Mastering pfSense E-Book

Mastering pfSense Second Edition

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin BorichaAcquisition Editor: Shrilekha InaniContent Development Editor: Priyanka DeshpandeTechnical Editor: Mohit HassijaCopy Editor: Safis EditingProject Coordinator: Virginia DiasProofreader: Safis EditingIndexer: Mariammal ChettiyarGraphics: Tom ScariaProduction Coordinator: Shantanu Zagade

First published: August 2016 Second edition: May 2018

Production reference: 1040518

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78899-317-3

www.packtpub.com

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author

David Zientara is a software engineer and IT professional living in northern New Jersey. He has 20 years of experience in IT, and he has been the lead software engineer for Oxberry since the mid-1990s. His interest in pfSense prompted him to create a pfSense website in June 2013, and eventually to author this book.

About the reviewer

Shiva V.N. Parasram is a professional cyber security trainer and the owner of the Computer Forensics and Security Institute (CFSI). He is also a Certified EC-Council Instructor (CEI), and his qualifications include an M.Sc. in network security (Distinction), CEH, CHFI, ECSA, CCNA, NSE, and more. He has successfully executed and delivered forensic investigations, penetration tests, and security training for large enterprises, and he is also the author of Digital Forensics with Kali Linux, Packt Publishing.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Mastering pfSense Second Edition

Dedication

Packt Upsell

Why subscribe?

