
Version 13 (modified by admin, 7 years ago)


Configuring pfSense

All configuration of pfSense can be done through the web configurator. To access the web configurator you have to log in to your client machine. Before starting the virtual machine, change the following settings.

  • In VirtualBox, select pc.'your domain'.ws.learn.ac.lk and open its settings. Under Network, go to the Adapter 1 tab
  • Change Attached to: to Internal Network. Do not change the network name (intnet)
  • Start the VM. Your virtual machine is now disconnected from the outside network; the only way to reach the web or the network is through the firewall
  • At the moment you will not be able to browse the web.

For blackbox users only

  • If you are using blackbox, log in to your pc and type
    startx
    

You will get the blackbox GUI.

  • Right click and select xterm
  • On the terminal that opens, type
    firefox
    

Logging Into the Web Interface and Initial setup

  • Open your web browser in the pc virtual machine and go to https://10.1.1.1
  • You might get an error saying your connection is not private. That is because the firewall does not have a valid HTTPS certificate. Click Advanced --> Add Exception --> Confirm Security Exception
  • You will get the pfSense login page. Give the default username and password (admin, pfsense)
  • You will be directed to the setup wizard. Click Next on the first two pages
  • Under the General Information,
    • Hostname : pfsense
    • Domain: Your domain (eg: user1.ws.learn.ac.lk)
    • Primary DNS Server : 192.248.1.161
    • Secondary DNS Server: 192.248.1.164
  • Click Next
  • Give time zone as Asia / Colombo and click Next
  • The next page is Configure WAN Interface. Do not change anything; click Next
  • The next page is Configure LAN Interface. Do not change anything; click Next
  • On the next page you will be asked to set a password for the admin web login. Type a password, confirm it and click Next (remember this password)
  • Setup is done. Click Reload. You will get the message "Wizard completed"; click the link to access the webConfigurator
  • You will be directed to the pfSense dashboard.

You should be able to browse the web by now.

Configuring The Firewall

Click the menu button in the top right corner. You will see nine tabs, which shows that pfSense has many features. We will only look at some basic and important ones.

Enable SSH

Enabling SSH is useful when you need to do configuration remotely. To enable SSH:

  • Go to menu and click System
  • In the drop down list select Advanced and you will be directed to a configuration page
  • Under Admin Access tab find the topic Secure Shell
  • Tick the Enable Secure Shell check box
  • Click Save

Firewall Rules

  • Go to menu and click Firewall
  • In the drop down list select Rules and you will be directed to the firewall rules configuration page
  • You will see three tabs
    • WAN : traffic arriving on the WAN port
    • LAN : traffic arriving on the LAN port
    • Floating : advanced firewall rules which can apply in any direction and to any or multiple interfaces
  • In the WAN tab you will see two rules already configured
    • Blocking your private network addresses from leaking outside
    • Blocking IANA reserved (bogon) addresses from leaking outside
  • In the LAN tab you will see three rules already configured
    • Allowing HTTPS, HTTP and SSH (if you enable SSH) to the firewall IP, so you cannot lock yourself out
    • Allowing all LAN IPv4 addresses to connect outside
    • Allowing all LAN IPv6 addresses to connect outside

Now let's create a new rule.

  • In your VM desktop go to the left corner and click the icon. From the menu select Terminal Emulator and open a terminal
  • Try to ping a known host (your gateway, the LEARN DNS or even Google); it should work
  • Now go to your firewall web interface. Under the LAN tab click Add and you will be taken to the Edit Firewall Rule page
  • Set the parameters as follows
    • Action : Block
    • Interface : LAN
    • Address Family : IPv4
    • Protocol : ICMP
    • Source : Single Host or Alias
    • Give your vm's IP address in the text box
    • Destination : any
    • Description : Block ICMP from user host
  • Click Save and click Apply Changes on the following page
  • Try to ping the same IP from your VM again
  • We will do more with rules later

Static NAT

You can use static (1:1) NAT if you have a special requirement, like a web server inside your LAN. It maps the private IP you specify to an additional public IP.

Create virtual IP

We need to create an additional WAN IP for the NAT.

  • First go to menu and select Firewall. From the drop down list select Virtual IPs
  • In the Virtual IPs page click the Add button
  • On the next page set the following
    • Type : IP Alias
    • Interface : WAN
    • Address Type : Single address
    • Address : the address assigned to your pc in the IP table, with mask /24
    • Description : WAN IP for NAT
  • Click Save and then Apply Changes on the next page

Create NAT

Now let's map the created public IP to the private IP.

  • First go to menu and select Firewall. From the drop down list select NAT
  • In the 1:1 tab click the Add button
  • On the next page set the following
    • Interface : WAN
    • External subnet IP : Your spare IP address
    • Internal IP : Single host, and give your VM's IP in the text box
    • Destination : any
    • Description : NAT For test
  • Click Save and then Apply Changes on the next page

Allow Access

  • First go to menu and select Firewall. From the drop down list select Rules
  • In the WAN tab click the Add button
  • On the next page set the following
    • Action : Pass
    • Interface : WAN
    • Address Family : IPv4
    • Protocol : any
    • Source : any
    • Destination : Single Host or Alias
    • Give your VM's IP address in the text box
    • Description : Allowing NAT
  • Click Save and then Apply Changes on the next page
  • Now try to ping your VM from your PC (use the public IP address)
  • Now try to SSH to your VM from your PC (use the public IP address)

Using Alias

Aliases can be used to simplify your configuration. Imagine you have a set of devices that need the same privileges. Without aliases you have to add a rule for each device; with aliases you can bundle them under a single name and write the rule once. To create aliases:

Create Aliases

Let's bundle some hosts.

  • First go to menu and select Firewall. From the drop down list select Aliases
  • In the IP tab click the Add button
  • On the next page set the following
    • Name : Famoussites
    • Description : some most visited sites
    • Type : Hosts
    • IP or FQDN : google.com
    • Click Add Host; you will get another box to add more hosts
    • Add yahoo.com and facebook.com and click Save. On the next page click Apply Changes

Now let's bundle some ports.

  • Go to menu and select Firewall. From the drop down list select Aliases
  • In the Ports tab click the Add button
  • On the next page set the following
    • Name : Usable ports
    • Description : some most popular ports
    • Type : Ports
    • Port : add ports 22, 53, 25, 80 and 443, then click Save. On the next page click Apply Changes

Now let's use these aliases.

  • Go to menu and click Firewall
  • In the drop down list select Rules and go to the WAN tab
  • Edit the rule you created in the NAT section by clicking the pencil icon
  • Change Destination port range from any to (other)
  • In the Custom text box type the name of the port alias you created above
  • Click Save and Apply Changes
  • Try to ping the VM from your PC
  • Try to SSH to the VM from your PC
  • Go to menu and click Firewall
  • In the drop down list select Rules, go to the LAN tab and click Add
  • Set the parameters as follows
    • Action : Block
    • Interface : LAN
    • Address Family : IPv4
    • Protocol : ICMP
    • Source : Single Host or Alias
    • Give your VM's IP address in the text box
    • Destination : Single Host or Alias
    • Give the alias Famoussites
    • Description : Block ICMP from user host
  • Click Save and then Apply Changes on the next page
  • Try to ping google.com, yahoo.com and facebook.com from your VM
  • Try to ping www.ac.lk
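The two exercises above depend on how pfSense walks a rule tab: top to bottom, first match wins, and anything unmatched is dropped. The following is an added model of that evaluation (not pfSense code) written for this page's rules and aliases; the alias contents and the VM address are constructed stand-ins, since the FQDNs are not resolved here.

```python
from dataclasses import dataclass

# Constructed stand-ins for what pfSense would resolve the aliases to; the
# addresses are from documentation ranges, not real lookups of the FQDNs.
HOST_ALIASES = {"Famoussites": {"203.0.113.10", "203.0.113.20", "203.0.113.30"}}
PORT_ALIASES = {"Usable ports": {22, 53, 25, 80, 443}}
VM = "10.1.1.50"  # constructed address of the client VM behind the LAN

@dataclass
class Rule:
    action: str         # "pass" or "block"
    interface: str      # "lan" or "wan" (the tab the rule lives on)
    proto: str          # "icmp", "tcp", "udp" or "any"
    src: str = "any"    # single address, host alias name or "any"
    dst: str = "any"
    dport: str = "any"  # port number as text, port alias name or "any"
    descr: str = ""

def _addr_matches(spec, addr):
    return spec == "any" or addr in HOST_ALIASES.get(spec, {spec})

def _port_matches(spec, port):
    allowed = PORT_ALIASES[spec] if spec in PORT_ALIASES else {int(spec)}
    return port in allowed

def evaluate(rules, interface, proto, src, dst, dport=0):
    """First matching rule wins; no match means the implicit default block.
    A rule that restricts ports only applies to TCP/UDP, which is why ICMP
    stops matching 'Allowing NAT' once it is narrowed to the port alias."""
    for r in rules:
        if r.interface != interface or r.proto not in ("any", proto):
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        if r.dport != "any":
            if proto not in ("tcp", "udp") or not _port_matches(r.dport, dport):
                continue
        return r.action, r.descr
    return "block", "default deny"

# LAN tab as the page leaves it: the ICMP block sits above the default allow.
LAN_RULES = [
    Rule("block", "lan", "icmp", src=VM, dst="Famoussites", descr="Block ICMP from user host"),
    Rule("pass", "lan", "any", descr="Default allow LAN to any rule"),
]
# WAN tab after the alias section: inbound to the VM only on the aliased ports.
WAN_RULES = [Rule("pass", "wan", "any", dst=VM, dport="Usable ports", descr="Allowing NAT")]

if __name__ == "__main__":
    print(evaluate(LAN_RULES, "lan", "icmp", VM, "203.0.113.10"))   # blocked by the alias rule
    print(evaluate(LAN_RULES, "lan", "icmp", VM, "192.248.1.161"))  # passes: not in the alias
    print(evaluate(list(reversed(LAN_RULES)), "lan", "icmp", VM, "203.0.113.10"))  # order matters
```

The reversed-order call shows why the block rule has to sit above the default allow: placed below it, it is never reached.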

Traffic Management

Now you are going to test your link speed.

  • Open the speedtest website and note down the testing host (eg: LIMRAS EONET / Madurai)
  • Click the GO button. It will run the link speed test. After the test note down the results (better if you run it two or three times)
  • Now go back to your pfSense web interface. Go to menu and click Firewall. Select Traffic Shaper from the drop down list
  • In the Limiters tab click New Limiter
  • Add these on the following page
    • Enable : tick the checkbox
    • Name : upload
    • Bandwidth : 1, Bw type : Mbit/s, Schedule : none
    • Description : Upload bandwidth limiter
    • Click Save and click Apply Changes
  • Again click New Limiter and add these on the following page
    • Enable : tick the checkbox
    • Name : download
    • Bandwidth : 1, Bw type : Mbit/s, Schedule : none
    • Description : Download bandwidth limiter
    • Click Save and click Apply Changes
  • Go to menu and click Firewall. In the drop down list select Rules and go to the LAN tab
  • Edit the rule with the description "Default allow LAN to any rule" (by clicking the pencil icon)
  • Click the Display Advanced button
  • Find the In/Out pipe section. It has two drop down boxes.

The left drop down box is for inbound traffic on the LAN port (the VM's upload); the right one is for outbound traffic of the LAN port (the VM's download).

  • In the left side box select upload
  • In the right side box select download
  • Save and Apply Changes
  • Go to the speedtest website again and repeat the test. Any changes?

Package Management

  • Go to menu and select System. From the drop down list select Package Manager
  • Click on Available Packages

You will see a lot of packages. All of them can be installed easily in pfSense and configured within the firewall, but using these packages may require more hardware resources. For this exercise you will install ntopng. You can find a description of ntopng in Available Packages.

  • Find ntopng, click the Install button and confirm the installation

It will take some time to install. After the installation it will show the message "installation successfully completed".

  • Now go to menu and select Diagnostics. From the drop down list select ntopng Settings
  • Set the parameters as follows
    • Enable ntopng : tick the checkbox
    • Keep Data/Settings : tick the checkbox
    • ntopng Admin Password : Give a password and Confirm it
    • Interface : LAN
    • Do not change DNS Mode
    • Local Network : Consider only LAN interface local
    • Historical Data Storage : untick the check box (in a real environment you can enable this if you have a good amount of disk space)
    • Click Save
  • Now go to menu and select Diagnostics. From the drop down list select ntopng

You will be directed to the ntopng login page.

  • Give the user name admin and the password you set

Currently you have a single LAN device connected, so it will only show that device's communications.

  • Go to the Flows tab. You will see all the flows going through the firewall
  • Ping some known sites and see the changes
  • Browse some web sites and see the changes