Setting up a pfSense Firewall

pfSense is a free and open source firewall and router. pfSense is actually a software distribution based on FreeBSD that runs on any x86-64 or ARM hardware. Some of the features provided by pfSense include:

• Stateful Firewall: maintains information about all open network connections
• Network Address Translation (NAT): port forwarding, 1:1 NATs, etc.
• High Availability: CARP & pfsync can support failover of two pfSense boxes
• Multi-WAN: multiple Internet connections with load balancing and failover
• Server Load Balancing: distribute load between multiple servers behind pfSense
• Virtual Private Network (VPN): IPSec and OpenVPN
• Reporting and Monitoring: RRD graphs and real-time traffic monitoring
• Dynamic DNS: register your public IP with a number of dynamic DNS service providers
• Captive Portal: force authentication or redirection to a click-through page for network access
• DHCP Server and Relay
• DNS Server
• And more... too many to list.

In order to set up pfSense, you need a 64-bit x86 or ARM based computer that has at least two network interfaces. One network interface will act as the WAN (wide area network) interface, which will connect to your home’s cable modem, whether it be Verizon FiOS, Xfinity/Comcast, etc. The second network interface will connect to your LAN (local area network).

In this lab, we are going to install pfSense in a virtual machine, so that you can see the installation process and look around inside pfSense’s web interface to get familiar with it. Just remember, even though we are installing this in a virtual environment, installing it on a physical machine is no different.

Virtual Machine Setup:

Let’s create a new virtual machine that has two network interfaces for our pfSense system. During the setup, you’ll notice that we set one virtual interface to “Host Only” and the other one to “NAT”. This is necessary because we need to simulate having two separate networks in our virtual environment.

1. Open VMware Player.
2. Click “Create a New Virtual Machine”, which will start the “New Virtual Machine Wizard”.
3. For “Install operating system from”, choose “I will install the operating system later” and click “Next”.
4. For “Guest Operating System”, choose “Other” and for “Version” select “FreeBSD 11 64-bit”. Since pfSense is based on FreeBSD 11, this is the best choice that we have available. This causes VMware to provide us with some defaults for our virtual machine's configuration to work better with FreeBSD. Click “Next”.
5. For “Name”, enter pfsense. You can leave the default “Location”, and then click “Next”.
6. The default “Disk Size” should be set to 20GB. Leave “Split virtual disk into multiple files” selected and click “Next”.
7. You should now see a summary of your new virtual machine's configuration options, which we want to customize further, so click the “Customize Hardware...” button.
8. Change “Memory” to “1024 MB”.
9. Select “Network Adapter” in the list on the left side, and then on the right side change the “Network Connection” setting from “NAT” to “Host-only”. This is going to act as our “dummy” WAN interface. It’s a dummy interface because we’re not really going to have a WAN interface in our virtual environment, but we need something to emulate one.
10. Now we want to add a second network interface, so click the “Add...” button, select “Network Adapter” in the list and click “Finish”. You should now see a “Network adapter 2” in the list. Make sure this one’s “Network Connection” setting is set to “NAT”. This is going to act as our LAN interface in pfSense.
11. You can now click the “Close” button on the “Virtual Machine Settings” window.
12. Now click “Finish”, and it should say “Virtual machine created successfully”. Then click “Close”.
13. You should now see pfsense in your virtual machine list. Select it and then click “Edit virtual machine settings”. Select the “CD/DVD (IDE)” device on the left, then on the right select “Use ISO image” and click “Browse...”. At the top of the dialog box, select “home” and then open the “iso” folder, where you will see a “pfSense-CE-2.4.2-RELEASE-amd64.iso” ISO file. Select that and click “Open”.
14. Now click “Save” to close your “Virtual Machine Settings”.
15. Finally, click the “Power On” button to power on your pfsense virtual machine.

pfSense Install and Initial Configuration:

When you power on your virtual machine, it will boot the pfSense ISO that we connected to it and automatically start the pfSense Installer:

1. On the first screen of the installer, press <ENTER> on “Accept” to accept their license agreement.
2. On the “Welcome” screen, select “Install” using your arrow keys and press <ENTER>.
3. On the “Keymap Selection” screen, you can just press <ENTER> to accept the default US keyboard map.
4. On the “Partitioning” screen, select “Auto (UFS)” and press <ENTER>.
5. The installer will now partition your hard drive (erasing anything that was on the hard drive) and then it will install the pfSense software onto the hard drive.
6. When prompted about the “Manual Configuration”, select “No” and press <ENTER>.
7. At the “Complete” screen, press <ENTER> to reboot the machine.
8. When the machine reboots, it will boot from the hard drive instead of the CD/DVD drive.
9. By default pfSense wants to set its LAN interface to IP address 192.168.1.1; however, we want to set it to an IP address that is accessible to the “NAT” VMware interface that we configured the virtual machine with. So at the “Enter an option” prompt, type 2 and press <ENTER>.
10. You should see “2 - LAN (em1 - static)”. We want to change the IP address of that interface, so enter 2 again and press <ENTER>.
11. For the IP address, enter 192.168.90.90 and press <ENTER>.
12. When prompted for the subnet bit count, enter 24 and press <ENTER>.
13. When prompted for a gateway address, don’t enter anything, and just press <ENTER>.
14. When prompted for the LAN IPv6 address, leave it blank and just press <ENTER>.
15. When prompted to enable the DHCP server on the LAN interface, enter n and press <ENTER>.
16. When prompted to “revert to HTTP as the webConfigurator protocol”, enter n and press <ENTER>.
17. After it reconfigures your network interfaces, you’ll see a message saying that you can access the webConfigurator by opening the following URL in your web browser: https://192.168.90.90
    Press <ENTER> to return to the pfSense main console menu.
18. Let’s access the web interface of pfSense, which is what we’ll use to explore pfSense and its features. On your host system (not the guest running pfSense), open Firefox and go to https://192.168.90.90
19. You’ll get a message saying that the connection is not secure. That’s because pfSense is using a self-signed SSL certificate. Just click the “Advanced” button, then click the “Add Exception...” button and finally click the “Confirm Security Exception” button.
20. You should now see the pfSense login page. For username enter admin and for password enter pfsense. That’s the default password for all pfSense installations.
21. The first time you go into the pfSense web interface, it will take you through the initial configuration wizard:
    - On the first screen, just click “Next”.
    - On the global support screen, click “Next”.
    - The “General Information” screen is where we could rename our pfSense box if we wanted to, but we’ll leave its default settings. Click “Next”.
    - On the “Time Server Information” screen, change the Timezone to “America/New_York” and click “Next”.
    - The “Configure WAN Interface” screen is where you would most likely take the MAC address of your local computer that was hooked up to your cable modem and enter it into the “MAC Address” field for the WAN interface in pfSense. This would spoof the MAC address and make the cable modem think it was still connected to your computer’s network interface card. Not all ISPs still require this, but some do restrict access to their network by MAC address. We are going to leave everything at its default value, so scroll all the way down and click “Next”.
    - On the “Configure LAN Interface” screen, you can leave the default values, since we already set this via the pfSense console earlier, so click “Next”.
    - On the “Set Admin WebGUI Password” screen, we want to change the default admin password from pfsense to something more secure. For our lab, let’s set it to Abc12345, and then click “Next”.
    - Finally, at the last screen click “Reload”. Give it a few seconds and wait for it to say “Congratulations! PfSense is now configured”. Once you see that, you can click the “pfsense” image icon in the top left corner of the web page to go to pfSense’s dashboard.

Exploring the pfSense Web Interface:

Let’s look around the pfSense web interface and explore some of the features of pfSense. The first time you go to the dashboard of pfSense, you’ll have to “Accept” their license.

The pfSense dashboard is customizable and allows you to add and remove “widgets”, which can show critical information about your pfSense system at a glance. By default, the dashboard will show these three widgets:

- System Information: An overview of your pfSense hardware and software.
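
Step 19 of the install procedure above accepts the webConfigurator's self-signed certificate through a browser exception. As an added example (not part of the original lab), the Python script below records that certificate's SHA-256 fingerprint on first use and compares it on later visits; the script's command-line usage is an assumption, and the address is the LAN IP set at the console.

```python
import hashlib
import hmac
import ssl
import sys

WEBGUI_HOST = "192.168.90.90"  # LAN address configured at the pfSense console
WEBGUI_PORT = 443


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(pin: str) -> str:
    """Accept 'AB:CD:...', spaced, or plain hex, as browsers and openssl print it."""
    cleaned = "".join(ch for ch in pin if ch not in ": \t\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("pin is not a SHA-256 fingerprint")
    return cleaned


def pin_matches(der: bytes, pin: str) -> bool:
    """Compare the presented certificate with the recorded pin in constant time."""
    return hmac.compare_digest(fingerprint(der), normalize(pin))


def fetch_der(host: str, port: int) -> bytes:
    """Fetch the server certificate without CA validation (it is self-signed)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    der = fetch_der(WEBGUI_HOST, WEBGUI_PORT)
    if len(sys.argv) < 2:
        # First use: record this value right after the install, on the lab network.
        print("record this pin:", fingerprint(der))
    elif pin_matches(der, sys.argv[1]):
        print("certificate matches the recorded pin")
    else:
        sys.exit("certificate changed: do not enter the admin password")
```

Run it once with no argument to record the pin, then pass the recorded value as the first argument before later logins; the same fingerprint is shown in Firefox's certificate viewer when adding the exception.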