PacktPub.com

Contributors

About the author

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Get in touch

Reviews

Revisiting pfSense Basics

Technical requirements

pfSense project overview

Possible deployment scenarios

Hardware requirements and sizing guidelines

Minimum hardware requirements

Hardware sizing guidelines

The best practices for installation and configuration

pfSense configuration

Configuration from the console

Configuration from the web GUI

Configuring additional interfaces

Additional WAN configuration

General setup options

Summary

Questions

Further reading

Advanced pfSense Configuration

Technical requirements

SSH login

DHCP

DHCP configuration at the console

DHCP configuration in the web GUI

DHCPv6 configuration in the web GUI

DHCP and DHCPv6 relay

DHCP and DHCPv6 leases

DNS

DNS resolver

General Settings

Enable DNSSEC support

Host Overrides and Domain Overrides

Access Lists

DNS forwarder

DNS firewall rules

DDNS

DDNS updating

RFC 2136 updating

Troubleshooting DDNS

Captive portal

Implementing captive portal

User manager authentication

Voucher authentication

RADIUS authentication

Other settings

Troubleshooting captive portal

NTP

SNMP

Summary

Questions

VLANs

Technical requirements

Basic VLAN concepts

Example 1 – developers and engineering

Example 2 – IoT network

Hardware, configuration, and security considerations

VLAN configuration at the console

VLAN configuration in the web GUI

QinQ

Link aggregation

Add firewall rules for VLANs

Configuration at the switch

VLAN configuration example 1 – TL-SG108E

VLAN configuration example 2 – Cisco switches

Static VLAN creation

Dynamic Trunking Protocol

VLAN Trunking Protocol

Troubleshooting VLANs

General troubleshooting tips

Verifying switch configuration

Verifying pfSense configuration

Summary

Questions

Using pfSense as a Firewall

Technical requirements

An example network

Firewall fundamentals

Firewall best practices

Best practices for ingress filtering

Best practices for egress filtering

Creating and editing firewall rules

Floating rules

Example rules

Example 1 – block a website

Example 2 – block all traffic from other networks

Example 3 – the default allow rule

Scheduling

An example schedule entry

Aliases

Creating aliases from a DNS lookup

Bulk import

Virtual IPs

Troubleshooting firewall rules

Summary

Questions

Network Address Translation

Technical requirements

NAT essentials

Outbound NAT

Example – filtering outbound NAT for a single network

1:1 NAT

Example – mapping a file server

Port forwarding

Example 1 – setting up DCC

Example 2 – excluding a port

Example 3 – setting up a personal web server

Network Prefix Translation

Example – mapping an IPv6 network

Troubleshooting

Summary

Questions

Traffic Shaping

Technical requirements

Traffic shaping essentials

Queuing policies

Priority queuing

Class-based queuing

Hierarchical Fair Service Curve

Configuring traffic shaping in pfSense

The Multiple LAN/WAN Configuration wizard

The Dedicated Links wizard

Advanced traffic shaping configuration

Changes to queues

Limiters

Layer 7 traffic shaping

Adding and changing traffic shaping rules

Example 1 – modifying the penalty box

Example 2 – prioritizing EchoLink

Traffic shaping examples

Example 1 – adding limiters

Example 2 – penalizing peer-to-peer traffic

Using Snort for traffic shaping

Installing and configuring Snort

Troubleshooting traffic shaping

Summary

Questions

Further reading

Virtual Private Networks

Technical requirements

VPN fundamentals

IPsec

L2TP

OpenVPN

AES-NI

Choosing a VPN protocol

Configuring a VPN tunnel

IPsec

IPsec peer/server configuration

IPsec mobile client configuration

Example 1 – Site-to-site IPsec configuration

Example 2 – IPsec tunnel for remote access

L2TP

OpenVPN

OpenVPN server configuration

OpenVPN client configuration

Client-specific overrides

Server configuration with the wizard

OpenVPN Client Export Utility

Example – site-to-site OpenVPN configuration

Troubleshooting

Summary

Questions

Redundancy and High Availability

Technical requirements

Basic concepts

Server load balancing

Example – load balancer for a web server

HAProxy – a brief overview

CARP configuration

Example 1 – CARP with two firewalls

Example 2 – CARP with N firewalls

An example of both load balancing and CARP

Troubleshooting

Summary

Questions

Further reading

Multiple WANs

Technical requirements

Basic concepts

Service Level Agreement

Multi-WAN configuration

DNS considerations

NAT considerations

Third-party packages

Example – multi-WAN and CARP

Troubleshooting

Summary

Questions

Routing and Bridging

Technical requirements

Basic concepts

Bridging

Routing

Routing

Static routes

Public IP addresses behind a firewall

Dynamic routing

RIP

OpenBGPD

Quagga OSPF

FRRouting

Policy-based routing

Bridging

Bridging interfaces

Special issues

Bridging example

Troubleshooting

Summary

Questions

Extending pfSense with Packages

Technical requirements

Basic considerations

Installing packages

Important packages

Squid

Issues with Squid

Squid reverse proxy server

pfBlockerNG

ntopng

Nmap

HAProxy

Example – load balancing a web server

Other packages

Snort

Example – using Snort to block social media sites

FRRouting

Zabbix

Summary

Questions

Further reading

Diagnostics and Troubleshooting

Technical requirements

Troubleshooting basics

Common networking problems

Wrong subnet mask or gateway

Wrong DNS configuration

Duplicate IP addresses

Network loops

Routing issues

Port configuration

Black holes

Physical issues

Wireless issues

RADIUS issues

pfSense troubleshooting tools

System logs

Dashboard

Interfaces

Services

Monitoring

Traffic graphs

Firewall states

States

States summary

pfTop

tcpdump

tcpflow

ping, traceroute and netstat

ping

traceroute

netstat

Troubleshooting scenarios

VLAN configuration problem

Summary

Questions

Assessments

Chapter 1 – Revisiting pfSense Basics

Chapter 2 – Advanced pfSense Configuration

Chapter 3 – VLANs

Chapter 4 – Using pfSense as a Firewall

Chapter 5 – Network Address Translation

Chapter 6 – Traffic Shaping

Chapter 7 – Virtual Private Networks

Chapter 8 – Redundancy and High Availability

Chapter 9 – Multiple WANs

Chapter 10 – Routing and Bridging

Chapter 11 – Extending pfSense with Packages

Chapter 12 – Diagnostics and Troubleshooting

Another Book You May Enjoy

Leave a review - let other readers know what you think

Preface

pfSense is open source firewall/router software based on the FreeBSD packet filtering program PF that can be used as a perimeter firewall, router, wireless access point, DHCP server, DNS server, or VPN endpoint. Mastering pfSense, Second Edition, is a comprehensive guide to installing, configuring, and customizing pfSense.

Who this book is for

The target audience for this book should have at least an intermediate level of knowledge of computer networking. Some knowledge of pfSense is a plus, although it is not required.

The book should appeal to a wide range of technophiles; anyone interested in pfSense who has an aptitude for understanding networking and the resources to follow along with the examples will benefit from this book.

What this book covers

Chapter 1, Revisiting pfSense Basics, covers deployment scenarios for pfSense, hardware requirements, sizing and installation options, and it guides the user through the initial installation and configuration.

Chapter 2, Advanced pfSense Configuration, covers some of the commonly used pfSense services, such as DHCP, DNS, Dynamic DNS (DDNS), captive portal, Network Time Protocol (NTP), and Simple Network Management Protocol (SNMP).

Chapter 3, VLANs, covers how to set up a virtual LAN in pfSense, both from the command line and the web GUI, and provides examples showing how to configure some commercially available managed switches.

Chapter 4, Using pfSense as a Firewall, covers how to implement rules to block, pass, or divert network traffic, as well as virtual IPs, aliases, and scheduling.

Chapter 5, Network Address Translation, covers Network Address Translation (NAT) in depth, including outbound NAT, port forwarding, 1:1 NAT, and Network Prefix Translation (NPt).

Chapter 6, Traffic Shaping, covers how to use the pfSense's traffic shaping capabilities, using the traffic shaping wizard, by manually adjusting queues, and by creating custom floating rules.

Chapter 7, Virtual Private Networks (VPNs), covers the advantages and disadvantages of VPNs and explains how to use pfSense to set up an IPsec, L2TP, or OpenVPN tunnel. Client-server and peer-to-peer options are covered.

Chapter 8, Redundancy and High Availability, covers load balancing, failover, and implementing redundancy via Common Address Redundancy Protocol (CARP), which allows the user to add one or more backup firewalls.

Chapter 9, Multiple WANs, covers ways to implement redundancy and high availability into internet connections by having multiple internet connections for failover, load balancing, and bandwidth aggregation. This chapter shows how to set up gateways and gateway groups.

Chapter 10, Routing and Bridging, covers bridging and static/dynamic routing, including when bridging network adapters is appropriate, as well when it is necessary to configure static routes and how to do it, and discusses the dynamic routing protocols available for pfSense.

Chapter 11, Extending pfSense with Packages, covers the most significant packages available for pfSense, such as Snort, Squid, HAProxy, and many others.

