Installing Ubuntu 16.04.3 on a FreeNAS 11.0-U4 Virtual Machine

Mostly a reminder to myself, but feel free to use the instructions.

  1. Download Ubuntu server edition from here.

Updated 5/06/2018
Having run with a 5Gig zvol partition for a few months, I’ve come to the conclusion that it’s not enough, so I’ve increased it to 35Gib, which seems fine for running pi-hole with a home network of under 5 machines.

I’m going to create a 35 gigabyte zvol partition to install the OS. Select Storage and navigate to “Create zvol”.

These are my settings, you can adjust to your needs.

Select VM’s from the top bar and click on “Add VM” and add the following. These are my settings for a home which only has a few PC’s, you can of course provision it with more CPU’s and more memory as required. Or, run it for a while and change the virtual CPU’s and Memory Size if you find it’s not sufficient (the wonders of virtualization 🙂 ).


Select Ubuntu16_04 and click on the devices button.

Click on Add Device and navigate to the zvol you created earlier. Ensure that you select VirtIO as the Mode.

Click on Add Device and select CDROM, then browse to the location of your Ubuntu 16.04 installation ISO.

You may want to change the NIC to a VirtIO as mine is below, the Virtual Machine will work with either option selected.

When done your Ubuntu 16.04 install should look like this.

Enable Web VNC access, this will allow you to run through the install when you start the VM.

Start the VM

Connect to “Vnc via Web” and install Debian.

Follow the GUI and install Ubuntu, remember not to reboot at the end as you’ll be left at the install screen again. At the end of the installation just press the stop button. At this stage, I usually remove the CDROM device, see graphic below. This is how my VM looks.

When you reboot your VM, connect and disconnect using the “Vnc via Web” button a couple of times. You will be presented with the graphic below. Follow the instructions below to fix the bug, it’s a known issue and hopefully I’ll be able to remove the instructions below when fixed.

Boot Problems

If you find yourself left at the UEFI Interactive shell (see below).

Type exit and follow the steps provided.

  • Select Boot Maintenance Manager
  • Select Boot From File
  • Enter
  • Select <EFI>
  • Select <debian>
  • Select grubx64.efi

This will boot the VM and get you to the login prompt, you may have to follow the steps titled “Fix UEFI boot loader” and make the fix permanent.

Fix UEFI boot loader

Login and type the following.


At this stage in the install, I usually change the IP Address to a static IP address outside my DHCP range and remove the VNC Server from the installation.


Building a new home FreeNAS server

My home server is now 9 years old, so I’m thinking it’s probably about time that I build a new one. I’ve been very lucky so far, probably best not to chance my luck any more, as consumer hard drives usually only have a 3-5 year guarantee.

After a bit of thought and research, I’ve decided to change from Linux to FreeNAS, this blog post will track my progress and choices as I build my Server over the next couple of months.


I’m going to start with 16Gb and upgrade if needed (Type dependent on motherboard)

Needs to support 4 SATA drives without an additional PCI card, with the possibility of expansion to 6 drives if needed. I intend to run a few VM’s and a few jails, so I need to buy a motherboard that, if needed, I can put a more powerful CPU in.


The server is going to be in my loft, so I don’t feel the need to keep it small or unobtrusive, that and the airflow should be reasonably good in a larger case. If I decide later to move the server somewhere else in the house, I may repurpose the case.

microATX form factor
MicroATX motherboards are the most popular size for FreeNAS servers, mostly because entry-level server motherboards based on LGA 115x platforms tend to use this form factor.

After a bit of thought about the specifications, I’ve decided to go with the Skylake motherboard and processor, socket LGA 1151. This should be a good starting point, as the motherboard supports 6 SATA ports and a whopping 64Gb of memory, so it should be good for all my needs in the future.

Power Supply

There’s a really good article here about calculating the required power supply wattage. I’m initially going to use 4 drives but might over time upgrade to 6.

  • Each drive will need approximately 35 Watts: 6 X 35 = 210W
  • Approximately 25W for the motherboard: 25W
  • The motherboard supports a maximum CPU wattage of 80W
  • 4 slots available on the motherboard for memory: 4 X 6 = 24W
  • 2 built in fans on the Fractal Design Case + CPU Fan: 3 X 30 = 90W

By my calculations that’s approximately 429W. Multiplying the wattage by 1.25 to give a reasonable margin of error gives us about 536.25W.

So, I’m looking for a 550 Watt power supply and since it seems to be recommended on the Freenas Forum, I’m going to buy the Seasonic G550 550W 80+ Gold Certified PSU after reading some good reviews about it here and here.

Cost so far

  1. Fractal Design – Define Mini: £78
  2. Supermicro X11SSL-F-O: £176
  3. Intel Core i3-6300: £105
  4. Memory Mr Memory: £172
  5. Seasonic G550 550W 80+ Gold Certified PSU: £87
  6. 4 x Western Digital Red 3TB: £400
  7. 2 x SanDisk Ultra Fit 16GB USB 3.0 Flash Drive: £22

The Finished Product



pfsense firewall rules for Ubiquiti Cloud Key

My default pfsense rule is to block everything and only allow specific protocols outward (internet bound), e.g. ports 80, 443, etc. are allowed. So, this is a reminder to myself of the ports needed to allow my Ubiquiti Cloud Key and my Ubiquiti AP AC Lite to communicate with the unifi website. This allows me to control my home network via the internet or use the Ubiquiti phone app when I’m on the move.

You can of course set this up on your pfsense LAN setup (assuming that your network has a similar setup to mine). I’m having to make the assumption that you only allow certain protocols from your network to the internet.

  • Navigate to Firewall > Aliases > IP
  • Click “+Add”
  • Name = Ubiquiti_OUT_Host_WAN
  • Description = Ubiquiti OUT Host Wan
  • Type: Host(s)
  • IP or FQDN =
  • Description =  Unifi FQDN
  • Click [Save]

  • Navigate to Firewall > Aliases > Ports
  • Click “+Add”
  • Name = Ubiquiti_OUT_Ports_WAN
  • Description = Ubiquiti OUT Ports WAN
  • Type Port(s)
  • Port 3478 : STUN Protocol
  • Port 8443 : Ubiquiti Cloud
  • Port 8543 : Ubiquiti Cloud Access
  • Port 11143 : Ubiquiti Cloud Access
  • Click [Save]

  • Navigate to Firewall > Rules
  • Select the interface you want to apply the rule to; the default is LAN (in my case it’s VL10_MGNT)
  • Click “ ⇑Add”
  • Action: Pass
  • Disabled:  [ ]
  • Interface: LAN (Mine is VL10_MGNT)
  • Address Family: IPv4
  • Protocol: TCP/UDP
  • Source: LAN net (Mine is VL10_MGNT net)
  • Destination:
    • Single Host or alias
    • Ubiquiti_OUT_Host_WAN
  • Destination Port Range:
    • Other
    • Ubiquiti_OUT_Ports_WAN
    • Other
    • Ubiquiti_OUT_Ports_WAN
  • Click [Save]

Updated 14/08/2017 (Last piece of the puzzle)
I was having some difficulty with my Ubiquiti Unifi Cloud Key (I only open up ports explicitly on my firewall, everything is denied by default), every time I rebooted, updated the firmware or software on the device, it would lose its connection to the Unifi Website and I wouldn’t be able to control the devices online or from a mobile device.

After having a discussion on the Unifi Community Website, I came to the conclusion that both the Cloud Key and the Wireless Access Point rely on external time servers (external NTP servers) to update their time and date, and if the time and date was incorrect, it stopped the Cloud Key from authenticating to the Unifi Website.

I do run NTP on my pfSense firewall appliance and this information is passed to most of the devices on my network via DHCP, unfortunately, not the Ubiquiti devices apparently.

So, in the end, I opened up port 123 outward (NTP Time Protocol) on my management VLAN and now everything is working fine.

  • Navigate to Firewall > Rules
  • Select the interface you want to apply the rule to; the default is LAN (in my case it’s VL10_MGNT)
  • Click “ ⇑Add”
  • Action: Pass
  • Disabled:  [ ]
  • Interface: LAN (Mine is VL10_MGNT)
  • Address Family: IPv4
  • Protocol: UDP
  • Source: LAN net (Mine is VL10_MGNT net)
  • Destination:
    • any
  • Destination Port Range:
    • From NTP (123)
    • To NTP (123)
  • Click [Save]

pfSense NTP rule.

References
Ubiquiti Community Forum
Cloud Key Port Requirements

Setting up a Raspberry Pi as a VPN router (Updated)

I’ve decided to update the VPN router on my home network using a Raspberry Pi 2, I’m quite impressed at how well it works. I was previously using a HomePlug AV adapter but found this to be a bit of a network bottleneck. So now my Raspberry Pi 2 is connected directly to my router using an ethernet cable.

Previously, I installed a DNS server (Unbound) as a caching recursive DNS server, this service resided on the same machine that I ran my VPN router on. Now however, after a bit of research I’ve decided to let my VPN’s DNS servers answer all the requests from my VPN connected devices.

I now run a separate DHCP/DNS server on my home network (DNSMasq) with a DNSCrypt wrapper that encrypts all the DNS requests that don’t go through my VPN Router.

Home VPN Setup

What you need

You will need some knowledge of networking and/or some IT knowledge.
A Raspberry Pi 2 or 3 running the current Raspbian Jessie Lite – 2016-03-18.

Configure a static IP address

The new version of the dhcpcd daemon included in the Jessie image doesn’t seem to read /etc/network/interfaces as it used to. So if you configure a static IP in the usual way, you’ll end up with 2 IP addresses.

The workaround is to configure a static IP address as you would normally, then disable dhcpcd daemon. Then if you decide later to provision your Pi for something else, it’s easily reversible.

The above shows that the router’s IP address (Gateway) is, yours may be different, so remember to change it to suit your circumstances. You may well have to change the network address if your network address differs from mine, which is

Setting up your VPN server

Next, you need to install openvpn on your Raspberry Pi and test it. I’ve provided an extensive list of VPN providers in the references section (right at the bottom); feel free to choose one after installing openvpn (make sure the VPN provider you choose supports openvpn).

First off, you need to install openvpn. You can do this by typing the following at the prompt.

After you’ve installed openvpn, you’ll need to choose a VPN provider. Ensure that the one you choose supports Linux and OpenVPN. If it’s a good provider, they will provide you with the option of downloading an OpenVPN configuration file, which should have the extension (.ovpn). After you’ve downloaded the file to your Raspberry Pi, change the extension to a (.conf) extension and copy it to the “/etc/openvpn/” directory of your Raspberry Pi.

Test that the VPN actually works.

If it’s working as expected, then press ctrl-c to exit.

Enable VPN after reboot

You should get a message similar to this (see below), the “your_vpn_provider@” will of course be what you’ve called your file.

Fire-walling the interface and enabling forwarding

Below is the shell script that I wrote (with the help of online resources). What it does is firewall the tunnel interface and the internal eth0 interface. In the event of the openvpn daemon shutting down, or the connection to your VPN provider going down, all traffic stops being forwarded.

The only part that will need changed, is the “Home_Network” variable which is currently set to my home network ( and the VPN_DNS variable, which are the DNS servers supplied by your VPN provider. Download the script (or cut and paste) to your pi.
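An added example of the fail-closed forwarding described above; it is not the author's script. HOME_NETWORK mirrors the page's Home_Network variable with a constructed value, and the interface names, UDP port 1194 and the helper names killswitch_rules and fails_closed are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed ("kill switch") rules for a Pi VPN router.
# Every value below is a constructed placeholder; substitute your own.
HOME_NETWORK="192.168.1.0/24"  # plays the role of the page's Home_Network
LAN_IF="eth0"                  # interface facing the home network
TUN_IF="tun0"                  # tunnel interface created by openvpn
VPN_PORT="1194"                # assumption: provider uses OpenVPN on UDP 1194

# Emit the ruleset in iptables-restore format so it can be reviewed first.
# OUTPUT is default-deny too: the Pi may only talk to the LAN, the VPN port
# and the tunnel (assumes it resolves the VPN hostname via a LAN resolver).
killswitch_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${HOME_NETWORK} -o ${TUN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${HOME_NETWORK} -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${TUN_IF} -s ${HOME_NETWORK} -j ACCEPT
-A FORWARD -i ${TUN_IF} -o ${LAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ${TUN_IF} -j ACCEPT
-A OUTPUT -o ${LAN_IF} -d ${HOME_NETWORK} -j ACCEPT
-A OUTPUT -o ${LAN_IF} -p udp --dport ${VPN_PORT} -j ACCEPT
COMMIT
EOF
}

# Audit a ruleset on stdin (ours, or iptables-save output). Succeeds only if
# the filter FORWARD policy is DROP and every FORWARD ACCEPT rule names the
# tunnel as in- or out-interface, so nothing is forwarded without tun0.
fails_closed() {
    awk -v tun="$TUN_IF" '
        /^\*/ { table = $1 }
        table != "*filter" { next }
        /^:FORWARD / { policy = $2 }
        /^-A FORWARD / && / -j ACCEPT/ {
            ok = 0
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && $(i + 1) == tun) ok = 1
            if (!ok) bad++
        }
        END { exit !(policy == "DROP" && bad == 0) }
    '
}

# "apply" loads the rules (needs root) only if they pass the audit;
# with no argument the ruleset is just printed for review.
if [ "${1:-}" = "apply" ]; then
    killswitch_rules | fails_closed && killswitch_rules | iptables-restore
else
    killswitch_rules
fi
```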

To change permission on the script (make it executable), type the following.

Run the script and apply the firewall.

I want to make the firewall rules persistent, so I’m going to install a package called iptables-persistent.

Make the rules apply at startup

If at any time you re-run the script after updating or changing it, then you will have to re-run the iptables-persistent program, to apply the updated rules after reboot. The command for that is.

Enable IPv4 forwarding

Edit the sysctl.conf file to enable IPv4 forwarding.

Uncomment the following.

Save the changes and run the following to make the change permanent.

You should get the following output.

Start VPN now

Testing your VPN Connection

IP Address:
Subnet :      
Default Gateway: (IP address of your now working Raspberry Pi VPN Router)
DNS Server :       (The IP address of your VPN provider’s DNS Servers)

Here’s a screenshot of my Windows 10 virtual machine with the static IP of the details above.

Windows 10 Network Settings

As you can see below, I’m currently in Canada (hurahh!), the DNS leak test shows one ip which is the same as my exit node IP.

VPN Connection

Here’s a good resource, with instructions on setting up a PC with a static IP address.


You can either install ntopng from the Raspberry Pi repository or you can install the new version, using the instructions provided on the ntopng website.

Installing ntopng (using the repository – Current Version 1.2.1 (r1.2.1))

Update repository

Upgrade software

Install ntopng from the repository

Installing ntopng from the ntopng website

Go to the ntop website and follow the instructions provided.

I got the following error message when I tried to run the program.

To fix this, I had to install a couple of libraries, instructions to fix the issue below.

Restart ntopng

Change the default ntopng login

Fire up your favorite browser and point it at the IP address of your new VPN router. For me that would be

You may have used a different IP address, all you need to do is append the port number to the IP address.

After installing ntopng, I would suggest that you change the admin password after you login, the default login details are as follows.

Default login – admin
Default password – admin

Screenshots of ntopng.

All hosts currently using my VPN router on my home network.

List of hosts using my VPN router.

Showing one host on my network, and as you can see, you can look at the traffic type, ports, peers and protocols. It’s a great addition if you’re sharing your VPN with others in your family or friends. It allows you to see if someone is hogging your bandwidth or doing something a bit suspect.

It’s a really great program and if you find it useful then I would definitely buy a licence, because the paid version has a lot more functionality. If you want to see what the paid version looks like, restart your VPN router and connect to ntop, it runs the pro version for 10 minutes before defaulting to the community version.

Host on ntop

If you like it then you can purchase a licence for the pro version from here. Alternatively, if you have a little cash you can also make a donation to the project.


Simple Stateful Firewall – ArchLinux
OpenVPN – Open Source – Website
How To Use Systemctl to Manage Systemd Services and Units – DigitalOcean
Wikipedia – Virtual Private Network
Networking – Pi as a VPN Router
15 best VPN Providers
Geospoofing with the Raspberry Pi
VPN Provider shuts down after Lavabit case undermines security
How do I know if my VPN provider is trustworthy? (Lifehacker)
How NSA Proof Are VPN Providers?
How (and why) to set up VPN today
Electronic Frontier Foundation
VPN Creative – What is my IP address
DNS Leak Test
IP and DNS Detect
Selective VPN routing : [Solution – DSVR]
iptables ipv4 firewall – Debian Firewall Wiki

Draft investigatory Powers Bill

GCHQ Mass Surveillance
Theresa May unveils UK surveillance measures in wake of Snowden claims
UK cyber-spy law takes Snowden’s revelations of mass surveillance and sets them in stone
UN privacy head slams ‘worse than scary’ UK surveillance bill
Investigatory Powers Bill: what’s in it, and what does it mean?
Don’t spy on us

Setting up a Raspberry Pi as an IPv6 gateway using Hurricane Electric.

First thing you’ll need to do is register at the Hurricane Electric Website and create your own tunnel. I’m not going to go over that since there’s a lot of help on the Hurricane Electric Website about it. These instructions only apply to you, after you’ve registered as a user, and set up your tunnel on their website.

Take a note of your Tunnel details from the Hurricane Electric website, you’ll need them to set up your Linux IPv6 Gateway. The IPv6 addresses are used for documentation purposes only, see RFC 3849 (no point showing everyone on the Internet my home IPv6 address range).

HE Server IPv4 Endpoint
Static IPv6 assignment from my routable range 2001:DB8:8:7aa::1
Client IPv6 Endpoint 2001:DB8:7:7aa::2

Ok first thing to do is enable IPv6 support on your raspberry pi, at the prompt type.

To make the change permanent, you will have to edit the modules file and have your pi load it at start-up (reboot). To do this edit the modules file, type the following.

Your modules file should look similar to this after you append the “ipv6” line at the end.

You need to edit /etc/network/interfaces and add your own data to the bottom of the file. There are two bits of data: the first goes after your own network adaptor (usually eth0), and the second part after that.

  • Adding static IPv6 address from my routable range.
  • Adding the Hurricane Electric Tunnel interface (called he-ipv6)
  • Please note that the IP’s are on different networks.

The IPv6 and IPv4 setting below will of course be yours and not the ones I’ve made up for the purpose of showing how it’s done 🙂

Now we’ll deal with DNS, you have two options, you can either use your ISP’s DNS server and hope that it’s set up to deal with IPv6 resolution, or you can use free public recursive DNS servers. I’m going to use Google’s public recursive DNS servers which I know work.

To set this up, you’ll need to edit the /etc/resolv.conf file and add the DNS servers in. Type the following at the prompt.

Add the following and save.

Testing the Tunnel

Before we go any further, we’re going to bring the tunnel up and test it.

At the prompt, type the following.

To test, type the following.

You should get similar results to me.

If your results are similar to above then your raspberrypi is connected to the IPv6 Internet (Hurrah!) :-). If not then check your IPv6 settings and ask for help on the HE forum here.

Now we need to bring the interface down, we’ll bring it back up again after we’ve firewalled it.

