wiki:noc2018/agenda/PfsenseBasics

Pfsense Initial Setup

The pfSense project is a free, open source tailored version of FreeBSD for use as a firewall and router with an easy-to-use web interface. There are two ways of installing pfSense.

  • Full installation
  • Embedded Installation

Here you are going to create a pfSense virtual machine using full installation method to install pfSense.

Setting up virtualbox

Downloading pfSense iso image

Creating PFSense VM

  • Start virtualbox and Click on New button (at top-right) to create new virtual machine
  • Enter name of the VM as: pfsense.instXY.ac.lk. You can get your domain and IP details from here

  • Select OS Type: BSD
  • Select Version: FreeBSD (64-bit)
  • Then click on Continue button
  • Set VM's memory size to 1GB and click on Continue button
  • Set VM's hard disk option to Create a virtual hard disk now and then click on Continue
  • Select disk type to VDI
  • Select storage type to Fixed size and Continue
  • Make sure virtual hard disk file name in following format pfsense.instXY.ac.lk
  • adjust the disk size to 10.0GB and click on Create to create the VM

Setting up Network Interface

  • Select the VM from left panel on Virtual box, right click and open Settings
  • Click on the Network title
  • On Adapter 1 While Enable Network Adapter selected choose Attached to be Bridge Adapter. This virtual interface will work as the WAN port of the firewall (Can be connect from out side). On Advanced, select Allow All for Promiscuous Mode.
  • On Adapter 2 While Enable Network Adapter selected choose Attached to be Internal Network. Default name is intnet. keep it that way. This virtual interface will work as our LAN port (Can't connect from out side). On Advanced, select Allow All for Promiscuous Mode.

Setting up boot device and Booting

  • Click on Storage title and select CD ROM icon under the Controller:IDE Click on CD ROM icon under the Attribute on the left side to select
  • Choose Virtual Optical Disk File
  • Locate the PFSense CD image file you downloaded earlier
  • Right click on VM to make a Normal Start VM. You should now see a separate window with PFSense Installation screen

Initial Installation

  • When the pfSense starts booting, a prompt is displayed with some options and a countdown timer. At this prompt, press 1 to get install pfsense by default. If we don’t choose any option it will start to boot option 1 by default.
  • Next, press Enter to Accept copyright notice,
  • Select Install and press OK
  • Select Continue with default keymap
  • Select Auto (UFS) for Partitioning and click OK
  • Now the Installation is finished So it will ask to enter to a manual modification state, Select No and enter.
  • Now Reboot, As soon as it start to reboot power off the vm manually, Go to settings of the vm and remove the iso image from Storage.
  • Then Start the vm

First Bootup

After booting, you will get the a console screen with available options and summaries. pfSense console configuration interface has the basic configuration options in pfSense. You can select these options by typing their index number and pressing enter.

Assign Interfaces

In this pfSense installation we will have two networks as WAN and LAN. For the box to work we need to assign connected NIC's to these networks.

  • To assign interfaces to networks press 1 and enter
  • It will ask you to assign VLANs, press N as we don't need it now.
  • There are two interface’s em0 and em1, pfSense will ask which interface to use as WAN and which interface to use as LAN.
  • To select em0 as WAN interface type em0 and press enter
  • To select em1 as LAN interface type em1 and press enter
  • Do you want to proceed? press y to say yes and enter

Assign WAN IP addresses

  • To change the interface IP address press 2 and enter
  • WAN IP is set by DHCP by default. To change the WAN interface IP Address press 1 and enter.
  • We are going to have a static IP for WAN Interface. So press n and enter to avoid pfSense to configure the interface IP by DHCP.
  • Enter the WAN IP address assigned to you as 192.248.7.XY and enter. Give subnet mask and gateway in the next steps. You can find your IP allocation from the IP table, WANv4 gateway for lab is 192.248.7.254
  • Do the same for IPv6 address, WANv6 gateway for lab is 2401:dd00:2009::ffff
  • Press n and enter to disable http on WAN interface
  • You will be prompted back to main interface after pressing Enter when it prompts.

Assign LAN IP addresses

  • To change the interface IP address press 2 and enter
  • To change the WAN interface IP Address press 2 and enter.
  • Enter the LAN IP address as 10.XY.1.254. Enter subnet mask as 24. We are going to have this IP address as our LAN's gateway IP. Do not give any parameters to gateway on LAN. Just press enter.
  • Enter the LAN IPv6 address as 2401:DD00:2009:WXYZ::FFFF. Enter subnet mask as 64. We are going to have this IP address as our LAN's gateway IPv6. Do not give any parameters to gateway on LAN. Just press enter.
  • To enable DHCP server on LAN press y and press enter
  • For this workshop our LAN DHCP range is 10.XY.1.10 to 10.XY.1.50. Give start and end IP addresses in next steps.