Chapter 12, Diagnostics and Troubleshooting, covers what to do when things go wrong. A problem-solving methodology is outlined, and common problems and available troubleshooting tools are discussed. A real-world example of troubleshooting is provided.

Appendix A, Assessments, answers to the questions mentioned in the chapters.

To get the most out of this book

I am assuming a basic understanding of networking. Enough knowledge to pass CompTIA's Networking+ exam should be more than enough knowledge. A basic knowledge of computers and how to use a CLI is also necessary. Since pfSense runs on FreeBSD, some experience with BSD and/or Unix-like operating systems such as Linux is helpful, though not strictly necessary. Experience with pfSense is also helpful; I am not assuming any prior knowledge of pfSense although the book does not discuss the initial installation and configuration in depth and instead progresses rapidly to more advanced topics. Readers with no prior knowledge of pfSense may be better served by starting out with a book targeted toward pfSense neophytes such as pfSense 2 Cookbook by Matt Williamson.

Since the focus in the second edition is more toward providing practical examples of pfSense in action, the reader will get more out of the book if they install pfSense and try some of the examples. Thus, having a system on which to install pfSense or being able to run pfSense in a virtual machine will be a plus. The book outlines the hardware requirements and sizing guidelines. If the reader intends to run pfSense in a virtual machine, they should run it on a system that supports 64-bit virtualization. For some of the examples such as VPNs and setting up a CARP failover group, it is helpful to set up a virtual network with multiple instances of pfSense running on the network.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it from https://www.packtpub.com/sites/default/files/downloads/MasteringpfSenseSecondEdition_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The nslookup utility is available on Linux, Windows, and macOS."

Any command-line input or output is written as follows:

nslookup packtpub.com 8.8.4.4

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Navigate to System | Advanced. Make sure the Admin Access tab is selected and scroll down to the Secure Shell section of the page."

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

Revisiting pfSense Basics

While high-speed internet connectivity is becoming more and more common, many in the online world—especially those with residential connections or small office/home office (SOHO) setups—lack the hardware to fully take advantage of these speeds. Fiber-optic technology brings with it the promise of a gigabit speed or greater, and the technology surrounding traditional copper networks is also yielding improvements. Yet many people are using consumer-grade routers that offer, at best, mediocre performance.

pfSense, an open source router/firewall solution, is a far better alternative that is available to you. You have likely already downloaded, installed, and configured pfSense, possibly in a residential or SOHO environment. As an intermediate-level pfSense user, you do not need to be sold on the benefits of pfSense. Nevertheless, you may be looking to deploy pfSense in a different environment (for example, a corporate network), or you may just be looking to enhance your knowledge of pfSense. In either case, mastering the topics in this book will help you achieve these goals.

This chapter is designed to review the process of getting your pfSense system up and running. It will guide you through the process of choosing the right hardware for your deployment, but it will not provide a detailed treatment of installation and initial configuration. The emphasis will be on troubleshooting, as well as some of the newer configuration options.

This chapter will cover the following topics:

A brief overview of the pfSense project

pfSense deployment scenarios

Minimum specifications and hardware sizing guidelines

The best practices for installation and configuration

Basic configuration from both the console and the pfSense web GUI

Technical requirements

The following equipment is required for installing and configuring pfSense 2.4:

A 64-bit Intel, AMD, or ARM-based system with a 500 MHz processor or greater, at least 512 MB of RAM, and 1 GB of disk space onto which pfSense will be installed

A USB thumb drive with at least 1 GB of disk space, or blank CD media if you prefer using optical media, which will serve as the installation media

Internet access, for downloading pfSense binaries

A second computer system, for accessing the pfSense web GUI

An Ethernet switch and cabling, or a crossover cable, for connecting the second computer system to the pfSense system

If you want to try out pfSense without doing an actual installation, you can create a pfSense virtual machine. While this chapter does not provide a guide to installing pfSense into a virtual environment, I recommend the following for running pfSense in a virtual machine:

A 64-bit Intel or AMD-based system with a 2 GHz processor or greater, at least 8 GB of RAM, and enough disk space to accommodate the virtual hard drive (likely 8 GB or greater)

Either a Type 1 or Type 2 hypervisor:

Type 1 (bare-metal hypervisor; runs directly on the hardware):

VMware ESXi

Microsoft Hyper-V

Type 2 (requires an OS):

Proxmox (Linux)

Oracle VM VirtualBox (Linux, Windows, mac OS, Solaris)

Most likely you will have to create two virtual machines: one into which pfSense will be installed, and a second from which you will access the web GUI and test the functionality of the virtual pfSense system.

pfSense project overview

The origins of pfSense can be traced to the OpenBSD packet filter known as PF, which was incorporated into FreeBSD in 2001. As PF is limited to a command-line interface, several projects have been launched in order to provide a graphical interface for PF. m0n0wall, which was released in 2003, was the earliest attempt at such a project. pfSense began as a fork of the m0n0wall project.

Version 1.0 of pfSense was released on October 4, 2006. Version 2.0 was released on September 17, 2011. Version 2.1 was released on September 15, 2013, and Version 2.2 was released on January 23, 2015. Version 2.3, released on April 12, 2016, phased out support for legacy technologies such as the Point-to-Point Tunneling Protocol (PPTP), the Wireless Encryption Privacy (WEP) and Single DES, and also provided a facelift for the web GUI.

