= Pfsense Initial Setup= The pfSense project is a free, open source tailored version of FreeBSD for use as a firewall and router with an easy-to-use web interface. There are two ways of installing pfSense. - Full installation - Embedded Installation Here you are going to create a pfSense virtual machine using full installation method to install pfSense. == Setting up virtualbox == === Downloading pfSense iso image === - [. Download] pfSense image from lab mirror or you can get it from [https://www.pfsense.org/download/ here]. === Creating PFSense VM === - Start virtualbox and Click on New button (at top-right) to create new virtual machine - Enter name of the VM as: '''pfsense.instXY.ac.lk'''. You can get your domain and IP details from [wiki:noc2018/agenda/IpAllocation here] - Select OS Type: '''BSD''' - Select Version: '''FreeBSD (64-bit)''' - Then click on '''Continue''' button - Set VM's memory size to '''1GB''' and click on Continue button - Set VM's hard disk option to '''Create a virtual hard disk now''' and then click on '''Continue''' - Select disk type to '''VDI''' - Select storage type to '''Fixed size''' and '''Continue''' - Make sure virtual hard disk file name in following format '''pfsense.instXY.ac.lk''' - adjust the disk size to '''10.0GB''' and click on '''Create''' to create the VM === Setting up Network Interface === - Select the VM from left panel on Virtual box, right click and open '''Settings''' - Click on the '''Network''' title - On '''Adapter 1''' While ''Enable'' Network Adapter selected choose Attached to be '''Bride Adapter'''. This virtual interface will work as the WAN port of the firewall (Can be connect from out side). - On '''Adapter 2''' While '''Enable''' Network Adapter selected choose Attached to be '''Internal Network'''. Default name is '''intnet'''. keep it that way. This virtual interface will work as our LAN port (Can't connect from out side). === Setting up boot device and Booting=== - Click on '''Storage''' title and select '''CD ROM icon''' under the '''Controller:IDE''' Click on CD ROM icon under the '''Attribute''' on the left side to select - Choose '''Virtual Optical Disk File''' - Locate the '''PFSense CD image''' file you downloaded earlier - Right click on VM to make a '''Normal Start''' VM. You should now see a separate window with PFSense Installation screen == Pfsense Installation == === Initial Installation === - When the pfSense starts booting, a prompt is displayed with some options and a countdown timer. At this prompt, press '''1''' to get install '''pfsense by default'''. If we don’t choose any option it will start to boot option 1 by default. - Next, press '''Enter''' to Accept copyright notice, - Select Install and press OK - Select "Continue with default keymap" - Select "Auto (UFS)" for Partitioning and click OK - Now the Installation is finished So it will ask to enter to a manual modification state, Select No and enter. - Now Reboot, As soon as it start to reboot power off the vm manually, Go to settings of the vm and remove the iso image from Storage. - Then Start the vm === First Bootup === '''note :''' If you reboot your vm manually you will be prompted straight to the pfSense [#point1 configuration user interface]. But do not worry it will not effect on your firewall After rebooting, you will get the a screen with available interfaces to configure the network. - The first option is presented as '''VLAN’s''', simply here say No by pressing '''n''' and '''enter'''. - There are two interface’s em0 and em1, pfSense will ask which interface to use as WAN and which interface to use as LAN. Press '''a''' and '''enter''' to auto configure the interfaces. please note that in this case pfSense is intelligent to assign correct virtual interfaces as WAN and LAN ports, Because only one interface can be connect from out side. Even if the interfaces are wrong you can assign them correctly later. - It will ask for the '''confirmation''' and you can proceed with '''Y''' and press '''enter''' to continue to the == [=#point1 pfSense Console Configuration] == pfSense console configuration interface has the basic configuration options in pfSense. You can select these options by typing there index number and pressing enter. === Assign WAN & LAN Interfaces === - Note that WAN and LAN Interfaces are assigned by PFSense itself. To change that press '''1''' and '''enter''' - The first step is presented as '''VLAN’s''', simply here say No by pressing '''n''' and '''enter'''. - To select em0 as WAN interface type '''em0''' and press '''enter''' - To select em1 as LAN interface type '''em1''' and press '''enter''' - We do not need optional interfaces so press '''enter''' at the next step - Do you want to proceed? press '''y''' to say yes and '''enter''' === Assign WAN IP addresses === - To change the interface IP address press '''2''' and '''enter''' - WAN IP is set by DHCP by default. To change the WAN interface IP Address press '''1''' and '''enter'''. - We are going to have a static IP for WAN Interface. So press '''n''' and '''enter''' to avoid pfSense to configure the interface IP by DHCP. - Enter the WAN '''IP address assign''' to you and '''enter'''. Give '''subnet mask''' and '''gateway''' in the next steps. You can find your IP allocation from the [wiki:noc2018/agenda/IpAllocation IP table] - Do the same for IPv6 address - Press '''n''' and '''enter''' to disable http on WAN interface - You will be prompted back to main interface. === Assign LAN IP addresses === - To change the interface IP address press '''2''' and '''enter''' - To change the WAN interface IP Address press '''2''' and '''enter'''. - Enter the LAN Ip address as ''' 10.XY.1.254'''. Enter subnet mask as '''24'''. We are going to have this IP address as our LAN's gateway IP. Do not give any parameters to gateway on LAN. Just press enter. - We are not going to have an IPv6 address for LAN at this point. So just Press enter. - To enable DHCP server on LAN press '''y''' and press enter - For this workshop our LAN DHCP range is 10.XY.1.10 to 10.XY.1.50. Give start and end IP addresses in next steps. - Press '''n''' and '''enter''' to disable http on WAN interface - You will be prompt back to main interface. You have now set up both WAN and LAN IP addresses. === Reset WEB Configurator password === This step is optional as This step will reveal you the default user name and password for the webconfigurator. Press '''3''' and '''enter'''. Above the line 'Do you want to proceed' you will see the default username and password on the web access. Note down the default password and Press '''n''' == WebUI and Basic Configurations == pfSense by default allows you to do the configuration through its web user interface. Initially, LAN segment hosts are allowed to login and therefore you need to have a device connected to its LAN. On our lab setup we will simulate the Local Area Network with two vm's GUI vm and a server vm. Download the pre built GUI vm from here and the server vm from here. Import them in to Oracle virtual box from File Import Appliance While importing make sure to Tick '''Reinitialize the MAC address''' of all your network cards. Our lab network will be, {{{ LAN or WiFi of Your Host Machine - - > Bridge Port -- - >em0 -- pfsense | em1 | Virtual Box 'intnet' - -> two other vm's }}} Please double check your vm network connections before powering on them. If all settings are satisfying, power on both Virtual Machines. On your Server vm log in and edit ip configuration `sudo nano /etc/netplan/50-cloud-init.yaml` **Change** IP addresses to match your addresses {{{ network: ethernets: enp0s3: addresses: [10.XY.1.1/24, '2401:DD00:XXXX:WXYZ::1/64'] dhcp4: no dhcp6: no gateway4: 10.XY.1.254 gateway6: 2401:DD00:XXXX:WXYZ::FFFF nameservers: addresses: [10.XY.1.254, '2401:DD00:XXXX:WXYZ::FFFF'] version: 2 }}} And restart the server. Noe log in to your GUI and from your GUI vm browse to !http:// Default admin / pass are admin / pfsense The first visit to the WebGUI will be redirected to the setup wizard, which is also accessible at System > Setup Wizard. Proceed through the wizard as follows: - Step 1: Next - Step 2: - Hostname pfsense.instXY.ac.lk - Domain: - Primary DNS Server: 192.248.1.161 - Secondary DNS Server: 192.248.1.161 - unset Overide DNS option - Step 3: - Time Server hostname: 192.248.1.161 - Timezone: !Asia/Colombo - Step 4: Next - Step 5: Next - Step 6: Change admin password to the class password given for the lab - Step 7: Reload - Finish - Accept After that you will be directed to the Dashboard. === Dashboard === The pfSense dashboard is the main page of the firewall, and it makes monitoring various aspects of the system easy. Returning to the dashboard can be accomplished by clicking the logo in the upper left, or by navigating to Status > Dashboard. The Dashboard is composed of Widgets, each of which display information about a different area of the firewall including, - Firewall Logs - Gateways - Interface Statistics - RSS Feed - Services Status - System Information - Thermal Sensors - Traffic Graphs - Wake on LAN A widget can be added to the dashboard by clicking '''+''' at the top of the screen, then choosing the widget from the list. Once the widget appears, its placement may be changed by dragging its title bar to another location on the screen. The widget will snap into place in one of two columns, and can be reordered as desired. Click '''Save Settings''' at the top of the screen after making any widget layout changes. Some widgets will have their own settings, which may be accessed by pressing the '''wrench icon''' in their title bar. To save these settings use the '''Save''' button inside the widget, not the button at the top of the page. === General Setup === Some basic/common settings are available under System > General Setup. Some useful settings are, - Hostname: The name by which this pfSense router is known. Should only include the portion before the first “.”. - Domain: The domain name in which this pfSense is used. Together with the hostname, this will form the Fully Qualified Domain Name (FQDN) of the firewall. - DNS Servers: >The gateway selection for DNS servers is primarily used for Using Multiple IPv4 WAN Connections. - Time Zone: - NTP Time Server: - Language: The language to use for the GUI. Default is English - Theme: Changes the look and feel of the pfSense GUI, but not the functionality === Only for the LAB === go to Firewall > Rules > WAN > Add to end - Action: pass - Interface: WAN - Address Family: IPv4 - Protocol: TCP - Source: Network : 192.248.4.0/22 - Destination: WAN address - Destination Port: Any, Any - Log: ticked - Description: Allow pfsense access from lab Save and Apply Changes