pfSense 2.x Cookbook - Second Edition

5 (1 reviews total)
By David Zientara
  • Instant online access to over 7,500+ books and videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Initial Configuration

About this book

pfSense is an open source distribution of the FreeBSD-based firewall that provides a platform for flexible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options, which makes determining requirements a little more difficult and a lot more important compared to other offerings.

pfSense 2.x Cookbook – Second Edition starts by providing you with an understanding of how to complete the basic steps needed to render a pfSense firewall operational. It starts by showing you how to set up different forms of NAT entries and firewall rules and use aliases and scheduling in firewall rules. Moving on, you will learn how to implement a captive portal set up in different ways (no authentication, user manager authentication, and RADIUS authentication), as well as NTP and SNMP configuration. You will then learn how to set up a VPN tunnel with pfSense. The book then focuses on setting up traffic shaping with pfSense, using either the built-in traffic shaping wizard, custom floating rules, or Snort. Toward the end, you will set up multiple WAN interfaces, load balancing and failover groups, and a CARP failover group. You will also learn how to bridge interfaces, add static routing entries, and use dynamic routing protocols via third-party packages.

Publication date:
December 2018
Publisher
Packt
Pages
298
ISBN
9781789806427

 

Chapter 1. Initial Configuration

In this chapter, we will cover the following recipes:

  • Applying basic settings to General Setup
  • Identifying and assigning interfaces
  • Configuring a WAN interface
  • Configuring a LAN interface
  • Configuring optional interfaces
  • Enabling SSH access
  • Generating authorized RSA keys
  • Configuring SSH RSA authentication
  • Accessing the SSH
  • Configuring VLANs
  • Assigning interfaces from the console
  • Configuring a WAN interface from the console
  • Configuring a LAN interface from the console
  • Configuring optional interfaces from the console
  • Configuring VLANs from the console
 

Introduction


pfSense is open source software that can be used to turn a computer into a firewall/router. Its origins can be traced to the FreeBSD packet-filtering program known as PF, which has been part of FreeBSD since 2001. As PF is a command-line utility, work soon began on developing software that would provide a graphical frontend to PF. The m0n0wall project, which provides an easy-to-use, web-based interface for PF, was thus started. The first release of m0n0wall took place in 2003. pfSense began as a fork of the m0n0wall project.

Version 1.0 of pfSense was released on October 4, 2006, and version 2.0 was released on September 17, 2011. A key point in the development of pfSense took place with the release of Version 2.3 on April 12, 2016. This version phased out support for legacy technologies such as Point to Point Tunneling Protocol (PPTP), Wireless Encryption Protocol (WEP), and Single DES, and also provided a face-lift for the web GUI. Version 2.4, released on October 12, 2017, continues this trend of phasing out support for legacy technologies while also adding features. Support for 32 bit x86 architectures has been deprecated, while support for Netgate Advanced RISC Machines (ARM) devices has been added. A new pfSense installer (based on FreeBSD’s bsdinstall) has been incorporated into pfSense, and there is support for the ZFS filesystem, as well as the Unified Extensible Firmware Interface (UEFI). pfSense now supports multiple languages; the web GUI has been translated into 13 different languages.

This chapter will cover the basic configuration steps common to virtually all deployments. Once you have completed the recipes in this chapter, you will have a fully functional router/firewall. By following the recipes in subsequent chapters, you can enhance that functionality by adding specific firewall rules, enabling traffic shaping, adding load balancing and multi-WAN capabilities, and much more.

 

Applying basic settings to General Setup


This recipe describes how to configure core pfSense settings from the web GUI.

Getting ready

All that is required for this recipe is a fresh install of pfSense and access to the web GUI.

Note

On a new install, the default login credentials are Username: admin and Password: pfsense

How to do it...

  1. In the web GUI, navigate toSystem | General Setup.
  2. In the first section of the page (System), enter a Hostname. This name can be used to access the firewall instead of the IP address:
  1. In the next field, enter the Domain:

  1. The next field is DNS Servers. By default, pfSense will act as the primary DNS server; however, you can specify alternate DNS servers here. The Add DNS Server button causes an additional edit box to appear, into which you can enter another DNS server; you can add as many alternate DNS servers as is necessary:

  1. Check the Allow DNSserver list to be overridden by DHCP/PPP on WAN checkbox (it should be checked by default). This ensures that any DNS requests that cannot be processed internally will be passed on to the external DNS servers, asspecified by your ISP:

  1. In the Localization section, specify a Timezone and leave Timeservers at the default value of 0.pfsense.pool.ntp.org. Specify the appropriate Language (the default is English):

  1. In the webConfigurator section, I’d recommend the default Theme of pfSense. You can set Top Navigation to either Scrolls with page (appropriate for all screen sizes) or Fixed (designed for large screens only). You may also set the number of Dashboard Columns (the default is 2):

  1. When done, click on the Save button.

See also

  • The Configuring the DNS Forwarder recipe in Chapter 2, Essential Services.

 

Identifying and assigning interfaces


This recipe describes how to identify interfaces on a network configuration and how to assign them in pfSense.

Getting ready

You need to identify the MAC addresses for each Ethernet port on your pfSense system before attempting to assign them.

How to do it...

  1. Navigate toInterfaces | Interface Assignments.
  2. Assign a WAN interface, first by selecting the correct MAC address from the drop-down list for the WAN interface:
  1. Repeat this process for the LAN interface, selecting the correct MAC address from the drop-down list for the LAN interface. If necessary, add the LAN interface to the list by following this process:
    1. Click on the Addbutton in theAvailable network portscolumn.
    2. Click on the name of the newly created interface in the Interfaces column (it should be OPT1).
    3. When the configuration page for the interface loads, change Description to LAN.
    4. Click on the Save button at the bottom of the page.
    5. Navigate back to Interfaces | Interface Assignments.
  2. If you want to add optional interfaces, you can do so by repeating step 3 and substituting the name of the optional interface (for example, DMZ) for LAN.
  3. When you are done assigning interfaces, click on the Save button.

See also

  • The Assigning interfaces at the console recipe
 

Configuring a WAN interface


This recipe describes how to configure the Wide Area Network (WAN) interface, which provides access to external networks on our pfSense system.

Getting ready

The WAN interface is your connection to external networks (in most cases, the public internet). You will need a properly configured WAN interface and an internet connection. In this example, we will connect to the internet via an Internet Service Provider (ISP) and a cable modem.

How to do it...

  1. Navigate toInterfaces | WAN.
  2. Check the Enable Interface checkbox (it should be checked by default):
  1. Choose anIPv4 Configuration Type(usually DHCP).
  2. Choose an IPv6 Configuration Type, or leave it set to None.
  3. Leave MAC Address blank. Manually entering a MAC address here is known as MAC address spoofing. You can enter a MAC address here if you want to force your ISP to hand you a different IP address, or a different set of DNS servers. Be warned, however, that the MAC address entered must have a valid manufacturer’s prefix or it won’t work.
  4. Leave MTU, MSS, Hostname, and Alias IP address blank.
  1. Check the Block private networks and loopback addresses checkbox (it should be checked by default). This will block RFC 1918 private addresses from being sent out over the public internet.
  2. Check the Block bogon networks checkbox (it should be checked by default). This will block packets from IP addresses not yet assigned by IANA from being sent or received:
  1. Click on the Save button when done.

How it works...

We must first establish a connection to the internet before we can configure pfSense to allow other networks to access it. The example we provided is a typical WAN configuration for a Small Office/Home Office (SOHO) environment. By setting up the WAN interface as the only interface with direct access to the internet, we are securing the network behind the firewall and establishing complete control over our networks. All networks behind the firewall must now abide by the rules we create.

There's more...

Now that we have configured the WAN interface, we can connect the cable modem to the WAN port on pfSense and check the status of the WAN port by navigating to Status | Interfaces.

See also

  • The Identifying and assigning interfaces recipe in this chapter
  • The Configuring a LAN interface recipe in this chapter
  • The Configuring optional interfaces from the console recipe in this chapter
 

Configuring a LAN interface


This recipe describes how to configure the Local Area Network (LAN) internal interface of our pfSense firewall.

Getting ready

The LAN interface is the interface to the internal network through which our nodes will be able to securely connect to other internal nodes and to the internet. An assigned LAN interface is required.