Version 2.4, released on October 12, 2017, continues this trend of phasing out support for legacy technologies while also adding features and improving the web GUI. Support for 32-bit x86 architectures has been deprecated (security updates will continue for 32-bit systems, however, for at least a year after the release of 2.4), while support for Netgate Advanced RISC Machines (ARM) devices has been added. A new pfSense installer (based on FreeBSD's bsdinstall) has been incorporated into pfSense, and there is support for the ZFS filesystem, as well as the Unified Extensible Firmware Interface (UEFI). pfSense now supports OpenVPN 2.4.x, and as a result, features such as AES-GCM ciphers can be utilized. In addition, pfSense now supports multiple languages; the web GUI has been translated into 13 different languages. At the time of writing, version 2.4.2, released on November 21, 2017, is the most recent version.

Possible deployment scenarios

Once you have decided to add a pfSense system to your network, you need to consider how it is going to be deployed on your network. pfSense is suitable for a variety of networks, from small to large ones, and can be employed in a variety of deployment scenarios. In this section, we will cover the following possible uses for pfSense:

Perimeter firewall

Router

Switch

Wireless router/wireless access point

The most common way to add pfSense to your network is to use it as a perimeter firewall, as shown in the diagram. In this scenario, your internet connection is connected to one port on the pfSense system, and your local network is connected to another port on the system. The port connected to the internet is known as the WAN interface, and the port connected to the local network is known as the LAN interface:

If pfSense is your perimeter firewall, you may choose to set it up as a dedicated firewall, or you might want to have it perform the double duty of a firewall and a router. You may also choose to have more than two interfaces in your pfSense system (known as optional interfaces). In order to act as a perimeter firewall, however, a pfSense system requires at least two interfaces: a WAN interface (to connect to outside networks), and a LAN interface (to connect to the local network).

The perimeter firewall performs two broad functions. The first, monitoring and controlling inbound traffic, should be fairly obvious. Allowing certain traffic on certain ports, while blocking all other traffic, is a core function of all firewalls. The second, monitoring and controlling outbound traffic, might seem less obvious but is also important. Outbound web traffic tends to pass through the firewall unchallenged. This, however, leaves our network vulnerable to malware that targets web browsers. To protect our networks against such threats, we need to monitor outbound traffic as well.

It is commonplace to set up the networks behind the firewall with a split architecture, with assets accessible from the internet being kept separate from the rest of the network. In such cases, the internet-accessible resources are placed on a separate network generally referred to as the demilitarized zone (DMZ). If your network requires such a setup, you can easily do this with pfSense as your perimeter firewall, as we will see later.

In more complex network setups, your pfSense system may have to exchange routing information with other routers on the network. There are two types of protocols for exchanging such information: distance vector protocols obtain their routing information by exchanging information with neighboring routers; routers use link-state protocols to build a map of the network in order to calculate the shortest path to another router, with each router calculating distances independently. pfSense is capable of running both types of protocols. Packages are available for distance vector protocols such as RIP and RIPv2, and link-state protocols such as Border Gateway Protocol (BGP). These protocols will be discussed in greater detail in Chapter 10, Routing and Bridging.

Another common deployment scenario is to set up pfSense as a router. In a home or SOHO environment, firewall and router functions are often performed by the same device. In mid-sized to large networks, however, the router is a device separate from that of the perimeter firewall.

In larger networks, which have several network segments, pfSense can be used to connect these segments. Traditionally, using a router to connect multiple networks requires multiple network interfaces on the router. However, with VLANs, we can use a single network interface card (NIC) to operate in multiple broadcast domains via 802.1q tagging. VLANs are often used with the ever-popular router on a stick configuration, in which the router has a single physical connection to a switch (this connection is known as a trunk), with the single Ethernet interface divided into multiple VLANs, and the router forwarding packets between the VLANs. One of the advantages of this setup is that it only requires a single port, and, as a result, it allows us to use pfSense with systems on when adding another NIC would be cumbersome or even impossible: for example, a laptop or certain thin clients. We will cover VLANs in greater depth in Chapter 3, VLANS.

In most cases, where pfSense is deployed as a router on mid-sized and large networks, it would be used to connect different LAN segments; however, it could also be used as a WAN router. In this case, pfSense's function would be to provide a private WAN connection to the end user.

Another possible deployment scenario is to use pfSense as a switch. If you have multiple interfaces on your pfSense system and bridge them together, pfSense can function as a switch. This is a far less common scenario, however, for several reasons:

Using pfSense as a switch is generally not cost effective. You can purchase a five-port Ethernet switch for less than what it would cost to purchase the hardware for a pfSense system. Buying a commercially available switch will also save you money in the long run, as they likely would consume far less power than whatever computer you would be using to run pfSense.

Commercially available switches will likely outperform pfSense, as pfSense will process all packets that pass between ports, while a typical Ethernet switch will handle them locally with dedicated hardware made specifically for passing data between ports quickly. While you can disable filtering entirely in pfSense if you know what you're doing, you will still be limited by the speed of the bus on which your network cards reside, whether it is PCI, PCI-X, or PCI Express (PCI-e).

