pfSense 1.2 Firewall Appliance Guide

Introduction
Installation And Minimum Configuration
Packages
Other Configuration
OpenVPN Server
Wake On LAN
Captive Portal
Upgrading pfSense
Finding Help

1.0 Introduction

The pfSense web site is at www.pfsense.com. This guide currently covers installing pfSense 1.2 on the hard disk of an i386 architecture 'PC' computer using the LiveCD which you download from www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46. pfSense is based on the FreeBSD operating system.

2.0 Installation And Minimum Configuration

The installer CD is a live CD that can be installed to hard disk, memory drive, etcetera.

Define network interfaces

Choose which interface is for LAN (local area network) and which is for WAN (wide area network). It will try to auto detect or you can just tell it which of the interfaces it shows are for LAN and WAN (which I find easier than the auto detection)

LAN xl0 xx:xx:xx:xx:xx:xx - defaults to the first PCI slot it finds a card in and 192.168.1.1
WAN xl1 yy:yy:yy:yy:yy:yy - defaults to the second PCI slot it finds a card in and to getting its address by DHCP. If you want to VPN in you'll need to set this instead to a static address.

That's it! pfSense is now useable. However you probably want to install it to the hard disk and you may want to change some of these defaults from the console here then change some more (at least the password) from the web interface, or just change them all from the web interface.

Note: the default account has username 'admin' and password 'pfsense'.

Optional Configuration From Console

Note: the DNS server on the LAN interface is on by default.

I use the ipcalc tool on a Linux workstation to work out IP addressing schemes, alternatively there are many ipcalcs available as web sites:

$ ipcalc 10.0.0.1/255.255.255.0
Address:   10.0.0.1             00001010.00000000.00000000. 00000001
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   10.0.0.0/24          00001010.00000000.00000000. 00000000
HostMin:   10.0.0.1             00001010.00000000.00000000. 00000001
HostMax:   10.0.0.254           00001010.00000000.00000000. 11111110
Broadcast: 10.0.0.255           00001010.00000000.00000000. 11111111
Hosts/Net: 254                   Class A, Private Internet

2) Set LAN IP address
Enter the new LAN IP address: I choose '10.0.0.1'.
Enter the new LAN subnet bit count: I choose '24' which represents 255.255.255.0, allowing any value of x in 10.0.0.x.
Do you want to enable the DHCP server on LAN [y|n]? I choose 'y'.
Enter the start address of the client address range: I choose 10.0.0.100
Enter the end address of the client address range: I choose 10.0.0.250

Install To Hard Drive/Memory Drive (Optional)

pfSense should now be operational from the CD. If you want to install pfSense to a hard disk choose 99) Install pfSense to a hard drive/memory drive, etc. If you want you're able to configure pfSense further from the web interface before installing it to hard drive/memory drive.

Follow the prompts to install. Accepting the defaults for all questions should be fine. Note that hard disk geometry misalignments with the BIOS can cause difficulties which pfSense will tell you about. Choose either 'Uniprocessor kernel (one processor)' or 'Symmetric multiprocessing kernel (more than one processor)' depending on what the machine has.

Restore Configuration From Backup (Optional)

If you want you can restore a previously saved backup and all settings will be restored, including passwords and certificates. To do so you need to be attached to the firewall with a client computer, connect to its web interface using its default address of http://192.168.1.1 or what ever you set earlier if you changed this and go to Diagnostics → Backup/Restore.

After a restoration you need to install any packages you might have installed to the system you backed up from.

Optional Configuration From Web Interface

The rest of your interaction with pfSense can happen through the web browser on another computer.

Go to web interface: http://<IP address>
The wizard will lead you through answering these questions, or they can later be set in System → General Setup

Hostname: firewall (or whatever you want)
Domain: localdomain. It defaults to 'local' but we're already using localdomain
DNS servers - set this, unless you're getting them through DHCP on the WAN interface in which case you can leave it alone.
Time zone: choose yours i.e. Europe/London
Configure WAN Interface - SelectedType: DHCP or Static (I've no experience of the other options PPPoE, PPTP and BigPond). If you want to use the VPN you need to choose static.