How to do it...

  1. Navigate toInterfaces | LAN.
  2. Check the Enable Interface checkbox:
  1. Choose anIPv4 Configuration Type(usuallyStatic IPv4).
  2. Choose an IPv6 Configuration Type (or leave it set to None).
  3. Enter an IPv4 Address in the appropriate field, and the correct CIDR in the adjacent drop-down box. Leave IPv4 Upstream gateway set to None.
  4. If you enabled IPv6 by setting the IPv6 Configuration Type, enter an IPv4 Address in the appropriate field and the correct CIDR in the adjacent drop-down box.
  5. Leave Block private networks and Block bogon networks unchecked (they should be unchecked by default).
  6. When you are done making changes, click on the Save button. When the page reloads, click on the Apply Changes button.

How it works...

You have just defined your first internal network. If you have been following these recipes in order, you now have met the minimal requirements for a fully functional network. You can now either continue adding networks, or start configuring the rules to regulate traffic between the networks.

There's more...

You can now connect a switch to the LAN port of your pfSense system, and connect nodes to the LAN network.

See also

  • The Identifying and assigning interfaces recipe in this chapter
  • The Configuring a WAN interface recipe in this chapter
  • The Configuring optional interfaces from the console recipe in this chapter
 

Configuring optional interfaces from the console


This recipe describes how to configure optional interfaces (for example, a DMZ network) to pfSense.

Getting ready

The optional network you will create in this network will be a DMZ, which is short for the DeMilitarized Zone. The idea of a DMZ is to have a network where some traffic is allowed to pass and some traffic is not. Typically, traffic in the DMZ is allowed to pass to and from the internet but not to other internal networks. Traffic is allowed to pass from internal networks to the DMZ. Thus, the flow of traffic looks like this:

Internet <<>> DMZ << Internal networks

Unsafe internet traffic, for example, is allowed to enter a web server in the DMZ. LAN traffic is allowed to enter the DMZ as well, for example, if someone on the LAN wants to access the web server as well. However, the key lies in the fact that no DMZ traffic is allowed to access the internal networks.

To configure a DMZ, you will need at least one spare interface, and you will have to have added it using the procedure outlined in theIdentifying and assigning interfacesrecipe. We will assume that you have added at least one such interface (named OPT1).

How to do it...

  1. Navigate toInterfaces|OPT1.
  2. Check the Enable Interface checkbox:
  1. SetDescriptionto DMZ.
  2. Set IPv4 Configuration Type to Static IPv4.
  3. Enter an IPv4 Address and the CIDR. In our case, we will use 192.168.2.1 and select 24 from the CIDR dropdown list.
  4. Leave IPv4 Upstream gateway set to None.
  5. Leave the Block private networks and Block bogon networks checkboxes unchecked (they should be unchecked by default).
  6. When you are done making changes, click on the Save button. When the page reloads, click on the Apply Changes button.

How it works...

Your DMZ network will now allow external (WAN) access. Your LAN network will now be able to access the DMZ, but the DMZ will not be able to access the LAN.

There's more...

You can now attach a switch to your DMZ port to allow you to attach multiple nodes to your DMZ network. If you have been following the recipes in this chapter in order, your network will now look like this:

See also

  • The Identifying and assigning interfaces recipe
  • The Configuring a WAN interface recipe
  • The Configuring a LAN interface recipe
 

Enabling SSH access


This recipe describes how to enable the Secure Shell service in pfSense, thus making remote console login possible.

SSH is a networking protocol that allows encrypted communication between two nodes. Enabling SSH will allow you to gain access to the pfSense console remotely, as if you were at the console.

How to do it...

  1. Navigate toSystem | Advanced.
  2. In the Secure Shell section of the page, check the Enable Secure Shell checkbox:
  1. With the current settings, you will be prompted for a username and password when logging into the console remotely. But by changing theSSHd Key Onlysetting toPublic Key Only, you can set it so that only logins with a public key will be allowed. See the next recipe for details on how to generate an RSA public key.
  2. Leave SSH port set to the default, port 22.
  3. When you are done, click on the Save button.

How it works...

Enabling Secure Shell in pfSense turns on pfSense’s internal SSH server, which causes pfSense to listen for login attempts on the SSH port (in this case, port 22).