There is also the administrative overhead of using pfSense as a switch. Simple switches are designed to be Plug and Play, and setting up these switches is as easy as plugging in your Ethernet cables and the power cord. Managed switches typically enable you to configure settings at the console and/or through a web interface, but in many cases, configuration is only necessary if you want to modify the operation of the switch. If you use pfSense as a switch, however, some configuration will be required.

If none of this intimidates you, then feel free to use pfSense as a switch. While you're not likely to achieve the performance level or cost savings of using a commercially available switch, you will likely learn a great deal about pfSense and networking in the process. Moreover, advances in hardware could make using pfSense as a switch viable at some point in the future. Advances in low-power consumption computers are one factor that could make this possible.

Yet another possibility is using pfSense as a wireless router/access point. A sizable proportion of modern networks incorporate some type of wireless connectivity. Connecting to a network's wireless is not only easier, but in some cases, running an Ethernet cable is not a realistic option. With pfSense, you can add wireless networking capabilities to your system by adding a wireless network card, provided that the network card is supported by FreeBSD.

Generally, however, using pfSense as a wireless router or access point is not the best option. Support for wireless network cards in FreeBSD leaves something to be desired. Support for the IEEE's 802.11b and g standards is okay, but support for 802.11n and 802.11ac is not very good.

A more likely solution is to buy a wireless router (even if it is one of the aforementioned consumer-grade units), set it up to act solely as an access point, connect it to the LAN port of your pfSense system, and let pfSense act as a Dynamic Host Configuration Protocol (DHCP) server. A typical router will work fine as a dedicated wireless access point, and they are more likely to support the latest wireless networking standards than pfSense. Another possibility is to buy a dedicated wireless access point. These are generally inexpensive and some have such features as multiple SSIDs, which allow you to set up multiple wireless networks (for example, you could have a separate guest network which is completely isolated from other local networks). Using pfSense as a router, in combination with a commercial wireless access point, is likely the least-troublesome option.

Hardware requirements and sizing guidelines

Once you have decided where to deploy pfSense on your network, you should have a clearer idea of what your hardware requirements are. As a minimum, you will need a CPU, motherboard, memory (RAM), some form of disk storage, and at least two network interfaces (unless you are opting for a router on a stick setup, in which case you only need one network interface). You may also need one or more optional interfaces.

Minimum hardware requirements

The starting point for our discussion on hardware requirements is the pfSense minimum specifications. As of January 2018, the minimum hardware requirements are as follows (these specifications are from the official pfSense site, https://www.pfsense.org):

CPU – 500 MHz (1 GHz recommended)

RAM – 512 MB (1 GB recommended)

A pfSense installation requires at least 1 GB of disk space. If you are installing on an embedded device, you can access the console either by a serial or VGA port. A step-by-step installation guide for the pfSense Live CD can be found on the official pfSense website at: https://doc.pfsense.org/index.php/Installing_pfSense.

Version 2.3 eliminated the Live CD, which allowed you to try out pfSense without installing it onto other media. If you really want to use the Live CD, however, you could use a pre-2.3 image (version 2.2.6 or earlier). You can always upgrade to the latest version of pfSense after installation.

Installation onto either a hard disk drive (HDD) or a solid-state drive (SSD) is the most common option for a full install of pfSense, whereas embedded installs typically use CF, SD, or USB media. A full install of the current version of pfSense will fit onto a 1 GB drive, but will leave little room for installation of packages or for log files. Any activity that requires caching, such as running a proxy server, will also require additional disk space.

The last installation option in the table is installation onto an embedded system using the Netgate ADI image. Netgate currently sells several ARM-based systems such as the SG-3100, which is advertised as an appliance that can be used in many deployment scenarios, including as a firewall, LAN or WAN router, VPN appliance, and DHCP or DNS server. It is targeted towards small and medium-sized businesses and may appeal to home and business users seeking a reliable firewall appliance with a low total cost of ownership. Storage (without upgrading) is limited to 8 GB of eMMC Flash, which would limit which packages could be installed. Another Netgate option is the SG-1000, which is a bare bones router with only 2 Ethernet ports, 512 MB of RAM and 4 GB of eMMC Flash.

Hardware sizing guidelines

The minimum hardware requirements are general guidelines, and you may want to exceed these minimums based on different factors. It may be useful to consider these factors when determining what CPU, memory, and storage device to use:

For the CPU, requirements increase for faster internet connections.

The following general guidelines apply: the minimum hardware specifications (Intel/AMD CPU of 500 MHz or greater) are valid up to 20 Mbps. CPU requirements begin to increase at speeds greater than 20 Mbps.

Connections of 100 Mbps or faster will require PCI-E network adapters to keep up with the increased network throughput.

If you intend to use pfSense to bridge interfaces—for example, if you want to bridge a wireless and wired network, or if you want to use pfSense as a switch—then the PCI bus speed should be considered. The PCI bus can easily become a bottleneck. Therefore, in such scenarios, using PCI-e hardware is the better option, as it offers up to 31.51 GBps (for PCI-e v. 4.0 on a 16-lane slot) versus 533 MBps for the fastest conventional PCI buses.

If you plan on using pfSense as a VPN server, then you should take into account the effect VPN usage will have on the CPU. Each VPN connection requires the CPU to encrypt traffic, and the more connections there are, the more the CPU will be taxed. Generally, the most cost-effective solution is to use a more powerful CPU. But there are ways to reduce the CPU load from VPN traffic. Soekris has the vpn14x1 product range; these cards offload the CPU of the computing intensive tasks of encryption and compression. AES-NI acceleration of IPSec also significantly reduces the CPU requirements.