  • When it asks to enable dhcp for IPv6 press n as we are not to enable dhcpv6 at this time
  • Press n and enter to disable http on WAN interface
  • You will be prompt back to main interface.

You have now set up both WAN and LAN IP addresses.

Reset WEB Configurator password

This step is optional as This step will reveal you the default user name and password for the webconfigurator. Press 3 and enter.

Above the line 'Do you want to proceed' you will see the default username and password on the web access. Note down the default password and Press n

WebUI and Basic Configurations

pfSense by default allows you to do the configuration through its web user interface. Initially, LAN segment hosts are allowed to login and therefore you need to have a device connected to its LAN. On our lab setup we will simulate the Local Area Network with two vm's GUI vm and a server vm.

Download the pre built GUI vm from mirror1 or mirror2 and the server vm from mirror1 or mirror2 .

Import them in to Oracle virtual box from File Import Appliance

While importing make sure to Tick Reinitialize the MAC address of all your network cards.

Our lab network will be,

     LAN or WiFi of Your Host Machine  - - > Bridge Port -- - >em0 -- pfsense
                                                                          |
                                                                         em1
                                                                          |
                                                                 Virtual Box 'intnet' - -> two other vm's

Please double check your vm network connections before powering on them. If all settings are satisfying, power on both Virtual Machines.

On your Server vm log in and edit ip configuration sudo nano /etc/netplan/50-cloud-init.yaml

Change IP addresses to match your addresses

network:
    ethernets:
        enp0s3:
            addresses: [10.XY.1.1/24, '2401:DD00:2009:WXYZ::ABCD/64']
            dhcp4: no
            dhcp6: no
            gateway4: 10.XY.1.254
            gateway6: 2401:DD00:2009:WXYZ::FFFF
            nameservers:
              addresses: [10.XY.1.254, '2401:DD00:2009:WXYZ::FFFF']
    version: 2

And restart the server vm.

Now log in to your GUI vm and from your GUI desktop firefox app, browse to http://<pfSense-LAN-address>

Default admin / pass are admin / pfsense

The first visit to the WebGUI will be redirected to the setup wizard, which is also accessible at System > Setup Wizard. Proceed through the wizard as follows:

  • Step 1: Next
  • Step 2:
    • Hostname: pfsense
    • Domain: instXY.ac.lk
    • Primary DNS Server: 192.248.1.161
    • Secondary DNS Server: 192.248.1.161
    • unset Overide DNS option
  • Step 3:
    • Time Server hostname: 192.248.1.161
    • Timezone: Asia/Colombo
  • Step 4: Next
  • Step 5: Next
  • Step 6: Change admin password to the class password given for the lab
  • Step 7: Reload
  • Finish
  • Accept

After that you will be directed to the Dashboard.

Dashboard

The pfSense dashboard is the main page of the firewall, and it makes monitoring various aspects of the system easy. Returning to the dashboard can be accomplished by clicking the logo in the upper left, or by navigating to Status > Dashboard.

The Dashboard is composed of Widgets, each of which display information about a different area of the firewall including,

  • Firewall Logs
  • Gateways
  • Interface Statistics
  • RSS Feed
  • Services Status
  • System Information
  • Thermal Sensors
  • Traffic Graphs
  • Wake on LAN

A widget can be added to the dashboard by clicking + at the top of the screen, then choosing the widget from the list. Once the widget appears, its placement may be changed by dragging its title bar to another location on the screen. The widget will snap into place in one of two columns, and can be reordered as desired.

Click Save Settings at the top of the screen after making any widget layout changes.

Some widgets will have their own settings, which may be accessed by pressing the wrench icon in their title bar. To save these settings use the Save button inside the widget, not the button at the top of the page.

General Setup

Some basic/common settings are available under System > General Setup. Some useful settings are,

  • Hostname: The name by which this pfSense router is known. Should only include the portion before the first “.”.
  • Domain: The domain name in which this pfSense is used. Together with the hostname, this will form the Fully Qualified Domain Name (FQDN) of the firewall.
  • DNS Servers:

    The gateway selection for DNS servers is primarily used for Using Multiple IPv4 WAN Connections.

  • Time Zone:
  • NTP Time Server:
  • Language: The language to use for the GUI. Default is English
  • Theme: Changes the look and feel of the pfSense GUI, but not the functionality

Only for the LAB

go to Firewall > Rules > WAN > Add to end

  • Action: pass
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: TCP
  • Source: Network : 192.248.4.0/22
  • Destination: WAN address
  • Destination Port: Any, Any
  • Log: ticked
  • Description: Allow pfsense access from lab

Save and Apply Changes

Now you can use your host machine's web browser to login to your pfsense box web configurator using its WAN address.

Interfaces

In this menu we can re-do assigning interfaces, assigning IP addresses etc. As we have already done that using CLI, we will skip this.

Last modified 11 months ago Last modified on Dec 13, 2018, 6:40:04 AM