There's more...

Using RSA keys for SSH login is an effective way of securing your system. You can also change the SSH port; this should result in fewer unauthorized login attempts, though you will have to remember the new SSH port.

See also

  • The Generating authorized RSA keys recipe in this chapter
  • The Enabling RSA key authentication recipe in this chapter
 

Generating authorized RSA keys


This recipe describes how to create an authorized RSA key so the user can log in to the pfSense console without using a password.

Getting ready

Linux and macOS users will need the ssh-keygen utility (installed by default in most cases). Windows users will need the puttygen utility.

How to do it...

For Linux/macOS users:

  1. In a Terminal window, type ssh-keygen and pressEnter
  2. Enter the name of the file in which to save the public key (or just accept the default value)
  3. Enter a passphrase for the new key (not necessary, but recommended)
  1. Enter the passphrase a second time for confirmation
  2. The program will now generate an RSA public key and save it to the file

For Windows users:

  1. Start the puttygen utility.
  2. In the Actions section, click on the Generate button to generate a public/private key pair:
  1. Move your mouse over the top section of the puttygen dialog box to generate random activity, as per puttygen's instructions.
  2. Enter a passphrase (not necessary, but recommended).
  3. Click on the Saveprivate key button and specify a filename for the private key (for example, MyPrivateKey.ppk).
  4. Highlight the public key that was created in the textbox and save it to a file (for example, MyPublicKey.txt). Do not use the Save public key button because it adds potentially incompatible text to the file.

How it works...

RSA has become a standard for securing client/server connections. A client generates a public/private key pair—a private key file and a public key file, and a possible passphrase for additional security. Any server can then request the client’s public key and add it to their system; that client can then authenticate without typing in a password.

See also

  • TheEnabling SSH accessrecipe
  • The Configuring SSH RSA key authenticationrecipe
 

Configuring SSH RSA key authentication


This recipe describes how to configure pfSense to use an RSA key rather than a username/password combination for authentication.

Getting ready

Make sure you have enabled SSH access and generated an RSA key (if you completed the last two recipes, you have).

How to do it...

  1. Navigate toSystem | Advanced.
  2. Make sureSSHd Key Onlyis set toPublic Key Only:
  1. Navigate toSystem | User Manager. Click on theUserstab (it should be selected by default).
  2. Click on theEditicon (the pencil) for the admin account.
  3. In the Keyssection, paste the client's public RSA key (that can be the RSA key you created in the previous recipe). When pasted, the key should appear as a single line. Make sure your text editor does not insert any line feeds, or authentication may fail:
  1. When done, click on the Save button.

How it works...

When you connect using an SSH client, instead of asking for a username and password, the SSH server will now use your public RSA key to send a challenge to you. The challenge can only be read if you have the matching private RSA key.

There’s more...

RSA private keys can also be stored encrypted to the client’s computer.The SSH client will prompt you for the decryption password. Once entered, it will be able to use the private key for authentication.

See also

  • TheEnabling SSH accessrecipe
  • TheGenerating authorized RSA keysrecipe
  • TheAccessing the SSH recipe
 

Accessing the SSH


This recipe describes how to access the console from any Linux, macOS, or Windows computer.

Getting ready

The SSH server must be enabled and configured on your pfSense box. You must have an SSH client on your computer.An SSH client is installed by default on Linux and macOS. If you are using Windows, you need to install an SSH client such asPuTTY.

How to do it...

In Linux or macOS, follow these steps:

  1. Launch a Terminal window and type the following: ssh[email protected].
  2. If you are using the default configuration, you will be prompted for a password.
  3. If you are using RSA key authentication, the client will directly connect to the server, or you may be asked for a passphrase. If asked for a passphrase, use the one you created when creating the RSA key.
  4. If you configured SSH to use a different port, you can specify it using the -p option; for example,ssh -p 12345 [email protected].

In Windows, follow these steps:

  1. Launch PuTTY and, on the initial screen, enter the hostname or IP address of pfSense:

  1. Specify an alternate port if necessary.
  1. If you are using RSA key authentication, navigate toConnection | SSH | Auth | Private keyfile for authentication:
  1. You'll connect and be prompted for a username.
  2. You will then be prompted for a password, or if RSA authentication is used, you will connect directly, or be prompted for a passphrase.