If you have hundreds of simultaneous captive portal users, you will require slightly more CPU power than you would otherwise. Captive portal usage does not put as much of a load on the CPU as VPN usage, but if you anticipate having a lot of captive portal users, you will want to take this into consideration.

If you're not a power user, 512 MB of RAM might be enough for your pfSense system. This, however, would leave little room for the state table (where, as mentioned earlier, active connections are tracked). Each state requires about 1 KB of memory, which is less memory than some consumer-grade routers require, but you still want to be mindful of RAM if you anticipate having a lot of simultaneous connections. The other components of pfSense require 32 to 48 MB of RAM, and possibly more, depending on which features you are using, so you have to subtract that from the available memory in calculating the maximum state table size:

256 MB

~22,000 connections

512 MB

~46,000 connections

1 GB

~93,000 connections

2 GB

~190,000 connections

Installing packages can also increase your RAM requirements; Snort and ntop are two such examples. You should also probably not install packages if you have limited disk space. Proxy servers in particular use up a fair amount of disk space, which is something you should probably consider if you plan on installing a proxy server such as Squid.

The amount of disk space, as well as the form of storage you utilize, will likely be dictated by what packages you install, and what forms of logging you will have enabled. Some packages are more taxing on storage than others. Some packages require more disk space than others. Proxies such as Squid store web pages; anti-spam programs such as pfBlocker download lists of blocked IP addresses, and therefore require additional disk space. Proxies also tend to perform a great deal of read and write operations; therefore, if you are going to install a proxy, disk I/O performance is something you should likely take into consideration.

You may be tempted to opt for the cheapest NICs. However, inexpensive NICs often have complex drivers that offload most of the processing to the CPU. They can saturate your CPU with interrupt handling, thus causing missed packets. Cheaper network cards typically have smaller buffers (often no more than 300 KB), and when the buffers become full, packets are dropped. In addition, many of them do not support Ethernet frames that are larger than the maximum transmission unit (MTU) of 1,500 bytes. NICs that do not support larger frames cannot send or receive jumbo frames (frames with an MTU larger than 1,500 bytes), and therefore they cannot take advantage of the performance improvement that using jumbo frames would bring. In addition, such NICs will often have problems with VLAN traffic, since a VLAN tag increases the size of the Ethernet header beyond the traditional size limit.

The pfSense project recommends NICs based on Intel chipsets, and there are several reasons why such NICs are considered reliable. They tend to have adequately sized buffers, and do not have problems processing larger frames. Moreover, the drivers tend to be well-written and work well with Unix-based operating systems.

For a typical pfSense setup, you will need two network interfaces: one for the WAN and one for the LAN. Each additional subnet (for example, for a guest network) will require an additional interface, as will each additional WAN interface. It should be noted that you don't need an additional card for each interface added; you can buy a multiport network card (most of such cards have either two or four ports). You don't need to buy new NICs for your pfSense system; in fact, it is often economical to buy used NICs, and except in rare cases, the performance level will be the same.

If you want to incorporate wireless connectivity into your network, you may consider adding a wireless card to your pfSense system. As mentioned earlier, however, the likely better option is to use pfSense in conjunction with a separate wireless access point. If you do decide to add a wireless card to your system and configure it for use as an access point, you will want to check the FreeBSD hardware compatibility list before making a purchase.

The best practices for installation and configuration

Once you have chosen your hardware and which version you are going to install, you can download pfSense.

Browse to the

Downloads

section of

pfsense.org

and select the appropriate computer architecture (

32-bit

,

64-bit

, or

Netgate ADI

), the appropriate platform (

Live CD

,

memstick

, or

embedded

), and you should be presented with a list of mirrors. Choose the closest one for the best performance.

If the system hangs during the boot process, there are several options you can try. The first menu that appears, as pfSense boots, has several options. The last two options are

Kernel

and

Configure Boot Options

.

Kernel

allows you to select which kernel to boot from among the available kernels.

If you have a reason to suspect that the FreeBSD kernel being used is not compatible with your hardware, you might want to switch to the older version. Configure Boot Options launches a menu (shown in the preceding screenshot) with several useful options. A description of these options can be found at: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/. Toggling [A]CPI Support to off can help in some cases, as ACPI's hardware discovery and configuration capabilities may cause the pfSense boot process to hang. If turning this off doesn't work, you could try booting in Safe [M]ode, and if all else fails, you can toggle [V]erbose mode to On, which will give you detailed messages while booting.

While booting, pfSense provides information about your hardware, including expansion buses supported, network interfaces found, and USB support. When this is finished, the graphical installer will launch and you will see the copyright and distribution notice.

Select

Accept

and press

Enter

to accept these terms and conditions and continue with the installation.

The installer then provides you with three options:

Install pfSense

,

Rescue Shell

, and

Recover config.xml

. The

Rescue Shell

option launches a BSD shell prompt from which you can perform functions that might prove helpful in repairing a non-functional pfSense system.

For example, you can copy, delete and edit files from the shell prompt. If you suspect that a recent configuration change is what caused pfSense to break, however, and you saved the configuration file before making the change, the easiest way to fix your system may be to invoke Recover config.xml and restore pfSense from the previously-saved config.xml file.

