Setting up pfSense

Over here I configured a firewall to replace the old single system based firewall. One of the guys at work recommended installing pfSense as a VM to replace the firewall. pfSense from the firewall aspect is wrapped around pf, the BSD Packet Filter software. I’ve used it on my old OpenBSD system so I’m somewhat familiar with it from the ruleset. Plus I already have the firewall running so it wasn’t a big deal to at least give it a shot. I downloaded the FreeBSD based .iso and created a Virtual Machine using a basic configuration of 1 CPU, 1 Gig of Ram, and 20 Gigs of space (mainly logs). As it’s a VM, I can add resources as needed. I also added the three interfaces I configured for the Firewall.

Booting to the ISO comes up with a simple menu for access to other features or by default starts installing the package. Next up is to configure the console. Next I selected the ‘Quick/Easy Install’ as I didn’t have all that much experience with the tool and really don’t have a complicated environment except for the Wireless Access Point for the third interface. “Are you SURE?” is next and basically says it’ll just install pfSense and erase the disk. Again, no problem as it’s a VM. If it tanks, I kill it and build a new one (case in point, I’m writing this after I’ve had pfSense up for a bit and am building a second VM to remind me what I did for this posting 🙂 ).

Okay and it’s on its way (wait, it is asking a question about the Kernel; just continue).

And it’s done. Took about 2 minutes even with swapping between there and here.

Reboot and let it start up. I’ve disabled all three interfaces for this one as I didn’t want it interfering with the current running one. It does come up with a start menu which will let me configure it. WAN is em0, LAN is the internal network, default to 192.168.1.1. In this case, reIPs to 192.168.1.2. This is also the web interface which is where I can configure the system.

Login for a new system is ‘admin’, ‘pfsense’. Change it of course.

Once in, a wizard starts up to help configure the system. First, do you want to upgrade to Gold 🙂 Next is to configure the hostname and gateway. Set the ntp server and zone. Next is configuring the WAN DHCP information. Since it’s DHCP and no special settings, Next. Configure the LAN Interface is next. As it’s already configured, I left it at the initial settings. Next, reset the admin account password. And done, click the Reload button and the firewall is ready to use.

As I have a Wireless connection as well, I needed to add the interface in. Under Interfaces, select (assign) to show the existing three. It shows the first two; WAN and LAN and an Available network port for the third interface. Click Add and it becomes ‘Opt1’. Click on it and it takes you to the configuration page for the interface. Initially it’s not configured. I select Static IPv4 from the IPv4 Configuration Type drop down and entered the new IP address for the IPv4 Address (192.168.10.2 for purposes of the instruction). I did not check the Reserved Networks checkboxes. Click the Enable checkbox at the top and click the Save button. It tells you the configuration has changed and that you need to Apply Changes. Note that this stays as a reminder even if you close the browser tab.

Next is the Firewall drop down. As I have no reason to permit inbound traffic to my system, I left the WAN configuration at default of ‘All incoming connections’…’will be dropped’. LAN configuration was also left at default.

The OPT1 (Wireless) interface had two rules added.

As I wanted it to pass traffic to and from the ‘net, I added an Allow to Any rule. Interface: Opt1, Address Family: IPv4, Protocol: any (note the default is tcp; it caught me initially 🙂 ). Finally Source Opt1 Net, Destination any. Description is ‘Default allow OPT1 to any rule’.

Not done though. I don’t want Wireless traffic permitted on the internal network so I added a second rule. This one is Action Reject, Protocol any (don’t forget, default is TCP), Source OPT1 net, Destination LAN net. Description: Drop inbound traffic to Internal.

And as far as the firewall configuration is concerned, I’m done. I did want to use some of the other features so I started poking around the menus a bit. I set up two services: DHCP, DNS, and NTP.

I set up DHCP to be enabled on the LAN interface and added a network range of 192.168.1.150 to 192.168.1.199. I set up the DNS server to be 192.168.1.1 (the pfSense server). Default gateway is the also the pfSense server so that can be blank. I added a Domain search list of ‘internal.pri’ as I use that for all my behind the firewall domains. I also enabled the rrd statistics graphs as I’m used to using rrdtool.

I can also enable DHCP on the Wireless lan but since I have an Apple Extreme WAP, it already handles that for me so I ignored it.

For DNS, I only needed to use the General Settings as it wasn’t all that complicated. I did Enable Forwarding Mode but left everything else alone. As I started adding VMs though, I added the IPs to DNS.

In order for CygWin on my Windows 10 system to use it as DNS, I had to manually enter the ‘internal.pri’ in the DNS suffix for this connection box:

Settings
Network and Internet
Ethernet
Change adapter options
Click on Network 2
Change settings of this connection
Click on the Internet Protocol Version 4 item
Click Properties
Click Advanced
Make sure the IP addresses and Default gateways are right (should be)
Click the DNS tab
Make sure the DNS servers are correct (again should be)
Under the DNS suffix for this connection add internal.pri.

For NTP, I added a few more pool servers as it works best with at least 3 and I set up 5. I did enable RRD graphs for NTP.

And that’s it. You can check out stats for the various services by looking under Status and troubleshoot under Diagnostics.

All in all it seems to be working as desired.

This entry was posted in Computers. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *