Acknowledgments
All praise to ALLAH, the most merciful, kind and beneficent, and the source of all knowledge and wisdom within and beyond my comprehension.
Heartfelt thanks to Prof. Driss El Ouadghiri, who is responsible for the professional license in systems and networks management at the Science Faculty of Meknes, and who is my project supervisor.
Special thanks go to all the members of the jury, Prof. Khalid EL YASSINI, Prof. Abdeslam EL FERGOUGUI, Prof. Rachid ELOUAHBI and the engineer Mohammed GHALLALI, for agreeing to lend us their attention and evaluate our work. My thanks also go to all of my teachers at the Science Faculty of Meknes.
I am very grateful to Mr. Ismail Azzouzi and Mr. Abdelhakim Mesbahi; they guided and helped me through timely suggestions, valuable advice and especially their sympathetic attitude, which always inspired me to work hard.
I would also like to thank everyone who shared valuable information that helped in the successful completion of this project.
Finally, I would like to thank my mother Zoubida Mestari, my brother and sisters and all the members of my big family.
Mohamed Loughmari
List of Figures
Figure 1. Organization chart of the Court of Appeal Taza ......................................................................... 13
Figure 2. Versions of pfSense ....................................................................................................................... 17
Figure 3. Compact Flash .............................................................................................................................. 19
Figure 4. WRAP ........................................................................................................................................... 20
Figure 5. ALIX ............................................................................................................................................. 20
Figure 6. Soekris ........................................................................................................................................... 20
Figure 7. Asking to set up VLANs ............................................................................................................... 23
Figure 9. Finishing steps of installation ....................................................................................................... 24
Figure 10. Shell menu .................................................................................................................................... 24
Figure 11. option 99 ...................................................................................................................................... 25
Figure 12. The configure console ................................................................................................................. 25
Figure 13. Selecting the simple installation .................................................................................................. 26
Figure 14. Confirmation step ....................................................................................................................... 26
Figure 15. Transferring the system to the media ........................................................................................ 27
Figure 16. asking for reboot ......................................................................................................................... 27
Figure 17. Enabling SSH .............................................................................................................................. 28
Figure 18. Generating RSA key ................................................................................................................... 28
Figure 19. The public Key ............................................................................................................................ 29
Figure 20. Disabling password login ............................................................................................................ 29
Figure 21. Pasting the client public RSA ..................................................................................................... 30
Figure 22. Client configuration .................................................................................................................... 30
Figure 23. Creating an ALIAS ....................................................................................................................... 31
Figure 24. Types of ALIAS........................................................................................................................... 31
Figure 25. Using ALIAS ............................................................................................................................... 32
Figure 26. Creating a NAT port forward rule ............................................................................................. 33
Figure 27. Creating a schedule ..................................................................................................................... 34
Figure 28. Schedule repeat ........................................................................................................................... 34
Figure 29. Firewall rule ................................................................................................................................ 35
Figure 30. DMZ rules ................................................................................................................................... 36
Figure 31. Creating a VIP ............................................................................................................................ 38
Figure 32. VIP created ................................................................................................................................. 38
Figure 33. Configuring 1:1 NAT .................................................................................................................. 39
Figure 34. Creating gateway ........................................................................................................................ 40
Figure 35. Creating a static route ................................................................................................................ 40
Figure 36. Route static created ..................................................................................................................... 41
Figure 37. SMTP notification configuration ................................................................................................ 41
Figure 38. test e-mail .................................................................................................................................... 42
Figure 39. Captive portal ............................................................................................................................. 43
Figure 40. Selecting local user manager as the authentication ..................................................................... 43
Figure 41. creating a new user ..................................................................................................................... 44
Figure 42. user manager ............................................................................................................................... 44
Figure 43. Captive portal test ....................................................................................................................... 44
Figure 44. Enabling RIP service .................................................................................................................. 45
Figure 45. Enabling the WOL ...................................................................................................................... 46
Figure 46. Sending the magic packet ........................................................................................................... 46
Figure 47. Storing MAC addresses .............................................................................................................. 46
Figure 48. MAC addresses Stored ............................................................................................................... 47
Figure 49. Wake all MAC addresses Stored ................................................................................................ 47
Figure 50. Using ping.................................................................................................................................... 48
Figure 51. Using traceroute .......................................................................................................................... 48
Figure 52. Backing up the configuration file ............................................................................................... 49
Figure 53. Downloading the configuration file ............................................................................................ 49
Figure 54. Restoring the configuration file .................................................................................................. 50
Figure 55. Configuration file restored ......................................................................................................... 50
Figure 56. Auto configuration backup ......................................................................................................... 51
List of Acronyms & Abbreviations
ARP Address Resolution Protocol
BGP Border Gateway Protocol
CARP Common Address Redundancy Protocol
CD Compact Disc
CF Compact Flash
DHCP Dynamic Host Configuration Protocol
DMZ Demilitarized Zone
DNS Domain Name System
GPL General Public License
GNU GNU's Not UNIX
GUI Graphical User Interface
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IP Internet Protocol
IT Information Technology
LAN Local Area Network
MAC Media Access Control
MD5 Message-Digest 5
NAT Network Address Translation
NIC Network Interface Card
NTP Network Time Protocol
OPT Optional interface
OS Operating System
PC Personal computer
PPPoE Point-to-Point Protocol over Ethernet
PPTP Point-to-Point Tunneling Protocol
QoS Quality of Service
RAM Random Access Memory
RIP Routing Information Protocol
SDR Regional Sub Direction
SMTP Simple Mail Transfer Protocol
SSH Secure Shell
TCP Transmission Control Protocol
URL Uniform Resource Locator
VIP Virtual IP
VLAN Virtual LAN
VPN Virtual Private Network
WAN Wide Area Network
Wi-Fi Wireless Fidelity
WOL Wake-on-LAN
XML Extensible Markup Language
Abstract
This is a graduation project prepared by Mohamed LOUGHMARI, a student of the professional license in systems and networks management at the Science Faculty of Meknes. It is the result of a two-month internship at the Court of Appeal in TAZA.
It aims to implement pfSense, an open source firewall solution.
This report covers the theoretical part and the practical part of pfSense.
Résumé
This work is part of the final-year project prepared by Mohamed LOUGHMARI, a student of the professional license in systems and networks management at the Faculty of Sciences of Meknès. It is the result of a two-month internship at the Court of Appeal of Taza.
It consists of implementing an open source firewall solution, "pfSense".
This report covers the theoretical part and the practical part of pfSense.
Table Of Contents
Acknowledgments ........................................................................................................................................... 3
List of Figures ................................................................................................................................................. 4
List of Acronyms & Abbreviations ................................................................................................................ 6
Abstract .......................................................................................................................................................... 7
Résumé ............................................................................................................................................................ 7
General Introduction .................................................................................................................................... 11
Part I : Presentation of the Courts of Appeal Taza ..................................................................................... 12
1. Organization ......................................................................................................................................... 13
2. Attributions ........................................................................................................................................... 13
3. Organization chart of the Court of Appeal Taza ................................................................................. 13
4. IT Service .............................................................................................................................................. 14
Part II : Theory of pfSense ............................................................................................................................ 15
Introduction .................................................................................................................................................. 16
1. History and versions ................................................................................................................................. 16
1.1. History ................................................................................................................................................ 16
1.2. Versions .............................................................................................................................................. 16
2. Common Deployments ............................................................................................................................. 17
2.1. Perimeter Firewall ............................................................................................................................. 17
2.2. LAN or WAN Router ......................................................................................................................... 17
2.3. Wireless Access Point ......................................................................................................................... 17
2.4. Special Purpose Appliances ............................................................................................................... 18
3. Interface Naming Terminology ................................................................................................................ 18
3.1. Network divisions ............................................................................................................................... 18
3.2. Interface naming ................................................................................................................................ 19
4. Hardware .................................................................................................................................................. 19
4.1. Hardware Architectures .................................................................................................................... 19
4.2. Minimum Hardware Requirements .................................................................................................. 19
4.3. Embedded Hardware ........................................................................................................................ 19
5. Features List ............................................................................................................................................. 21
Part III : Installation and Configuration ..................................................................................................... 22
1. Installation ................................................................................................................................................ 23
1.1. Downloading pfSense ......................................................................................................................... 23
1.2. Installing pfSense ............................................................................................................................... 23
1.2.1. VLANs ......................................................................................................................................... 23
1.2.2. Assigning Interfaces .................................................................................................................... 23
1.2.3. Finishing Steps ............................................................................................................................ 23
1.2.4. pfSense default configuration ..................................................................................................... 24
1.2.5. Storing the configfile on a writable media .................................................................................. 25
1.2.6. Accessing the webgui ................................................................................................................... 25
1.2.7. Installing pfSense to Hard Drive ................................................................................................. 25
2. Initial Configuration ................................................................................................................................. 27
2.1. The Secure Shell (SSH) ...................................................................................................................... 27
2.1.1. Enabling SSH .............................................................................................................................. 28
2.2. authorized RSA keys .......................................................................................................................... 28
2.2.1. Generating authorized RSA keys................................................................................................ 28
2.2.2. Configuring SSH RSA key authentication ................................................................................. 29
2.2.3. Accessing the Secure Shell (SSH) ................................................................................................ 30
3. General basic configuration ................................................................................................................. 30
3.1. ALIAS ................................................................................................................................................ 31
3.1.1. Creating an ALIAS ..................................................................................................................... 31
3.1.2. Types of aliases ............................................................................................................................ 31
3.1.3. Using an alias ............................................................................................................................... 32
3.2. NAT port forward rule ...................................................................................................................... 32
3.2.1. Creating a NAT port forward rule ............................................................................................. 32
3.3. Schedule ............................................................................................................................................. 33
3.3.1. Creating a schedule ..................................................................................................................... 33
3.4. Firewall rule ....................................................................................................................................... 34
3.4.1. Creating a firewall rule ............................................................................................................... 35
3.4.2. Advanced features ....................................................................................................................... 36
4. Advanced Configuration .......................................................................................................................... 37
4.1. Virtual IP ........................................................................................................................................... 37
4.1.1. Types of virtual IPs ...................................................................................................................... 37
4.1.2. Creating a virtual IP ................................................................................................................... 37
4.2. 1:1 NAT rule ...................................................................................................................................... 38
4.2.1. Configuring a 1:1 NAT rule ........................................................................................................ 38
4.3. Static route ......................................................................................................................................... 39
4.3.1. Creating a gateway ...................................................................................................................... 39
4.3.2. Creating a static route ................................................................................................................. 40
4.4. SMTP e-mail notifications ................................................................................................................. 41
4.4.1. Configuring SMTP e-mail notifications...................................................................................... 41
4.5. Captive portal .................................................................................................................................... 42
4.5.1. Creating a captive portal ............................................................................................................ 42
5. Services ..................................................................................................................................................... 45
5.1. RIP ..................................................................................................................................................... 45
5.1.1. Enabling RIP ............................................................................................................................... 45
5.2. Wake On LAN (WOL)....................................................................................................................... 45
5.2.1. Enabling Wake On LAN (WOL) ................................................................................................ 45
5.2.2. Storing Mac addresses ................................................................................................................ 46
5.2.3. Wake All ...................................................................................................................................... 47
6. Maintenance.............................................................................................................................................. 47
6.1. Ping ..................................................................................................................................................... 47
6.1.1. Using ping .................................................................................................................................... 47
6.2. Traceroute .......................................................................................................................................... 48
6.2.1. Using traceroute .......................................................................................................................... 48
6.3. Backing up the configuration file ...................................................................................................... 48
6.4. Restoring the configuration file ......................................................................................................... 49
6.5. Automatic configuration file backup ................................................................................................. 50
6.5.1. Installing the AutoConfigBackup Package ................................................................................. 50
6.5.2. Configuring the AutoConfigBackup Package ............................................................................ 50
Conclusion .................................................................................................................................................... 52
References ..................................................................................................................................................... 53
General Introduction
"Nothing ever becomes REAL until it is experienced." - John Keats
Internships have become an important part of a college student's education. Through internships, students gain experience in different fields, test career interests, and establish contacts that can help with networking. During my studies in the professional license in systems and networks management at the faculty of Meknes, I spent two months as an intern at the Court of Appeal of Taza, where I worked on a project whose theme belongs to the field of IT security.
IT security is vital for protecting the confidentiality, integrity, and availability of computer systems, resources, and data. Without confidentiality, trade secrets or personally identifying information can be lost. Without integrity, we cannot be sure that the data we have is the same data that was initially sent. Without availability, we may be denied access to computing resources.
Many elements contribute to IT security; one of the main ones is the firewall, which is among the most important elements for achieving the goals of security. A firewall can be a hardware device or a software application, and it is generally placed at the perimeter of the network to act as the gatekeeper for all incoming and outgoing traffic.
Considering what has been said about the importance of security and the firewall's role as the primary security tool, I decided to implement pfSense, which is an open source firewall solution.
In this report, I present the work I did during the training period in three main parts:
The first part gives an overview of the Court of Appeal of Taza, where I spent the internship.
The second part covers the theory of pfSense: basic information and its features.
The third part is the practical part of pfSense; it covers the installation and some important configuration.
Finally, this work closes with a general conclusion.
Part I: Presentation of the Courts of Appeal Taza
1. Organization
The Courts of Appeal, which form a regional sub-direction under the authority of the Prime President, comprise a number of specialized chambers, including a staff chamber and a criminal division.
However, any chamber may validly investigate and judge cases, regardless of the nature of the cases brought before these courts.
They also have a public ministry composed of a Prosecutor General of the King and his substitutes, one or more investigating magistrates, one or more juvenile magistrates, and a registry and secretariat of the Prosecutor General.
In all matters, hearings are held and judgments rendered by a panel of three counselors assisted by a clerk, unless the law provides otherwise.
Because of the seriousness of the cases entrusted to it, the criminal division sits with five counselors: a chamber president and four counselors.
2. Attributions
The courts of appeal, as courts of second instance, re-examine cases previously judged in the first instance by the trial courts.
They thus hear appeals against decisions rendered by the courts and appeals against orders made by their presidents.
The criminal chambers of the Courts of Appeal, as a specific formation, are competent to judge crimes.
3. Organization chart of the Court of Appeal Taza
Figure 1. Organization chart of the Court of Appeal Taza
[Figure 1: organization chart. Regional Director: Abdellatif ELGHBAR. Under the Regional Director: IT Service (Abd El Hakim Mesbahi; Maintenance of systems and network: Ismail Azzouzi; Training of IT students), Budget and Equipment Service, Human Resource Service, Technical Service.]
4. IT Service
IT has become essential in the organization; in fact it handles many tasks, from the purchase of computer equipment and its installation to the management of the information that passes through it.
Indeed, the IT department has no right to make mistakes in any case, as it is vital to the organization. This is explained by the fact that it is responsible for managing e-mail, and therefore communication with the outside and inside of the organization.
It must also handle the receipt of information from partners, which must be converted and integrated into their databases.
Indeed, if the IT department were no longer operational, no further communication could take place and it would simply be impossible to manage the organization (deliveries, orders, inventory management, data backup ...).
As we see in the organization chart, the IT department of the SDR is composed of two people:
Mr. Abdelhakim Mesbahi, IT manager, whose mission is to optimize the processing and computer systems by providing technical assistance to users. He is responsible for:
- Maintenance of computer equipment in the judicial district.
- Monitoring the state of hardware.
- Monitoring contracts for the installation of electrical and computer networks.
- Receiving hardware delivered by companies.
- Supervision of the company in the case of works.
- Supporting all IT projects of the organization and ensuring the reliability, consistency and evolution of information systems, technically and functionally.
- Advising the Department when considering new solutions (software selection, equipment, network architecture ...).
- Defining the needs of the region and monitoring technology.
Mr. Ismail el Azzouzi, Training Officer and host of student interns:
- Training people.
- Monitoring the computer programs of the Ministry of Justice.
- Coaching officials in IT for the Judicial District.
- Other administrative tasks.
Part II: Theory of pfSense
Introduction
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router, entirely managed through an easy-to-use web interface. This web interface is known as the web-based GUI configurator, or WebGUI for short. No FreeBSD knowledge is required to deploy and use pfSense.
pfSense is an open source operating system used to turn a computer into a firewall, router, or a variety of other application-specific network appliances.
pfSense is a customized FreeBSD distribution based on the m0n0wall project, a powerful but lightweight firewall distribution.
pfSense builds upon m0n0wall's foundation and takes its functionality several steps further by adding a variety of other popular networking services.
1. History and versions
1.1. History
The pfSense project was started in September 2004 by Chris Buechler and Scott Ullrich. Chris is a long-time contributor to the m0n0wall project. m0n0wall is a great embedded firewall, but one of the great things about its design is also a limit to its expandability: m0n0wall runs entirely from RAM, with the entire OS and all applications loaded into RAM at boot time. This is a great design for embedded systems, for performance and reliability reasons. However, m0n0wall cannot be installed into a normal file system on a hard drive, so many desirable functions cannot reasonably be implemented.
1.2. Versions
Each version of pfSense is based on a specific -RELEASE version of FreeBSD. Below is a table that lists recent versions of pfSense and the underlying FreeBSD version upon which they are based.
pfSense Version | pfSense Branch | FreeBSD Version                | FreeBSD Branch | Release Status
1.2             | RELENG_1_2     | 6.2-RELEASE-p11                | RELENG_6_2     | Outdated, no longer supported.
1.2.1           | RELENG_1_2     | 7.0-RELEASE-p7                 | RELENG_7_0     | Outdated, no longer supported.
1.2.2           | RELENG_1_2     | 7.0-RELEASE-p8                 | RELENG_7_0     | Outdated, no longer supported.
1.2.3           | RELENG_1_2     | 7.2-RELEASE-p5                 | RELENG_7_2     | Outdated, no longer supported.
2.0             | RELENG_2_0     | 8.1-RELEASE-p4                 | RELENG_8_1     | Outdated, no longer supported.
2.0.1           | RELENG_2_0     | 8.1-RELEASE-p6                 | RELENG_8_1     | Outdated, no longer supported. Includes fixes/enhancements from after 2.0.
2.0.2           | RELENG_2_0     | 8.1-RELEASE-p13                | RELENG_8_1     | Outdated, no longer supported. Includes fixes/enhancements from after 2.0.1.
2.0.3           | RELENG_2_0     | 8.1-RELEASE-p13                | RELENG_8_1     | Current stable supported release (at the time of writing). Includes fixes/enhancements from after 2.0.2.
2.1             | HEAD (master)  | TBD, at least 8.3-RELEASE-p5   | RELENG_8_3     | Next release, mainly adding IPv6 support.
2.2 (future)    |                | TBD, likely 9.x-RELEASE        | RELENG_9       | Next future release.
Figure 2. Versions of pfSense
2. Common Deployments
PfSense is used in about every type and size of network environment imaginable, and is almost certainly suitable for your network whether it contains one computer or thousands. This section will outline the most common deployments.
2.1. Perimeter Firewall
The most common deployment of pfSense is as a perimeter firewall, with an Internet connection
plugged into the WAN side, and the internal network on the LAN side.
PfSense accommodates networks with more complex needs, such as multiple Internet connections,
multiple LAN networks, multiple DMZ networks, etc.
Some users also add BGP (Border Gateway Protocol) capabilities to provide connection
redundancy and load balancing.
2.2. LAN or WAN Router
The second most common deployment of pfSense is as a LAN or WAN router. This is a separate
role from the perimeter firewall in midsized to large networks, and can be integrated into the perimeter
firewall in smaller environments.
- LAN Router
In larger networks utilizing multiple internal network segments, pfSense is a proven solution to
connect these internal segments. This is most commonly deployed via the use of VLANs with 802.1Q
trunking. Multiple Ethernet interfaces are also used in some environments.
- WAN Router
For WAN services providing an Ethernet port to the customer, pfSense is a great solution for
private WAN routers. It offers all the functionality most networks require and at a much lower price point
than big name commercial offerings.
2.3. Wireless Access Point
Many deploy pfSense strictly as a wireless access point. Wireless capabilities can also be added to
any of the other types of deployments.
2.4. Special Purpose Appliances
Many deploy pfSense as a special purpose appliance. The following are four scenarios we know of, and there are sure to be many similar cases we are not aware of. Almost any of the functionality of pfSense can be utilized in an appliance-type deployment. As the project has matured, there has been considerable focus on using it as an appliance building framework, especially in the next release. Some special purpose appliances will be made available in the future.
- VPN Appliance
Some users drop in pfSense as a VPN appliance behind an existing firewall, to add VPN
capabilities without creating any disruption in the existing firewall infrastructure. Most pfSense VPN
deployments also act as a perimeter firewall, but this is a better fit in some circumstances.
- DNS Server Appliance
PfSense offers a DNS (Domain Name System) server package based on TinyDNS, a small, fast,
secure DNS server. It isn't laden with features.
- Sniffer Appliance
One user was looking for a sniffer appliance to deploy to a number of branch office locations. Commercial sniffer appliances are available with numerous bells and whistles, but at a very significant cost, especially when multiplied by a number of branch locations. PfSense offers a web interface for tcpdump that allows the resulting pcap file to be downloaded when the capture is finished. This makes it possible to capture packets on a branch network, download the resulting capture file, and open it in Wireshark for analysis.
PfSense is not nearly as fancy as commercial sniffer appliances, but offers adequate functionality for many purposes at a vastly lower cost.
- DHCP Server Appliance
One user deploys pfSense installations strictly as DHCP (Dynamic Host Configuration Protocol) servers to hand out IP addresses on their network.
3. Interface Naming Terminology
3.1. Network divisions
- LAN
The LAN interface is the first internal interface on the firewall. Short for Local Area Network, it is
most commonly the private side of a router which often utilizes a private IP address scheme. In small
deployments, this is typically the only internal interface.
- WAN
The WAN interface is used for the Internet connection, or primary Internet connection in a multi-
WAN deployment. Short for Wide Area Network, it is the untrusted public network outside of the router.
Connections from the Internet will come in through the WAN interface.
- OPT
OPT or Optional interfaces refer to any interfaces connected to local networks other than LAN.
OPT interfaces are commonly used for second LAN segments, DMZ segments, wireless networks and
more.
- OPT WAN
OPT WAN refers to Internet connections using an OPT interface, either configured for DHCP or with a gateway IP address specified. OPT WAN interfaces are used for multi-WAN deployments.
- DMZ
Short for demilitarized zone. The term was borrowed from its military meaning, which refers to a
sort of buffer between a protected area and a war zone. In networking, it is an area where your public
servers reside that is reachable from the Internet via the WAN, but is also isolated from the LAN so that a
compromise in the DMZ does not endanger systems in other segments.
3.2. Interface naming
FreeBSD names its interfaces by the network driver used, followed by a number starting at 0 and
incrementing by one for each additional interface using that driver. For example, a common driver is fxp,
used by Intel Pro/100 cards. The first Pro/100 card in a system will be fxp0, the second is fxp1, and so on.
Other common ones are em (Intel Pro/1000), bge (various Broadcom chipsets), rl (Realtek 8129/8139),
amongst numerous others. If your system mixes a Pro/100 card and a Realtek 8139, your interfaces will be
fxp0 and rl0 respectively.
4. Hardware
4.1. Hardware Architectures
pfSense is supported only on the x86 architecture. The types of devices supported range from
standard PCs to a variety of embedded devices. It is targeted at x86-based PCs 300 MHz or faster.
4.2. Minimum Hardware Requirements
At least a Pentium II processor with at least 128 MB of RAM. pfSense can get by with less than that, but with less memory it may start swapping to disk, which dramatically slows the system down.
4.3. Embedded Hardware
pfSense can also be installed on specific embedded platforms such as:
- Compact Flash
Figure 3. Compact Flash
- WRAP
A cost effective Device for special Network appliance such as Wireless Routers, VPN, VOIP…
Figure 4. WRAP
- ALIX
A higher performance replacement for the WRAP series.
Figure 5. ALIX
- Soekris
Small, low-power single-board computers from Soekris Engineering, widely used for embedded m0n0wall and pfSense installations.
Figure 6. Soekris
5. Features List
- Firewall / Router.
- Configuration through the web GUI.
- Installation setup wizard.
- Wireless access point support (Wi-Fi interfaces).
- Traffic shaping.
- State table.
- NAT.
- Redundancy:
  - CARP: CARP from OpenBSD provides hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary, or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization, so configuration changes made on the primary are automatically pushed to the secondary.
  - pfsync: pfsync ensures the firewall's state table is replicated to all failover-configured firewalls. This means existing connections are maintained in the event of a failure, which is essential to avoid network disruptions.
- NTP server.
- Load balancing, both outbound and inbound.
- nmap, ping and traceroute via the GUI.
- VPN: IPsec, OpenVPN and PPTP (PPTP is listed for completeness; its MS-CHAPv2 authentication is known to be breakable, so IPsec or OpenVPN should be preferred for anything sensitive).
- PPPoE server.
- RRD graphs and reporting.
- Real-time information.
- Dynamic DNS.
- Captive portal.
- DHCP server and relay.
- Packages.
- Wake on LAN.
- Proxy server.
- Packet capture (sniffer).
- Backup and restore of the configuration via the web GUI.
- Firmware upgrade.
Part III
Installation and Configuration
1. Installation
1.1. Downloading pfSense
Browse to www.pfsense.org and click the Downloads link. On the Downloads page, click the link for new installations. This will lead to the mirror selection page. Pick a geographically close mirror for best performance. Once a mirror has been selected, a directory listing will appear with the current pfSense release files for new installations.
For Live CD or full installations, download the .iso file. The 1.2.3 release file name is pfSense-1.2.3-LiveCD-Installer.iso. There is also an MD5 file available by the same name, but ending in .md5. This file contains a hash of the ISO, which can be used to ensure the download completed properly. Note what this check does and does not prove: it detects a corrupted or truncated download, but since the .md5 file is served from the same mirror as the image, it does not by itself prove that the image is the one the project published. When possible, compare the digest with the value published on the project's own site as well.
For embedded installations, download the .img.gz file. The 1.2.3 release file name is pfSense-1.2.3-nanobsd-size.img.gz, where size is one of 512M, 1G, 2G, or 4G, to reflect the size of the CF card for which that image was intended (sizes are in M for megabyte and G for gigabyte).
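As an added example (not from the original report or the pfSense project), the following Python verifies a downloaded image against the accompanying checksum file. It understands both the BSD layout used by the .md5 files described above ("MD5 (filename) = hash") and the GNU coreutils layout ("hash  filename"), and works unchanged for SHA-256 files. The sample image and checksum line are constructed inline so the code runs offline; verify_file does the same job on a real file on disk.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for the downloaded image and the matching .md5 file line.
SAMPLE_IMAGE = b"pfSense sample image bytes (constructed, not a real ISO)\n" * 1000
SAMPLE_MD5_LINE = ("MD5 (pfSense-1.2.3-LiveCD-Installer.iso) = "
                   + hashlib.md5(SAMPLE_IMAGE).hexdigest())

# BSD style, as written by md5(1)/sha256(1): "MD5 (name) = hash"
_BSD = re.compile(r"^(?P<alg>[A-Za-z0-9]+)\s*\((?P<name>.+)\)\s*=\s*(?P<hash>[0-9a-fA-F]+)\s*$")
# GNU coreutils style, as written by md5sum/sha256sum: "hash  name" (binary mode adds '*')
_GNU = re.compile(r"^(?P<hash>[0-9a-fA-F]+)\s+\*?(?P<name>\S.*?)\s*$")


def parse_checksum_line(line, default_alg="md5"):
    """Return (algorithm, file name, hex digest) for one checksum-file line."""
    line = line.strip()
    m = _BSD.match(line)
    if m:
        return m.group("alg").lower(), m.group("name"), m.group("hash").lower()
    m = _GNU.match(line)
    if m:
        return default_alg, m.group("name"), m.group("hash").lower()
    raise ValueError("unrecognised checksum line: %r" % line)


def digest_bytes(data, alg):
    """Hash in 1 MiB chunks: the same loop works for a multi-hundred-MB image."""
    h = hashlib.new(alg)
    chunk = 1 << 20
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def digest_file(path, alg):
    """Stream a file from disk through the chosen hash."""
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(data, checksum_line):
    """True when the data matches the digest recorded in checksum_line."""
    alg, _name, expected = parse_checksum_line(checksum_line)
    actual = digest_bytes(data, alg)
    # Constant-time comparison is a harmless habit here and the right one
    # wherever the value being compared is a secret.
    return hmac.compare_digest(actual, expected)


def verify_file(path, checksum_line):
    """Same check for a file on disk, e.g. the ISO next to its .md5 file."""
    alg, _name, expected = parse_checksum_line(checksum_line)
    return hmac.compare_digest(digest_file(path, alg), expected)


if __name__ == "__main__":
    print("sample image verifies:", verify_download(SAMPLE_IMAGE, SAMPLE_MD5_LINE))
```

A match means the bytes arrived intact. It says nothing about who produced them: an attacker able to replace the image on a mirror can replace the .md5 beside it, so the digest should also be compared with one obtained from a second source, or a signature checked where the project provides one.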
1.2. Installing pfSense
After downloading, verifying the integrity of the download, and preparing the CD, we boot from it.
The first time pfSense boots up it will ask whether to set up VLANs and then to assign the interfaces.
1.2.1. VLANs
VLANs are optional and are only needed for advanced networking. In our configuration we will not set them up, so we answer n.
Figure 7. Asking to set up VLANs
1.2.2. Assigning Interfaces
After the VLAN question, pfSense will ask to assign the interfaces.
- LAN, WAN, OPTx
The first interface it asks to assign is the LAN interface. If we know which interface we want LAN on, we enter its name, for example "em0", and hit Enter.
The second interface to assign is the WAN interface. Enter the appropriate interface, for example "fxp1", and hit Enter again.
At least two interfaces (LAN and WAN) are needed to set up pfSense. If more interfaces are available, we can go on and assign them as OPTx interfaces. The procedure is the same as for the interfaces already assigned.
- Auto Assign Procedure
There is another procedure to assign interfaces, designed for the case where the NICs are all of the same kind and we don't know which physical NIC matches which detected NIC, since they all appear as, for example, fxpX. In this case, simply enter "a" when asked for the NIC name, then plug the cable into the port to be assigned when prompted; pfSense identifies the interface by the link coming up.
Figure 8. Asking to assign interfaces
If there are no more interfaces left, just hit Enter without entering a NIC name and apply the settings by confirming them with "y".
1.2.3. Finishing Steps
PfSense will now make the finishing touches to configure the interfaces.
Figure 9. Finishing steps of installation
After it has gone through the configuration it will end up with a shell menu and a number of options. PfSense is now ready to be accessed with the WebGUI on the interface assigned as LAN.
Figure 10. Shell menu
1.2.4. pfSense default configuration
By default pfSense will have the following configuration.
- WAN is configured as a DHCP client; all incoming connections are blocked by default.
- LAN is configured as 192.168.1.1/24 and acts as DHCP server and DNS forwarder.
- OPTx interfaces are disabled; they have to be enabled and configured in the WebGUI.
- The WebGUI runs on port 80; the username is "admin" and the password "pfsense". These defaults are public knowledge, so the password must be changed at the first login, and the WebGUI should be switched to HTTPS before it is reachable from anything other than a trusted LAN.
- SSH is disabled.
1.2.5. Storing the config file on writable media
This option is used when planning to run the LiveCD with a writable configuration medium; option 98 is used to assign the drive that should hold the config file.
The LiveCD browses all available media at boot for a valid config file and uses it if found.
1.2.6. Accessing the WebGUI
Now the configuration should be modified to fit our needs through the WebGUI. Use a browser to access http://192.168.1.1 with "admin" as user and "pfsense" as password.
1.2.7. Installing pfSense to the Hard Drive
Option 99 from the shell menu installs pfSense to the hard drive. The current configuration is transferred to the hard drive by the installer.
Figure 11. Option 99
The Configure Console screen allows changing the keyboard map or the console appearance; after any changes, go on by accepting the settings.
Figure 12. The configure console
Next pfSense presents a list of tasks; choose "Quick/Easy install" for a simple installation.
Figure 13. Selecting the simple installation
Now comes the point of no return: we must "Only hit OK if we are really sure there is no valuable data left on this media!"
Figure 14. Confirmation step
Now pfSense starts transferring the system to the prepared media.
Figure 15. Transferring the system to the media
It then asks to remove the CD and reboot the system to boot the new install.
Figure 16. Asking for reboot
And it's done! The installation is finished.
2. Initial Configuration
After finishing the installation, let's carry out one of the most important pieces of initial configuration.
2.1. The Secure Shell (SSH)
SSH is a networking protocol that allows encrypted communication between two devices. Enabling
SSH allows secure access to the pfSense console remotely, just as if we were sitting in front of the physical
console.
2.1.1. Enabling SSH
These steps below describe how to enable the Secure Shell (SSH) service in pfSense.
1. Browse to System | Advanced | Secure Shell.
2. Check Enable Secure Shell.
3. Leave the SSH port blank to use the default port.
4. Save the changes and the SSH service will be started.
Figure 17. Enabling SSH
2.2. Authorized RSA keys
Linux and Mac users will need to ensure ssh-keygen is installed on their system (almost all
distributions have this installed by default). Windows users will need to download and install the
PuTTYGen tool.
2.2.1. Generating authorized RSA keys
These steps below describe how to create an authorized RSA key so a user can connect to pfSense
without being prompted for a password.
1. Open PuTTYGen and generate a public/private key pair by clicking the Generate button.
2. Enter a passphrase.
3. Click the Save Private Key button and choose a location.
Figure 18. Generating RSA key
4. Highlight the public key that was generated in the textbox and copy and paste it into a
new file, let's say C:\MyPublicKey.txt.
Figure 19. The public Key
2.2.2. Configuring SSH RSA key authentication
These steps below describe how to configure pfSense to use an RSA key rather than a
password for SSH authentication.
1. Browse to System | Advanced | Secure Shell.
2. Check Disable password login for Secure Shell (RSA key only).
Figure 20. Disabling password login
3. Edit the user we will associate with the client's public key from System | User
Manager | Edit admin.
4. Select Click to paste an authorized key and paste the client's public RSA key here.
When pasted, the key should appear as a single line. Be sure your text editor didn't
insert any line feed characters or authentication may fail.
Figure 21. Pasting the client public RSA
5. Save the change.
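The single-line requirement above is easy to check before pasting. As an added example, not code from the report or from pfSense, the following Python parses an OpenSSH-format public key line (what PuTTYGen's text box and ssh-keygen's .pub file both contain): it rejects inserted line feeds, confirms the base64 decodes, checks that the key-type prefix matches the type embedded in the blob, and for ssh-rsa reports the modulus size so undersized keys are caught. The key it builds for the demonstration is constructed from arbitrary numbers, not a real key pair.

```python
import base64
import struct

# --- Building a key line (only so the example is self-contained) -------------

def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """SSH wire-format multiple-precision integer (positive values only here)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[:1] and b[0] & 0x80:
        b = b"\x00" + b          # keep the number positive when the top bit is set
    return _ssh_string(b)


def make_rsa_pubkey_line(e, n, comment=""):
    """Serialise an RSA public key the way ssh-keygen and PuTTYGen print it."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


# --- Checking a line before pasting it into the user form --------------------

def _read_string(blob, off):
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def check_authorized_key(text):
    """Validate one authorized_keys entry. Returns a dict describing the key,
    or raises ValueError with the reason it would fail on the firewall."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line, found %d "
                         "(did the editor insert line feeds?)" % len(lines))
    parts = lines[0].split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key type or key data")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError
        raise ValueError("key data is not valid base64: %s" % exc)
    embedded, off = _read_string(blob, 0)
    if embedded != key_type.encode("ascii", "replace"):
        raise ValueError("prefix %r does not match embedded type %r" % (key_type, embedded))
    info = {"type": key_type, "comment": parts[2] if len(parts) == 3 else ""}
    if key_type == "ssh-rsa":
        e_bytes, off = _read_string(blob, off)
        n_bytes, off = _read_string(blob, off)
        if off != len(blob):
            raise ValueError("trailing bytes after RSA key fields")
        info["exponent"] = int.from_bytes(e_bytes, "big")
        info["modulus_bits"] = int.from_bytes(n_bytes, "big").bit_length()
        info["weak"] = info["modulus_bits"] < 2048   # policy threshold, an assumption
    return info


# Constructed sample: not a real key pair, just a well-formed ssh-rsa public key
# with a 2048-bit modulus for the checker to parse.
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_LINE = make_rsa_pubkey_line(65537, SAMPLE_N, "admin@workstation")

if __name__ == "__main__":
    print(check_authorized_key(SAMPLE_LINE))
```

Run it on the text you are about to paste; a ValueError tells you exactly what the firewall would silently reject, which beats debugging a failed login from the console.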
2.2.3. Accessing the Secure Shell (SSH)
This part describes how to access the pfSense console from a Windows client computer.
Connect via SSH from a Windows client with PuTTY as follows.
1. Open PuTTY and specify your hostname or IP address.
2. Specify an alternative port if necessary (default is port 22).
3. Browse to your private key file from Connection | SSH | Auth | Private Key file for
authentication.
Figure 22. Client configuration
3. General basic configuration
The core functionality of any firewall involves creating port forward and firewall security
rules, and pfSense is no different. These core features, plus others, can all be found on the main
Firewall menu of the pfSense web interface.
This chapter explains how to configure these rules and the features associated with them.
3.1. ALIAS
Aliases provide a degree of separation between our rules and values that may change in the
future (for example, IP addresses, ports, and so on). It's best to use aliases whenever possible.
3.1.1. Creating an ALIAS
These steps describe how to use, create, edit, and delete aliases.
1. Browse to Firewall | Aliases.
2. Click the "plus" button to add a new alias.
3. Add a Name for the alias.
4. Add an optional Description.
5. Select an alias Type and finish the configuration based on that selection.
Figure 23. Creating an ALIAS
6. Save the changes.
3.1.2. Types of alias
Figure 24. Types of ALIAS
- Host alias
Selecting Host(s) as an alias Type allows creating an alias that holds one or more IP addresses.
- Network alias
Selecting Network(s) as an alias Type allows creating an alias that holds one or more networks (that
is ranges of IP addresses).
- Port alias
Selecting Port(s) as an alias Type allows creating an alias that holds one or more ports.
- URL alias
Selecting URL as an alias Type allows creating an alias that holds one or more URLs.
- URL Table alias
Selecting URL Table as an alias Type allows you to create an alias that holds a single URL pointing
to a large list of addresses. This can be especially helpful when we need to import a large list of IPs
and/or subnets.
3.1.3. Using an alias
Aliases can be used anywhere you see a red textbox. Simply begin typing and pfSense will
display any available aliases that match the text you've entered.
Figure 25. Using ALIAS
3.2. NAT port forward rule
As the name says, a NAT port forward rule forwards a type of traffic to a host, possibly on a different port. In our example we will create a port forward rule to forward any incoming web requests (HTTP) to a computer we've configured as a web server.
3.2.1. Creating a NAT port forward rule
These steps below describe how to create, edit, and delete port forward rules.
1. Browse to Firewall | NAT.
2. Select the Port Forward tab.
3. Click the "plus" button to create a new NAT port forward rule.
4. For Destination port range, choose HTTP for the from and to drop-down boxes.
5. For Redirect target IP specify the web server this traffic will be forwarded to, by alias or
IP address.
6. For Redirect target Port choose HTTP.
7. Add a Description, such as Forward HTTP to webserver1.
Figure 26. Creating a NAT port forward rule
8. Save the changes.
3.3. Schedule
Schedules allow us to specify when rules are enabled. They are primarily used with firewall
rules, but their generic design allows them to be used with other existing and future pfSense features.
If a firewall rule specifies a schedule, the rule is only enabled during that time period. In the
following example, we'll define a schedule for our normal 9am-5pm work hours.
3.3.1. Creating a schedule
This recipe describes how to create a schedule.
1. Browse to Firewall | Schedules.
2. Click the "plus" button to create a new schedule.
3. Enter a Schedule Name, such as WorkHours.
4. Enter a Description, such as Regular work week hours.
5. In the Month section, click Mon, Tue, Wed, Thu, and Fri to select all the days of the
work week.
6. Specify a 9 am as the Start Time and 5 pm as the Stop Time.
7. Enter a Time Range Description, such as Monday-Friday 9am-5pm.
8. Click Add Time.
Figure 27. Creating a schedule
9. Note that the repeating time is added to Configured Ranges.
Figure 28. Schedule repeat
10. Save the changes.
3.4. Firewall rule
Firewall rules control what traffic is allowed to enter an interface on the firewall. Once traffic
is passed on the interface it enters, an entry in the state table is created, which allows through
subsequent packets that are part of that connection.
Firewall rules are processed from the top down, and the first match wins. The default on all
interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed.
3.4.1. Creating a firewall rule
As an example, we will create the WAN firewall rule that lets the forwarded HTTP traffic from the previous section reach the web server in the DMZ. (The port forward form can also create this associated filter rule automatically; creating it by hand shows what the rule contains.)
1. Browse to Firewall | Rules.
2. Select the WAN tab.
3. Click the "plus" button to create a new firewall rule.
4. Specify the WAN Interface.
5. Specify the TCP Protocol.
6. Specify any as the Source.
7. Specify any as the Source Port Range.
8. Specify Webserver1 as our Destination.
9. Specify HTTP as our Destination Port Range.
10. Specify a Description.
Figure 29. Firewall rule
11. Save the changes.
Figure 30. DMZ rules
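To make the evaluation order concrete, here is an added Python model of the rule processing just described, covering the aliases of section 3.1, the schedule of section 3.3 and the first-match, default-deny semantics above. It is example code written for this page, not pfSense's own implementation (pfSense compiles the GUI rules into a pf ruleset); the addresses, alias names and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Aliases, as defined under Firewall | Aliases (all values constructed).
ALIASES = {
    "Webserver1": ["10.0.10.5"],          # host alias
    "DMZ_net": ["10.0.10.0/24"],          # network alias
    "HTTP": [80],                         # port alias
    "WebPorts": [80, 443],                # port alias with two members
}

# A schedule like the WorkHours example: Monday to Friday, 09:00 to 17:00.
SCHEDULES = {
    "WorkHours": {"days": {0, 1, 2, 3, 4}, "start": (9, 0), "stop": (17, 0)},
}


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    interface: str
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: str = "any"                 # address, network or alias name
    dst: str = "any"
    dport: str = "any"               # port number or alias name
    schedule: Optional[str] = None
    description: str = ""


@dataclass
class Packet:
    interface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _expand(value):
    """An alias name expands to its members; a literal value is used as is."""
    return ALIASES.get(value, [value])


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(str(m), strict=False) for m in _expand(spec))


def _port_matches(spec, port):
    if spec == "any":
        return True
    return port is not None and any(int(m) == port for m in _expand(spec))


def _schedule_active(name, now):
    if name is None:
        return True                  # no schedule: the rule is always enabled
    s = SCHEDULES[name]
    return now.weekday() in s["days"] and s["start"] <= (now.hour, now.minute) < s["stop"]


def evaluate(rules, pkt, now):
    """Top down, first match wins; no match at all is the implicit default block."""
    for r in rules:
        if r.interface != pkt.interface:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if not _schedule_active(r.schedule, now):
            continue                 # outside its schedule the rule is simply skipped
        if (_addr_matches(r.src, pkt.src) and _addr_matches(r.dst, pkt.dst)
                and _port_matches(r.dport, pkt.dport)):
            return r.action, r.description
    return "block", "default deny"


# WAN rules in the order they appear in the GUI (constructed).
WAN_RULES = [
    Rule("block", "wan", "any", src="192.0.2.0/24", description="Block partner range"),
    Rule("pass", "wan", "tcp", dst="Webserver1", dport="HTTP",
         description="Forward HTTP to webserver1"),
    Rule("pass", "wan", "tcp", dst="DMZ_net", dport="WebPorts", schedule="WorkHours",
         description="DMZ web, work hours only"),
]

if __name__ == "__main__":
    now = datetime(2013, 6, 3, 10, 0)   # a Monday morning
    print(evaluate(WAN_RULES, Packet("wan", "tcp", "203.0.113.7", "10.0.10.5", 80), now))
```

Note how the order of the first two rules matters: a request from the blocked range never reaches the pass rule, exactly as on the firewall, and a scheduled rule outside its window is not a block but simply absent, so the decision falls through to whatever follows.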
3.4.2. Advanced features
New to pfSense 2.0 is the firewall rule Advanced Features section. Each of the following
features can be specified as criteria for a rule. If an advanced feature is specified, the rule will only be
executed if a match is found. Click the Advanced button to display the following configuration
settings for each feature:
Source OS: This option will attempt to match the operating system of the source traffic.
Diffserv Code Point: Diffserv is a mechanism for providing Quality of Service (QoS) of network
traffic. Systems can prioritize traffic based on their code point values.
Advanced Options: Allows for the specification of advanced IP Options.
TCP Flags: Specific TCP flags may be set here.
State Type: Specify a particular state tracking mechanism.
No XMLRPC Sync: Prevent a rule from syncing with the other CARP members.
Schedule: Specify the schedule for when this rule is valid. Schedules defined in “Firewall |
Schedules” will appear here.
Gateway: Gateways other than the default may be specified here.
In/Out: Specify alternative queues and virtual interfaces.
Ackqueue/Queue: Specify alternative acknowledge queues.
Layer7: Specify an alternative Layer7 container.
4. Advanced Configuration
4.1. Virtual IP
Virtual IPs adds knowledge of additional IP addresses to the firewall that are different from
the firewall's actual "real" interface addresses. Most often, these are used for NAT, but they can also
be used for other functions such as clustering, binding services such as DNS, load balancing in
packages, and so on.
4.1.1. Types of virtual IPs
There are four types of Virtual IPs available in pfSense: IP Alias, CARP, Proxy ARP, and Other. Each is useful in different situations:
- CARP
Can be used or forwarded by the firewall ;
Uses Layer 2 traffic ;
Should be used in firewall fail-over or load-balancing scenarios ;
Must be in the same subnet as the interface ;
Will respond to pings if configured properly ;
- Proxy ARP
Can only be forwarded by the firewall ;
Uses Layer 2 traffic ;
Can be in a different subnet than the interface ;
Cannot respond to pings ;
- Other
Can only be forwarded by the firewall ;
Can be in a different subnet than the interface ;
Cannot respond to pings ;
- IP Alias
New to pfSense 2.0 ;
Can be used or forwarded by the firewall ;
Allows extra IP addresses to be added to an interface ;
4.1.2. Creating a virtual IP
1. Browse to Firewall | Virtual IPs.
2. Click the "plus" button to add a new virtual IP address.
3. Choose Other as Type.
4. Select the WAN as the Interface.
5. Specify the IP Address.
6. Add a Description.
Figure 31. Creating a VIP
7. Save the changes.
Figure 32. VIP created
4.2. 1:1 NAT rule
The 1:1 NAT maps one public IP to one private IP. All traffic from that private IP to the
Internet will be mapped to the public IP defined in the 1:1 NAT mapping, overriding your Outbound
NAT configuration.
4.2.1. Configuring a 1:1 NAT rule
This example publishes our internal web server on a public IP address.
1. Browse to Firewall | NAT.
2. Select the 1:1 tab.
3. Click the "plus" button to add a new 1:1 NAT rule.
4. Select an Interface, in this case WAN.
5. Specify a Source, in this case any.
6. Specify a Destination; we'll specify our internal webserver by alias.
7. Specify the External subnet, our public IP address.
8. Add a Description.
9. Leave NAT reflection disabled.
Figure 33. Configuring 1:1 NAT
10. Save the changes.
4.3. Static route
Static routes are for reaching networks that aren't reachable through the default WAN gateway, but can be reached indirectly through a different interface. A common scenario might be an office building with a shared network for printing. Anyone connected to the business network can use the shared network; they just need a static route. We can use pfSense to create this static route for an entire interface, instead of configuring a static route on each individual PC.
4.3.1. Creating a gateway
1. Go to System | Routing.
2. Click the Gateways tab.
3. Click the "plus" button to add a new gateway.
4. Select the Interface for the new gateway.
5. Specify a Name for the gateway (no spaces allowed).
6. Specify the IP address for the gateway, it must be a valid address on the chosen
interface.
7. Add a Description, such as “LAN gateway”.
8. Save the changes.
Figure 34. Creating gateway
4.3.2. Creating a static route
1. Browse to System | Routing.
2. Click the Routes tab.
3. Click the "plus" button to add a new route.
4. Enter the IP address of the Destination network.
5. Choose the Gateway we've defined above.
6. Add a Description, such as "adding LAN route".
Figure 35. Creating a static route
7. Save the changes.
Figure 36. Route static created
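As an added example (not pfSense code), the following Python shows how a forwarding decision is made from a table like the one just created: the most specific matching network wins regardless of table order, the default route catches everything else, and a gateway must lie inside a directly connected network, which is the check behind step 6 of "Creating a gateway". All addresses are constructed.

```python
import ipaddress

# A routing table in the spirit of System | Routing: (destination, gateway, interface).
# A gateway of None means the network is directly connected. Addresses are constructed.
ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1",   "wan"),   # default route to the ISP gateway
    ("203.0.113.0/24", None,            "wan"),   # directly connected WAN segment
    ("192.168.1.0/24", None,            "lan"),   # directly connected LAN
    ("10.50.0.0/16",   "192.168.1.254", "lan"),   # static route: printing network
    ("10.50.7.0/24",   "192.168.1.253", "lan"),   # more specific route inside it
]


def lookup(dest, routes=ROUTES):
    """Return (network, gateway, interface) for the most specific matching route,
    i.e. longest prefix wins; None if nothing matches."""
    ip = ipaddress.ip_address(dest)
    best = None
    for net, gw, iface in routes:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    return (str(best[0]), best[1], best[2]) if best else None


def next_hop(dest, routes=ROUTES):
    """Where the packet is actually sent: the gateway, or the destination itself
    when the network is directly connected."""
    r = lookup(dest, routes)
    if r is None:
        return None
    return (r[1] or dest, r[2])


def gateway_is_on_link(gw, routes=ROUTES):
    """A gateway must sit inside a directly connected network, otherwise the
    firewall could never hand packets to it (the check pfSense applies)."""
    ip = ipaddress.ip_address(gw)
    return any(g is None and ip in ipaddress.ip_network(net) for net, g, _ in routes)


def validate_table(routes=ROUTES):
    """Return the static routes whose gateway is not reachable on-link."""
    return [(net, gw) for net, gw, _ in routes
            if gw is not None and not gateway_is_on_link(gw, routes)]


if __name__ == "__main__":
    for dest in ("10.50.7.9", "10.50.200.1", "192.168.1.77", "8.8.8.8"):
        print(dest, "->", next_hop(dest))
    print("unreachable gateways:", validate_table())
```

The same longest-prefix rule is why a static /24 inside the printing /16 can steer part of that range through a second gateway without touching the rest, and why a typo that creates a route with an off-link gateway is rejected rather than silently black-holing traffic.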
4.4. SMTP e-mail notifications
PfSense can send an e-mail notification using the information supplied to notify
administrators of significant system events.
4.4.1. Configuring SMTP e-mail notifications
1. Browse to System | Advanced.
2. Click the Notifications tab.
3. Enter the IP Address of the E-Mail server.
4. Enter the SMTP Port of the E-Mail server.
5. Enter the From e-Mail address.
6. Enter the Notification E-Mail address.
7. Enter the Notification E-Mail auth username.
8. Enter the Notification E-Mail auth password.
Figure 37. SMTP notification configuration
9. Save the changes.
10. Apply changes, if necessary.
Once the settings are saved, a test e-mail will be sent automatically.
Figure 38. test e-mail
4.5. Captive portal
A captive portal is a web page that is displayed before a user is allowed to browse the web.
This is most often seen at commercial Wi-Fi hotspots where you must pay for service before you are
allowed to surf the web. In other scenarios, captive portals are used for authentication or end-user
agreements.
4.5.1. Creating a captive portal
During these steps, we will configure pfSense to display an authentication captive portal before users
are allowed to surf the web from our LAN.
1. Browse to Services | Captive Portal.
2. From the Captive portal tab, click Enable captive portal.
3. Choose Interfaces; we'll select our LAN as our interface.
4. Specify an Idle timeout; we'll say 10 minutes.
5. Specify a Hard timeout; we'll leave the default of 30 minutes.
6. Click Enable logout popup window so that users may log themselves out when they
are finished.
7. Specify a Redirection URL, say http://www.google.com.
Figure 39. Captive portal
8. Select Local User Manager as the Authentication:
Figure 40. Selecting Local User Manager as the authentication
9. Save the changes.
10. Browse to System | User Manager.
11. Click the Users tab.
12. Click the "plus" button to add a new user.
13. Enter a Username.
14. Enter and confirm a Password.
15. Enter a Full name
Figure 41. creating a new user
16. Save the Changes.
Figure 42. user manager
Now let's test it. Keep in mind that the portal's login form is served over plain HTTP unless its HTTPS login option is enabled, so without it the user's password crosses the LAN in clear text.
Figure 43. Captive portal test
5. Services
5.1. RIP
RIP stands for Routing Information Protocol, a dynamic routing protocol for local and wide
area networks.
5.1.1. Enabling RIP
These steps describe how to enable RIP in pfSense.
1. Browse to Services | RIP.
2. Check Enable RIP.
3. Select an interface (Ctrl + click to select multiple interfaces).
4. Select a RIP Version.
5. Set a password when using RIP version 2. Note that RIPv2 simple-password authentication travels in clear text on the wire; it keeps a misconfigured router from peering by accident but is no defence against an attacker on the same segment.
Figure 44. Enabling RIP service
6. Save the changes.
5.2. Wake On LAN (WOL)
Wake on LAN can be used to wake up computers from a powered-off state by sending special
"Magic Packets". The NIC in the computer that is to be woken up must support WOL and has to be
configured properly.
5.2.1. Enabling Wake On LAN (WOL)
1. Browse to Services | Wake on LAN.
2. Select the Interface which contains the device we'd like to wake up.
3. Enter the device's MAC address.
Figure 45. Enabling the WOL
4. Click Send.
Figure 46. Sending the magic packet
5.2.2. Storing Mac addresses
There is a possibility to store the MAC addresses of any machines that support Wake on LAN.
1. Browse to Services | Wake on LAN.
2. Click the "plus" button to add a WOL Mac Address entry.
3. Select the Interface that contains the device.
4. Specify the device's MAC address.
5. Add a Description.
Figure 47. Storing MAC addresses
6. Save the changes.
Figure 48. MAC addresses Stored
7. Click the MAC address of any of the stored clients to send a magic packet.
5.2.3. Wake All
Instead of waking clients individually, there may be times when we want to wake them all at once: simply click the Wake All button.
Figure 49. Wake all MAC addresses Stored
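As an added example, not part of the original report or of pfSense, here is the magic packet itself in Python: how it is built from the MAC address, how to recognise one in a packet capture, and how to broadcast it. It also makes the security property obvious: the packet carries no authentication, so anyone who can put a broadcast on the segment can wake the host. The MAC addresses used are constructed.

```python
import re
import socket


def parse_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455."""
    if not re.fullmatch(r"[0-9a-fA-F:.\-]+", mac):
        raise ValueError("not a MAC address: %r" % (mac,))
    digits = re.sub(r"[:.\-]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return bytes.fromhex(digits)


def magic_packet(mac):
    """The WOL payload: 6 bytes of 0xFF followed by the target MAC repeated 16 times."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def wol_target(payload):
    """Return the MAC a captured payload would wake, or None if it is not a magic packet.
    The sync stream may be preceded by other bytes, so search rather than anchor."""
    start = payload.find(b"\xff" * 6)
    while start >= 0:
        body = payload[start + 6:start + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join("%02x" % b for b in body[:6])
        start = payload.find(b"\xff" * 6, start + 1)
    return None


def send_magic_packet(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the packet on the local segment (UDP/9 is the usual choice).
    As with the pfSense page, this only reaches hosts on a segment the sender
    is attached to; nothing routes a broadcast for you."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    pkt = magic_packet("00:11:22:33:44:55")        # constructed address
    print(len(pkt), "bytes, wakes", wol_target(pkt))
```

wol_target is the half worth keeping around: run over the payloads of a capture it tells you which hosts someone is trying to wake, which is a useful signal on a segment where nobody is supposed to be sending these.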
6. Maintenance
6.1. Ping
pfSense exposes the ping utility that's included on almost all operating systems. This is handy for administrators since pfSense can ping any machine from any specified interface.
6.1.1. Using ping
These steps describe how to use the ping service in pfSense.
1. Browse to Diagnostics | Ping.
2. Set Host to the IP Address or hostname of the machine we're trying to ping.
3. Choose the Interface to initiate the ping from.
4. Select a Count.
5. Press the Ping button.
Figure 50. Using ping
6.2. Traceroute
Traceroute is a useful tool for testing and verifying routes and multi-WAN functionality,
among other uses. It will allow you to view each "hop" along a packet's path as it travels from one
end to the other, along with the latency encountered in reaching that intermediate point.
6.2.1. Using traceroute
1. Browse to Diagnostics | Traceroute.
2. Set Host to the IP Address or hostname of the machine we're trying to trace.
3. Choose the Maximum number of hops for the trace to jump.
4. Optionally check Use ICMP.
Figure 51. Using traceroute
5. Click the Traceroute button.
6.3. Backing up the configuration file
Backing up configuration files is an essential part of any administrator's position.
PfSense allows an administrator to download the entire pfSense configuration in a single XML file to any local or networked drive.
pfSense configuration files are stored in a plain-text XML format by default, but there is also an option to encrypt them. Remember that this file holds everything needed to rebuild the firewall, including user password hashes, VPN pre-shared keys and the SMTP credentials entered for notifications, so a backup is as sensitive as the firewall itself: use the encryption option, or keep the file somewhere only administrators can read.
1. Browse to Diagnostics | Backup/restore.
2. Select the Backup/Restore tab.
3. Set the Backup area to ALL. For a list of all available areas, see the following Backup
areas section.
4. Leave Do not backup package information unchecked.
5. Leave Do not backup RRD data checked.
Figure 52. Backing up the configuration file
6. Click Download configuration.
Figure 53. Downloading the configuration file
7. Save the file to a secure location.
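As an added example, not from the report or the pfSense project, the following Python scans a configuration backup for elements that look like credentials (the kind of values the SMTP notification and VPN sections put into the file) and produces a redacted copy that can be shared in a support request. The XML below is a constructed miniature of a config.xml; the element names treated as sensitive are an assumption and should be extended for the packages in use.

```python
import xml.etree.ElementTree as ET

# Element names that commonly hold credentials in a pfSense config.xml.
# The exact tags vary by version and package, so this is a starting point (assumption).
SENSITIVE_TAGS = {"password", "bcrypt-hash", "md5-hash", "pre-shared-key", "secret",
                  "authkey", "shared_key", "passphrase"}
SENSITIVE_SUBSTRINGS = ("password", "passwd", "secret", "psk", "privkey", "private")
MASK = "***REDACTED***"

# Constructed miniature of a configuration backup; values are made up.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <hostname>fw1</hostname>
    <user>
      <name>admin</name>
      <password>$1$constructed$notarealhashvalue</password>
    </user>
    <notifications>
      <smtp>
        <ipaddress>192.0.2.25</ipaddress>
        <username>alerts</username>
        <password>Sup3rSecret!</password>
      </smtp>
    </notifications>
  </system>
  <ipsec>
    <phase1><pre-shared-key>hunter2</pre-shared-key></phase1>
  </ipsec>
</pfsense>
"""


def _looks_sensitive(elem):
    tag = elem.tag.lower()
    has_value = bool((elem.text or "").strip())
    return has_value and (tag in SENSITIVE_TAGS or any(s in tag for s in SENSITIVE_SUBSTRINGS))


def find_secrets(xml_text):
    """Return (path, value) pairs for every element that looks like a credential."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        here = "%s/%s" % (path, elem.tag)
        if _looks_sensitive(elem):
            hits.append((here, elem.text.strip()))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


def redact(xml_text):
    """Return a copy with credential values masked, safe to attach to a ticket."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _looks_sensitive(elem):
            elem.text = MASK
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, value in find_secrets(SAMPLE_CONFIG):
        print(path, "=", value)
```

Running find_secrets over a real backup is a quick way to see what an attacker gains from a copy of it, and therefore whether the encryption option in the backup form is optional for you.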
6.4. Restoring the configuration file
Restoring configuration files is an essential part of any administrator's position. pfSense
configuration files are stored in a plain-text XML format by default, but an encryption option is
available.
1. Browse to Diagnostics | Backup/restore.
2. Select the Backup/Restore tab.
3. Set the Restore area to ALL.
Figure 54. Restoring the configuration file
4. Click Restore configuration and pfSense will reboot.
Figure 55. Configuration file restored
6.5. Automatic configuration file backup
Automatic configuration file backup saves the configuration file automatically on external pfSense servers; only paid support subscribers have access to this feature.
6.5.1. Installing the AutoConfigBackup Package
1. Browse to System | Packages.
2. Click the + next to the AutoConfigBackup package (it will download and install the
package).
3. Refresh the menus.
Now we can find AutoConfigBackup under the Diagnostics menu.
6.5.2. Configuring the AutoConfigBackup Package
1. Browse to Diagnostics | AutoConfigBackup.
2. Click the Settings tab.
3. Enter our Subscription Username.
4. Enter our Subscription Password.
5. Confirm Subscription Password.
6. Enter our Encryption Password.
7. Confirm Encryption Password.
Figure 56. Auto configuration backup
8. Save the changes.
Conclusion
As a conclusion, we have shown, first, an overview of the Court of Appeal of Taza; secondly,
the theory of pfSense, from its history to the list of features; and thirdly, the necessary
installation and configuration, from the basic setup to the service and maintenance configuration.
This project has allowed us to understand the concepts of the pfSense firewall. All the example
configurations we have seen are there just to show how pfSense must be handled; each administrator
can choose their own strategy for their network, depending on its size, platforms, equipment, and so on.
In terms of perspective, I recommend the installation of some useful packages such as the
automatic backup, SquidGuard, and Snort: the first helps with redundancy, the second with URL
filtering (plus it is free and published under the GNU General Public License), and the third is an Intrusion
Detection System (IDS) released under the GNU open source license, the GPL.