How it works...

SSH allows access to the pfSense console from any computer or device that has an SSH client installed on it.

See also

  • TheEnabling SSH accessrecipe
  • TheGenerating authorized RSA keysrecipe
  • The Configuring SSH RSA auhenticationrecipe
 

Configuring VLANs


This recipe describes how to set up a Virtual LAN (VLAN) from the pfSense web GUI.For example, we could set up a VLAN for developers.

Getting ready

In order to complete this recipe, you must have at least one unassigned interface to use as the parent interface.

How to do it...

  1. Navigate toInterfaces | Assignments, and click on the VLANs tab.
  2. Click on theAddbutton.
  3. Choose aParent Interfacefrom the drop-down menu; this should be a currently unassigned interface:
  1. Enter a VLAN Tag from 2 to 4094 (1 is reserved as the default VLAN tag and should not be used).
  2. Enter aVLAN Prioritylevel from 0 to 7 (or just leave it at the default value of 0).
  3. Enter a briefDescription.
  4. When you are done, click on theSavebutton.
  5. Click on theInterface Assignmentstab.
  6. In theAvailable network portscolumn, select the newly created VLAN in the drop-down box, and click on the Add button:
  1. To configure the VLAN, click on the interface name in theInterfacecolumn.
  2. On the Interfaces configuration page, check theEnable Interfacecheckbox.
  3. Change theDescriptionto an appropriate one for the VLAN (for example, DEV).
  4. Set theIPv4 Configuration Typeto an appropriate value (usuallyStatic IPv4).
  5. Set theIPv6 Configuration Type, or leave it set toNone.
  6. If you set theIPv4 Configuration TypetoStatic IPv4, you must enter theIPv4 Addressand CIDR for the new VLAN. Use a subnet that has not yet been used (for example, 192.168.10.1/24).
  1. Leave the IPv4 Upstream gatewayset to None.
  2. If you set theIPv6 Configuration TypetoStatic IPv6, you must enter theIPv6 Addressand CIDR for the new VLAN.
  3. Leave theIPv6 Upstream gatewayset to none.
  4. Leave theBlock private networksandBlock bogon networkscheckboxes unchecked.
  5. When you are done making changes, click on theSavebutton, and then, when the page reloads, click on theApply Changesbutton.

How it works...

Up to now, we have contemplated networks that correspond to a single network interface. Sometimes, however, we want to decouple logical network groupings from physical interfaces. We may want to have more than one network on a single interface—or, less commonly, have a network span multiple interfaces. We can accomplish this with virtual LANs, or VLANs. By attaching a special header to an Ethernet frame, known as an 802.1Q tag, we can have VLANs. Since the VLAN tag is an integer from 1 to 4094, it would seem that we are limited to 4094 VLANs (or 4093, since we are not supposed to use 1 as a tag), but by using QinQ tagging, we can nest VLAN tags, making it possible to have a much greater number of VLANs on our private network (in fact, a much greater number of VLANs than we would probably ever need).

Note

In step 5 of this recipe, we referenced the VLAN priority level. This is a feature added to pfSense with version 2.3 that allows you to define a class of service for your VLAN. It is a 3 bit field from 0 to 7. Somewhat counter-intuitively, 1 is the lowest priority level (background), while 7 is the highest, and 0 is best effort treatment, which is one step above the lowest priority level.

There's more...

In order to utilize VLANs on your network, you need one or more managed switches. These are switches that recognize 802.1Q tags placed in the Ethernet frame by pfSense, and which will forward the frames to the correct port. Managed switches are never plug and play, they always involve some configuration, so consult your switch’s documentation for details on how to configure it.

See also

  • TheConfiguring VLANs from the consolerecipe

 

Assigning interfaces from the console


This recipe describes how to assign interfaces using the console menu.

Getting ready

In order to complete this recipe, you will need at least one unassigned interface.

How to do it...