The next screen provides keymap options. Version 2.4.2 supports 99 different keyboard layouts, including both QWERTY and Dvorak layouts. Highlighting a keymap option and pressing

Enter

selects that option. There's also an option to test the default keymap, and an option to continue with the default keymap.

Select

Accept

and press

Enter

when you have selected a keymap.

Next, the installer provides the following disk partitioning options:

Auto (UFS)

,

Manual

,

Shell

, and

Auto (ZFS)

. The first and last options allow you to format the disk with the

Unix File System (UFS)

and Oracle's

ZFS

respectively.

There are advantages and disadvantages to each filesystem, but the following table should help in your decision. Note that both filesystems support file ownership, and file creation/last access timestamps.

Filesystem

UFS

ZFS

Original release

August 1983 (with BSD 4.2)

November 2005 (with OpenSolaris)

Maximum volume size

273 bytes (8 zebibytes)

2128 bytes (256 trillion yobibytes)

Maximum file size

273 bytes (8 zebibytes)

264 bytes (16 exbibytes)

Maximum filename length

255 bytes

255 bytes

Case sensitive

Yes

Yes

Support for filesystem-level encryption

No

Yes

Data deduplication

No

Yes

Data checksums

No

Yes

In general, UFS is the tried-and-true filesystem, while ZFS was created with security in mind and incorporates many newer features such as filesystem-level encryption and data checksums.

Manual

, as the name implies, allows you to manually create, delete and modify partitions. There are several choices for partition types; you can even create an

Apple Partition Map (APM)

or a

DOS

partition, if that suits you. The

Shell

option drops you to a BSD shell prompt from which you can also manually create, delete and modify partitions, using shell commands.

If you chose ZFS, the next screen will present a series of options that allow you to further configure your ZFS volume.

Pool Type/Disks

allows you to select the type of redundancy. The default option is

stripe

, which provides no redundancy at all. The

mirror

option provides for duplicate volumes, in which the array continues to operate as long as one drive is functioning. The

raid10

option combines mirroring and striping (it is an array of mirrored drives). It requires at least four drives; the array continues to operate if one drive fails; up to half the drives in the RAID can fail so long as they aren't all from the same subset.

The next three options,

raidz1

,

raidz2

, and

raidz3

, are non-standard RAID options. Like RAID levels 5 though, they achieve redundancy through a parity stripe, although the parity stripe in Z1, Z2 and Z3 are dynamically sized. RAID-Z1 requires at least three disks/volumes and allows one of them to fail without data loss; RAID-Z2 requires four disks/volumes and allows two to fail; RAID-Z3 requires five disks/volumes and allows three to fail.

If your ZFS RAID is configured correctly, the installer will next present you with a series of ZFS-specific options. You can change the

Pool Name

(the default is

zroot

), toggle Force 4K Sectors on or off depending on whether or not you want sectors to align on 4K boundaries, and toggle

Encrypt Disks

on or off. You can also select a partition scheme for the system.

The default is

GUID Partition Table (GPT)

, but the legacy

Master Boot Record (MBR)

is also supported. You can set it up to boot in

BIOS mode

,

Unified Extensible Firmware Interface (UEFI) mode

, or, if your system supports it, both modes. UEFI-based systems, by specification, can only boot from GPT partitions, while some BIOS-based systems can boot from GPT partitions (and all BIOS-based systems can boot from MBR partitions). There is also support for the FreeBSD patch that fixes a bug that prevents GPT partitions from booting on some Lenovo systems (

GPT + Lenovo Fix

). You can also set the

Swap Size

, toggle

Mirror Swap

on or off, and toggle

Encrypt Swap

on or off.

After you have made all desired modifications you can proceed; the installer will format all selected volumes, extract the archive files and install pfSense. You will also be given an option to open a shell prompt to make any final modifications. Otherwise, you can reboot the system and run the newly installed copy of pfSense.

If you were unable to install pfSense on to the target media, you may have to troubleshoot your system and/or installation media. If you are attempting to install from the CD, your optical drive may be malfunctioning, or the CD may be faulty.

You may want to start with a known good bootable disc and see if the system will boot off of it. If it can, then your pfSense disk may be at fault; burning the disc again may solve the problem. If, however, your system cannot boot off the known good disc, then the optical drive itself, or the cables connecting the optical drive to the motherboard, may be at fault.

In some cases, however, none of the aforementioned possibilities hold true, and it is possible that the FreeBSD boot loader will not work on the target system. If so, then you could opt to install pfSense on a different system.

Another possibility is to install pfSense onto a hard drive on a separate system, then transfer the hard drive into the target system. In order to do this, go through the installation process on another system as you would normally until you get to the

Assign Interfaces

prompt. When the installer asks if you want to assign VLANS, type

n

. Type

exit

at the

Assign Interfaces

prompt to skip the interface assignment. Proceed through the rest of the installation; then power down the system and transfer the hard drive to the target system. Assuming that the pfSense hard drive is in the boot sequence, the system should boot pfSense and detect the system's hardware correctly. Then you should be able to assign network interfaces. The rest of the configuration can then proceed as usual.

