Changes between Initial Version and Version 1 of Cnbp2019/Agenda/pfSenseadvancedSetup


Timestamp:
Mar 10, 2019, 5:33:02 AM (6 years ago)
Author:
admin
Comment:

--

  • Cnbp2019/Agenda/pfSenseadvancedSetup

    v1 v1  
     1= Advance Configurations =
     2Maintaining a pfSense can be problematic if the configurations are not fine tuned to meet your network requirements.
     3
     4== pfSense Advanced Settings ==
     5The advanced settings available under System > Advanced. There are there for additional tweaking or for those who need the functionality given.
     6== Admin Access ==
     7=== webConfigurator ===
     8These will change settings related to web interface of your pfSense instance
     9    • Protocol: HTTPS
     10    • TCP Port: defaults to 443 but you may change to a non-common port in production
     11    • Max Processes: 2 (number of webConfigurator processes to run allowing more users/browsers to access the GUI concurrently)
     12    • Alternate Hostnames: pfsense.instXY.ac.lk (this is, if you need to access webUI by its domain name) and many more...
     13
     14=== Secure Shell ===
     15You need to enable ssh to access its CLI remotely. SSH key methods and port number can be configured
     16
     17=== Serial Communication ===
     18If you desire to use serial communication as of a router or a switch you may configure these options.
     19
     20=== Console Options ===
     21If you dont tick the option, it will allow anyone to access the physical console of the pfSense server
     22
     23== Firewall & NAT ==
     24
     25In production, depending on number of hosts and concurrent connections, you may need to increase values of '''Firewall Maximum States''' or '''Firewall Maximum Table Entries'''.
     26If you tick '''Disable Firewall''' option, it will convert the pfSense in to a normal routing device, remember it will remove NAT functions as well.
     27
     28== Networking ==
     29You may control IPv6 capabilities of the pfSense from this section and enable/disable IPv6 on the device.
     30We recommend not to touch this.
     31By any chance, if you need to change WAN interface addresses regularly, it is a good option to tick '''Reset All States'''
     32
     33== Notifications ==
     34In production environment, it is a good idea to configure SMTP settings for your pfsense.
     35
     36
     37
     38== Package Manager ==
     39You will find the package manager which controls installing and uninstalling of different 3rd party packages from System drop down menu.
     40
     41=== Installed Packges ===
     42You can Remove , Update , Reinstall any installed package using this tab.
     43
     44=== Available Packages ===
     45Any new 3rd party packages can be installed very easily using this tab and it gives a nice UI where you can search what you want and install if available.
     46
     47Search for '''mailreport''' and click '''+ Install''' and confirm. It will take some time to install and once it shows '''Success''' go to '''Status > Email Reports'''
     48With this package you can add custom email reports based on given Schedules.
     49
     50== Routing ==
     51Static routing for gateways are done on this page located at System > Routing
     52
     53== Gateways ==
     54Your upstream and any downstream routers / L3 devices that are connected through routed interfaces must be configured on this page. One gateway for each interface and for each address family. Initially, two gateways for WAN interface should have been created to define IPv4 and IPv6 addresses of your WAN gateway.
     55Also on to the bottom of the page, you will find the selected gateways as your default Gateways.
     56
     57=== Add New Gateway ===
     58If you have a L3 device as your downstream and if you have defined vlans on it then you must define a static route pointing those vlans. This must be accomplished by creating a new gateway and creating static routes.
     59To add a new gateway click '''+ Add''' button on Gateways page
     60    • Select the interface facing that end point (WAN or LAN)
     61    • Address Family
     62    • Name: something identifiable
     63    • Gateway: IP address of the gateway or the interface address of the L3 device connected on the other side. Consider Address Family as well
     64    • Description: Some description about the gateway or the link
     65and save.
     66
     67=== Static Routes ===
     68To create a new static route, Click '''+ Add''' on Static Route Page,
     69    • Define your Destination Network and Mask, eg: 172.16.0.0 / 16 , 2401:dd00:2009:WX10:: / 60
     70    • Gateway: Select Gateway that is on that routed link
     71    • Description: Add a suitable description
     72Make sure you add the reverse route to the other device as well.
     73
     74== Update ==
     75You may update your installation using this menu, we will skip it for the workshop.
     76
     77== User Manager ==
     78You can create multiple users to give access in handling pfSense authentication. System > User Manager is responsible in creating and maintaining Local users as well as remote users like LDAP or Radius.
     79To create a new user you can use + Add and give,
     80    • Username
     81    • Password
     82    • Full Name (optional)
     83    • Expiration Date (optional) and click Save
     84Once the new User is created click on the edit (Pencil) mark to add user privileges.
     85On Effective Privileges of the edit page can be used to customize how that user can interact with pfSense. Click Add and select one or more privileges according to the needs
     86If you have more than one user with specific custom privileges, the best way assigning them is to create a user group with common privileges and assign users to that.
     87You may create a group on Groups tab with
     88    • Group Name
     89    • Scope: Local
     90    • Description
     91Once the group is created go to edit and assign privileges and users.
     92On Settings tab you may specify Session timeouts and Authentication Refresh Times as per your institute policy.
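Review bot: line 21 (Console Options) says "If you dont tick the option" without naming the option, so a reader cannot tell which checkbox keeps the physical console from being open to anyone; name the setting as it is labelled on System > Advanced and state that it should be ticked in production. The Admin Access block has the same gap elsewhere: line 15 (Secure Shell) mentions that key methods and the port number can be configured but gives no recommended choice, and line 10 suggests a non-common webConfigurator port without saying who should be able to reach it. Since lines 84 to 86 already steer readers toward per-user privileges and groups, a sentence tying SSH and GUI access to those accounts would make the page consistent.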