pfSense 2.x Cookbook - David Zientara - E-Book

Description

A practical, example-driven guide to configuring even the most advanced features of pfSense 2.x

Key Features

  • Build a high-availability fault-tolerant security system with pfSense 2.x
  • Leverage the latest version of pfSense to secure your cloud environment
  • A recipe-based guide that will help you enhance your on-premise and cloud security principles

Book Description

pfSense is an open source distribution of the FreeBSD-based firewall that provides a platform for flexible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options, which makes determining requirements a little more difficult and a lot more important compared to other offerings.

pfSense 2.x Cookbook – Second Edition starts by providing you with an understanding of how to complete the basic steps needed to render a pfSense firewall operational. It starts by showing you how to set up different forms of NAT entries and firewall rules and use aliases and scheduling in firewall rules. Moving on, you will learn how to implement a captive portal set up in different ways (no authentication, user manager authentication, and RADIUS authentication), as well as NTP and SNMP configuration. You will then learn how to set up a VPN tunnel with pfSense. The book then focuses on setting up traffic shaping with pfSense, using either the built-in traffic shaping wizard, custom floating rules, or Snort. Toward the end, you will set up multiple WAN interfaces, load balancing and failover groups, and a CARP failover group. You will also learn how to bridge interfaces, add static routing entries, and use dynamic routing protocols via third-party packages.

What you will learn

  • Configure the essential pfSense services (namely, DHCP, DNS, and DDNS)
  • Create aliases, firewall rules, NAT port-forward rules, and rule schedules
  • Create multiple WAN interfaces in load-balanced or failover configurations
  • Configure firewall redundancy with a CARP firewall failover
  • Configure backup/restoration and automatic configuration-file backup
  • Configure some services and perform diagnostics with command-line utilities

Who this book is for

This book is intended for all levels of network administrators. If you are an advanced user of pfSense, then you can flip to a particular recipe and quickly accomplish the task at hand; if you are new to pfSense, on the other hand, you can work through the book chapter by chapter and learn all of the features of the system from the ground up.

David Zientara is a software engineer living in northern New Jersey. He has over 20 years of experience in IT. In the mid-1990s, David became the lead software engineer for Oxberry LLC, a digital imaging company headquartered in New Jersey. In this capacity, he played a major role in developing a new software package for the company's equipment. In the mid-2000s, David took an interest in computer networking, an interest that led him to learn about m0n0wall and, eventually, pfSense. David currently is employed with the Prasad Corporation in a consulting position and is also the author of Learn pfSense 2.4 and Mastering pfSense 2.4, also available from Packt Publishing.

Pages: 277

Year of publication: 2018



pfSense 2.x Cookbook Second Edition

David Zientara
BIRMINGHAM - MUMBAI

pfSense 2.x Cookbook Second Edition

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Prachi Bisht
Content Development Editor: Sharon Raj
Technical Editor: Mohit Hassija
Copy Editor: Safis Editing
Project Coordinator: Drashti Panchal
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Graphics: Tom Scaria
Production Coordinator: Jisha Chirayil

First published: March 2011
Second edition: December 2018

Production reference: 1121218

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78980-642-7

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com

Contributors

About the author

David Zientara is a software engineer living in northern New Jersey. He has over 20 years of experience in IT. In the mid-1990s, David became the lead software engineer for Oxberry LLC, a digital imaging company headquartered in New Jersey. In this capacity, he played a major role in developing a new software package for the company's equipment. In the mid-2000s, David took an interest in computer networking, an interest that led him to learn about m0n0wall and, eventually, pfSense.

David currently is employed with the Prasad Corporation in a consulting position and is also the author of Learn pfSense 2.4 and Mastering pfSense 2.4, also available from Packt Publishing.

I want to thank my parents, especially my father, for fueling my initial interest in computers and technology, and my mother, for providing constant encouragement.

About the reviewer

Shiva V. N. Parasram is the director of the Computer Forensics and Security Institute and is a cyber security trainer, pentester, and forensic investigator with 14 years of experience in the field. His qualifications include an MSc in network security (distinction), CCISO, CEH, CHFI, and CCNA. As a Certified EC-Council Instructor (CEI), he has also trained several-hundred people in ethical hacking and forensics, and has recently been selected as the sole trainer for cyber security courses for staff at Fujitsu Trinidad. He is also the author of Digital Forensics with Kali Linux, published by Packt Publishing.


Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

pfSense 2.x Cookbook Second Edition

About Packt

Why subscribe?

PacktPub.com

Contributors

About the author

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Sections

Getting ready

How to do it…

How it works…

There's more…

See also

Get in touch

Reviews

Initial Configuration

Introduction

Applying basic settings to General Setup

Getting ready

How to do it...

See also

Identifying and assigning interfaces

Getting ready

How to do it...

See also

Configuring a WAN interface

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring a LAN interface

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring optional interfaces from the console

Getting ready

How to do it...

How it works...

There's more...

See also

Enabling SSH access

How to do it...

How it works...

There's more...

See also

Generating authorized RSA keys

Getting ready

How to do it...

How it works...

See also

Configuring SSH RSA key authentication

Getting ready

How to do it...

How it works...

There’s more...

See also

Accessing the SSH

Getting ready

How to do it...

How it works...

See also

Configuring VLANs

Getting ready

How to do it...

How it works...

There's more...

See also

Assigning interfaces from the console

Getting ready

How to do it...

How it works...

See also

Configuring a WAN interface from the console

Getting ready

How to do it...

How it works...

See also

Configuring a LAN interface from the console

Getting ready

How to do it...

How it works...

See also

Configuring optional interfaces from the console

Getting ready

How to do it...

How it works...

See also

Configuring VLANs from the console

Getting ready

How to do it...

How it works...

See also

Essential Services

Introduction

Configuring the DHCP server

Getting ready

How to do it...

How it works...

There's more...

Deny unknown clients

DNS servers

Gateway

Domain name

Default lease time

Maximum lease time

Failover peer IP

Static ARP

Dynamic DNS

Additional BOOTP/DHCP options

See also

Configuring the DHCP6 server

Getting ready

How to do it...

How it works...

There's more...

Prefix delegation

See also

Configuring static DHCP mappings

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring the DHCP relay

Getting ready

How to do it...

How it works...

There's more...

See also

Specifying alternate DNS servers

Getting ready

How to do it...

How it works...

Using the DNS resolver

Using your WAN DNS servers

See also

Configuring the DNS resolver

Getting ready

How to do it...

How it works...

See also

Configuring a stand-alone DHCP/DNS server

How to do it...

How it works...

Register DHCP leases in DNS resolver

See also

Configuring dynamic DNS

Getting ready

How to do it...

How it works...

Specifying an alternative service using RFC 2136

Adding a wireless access point

Getting ready

How to do it...

How it works...

See also

Firewall and NAT

Introduction

Creating and using aliases

How to do it...

How it works...

There's more...

Using an alias

Editing an alias

Deleting an alias

Bulk importing aliases

See also

Creating a firewall rule

How to do it...

How it works...

There's more...

The source port

Ordering firewall rules

Duplicating firewall rules

Advanced features

See also

Setting a firewall rule schedule

How to do it...

How it works...

There's more...

Selecting dates or days of the week

See also

Creating a floating rule

How to do it...

How it works...

There's more...

See also

Creating a NAT port forwarding entry

Getting ready

How to do it...

How it works...

There's more...

Port redirection

Port redirection example

See also

Creating an outbound NAT entry

How to do it...

How it works...

There's more...

See also

Creating a 1:1 NAT entry

How to do it...

There's more...

See also

Creating an NPt entry

How to do it...

How it works...

Enabling UPnP and NAT-PnP

How to do it...

How it works...

There's more...

Security warning

See also

Additional Services

Introduction

Creating a captive portal without authentication

Getting ready

How to do it...

How it works...

There's more...

See also

Creating a captive portal with voucher authentication

How to do it...

How it works...

There's more...

See also

Creating a captive portal with User Manager authentication

How to do it...

How it works...

See also

Creating a captive portal with RADIUS authentication

Getting ready

How to do it...

How it works...

See also

Configuring NTP

How to do it...

There's more...

Configuring SNMP

Getting ready

How to do it...

There's more...

See also

Virtual Private Networking

Introduction

Choosing the right VPN server

Configuring the IPsec OpenVPN server – peer-to-peer

How to do it...

How it works...

There's more...

Configuring the IPsec VPN service – client/server

How to do it...

How it works...

There's more...

Connecting to the IPsec VPN service

Getting ready

How to do it...

Configuring the OpenVPN service

How to do it...

There's more...

Connecting to the OpenVPN service

Getting ready

How to do it...

There's more...

Configuring the L2TP VPN service

How to do it...

Traffic Shaping

Introduction

Configuring traffic shaping using the traffic-shaping wizard

How to do it...

How it works...

There's more...

See also

Configuring traffic shaping using floating rules

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring traffic shaping using Snort

How to do it...

How it works...

There's more...

See also

Redundancy, Load Balancing, and Failover

Introduction

Adding multiple WAN interfaces

Getting ready

How to do it...

How it works...

There's more...

Configuring server load balancing

Getting ready

How to do it...

How it works...

There's more...

See also

Configuring a CARP failover group

Getting ready

How to do it...

How it works...

There's more...

See also

Routing and Bridging

Introduction

Routing

Dynamic routing

Bridging

Bridging interfaces

How to do it...

How it works...

There's more...

Adding a static route

How to do it...

How it works...

There's more...

Configuring RIP using routed

How to do it...

How it works...

Configuring BGP using FRR

How to do it...

How it works...

Configuring OSPF using FRR

Getting ready

How to do it...

How it works...

Services and Maintenance

Introduction

A structured approach to problem solving

Enabling Wake-on-LAN

How to do it...

How it works...

There's more...

See also

Configuring PPPoE

How to do it...

How it works...

There's more...

See also

Configuring external logging with a syslog server

Getting ready

How to do it...

Using ping

How to do it...

How it works...

See also

Using traceroute

How to do it...

How it works...

See also

Using netstat

How to do it...

Using pfTop

How to do it...

See also

Using tcpdump

How to do it...

Using tcpflow

How to do it...

Backing Up and Restoring pfSense

Introduction

Backing up pfSense

How to do it...

How it works...

There's more...

See also

Restoring pfSense

How to do it...

How it works...

There's more...

Updating pfSense

How to do it...

How it works...

There's more...

See also

Determining Hardware Requirements

Determining our deployment scenario

Determining our throughput requirements

Determining our interface requirements

Choosing a standard or embedded image

Choosing a form factor

Installing the embedded platform on a desktop/server/laptop

Installing the standard platform on an appliance

Summary

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

pfSense is open source router/firewall software based on the FreeBSD operating system. It provides a frontend to Packet Filter (PF), FreeBSD's built-in firewall. Originally introduced in 2006, it has achieved a level of scalability, flexibility, and cost-effectiveness that has made it one of the most popular router/firewall distributions. The flexibility of pfSense means that in most cases there are several options available when configuring options and services. In such cases, determining your specific requirements is critical to optimizing results.

This book tries to make this process of obtaining optimal results as easy as possible. It follows a cookbook-style approach to teach you how to use pfSense's many features after determining your security requirements. This book covers everything from configuring network interfaces and basic services such as DHCP and DNS, to more complex capabilities such as load balancing and failover.

Who this book is for

This book is targeted at those with a beginner- or intermediate-level understanding of computer networking. Basic knowledge of the fundamentals of networking is helpful, although basic networking concepts and terms are explained to the greatest extent possible within the scope of the book. No prior knowledge of pfSense or FreeBSD is assumed.

What this book covers

Chapter 1, Initial Configuration, covers pfSense firewall configuration from the point of initial installation, and covers much of what most users will need to configure, such as setting up WAN, LAN, and optional interfaces; enabling SSH access and generating RSA keys; and adding VLANs.

Chapter 2, Essential Services, includes the services that are crucial to virtually every pfSense deployment – namely, DHCP, DHCP6, DNS, and dynamic DNS. This chapter also covers how to configure pfSense for use as a wireless access point.

Chapter 3, Firewall and NAT, covers the basics of creating firewall rules (standard and floating), as well as how to leverage aliases and scheduling to impose rules on a flexible basis. Different forms of Network Address Translation (NAT) are covered, along with two specialized forms of NAT designed to make online gaming easier: UPnP and NAT-PnP.

Chapter 4, Additional Services, is a new chapter covering services that are less commonly enabled but still useful for many home and SOHO deployments. Captive portals are covered, including all forms of authentication currently supported by pfSense, including RADIUS authentication. The chapter also covers the Network Time Protocol (NTP) and the Simple Network Management Protocol (SNMP).

Chapter 5, Virtual Private Networking, shows how to set up pfSense to act as the endpoint of a VPN tunnel, both as a peer-to-peer entity with another firewall at the opposite end of the connection, and as a client-server entity with a mobile client at the other end. Recipes are provided covering the three protocols supported by the current version of pfSense: IPsec, OpenVPN, and L2TP.

Chapter 6, Traffic Shaping, is another new chapter. This chapter demonstrates how to leverage the capabilities of pfSense to achieve a certain Quality of Service (QoS), using both the traffic shaper wizard and floating rules for policy-based routing. Deep packet inspection, however, is not possible using the built-in traffic shaper. To make this possible, we need the third-party package known as Snort, and this chapter covers the installation and configuration of Snort.

Chapter 7, Redundancy, Load Balancing, and Failover, covers the essential ways in which pfSense provides for load balancing and failover. Namely, it covers multiple WAN setups (which enable us to aggregate bandwidth and/or provide failover capabilities when we have multiple internet connections), load balancing using pfSense's built-in server load balancing capabilities, and the Common Address Redundancy Protocol (CARP), which allows us to have a completely redundant firewall on standby.

Chapter 8, Routing and Bridging, covers cases that many pfSense deployments may rarely encounter, if ever. This chapter demonstrates how to bridge interfaces, how to add a static route, and the dynamic routing protocols of the Routing Information Protocol (RIP), Border Gateway Protocol (BGP), and Open Shortest Path First (OSPF).

Chapter 9, Services and Maintenance, covers a number of services and utilities, most of which are useful for diagnostics and troubleshooting. Wake-on LAN (WOL), Point-to-Point over Ethernet (PPPoE), and enabling Syslog are covered, as well as command-line utilities such as ping and traceroute.

Appendix A, Backing Up and Restoring pfSense, provides a brief guide to backing up pfSense, restoring pfSense from either the web GUI or SSH/command line interface, and the various options for updating pfSense.

Appendix B, Determining Hardware Requirements, is a brief primer showing how to choose the best pfSense configuration after you determine your firewall requirements. You will even learn how and where to deploy pfSense to fit your environment's security needs.

To get the most out of this book

Following along with the recipes in this book should not require anything more than a basic knowledge of computer networking and some familiarity with computers and software.

You will get the most out of this book if you follow along with a functioning pfSense system. Thus, it will be helpful if you have either spare hardware onto which you can install the current version of pfSense, or virtualization software so that you can run pfSense inside a virtual machine (VM). I cannot do full justice to all the variants of VMs available, but I can say that Oracle VM VirtualBox has proven quite useful in preparing the material for this book.

This book does not provide a step-by-step guide on how to install pfSense, but if you need such a guide, you can find one here: https://www.netgate.com/docs/pfsense/install/installing-pfsense.html.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789806427_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "In the Name edit box, enter an appropriate name (for example, WEB_SERVER_IPS)."

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click on the LAN tab, if it isn't selected already."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Sections

In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it works..., There's more..., and See also).

To give clear instructions on how to complete a recipe, use these sections as follows:

Getting ready

This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.

How to do it…

This section contains the steps required to follow the recipe.

How it works…

This section usually consists of a detailed explanation of what happened in the previous section.

There's more…

This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.

See also

This section provides helpful links to other useful information for the recipe.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Initial Configuration

In this chapter, we will cover the following recipes:

Applying basic settings to General Setup

Identifying and assigning interfaces

Configuring a WAN interface

Configuring a LAN interface

Configuring optional interfaces

Enabling SSH access

Generating authorized RSA keys

Configuring SSH RSA authentication

Accessing the SSH

Configuring VLANs

Assigning interfaces from the console

Configuring a WAN interface from the console

Configuring a LAN interface from the console

Configuring optional interfaces from the console

Configuring VLANs from the console

Introduction

pfSense is open source software that can be used to turn a computer into a firewall/router. Its origins can be traced to the FreeBSD packet-filtering program known as PF, which has been part of FreeBSD since 2001. As PF is a command-line utility, work soon began on developing software that would provide a graphical frontend to PF. The m0n0wall project, which provides an easy-to-use, web-based interface for PF, was thus started. The first release of m0n0wall took place in 2003. pfSense began as a fork of the m0n0wall project.

Version 1.0 of pfSense was released on October 4, 2006, and version 2.0 was released on September 17, 2011. A key point in the development of pfSense took place with the release of Version 2.3 on April 12, 2016. This version phased out support for legacy technologies such as Point to Point Tunneling Protocol (PPTP), Wireless Encryption Protocol (WEP), and Single DES, and also provided a face-lift for the web GUI. Version 2.4, released on October 12, 2017, continues this trend of phasing out support for legacy technologies while also adding features. Support for 32 bit x86 architectures has been deprecated, while support for Netgate Advanced RISC Machines (ARM) devices has been added. A new pfSense installer (based on FreeBSD’s bsdinstall) has been incorporated into pfSense, and there is support for the ZFS filesystem, as well as the Unified Extensible Firmware Interface (UEFI). pfSense now supports multiple languages; the web GUI has been translated into 13 different languages.

This chapter will cover the basic configuration steps common to virtually all deployments. Once you have completed the recipes in this chapter, you will have a fully functional router/firewall. By following the recipes in subsequent chapters, you can enhance that functionality by adding specific firewall rules, enabling traffic shaping, adding load balancing and multi-WAN capabilities, and much more.

Applying basic settings to General Setup

This recipe describes how to configure core pfSense settings from the web GUI.

Getting ready

All that is required for this recipe is a fresh install of pfSense and access to the web GUI.

On a new install, the default login credentials are Username: admin and Password: pfsense.

How to do it...

1. In the web GUI, navigate to System | General Setup.

2. In the first section of the page (System), enter a Hostname. This name can be used to access the firewall instead of the IP address.

3. In the next field, enter the Domain.

4. The next field is DNS Servers. By default, pfSense will act as the primary DNS server; however, you can specify alternate DNS servers here. The Add DNS Server button causes an additional edit box to appear, into which you can enter another DNS server; you can add as many alternate DNS servers as is necessary.

5. Check the Allow DNS server list to be overridden by DHCP/PPP on WAN checkbox (it should be checked by default). This ensures that any DNS requests that cannot be processed internally will be passed on to the external DNS servers, as specified by your ISP.

6. In the Localization section, specify a Timezone and leave Timeservers at the default value of 0.pfsense.pool.ntp.org. Specify the appropriate Language (the default is English).

7. In the webConfigurator section, I’d recommend the default Theme of pfSense. You can set Top Navigation to either Scrolls with page (appropriate for all screen sizes) or Fixed (designed for large screens only). You may also set the number of Dashboard Columns (the default is 2).

8. When done, click on the Save button.

See also

The Configuring the DNS Forwarder recipe in Chapter 2, Essential Services.

Identifying and assigning interfaces

This recipe describes how to identify interfaces on a network configuration and how to assign them in pfSense.

Getting ready

You need to identify the MAC addresses for each Ethernet port on your pfSense system before attempting to assign them.

How to do it...

1. Navigate to Interfaces | Interface Assignments.

2. Assign a WAN interface, first by selecting the correct MAC address from the drop-down list for the WAN interface.

3. Repeat this process for the LAN interface, selecting the correct MAC address from the drop-down list for the LAN interface. If necessary, add the LAN interface to the list by following this process:

   1. Click on the Add button in the Available network ports column.

   2. Click on the name of the newly created interface in the Interfaces column (it should be OPT1).

   3. When the configuration page for the interface loads, change Description to LAN.

   4. Click on the Save button at the bottom of the page.

   5. Navigate back to Interfaces | Interface Assignments.

4. If you want to add optional interfaces, you can do so by repeating step 3 and substituting the name of the optional interface (for example, DMZ) for LAN.

5. When you are done assigning interfaces, click on the Save button.

See also

The Assigning interfaces at the console recipe

Configuring a WAN interface

This recipe describes how to configure the Wide Area Network (WAN) interface, which provides access to external networks on our pfSense system.

Getting ready

The WAN interface is your connection to external networks (in most cases, the public internet). You will need a properly configured WAN interface and an internet connection. In this example, we will connect to the internet via an Internet Service Provider (ISP) and a cable modem.

How to do it...

1. Navigate to Interfaces | WAN.

2. Check the Enable Interface checkbox (it should be checked by default).

3. Choose an IPv4 Configuration Type (usually DHCP).

4. Choose an IPv6 Configuration Type, or leave it set to None.

5. Leave MAC Address blank. Manually entering a MAC address here is known as MAC address spoofing. You can enter a MAC address here if you want to force your ISP to hand you a different IP address, or a different set of DNS servers. Be warned, however, that the MAC address entered must have a valid manufacturer’s prefix or it won’t work.

6. Leave MTU, MSS, Hostname, and Alias IP address blank.

7. Check the Block private networks and loopback addresses checkbox (it should be checked by default). This will block RFC 1918 private addresses from being sent out over the public internet.

8. Check the Block bogon networks checkbox (it should be checked by default). This will block packets from IP addresses not yet assigned by IANA from being sent or received.

9. Click on the Save button when done.
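To make concrete what the Block private networks and loopback addresses and Block bogon networks checkboxes are meant to drop on the WAN, here is an added Python example (not from the book) that classifies source addresses against the RFC 1918 and loopback ranges and against a constructed, deliberately short stand-in for the bogon table pfSense downloads. The log line format, the sample addresses and the three bogon entries are assumptions made for the example; only IPv4 is handled.

```python
import ipaddress
import re

# Ranges covered by the "Block private networks and loopback addresses" rule:
# the three RFC 1918 blocks plus IPv4 loopback (assumption: IPv4 only here).
PRIVATE_AND_LOOPBACK = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]

# Constructed stand-in for the bogon table pfSense fetches and refreshes.
# The real table is far longer (it also covers the RFC 5737 documentation
# ranges, for instance); these entries only illustrate the mechanism.
SAMPLE_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "100.64.0.0/10", "240.0.0.0/4",
)]


def classify_source(src):
    """Return which WAN rule would drop a packet from `src`, or 'pass'.

    Private/loopback is checked first, mirroring the fact that these two
    checkboxes install separate block rules and either one is sufficient.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in PRIVATE_AND_LOOPBACK):
        return "private/loopback"
    if any(addr in net for net in SAMPLE_BOGONS):
        return "bogon"
    return "pass"


# Constructed, simplified log lines. The key=value fields are invented for
# this example and do not follow pfSense's actual filterlog format. The
# destination is a documentation address standing in for the WAN address.
SAMPLE_LOG = """\
iface=wan proto=tcp src=203.0.113.5 dst=198.51.100.10 dport=443
iface=wan proto=tcp src=10.20.30.40 dst=198.51.100.10 dport=22
iface=wan proto=udp src=127.0.0.1 dst=198.51.100.10 dport=53
iface=wan proto=tcp src=240.1.2.3 dst=198.51.100.10 dport=80
iface=wan proto=tcp src=172.31.255.9 dst=198.51.100.10 dport=3389
"""

SRC_RE = re.compile(r"\bsrc=(?P<src>[0-9.]+)")


def audit_wan_log(text):
    """Map each logged source address to the rule that would drop it.

    Returns a list of (src, verdict) tuples, one per parsable line.
    """
    verdicts = []
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if m:
            src = m.group("src")
            verdicts.append((src, classify_source(src)))
    return verdicts


def summarize(verdicts):
    """Count verdicts per rule, so the effect of each checkbox is visible."""
    counts = {"private/loopback": 0, "bogon": 0, "pass": 0}
    for _, verdict in verdicts:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    results = audit_wan_log(SAMPLE_LOG)
    for src, verdict in results:
        print(f"{src:16} -> {verdict}")
    print(summarize(results))
```

Packets from 203.0.113.5 pass this constructed filter only because the short bogon list omits the RFC 5737 ranges; the real table pfSense uses would catch them.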

How it works...

We must first establish a connection to the internet before we can configure pfSense to allow other networks to access it. The example we provided is a typical WAN configuration for a Small Office/Home Office (SOHO) environment. By setting up the WAN interface as the only interface with direct access to the internet, we are securing the network behind the firewall and establishing complete control over our networks. All networks behind the firewall must now abide by the rules we create.

There's more...

Now that we have configured the WAN interface, we can connect the cable modem to the WAN port on pfSense and check the status of the WAN port by navigating to Status | Interfaces.

See also

The Identifying and assigning interfaces recipe in this chapter

The Configuring a LAN interface recipe in this chapter

The Configuring optional interfaces from the console recipe in this chapter

Configuring a LAN interface

This recipe describes how to configure the Local Area Network (LAN) internal interface of our pfSense firewall.

Getting ready

The LAN interface is the interface to the internal network through which our nodes will be able to securely connect to other internal nodes and to the internet. An assigned LAN interface is required.

How to do it...

1. Navigate to Interfaces | LAN.

2. Check the Enable Interface checkbox.

3. Choose an IPv4 Configuration Type (usually Static IPv4).

4. Choose an IPv6 Configuration Type (or leave it set to None).

5. Enter an IPv4 Address in the appropriate field, and the correct CIDR in the adjacent drop-down box. Leave IPv4 Upstream gateway set to None.

6. If you enabled IPv6 by setting the IPv6 Configuration Type, enter an