– PfSense – Load Balance & Failover Firewall Configuration

PF-Sense Features:-

Network Security

• Stateful Inspection
• Transparent layer 2
• Multiple Public IPs
• Traffic shaper
• QOS/VoIP/SIP support
• DoS and DDoS Protection
• Defense against SYN/ICMP Flood
• Anti-Spoofing
• Ability to detect and to filter based on Operating System in use

Firewall State table

• Finely control
• Adjustable state table size
• Per-rule basis
• State types
• Various state table optimization options

Virtual Private Network (VPN)

• IPSec
• OpenVPN
• PPTP
• Encryption: 3DES, AES 128/256 bits
• Authentication: pre-shared key, certificate, local

Network Address Translation (NAT)

• Port forwarding
• 1:1 NAT
• Outbound NAT
• NAT reflection

Configuration and Management

• Web-based administration
• Secure Shell (ssh) access
• Console access

Reporting and Monitoring

• RRD graphs of system, firewall states, throughputs
• Real-time data

Captive Portal

• Hotspot wireless network
• URL redirection
• Authentication options: none, local or Radius
• Radius capabilities

Load Balancing

• Outbound
• Inbound

Redundancy

• WAN failover

Routing

• Static routes
• RIP v1 and 2

Pre-Requirements:-

pfSense requires a machine with at least a 200 MHz processor, 128 MB RAM, and 128 MB CF for embedded or 1 GB hard disk or microdrive for full installations.

Exact requirements will vary primarily depending on what features you plan to use, how much network throughput you require, and the typical size of your state table.

VM-Ware Installation and Configuration

1. We are using a multi-WAN connection (WAN & WAN A).
2. So we are using 2 external Ethernet cards and 1 motherboard Ethernet card.
3. The onboard card is used for LAN, the other 2 cards for WAN & WAN (A).
4. Install the VM-Ware software on a Windows machine.
5. Now that the network connections are set up, it's time to create the new VM. Follow the steps below.

VM-Ware creation

• Start the new VM wizard using File - New - Virtual Machine or Ctrl-N
• On the second page, choose Custom Configuration
• Check Other guest operating system, and select FreeBSD from the drop-down list
• Choose a suitable name and location for the VM
• Uncheck keep it private
• Set Use Local System Account in startup / shutdown options, and set Power on Virtual Machine on host start up
• Set the number of processors (if you have the option - I only set it to 1)
• 256 MB RAM is more than enough in my experience (unless you run lots of extras)
• Leave the network type at Use Bridged Connection
• Leave the I/O adapter type at default
• Make sure Create a new Virtual Disc is set
• Leave disc type alone (mine defaults to IDE)
• 6 GB is plenty of space unless you want to use squid or some other service that will need lots of disc space, and you may as well allocate disc space now to avoid future hiccups
• The VM is now created and entered in the inventory.

Pf-Sense firewall machine network cards.

1. Right click on your new VM in inventory and select settings - we're going to add the extra network connections
2. Click the Add button and click Next in the wizard
3. Select Ethernet Adapter and click Next
4. Select Custom and select VMnet2 (Bridged) for your first internet connection (or VMnet3 for the second one)
5. Click Finish to complete the additional hardware
6. Repeat for each additional internet connection you use.

Your Virtual Machine settings should now look something like this.

Before you start the VM, you can tweak the settings to make it run better under VM-Ware. You can't do this through the GUI, but the setup here: shows how to do this. It is better to do this before you build the VM; if you do it later, you have to set up the interface assignments again.

PfSense Installation and Configuration

Download the pfSense ISO from the link: ftp://reflection.ncsa.uiuc.edu/pub/pfSense/downloads/

Download the latest version (e.g. pfsense-1.2.2-LiveCd-Installer).

Step: 1

In VM-Ware, point the VM's CD-ROM at the LiveCd-Installer image.

Boot the VM-Ware FreeBSD machine.

pfSense will now make the finishing touches to configure the interfaces.

After it has gone through the configuration you'll end up with a shell menu and a number of options. pfSense is now ready to be accessed with the webgui at the interface you assigned as LAN.

pfSense default configuration

By default pfSense will have the following configuration.

• WAN is configured as DHCP client, all incoming connections are blocked by default.
• LAN is configured at 192.168.1.1/24 and acts as DHCP-Server and offers a DNS-forwarder.
• OPTx interfaces are disabled, you have to enable and configure them at the webgui.
• WebGUI runs at port 80, username is "admin", password "pfsense".
• SSH is disabled.

Storing your configfile on a writable media

If you are planning to run the LiveCD with a writable config media, run option 98 to assign the drive that should hold your config file. On bootup the LiveCD will search all available media for a valid config file and use it if found.

Accessing the webgui

You now should modify the configuration to fit your needs at the webgui. Make sure your client got an IP and use your favourite browser to access http://192.168.1.1 using "admin" as user and "pfsense" as password. The easiest way to go through all the basic settings is to run the setup wizard that can be found in the webgui-menu at System>Setup Wizard.


Installing pfSense to Hard Disk

If you are satisfied and want to install pfSense to your hard drive, run option 99 from the shell menu now. The configuration you did will be transferred to the hard drive by the installer.

(Basically you can run through the installer by just accepting all suggestions the installer is offering)

First you get some settings to localize your keyboard or change your console appearance. Change what you need or just go on by accepting the settings.

Next pfSense will present a list of detected suitable install media to you. Please make sure you are not accidentally overwriting data you still need. It's recommended to have a dedicated media only for your install. Any other constellations are not officially supported. Choose your media and hit enter to continue.

You should format the disk to prepare it for the installation. Beware, this will wipe your entire media!

At the next step pfSense will show you the detected drive geometry. You should leave this the way it was detected as long as you don't run into any trouble while installing with these settings. In case you get errors, try to alter your BIOS settings before manually entering values here. Setting your drive from auto to LBA or CHS in the BIOS might already help to detect the right settings.

Now you are at the point of no return: Only hit "Format xxX" if you are really sure there is no valuable data left at this media!


The media is now prepared to continue with partitioning. Just hit enter to move on.

pfSense suggests using the complete space of your drive for the installation. You usually should just keep this setting and move on to the next step.

If your partitioning is the same as before because this is a reinstall, confirm the changes.

You typically can confirm the following step. If you encounter problems with the bootloader after the installation is done, rerun the installation and check "Packet mode" at this screen.

Select the just created partition as target for your installation.

Confirm this step. In case you skipped the above settings this is the point where your data on the media will be overwritten.


pfSense suggests a setting for your subpartitioning now which you usually should just keep.

After accepting the above settings pfSense is starting to transfer the system to the prepared media.


You will be asked after a short time to remove the CD and reboot the system to boot your new install.

The system is now going down for reboot and your installation is finished.

Configuring pfSense

Now you have a fresh pfSense install in front of you. First you skip the wizard by clicking on the pfSense logo because you want to set up all parameters on your own. Now please follow the instructions:

You should see this window (Status -> System). This is where we start.

Now go to the Interfaces tab and choose the WAN-Interface. Change the type to PPPoE and enter the IP you want to use as the management IP and your Internet-Gateway:

Scroll down to the PPPoE settings and give the username and password and hit the save button.

After saving is complete, go to the Interfaces tab and choose the LAN-Interface. Bridge the LAN-Interface with the WAN-Interface and disable the FTP Helper. The IP you enter here will be ignored when you activate the bridge mode. For cosmetic purposes you can use the management IP, too. They will not conflict with each other. The management IP given in the WAN-settings will be assigned to the bridge interface, which will be created when activating the bridge.

Hit the save button.

Afterwards hit the apply changes button.

After saving is complete, go to the Interfaces tab and choose the WAN A (BSNL)-Interface. Bridge the LAN-Interface with the WAN & WAN A (BSNL)-Interface and disable the FTP Helper. Change the type to static and enter the IP you want to use as the management IP and your Internet-Gateway:

Hit the save button at the end of the page. We have now set up two WAN connections on our firewall.

Setting up load balancing and failover

It is time to set up Outgoing Load Balancing and Failover. Initially you will not have any pools. You will create 3 pools.

• Wan(Airtel)BalanceWanA(Bsnl) - used to share out all access on a round robin basis as long as both connections are available
• Wan(Airtel)FailoverWanA(Bsnl) - used when Wan(Airtel) is down - all traffic will use WanA(Bsnl)
• WanA(Bsnl)FailoverWan(Airtel) - used when WanA(Bsnl) is down - all traffic will use Wan(Airtel)

Once this is complete visit Services -> Load Balancer

• Delete any pools that are there that do not work
• Click to enter a new pool.
• Enter a pool name and description
• Set the type to gateway

Load Balancer: Pool: Edit

Name: Wan1BalanceWan2
Behavior: Load Balancing

Monitor IP: WAN’s Gateway
Interface Name: WAN
Click add to pool

Monitor IP: OPT1wan2’s Gateway
Interface Name: OPT1wan2
Click add to pool

Save

Create new pool

Name: WanFailoverWanA
Behavior: Failover

Monitor IP: WAN’s Gateway
Interface Name: WAN
Click add to pool

Monitor IP: OPT1wanA’s Gateway
Interface Name: OPT1wanA
Click add to pool

Save

Create new pool

Name: WanAFailoverWan
Behavior: Failover

Monitor IP: OPT1wanA’s Gateway
Interface Name: OPT1wanA
Click add to pool

Monitor IP: WAN’s Gateway
Interface Name: WAN
Click add to pool

Save

You have successfully created 3 Gateways.

The results should look as follows

Set up the basic firewall rules for outgoing access

Add the following to Firewall: Rules on the LAN tab by clicking

Use the Firewall: Rules: Edit page to create the 1 rule defined below

You should see that the WAN gateway has a different gateway address than the WAN A (BSNL) gateway. If not, then pfSense will not work correctly. You will have to put a bridge between that interface to ensure pfSense has two different gateways. If you have trouble with this please contact me. Basically pfSense does not support the same gateway on multiple networks right now.

• Click Save

Now go to Status -> Load Balancer to see if everything is working fine. It should report Online.

When you go to the Firewall -> Rules tab now, you will first see the WAN rules. By default no rule exists:

Switch to LAN now by hitting the LAN tab:

Once all of the active rules have been added and applied, the Dual WAN setup is complete!
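
The pool behaviour set up in this section, as an added example (not part of the original guide and not pfSense code): a simplified Python model of the three pools that flags pools whose members share one gateway address and shows which interface each pool uses in each outage scenario. The gateway addresses are constructed placeholders, OPT1wanA stands for the second WAN in all three pools, and the rule that a failover pool uses its first live member is an assumption of the model.

```python
# Simplified model of the three gateway pools built above (added example,
# not pfSense code). Gateway IPs are constructed documentation addresses.
GATEWAYS = {"WAN": "192.0.2.1", "OPT1wanA": "198.51.100.1"}

POOLS = {  # name -> (behavior, members in the order they were added)
    "Wan1BalanceWan2": ("balance", ["WAN", "OPT1wanA"]),
    "WanFailoverWanA": ("failover", ["WAN", "OPT1wanA"]),
    "WanAFailoverWan": ("failover", ["OPT1wanA", "WAN"]),
}


def validate(pools, gateways):
    """Flag pools whose members are unknown or share one gateway address."""
    problems = []
    for name, (_behavior, members) in pools.items():
        ips = [gateways.get(m) for m in members]
        if None in ips:
            problems.append(f"{name}: member without a gateway")
        elif len(set(ips)) < len(ips):
            problems.append(f"{name}: members share a gateway")
    return problems


def pick_gateway(pool, up, seq=0):
    """Interface a new connection uses. `up` is the set of interfaces whose
    monitor IP answers; `seq` is a connection counter for round robin."""
    behavior, members = pool
    alive = [m for m in members if m in up]
    if not alive:
        return None                      # every monitor is down
    if behavior == "balance":
        return alive[seq % len(alive)]   # round robin over live members
    return alive[0]                      # failover: first live member wins


def outage_matrix(pools):
    """Chosen interface per pool for each outage scenario (first connection)."""
    scenarios = {"both up": {"WAN", "OPT1wanA"}, "WAN down": {"OPT1wanA"},
                 "WAN A down": {"WAN"}, "both down": set()}
    return {label: {name: pick_gateway(pool, up) for name, pool in pools.items()}
            for label, up in scenarios.items()}


if __name__ == "__main__":
    print(validate(POOLS, GATEWAYS) or "pools OK")
    for label, row in outage_matrix(POOLS).items():
        print(f"{label:11} {row}")
```

Comparing the matrix with what Status -> Load Balancer reports while one WAN cable is unplugged is a quick way to confirm the failover pools behave as intended.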