= Pfsense Initial Setup= The pfSense project is a free, open source tailored version of FreeBSD for use as a firewall and router with an easy-to-use web interface. There are two ways of installing pfSense. - Full installation - Embedded Installation Here you are going to create a pfSense virtual machine using full installation method to install pfSense. == Setting up virtualbox == === Downloading pfSense iso image === - [. Download] pfSense image from lab mirror or you can get it from [https://www.pfsense.org/download/ here]. === Creating PFSense VM === - Start virtualbox and Click on New button (at top-right) to create new virtual machine - Enter name of the VM as: '''pfsense.instXY.ac.lk'''. You can get your domain and IP details from [wiki:noc2018/agenda/IpAllocation here] - Select OS Type: '''BSD''' - Select Version: '''FreeBSD (64-bit)''' - Then click on '''Continue''' button - Set VM's memory size to '''1GB''' and click on Continue button - Set VM's hard disk option to '''Create a virtual hard disk now''' and then click on '''Continue''' - Select disk type to '''VDI''' - Select storage type to '''Fixed size''' and '''Continue''' - Make sure virtual hard disk file name in following format '''pfsense.instXY.ac.lk''' - adjust the disk size to '''10.0GB''' and click on '''Create''' to create the VM === Setting up Network Interface === - Select the VM from left panel on Virtual box, right click and open '''Settings''' - Click on the '''Network''' title - On '''Adapter 1''' While '''Enable''' Network Adapter selected choose Attached to be '''Bridge Adapter'''. This virtual interface will work as the WAN port of the firewall (Can be connect from out side). On Advanced, select '''Allow All''' for Promiscuous Mode. - On '''Adapter 2''' While '''Enable''' Network Adapter selected choose Attached to be '''Internal Network'''. Default name is '''intnet'''. keep it that way. This virtual interface will work as our LAN port (Can't connect from out side). On Advanced, select '''Allow All''' for Promiscuous Mode. === Setting up boot device and Booting=== - Click on '''Storage''' title and select '''CD ROM icon''' under the '''Controller:IDE''' Click on CD ROM icon under the '''Attribute''' on the left side to select - Choose '''Virtual Optical Disk File''' - Locate the '''PFSense CD image''' file you downloaded earlier - Right click on VM to make a '''Normal Start''' VM. You should now see a separate window with PFSense Installation screen === Initial Installation === - When the pfSense starts booting, a prompt is displayed with some options and a countdown timer. At this prompt, press '''1''' to get install '''pfsense by default'''. If we don’t choose any option it will start to boot option 1 by default. - Next, press '''Enter''' to Accept copyright notice, - Select '''Install''' and press '''OK''' - Select '''Continue with default keymap''' - Select '''Auto (UFS)''' for Partitioning and click '''OK''' - Now the Installation is finished So it will ask to enter to a manual modification state, Select '''No''' and enter. - Now Reboot, '''As soon as it start to reboot power off the vm manually''', Go to settings of the vm and remove the iso image from Storage. - Then Start the vm === First Bootup === After booting, you will get the a console screen with available options and summaries. pfSense console configuration interface has the basic configuration options in pfSense. You can select these options by typing their index number and pressing enter. === Assign Interfaces === In this pfSense installation we will have two networks as WAN and LAN. For the box to work we need to assign connected NIC's to these networks. - To assign interfaces to networks press '''1''' and enter - It will ask you to assign VLANs, press '''N''' as we don't need it now. - There are two interface’s '''em0''' and '''em1''', pfSense will ask which interface to use as WAN and which interface to use as LAN. - To select em0 as WAN interface type '''em0''' and press '''enter''' - To select em1 as LAN interface type '''em1''' and press '''enter''' - Do you want to proceed? press '''y''' to say yes and '''enter''' === Assign WAN IP addresses === - To change the interface IP address press '''2''' and '''enter''' - WAN IP is set by DHCP by default. To change the WAN interface IP Address press '''1''' and '''enter'''. - We are going to have a static IP for WAN Interface. So press '''n''' and '''enter''' to avoid pfSense to configure the interface IP by DHCP. - Enter the WAN '''IP address assign''' to you and '''enter'''. Give '''subnet mask''' and '''gateway''' in the next steps. You can find your IP allocation from the [wiki:noc2018/agenda/IpAllocation IP table] - Do the same for IPv6 address - Press '''n''' and '''enter''' to disable http on WAN interface - You will be prompted back to main interface after pressing Enter when it prompts. === Assign LAN IP addresses === - To change the interface IP address press '''2''' and '''enter''' - To change the WAN interface IP Address press '''2''' and '''enter'''. - Enter the LAN IP address as ''' 10.XY.1.254'''. Enter subnet mask as '''24'''. We are going to have this IP address as our LAN's gateway IP. Do not give any parameters to gateway on LAN. Just press enter. - Enter the LAN IPv6 address as '''2401:DD00:XXXX:WXYZ::FFFF'''. Enter