Setting up a pfSense

pfSense is a free and open source firewall and . pfSense is actually a distribution based on FreeBSD that runs on any x86-64 or ARM hardware. Some of the features provided by pfSense include:

• : maintains information about all open network connections
• Network Address Translation (NAT): port forwarding, 1:1 NATs, etc.
• High Availability: CARP & can support failover of two pfSense boxes
• Multi-WAN: multiple Internet connections with load balancing and failover
• Server Load Balancing: distribute load between multiple servers behind pfSense
• Virtual Private Network (VPN): IPsec and OpenVPN
• Reporting and Monitoring: RRD graphs and real-time traffic monitoring
• Dynamic DNS: register your public IP with a number of dynamic DNS service providers
• Captive Portal: force authentication or redirection to a click-through page for network access
• DHCP Server and Relay
• DNS Server
• And more... too many to list.

In order to set up pfSense, you need a 64-bit x86 or ARM based computer that has at least two network interfaces. One network interface will act as the WAN (wide area network) interface, which will connect to your home’s cable modem, whether it be Verizon FiOS, Xfinity/Comcast, etc. The second network interface will connect to your LAN ().

In this lab, we are going to install pfSense in a virtual machine, so that you can see the installation process and look around inside pfSense’s web interface to get familiar with it. Just remember, even though we are installing this in a virtual environment, installing it on a physical machine is no different.

Virtual Machine Setup:

Let’s create a new virtual machine that has two network interfaces for our pfSense system. During the setup, you’ll notice that we set one virtual interface to “Host-only” and the other one to “NAT”; this is necessary because we need to simulate having two separate networks in our virtual environment.

1. Open VMware Player.
2. Click “Create a New Virtual Machine”, which will start the “New Virtual Machine Wizard”.
3. For “Install operating system from”, choose “I will install the operating system later” and click “Next”.
4. For “Guest Operating System”, choose “Other” and for “Version” select “FreeBSD 11 64-bit”. Since pfSense is based on FreeBSD 11, this is the best choice we have available. This causes VMware to provide defaults for the virtual machine’s configuration that work better with FreeBSD. Click “Next”.
5. For “Name”, enter in , you can leave the default “Location” and then click “Next”.

6. The default “Disk Size” should be set to 20GB; leave “Split virtual disk into multiple files” selected and click “Next”.
7. You should now see a summary of your new virtual machine’s configuration options, which we want to customize further, so click the “Customize Hardware...” button.
8. Change “Memory” to “1024 MB”.
9. Select “Network Adapter” on the left side in the list, and then on the right side change the “Network Connection” setting from “NAT” to “Host-only”. This is going to act as our “dummy” WAN interface. The reason it’s a dummy interface is that we’re not really going to have a WAN interface in our virtual environment, but we need something to emulate a WAN interface.
10. Now we want to add a second network interface, so click the “Add...” button, select “Network Adapter” in the list and click “Finish”. You should now see a “Network adapter 2” in the list; make sure this one’s “Network Connection” setting is set to “NAT”. This is going to act as our LAN interface in pfSense.
11. You can now click the “Close” button on the “Virtual Machine Settings” window.
12. Now click “Finish”, and it should say “Virtual machine created successfully”; then click “Close”.
13. You should now see pfsense in your virtual machine list; select it and then click “Edit virtual machine settings”. Select the “CD/DVD (IDE)” device on the left and then on the right select “Use ISO image” and then click “Browse...”. At the top of the dialog box, select “home” and then open the “iso” folder; you will see a “pfSense-CE-2.4.2-RELEASE-amd64.iso” ISO file. Select that and click “Open”.
14. Now click “Save” to close your “Virtual Machine Settings”.
15. Finally, click the “Power On” button to power on your pfsense virtual machine.

pfSense Install and Initial Configuration:

When you power on your virtual machine, it will boot the pfSense ISO that we connected to it and automatically start the pfSense Installer:

1. On the first screen of the installer, press “Accept” to accept their license agreement.
2. On the “Welcome” screen, select “Install” using your arrow keys and press .
3. On the “Keymap Selection” screen you can just press to accept the default US keyboard map.
4. On the “Partitioning” screen, select “Auto (UFS)” and press .
5. The installer will now partition your hard drive (erasing anything that was on the hard drive) and then install the pfSense software onto the hard drive.
6. When prompted about the “Manual Configuration”, select “No” and press .
7. At the “Complete” screen, press to reboot the machine.
8. When the machine reboots, it will boot from the hard drive instead of the CD/DVD drive.
9. By default pfSense wants to set its LAN interface to IP address 192.168.1.1; however, we want to set it to an IP address that is reachable from the “NAT” VMware interface that we configured the virtual machine with. So at the “Enter an option” prompt, type 2 and press .
10. You should see “2 - LAN (em1 - static)”. We want to change the IP address of that interface, so enter 2 again and press .
11. For the IP address enter 192.168.90.90 and press .
12. When prompted for the subnet bit count, enter 24 and press .
13. When prompted for a gateway address, don’t enter anything; just press .

14. When prompted for the LAN IPv6 address, leave it blank and just press .
15. When prompted to enable the DHCP server on the LAN interface, enter n and press .
16. When prompted to “revert to HTTP as the webConfigurator protocol”, enter n and press .
17. After it reconfigures your network interfaces, you’ll see a message saying that you can access the webConfigurator by opening the following URL in your web browser: https://192.168.90.90. Press to return to the pfSense main console menu.
18. Let’s access the web interface of pfSense, which is what we’ll use to explore pfSense and its features. On your host system (not the guest running pfSense) open Firefox and go to https://192.168.90.90
19. You’ll get a message saying that the connection is not secure. That’s because pfSense is using a self-signed SSL certificate; just click the “Advanced” button, then click the “Add Exception...” button and finally click the “Confirm Security Exception” button.
20. You should now see the pfSense login page. For username enter admin and for password enter pfsense; that’s the default password for all pfSense installations.
21. The first time you go into the pfSense web interface it will take you through the initial configuration wizard:
   - On the first screen, just click “Next”.
   - On the global support screen, click “Next”.
   - On the “General Information” screen, this is where we could rename our pfSense box if we wanted to, but we’ll leave its default settings; click “Next”.
   - On the “Time Server Information” screen, change the Timezone to “America/New_York” and click “Next”.
   - On the “Configure WAN Interface” screen, this is where you would most likely take the MAC address of the local computer that was hooked up to your cable modem and enter it into the “MAC Address” field for the WAN interface in pfSense. This would spoof the MAC address and make the cable modem think it was still connected to your computer’s network interface card. Not all ISPs still require this, but some do restrict access to their network by MAC address. We are going to leave everything at the default values, so scroll all the way down and click “Next”.
   - On the “Configure LAN Interface” screen, you can leave the default values, since we already set this via the pfSense console earlier, so click “Next”.
   - On the “Set Admin WebGUI Password” screen, we want to change the default admin password from pfsense to something more secure. For our lab, let’s set it to Abc12345, and then click “Next”.
   - Finally, at the last screen click “Reload”. Give it a few seconds and wait for it to say “Congratulations! pfSense is now configured”. Once you see that, you can click the “pfsense” image icon in the top left corner of the web page to go to pfSense’s dashboard.

Exploring the pfSense Web Interface:

Let’s look around the pfSense web interface and explore some of the features of pfSense.

The first time you go to the dashboard of pfSense, you’ll have to “Accept” their license. The pfSense dashboard is customizable and allows you to add and remove “widgets” which can show critical information about your pfSense system at a glance. By default, the dashboard will show these three widgets:

- System Information: an overview of your pfSense hardware and software.
- Netgate Service And Support: support information (click the X to close this).
- Interfaces: an overview of the WAN and LAN interfaces.

You can click the red plus button to add other widgets to the Dashboard, like the “Traffic Graphs” widget.

One important thing to remember about your pfSense firewall is that by default all outbound traffic (LAN → WAN) is allowed, and all inbound traffic (WAN → LAN) is blocked. That simply means that machines on your local area network will be able to talk out and download stuff from the internet (WAN interface), but no one can make any connection into your local area network from the internet. They also cannot access your pfSense box from the internet; by default pfSense only allows access to its web interface from the local area network.

The Interfaces section allows you to decide on how you want your interfaces (in our case WAN and LAN) configured. Generally, once you have your pfSense box configured you won’t really need to mess with those settings anymore.

I recommend immediately going to the Firewall → Rules area to look at your firewall rules (which there aren’t many by default) and make any necessary changes you need to them.

If you need to set up any type of port forwarding to allow connections from the internet to go to a specific machine on your local network, you can look under Firewall → NAT → Port Forward. This is useful if you have a machine on your network that is running a web server or perhaps an SSH server: you can set up a port forward to allow you to connect to your local machine from outside of your home network...but be very careful when you start poking holes through your firewall...if you can get access to your machine, then that means other people can as well.
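To make the default policy and the effect of a port forward concrete, here is a small stateful-filter model, added as an example and not code from pfSense or from this handout. It is a toy, not pf: it assumes outbound NAT keeps the LAN host’s source port, the WAN address and the traffic are constructed sample values, and it exists only to show that LAN-initiated connections pass (and their replies are let back in by state), unsolicited WAN packets are blocked, and each port forward is a deliberate exception to that block.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ingress: str  # interface the packet arrives on: "lan" or "wan"


@dataclass
class MiniFirewall:
    """Toy model of pfSense's default policy (not pf itself).

    LAN -> WAN passes and creates state; WAN -> LAN is blocked unless the packet
    answers existing state or matches a port forward. Outbound NAT is simplified
    to keep the LAN host's source port unchanged (an assumption of this model).
    """
    wan_ip: str
    port_forwards: dict = field(default_factory=dict)  # {wan_port: (lan_ip, lan_port)}
    states: set = field(default_factory=set)           # (lan_ip, lan_port, remote_ip, remote_port)
    log: list = field(default_factory=list)

    def handle(self, pkt):
        """Return (verdict, (dst_ip, dst_port)) after any NAT translation."""
        if pkt.ingress == "lan":
            # Default LAN rule: pass anything, and remember the connection so the
            # reply is allowed back in through WAN.
            self.states.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            self.log.append(f"pass  lan {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
            return "pass", (pkt.dst_ip, pkt.dst_port)

        # WAN ingress: the state table is consulted before the rules.
        for lan_ip, lan_port, remote_ip, remote_port in self.states:
            if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) == \
                    (remote_ip, remote_port, self.wan_ip, lan_port):
                self.log.append(f"pass  wan {pkt.src_ip}:{pkt.src_port} -> "
                                f"{lan_ip}:{lan_port} (reply to existing state)")
                return "pass", (lan_ip, lan_port)  # un-NAT back to the LAN host

        # Port forward: pfSense adds an associated WAN pass rule for each forward.
        if pkt.dst_ip == self.wan_ip and pkt.dst_port in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]
            self.log.append(f"pass  wan {pkt.src_ip}:{pkt.src_port} -> "
                            f"{pkt.dst_ip}:{pkt.dst_port} (forwarded to {lan_ip}:{lan_port})")
            return "pass", (lan_ip, lan_port)

        # Default WAN rule: block everything unsolicited.
        self.log.append(f"block wan {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return "block", (pkt.dst_ip, pkt.dst_port)


def exposed_services(fw):
    """Each port forward is a hole in the default deny; list them for review."""
    return sorted((wan_port, f"{ip}:{port}")
                  for wan_port, (ip, port) in fw.port_forwards.items())


def demo():
    # Constructed sample traffic: 203.0.113.0/24 and 198.51.100.0/24 are
    # documentation ranges standing in for Internet hosts; the WAN address is assumed.
    fw = MiniFirewall(wan_ip="192.168.56.10",
                      port_forwards={2222: ("192.168.90.50", 22)})
    results = [
        fw.handle(Packet("192.168.90.50", 51234, "203.0.113.10", 443, "lan")),  # browse out
        fw.handle(Packet("203.0.113.10", 443, "192.168.56.10", 51234, "wan")),  # its reply
        fw.handle(Packet("198.51.100.7", 40000, "192.168.56.10", 445, "wan")),  # unsolicited probe
        fw.handle(Packet("198.51.100.7", 40001, "192.168.56.10", 2222, "wan")),  # forwarded SSH
    ]
    return fw, results


if __name__ == "__main__":
    firewall, _ = demo()
    print("\n".join(firewall.log))
    print("exposed:", exposed_services(firewall))
```

The `exposed_services` listing is the review step worth keeping: whatever appears there is reachable by anyone on the internet, so every entry should correspond to a service you intend to expose and keep patched.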

I recommend looking through the Services section; there are a large number of services that come with pfSense, including a DHCP server, DNS server, NTP, Wake-On-LAN, Captive Portal, etc. The captive portal is especially useful for securing wireless networks. If you’ve ever connected to “ruwireless” (the Rutgers open wireless network), that drops you into a captive portal, which basically means that before you can do anything on the wireless network, you are sent to a web page where you have to perform some type of task before you can get access to the network. In the case of Rutgers, you have to either say that you are a “Guest” or log in with your Rutgers NetID and password before you can get access to Rutgers’ wireless network. You can do the same thing for your home wireless, where even if someone gets your WPA2 encryption password, they still can’t do anything on your network until they’ve authenticated past the captive portal...and again, that’s built right into pfSense without any additional work.

The VPN section allows you to set up a VPN server on your pfSense box so that you can remotely connect to your home network from any device. I highly recommend using the OpenVPN “wizard”, which will guide you through the entire installation process. Afterwards, go to System → Package Manager and install the “-client-export” package, which makes it very easy to export the VPN configuration files so that you can put them on any type of client system (Android, iOS, Windows, Mac, , and anything else that supports OpenVPN).

The Status section allows you to see a lot of details about the different services that are running on your pfSense box, as well as system logs and traffic graphs. The traffic graphs are absolutely invaluable when trying to troubleshoot why your home internet is slow...you can quickly see which machines are using the most bandwidth, and if you want to you can even impose limits on specific machines.

The Diagnostics section is exactly what it sounds like: when you are having problems with your network or internet connection, the diagnostic tools available (ARP table, DNS lookup tool, packet capture, ping, route and state tables, traceroute, etc.) will help you quickly track down where the problem is. This section also includes the Backup & Restore utility, which I HIGHLY recommend that you use to back up your pfSense configuration on a regular basis. The backup that it creates can be used to quickly restore your pfSense box if you ever need to reinstall it or replace it. I’ve replaced a number of pfSense boxes over the years, and using the restore utility to simply restore the last backup has been an absolute life saver and has always worked 100% perfectly every time. You’ll also note that the Halt System and Reboot options for your pfSense box are located in this section.

The System section includes an Advanced area for making advanced changes to your pfSense box, which I don’t recommend using unless you really know what you are doing. The Package Manager allows you to see what extra packages you can install on your pfSense box; however, since we are on a restricted network environment in our lab, it will not pull up any available packages (sorry). If you do set up a pfSense box for yourself, I highly recommend looking into the “snort” package; it’s a great package for monitoring network traffic and looking for possible attacks on your network. The User Manager area is where you can manage accounts on your pfSense box, which includes the “user” accounts that you would set up for VPN client connections that you want to allow to your VPN server.

There are a lot of great resources online for learning how to set up pfSense and also how to take advantage of some of the more powerful features like high availability and load balancing. Here are a few URLs to get you started:

• https://doc.pfsense.org/index.php/Installing_pfSense
• https://doc.pfsense.org/index.php/Boot_Troubleshooting
• https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