Static IP Configuration

IP Address: this is usually dependent on the subnet of the modem/router that pfSense is connected to or the IP addresses given by your ISP, depending on how you're using IP addresses
Gateway: this will usually be the modem/router that pfSense is connected to

LAN IP Address: only needs to be set if you want to change it from the default of 192.168.1.1 and you didn't do so earlier at the console
Admin Password - set a new password

System → Advanced → Secure Shell [X] Enable Secure Shell (enables SSH access, with username 'root' and password same as your 'admin' web GUI password)
System → General Setup →

webGUI protocol: HTTPS, not HTTP
(this option is a bit flaky, it could take a minute for it to work on HTTPS or it might require you to set it back to HTTP then again to HTTPS before it works). when it's ready it should redirect you to https://<IP address or hostname>

Advanced Configuration

Add any hosts you want to explicitly provide for (such as server → 10.0.0.10) to the DNS forwarder at Services → DNS. "pfSense doesn't do anything complex with DNS unless you install the dns-server package (which is tinydns). If you want to add hosts to the DNS forwarder, do that at Services → DNS"
If you have a WINS server, such as a Windows or Samba server, for Windows workstations, add its IP address so workstations will pick it up: DHCP server → WINS servers and add 10.0.0.10 (or whatever yours is)
How do we enable auth/ident for IRC? You can add BLOCK/REJECT/PASS for IDENT/AUTH TCP/UDP on WAN, coming from WAN, in Firewall → Rules → Add. Good explanation of IDENT/AUTH at www.grc.com/port_113.htm. TODO: None of these changed IRC login, do I need to setup port forwarding for it instead?

Configuration I'm Testing

Services → DNS

Backup

Make a backup of the system to the computer you're connecting with: Diagnostics → Backup/Restore → Local → Backup configuration → Download configuration. Make fresh backups when you change any configuration.

3.0 Packages

From http://blog.pfsense.org/?p=179 13 March 2008: "FreeBSD removed 6.2 packages from all their mirrors, which broke a few of our packages. I fixed as many as I could with files we already had, or that I could still find, but some are still not working. We'll have to build these packages ourselves, and it'll be this weekend before anyone will have time to do so."

"Going forward we are only going to use package files from our servers so we don't get bitten by similar situations in the future."

pfSense packages are custom versions either maintained by the pfSense team or individuals. They don't ship with pfSense, they're downloaded over the internet when installed. They're made available as-and-when ready, not dependent on pfSense updates. There's no pfsense.com page announcing updates. The System → Packages → Installed packages page will tell you if newer versions are available. I think to upgrade you have to choose 'pkg' (reinstall this application); your configuration will be retained.

bandwidthd

Available via: Services → BandwidthD
Version tested: 3.0.619
Doesn't save its log
By default, doesn't require authentication to access

darkstat

Available via: Diagnostics → Darkstat Settings
Requires port 666 be open on the client to view results
Version tested: 3.0.619

phpSysInfo

Available via: Status → phpsysinfo
Version tested: 2.5.3

snort

Available via: Services → Snort

squid

Available via: Services → Proxy server

4.0 Other Configuration

Manual DNS Override

If you're having a problem such as the modem on the WAN interface is using a broken DNS server and you want to manually override it:

System → General Setup →

DNS servers
Allow DNS server list to be overridden by DHCP/PPP on WAN - off

5.0 OpenVPN Server

pfSense's OpenVPN Server feature deals with allowing people to VPN in to the LAN. The OpenVPN Client feature deals with pfSense itself VPNing into another VPN Server and isn't covered here. You have to create your own CA, server and client certificates and keys, which I'll cover in a seperate document another time.

OpenVPN Server Configuration

VPN → OpenVPN → Server → +

Dynamic IP: yes

Address pool: 10.0.10.0/24 (or whichever you want. This is a subnet just for VPN clients, needs to not clash with any existing subnet)

Authentication method: PKI (Public Key Infrastructure)

Local network: 10.0.0.0/24 (or whichever matches your actual local addressing scheme) [this isn't available until you change 'Authentication method' from 'Shared key' to 'PKI (Public Key Infrastructure)']

CA certificate - paste in a .pem file, you need to create this elsewhere, I'll document this seperately

Server certificate - paste in a .pem file, you need to create this elsewhere, I'll document this seperately

Server key - paste in a .pem file without a passphrase included, you need to create this elsewhere, I'll document this seperately

DH parameters - Diffie Hellman parameters, you need to create this elsewhere, I'll document this seperately

DHCP-Opt.: WINS-Server: 10.0.0.10 (if you have a WINS server; change for your specific address)
(Note: I still don't have WINS working, something else must also be needed, at least with Linux clients)

LZO compression: yes

Save

Firewall Configuration

By default setting up OpenVPN doesn't actually open the firewall up to allow OpenVPN access. You have to do this yourself:
Firewall → Rules → + (add new rule) - Setup a rule to pass on WAN interface protocol UDP from any source to destination OpenVPN port:

Action: Pass (the default)
Interface: WAN (the default)
Protocol: UDP
Source - Type: any (the default)
Destination port range
Description: Allow OpenVPN in

from: OpenVPN
to: OpenVPN

Save → Apply changes

6.0 Wake On LAN

As long as you have the other prerequisites (computer BIOS of machines to be woken has WOL capability and it's turned on) this is how you can use Wake On LAN to wake machines when turned 'off' from pfSense.