  1. On the console menu, press1and pressEnter.
  2. The first option will be for setting up VLANs. Since we don’t want to set up VLANs now, pressnandEnter:
  1. You will be prompted to enter the WAN interface name. Here, you must enter the device name for the interface that will be the WAN interface (for example, eth0, eth1, em0, em1, and so on). Enter the appropriate device name and pressEnter.
  2. You will be prompted to enter the LAN interface name, or nothing if finished. You only need to assign the WAN interface (in which case you will be able to log into pfSense using the WAN IP address). However, if you want to assign an interface to LAN, enter the device name and pressEnter. Otherwise, just pressEnter.
  3. If there are more than two network interfaces, you can assign optional interfaces at the console. To do so, enter the device name and press Enter. Otherwise, just pressEnter.
  4. The interface assignments will be listed, and you will be asked whether you want to proceed. PressingnandEnterwill result in no changes being made, while pressingyandEnterwill commit the changes.
  5. If you pressedyandEnter, the changes will be written and the settings will be reloaded. You will then be returned to the console menu.

How it works...

In this recipe, we were able to assign interfaces (which was done earlier in the chapter via the web GUI) from the console. Many configurations can be done from the console—we can even restore earlier configurations and run utilities—and in this book, we will take advantage of this functionality.

See also

  • TheConfiguring a WAN interface from the consolerecipe
  • TheConfiguring a LAN interface from the consolerecipe
  • TheConfiguring optional interfaces from the consolerecipe
  • TheConfiguring VLANs from the consolerecipe
 

Configuring a WAN interface from the console


This recipe describes how to configure the WAN interface from the Console menu.

Getting ready

In order to complete this recipe, the WAN interface must have previously been assigned to one of the available network interfaces.

How to do it...

  1. On the console menu, type2and pressEnter.
  2. pfSense will prompt you for the number of the interface you want to configure. For the WAN interface, this will be1, so type1and pressEnter.
  1. pfSense will ask you if you want to configure the IPv4 WAN address through DHCP. In most cases, you will want to typey, because the WAN interface address will be assigned by your ISP via DHCP. Typeyand press Enter.If you entern, pfSense will prompt you for a WAN IPv4 address, and then the subnet bit count:
  1. pfSense will ask you whether you want to configure the IPv6 WAN address through DHCP6. You can typeyif your ISP supports IPv6 addressing, or typen, in which case IPv6 addressing for the WAN interface will be disabled.
  2. pfSense will ask you whether you want to revert to HTTP for the webConfigurator protocol. Unless you have a reason for not using HTTPS for the web GUI, typenand pressEnter.
  3. The configuration process is now complete. The settings will be saved and pfSense will reload them.

How it works...

This recipe describes how to configure the WAN interface via the console instead of through the web GUI. Note that the options are much more limited than they are in the web GUI. For example, you only have the option to configure an IPv4 address via DHCP or use a static address. None of the other options, such as PPP or PPPoE are available. Also, with IPv6, the only option is DHCP6. If you require more options that are available here, use the web GUI.

See also

  • TheAssigning interfaces from the consolerecipe
  • TheConfiguring a LAN interface from the consolerecipe
  • TheConfiguring optional interfaces from the consolerecipe
  • TheConfiguring VLANs from the consolerecipe
  • TheConfiguring a WAN interfacerecipe
 

Configuring a LAN interface from the console


This recipe describes how to configure theLAN interface from the Console menu.

Getting ready

In order to complete this recipe, theLAN interface must have previously been assigned to one of the available network interfaces.

How to do it...

  1. On the console menu, type2and pressEnter.
  2. pfSense will prompt you for the number of the interface you want to configure. For theLAN interface, this will be2, so type2and pressEnter.
  3. pfSense will prompt you for the new LAN IPv4 address. Enter the new address and pressEnter:

 

