Pfsense Training - 2

PfSense is free firewall software that can be used on various hardware to provide firewall functionality at low cost. It is based on FreeBSD and includes features like packet filtering, VPN support, bandwidth monitoring, and more. It can be installed on physical or virtual machines. The configuration is done through a web interface, where you set up interfaces, firewall rules, DHCP services, and other options.

Uploaded by

Shwe Rain

Introduction to pfSense

What is pfSense?
pfSense is a complete firewall software package that, when used together with
suitable hardware, provides all the important features of commercial firewall
appliances (including ease of use) at a fraction of the price (it is free software).
pfSense is based on a stripped-down and heavily customized version of FreeBSD,
along with the lighttpd web server, PHP and a few other utilities. The entire
system configuration is stored in one single XML text file to keep things
transparent. pfSense is probably the second UNIX system to have its boot-time
configuration done with PHP, rather than the usual shell scripts, and to have the
entire system configuration stored in XML format. The pfSense project was based
on m0n0wall, which was the first system of this type. pfSense features a
package system that allows the environment to be extended with new features
and functions.
Background
• Firewall and router
• Built using FreeBSD
• Started in September 2004
• Built on the very stable m0n0wall project
Features

• Uses a variety of low-cost, non-specialist hardware
• Low memory usage
• Many add-on packages to build a full custom solution, including major packages such as Squid Proxy, Snort and NTOP
• Resilient configuration such as CARP and Multi-WAN fail-over
• Clusters for High-Availability (HA) solutions
• Supports Multi-WAN configuration
• Inbound/outbound load balancing
• Multiple VPN support including IPsec and PPTP
• Content security via HAVP
• A variety of traffic shaping and Internet filtering methods
• Real-time and historical reporting of bandwidth and IP usage

Raid 5 Technology 09-254004117 , 09-785956613



Products

Distributed by Netgate

Hardware Requirements for a SOHO Network:

General Hardware Requirements

  Component       Minimum    Recommended
  CPU             1 GHz      2.8 GHz
  RAM             512 MB     2 GB
  Storage drive   16 GB      (not specified)


INSTALLING PFSENSE ON VIRTUALBOX

How to do it
• Create a new virtual machine in VirtualBox
• Set the memory size to 1024 MB (at least) and then click Next
• Create a virtual hard disk of 16 GB (HDD) and then click Create
• Open Settings > Network: enable Adapter 1 for WAN (Internet access) and enable Adapter 2 for LAN (internal network)

*Now you can install the pfSense OS in your VirtualBox machine

• Choose Start and select the path of the ISO image on your machine


*Now pfSense is running in your VirtualBox

• Unmount the ISO image when pfSense reboots:

Devices > Optical Device > pfSense-CE-2.4.2 RELEASE-amd64.iso

• When the boot process is complete you are asked:

Do you want to set up VLANs now [y|n]?

Press N for No


Enter the WAN interface or 'a' for auto-detection?

If you don't know which interface is the WAN interface, press A

The interfaces will be assigned as follows:

WAN -> interfacename

LAN -> interfacename

Do you want to proceed [y|n]?

*pfSense default IP: 192.168.1.1

Configuring PFSENSE

How to do it
• Browse to http://192.168.1.1 to reach the web interface (Chrome)
• Log in with the pfSense default username: admin
  Password: pfsense


System > Wizard for General Setup settings

• Enter a Hostname. This name will be used to access the machine by name instead of by IP address. For example, we can browse to http://raid5technology instead of 192.168.1.1
• Enter a Domain name
• DNS servers can be specified here. By default, pfSense will act as the primary DNS server and these fields will be blank
• Enter a Time zone and leave the default NTP time server as 0.pfsense.pool.ntp.org.


How to do it
• Access the console from the physical machine or enable SSH and connect remotely (see the Enabling the Secure Shell (SSH) recipe)
• The home screen will display a list of interfaces, network ports, and IP addresses
• Choose option 1 to Assign Interfaces.
• Skip setting up VLANs for now.


In Web Interface: WAN

• Browse to Interfaces | WAN.
• Check Enable Interface.
• Choose DHCP as the address configuration Type
• Check Block private networks. This setting is usually only checked on a WAN interface.
• Check Block bogon networks. This setting is usually only checked on a WAN interface.
• Save changes

In Web Interface: LAN


• Browse to Interfaces | LAN.
• Check Enable Interface.
• Choose Static as the address configuration Type
• Enter an IP address and subnet mask
• Leave Gateway set to None.

Modifying Admin name and password

• Type the new user name and password


Configuring DHCP Server, Static Mapping & Relay

How to do it: DHCP Server

• Browse to Services | DHCP Server.
• Choose the LAN tab.
• Check Enable DHCP server on LAN interface
• Choose a Range of IP addresses for DHCP clients to use. This range must be contiguous and within the Available range listed above the Range.
• Save the changes and the DHCP service will be started.
• Apply the changes, if necessary.
• Refresh your client PC so that it requests a DHCP lease


How to do it: Static Mapping

• Browse to Status | DHCP Leases to view the list of clients that have issued DHCP requests.
• Click the "plus" button to add a new static DHCP mapping.
• The MAC address will be pre-filled.
• Enter an IP address, which must be outside the range of dynamically assigned DHCP addresses.
• The Hostname may be pre-filled. If not, enter one.
• Enter a Description.
• Save the changes.
• Apply changes, if necessary. Scroll to the bottom of the DHCP Server page and verify that your new mapping exists.

*On the client, open CMD and run: ipconfig /release, then ipconfig /renew
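The two constraints stated above (the dynamic range must be contiguous and within the interface's available range; a static mapping must be outside the dynamic range) can be checked before committing changes, which avoids a mapping that silently collides with a dynamic lease. The following Python script is an added example written for this handout, not part of the original training material or of pfSense itself; the LAN address, pool and mappings are constructed sample values and the checks mirror the rules stated above.

```python
import ipaddress

# Constructed sample values (not from the training document): the LAN interface
# configured with a static address, the dynamic pool and some static mappings.
LAN_INTERFACE = ipaddress.ip_interface("192.168.1.1/24")
DHCP_RANGE = ("192.168.1.100", "192.168.1.199")
STATIC_MAPPINGS = [
    {"mac": "00:11:22:33:44:55", "ip": "192.168.1.50", "hostname": "printer"},
    {"mac": "00:11:22:33:44:66", "ip": "192.168.1.150", "hostname": "vvip-pc"},   # inside the pool
    {"mac": "00:11:22:33:44:55", "ip": "192.168.1.51", "hostname": "scanner"},    # reuses printer's MAC
    {"mac": "00:11:22:33:44:77", "ip": "192.168.2.10", "hostname": "off-subnet"}, # not on the LAN
]


def available_range(iface):
    """Usable host range of the interface subnet, the 'Available range' the DHCP page shows."""
    hosts = list(iface.network.hosts())
    return hosts[0], hosts[-1]


def check_dhcp_range(iface, rng):
    """Return a list of problems with a dynamic pool; an empty list means it is acceptable."""
    lo, hi = (ipaddress.ip_address(a) for a in rng)
    first, last = available_range(iface)
    problems = []
    if lo > hi:
        problems.append("range start is above range end")
    if not (first <= lo <= last and first <= hi <= last):
        problems.append("range is not within the available range of the interface subnet")
    if lo <= iface.ip <= hi:
        problems.append("range includes the firewall's own LAN address")
    return problems


def check_static_mappings(iface, rng, mappings):
    """Return (hostname, problem) pairs for mappings that would conflict."""
    lo, hi = (ipaddress.ip_address(a) for a in rng)
    problems = []
    seen_macs, seen_ips = set(), set()
    for m in mappings:
        ip = ipaddress.ip_address(m["ip"])
        mac = m["mac"].lower()
        if ip not in iface.network:
            problems.append((m["hostname"], "address is not on the interface subnet"))
        elif lo <= ip <= hi:
            problems.append((m["hostname"], "address lies inside the dynamic pool"))
        elif ip == iface.ip:
            problems.append((m["hostname"], "address is the firewall's own address"))
        if mac in seen_macs:
            problems.append((m["hostname"], "MAC address already mapped"))
        if ip in seen_ips:
            problems.append((m["hostname"], "IP address already mapped"))
        seen_macs.add(mac)
        seen_ips.add(ip)
    return problems


if __name__ == "__main__":
    print("available range:", available_range(LAN_INTERFACE))
    print("pool problems:", check_dhcp_range(LAN_INTERFACE, DHCP_RANGE))
    for host, why in check_static_mappings(LAN_INTERFACE, DHCP_RANGE, STATIC_MAPPINGS):
        print(f"{host}: {why}")
```

Run it as-is and the sample data reports the mapping inside the pool, the duplicate MAC and the off-subnet address; the first mapping passes every check.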


How to do it: DHCP Relay

• Browse to Services | DHCP Relay.
• Check Enable DHCP Relay on Interface.
• Select the interfaces on which the relay will be applied. Use Ctrl + click to select multiple interfaces.
• Enter the IP address of the existing DHCP server(s) to be used as the Destination server.
• Save the changes.


Creating Firewall Rules

How to do it
• Browse to Firewall | Rules.
• Select the WAN tab.
• Click the "plus" button to create a new firewall rule.
• Specify WAN as the Interface.
• Specify TCP as the Protocol.
• Specify any as the Source.
• Specify any as the Source Port Range.
• Specify any as the Destination.
• Specify HTTP as the Destination Port Range.
• Specify a Description as you like


• Save the changes
• Apply changes.

Firewall rules are highly configurable. Details of each firewall rule option are as follows:

• Action: The action defined here will be enforced if the rule is matched.
  • Pass: If all the criteria match, the packet will be allowed to pass.
  • Block: If all the criteria match, the packet will not be allowed to pass (some refer to this as a silent drop).
  • Reject: If all the criteria match, the packet will be dropped and a rejection notice returned to the sender.
  • Disabled: Disable a rule without having to delete it entirely.
• Interface: Traffic arriving on the specified interface will be subject to this rule. This is typically the WAN.
• Protocol: Specify the protocol to be matched; this varies depending on the type of traffic this rule defines.
• Source: This is typically any when referring to incoming traffic.


• Source Port Range: This is typically any when referring to incoming traffic.
• Destination: This is typically the alias or IP address of the computer which is servicing this traffic.
• Destination Port Range: This is typically the specific port of the computer which is servicing this traffic.
• Log: Enable logging to record packets that match this rule.
• Description: Enter a meaningful description that will make it easier to understand the rule.

Ordering firewall rules

pfSense rules are always evaluated from the top down. The first rule to match is applied and the rest of the rules are skipped. Many administrators will put very specific rules at the top and more generic rules at the bottom. You can adjust the order of a rule by dragging it.

Creating Gateway
How to do it...
• Go to System | Routing.
• Click the Gateways tab.
• Click the "plus" button to add a new gateway.
• Select the Interface for the new gateway.
• Specify a Name for the gateway (no spaces allowed).
• Specify the IP address for the gateway; it must be a valid address on the chosen interface.
• We may assign an alternative Monitor IP, or leave it blank to be filled with the gateway's IP address by default.
• Add a Description, such as My new gateway
• Save the changes.
• Apply changes, if necessary.


Configuring Traffic Shaper (QoS)

How to do it
• Browse to Firewall | Traffic Shaper
• Choose the Limiters tab and click New Limiter
• Check Enable limiter
• Name it Upload and set Bandwidth to the required value in Kbit/s
• Repeat for Download

Bandwidth limit on the LAN interface:

• Browse to Firewall | Rules
• Choose the LAN net rule to edit
• Scroll down to In/Out pipe: select the Upload limiter for In and the Download limiter for Out
• Browse to www.speedtest.net from a client to test its bandwidth


*Before this, you need to test your original bandwidth in this lab

Allowing full bandwidth for a VVIP under the limiting rule:

• The VVIP's IP address needs to be static (see the previous lab)
• Browse to Firewall | Rules
• Choose the LAN tab and add a rule at the top of the list
• Choose Action > Pass
• Specify Single host or alias as the Source and enter your VVIP's IP
• Save the changes.
• Apply changes, if necessary.

*Test your bandwidth again: the VVIP now gets the default bandwidth, not the limited one
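The "first match wins, top-down" behaviour described under Ordering firewall rules is also what makes the VVIP bypass rule work: placed above the LAN net rule that carries the limiter, the VVIP's traffic is passed without ever reaching the limited rule, and if the two rules are swapped the VVIP is silently limited again. The Python model below is an added example, not the training document's or pfSense's own code: it evaluates a list of rule rows against sample packets, treats the WAN "Block private networks" and "Block bogon networks" options as pre-checks, and falls back to the default deny when nothing matches. Rule fields, addresses, the limiter names and the abbreviated bogon list are constructed for the example.

```python
import ipaddress

# Networks the WAN "Block private networks" option drops (RFC 1918), and a short,
# constructed sample of reserved space standing in for the real bogon list.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGON_SAMPLE = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]


def rule(action, iface, proto="any", src="any", dst="any", dport="any",
         descr="", limiter=None, enabled=True):
    """One firewall rule row; limiter is the (In pipe, Out pipe) pair or None."""
    return {"action": action, "iface": iface, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "descr": descr, "limiter": limiter, "enabled": enabled}


def _addr_matches(spec, addr):
    # "any", a host (x.x.x.x/32) or a network in CIDR notation
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "any":
        return True
    if isinstance(spec, tuple):          # a port range (low, high)
        return spec[0] <= port <= spec[1]
    return port == spec


def evaluate(rules, pkt, block_private_on=(), block_bogon_on=()):
    """Top-down, first-match evaluation; returns (action, limiter, reason)."""
    iface, src = pkt["iface"], ipaddress.ip_address(pkt["src"])
    # The interface checkboxes act before the rule list is consulted.
    if iface in block_private_on and any(src in n for n in PRIVATE_NETS):
        return ("block", None, "block private networks")
    if iface in block_bogon_on and any(src in n for n in BOGON_SAMPLE):
        return ("block", None, "block bogon networks")
    for r in rules:
        if not r["enabled"] or r["iface"] != iface:
            continue
        if r["proto"] != "any" and r["proto"] != pkt["proto"]:
            continue
        if not (_addr_matches(r["src"], pkt["src"]) and _addr_matches(r["dst"], pkt["dst"])):
            continue
        if not _port_matches(r["dport"], pkt["dport"]):
            continue
        return (r["action"], r["limiter"], r["descr"])   # first match wins, rest skipped
    return ("block", None, "default deny")               # nothing matched


# Constructed rule sets: the LAN list from the lab with the VVIP rule on top,
# the same list in the wrong order, and the WAN "allow HTTP" rule.
VVIP = "192.168.1.50"
LIMITED = ("Upload", "Download")
LAN_RULES_CORRECT = [
    rule("pass", "lan", src=VVIP + "/32", descr="VVIP bypass"),
    rule("pass", "lan", src="192.168.1.0/24", descr="LAN net", limiter=LIMITED),
]
LAN_RULES_WRONG_ORDER = list(reversed(LAN_RULES_CORRECT))
WAN_RULES = [rule("pass", "wan", proto="tcp", dport=80, descr="Allow HTTP")]


def lan_packet(src):
    return {"iface": "lan", "src": src, "dst": "198.51.100.7", "proto": "tcp", "dport": 443}


def wan_packet(src, dport):
    return {"iface": "wan", "src": src, "dst": "203.0.113.10", "proto": "tcp", "dport": dport}


if __name__ == "__main__":
    print("VVIP, correct order :", evaluate(LAN_RULES_CORRECT, lan_packet(VVIP)))
    print("VVIP, wrong order   :", evaluate(LAN_RULES_WRONG_ORDER, lan_packet(VVIP)))
    print("other LAN host      :", evaluate(LAN_RULES_CORRECT, lan_packet("192.168.1.120")))
    print("WAN HTTP            :", evaluate(WAN_RULES, wan_packet("198.51.100.7", 80)))
    print("WAN SSH             :", evaluate(WAN_RULES, wan_packet("198.51.100.7", 22)))
    print("WAN private src     :", evaluate(WAN_RULES, wan_packet("10.1.2.3", 80), block_private_on=("wan",)))
```

The last line is the reason the lab checks Block private networks on WAN: without it, a packet claiming an RFC 1918 source address arriving from the Internet would match the HTTP rule and be passed like any other.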


Routing & Bridging

Routing
Routing takes place on layer 3 (the Network layer) of the OSI model. Whereas
switches are store-and-forward devices that use MAC addresses, routers are
store-and-forward devices that use IP addresses. Routers (and layer 3 switches,
which also act as routers but lack some of their advanced functionality) allow us
to move data between networks. A router is responsible for maintaining tables of
information about other routers on the network, and there are several different
protocols available to enable a router to learn the topology of the network.

Bridge
Network bridging takes place at layer 2 (the Data link layer) of the OSI model.
There are several different types of bridges. A simple bridge isn't much different
from a repeater, except for the fact that the two network segments it connects
may use different types of media (for example, one segment may use 100Base-T
cabling and the other may use 1000Base-T) and the fact that bridges use a
store-and-forward mechanism to forward packets, thus creating two separate
collision domains.

Static Route

How to do it
• Browse to System | Routing.
• Click the Gateways tab.
• Click the "plus" button to add a new gateway.
• Select the Interface for the new gateway.
• Specify a Name for the gateway (no spaces allowed).
• Specify the IP address for the gateway; it must be a valid address on the chosen interface.
• We may assign an alternative Monitor IP, or leave it blank to be filled with the gateway's IP address by default.
• Add a Description, such as My new gateway.


• Save the changes.
• Apply changes, if necessary.
• Browse to System | Routing.
• Click the Routes tab.
• Click the "plus" button to add a new route.
• Enter the IP address of the Destination network.
• Choose the Gateway we defined above.
• Add a Description, such as Static route
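The gateway form insists on a name without spaces and on an address that is valid on the chosen interface, and a static route then points a destination network at that gateway. As an added example (not part of the training document or of pfSense), the Python below performs those validations and then resolves destinations with a longest-prefix match, which is how the routing table chooses when a static route overlaps a directly attached subnet or the default route; the interface addresses, gateways and routes are constructed sample values.

```python
import ipaddress

# Constructed interface addressing (not from the training document).
INTERFACES = {"wan": "203.0.113.10/24", "lan": "192.168.1.1/24", "opt1": "10.10.0.1/24"}


def validate_gateway(name, iface, gw_ip, interfaces=INTERFACES):
    """Apply the gateway form's checks; an empty list means the entry is valid."""
    problems = []
    if not name or " " in name:
        problems.append("gateway name must be non-empty and contain no spaces")
    if iface not in interfaces:
        problems.append(f"unknown interface {iface!r}")
        return problems
    ifc = ipaddress.ip_interface(interfaces[iface])
    gw = ipaddress.ip_address(gw_ip)
    if gw not in ifc.network:
        problems.append(f"{gw} is not within the {iface} subnet {ifc.network}")
    elif gw == ifc.ip:
        problems.append(f"{gw} is the firewall's own {iface} address")
    return problems


def build_routes(gateways, static_routes, interfaces=INTERFACES):
    """Return (network, gateway_name) pairs; attached subnets need no gateway (None)."""
    table = [(ipaddress.ip_interface(a).network, None) for a in interfaces.values()]
    for dest, gw_name in static_routes:
        if gw_name not in gateways:
            raise ValueError(f"route to {dest} references undefined gateway {gw_name!r}")
        table.append((ipaddress.ip_network(dest), gw_name))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing the destination wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else (str(best[0]), best[1])


# Constructed gateways (name -> (interface, address)) and static routes; the
# default route is written as a 0.0.0.0/0 entry so the lookup demo can use it.
GATEWAYS = {"WANGW": ("wan", "203.0.113.1"), "OPT1GW": ("opt1", "10.10.0.254")}
STATIC_ROUTES = [("0.0.0.0/0", "WANGW"), ("172.16.0.0/16", "OPT1GW"), ("172.16.5.0/24", "WANGW")]

if __name__ == "__main__":
    for name, (iface, addr) in GATEWAYS.items():
        print(name, validate_gateway(name, iface, addr) or "ok")
    print(validate_gateway("My GW", "opt1", "10.20.0.1"))
    table = build_routes(GATEWAYS, STATIC_ROUTES)
    for dst in ("172.16.5.9", "172.16.9.9", "192.168.1.77", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
```

The two overlapping 172.16.x routes show why the order of entries in the Routes tab does not matter the way rule order does: the kernel picks the most specific prefix, so 172.16.5.0/24 goes via WANGW while the rest of 172.16.0.0/16 goes via OPT1GW.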

Bridging Interfaces

How to do it
• Browse to Interfaces | (assign)
• Click the Bridges tab.
• Click the "plus" button to create a new bridge.
• Select the Member Interfaces with Ctrl + click
• Add a Description, such as LAN OPT Bridge
• Save the changes

Creating Virtual LAN

A VLAN allows a single physical switch to host multiple Layer-2 networks by
separating ports with VLAN tags. A VLAN tag defines a separate virtual network.
The pfSense firewall can attach to each VLAN by defining VLAN tags on the
firewall interfaces.

How to do it

• Browse to Interfaces | (assign).
• Click the VLANs tab.
• Click the "plus" button to add a new virtual LAN.
• Select a Parent Interface. Refer to the interface assignment page as a reference (shown in the following screenshot). In this case, OPT1 is assigned to interface vlan 2 and we'll select that.
• Specify a VLAN tag, any integer from 1 to 4094.
• Add a Description, such as My OPT virtual LAN.
• Save the changes.

Creating Captive Portal

A captive portal is a web page that is displayed before a user is allowed to
browse the web. This is most often seen at commercial Wi-Fi hotspots where you
must pay for service before you are allowed to surf the web. In other scenarios,
captive portals are used for authentication or end-user agreements.

How to do it

• Browse to Services | Captive Portal
• Click the "plus" button to add a new zone


• Enter a Zone name and Description, such as Raid 5
• Save the changes
• From the Captive portal tab, click Enable captive portal.
• Choose Interfaces; we'll select our LAN as our interface.
• Specify an Idle timeout; we'll say 10 minutes.
• Specify a Hard timeout; we'll leave the default of 60 minutes.
• Click Enable logout popup window so that users may log themselves out when they are finished.
• Specify a Redirection URL, say http://www.google.com.
• Browse to System | User Manager.
• Click the Users tab.
• Click the "plus" button to add a new user.
• Enter a Username.
• Enter and confirm a Password.
• Enter a Full name.


• Save the changes.


Configuring Multi-WAN Load Balancing & Failover

We will configure load balancing for two separate WAN interfaces. Make sure
that the WAN interfaces are properly configured first.


Configuring Squid Proxy

How to do it

• Browse to System | Package Manager
• Choose the Available Packages tab and type Squid in the search box
• Click to install Squid Proxy
• Browse to Services | Squid Proxy Server
• Choose Local Cache
• Set Hard Disk Cache Size to 512 MB (depending on your requirements)
• Set Maximum Object Size to 4 MB (depending on your requirements)
• Leave the Squid Memory Cache settings at their defaults
• Save the changes


• Choose General
• Check Enable Squid Proxy
• Choose the LAN interface
• Leave the Proxy port at the default (3218)
• Enable Transparent HTTP Proxy
• Enable Access Logging (to check users' logs)
• Save the changes
• Browse to Status | Services


Introduction to VPN

Virtual Private Networking (VPN) is a cornerstone of modern computer
systems. A VPN connection allows a remote user to securely connect
to a network and access resources as if they were connected locally.

If you decide to implement a VPN, you can choose from several different forms
of VPN deployment. The most common ones are the following:

Client-server: In this scenario, a VPN tunnel is used to connect one or more
mobile clients to the local networks. The encryption provided by the VPN
guarantees that data privacy is maintained. This is probably the most likely
deployment scenario you will be using if you configure a VPN with pfSense.

Peer-to-peer: In this scenario, a VPN tunnel is created between two networks; for
example, the main corporate office and a satellite office location. The general
idea is that setting up a VPN is cheaper than a leased line between the two
locations. Instead of having a router on one end and a mobile client on the
other end, there is a router on each end of the tunnel.

Hidden network: This is not as common a deployment scenario, but is
nonetheless worth mentioning. In some cases, data may be too sensitive to
place on the main corporate network, and this data may reside on a subnet
that is physically disconnected from the rest of the network. If this is the case, a
VPN can provide us with a means of connecting to this subnet.

Using Ping & Tracert
Ping:
• Browse to Diagnostics | Ping.
• Set Host to the IP address or hostname of the machine we're trying to ping.
• Choose the Interface to initiate the ping from.
• Select a Count; the default of 3 is generally adequate

Traceroute:

• Browse to Diagnostics | Traceroute.
• Set Host to the IP address or hostname of the machine we're tracing the route to.
• Choose the Interface to initiate the traceroute from.
• Select a Count; the default of 3 is generally adequate


Backup & Restore

How to do it

• Browse to Diagnostics | Backup/Restore.
• Select the Backup/Restore tab.
• Set the Backup area to ALL. For a list of all available areas, see the following Backup areas section.
• Leave Do not backup package information unchecked.
• Leave Do not backup RRD data checked.
• Click Download configuration.
• Save the file to a secure location.
