12/7/2018 Configure a professional firewall using pfSense

END USERS HACKING HUMOUR INTERVIEWS OPINONS REVIEWS ALL ARTICLES

ISSUES BOOKS

Con gure a professional

rewall using pfSense
BY SLOAN MILLER IN HACKING 2008-6-26 PERMALINK TAGS: SECURITY FIREWALL

The guide will take you through the setup of the pfSense rewall with one WAN interface, one
LAN interface and one Opt1-WiFi Interface.

This guide was written for Linksys, Netgear, and D-link users with no rewall or router experience.
No experience is needed with FreeBSD or GNU/Linux to install and run pfSense. When you are
nished, management of pfSense will be from a web interface just like any of the SOHO
rewall/router appliances.

pfSense is a web-based rewall project that is similar, in terms of functionality, to the software in
rewall appliances sold by Linksys, Netgear and D-Link. pfSense covers all the basic
requirements offered by those appliances but offers so much more--in fact, it is really in a class
by itself since it would be very di cult to nd a commercial alternative that would provide what
pfSense has to offer (or, anything cheaper than $2,000–$5,000).

As mentioned above, in this article I will explain how to setup the pfSense rewall with one WAN
interface, one LAN interface and one Opt1-WiFi Interface. This set-up allows you to offer wireless
Internet to the surrounding community. The WiFi subnet will not be able to access the LAN: it will
be able to connect to the Internet only. You can choose to eliminate the Opt1-WiFi setup: this will
leave you with a rewall more similar to the "conventional" appliances.

One of the very unique uses for your new rewall could be to offer
wireless Internet to your neighbors at a reduced cost

One of the very unique uses for your new rewall could be to offer wireless Internet to your
neighbors at a reduced cost. This connection can be via an encrypted access point, where the
network key is only given to approved users, or an open access point where you control access
to the Internet with the captive portal function built in to pfSense. A portal landing page will be
http://freesoftwaremagazine.com/articles/configure_professional_firewall_using_pfsense/ 1/7
12/7/2018 Configure a professional firewall using pfSense

presented whenever a user tries to connect to the Internet at the beginning of the session. Each
user will need to have their user name and password entered into the rewall in advance of the
rst connection.

There are many advanced features that pfSense can offer with one-click installation which are
listed at the end of this article. See the pfSense's web site. There is an active user forum and an
pfSense Wiki.

Two good reasons to use pfSense

1. pfSense is a very powerful and stable project with advanced features. Users of pfSense
have reported that it performs well even with hundreds of computers operating behind the
rewall. pfSense has all the features of the SOHO units and much more. You can have
multiple network subnets separate from each other using rewall rules. For example, you
could have separate subnets for each business function; or separate Accounting,
Marketing, Sales, and R&D from each other, while giving each one access to the Internet; or
set up a HotSpot for your business, allowing users to access the Internet but not the
company LAN (which usually contains a POS (Point Of Sale) system and/or proprietary
information and non public computer systems).

2. If you are an experienced FreeBSD, GNU/Linux or Unix user you may wish to add
applications from the FreeBSD repository. While running additional applications on a
rewall can increase your exposure to potential risk of being hacked, it can still be
extremely useful to add a few applications to pfSense. Once you get pfSense installed you
can nd a list of authorized ports under the System Packages tab. These can be installed
with one click. The FreeBSD.org packages are added by the user via the shell the way it has
been done for years. These FreeBSD.org packages are not o cially supported by pfSense.

Install Guide
Download, ISO preparation, and interface selection.
Here is the link to the pfSense download area This will take you to a mirror near you. This CD we
will install from is a Live CD. A Live CD will allow you to test your hardware and pfSense without
actually installing onto the hard drive. You will need to change your BIOS to boot from the CD and
then boot from the CD image that you create from the ISO image. This CD is also an installer CD--
more on this later.

Users of pfSense have reported that it performs well even with hundreds
of computers operating behind the rewall

http://freesoftwaremagazine.com/articles/configure_professional_firewall_using_pfsense/ 2/7
12/7/2018 Configure a professional firewall using pfSense

The ISO image for this guide will be pfSense-Full-Update-1.2-RELEASE.tgz . You will rst
need to decompress this le using gzip to get to the ISO. Then, create the bootable CD. A good
program to use is cdrecord via the GNU/Linux command line.

Use this command:

sudo cdrecord -v speed=20 dev=/dev/sr0 pfSense-1.2-RC3-LiveCD-Installer.iso

If you use Linux, your device ( dev ) may vary. There is also a good utility for Windows for
creating ISOs called Deep Burner, which is freeware, but it's not released under a free license.

