Room362.com

Blatherings of a security addict.

pfSense Without Internets

| Comments

A while back I needed to set up a pfSense box for CTF/example stuff that didn’t and wouldn’t ever have Internet connectivity. Doesn’t seem like much of a task right? Just pop it in and go. Problem is that you loose the use of the packages that help make pfSense so awesome.

Once I figured it out at that time, I made a Forum post so that anyone running into the same issue wouldn’t have to struggle as much:

https://forum.pfsense.org/index.php?topic=55504.0

Most things never disappear from the Internet but I was looking for an old forum post I had bookmarked regarding some persistence methods that I noticed was no longer there since the forum owner had gotten rid of the forum as too much hassle. I get it, but when I went to Archive.org to get saved they didn’t have a copy. So this is what this post is for, to save that content just in case it disappears.

Also, here is a bug report for the “issue” (been open since 2012):


If you are following:

and you are getting:

Unable to communicate with 192.168.1.100 Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity.

because you are using the repo to enable a offline (non internet connected) host to be able to utilize packages all you have to do is:

  1. Go into Services –> DNS Forwarder and add a Host Override
1
2
3
4
Host: www
Domain: pfsense.org
IP Address: 127.0.0.1
Description: null routed record to enable offline repo

Then make sure you have the IP or hostname of your package repository web server in the /pkg_mgr_settings.php (on 2.0, follow the guidelines on the doc above for older versions). After that you should be good to go. Of course this is barring any Firewall blockages you might have in place so be sure to test connectivity from the pfSense box to the web server.

So, that was just the beginning, it’s actually better to not null-route it but make the following entries:

1
2
3
4
files.pfsense.org - 192.168.1.100
files.pfsense.com - 192.168.1.100
www.pfsense.org - 192.168.1.100
www.pfsense.com - 192.168.1.100

If your package web server is 192.168.1.100. Next is the problem of not having the packages themselves. So wget -mk -np http://files.pfsense.org/packages/ gave me a directory that I plopped into my already existant packages directory (created from the git clone as described in the documentation) but the problem I ran into was the php files being rendered still (which made any packages that pulled php files get the rendered version instead of source).

So you need to add a .htaccess file in the packages directory with the following:

1
2
3
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off

Make sure that AllowOverride all is enabled if you are running Apache to host the package site, if not, you’ll have to google how to allow .htaccess files for your particular server. (or if you server doesn’t support htaccess files then how to enable source disclosure)

After those alterations I seem to be off to the races for the most part. Some packages pull from other websites, but altering the package_8.xml or just rerouting the dns seems to solve most of those issues.

Comments