  1. pfSense will prompt you for the subnet bit count (the CIDR). Enter the bit count and pressEnter.
  2. pfSense will prompt you for the new LAN IPv4 upstream gateway address. You don’t need to specify an upstream gateway, so just pressEnter.
  3. pfSense will prompt you for the new LAN IPv6 address. If you want to specify an IPv6 address, type it here; otherwise, just pressEnter.
  4. If you entered an IPv6 address, pfSense will prompt you for the subnet bit count (CIDR). Enter the bit count and pressEnter.
  1. If you entered an IPv6 address,pfSense will prompt you for the new LAN IPv6upstream gateway address. You don’t need to specify an upstream gateway, so just pressEnter.
  2. pfSense will ask whether you want to enable the DHCP server on LAN. If you enter y, you will then be prompted for the start and end addresses of the IPv4 client address range. You can enter y and type the start and end addresses, or just enternand set up DHCP later on (recommended).
  3. If you entered an IPv6 address,pfSense will ask if you want to enable the DHCP6server on LAN. If you enter y, you will then be prompted for the start and end addresses of the IPv6client address range. You can enteryand type the start and end addresses, or just enternand set up DHCP6later on (recommended).
  4. pfSense will ask you whether you want to revert to HTTP for the webConfigurator protocol. Unless you have a reason for not using HTTPS for the web GUI, typenand pressEnter.
  5. The configuration process is now complete. The settings will be saved and pfSense will reload them.

How it works...

This recipe described how to set up a LAN interface’s IP address using the console instead of the web GUI. Note that this option also allows you to set up the DHCP (or DHCP6) server, although it does not provide as many options as the web GUI. As with configuring a WAN interface, you may find it necessary to do the configuration via the web GUI, as the console only provides limited options.

See also

  • TheAssigning interfaces from the consolerecipe
  • TheConfiguring a WAN interface from the consolerecipe
  • TheConfiguring optional interfaces from the consolerecipe
  • TheConfiguring VLANs from the consolerecipe
  • TheConfiguring a LAN interfacerecipe
 

Configuring optional interfaces from the console


This recipe describes how to configure optionalinterfaces from the console menu.

Getting ready

In order to complete this recipe,at least one optional interfacemust have previously been assigned to one of the available network interfaces.

How to do it...

  1. On the console menu, type2and pressEnter.
  2. pfSense will prompt you for the number of the interface you want to configure.Type the appropriate number and pressEnter.
  3. pfSense will prompt you for the new LAN IPv4 address. Enter the new address and press Enter.
  4. pfSense will prompt you for the subnet bit count (the CIDR). Enter the bit count and pressEnter.
  5. pfSense will prompt you for the new LAN IPv4 upstream gateway address. You don’t need to specify an upstream gateway, so just pressEnter.
  6. pfSense will prompt you for the new LAN IPv6 address. If you want to specify an IPv6 address, type it here; otherwise, just pressEnter.
  7. If you entered an IPv6 address, pfSense will prompt you for the subnet bit count (CIDR). Enter the bit count and pressEnter.
  8. If you entered an IPv6 address,pfSense will prompt you for the new LAN IPv6upstream gateway address. You don’t need to specify an upstream gateway, so just pressEnter.
  9. pfSense will ask whether you want to enable the DHCP server on LAN. If you entery, you will then be prompted for the start and end addresses of the IPv4 client address range. You can enteryand type the start and end addresses, or just enternand set up DHCP later on (recommended).
  1. If you entered an IPv6 address,pfSense will ask whether you want to enable the DHCP6server on LAN. If you entery, you will then be prompted for the start and end addresses of the IPv6client address range. You can enteryand type the start and end addresses, or just enternand set up DHCP6later on (recommended).
  2. pfSense will ask you if you want to revert to HTTP for the webConfigurator protocol. Unless you have a reason for not using HTTPS for the web GUI, typenand pressEnter.
  3. The configuration process is now complete. The settings will be saved and pfSense will reload them.Repeat the process for as many optional interfaces as you wish to configure.

How it works...

This recipe describes how to set up interfaces such as an interface for a DMZ.

See also

  • TheAssigning interfaces from the consolerecipe
  • TheConfiguring a WAN interface from the consolerecipe
  • TheConfiguring a LAN interface from the consolerecipe
  • TheConfiguring VLANs from the consolerecipe
  • TheConfiguringoptional interfacesrecipe
 

Configuring VLANs from the console


This recipe describes how to add a VLAN from the console menu.

Getting ready

In order to complete this recipe,there must be at least one interface that was not previously assigned.

Note

Do not use the console if you don’t want to have to reassign all the interfaces (for example, WAN, LAN, and any optional interfaces), because the only way to create VLANs from the console is to use theAssign Interfacesoption.