Now that you have set your BIOS to boot from CD and you have created your bootable CD, you
can boot into pfSense on your PC. You will need to have at least two network cards installed—
although I recommend three. The third is necessary for the WiFi subnet, giving you:

one for the WAN (your ISP);

one for your private LAN;
one for your WiFi internet-access-only subnet.

Check the FreeBSD hardware compatibility list rst to make sure your hardware is supported.

You can now boot into pfSense. As the bootloader comes up the Free BSD screen 7 options are
listed. You can wait for the default option (1) to boot up. Take a sheet of paper and write down
the initials for the "valid interfaces": you will need them in a moment. Mine are fxp0 , fxp1 ,
and fxp2 . The next choice you will be asked to make is "Do you want to set up VLAN's now
[y|n]?" Select "no" or "n".

Then you are asked to "Enter your LAN interface name", enter one from the sheet of notes you
just created. I enter 'fxp1'.

Next you are asked to "Enter your WAN interface name". I enter fxp2 . The next option is "Enter
the Optional 1 interface name". Here I enter my last 'fxp0'.

You should then see:

The interfaces will be assigned as follows:

LAN -> fxp1

WAN -> fxp2

OPT1 -> fxp0

Do you want to proceed [y|n]?

(Make sure you enter "y" here).

http://freesoftwaremagazine.com/articles/configure_professional_firewall_using_pfsense/ 3/7
12/7/2018 Configure a professional firewall using pfSense

pfSense is now running in RAM and almost fully functional. If you wish you may plug your LAN
interface into a hub or switch and connect via the web interface. pfSense is by default assigned
an IP of 192.168.1.1. Open your browser and check it out, or proceed to the hard drive install. To
run from RAM you can skip to the "Web interface con guration" section of this guide.

pfSense is now running in RAM and almost fully functional

If you choose to login, the user name is "admin" and the password is "pfsense".

Hard drive install

Here is how to complete a hard drive installation.

Transition to the console in order to begin the "hard drive installation". This section is "pfsense
console setup": Select "99".

This is a curses based install. It works best if you use an entire hard disk. If there is any data on
the disk, make sure that you have copied it to another location. You can, as a rule of thumb,
accept the default settings that are presented during the curses-based installation.

Pictures of the pfSense installation are available in pfSense's forums.

Here is a list of operations, shown graphically by the tutorial:

Note: If you would like to see the instructions as a Wink tutorial, you can see pfSense's
Wink tutorial. However, the instructions here follow.

Remember to remove the CD from the drive when you reboot.

After rebooting, you should be presented with the "pfsense console setup" for a second
time. At this moment you can unplug your monitor cable and manage this rewall via a
browser, or you could select option 8 and explore it using a shell.

Make sure your computer's interface is in the 192.168.1.0 subnet, because pfSense's LAN
interface is by default 192.168.1.1. The default username and password for the web GUI
are "admin" "pfsense".

Select System→Setup Wizard now.

This wizard will guide you through the initial installation of pfSense. Click "next"

General Information: enter primary and secondary DNS (name servers) if you wish. Click
"next"

Select TimeZone and then Click "next"

On the Wide Area Network Information page scroll down and click "next"

http://freesoftwaremagazine.com/articles/configure_professional_firewall_using_pfsense/ 4/7
12/7/2018 Configure a professional firewall using pfSense

On the LAN interface page you may select a Subnet IP address of your choice or stay with
the default of 192.168.1.1. If you stay with the default, you will need to con gure your
computers so that they are on the same subnet, or have DHCP enabled on your network
PCs.

The password page: you should select a password that consists of at least 8 letters and
numbers, lowercase and uppercase. Save this new password in a secure place. Now that
you have selected a new password you will be required to login again.

Go to "Interfaces" tab on the top row and select "Opt 1: Enable the opt 1 interface". Enter the
IP of the Opt 1 interface under the IP Con guration section, "192.168.2.1". Scroll to the
bottom and select "save"

On the top bar, select "Firewall→Rules"; select the "Opt 1" tab; and click on the plus to add a
rule. Change protocol to "any". Under "Destination", check the "not" box. In "Type", select
"LAN subnet". In "Description", enter allow all to net - > ! LAN subnet . Save the
changes, and then in the next window, select "Apply Changes".

