pfSense 2 Cookbook

By Matt Williamson
About this book

pfSense is an open source, FreeBSD-based firewall distribution that provides a platform for flexible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options, which makes determining requirements a little more difficult and a lot more important compared to other offerings. Through this book you will see that pfSense offers numerous alternatives to fit any environment's security needs.

pfSense 2.0 Cookbook is the first and only book to explore all the features of pfSense, including those released in the latest 2.0 version. With the help of step-by-step instructions and detailed screenshots of the pfSense interface you will be able to configure every general and advanced feature from creating a firewall rule to configuring multi-WAN failover. Each recipe includes tips and offers advice on variations of the topic or references to other related recipes and additional information that can be found from other sources.

pfSense 2.0 Cookbook covers the gamut of available features and functionality. The first three chapters will take you from a non-existent system to a basic pfSense firewall. The next chapter focuses on configuring any number of the VPN services available, a very important and sought-after feature for anyone implementing a firewall. The following two chapters describe how to configure the most advanced features available in pfSense; features that may only be relevant to the most experienced network admins. Chapter 7 is dedicated to understanding and configuring the "grab-bag" of features that are available in pfSense, but are often stand-alone options and unrelated to each other. The first appendix explains how to use the status monitoring tools available for many of the features. The second appendix wraps up with helping you to decide how and where pfSense may be incorporated into your system and what type of hardware is required based on your throughput needs.

Publication date: March 2011
Publisher: Packt
Pages: 252
ISBN: 9781849514866

 

Chapter 1. Initial Configuration

In this chapter, we will cover:

  • Applying basic settings in General Setup

  • Identifying and assigning interfaces

  • Configuring the WAN interface

  • Configuring the LAN interface

  • Configuring optional interfaces

  • Enabling the Secure Shell (SSH)

  • Generating authorized RSA keys

  • Configuring SSH RSA key authentication

  • Accessing the Secure Shell (SSH)

 

Introduction


pfSense is an open source operating system used to turn a computer into a firewall, router, or a variety of other application-specific network appliances. pfSense is a customized FreeBSD distribution based on the m0n0wall project, a powerful but lightweight firewall distribution. pfSense builds upon m0n0wall's foundation and takes its functionality several steps further by adding a variety of other popular networking services.

This chapter covers the core settings needed for almost every pfSense deployment, whether that is a firewall, router, or even a wireless access point. Once pfSense is installed and configured according to the recipes in this chapter, you will have a fully operational firewall plus router. At its most basic level, a pfSense machine can be used to replace the common home router when more functionality is desired. In more advanced configurations, pfSense can be used to establish a secure tunnel to a remote office, load-balance a web farm, or shape and prioritize all network traffic, just to name a few example scenarios. There are literally hundreds of ways to configure and customize a pfSense installation.

Once pfSense is installed, there are two ways to access the system remotely—SSH and the WebGUI. An SSH connection will present you with the same low-level system menu that you would see on the screen if your machine is connected to a monitor. The SSH menu options are basic and very little configuration is done here. Unless specified otherwise, all of the configuration described in the recipes in this book is done through the WebGUI, which is accessible through the IP address of any interface you configured during installation (such as 192.168.1.1).

 

Applying basic settings in General Setup


This recipe describes how to configure the core system settings in pfSense.

Getting ready

All that's required for this recipe is a base installation of pfSense and access to the WebGUI. Some of these settings will have been configured during the installation process, but can be modified here at any time.

Note

On a new install, the default credentials are:

Username: admin

Password: pfsense

How to do it...

  1. Browse to System | General Setup.

  2. Enter a Hostname. This name will be used to access the machine by name instead of the IP address. For example, we can browse to http://pfsense instead of http://192.168.1.1.

  3. Enter your Domain.

  4. DNS Servers can be specified here. By default, pfSense will act as the primary DNS server and these fields will be blank. However, other DNS servers may certainly be used. Please refer to the Specifying alternate DNS servers recipe in Chapter 2, Essential Services for more information.

  5. Check Allow DNS server list to be overridden by DHCP/PPP on WAN. This ensures that any DNS requests that can't be resolved internally are passed on and resolved by the external DNS servers provided by your ISP.

  6. Enter a Time zone and leave the default NTP time server as 0.pfsense.pool.ntp.org.

  7. I'd recommend the default Theme, pfSense 2.0's new pfsense_ng. The top menus are now static and won't disappear if you scroll down through the content of the page, a great addition to the UI.

See also

  • The Configuring the DNS Forwarder recipe in Chapter 2, Essential Services

  • The Specifying alternate DNS servers recipe in Chapter 2, Essential Services

 

Identifying and assigning interfaces


This recipe describes how to identify a network configuration and assign the appropriate interfaces in pfSense.

Getting ready

You'll need to identify the MAC address for each Ethernet port on your pfSense machine before attempting to assign interfaces.

How to do it...

  1. Access the console from the physical machine or enable SSH and connect remotely (see the Enabling the Secure Shell (SSH) recipe for details).

  2. The home screen will display a list of interfaces, network ports, and IP addresses.

  3. Choose option 1 to Assign Interfaces.

  4. Skip setting up VLANs for now. See the Creating a Virtual LAN recipe in Chapter 5, Essential Services for more information.

  5. Assign each interface to the interface of your choice by matching the MAC address to the interface address on the display.

    Note

    The ability to only configure a single interface is new to pfSense 2.0. Prior versions required a minimum of two (WAN and LAN) interfaces.

How it works...

pfSense, like any other computer operating system, references each NIC by some unique value (fxp0, em0, em1, and so on). These unique identifiers are often associated with the driver being used and make it easier for us humans to use than the associated MAC address (00:80:0c:12:01:52). Taking that concept a step further, an interface is simply a named placeholder for each port: fxp0=WAN, em0=LAN, em1=DMZ, and so on.

There's more...

Now that you know which port is mapped to which interface, you can manage future interface changes through the WebGUI by browsing to Interfaces | (assign).

See also

  • The Accessing the Secure Shell (SSH) recipe

  • The Configuring the WAN interface recipe

  • The Configuring the LAN interface recipe

  • The Configuring optional interfaces recipe

 

Configuring the WAN interface


This recipe describes how to configure the Wide Area Network (WAN) on the external interface of our firewall.

Getting ready

The WAN interface is your connection to the outside world. You'll need a properly configured WAN interface (as described in the previous chapter) and an Internet connection. In this example, a cable modem provides the Internet connection from our local Internet Service Provider (ISP), but pfSense will support every other major connection method.

How to do it...

  1. Browse to Interfaces | WAN.

  2. Check Enable Interface.

  3. Choose an address configuration Type.

  4. Leave MAC address blank. Manually entering a MAC address here is known as "spoofing". Your ISP has no way of verifying MAC addresses, so you can simply make one up. This can be helpful if you're trying to force your ISP to hand you a new IP address or a different set of DNS servers.

  5. Leave MTU, MSS, Hostname, and Alias IP address blank.

  6. Check Block private networks. This setting is usually only checked on a WAN interface.

  7. Check Block bogon networks. This setting is usually only checked on a WAN interface.

  8. Save changes.

How it works...

We must first establish our connection to the Internet before we can configure pfSense to allow our other networks to access it. The example we've performed is typical of many SOHO environments. By placing our firewall as the only machine with direct access to the Internet, we are securing our environment by establishing complete control over the traffic that flows in and out of our networks. All traffic must now pass through our firewall and abide by our rules.

There's more...

We can now connect our WAN device (cable modem) to the WAN Ethernet port we've defined on our pfSense box. Once the connection has been established, we can check the status of our WAN port from Status | Interfaces.

See also

  • The Identifying and assigning interfaces recipe

  • The Configuring the LAN interface recipe

  • The Configuring optional interfaces recipe

 

Configuring the LAN interface


This recipe describes how to configure the Local Area Network (LAN) internal interface of our firewall.

Getting ready

The LAN interface is used to connect your devices to a secure internal network. A properly configured LAN interface is required.

How to do it...

  1. Browse to Interfaces | LAN.

  2. Check Enable Interface.

  3. Choose an address configuration Type.

  4. Enter an IP address and subnet mask. Leave Gateway set to None.

  5. Ensure Block private networks and Block bogon networks are unchecked.

  6. Save the changes.

How it works...

You've just defined your first internal network. If you've been performing the recipes in order, you've now met the minimum requirements for a fully-functioning firewall! You've defined one external network (WAN) and one internal network (LAN). You can now define the rules and relationships to regulate traffic between the two.

There's more...

You can now connect a switch to the LAN interface on your pfSense machine. This will allow you to connect multiple computers to your LAN network.

See also

  • The Identifying and assigning interfaces recipe

  • The Configuring the WAN interface recipe

  • The Configuring optional interfaces recipe

 

Configuring optional interfaces


This recipe describes how to create and assign optional network interfaces to our firewall.

Getting ready

The optional network you'll create in this example is commonly referred to as a DMZ. The idea is taken from the military concept of a demilitarized zone, in which some traffic is allowed to pass and some traffic isn't. The area is controlled and clearly separated from your other areas. When applied to networking, a DMZ network follows this pattern:

Internet Traffic | ← DMZ ← LAN Traffic

Unsafe Internet traffic is allowed to enter the DMZ, to access a webserver for example. LAN traffic can also enter the DMZ; it wants to access the webserver too. However, the key lies in the last rule—no DMZ traffic is allowed to enter the LAN.

The DMZ is our less secure network, to which we'll allow certain external access. To configure a DMZ, or any other optional network, we'll need an available interface.

How to do it...

  1. Browse to an available interface, Interfaces | OPT1.

  2. Check Enable Interface.

  3. Set Description to DMZ.

  4. Choose an address configuration Type, Static for our example.

  5. Enter an IP address and the subnet mask. We'll use 192.168.2.1 and select 24 from the drop-down list.

  6. Leave Gateway set to None.

  7. Ensure Block private networks and Block bogon networks are unchecked.

  8. Save the changes.

  9. Apply changes.

How it works...

Your DMZ network will allow external (WAN) access. Your DMZ will also allow access from the LAN, but it won't be permitted to send traffic to the LAN. This will allow devices on the Internet to access your DMZ resources (websites, e-mail, and so on) without being able to access any part of your private LAN network.

There's more...

You could now attach a switch to your DMZ interface to connect multiple machines. If you've been following these recipes in order, your network now has three segments, WAN, LAN, and DMZ, each attached to its own interface on the firewall.

See also

  • The Identifying and assigning interfaces recipe

  • The Configuring the WAN interface recipe

  • The Configuring the LAN interface recipe

 

Enabling the Secure Shell (SSH)


This recipe describes how to enable the Secure Shell (SSH) service in pfSense.

Getting ready

SSH is a networking protocol that allows encrypted communication between two devices. Enabling SSH allows secure access to the pfSense console remotely, just as if you were sitting in front of the physical console.

How to do it...

  1. Browse to System | Advanced | Secure Shell.

  2. Check Enable Secure Shell.

  3. You will be prompted for credentials when you connect (use the same username and password as the WebGUI), but checking Disable password login for Secure Shell will allow you to use RSA keys instead. See the next recipe for details.

  4. Leave the SSH port blank to use the default port (22).

  5. Save the changes and the SSH service will be started.

How it works...

Enabling the Secure Shell turns on pfSense's built-in SSH server to listen to requests on the port you've specified (port 22 by default).

Note

Like all pfSense services (unless otherwise noted), the SSH service will listen on every available interface. As with other services, firewall rules are used to grant or deny access to it. See Chapter 3, General Configuration for more information on configuring firewall rules.

There's more...

Changing the SSH authentication method to use RSA keys is a great way to secure access to your system. See the following recipe for details.

Additionally, you can change the port that SSH listens on. Doing so may increase security slightly by reducing the number of unauthorized login attempts, but you will need to remember what you have changed it to, or you will be unable to connect.

See also

  • The Generating authorized RSA keys recipe

  • The Creating a firewall rule recipe in Chapter 3, General Configuration

 

Generating authorized RSA keys


This recipe describes how to create an authorized RSA key so a user can connect to pfSense without being prompted for a password.

Getting ready

Linux and Mac users will need to ensure ssh-keygen is installed on their system (almost all distributions have this installed by default). Windows users will need to download and install the PuTTYGen tool.

How to do it...

Generate an SSH key from a Linux/Mac Client as follows:

  1. Open a terminal and run:

    ssh-keygen
    
  2. Save the key to the default location of /home/user/.ssh/ and specify a passphrase (optional, but recommended).

  3. Your public key is now located at /home/user/.ssh/id_rsa.pub.

Generate an SSH key from a Windows client using PuTTY as follows:

  4. Open PuTTYGen and generate a public/private key pair by clicking the Generate button.

  5. Enter a passphrase (optional, but recommended).

  6. Click the Save Private Key button and choose a location, such as C:\MyPrivateKey.ppk.

  7. Highlight the public key that was generated in the textbox and copy and paste it into a new file, let's say C:\MyPublicKey.txt. (Do not use the Save Public Key button, as that adds comments and other fields that are sometimes incompatible.)

How it works...

RSA keys have become a standard for securing client/server connections for any service which chooses to take advantage of it. A client generates a key pair—a private key file and a public key file (an optional pass-phrase can be specified for enhanced security). Now, any server administrator can request that client's public key and add it to their system. The client can then securely authenticate without typing in a password.

There's more...

RSA key authentication is most often associated with SSH access, and is often referred to as SSH keys but that is misleading. RSA keys are generic and not specific to SSH. Although SSH often uses them, RSA keys can be used by any type of service that chooses to support them, such as VPN, VoIP, FTP, and so on.

See also

  • The Enabling the Secure Shell (SSH) recipe

  • The Configuring SSH RSA key authentication recipe

 

Configuring SSH RSA key authentication


This recipe describes how to configure pfSense to use an RSA key rather than a password for SSH authentication.

Getting ready

Make sure that SSH is already enabled and you have generated a public key for your client.

How to do it...

  1. Browse to System | Advanced | Secure Shell.

  2. Check Disable password login for Secure Shell (RSA key only).

  3. Edit the user we will associate with the client's public key from System | User Manager | Edit admin.

  4. Select Click to paste an authorized key and paste our client's public RSA key here. When pasted, the key should appear as a single line. Be sure your text editor didn't insert any line feed characters or authentication may fail.

  5. Save the changes.
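The key pasted in step 4 above must be a single line, and the public key copied out of PuTTYGen (step 7 of the previous recipe) is the usual place where line feeds creep in. The following added example (not from the book) is a small POSIX shell check that strips CR/LF from a saved key file and verifies the result looks like a well-formed ssh-rsa authorized key before you paste it. The sample key is constructed: its modulus is only four bytes, so it is structurally valid but useless as a real key.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check a public key before it goes
# into pfSense's "Click to paste an authorized key" box. The usual failure is
# a key that an editor or a Windows copy/paste has split across lines or
# tagged with CR characters, which makes authentication fail silently.

# Constructed sample key (assumption): a 4-byte modulus makes it useless as
# a real key, but the blob has the exact layout of an "ssh-rsa" blob.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABADA/+4= admin@example.org'

# normalize_pubkey: read a key file on stdin and print it as one line with
# every CR and LF removed, which is what the pfSense textbox expects.
# Usage: normalize_pubkey < MyPublicKey.txt
normalize_pubkey() {
    tr -d '\r\n'
}

# check_pubkey_line LINE: return 0 when LINE is a plausible ssh-rsa
# authorized key ("ssh-rsa <base64 blob> [comment]"), 1 otherwise.
check_pubkey_line() {
    # Split on whitespace into key type, blob, and optional comment.
    set -- $1
    [ "$#" -ge 2 ] || return 1
    [ "$1" = "ssh-rsa" ] || return 1
    # The blob must be base64, with '=' padding only at the very end.
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    # Every ssh-rsa blob begins with the length-prefixed string "ssh-rsa";
    # its base64 encoding is this fixed 15-character prefix.
    case $2 in
        AAAAB3NzaC1yc2E*) return 0 ;;
        *) return 1 ;;
    esac
}

# repair_demo: simulate a key mangled by a Windows copy/paste (CRLF line
# endings and a wrap in the middle of the blob), repair it, print the
# repaired line, and return the result of the check.
repair_demo() {
    # Constructed broken input: blob wrapped after 25 characters, CRLF endings.
    fixed=$(printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA\r\nAAABADA/+4= admin@example.org\r\n' | normalize_pubkey)
    printf '%s\n' "$fixed"
    check_pubkey_line "$fixed"
}
```

Run `normalize_pubkey < C:\MyPublicKey.txt` (or the Linux id_rsa.pub) and paste its output; if `check_pubkey_line` rejects the line, fix the file rather than the pfSense form.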

How it works...

When we connect using an SSH client, we won't be asked for a password. Instead, the SSH server will use its copy of the public RSA key to send a challenge that can only be answered if you possess the matching private key.

There's more...

RSA private keys can also be stored encrypted on the client machine. The SSH client will prompt for a decryption passphrase for the private key before being able to use it for authentication with the server.

See also

  • The Enabling the Secure Shell (SSH) recipe

  • The Generating authorized RSA keys recipe

  • The Accessing the Secure Shell (SSH) recipe

 

Accessing the Secure Shell (SSH)


This recipe describes how to access the pfSense console from any Linux, Mac, or Windows client computer.

Getting ready

SSH must be enabled and configured on our pfSense box. Linux and Mac users will have the SSH client installed by default. Windows users will have to download and install PuTTY.

How to do it...

Connect via SSH from a Linux/Mac client as follows:

  1. Open a terminal window and run:

    ssh admin@192.168.1.1
    
  2. If you are using the default configuration, you'll then be prompted for a password.

  3. If you are using RSA key authentication, you'll connect directly or be asked to enter the pass-phrase associated with your key. If you need to specify the location of your private key file, you can use the -i option as follows:

    ssh -i /home/matt/key/id_rsa admin@192.168.1.1
    
  4. If you've configured pfSense to use a different port, you can specify that using the -p option, as in the following example:

    ssh -p 12345 admin@192.168.1.1
    

Connect via SSH from a Windows client with PuTTY as follows:

  5. Open PuTTY and specify your hostname or IP address.

  6. Specify an alternative port if necessary (default is port 22).

  7. If you are using RSA key authentication, browse to your private key file from Connection | SSH | Auth | Private key file for authentication.

  8. You'll connect and be prompted for a username.

  9. You'll then be prompted for a password, or if RSA authentication is used, you'll connect directly or be prompted for your pass-phrase.

How it works...

SSH allows access to the pfSense console menu from any computer that has an SSH client. You can even access the console from your phone if you install an SSH client on your mobile device.

See also

  • The Enabling the Secure Shell (SSH) recipe

  • The Generating authorized RSA keys recipe

  • The Configuring SSH RSA key authentication recipe

About the Author
  • Matt Williamson

    Matt Williamson is the founder of Blue Key Consulting – a computer systems design and development firm located in the New York City area. Before forming his consulting business, Matt developed software for a number of companies in the insurance and financial research industries. A long-time user of pfSense, Matt has incorporated pfSense in a number of roles throughout a variety of his own systems and those of his clients. His personal website and blog can be found at http://www.bunkerhollow.com.