How to do it...

  1. From the console menu, type1and pressEnter.
  2. pfSense will ask if VLANs should be created now. Typeyand pressEnter.
  3. pfSense will next warn you that if you proceed, all existing VLANs will be cleared. Typeyand pressEnter:
  1. pfSense will list all the VLAN-capable interfaces. Although, technically, you can make a previously-assigned interface into the parent interface of a VLAN, it is not recommended. Type the name of one of the unassigned interfaces (for example, eth0, eth1, em0, or em1) and pressEnter.
  2. pfSense will next prompt you for the VLAN tag. Type the VLAN tag and pressEnter.
  3. Repeat steps 4 and 5 for as many VLANs as you wish to create.When you are done, pressEnter.
  4. pfSense will prompt you for the name of the WAN interface; type in the name and pressEnter.
  5. pfSense will prompt you for the name of the LAN interface; type in the name and press Enter.
  6. pfSense will prompt you for the name of the Optional 1 interface. You can create a VLAN by using the name of the VLAN interface(s) assigned in steps 4 and 5. The name of the interface will have two numbers separated by a period. The first number will be the device number of the interface; the second number (after the period) will be the VLAN tag. Thus if the device name is em, and em2 is the parent interface of a VLAN tagof 3, the interface name will be em2.3. Type the interface name and pressEnter.
  7. When you are done assigning interfaces, pressEnter.
  8. pfSense will ask you whether you want to proceed. Type y and pressEnter. Take note of the name of the newly created VLAN (for example, OPT1).
  9. You now have assigned a VLAN, but the VLAN doesn’t have an IP address. To set the VLAN’s IP address, type2and press Enter.
  10. Find the newly created VLAN in the list of interfaces and type the appropriate number and pressEnter.
  11. pfSense will prompt you for the VLAN’s IPv4 address. Type in the address and pressEnter.
  12. pfSense will prompt you for the subnet bit count (CIDR) of the address. Type in the bit count and pressEnter.
  13. pfSense will prompt you for theIPv4upstream gateway address. Since you don't need one, pressEnter.
  14. PfSense will prompt you for the VLAN’s IPv6 address. You can type in an IPv6 address or just pressEnter.
  15. If you entered an IPv6 address, pfSense will prompt you for the subnet bit count (CIDR). Enter the bit count and pressEnter.If you didn’t enter an IPv6 address, skip to step 20.
  1. If you entered an IPv6 address,pfSense will prompt you for theIPv6upstream gateway address. Since you don't need one, pressEnter.
  2. pfSense will ask you whether you want to enable the DHCP server on the VLAN. Type y if you want to enable the DHCP server, and then type the range of available addresses. Otherwise, type n and pressEnter.
  3. If you entered an IPv6 address pfSense will ask you whether you want to enable the DHCP6 server on the VLAN. Type y if you want to enable the DHCP6 server, and then type the range of available addresses. Otherwise, typenand pressEnter.
  4. pfSense will ask you whether you want to revert to HTTP for the webConfigurator protocol. Unless you have a reason for not using HTTPS for the web GUI, typenand pressEnter.
  5. pfSense will save the changes, and reload them. VLAN configuration is now complete.

How it works...

This recipe describeshow to set up VLANs from the console. The process is somewhat cumbersome, but if you need to create a VLAN and don't have access to the web GUI, it can be done.

See also

  • TheConfiguring VLANsrecipe

About the Author

  • David Zientara

    David Zientara is a software engineer living in northern New Jersey. He has over 20 years of experience in IT. In the mid-1990s, David became the lead software engineer for Oxberry LLC, a digital imaging company headquartered in New Jersey. In this capacity, he played a major role in developing a new software package for the company's equipment. In the mid-2000s, David took an interest in computer networking, an interest that led him to learn about m0n0wall and, eventually, pfSense.

    David currently is employed with the Prasad Corporation in a consulting position and is also the author of Learn pfSense 2.4 and Mastering pfSense 2.4, also available from Packt Publishing.

    Browse publications by this author

Latest Reviews

(1 reviews total)
Excellent promotion! Great books and a very good price! May more such actions!

Recommended For You

Book Title
Access this book, plus 7,500 other titles for FREE
Access now