If you have not encountered any of these problems, the software should be installed on the target system, and you should get a dialog box telling you to remove the CD from the optical drive tray and press

Enter

. The system will now reboot, and you will be booting into your new pfSense install for the first time.

pfSense configuration

If installation was successful, you should see a screen similar to the one shown in the following screenshot:

Some of the initial configuration must be done at the console, while some aspects of the configuration, such as VLAN and DHCP setup, can be done from either the console or the web GUI.

Configuration takes place in two phases. Some configuration must be done at the console, including interface configuration and interface IP address assignment. Some configuration steps, such as VLAN and DHCP setup, can be done both at the console and within the web GUI. On initial bootup, pfSense will automatically configure the WAN and LAN interfaces, according to the following parameters:

Network interfaces will be assigned to device IDs

em0

,

em1

, and so on

The WAN interface will be assigned to

em0

, and the LAN interface will be assigned to

em1

The WAN interface will look to an upstream DHCP server for its IP address, while the LAN interface will initially be assigned an IP address of

192.168.1.1

You can, of course, accept these default assignments and proceed to the web GUI, but chances are you will need to change at least some of these settings. If you need to change interface assignments, select 1 from the menu.

Configuration from the console

On boot, you should eventually see a menu identical to the one seen on the CD version, with the boot multi or single user options, and other options. After a timeout period, the boot process will continue and you will get an Options menu. If the default interface assignments are unsatisfactory, select 1 from the menu to begin interface assignment. This is where the network cards installed in the system are given their roles as WAN, LAN, and optional interfaces (OPT1, OPT2, and so on).

If you select this option, you will be presented with a list of network interfaces. This list provides four pieces of information:

pfSense's device name for the interface (

fxp0

,

em1

, and so on)

The MAC address of the interface

The link state of the interface (

up

if a link is detected;

down

otherwise)

The manufacturer and model of the interface (Intel PRO 1000, for example)

As you are probably aware, generally speaking, no two network cards have the same MAC address, so each of the interfaces in your system should have a unique MAC address.

To begin the configuration, select

1

and

Enter

for the

Assign Interfaces

option.

After that, a prompt will show up for VLAN configuration.

If you wish to set up VLANs, see

Chapter 3

,

VLANs

. Otherwise, type

n

and press

Enter

. Keep in mind that you can always configure VLANs later on.

The interfaces must be configured, and you will be prompted for the WAN interface first.

If you only configure one interface, it will be assigned to the WAN, and you will subsequently be able to log in to pfSense through this port.

This is not what you would normally want, as the WAN port is typically accessible from the other side of the firewall.

When at least one other interface is configured, you will no longer be able to log in to pfSense from the WAN port. Unless you are using VLANs, you will have to set up at least two network interfaces.

In pfSense, network interfaces are assigned rather cryptic device names (for example, fxp0, em1, and so on) and it is not always easy to know which ports correspond to particular device names. One way of solving this problem is to use the automatic interface assignment feature.

To do this, unplug all network cables from the system, and then type

a

and press

Enter

to begin auto-detection.

The WAN interface is the first interface to be detected, so plug a cable into the port you intend to be the WAN interface.

The process is repeated with each successive interface.

The LAN interface is configured next, then each of the optional interfaces (OPT1, OPT2).

Once you have finished configuration, type

y

at the

Do you want to proceed?

prompt, or type

n

and press

Enter

to re-assign the interfaces.

Option two on the menu is

Set interface(s) IP address

, and you will likely want to complete this step as well. When you invoke this option, you will be prompted to specify which interface's IP address is to be set.

If you select

WAN interface

, you will be asked if you want to configure the IP address via DHCP. In most scenarios, this is probably the option you want to choose, especially if pfSense is acting as a firewall. In that case, the WAN interface will receive an IP address from your ISP's DHCP server. For all other interfaces (or if you choose not to use DHCP on the WAN interface), you will be prompted to enter the interface's IPv4 address.

The next prompt will ask you for the subnet bit count. In most cases, you'll want to enter

8

if you are using a Class A private address,

16

for Class B, and

24

for Class C, but if you are using classless subnetting (for example, to divide a Class C network into two separate networks), then you will want to set the bit count accordingly.

You will also be prompted for the IPv4 gateway address (any interface with a gateway set is a WAN, and pfSense supports multiple WANs); if you are not configuring the WAN interface(s), you can just hit

Enter

here.

Next, you will be prompted to provide the address, subnet bit count, and gateway address for IPv6; if you want your network to fully utilize IPv6 addresses, you should enter them here.

The advantages of IPv6 over IPv4 will be discussed more fully in Chapter 2, Advanced pfSense Configuration.

We have now configured as much as we need to from the console (actually, we have done more than we have to, since we really only have to configure the WAN interface from the console). The remainder of the configuration can be done from the pfSense web GUI.

Configuration from the web GUI

The pfSense web GUI can only be accessed from another PC. If the WAN was the only interface assigned during the initial setup, then you will be able to access pfSense through the WAN IP address. Once one of the local interfaces is configured (typically the LAN interface), pfSense can no longer be accessed through the WAN interface. You will, however, be able to access pfSense from the local side of the firewall (typically through the LAN interface). In either case, you can access the web GUI by connecting another computer to the pfSense system, either directly (with a crossover cable) or indirectly (through a switch), and then typing either the WAN or LAN IP address into the connected computer's web browser.