How to Pfsense


PAGE WORK IN PROGRESS

How to Pfsense, the basics.

The goal of this document is to provide a full guide to working with Pfsense; you should still always check the official Pfsense documentation website. Remember that we are talking about a firewall here, so any misconfiguration can leave your firewall, and the network behind it, insecure. For example, never open anything on your WAN unless it is really needed. By default the Pfsense box comes with the WAN totally blocked and the LAN totally open. If you do not change too much, you can see this as protected from the outside (WAN) and unprotected on the inside (LAN), which is the most commonly used configuration for home networks.

Installation

The installation of Pfsense is really straightforward and presents no difficulties, so there is not too much to say.

Download it from here:

 1. Version = Take the latest one.
 2. File Type = Install.
 3. Architecture = Take AMD64 or I386.
 4. Installer = USB (in my case).
 5. Console = VGA (or serial, if installation is done with serial cable).

Then press download, and take the time to read the installation guide, here.

First step in Pfsense:

Now that it is installed and started, you will be prompted with a terminal menu that looks like this:

 PC Engines APU2 - Netgate Device ID: 9d8c339af4f1a1f69b35
 *** Welcome to pfSense 2.4.3-RELEASE-p1 (amd64) on pfsense ***
 --
 WAN (wan)       -> igb0       -> v4: 192.168.1.2/24
 LAN (lan)       -> igb1       -> v4: 192.168.2.1/24
 --
 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell
 --
 Enter an option: 
    • NOTE: This menu is not always shown the first time the box boots after the installation; you will still get the same choices for the IP settings part to configure your device.

Mmm, interesting. I definitely want to set the interface IP addresses first; this is where you will need to make some choices:

 1. LAN or VLAN? (This depends on your actual hardware: how many NICs do you have?)
 2. IP settings for the WAN.
 3. IP settings for the LAN & DHCP.

For me this is easy: I use WAN and LAN (no VLANs). If you want to configure VLANs, you should have some notion of how they work in order to get them working :-).

 Available interfaces:
 --
 1 - WAN (igb0 - static)
 2 - LAN (igb1 - static)
 --
 Enter the number of the interface you wish to configure: 

It is interesting to know here that in FreeBSD (as in all BSD operating systems), the Ethernet interface name is not 'ethX' as in Linux, but the name of the driver actually used by the interface (here, igb). And it is well documented.

I choose number 1 and use it as the WAN:

 Configure IPv4 address WAN interface via DHCP? (y/n) N
 --
 Enter the new WAN IPv4 address.  Press <ENTER> for none:
 > 192.168.1.2/24
 --
 For a WAN, enter the new WAN IPv4 upstream gateway address.
 For a LAN, press <ENTER> for none:
 > 192.168.1.1
 --
 Configure IPv6 address WAN interface via DHCP6? (y/n) N
 Enter the new WAN IPv6 address.  Press <ENTER> for none:
 > 
 --
 Please wait while the changes are saved to WAN...
 Reloading filter...
 Reloading routing configuration...
 --
 The IPv4 WAN address has been set to 192.168.1.2/24
 --
 Press <ENTER> to continue.

Then we will configure the LAN. I again choose option 2 in the menu:

 Enter the new LAN IPv4 address.  Press <ENTER> for none:
 > 192.168.2.1/24 
 --
 For a WAN, enter the new LAN IPv4 upstream gateway address.
 For a LAN, press <ENTER> for none:
 > 
 --
 Enter the new LAN IPv6 address.  Press <ENTER> for none:
 > 
 Do you want to enable the DHCP server on LAN? (y/n) N  ## In this setup I do not need a DHCP server, but surely you want one, so say "Yes".
 --
 Please wait while the changes are saved to LAN...
 Reloading filter...
 Reloading routing configuration...
 --
 The IPv4 LAN address has been set to 192.168.2.1/24
 You can now access the webConfigurator by opening the following URL in your web browser: 
                        http://192.168.2.1/
 --
 Press <ENTER> to continue.

Now it is time to open the webgui for the first time.

Pfsense Webgui:

From here, your firewall is already active and protects you from the outside (WAN), while from the inside (LAN) everything is open. If you go to http://your_lan_ip or http://pfSense you will see:

Pfsense 001.png

Type in the username and password here; the defaults are:

 Username: admin
 Password: pfsense

This will take you to the pfsense wizard.

Pfsense 002.png
Pfsense 003.png
Pfsense 004.png

Here you are asked about:

 1. Hostname: the default is pfSense (you can change it as you prefer).
 2. Domain: here you should put your own domain. If you have none, choose something like: aname.local
 3. DNS: choose whatever DNS you prefer to use, such as OpenDNS or Google DNS or your provider's DNS.
 4. Check or uncheck as preferred.
 5. Next.

Pfsense 005.png

Here you can choose a pool from ntp.org and adapt your timezone (this is important if, for example, you are using OpenVPN and IPsec), then press Next.

Pfsense 006.png
Pfsense 007.png

Here you normally should not need to make any changes (for a home network), depending on what kind of WAN connection you have. In the end only one box should be active (bogon networks).

Pfsense 008.png

Here too, there is nothing to change if it was already configured in the shell... As you can see, my example was with 192.168.2.1, but in my screenshot you see 192.168.122.2 (nothing to worry about).

Pfsense 009.png

This is really important: the default password is pfsense and everyone knows it, so you need to change it. Best is to use a password that is not easy, not well known and not already used elsewhere. The best solution is to use an application like pass. Then press Next.

Pfsense 010.png

Press Reload.

Pfsense 011.png

OK, the wizard is finished. Now you can click on the Pfsense logo at the top and admire your new firewall:

Pfsense 012.png

Pfsense general setup & Advanced:

Now if you navigate to: System -> General Setup:

Here you will see that most of it was done in the wizard, but you can make some changes to the webConfigurator; here I made some changes (you can also do this on a per-user basis).

Pfsense 013.png

Then you can go to: System -> Advanced.

Here are some modifications you will want to make:

Protocol HTTP HTTPS => choose HTTPS, and below it will appear: SSL Certificate, with a default web certificate.

Pfsense 014.png

Then scroll to Secure Shell and enable it. It is best to use it without a password (you will need an RSA/DSA key).

Pfsense 015.png

The other options do not need to be changed now; you can make changes later.

From here on, you have a working Pfsense box and are protected by a firewall.
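As an added example (not part of the original page and not pfSense's own tooling), the settings changed in this guide can be checked offline against an exported configuration backup: HTTPS for the webgui, key-only SSH, the bogon box on the WAN, and no pass rules on the WAN. The element names used below are assumptions about the config.xml layout and the sample configuration is constructed; compare them with your own export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real backup. Element names follow the pfSense
# config.xml layout as assumed here; confirm them against your own export.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <webgui><protocol>http</protocol></webgui>
    <ssh><enable>enabled</enable></ssh>
  </system>
  <interfaces>
    <wan><if>igb0</if><ipaddr>192.168.1.2</ipaddr><blockbogons/></wan>
    <lan><if>igb1</if><ipaddr>192.168.2.1</ipaddr></lan>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>wan</interface><descr>test rule</descr></rule>
    <rule><type>pass</type><interface>lan</interface><descr>Default allow LAN</descr></rule>
  </filter>
</pfsense>"""


def audit_config(xml_text):
    """Return a list of findings for the settings this guide changes."""
    root = ET.fromstring(xml_text)
    findings = []

    # System -> Advanced: the webgui should be served over HTTPS.
    if (root.findtext("system/webgui/protocol") or "http").strip() != "https":
        findings.append("webgui: protocol is not https")

    # Secure Shell: if enabled, password logins should be switched off.
    ssh = root.find("system/ssh")
    if ssh is not None and ssh.find("enable") is not None and ssh.find("sshdkeyonly") is None:
        findings.append("ssh: enabled but password login still allowed")

    # WAN: the bogon box should stay checked.
    wan = root.find("interfaces/wan")
    if wan is None or wan.find("blockbogons") is None:
        findings.append("wan: bogon networks are not blocked")

    # WAN: every enabled pass rule is an opening that needs a reason.
    for rule in root.findall("filter/rule"):
        ifaces = (rule.findtext("interface") or "").split(",")
        is_pass = (rule.findtext("type") or "pass") == "pass"
        if "wan" in ifaces and is_pass and rule.find("disabled") is None:
            findings.append("wan: pass rule '%s'" % (rule.findtext("descr") or "no description"))
    return findings


print("\n".join(audit_config(SAMPLE_CONFIG)))
```

An empty list means none of the four checks fired; it does not say anything about settings the script does not look at.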