
SafeAccess

User Manual V 1.0

SafeAccess User Manual - Features

Content

Firewall ..... 6
State Table ..... 7
Network Address Translation (NAT) ..... 8
    Limitations ..... 8
High Availability ..... 8
    Limitations ..... 8
Server Load Balancing ..... 8
Virtual Private Network (VPN) ..... 9
    IPsec ..... 9
    OpenVPN ..... 9
    PPTP Server ..... 9
    Limitations ..... 9
Reporting and Monitoring ..... 9
    RRD Graphs ..... 9
    Real Time Information ..... 9
Dynamic DNS ..... 10
Captive Portal ..... 10
    Limitations ..... 11
Web Proxy ..... 11
DHCP Server and Relay ..... 11
Bandwidth HD ..... 11
HAVP Antivirus ..... 12
NTOP NG ..... 12
PF Blocker ..... 12
SARG Reports ..... 12
IPS/IDS ..... 13
Hardware Components ..... 15
Web GUI Login ..... 15
Dashboard ..... 17
    Traffic Graphs ..... 17
    System Information ..... 18
    Services Status ..... 18
    Interfaces ..... 19
System Menu ..... 20
    High Latency Optimization ..... 20
    Automatic Bogon Filters ..... 20
    General Setup ..... 21
Interfaces ..... 21
Firewall ..... 22
    Aliases ..... 22
    NAT ..... 22
    pfBlocker ..... 22
    Rules ..... 24
    Traffic Shaper ..... 24
    Virtual IPs ..... 25
Services ..... 26
    Antivirus ..... 26
    BandwidthHD ..... 27
    Captive Portal ..... 27
    DHCP Server ..... 28
    IGMP Proxy ..... 28
    NTP ..... 28
    Proxy Filter SquidGuard ..... 29
    Proxy Server ..... 30
    IDS/IPS by Snort ..... 30
Key considerations ..... 32
SafeAccess Troubleshooting Procedures ..... 33
    Internet Access Interruption ..... 33
    Other Diagnostic Tools included in SafeAccess ..... 34
    Reporting Tools ..... 34


License
SafeAccess is Copyright 2005 - 2015 by NewCom International, Inc.
All rights reserved.
pfSense is Copyright 2004 - 2015 by Electric Sheep Fencing LLC
All rights reserved.
m0n0wall is Copyright 2002-2015 by Manuel Kasper (mk@neon1.net).
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.


Introduction
NewCom's SafeAccess security appliance is ideal for corporate networks, rural
locations, small branches and cybercafés that want to optimize their browsing
experience while providing firewall security and intrusion detection/prevention for
their users.
SafeAccess shares your existing NewCom Internet access with your Local Area
Network, providing enterprise-class network perimeter protection and exceptional
data throughput in an easy-to-manage, plug-and-protect security appliance.
This user manual is focused on the pfSense version of SafeAccess, a customized
firewall software with features and configuration scripts fine-tuned to fit NewCom
International customers' needs and network architecture.
The manual is divided into three sections: Features, which introduces the reader to
the language behind SafeAccess security and networking functionality; Getting
Started, which shows how to perform basic configuration and reporting operations;
and Troubleshooting, which guides the reader through diagnosis, identification
and resolution of the most common issues, whether they are a result of the normal
operation of a network or derived from hardware or software malfunction.


Features
pfSense software includes the features typical in expensive commercial firewalls,
and more in some cases. The following is a list of features currently available in the
pfSense 2.1 release. All of these things are possible in the web interface, without
touching anything at the command line.
In addition to features, this page also includes all limitations of the system of which
we are aware. From our experience and the contributed experiences of thousands of
our users, we understand very well what the software can and cannot do. Every
software package has limitations. Where we differ from most is we clearly
communicate them. We also welcome people to contribute to help eliminate these
limitations. Many of the listed limitations are common to numerous open source and
commercial firewalls.
The following is a list of basic features that can be expanded using packages to
increase options and functionality.

FIREWALL

- Filtering by source and destination IP, IP protocol, source and destination
  port for TCP and UDP traffic
- Limit simultaneous connections on a per-rule basis
- pfSense software utilizes p0f, an advanced passive OS/network
  fingerprinting utility, to allow you to filter by the Operating System initiating
  the connection. Want to allow FreeBSD and Linux machines to the Internet,
  but block Windows machines? pfSense software allows for that (amongst
  many other possibilities) by passively detecting the Operating System in use.
- Option to log or not log traffic matching each rule.
- Highly flexible policy routing possible by selecting gateway on a per-rule
  basis (for load balancing, failover, multiple WAN, etc.)
- Aliases allow grouping and naming of IPs, networks and ports. This helps
  keep your firewall ruleset clean and easy to understand, especially in
  environments with multiple public IPs and numerous servers.
- Transparent layer 2 firewalling capable - can bridge interfaces and filter
  traffic between them, even allowing for an IP-less firewall (though you
  probably want an IP for management purposes).
- Packet normalization - Description from the pf scrub documentation:
  "'Scrubbing' is the normalization of packets so there are no ambiguities in
  interpretation by the ultimate destination of the packet. The scrub directive
  also reassembles fragmented packets, protecting some operating systems
  from some forms of attack, and drops TCP packets that have invalid flag
  combinations."
  o Enabled in the pfSense software by default
  o Can disable if necessary. This option causes problems for some NFS
    implementations, but is safe and should be left enabled on most
    installations.
- Disable filter - you can turn off the firewall filter entirely if you wish to turn
  your pfSense software into a pure router.

STATE TABLE
The firewall's state table maintains information on your open network connections.
The pfSense software is a stateful firewall, by default all rules are stateful.
Most firewalls lack the ability to finely control your state table. The pfSense software
has numerous features allowing granular control of your state table, thanks to the
abilities of OpenBSD's pf.

- Adjustable state table size - there are multiple production pfSense
  installations using several hundred thousand states. The default state table
  size varies according to the RAM installed in the system, but it can be
  increased on the fly to your desired size. Each state takes approximately 1
  KB of RAM, so keep in mind memory usage when sizing your state table. Do
  not set it arbitrarily high.
- On a per-rule basis:
  o Limit simultaneous client connections
  o Limit states per host
  o Limit new connections per second
  o Define state timeout
  o Define state type
- State types - the pfSense software offers multiple options for state handling.
  o Keep state - Works with all protocols. Default for all rules.
  o Sloppy state - Works with all protocols. Less strict state tracking,
    useful in cases of asymmetric routing.
  o Modulate state - Works only with TCP. The pfSense software will
    generate strong Initial Sequence Numbers (ISNs) on behalf of the
    host.
  o Synproxy state - Proxies incoming TCP connections to help protect
    servers from spoofed TCP SYN floods. This option includes the
    functionality of keep state and modulate state combined.
  o None - Do not keep any state entries for this traffic. This is very
    rarely desirable, but is available because it can be useful under some
    limited circumstances.
- State table optimization options - pf offers four options for state table
  optimization.
  o Normal - the default algorithm
  o High latency - Useful for high latency links, such as satellite
    connections. Expires idle connections later than normal.
  o Aggressive - Expires idle connections more quickly. More efficient
    use of hardware resources, but can drop legitimate connections.
  o Conservative - Tries to avoid dropping legitimate connections at the
    expense of increased memory usage and CPU utilization.
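The per-rule state controls and state types listed above, together with the p0f-based Operating System filtering from the Firewall section, as an added example written for this manual rather than taken from pfSense or SafeAccess: a hand-written pf ruleset fragment in the FreeBSD pf syntax that pfSense 2.1 generates from its GUI rules. Interface names, addresses and table names are assumed placeholders.

```pf
# Added example, not part of the SafeAccess manual or the pfSense code base.
# Interfaces, addresses and the <webservers>/<abusers> tables are assumed.
wan_if = "em0"
lan_if = "em1"
table <webservers> { 10.0.0.10, 10.0.0.11 }
table <abusers> persist

# Packet normalization: reassemble fragments, drop invalid TCP flag combinations
scrub in all

# Default deny on every interface, logging what is dropped
block in log all

# Sources that exceeded the connection-rate limit below are dropped first
block in quick on $wan_if from <abusers> to any

# Keep state (the default type): LAN hosts out to the Internet, with a per-rule
# cap on simultaneous states (roughly 1 KB of RAM per state)
pass in on $lan_if from $lan_if:network to any keep state (max 5000)

# Sloppy state: less strict tracking for a subnet reached over asymmetric routing
pass in on $lan_if proto tcp from 10.0.5.0/24 to any keep state (sloppy)

# Modulate state: the firewall generates strong ISNs on behalf of the host
pass out on $wan_if proto tcp from any to any modulate state

# Synproxy state for published web servers, plus per-source limits:
#   max-src-conn      simultaneous client connections from one source
#   max-src-states    state entries per source host
#   max-src-conn-rate new connections per interval (15 in 5 seconds here)
# A source exceeding the rate is added to <abusers> and all its states flushed.
pass in on $wan_if proto tcp from any to <webservers> port { 80, 443 } \
    synproxy state (max-src-conn 100, max-src-states 200, \
                    max-src-conn-rate 15/5, overload <abusers> flush global)

# Per-rule state timeout: expire idle DNS states sooner than the global default
pass in on $lan_if proto udp from any to any port 53 \
    keep state (udp.single 30, udp.multiple 60)

# No state: stateless pass, rarely desirable
pass in on $lan_if proto icmp from any to any no state

# OS fingerprinting via p0f: FreeBSD and Linux clients may browse, Windows may not
pass in on $lan_if proto tcp from any os { "FreeBSD", "Linux" } to any port 80 keep state
block in on $lan_if proto tcp from any os "Windows" to any port 80
```

Because pf uses last-match semantics unless a rule is marked quick, the quick block for <abusers> wins over the later pass even though the pass rule also matches.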

NETWORK ADDRESS TRANSLATION (NAT)

- Port forwards including ranges and the use of multiple public IPs
- 1:1 NAT for individual IPs or entire subnets.
- Outbound NAT
  o Default settings NAT all outbound traffic to the WAN IP. In multiple
    WAN scenarios, the default settings NAT outbound traffic to the IP of
    the WAN interface being used.
  o Advanced Outbound NAT allows this default behavior to be disabled,
    and enables the creation of very flexible NAT (or no NAT) rules.
- NAT Reflection - NAT reflection is possible so services can be accessed by
  public IP from internal networks.
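The four NAT features above, as an added example written for this manual (not pfSense's generated rules): the FreeBSD-era pf nat/rdr/binat directives that correspond to outbound NAT, a port-forward range on a second public IP, 1:1 NAT for a host and for a subnet, and NAT reflection. Interface names and the public and private addresses are assumed placeholders.

```pf
# Added example, not part of the SafeAccess manual or pfSense. All addresses
# (RFC 5737 documentation space on the public side) are assumed placeholders.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.88.0/24"
pub_ip2 = "203.0.113.12"     # additional public IP configured as a WAN virtual IP

# Outbound NAT (default behaviour): traffic leaving WAN is translated to the
# address of the WAN interface actually used
nat on $wan_if from $lan_net to any -> ($wan_if)

# Port forward of a whole range on the second public IP to an internal host;
# "port 8000:*" maps the destination range onto the same range on the target
rdr on $wan_if proto tcp from any to $pub_ip2 port 8000:8010 -> 10.0.0.20 port 8000:*

# 1:1 NAT: a single host and an entire (equal-sized) subnet
binat on $wan_if from 10.0.0.30 to any -> 203.0.113.13
binat on $wan_if from 10.0.2.0/29 to any -> 203.0.113.64/29

# NAT reflection: LAN clients reach the forwarded service by its public IP.
# The rdr on the LAN side redirects the request to the internal server, and the
# nat rule rewrites the source so the server's reply returns via the firewall
# instead of going directly to the client and breaking the state.
rdr on $lan_if proto tcp from $lan_net to $pub_ip2 port 8000:8010 -> 10.0.0.20 port 8000:*
nat on $lan_if proto tcp from $lan_net to 10.0.0.20 port 8000:8010 -> ($lan_if)

# Translation alone does not permit traffic: filter rules still have to pass
# the already-translated destination
pass in on $wan_if proto tcp from any to 10.0.0.20 port 8000:8010 keep state
pass in on $wan_if proto tcp from any to 10.0.0.30 keep state
pass in on $lan_if from $lan_net to any keep state
```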

Limitations
PPTP / GRE Limitation - The state tracking code in pf for the GRE protocol can only
track a single session per public IP per external server. This means if you use PPTP
VPN connections, only one internal machine can connect simultaneously to a PPTP
server on the Internet. A thousand machines can connect simultaneously to a
thousand different PPTP servers, but only one simultaneously to a single server. The
only available workaround is to use multiple public IPs on your firewall, one per
client, or to use multiple public IPs on the external PPTP server. This is not a
problem with other types of VPN connections. PPTP is insecure and should no
longer be used.

HIGH AVAILABILITY
CARP from OpenBSD allows for hardware failover. Two or more firewalls can be
configured as a failover group. If one interface fails on the primary or the primary
goes offline entirely, the secondary becomes active. The pfSense software also
includes configuration synchronization capabilities, so you make your configuration
changes on the primary and they automatically synchronize to the secondary
firewall.
pfsync ensures the firewall's state table is replicated to all failover configured
firewalls. This means your existing connections will be maintained in the case of
failure, which is important to prevent network disruptions.

Limitations
Only works with static public IPs; stateful failover does not work with DHCP,
PPPoE, or PPTP type WANs.

SERVER LOAD BALANCING


Server load balancing is used to distribute load between multiple servers. This is
commonly used with web servers, mail servers, and others. Servers that fail to
respond to ping requests or TCP port connections are removed from the pool.


VIRTUAL PRIVATE NETWORK (VPN)


The pfSense software offers three options for VPN connectivity, IPsec, OpenVPN,
and PPTP.

IPsec
IPsec allows connectivity with any device supporting standard IPsec. This is most
commonly used for site-to-site connectivity to other pfSense installations, other
open source firewalls (m0n0wall, etc.), and almost all commercial firewall solutions
(Cisco, Juniper, etc.). It can also be used for mobile client connectivity.

OpenVPN
OpenVPN is a flexible, powerful SSL VPN solution supporting a wide range of client
operating systems. See the OpenVPN website for details on its abilities.

PPTP Server
PPTP was a popular VPN option because nearly every OS has a built in PPTP client,
including every Windows release since Windows 95 OSR2. However, it's now
considered insecure and should not be used. See this Wikipedia article for more
information on the PPTP protocol.

Limitations
Because of limitations in pf NAT, when the PPTP Server is enabled, PPTP clients
cannot use the same public IP for outbound PPTP connections. This means if you
have only one public IP and use the PPTP Server, PPTP clients inside your network
will not work. The workaround is to use a second public IP with Advanced
Outbound NAT for your internal clients. See also the PPTP limitation under NAT on
this page.

REPORTING AND MONITORING


RRD Graphs
The RRD graphs in the pfSense software maintain historical information on the
following.

- CPU utilization
- Total throughput
- Firewall states
- Individual throughput for all interfaces
- Packets per second rates for all interfaces
- WAN interface gateway(s) ping response times
- Traffic shaper queues on systems with traffic shaping enabled

Real Time Information


Historical information is important, but sometimes it's more important to see real
time information.
SVG graphs are available that show real time throughput for each interface.
For traffic shaper users, the Status -> Queues screen provides a real time display of
queue usage using AJAX updated gauges.

The front page includes AJAX gauges for display of real time CPU, memory, swap and
disk usage, and state table size.

DYNAMIC DNS
A Dynamic DNS client is included to allow you to register your public IP with a
number of dynamic DNS service providers.

- Custom - allows defining the update method for providers not specifically
  listed here.
- DNS-O-Matic
- DynDNS
- DHS
- DNSexit
- DyNS
- easyDNS
- freeDNS
- HE.net
- Loopia
- Namecheap
- No-IP
- ODS.org
- OpenDNS
- Route 53
- SelfHost
- ZoneEdit

A client is also available for RFC 2136 dynamic DNS updates, for use with DNS
servers like BIND which support this means of updating.

CAPTIVE PORTAL
Captive portal allows you to force authentication, or redirection to a click through
page for network access. This is commonly used on hot spot networks, but is also
widely used in corporate networks for an additional layer of security on wireless or
Internet access. For more information on captive portal technology in general, see
the Wikipedia article on the topic. The following is a list of features in the pfSense
Captive Portal.

- Maximum concurrent connections - Limit the number of connections to the
  portal itself per client IP. This feature prevents a denial of service from client
  PCs sending network traffic repeatedly without authenticating or clicking
  through the splash page.
- Idle timeout - Disconnect clients who are idle for more than the defined
  number of minutes.
- Hard timeout - Force a disconnect of all clients after the defined number of
  minutes.
- Logon pop up window - Option to pop up a window with a log off button.
- URL Redirection - after authenticating or clicking through the captive portal,
  users can be forcefully redirected to the defined URL.
- MAC filtering - by default, pfSense filters using MAC addresses. If you have a
  subnet behind a router on a captive portal enabled interface, every machine
  behind the router will be authorized after one user is authorized. MAC
  filtering can be disabled for these scenarios.
- Authentication options - There are three authentication options available.
  o No authentication - This means the user just clicks through your
    portal page without entering credentials.
  o Local user manager - A local user database can be configured and
    used for authentication.
  o RADIUS authentication - This is the preferred authentication method
    for corporate environments and ISPs. It can be used to authenticate
    from Microsoft Active Directory and numerous other RADIUS
    servers.
- RADIUS capabilities
  o Forced re-authentication
  o Able to send Accounting updates
  o RADIUS MAC authentication allows captive portal to authenticate to
    a RADIUS server using the client's MAC address as the user name
    and password.
  o Allows configuration of redundant RADIUS servers.
- HTTP or HTTPS - The portal page can be configured to use either HTTP or
  HTTPS.
- Pass-through MAC and IP addresses - MAC and IP addresses can be white
  listed to bypass the portal. Any machines with NAT port forwards will need
  to be bypassed so the reply traffic does not hit the portal. You may wish to
  exclude some machines for other reasons.
- File Manager - This allows you to upload images for use in your portal pages.

Limitations
"Reverse" portal, i.e. capturing traffic originating from the Internet and entering
your network, is not possible.
Only entire IP and MAC addresses can be excluded from the portal, not individual
protocols and ports.

WEB PROXY
Based on Squid, it is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and
more. It reduces bandwidth and improves response times by caching and reusing
frequently-requested web pages. Squid has extensive access controls and makes a
great server accelerator.

DHCP SERVER AND RELAY


The pfSense software includes both DHCP Server and Relay functionality.

BANDWIDTH HD
BandwidthD tracks usage of TCP/IP network subnets and builds HTML files with
graphs to display utilization. Charts are built for individual IPs, and by default
display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each
IP address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1
hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP,
ICMP, VPN, and P2P traffic are color coded.

HAVP ANTIVIRUS
HAVP (HTTP Antivirus Proxy) is a proxy with a ClamAV anti-virus scanner. The
main aims are continuous, non-blocking downloads and smooth scanning of
dynamic and password protected HTTP traffic. HAVP has a parent proxy mode and
a transparent proxy mode, can be used with Squid or standalone, and also includes a
file scanner for local files.

NTOP NG
ntopng is a network probe that shows network usage in a way similar to what top
does for processes. It acts as a Web server, creating an HTML dump of the network
status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface
for creating ntop-centric monitoring applications, and RRD for persistently storing
traffic statistics.
What can ntopng do for me?

- Sort network traffic according to many protocols
- Show network traffic and IPv4/v6 active hosts
- Store persistent traffic statistics on disk in RRD format
- Geolocate hosts
- Discover application protocols by leveraging nDPI, ntop's DPI framework.
- Characterise HTTP traffic by leveraging characterisation services
  provided by block.si. ntopng comes with a demo characterisation key, but if
  you need a permanent one, please mail info@block.si.
- Show IP traffic distribution among the various protocols
- Analyse IP traffic and sort it according to the source/destination
- Display IP Traffic Subnet matrix (who's talking to whom?)
- Report IP protocol usage sorted by protocol type
- Act as a NetFlow/sFlow collector for flows generated by routers (e.g. Cisco
  and Juniper) or switches (e.g. Foundry Networks) when used together with
  nProbe.
- Produce HTML5/AJAX network traffic statistics

PF BLOCKER
Introduces an enhanced alias table feature to pfSense. Assign many IP list URLs from
sites like I-Blocklist to a single alias and then choose the rule action to take.
This package also blocks countries and IP ranges.

SARG REPORTS
Sarg - Squid Analysis Report Generator - is a tool that generates reports about
where your users are going on the Internet.
Sarg provides information about proxy users' activities: times, bytes, sites, etc. for
those using Squid, SquidGuard or DansGuardian.

IPS/IDS
pfSense uses Snort, an open source network intrusion detection and prevention
system (IDS/IPS), combining the benefits of signature, protocol, and anomaly-based
inspection.


Getting Started
SafeAccess can be set to protect your network without further intervention thanks to
its highly automated functions. It is set up as a border security appliance, transparent
to the users and ready to use. Once it has been deployed properly, the administrator
should only perform regular checks of the GUI via web access to verify the status of
services. End users should never interact with the web interface.
Troubleshooting procedures can be reviewed in the section Troubleshooting
SafeAccess later in this manual.


HARDWARE COMPONENTS
Desktop Version

Rack Mountable Version


WEB GUI LOGIN


You can connect to your SafeAccess Web GUI via SSL at https://192.168.88.1
Default Username: admin
Default Password: @dm!n


DASHBOARD
The dashboard is displayed right after login. You can access the dashboard at any
time by clicking on the SafeAccess icon at the top left corner of your browser:

The dashboard shows your most used widgets for information display and
immediate visualization:

Traffic Graphs
Show real time Input and Output traffic per interface. You may select which
interface you want to visualize and which refresh rate, from 1 to 10 seconds. The
scale can also be adjusted. For long term graphs you will need to use RRD graphs
from the Status menu.


System Information
This may be your best source of first-glance information. It shows the system
information and resource utilization. The last four items indicate system health
based on memory, storage and CPU use.
Notice the current version. The latest stable fine-tuned version is 2.1.5-Release.
Although newer versions are available, they will break some components such as
proxy reports, anti-virus protection and other web proxy functions.

Services Status
SafeAccess comes preconfigured with several key services to help enhance your
users' web experience and provide you the tools to diagnose and identify issues
affecting your network. The services status widget shows whether those services
are running and allows disabling or enabling them right from the dashboard.

Interfaces
This simple widget shows the IP Addresses and speed configurations of all your
SafeAccess interfaces.


SYSTEM MENU

Your SafeAccess appliance has been fine-tuned to match your specific network
architecture. Advanced System Parameters allow more advanced adjustments of
your system. Do not make changes if you don't know what you are doing; these
settings can affect and potentially cripple your system.

High Latency Optimization

Automatic Bogon Filters


General Setup
The General Setup page allows changing your system name, time settings and DNS
servers. Unless you want to change your time settings, you should not need to
change these parameters when running on NewCom International Networks.

INTERFACES
From this menu you can enable, disable and configure the behavior of your LAN
and WAN interfaces. By default, your WAN interface should block traffic from
private and bogon IP blocks. Bogon is also an informal name for an IP packet on the
public Internet that claims to be from an area of the IP address space reserved, but
not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA)
or a delegated Regional Internet Registry (RIR).

FIREWALL

Aliases
Aliases act as placeholders for real hosts, networks or ports. They can be used to
minimize the number of changes that have to be made if a host, network or port
changes. You can enter the name of an alias instead of the host, network or port in
all fields that have a red background. If an alias cannot be resolved (e.g. because you
deleted it), the corresponding element (e.g. filter/NAT/shaper rule) will be
considered invalid and skipped.
You may create an alias for a group of critical news sites and then use the alias in
firewall rules instead of having to list all the URLs in each rule. This keeps rules
short and simplifies more complex configurations.

NAT
The most common function is port forwarding, which allows a device in the private LAN
to act as a server to the public WAN through specific ports. You will need to determine:

Interface
Protocol
Source (WAN IPs allowed to use this port forward rule)
Redirect Target IP
Redirect Target Port

For more advanced NAT options, visit https://doc.pfsense.org/index.php/Main_Page

pfBlocker
One of the most popular and used packages added to SafeAccess is pfBlocker, a
simplified but powerful firewall add-on that enables global filtering of traffic based
on its origin IP. IP blocks are grouped by country regions, so that if you want to
block traffic from a specific known spamming source you can do it.

During troubleshooting processes and malicious attacks it is also useful to be able to
block specific regions or blocks of IP addresses.


Rules
SafeAccess comes with preconfigured firewall rules to allow common traffic and
troubleshooting remote access from the NewCom International NOC. These rules are
shown as follows:

If you need to create a new rule to allow or prevent a certain type of traffic going
through or towards your SafeAccess appliance, you need to understand these basic
concepts of pfSense firewalls:
1. Traffic can be passed (allowed), blocked (dropped) or rejected (reported to the
sender as not allowed). Use block instead of reject unless you need to actively
tell the sender you cannot receive this type of traffic (very rare).
2. A rule affects only one protocol. Identify what protocol you want to pass or
block in the rule.
3. Unless you have advanced Layer 7 regular expressions to let the firewall
process a packet based on its content, you need to specify the type of traffic
via ports.
4. You can categorize traffic based on a combination of parameters such as
schedules, regular expressions, ports, protocols, IP flags, etc., which creates
thousands of possibilities.
5. There is an intrinsic "block everything else" rule at the end of the rules list.
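As an added example (not SafeAccess or pfSense code), the following Python evaluator models the rule concepts above together with the alias behaviour described under Aliases: first-match order, one protocol per rule, port-based matching, alias placeholders that cause a rule to be skipped when they cannot be resolved, and the implicit final block rule. The alias names, rule set and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed alias table, standing in for Firewall > Aliases entries.
ALIASES = {
    "LAN_NET": ["192.168.88.0/24"],     # the default LAN from this manual
    "WEB_PORTS": [80, 443],
    "NOC_HOSTS": ["203.0.113.10/32"],   # constructed documentation address
}

@dataclass
class Rule:
    action: str        # "pass", "block" or "reject"
    proto: str         # a rule affects exactly one protocol
    src: str = "any"   # network in CIDR form, alias name or "any"
    dst: str = "any"
    dport: object = "any"   # port number, alias name or "any"

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def resolve(value, aliases):
    """Expand an alias name; None means the alias no longer exists."""
    if value == "any":
        return ["any"]
    if isinstance(value, str) and value.isupper():   # all-caps names are aliases here
        return aliases.get(value)
    return [value]

def addr_matches(addr, entries):
    return any(e == "any" or ip_address(addr) in ip_network(e) for e in entries)

def port_matches(port, entries):
    return any(e == "any" or int(e) == port for e in entries)

def evaluate(rules, pkt, aliases=ALIASES):
    """Return the action of the first matching rule, or the intrinsic block."""
    for r in rules:
        if r.proto != pkt.proto:          # concept 2: one protocol per rule
            continue
        src, dst, dport = (resolve(v, aliases) for v in (r.src, r.dst, r.dport))
        if None in (src, dst, dport):     # unresolved alias: rule invalid, skipped
            continue
        if (addr_matches(pkt.src, src) and addr_matches(pkt.dst, dst)
                and port_matches(pkt.dport, dport)):   # concept 3: match on ports
            return r.action
    return "block"                        # concept 5: block everything else

# Constructed rule set in evaluation order.
RULES = [
    Rule("pass", "tcp", src="LAN_NET", dport="WEB_PORTS"),
    Rule("pass", "tcp", src="NOC_HOSTS", dport=443),
    Rule("reject", "tcp", dport=25),                 # concept 1: tell the sender
    Rule("pass", "tcp", src="OLD_ALIAS", dport=22),  # alias was deleted
]
```

Running `evaluate(RULES, Packet("udp", "192.168.88.20", "198.51.100.5", 53))` returns "block" because no rule covers UDP, and the SSH rule is skipped entirely because its alias cannot be resolved.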

Traffic Shaper
SafeAccess provides traffic shaping based on queues. If you want to prioritize
certain types of traffic you need to understand the basics of traffic QoS and shaping.
A regular queue set will look like this, with certain traffic types being
processed and allowed based on their priority.


Traffic shaping and queuing in pfSense can be accomplished in several ways. The
easiest to implement is ALTQ-based shaping with the Traffic Shaping Wizard.
Traffic shaping is configured under Firewall > Traffic Shaping.

What is traffic shaping?

Traffic shaping (also known as "packet shaping") is the control of computer network
traffic in order to optimize or guarantee performance, lower latency, and/or
increase usable bandwidth by delaying packets that meet certain criteria. More
specifically, traffic shaping is any action on a set of packets (often called a stream or
a flow) which imposes additional delay on those packets such that they conform to
some predetermined constraint (a contract or traffic profile).

Limitations

Use of the Traffic Shaping Wizard is recommended to create a default set of rules
from which to start. The rules created by the wizard cope well with VoIP traffic, but
may need tweaking to accommodate other traffic not covered by the wizard.
There are several wizards available, the exact choices depend on the version in use.
As an example, look at shaping P2P traffic. Assuming the wizard was used, qP2P will
exist under WAN(s) and LAN(s). When a P2P app is launched, traffic will show in
these queues if it was matched by the rules created by the wizard. These queues are
designed to carry the bulk P2P traffic, which normally slows a connection down.
Other generic traffic, like web pages (HTTP), email, IM, VOIP etc. will go into other
queues.
Queue sizes and bandwidths are sized appropriately for most configurations by the
wizard, unlike older versions. In some cases they may need to be manually adjusted,
but for the majority of cases it is unnecessary.

Virtual IPs
If your WAN interface handles more than one IP because you have been assigned
a block, you will need to declare the addresses here before using them in NAT or other rules.


SERVICES

The services menu is a dynamic component of the SafeAccess appliance set of
features. It provides rapid access to all services provided to the Local Area Network,
the Wide Area Network and all configuration settings for packages installed.

Antivirus
The antivirus is a transparent process that scans all files being downloaded via
HTTP (not HTTPS) and uses ClamAV (Clam AntiVirus) as its engine.


BandwidthD
This service nests itself under the HTTPS port so it can be used remotely. It lists
your top 20 IPs for easy inspection and breaks the traffic down into
individual graphs for a variety of services.
BandwidthD tracks usage of TCP/IP network subnets and builds HTML files with
graphs to display utilization. Charts are built per individual IP, and by default
display utilization over 2-day, 8-day, 40-day, and 400-day periods. Furthermore, each
IP address's utilization can be logged at intervals of 3.3 minutes, 10 minutes, 1
hour or 12 hours in CDF format, or to a backend database server. HTTP, TCP, UDP,
ICMP, VPN, and P2P traffic are color coded.

Captive Portal
Captive portal is configured through a wizard-like process in which you
determine which users will require authentication before being granted access to
the Internet.
You can specify authorization via:

MAC address (bypass the portal)
IP addresses (bypass the portal)
User database

The HTML content for the captive portal must be created elsewhere and uploaded into
the portal page.


DHCP Server
By default, SafeAccess is configured as the DHCP server for the LAN 192.168.88.0/24,
providing addresses in the range of host numbers 1 through 254.

IGMP Proxy
SafeAccess can act as multicast proxy for specific applications. This allows relaying
multicast traffic among interfaces based on IP addresses and TTL (time to live)
numbers.

NTP
This service is provided to LAN users. Do not confuse it with the NTP client settings
used to synchronize SafeAccess with an Internet time server.
If you have an NMEA-compliant GPS unit connected to the serial port, you may also
use it as a reference in order to provide stratum 1 Network Time Services.


Proxy Filter SquidGuard


SquidGuard provides category based URL filtering to SafeAccess. It relies on the
Proxy Server Squid. Adv, Gamble, Porn, and Warez are blocked by default.
Categories (in alphabetical order):
adv, aggressive, alcohol, anonvpn, automobile_bikes, automobile_boats,
automobile_cars, automobile_planes, chat, costtraps, dating, downloads, drugs,
dynamic, education_schools, finance_banking, finance_insurance,
finance_moneylending, finance_other, finance_realestate, finance_trading,
fortunetelling, forum, gamble, government, hacking, hobby_cooking,
hobby_games-misc, hobby_games-online, hobby_gardening, hobby_pets, homestyle,
hospitals, imagehosting, isp, jobsearch, library, military, models, movies, music,
news, podcasts, politics, porn, radiotv, recreation_humor, recreation_martialarts,
recreation_restaurants, recreation_sports, recreation_travel, recreation_wellness,
redirector, religion, remotecontrol, ringtones, science_astronomy,
science_chemistry, searchengines, sex_education, sex_lingerie, shopping, socialnet,
spyware, tracker, updatesites, urlshortener, violence, warez, weapons, webmail,
webphone, webradio, webtv


Proxy Server
SafeAccess proxy server has been tuned to fit most common proxy and cache
requirements. The proxy service can be restarted from the dashboard and its
settings can be adjusted from this section.
Key parameters:

Transparent Proxy
Bypass for private addresses
Proxy port: 3128
Custom options: additional directives that allow caching some frequently used
dynamic content such as antivirus and Windows updates

IDS/IPS by Snort
Snort is an intrusion detection and prevention system. It can be configured to simply
log detected network events or to both log and block them.

Snort operates using detection signatures called rules. Snort rules can be custom
created by the user, or any of several pre-packaged rule sets can be enabled and
downloaded. The Snort package currently offers support for these pre-packaged
rules:
1. Snort VRT (Vulnerability Research Team) rules,
2. Snort GPLv2 Community Rules,
3. Emerging Threats Open Rules, and
4. Emerging Threats Pro Rules.

The Snort GPLv2 Community Rules and the Emerging Threats Open Rules are both
available for free with no registration required. The Snort VRT rules are offered in
two forms. One is a registered-user version which is free, but requires registration
at http://www.snort.org. The registered-user free version only provides access to
rules that are 30 days old or older.


A free subscription to the public rule list has been preloaded in your SafeAccess appliance,
but there is no liability or obligation, as with the rest of the components.
Effective IPS/IDS use requires some monitoring and a learning process. After a few
hours of traffic you may see some warnings that require further action in order to
be effective.

Recognized valid alerts should be processed further, whether by blocking the related
IPs or by ignoring them so they don't become firewall blocks later on.

Troubleshooting
SafeAccess works out of the box provided the network (WAN) side delivers IP
addressing via DHCP and the customer has a LAN switch through which their LAN
computers and devices also obtain addresses via DHCP.
Understand your network topology, and ideally keep a diagram of your connections, in
order to figure out issues that may sound obvious; this rules out the wiring and
power related issues that often get overlooked.

KEY CONSIDERATIONS

Power
o Outages
o Circuit breakers
o 220 V or 110 V
CAT-5 wiring
o Are all cables tested and working?
o Extended ping test among problematic devices
LAN access from the SafeAccess appliance
o Do devices get an IP address from SafeAccess?
o Can they ping their default gateway 192.168.88.1?
o Can they ping other simple devices in the LAN like network printers
and VoIP gateways/phones?
Internet access from the ISP
o Can an individual PC directly connected to the ISP browse?

These simple considerations help rapidly pinpoint the culprit and focus your time
on solving the real issue. The following are some advanced tools that will help you
resolve issues related to the proper functioning of SafeAccess.
As with any other network service, follow these basic instructions before contacting
your provider:
Restart all equipment in this sequence, waiting 30 seconds between each device: ISP
router/modem, SafeAccess, PC.

SAFEACCESS TROUBLESHOOTING PROCEDURES


Internet Access Interruption
If you can't browse with any device in your LAN behind SafeAccess, identify what
type of service interruption you have:

A) You can browse only to https sites but not http
B) You cannot browse any site but you can ping IP 8.8.8.8 successfully
C) You cannot browse nor ping anything

Problem A means there is a web proxy issue. Restart all equipment in this sequence,
waiting 30 seconds between each device: ISP router/modem, SafeAccess, PC.
Problem B means there is a DNS issue. Go to step 2.
Problem C means there is a network issue. Go to step 1.
(1) Connect a PC directly to the LAN port of the SafeAccess and reboot the PC. Try
browsing again. Try more than one Ethernet cable. If successful, there may be a
problem with your LAN switch or Ethernet wiring. If it still fails, continue with the
next step.
(2) Try to ping from your PC to IP 8.8.8.8. If successful, you have network
connectivity and Internet access but there may be a DNS or web proxy problem;
change the DNS configuration of your laptop to use 8.8.8.8 and try browsing
again. If you can browse now, your SafeAccess can be reconfigured temporarily
to use DNS servers 8.8.8.8 and 8.8.4.4. Report the problem to the NewCom NOC.
If you cannot browse, but the ping was successful, there may be a problem in the
way SafeAccess handles DNS requests. Contact the NewCom NOC.
(3) If the ping to 8.8.8.8 does not work, try connecting your PC directly to the ISP
router/modem, restart your ISP router or modem and restart your PC. If the ping
still fails, contact your ISP and follow their troubleshooting steps because there
is no Internet access from the ISP. If the ping succeeds, proceed with step 4.


(4) Reconnect your PC to the LAN port of the SafeAccess and connect the WAN
port of the SafeAccess to the ISP modem or router. Restart all equipment in
this sequence, waiting 30 seconds between each device: ISP router/modem,
SafeAccess, PC. Try browsing. If it fails, try a ping to 8.8.8.8, which should
succeed because this was already tested in step 3.
(5) Connect to the SafeAccess web administration and contact the NewCom NOC for
further troubleshooting.
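The symptom check at the start of this procedure, as an added example (not SafeAccess's own tooling): a Python script run from a LAN PC that probes 8.8.8.8, plain HTTP and HTTPS, and maps the results onto the A/B/C table above. example.com is an assumed reachable site, and the ping flags are the Linux/BSD ones.

```python
import socket
import subprocess
import urllib.request

PROBE_IP = "8.8.8.8"        # the address the manual's steps ping
TEST_HOST = "example.com"   # assumed reachable web site for the browse checks

def ping_ok(ip=PROBE_IP, timeout=2):
    """One ICMP echo via the OS ping command (Linux/BSD -c/-W flags)."""
    try:
        r = subprocess.run(["ping", "-c", "1", "-W", str(timeout), ip],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                           timeout=timeout + 3)
        return r.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

def dns_ok(host=TEST_HOST):
    """Does the PC's configured resolver (SafeAccess by default) answer?"""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False

def fetch_ok(url, timeout=5):
    """Can a page be fetched? Plain HTTP passes through the transparent proxy."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status < 500
    except Exception:
        return False

def classify(ping, http, https):
    """Apply the manual's A/B/C table; returns (problem type, next action)."""
    if http and https:
        return ("OK", "browsing works on both http and https")
    if https and not http:
        return ("A", "web proxy issue: restart ISP router/modem, SafeAccess, PC")
    if http and not https:
        return ("?", "only https fails; not covered by the table, contact the NOC")
    if ping:
        return ("B", "DNS issue: go to step 2")
    return ("C", "network issue: go to step 1")

def diagnose():
    """Run the probes and return the classification plus the raw results."""
    results = {"ping": ping_ok(), "dns": dns_ok(),
               "http": fetch_ok(f"http://{TEST_HOST}"),
               "https": fetch_ok(f"https://{TEST_HOST}")}
    return classify(results["ping"], results["http"], results["https"]), results
```

The `dns` probe is reported alongside the classification so that in case B you can tell whether the PC's resolver (SafeAccess) answers at all before switching it to 8.8.8.8 as step 2 describes.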

Other Diagnostic Tools included in SafeAccess

ARP Table: shows the MAC-address-to-IP table from the SafeAccess
standpoint. This is useful to identify hardware manufacturers for
problematic IPs.
DNS Lookup: helps troubleshoot DNS issues and provides Whois
information on hostnames and IPs from the SafeAccess standpoint.
NMAP: allows port scanning from the SafeAccess standpoint.
NTOPng: shows advanced visualization of network traffic for known
protocols. Blocked by default from the WAN interface. You may need to
temporarily create a rule to allow incoming traffic to destination port 3000
from the WAN interface.
Packet Capture: allows quick visualization of packets on the selected
interface without having to use tcpdump from the CLI. You may choose basic
filters and the level of detail.
States: shows network connections and allows closing those connections
in real time.
Ping and Traceroute

Reporting Tools
These tools are found under the Status menu

RRD Graphs
o System
o Traffic
o Packets
o Quality
o Queues
o VPN
Sarg Reports
o View reports shows Web Proxy usage reports
 Per User
 Per Destination
 Per Date
Services: shows the status of all services
System Logs
Traffic Graphs: shows traffic in real time, including hosts
