= Configuring pfSense =

All the configuration of pfSense can be done through the web configurator. To access it you have to go through your client machine. Before starting the virtual machine, change the following settings:

 - Go to your '''pc.'your domain'.ws.learn.ac.lk''' VM in VirtualBox and open '''Settings'''. Under '''Network''', go to the '''Adapter 1''' tab.
 - Change '''Attached to:''' to '''Internal Network'''. Do not change the name '''intent'''.
 - Start the VM. Your virtual machine is now disconnected from the outside network; the only way to reach the web or the network is through the firewall.
 - At the moment you will not be able to browse the web.

== Logging Into the Web Interface and Initial Setup ==

 - Open the web browser in the '''client virtual machine''' and go to https://10.1.1.1
 - You might get an error saying '''your connection is not private'''. That is because the firewall does not have a valid HTTPS certificate. Ignore the error and '''Proceed to''' the web page.
 - You will get the pfSense login page. Give the default username and password ('''admin''', '''pfsense''').
 - You will be directed to the setup wizard. Click '''Next''' for the first two pages.
 - Under General Information:
   * Hostname: '''pfsense'''
   * Domain: '''your domain''' (eg: user1.ws.learn.ac.lk)
   * Primary DNS Server: '''192.248.1.161'''
   * Secondary DNS Server: '''192.248.1.164'''
 - Click '''Next'''.
 - Give the time zone as '''Asia / Colombo''' and click '''Next'''.
 - The next page is Configure WAN Interface. Do not change anything; click '''Next'''.
 - The next page is Configure LAN Interface. Do not change anything; click '''Next'''.
 - On the next page you will be asked to give a password for the admin web login. Type a password and confirm it, then click '''Next''' ('''please remember this password''').
 - Setup is done. Click '''Reload'''. You will get the message '''Wizard completed'''.
Click on the link to access the webConfigurator.
 - You will be directed to the pfSense dashboard. You should be able to browse the web by now.

== Configuring The Firewall ==

Click the menu button in the top right corner. You will see nine tabs, which shows how many features the pfSense firewall has. We will only look at some basic and important features.

=== Enable SSH ===

Enabling SSH is important if you need to do some configuration remotely. To enable SSH:
 - Go to the menu and click '''System'''.
 - In the drop-down list select '''Advanced''' and you will be directed to a configuration page.
 - Under the '''Admin Access''' tab find the '''Secure Shell''' section.
 - Tick the '''Enable Secure Shell''' check box.
 - Click '''Save'''.

=== Firewall Rules ===

 - Go to the menu and click '''Firewall'''.
 - In the drop-down list select '''Rules''' and you will be directed to the firewall rules configuration page.
 - You will see three tabs:
   * WAN: traffic coming to the WAN port
   * LAN: traffic coming to the LAN port
   * Floating: advanced firewall rules which can apply in any direction and to any or multiple interfaces
 - In the WAN tab you will see two rules already configured:
   * Blocking your private network from leaking outside
   * Blocking IANA reserved IPv6 addresses from leaking outside
 - In the LAN tab you will see three rules already configured:
   * Allowing HTTPS, HTTP and SSH (if you enabled SSH) to the firewall IP
   * Allowing all LAN IPv4 addresses to connect outside
   * Allowing all LAN IPv6 addresses to connect outside

Now let's create a new rule.
 - In your VM desktop go to the left corner and click the icon.
From the menu select '''Terminal Emulator''' and open a terminal.
 - Try to ping a known host (your gateway, the LEARN DNS or even Google); it should work.
 - Now go to your firewall web interface. Under the LAN tab click '''Add''' and you will be taken to the Edit Firewall Rule page.
 - Set the parameters as follows:
   * Action: '''Block'''
   * Interface: '''LAN'''
   * Address Family: '''IPv4'''
   * Protocol: '''ICMP'''
   * Source: '''Single host or alias''', and give your VM's IP address in the text box
   * Destination: '''any'''
   * Description: '''Block ICMP from user host'''
 - Click '''Save''' and click '''Apply Changes''' on the following page.
 - Try to ping an IP from your VM.
 - We will do more on rules later.

=== Static NAT ===

You can use static NAT if you have a special requirement like a web server inside your LAN. What it does is map the private IP you specify to an additional public IP.

==== Create Virtual IP ====

We need to create an additional WAN IP for the NAT.
 - First go to the '''menu''' and select '''Firewall'''. From the drop-down list select '''Virtual IPs'''.
 - On the Virtual IPs page click the '''Add''' button.
 - On the next page set the following:
   * Type: '''IP Alias'''
   * Interface: '''WAN'''
   * Address Type: '''Single address'''
   * Address: give the spare address from the [wiki:ipallocation IP table] / 24
   * Description: WAN IP for NAT
 - Click '''Save''' and '''Apply Changes''' on the next page.

==== Create NAT ====

Now let's map the created public IP to the private IP.
 - First go to the '''menu''' and select '''Firewall'''. From the drop-down list select '''NAT'''.
 - On the '''1:1''' page click the '''Add''' button.
 - On the next page set the following:
   * Interface: '''WAN'''
   * External subnet IP: your spare IP address
   * Internal IP: '''Single host''', and give your VM's IP in the text box
   * Destination: '''any'''
   * Description: NAT for test
 - Click '''Save''' and '''Apply Changes''' on the next page.

==== Allow Access ====

 - First go to the '''menu''' and select '''Firewall'''. From the drop-down list select '''Rules'''.
 - In the '''WAN''' tab click the '''Add''' button.
 - On the next page set the following:
   * Action: '''Pass'''
   * Interface: '''WAN'''
   * Address Family: '''IPv4'''
   * Protocol: '''any'''
   * Source: '''any'''
   * Destination: '''Single host or alias''', and give your VM's IP address in the text box
   * Description: '''Allowing NAT'''
 - Click '''Save''' and '''Apply Changes''' on the next page.
 - Now try to ping your VM from your PC (use the public IP address).
 - Now try to SSH to your VM from your PC (use the public IP address).

=== Using Aliases ===

Aliases can be used to simplify your configuration. Imagine you have a set of devices that need the same privileges. To set firewall rules you would have to add rules for each device; with aliases you can bundle them under one name.

==== Create Aliases ====

Let's bundle some hosts:
 - First go to the '''menu''' and select '''Firewall'''. From the drop-down list select '''Aliases'''.
 - In the '''IP''' tab click the '''Add''' button.
 - On the next page set the following:
   * Name: '''Famoussites'''
   * Description: '''some most visited sites'''
   * Type: '''Hosts'''
   * IP or FQDN: google.com
   * Click '''Add Host''' and you will get another box to add more hosts.
   * Add yahoo.com and facebook.com, then click '''Save'''. On the next page click '''Apply Changes'''.

Now let's bundle some ports:
 - Go to the '''menu''' and select '''Firewall'''. From the drop-down list select '''Aliases'''.
 - In the '''Ports''' tab click the '''Add''' button.
 - On the next page set the following:
   * Name: '''Usable ports'''
   * Description: '''some most popular ports'''
   * Type: '''Ports'''
   * Port: add ports 22, 53, 25, 80 and 443, then click '''Save'''. On the next page click '''Apply Changes'''.

Now let's use these aliases:
 - Go to the menu and click '''Firewall'''.
 - In the drop-down list select '''Rules''' and go to the WAN tab.
 - Edit the rule you created in the NAT section by clicking the '''pencil''' icon.
 - Change the destination port range from '''any''' to '''other'''.
 - In the custom text box type the name of the ports alias.
 - Click '''Save''' and '''Apply Changes'''.
 - Try to ping the VM from your PC.
 - Try to SSH to the VM from your PC.
 - Go to the menu and click '''Firewall'''.
 - In the drop-down list select '''Rules''', go to the LAN tab and click '''Add'''.
 - Set the parameters as follows:
   * Action: '''Block'''
   * Interface: '''LAN'''
   * Address Family: '''IPv4'''
   * Protocol: '''ICMP'''
   * Source: '''Single host or alias''', and give your VM's IP address in the text box
   * Destination: '''Single host or alias''', and give the alias Famoussites
   * Description: '''Block ICMP from user host'''
 - Click '''Save''' and '''Apply Changes''' on the next page.
 - Try to ping google.com, yahoo.com and facebook.com from your VM.
 - Try to ping www.ac.lk.

=== Traffic Management ===

=== Package Management ===
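As an added example, not part of the original page: a Python script that audits an exported pfSense config.xml for the state the '''Allowing NAT''' rule is in before the alias section narrows it, that is, a WAN pass rule from any source to the NAT host with no destination port. The XML sample is constructed, its element names are assumed to match pfSense's config.xml layout, and `load_aliases`, `wan_pass_exposure` and `overexposed_wan_rules` are the example's own helpers.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment with the aliases and WAN rules from the sections
# above. Element names are assumed to follow pfSense's config.xml layout (alias
# members space separated); "Usableports" stands in for the page's ports alias.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>Famoussites</name><type>host</type>
      <address>google.com yahoo.com facebook.com</address></alias>
    <alias><name>Usableports</name><type>port</type>
      <address>22 53 25 80 443</address></alias>
  </aliases>
  <filter>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source>
      <destination><address>10.1.1.10</address></destination>
      <descr>Allowing NAT</descr></rule>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol><source><any/></source>
      <destination><address>10.1.1.10</address><port>Usableports</port></destination>
      <descr>Allowing NAT (port alias)</descr></rule>
  </filter>
</pfsense>"""

def load_aliases(root):
    """Map alias name -> list of members (hosts or ports)."""
    return {a.findtext("name"): a.findtext("address", "").split()
            for a in root.iter("alias")}

def wan_pass_exposure(config_xml):
    """descr -> allowed destination ports, for WAN pass rules from any source.
    An empty list means no <port> element (protocol any or ICMP, where pfSense
    offers no port field), so every port on the NAT host is reachable."""
    root = ET.fromstring(config_xml)
    aliases = load_aliases(root)
    exposure = {}
    for rule in root.iter("rule"):
        if rule.findtext("interface") != "wan" or rule.findtext("type") != "pass":
            continue
        if rule.find("source/any") is None:
            continue  # source-restricted rules are not the concern here
        port = rule.findtext("destination/port")
        # expand an alias name to its members; a literal port or range stays as-is
        exposure[rule.findtext("descr")] = [] if port is None else aliases.get(port, [port])
    return exposure

def overexposed_wan_rules(config_xml):
    """Descriptions of WAN pass rules that leave every port open to any source."""
    return [d for d, ports in wan_pass_exposure(config_xml).items() if not ports]
```

Calling `overexposed_wan_rules(SAMPLE_CONFIG)` returns `['Allowing NAT']`, while the alias-restricted rule is reported with its five expanded ports. Point the functions at the text of your own config backup to check a real ruleset.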