Register machines for Wake On LAN by turning them all on. Go to Status → DHCP Leases. For each machine choose 'Add a Wake on Lan mapping for this address'.

You can wake a single machine using Services → Wake On LAN and choosing the MAC address in the list. You can wake all registered machines at once by choosing the appropriate button.

7.0 Captive Portal

Authenticated Captive Portal

This describes setting it up so that people require an account to connect to the the Internet.

The Captive Portal uses MAC address to track people unless you choose 'Disable MAC filtering'. The Captive portal bypass is either all or nothing, you can't enable certain ports to bypass. The Captive portal doesn't tell you total bandwidth consumed per user

Concurrent user logins: Disable concurrent logins
Authentication: Local user manager
HTTPS login: Enable HTTPS login
This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS.
HTTPS certificate - I've not done this yet
HTTPS private key - I've not done this yet

"Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. Non browser authentication is possible using WISPr, an XML-based authentication protocol for this purpose, or MAC-based authentication or authentications based on other protocols."

Note: Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page.

Create portal page. For example:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<title>your organisation name - Login</title>

</head>
<body>

<h1>your organisation name Login</h1>

<p>You need to enter, or re-enter, your username and password to use the Internet. If
you're paid-up you should have been given this information recently.</p>

<p>To get an account, or if you're having problems, see Payment and Contact sections
below. Details of how the login system works and Terms and Conditions of Use are below.</p>

<h2>Login</h2>

<form method="post" action="$PORTAL_ACTION$">

	<fieldset>

	<legend>Account Details</legend>

	<p>
		<label for="Username">Username:</label>
		<input type="text" id="auth_user" name="auth_user" size="25"/> (case-sensitive)
	</p>

	<p>
		<label for="Password">Password:</label>
		<input type="Password" id="auth_pass" name="auth_pass" size="25"/> (case-sensitive)
	</p>

   <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">

	</fieldset>

   <p><input name="accept" type="submit" value="Login"></p>

</form>

</body>

Create portal error page. For example:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<title>your organisation name - Login Error</title>

</head>
<body>

<h1>your organisation name Login Error</h1>

<h2 style="color:red;">Error</h2>

<p style="color:red;">The username and/or password you entered is invalid.</p>

<p>Try to enter it again. If it continues to not work then most likely your subscription has
run out and needs to be renewed; or we may not yet be aware of your payment; or there could be
an unforeseen problem, so get in touch.</p>

<form method="post" action="$PORTAL_ACTION$">

	<fieldset>

	<legend>Account Details</legend>

	<p>
		<label for="Username">Username:</label>
		<input type="text" id="auth_user" name="auth_user" size="25"/> (case-sensitive)
	</p>

	<p>
		<label for="Password">Password:</label>
		<input type="Password" id="auth_pass" name="auth_pass" size="25"/> (case-sensitive)
	</p>

   <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">

	</fieldset>

   <p><input name="accept" type="submit" value="Login"></p>

</form>

</body>

Allowed IP addresses - maybe your web server IP so you can link to payment pages and contact pages from portal page

Captive Portal Administrator's Guide

change a username/password and the user isn't prompted. They can continue to use the one they're logged in with until they're logged out. If you want to force them to use the new one straight away you can go to Status -? Captive portal, find the username and choose 'X'
username is case sensitive
restart the router and you log everyone out of the captive portal

Issues For Captive Portal Users To Be Aware Of

Open port 8000 in any firewalling software that might be installed
Non-web browsers won't be able to connect and won't say anything about it. Only the web browser will take you to the login page
It works through a router

8.0 Upgrading pfSense

Upgrades are available via www.pfsense.org/mirror.php?section=updates.

You can upgrade one of these two ways:

web GUI - you have to previously download the update from the pfSense web site then upload it here
SSH - 13) Upgrade from console → 1) Update from a URL - easier than the above because you can just feed ita URL for example http://mirror.qubenet.net/mirror/pfsense/updates/pfSense-Full-Update-1.2-RELEASE.tgz

The system may (or maybe _will_, I'm not sure) restart to apply the upgrade.

7.0 Finding Help

Forum divided up in to the different pfSense features: forum.pfsense.org/index.php#2

Random knowledge about pfSense / answers to repeated questions: forum.pfsense.org/index.php/topic,7001.0.html