Go to the Top row and select Status→Interfaces

Move the cable from your current rewall to the WAN port for pfSense and connect the LAN
cable to the LAN port on you new pfSense rewall. At this point you should power cycle
your Broadband provider's equipment (turn it off for 30 seconds, then turn it back on).
Sometimes when your MAC address changes on your rewall, your broadband provider will
need to be involved to reset your con guration.

Under the WAN interface section, you may see your external IP address. If this is the case
you are, most likely, good to go.

Go to the "Services" tab, then "DHCP server". Select the "Opt 1" tab and enable the DHCP
server for that interface. In the "Range" section, enter the IP address range for your DHCP
server.

Scroll to the bottom to select "save", and you are ready to go.

Setting up your Wi-Fi for the Opt1-Wi-Fi interface

Run a cat-5 cable from the Opt1-Wi interface that you set up earlier to the access point you plan
to have on its own subnet. This subnet is separated from your LAN via rewall rules. This AP will
connect directly to the internet and have no access to your LAN. Many of the SOHO
rewall/routers have a default IP address of 192.168.0.1 or 192.168.1.1. Change this to a
different IP address so it will work on this install, and not have the same IP address as your new
pfSense box. I selected 192.168.2.5.

You can use this same process on your LAN for a second access point
with an IP address on the same LAN subnet that is encrypted
http://freesoftwaremagazine.com/articles/configure_professional_firewall_using_pfsense/ 5/7
12/7/2018 Configure a professional firewall using pfSense

Then, disable the DHCP server on this appliance so your pfSense box can now hand out the
addresses. This way when you are looking under Diagnostic→ARP tables you can easily see who
is on your connection. Enable the DHCP server under the Services→DHCP server, tab click on the
Opt 1 interface, and on the top, check the box "enable DHCP Server". You will need to set the
Range of the DHCP server which will regulate how many IP addresses you will give out.

The key to this functioning properly is to make sure that when the rewall rule is set up for the
Opt1 Wi interface is that the protocol section be set to "any". By default when the rule is set up
it is TCP. If this is not set properly access will be limited and for our purposes would not work.

You can use this same process on your LAN for a second access point with an IP address on the
same LAN subnet that is encrypted. This wireless network connection is for your use only, not
your neighbors. Disable the DHCP server on the second Access Point and let pfSense handle that
function. You can regulate access by using the built in captive portal capability found under
Services→Captive Portal. An equally effective way for an encrypted network is to only give your
network key passphrase to select people.

Get help
If you encounter di culty you can post questions related to the pfSense forums.

Advanced Features for pfSense

This section outlines some of the advanced features available in pfSense. These are features
that in the past were generally available on proprietary and expensive rewalls.

Tra c Shaping - This gives you the ability to prioritize tra c. For example if you use VOIP
you will want to give that top priority. Also you may want to move torrent tra c down the
priority list so that it does not slow down web sur ng tra c

Clustering - Linking two or more computers into a seperate network to take advantage of
parallel processing of those compters

Load Balancing - If you are running multiple web servers you can spread the tra c evenly to
each server. This will help to prevent any one server from becoming overburdened

Failover - You can set up two rewalls with pfSense if one fails the other will automatically
kick in. If you have multiple Internet connections and one fails the other will take over

Captive Portal - Control Access to the internet. Like coffee shops use when they offer free
WiFi

The below services will install with one click in pfSense. Installing these features is a snap.
There are tutorials available for some of the below packages on the pfSense wiki. If no
tutorial is available help is available on the pfSense forums
http://freesoftwaremagazine.com/articles/configure_professional_firewall_using_pfsense/ 6/7
12/7/2018 Configure a professional firewall using pfSense

Snort - Lightweight network intrusion detection system

Squid - High performance web proxy cache

FreeRadius - Implementation of the RADIUS protocol

IMSpector - an Instant Messenger proxy with logging capabilities

nmap - A utility for network exploration or security auditing

ntop - Shows network usage in a way similar to top

Darkstat - A packet sniffer and a network statistics gatherer and much much more.

pfSense will also allow you to add packages from the standard FreeBSD repository, although any
uno cial packages are not supported by pfSense.

Resources
HOWTO Add a Wireless Interface. You can skip this tutorial if you are planning on adding an
external Access Point as outlined above. This tutorial is for those who want an internal WiFi
interface.

*Graphical Tutorials

License
Verbatim copying and distribution of this entire article are permitted worldwide, without
royalty, in any medium, provided this notice is preserved.

http://freesoftwaremagazine.com/articles/configure_professional_firewall_using_pfsense/ 7/7