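
Both keytab listings in these notes (root:proxy turning into proxy:proxy after Save on the 2.2.6 box above, and squid:squid on 2.3 here) show the same requirement: the file msktutil wrote must end up owned by the account Squid's negotiate helper runs as, with mode 0600, and must not be empty. The check below is an added example (not part of the notes, msktutil or the squid package) that makes that expectation explicit so it can be rerun after every Save or package upgrade. Keytab path and expected user are arguments; the file created in the usage is constructed, not a real keytab.

```shell
#!/bin/sh
# Added example, not from the notes or the squid package: verify that the
# Kerberos keytab Squid reads is present, non-empty, owned by Squid's user and
# not readable by group or others.

# check_keytab KEYTAB USER: exit 0 when KEYTAB is a non-empty regular file
# owned by USER with mode exactly 0600; otherwise print the reason and exit 1.
check_keytab() {
    keytab=$1
    user=$2
    if [ ! -f "$keytab" ]; then
        echo "missing: $keytab (run msktutil before starting squid)" >&2
        return 1
    fi
    if [ ! -s "$keytab" ]; then
        echo "empty: $keytab (msktutil did not write any keys)" >&2
        return 1
    fi
    # find's -user and -perm tests behave the same on FreeBSD and GNU find;
    # -perm 0600 without a prefix is an exact match, so a group- or
    # world-readable keytab fails here. -prune keeps find from descending.
    if [ -z "$(find "$keytab" -prune -user "$user" -perm 0600 2>/dev/null)" ]; then
        echo "wrong owner or mode: $keytab must be owned by $user with mode 0600" >&2
        return 1
    fi
    return 0
}

# Usage on pfSense 2.3 (2.2.6 used /usr/pbi/squid-amd64/local/etc/squid and user proxy):
#   check_keytab /usr/local/etc/squid/PROXY.keytab squid && echo "keytab ok"
```

A keytab that fails the owner check is the usual reason the negotiate helpers start and immediately exit; the package's Save step fixes ownership, which is why the notes click Save on the General tab before looking at the file again.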
  • Optional: Type cat /usr/local/etc/squid/squid.conf and press Enter.

  • Optional: Type tail -f /var/squid/logs/cache.log and press Enter.

  • Optional: Type tail -f /var/squid/logs/access.log and press Enter.

  • Optional: Select Services | Squid Proxy Server.

  • Optional: Select the Real Time tab.

  • Log off from VBOX-DESKTOP.

  • Log on as Dalai on VBOX-DESKTOP.

  • Browse to www.google.com/ncr.

  • Type 1 to select Assign Interfaces and press Enter.

  • Type n.

  • Type em1 for the WAN interface and press Enter.

  • Type em0 for the LAN interface and press Enter.

  • Press Enter.

  • Type y to proceed and press Enter.

  • Type 2 to select Set interface(s) IP address and press Enter.

  • Type 1 to configure the WAN interface and press Enter.

  • Type y to configure the WAN interface IPv4 address via DHCP and press Enter.

  • Type n to skip configuring the WAN interface IPv6 address via DHCP6 and press Enter.

  • Press Enter.

  • Type n to skip reverting to HTTP as the webConfigurator protocol and press Enter.

  • Press Enter to continue.

  • See https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI.

# which pciconf     --> /usr/sbin/pciconf
# which usbdevs     -->

# usbconfig list