subnet mask as '''64'''. We are going to have this IP address as our LAN's gateway IPv6. Do not give any parameters to gateway on LAN. Just press enter. - To enable DHCP server on LAN press '''y''' and press enter - For this workshop our LAN DHCP range is 10.XY.1.10 to 10.XY.1.50. Give start and end IP addresses in next steps. - When it asks to enable dhcp for IPv6 press '''n''' as we are not to enable dhcpv6 at this time - Press '''n''' and '''enter''' to disable http on WAN interface - You will be prompt back to main interface. You have now set up both WAN and LAN IP addresses. === Reset WEB Configurator password === This step is optional as This step will reveal you the default user name and password for the webconfigurator. Press '''3''' and '''enter'''. Above the line 'Do you want to proceed' you will see the default username and password on the web access. Note down the default password and Press '''n''' == WebUI and Basic Configurations == pfSense by default allows you to do the configuration through its web user interface. Initially, LAN segment hosts are allowed to login and therefore you need to have a device connected to its LAN. On our lab setup we will simulate the Local Area Network with two vm's GUI vm and a server vm. Download the pre built GUI vm from here and the server vm from here. Import them in to Oracle virtual box from File Import Appliance While importing make sure to Tick '''Reinitialize the MAC address''' of all your network cards. Our lab network will be, {{{ LAN or WiFi of Your Host Machine - - > Bridge Port -- - >em0 -- pfsense | em1 | Virtual Box 'intnet' - -> two other vm's }}} Please double check your vm network connections before powering on them. If all settings are satisfying, power on both Virtual Machines. On your Server vm log in and edit ip configuration `sudo nano /etc/netplan/50-cloud-init.yaml` '''Change''' IP addresses to match your addresses {{{ network: ethernets: enp0s3: addresses: [10.XY.1.1/24, '2401:DD00:XXXX:WXYZ::1/64'] dhcp4: no dhcp6: no gateway4: 10.XY.1.254 gateway6: 2401:DD00:XXXX:WXYZ::FFFF nameservers: addresses: [10.XY.1.254, '2401:DD00:XXXX:WXYZ::FFFF'] version: 2 }}} And restart the server. Noe log in to your GUI and from your GUI vm browse to !http:// Default admin / pass are admin / pfsense The first visit to the WebGUI will be redirected to the setup wizard, which is also accessible at System > Setup Wizard. Proceed through the wizard as follows: - Step 1: Next - Step 2: - Hostname: pfsense - Domain: instXY.ac.lk - Primary DNS Server: 192.248.1.161 - Secondary DNS Server: 192.248.1.161 - unset Overide DNS option - Step 3: - Time Server hostname: 192.248.1.161 - Timezone: !Asia/Colombo - Step 4: Next - Step 5: Next - Step 6: Change admin password to the class password given for the lab - Step 7: Reload - Finish - Accept After that you will be directed to the Dashboard. === Dashboard === The pfSense dashboard is the main page of the firewall, and it makes monitoring various aspects of the system easy. Returning to the dashboard can be accomplished by clicking the logo in the upper left, or by navigating to Status > Dashboard. The Dashboard is composed of Widgets, each of which display information about a different area of the firewall including, - Firewall Logs - Gateways - Interface Statistics - RSS Feed - Services Status - System Information - Thermal Sensors - Traffic Graphs - Wake on LAN A widget can be added to the dashboard by clicking '''+''' at the top of the screen, then choosing the widget from the list. Once the widget appears, its placement may be changed by dragging its title bar to another location on the screen. The widget will snap into place in one of two columns, and can be reordered as desired. Click '''Save Settings''' at the top of the screen after making any widget layout changes. Some widgets will have their own settings, which may be accessed by pressing the '''wrench icon''' in their title bar. To save these settings use the '''Save''' button inside the widget, not the button at the top of the page. === General Setup === Some basic/common settings are available under System > General Setup. Some useful settings are, - Hostname: The name by which this pfSense router is known. Should only include the portion before the first “.”. - Domain: The domain name in which this pfSense is used. Together with the hostname, this will form the Fully Qualified Domain Name (FQDN) of the firewall. - DNS Servers: >The gateway selection for DNS servers is primarily used for Using Multiple IPv4 WAN Connections. - Time Zone: - NTP Time Server: - Language: The language to use for the GUI. Default is English - Theme: Changes the look and feel of the pfSense GUI, but not the functionality === Only for the LAB === go to Firewall > Rules > WAN > Add to end - Action: pass - Interface: WAN - Address Family: IPv4 - Protocol: TCP - Source: Network : 192.248.4.0/22 - Destination: WAN address - Destination Port: Any, Any - Log: ticked - Description: Allow pfsense access from lab Save and Apply Changes Now you can use your host machine's web browser to login to your pfsense box web configurator using its WAN address. == Interfaces == In this menu we can re-do assigning interfaces, assigning IP addresses etc. As we have already done that using CLI, we will skip this.