pfSense 1.2 Firewall Appliance Guide
1.0 Introduction
The pfSense web site is at www.pfsense.com. This guide currently covers installing pfSense 1.2 on the hard disk of an i386 architecture 'PC' computer using the LiveCD which you download from www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46. pfSense is based on the FreeBSD operating system.
2.0 Installation And Minimum Configuration
The installer CD is a live CD that can be installed to hard disk, memory drive, etcetera.
Define network interfaces
Choose which interface is for LAN (local area network) and which is for WAN (wide area network). It will try to auto-detect, or you can just tell it which of the interfaces it shows are for LAN and WAN (which I find easier than the auto-detection).
- LAN xl0 xx:xx:xx:xx:xx:xx - defaults to the first PCI slot it finds a card in and 192.168.1.1
- WAN xl1 yy:yy:yy:yy:yy:yy - defaults to the second PCI slot it finds a card in and to getting its address by DHCP. If you want to VPN in you'll need to set this instead to a static address.
That's it! pfSense is now useable. However you probably want to install it to the hard disk and you may want to change some of these defaults from the console here then change some more (at least the password) from the web interface, or just change them all from the web interface.
Note: the default account has username 'admin' and password 'pfsense'.
Optional Configuration From Console
Note: the DNS forwarder, which answers DNS queries from the LAN, is on by default.
I use the ipcalc tool on a Linux workstation to work out IP addressing schemes, alternatively there are many ipcalcs available as web sites:
$ ipcalc 10.0.0.1/255.255.255.0
Address:   10.0.0.1             00001010.00000000.00000000. 00000001
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   10.0.0.0/24          00001010.00000000.00000000. 00000000
HostMin:   10.0.0.1             00001010.00000000.00000000. 00000001
HostMax:   10.0.0.254           00001010.00000000.00000000. 11111110
Broadcast: 10.0.0.255           00001010.00000000.00000000. 11111111
Hosts/Net: 254                  Class A, Private Internet
- 2) Set LAN IP address
- Enter the new LAN IP address: I choose '10.0.0.1'.
- Enter the new LAN subnet bit count: I choose '24' which represents 255.255.255.0, allowing any value of x in 10.0.0.x.
- Do you want to enable the DHCP server on LAN [y|n]? I choose 'y'.
- Enter the start address of the client address range: I choose 10.0.0.100
- Enter the end address of the client address range: I choose 10.0.0.250
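The console accepts whatever numbers you type, so it is worth checking the plan before option 2 commits it. The script below is an added example (not part of the guide or of pfSense) that validates the values used above: that the LAN address is a usable host in its subnet, that the DHCP range lies inside the subnet and does not swallow the firewall's own address, and that any other subnet you intend to route (for instance the VPN client pool chosen later in this guide) does not overlap the LAN. It only uses the standard library ipaddress module; the sample values are the ones from this section.

```python
"""Check a pfSense LAN addressing plan before typing it in at the console.

Added example, not part of the pfSense guide. The sample values are those
from section 2 (LAN 10.0.0.1/24, DHCP 10.0.0.100-10.0.0.250) plus the
10.0.10.0/24 VPN client pool from the OpenVPN section.
"""
import ipaddress


def describe(lan_ip, prefix):
    """ipcalc-style summary: (network, first host, last host, broadcast, usable hosts).

    Valid for prefixes up to /30; /31 and /32 have no separate broadcast.
    """
    lan = ipaddress.ip_interface(f"{lan_ip}/{prefix}").network
    first = lan.network_address + 1
    last = lan.broadcast_address - 1
    return (str(lan), str(first), str(last), str(lan.broadcast_address), lan.num_addresses - 2)


def check_plan(lan_ip, prefix, dhcp_start, dhcp_end, other_subnets=()):
    """Return a list of problems; an empty list means the plan is consistent.

    lan_ip         the firewall's LAN address, e.g. "10.0.0.1"
    prefix         the LAN subnet bit count from console option 2, e.g. 24
    dhcp_start/end the client address range handed to the DHCP server
    other_subnets  CIDR strings that must not overlap the LAN, e.g. a VPN pool
    """
    problems = []
    iface = ipaddress.ip_interface(f"{lan_ip}/{prefix}")
    lan, gw = iface.network, iface.ip
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)

    if gw in (lan.network_address, lan.broadcast_address):
        problems.append(f"LAN IP {gw} is the network or broadcast address of {lan}")
    if start > end:
        problems.append(f"DHCP range start {start} is after end {end}")
    for label, addr in (("start", start), ("end", end)):
        if addr not in lan:
            problems.append(f"DHCP {label} {addr} is outside the LAN subnet {lan}")
        elif addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"DHCP {label} {addr} is not a usable host address")
    if start <= gw <= end:
        problems.append(f"DHCP range {start}-{end} contains the firewall's own address {gw}")
    for cidr in other_subnets:
        other = ipaddress.ip_network(cidr, strict=False)
        if other.overlaps(lan):
            problems.append(f"subnet {other} overlaps the LAN subnet {lan}")
    return problems


if __name__ == "__main__":
    # The guide's values: expected to pass cleanly.
    print(describe("10.0.0.1", 24))
    print(check_plan("10.0.0.1", 24, "10.0.0.100", "10.0.0.250", ["10.0.10.0/24"]))
    # A DHCP range that starts on the gateway and a VPN pool that overlaps the LAN.
    for p in check_plan("10.0.0.1", 24, "10.0.0.1", "10.0.0.250", ["10.0.0.0/16"]):
        print("problem:", p)
```

Run it once with your own numbers; any line it prints is something the console menu would have accepted silently and you would have discovered later as clients that cannot reach the gateway or VPN routes that never work.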
Install To Hard Drive/Memory Drive (Optional)
pfSense should now be operational from the CD. If you want to install pfSense to a hard disk choose 99) Install pfSense to a hard drive/memory drive, etc. If you want, you can configure pfSense further from the web interface before installing it to the hard drive/memory drive.
Follow the prompts to install. Accepting the defaults for all questions should be fine. Note that hard disk geometry misalignments with the BIOS can cause difficulties which pfSense will tell you about. Choose either 'Uniprocessor kernel (one processor)' or 'Symmetric multiprocessing kernel (more than one processor)' depending on what the machine has.
Restore Configuration From Backup (Optional)
If you want you can restore a previously saved backup and all settings will be restored, including passwords and certificates. To do so you need to be attached to the firewall with a client computer; connect to its web interface using its default address of http://192.168.1.1 (or whatever you set earlier if you changed this) and go to Diagnostics → Backup/Restore.
After a restoration you need to install any packages you might have installed to the system you backed up from.
Optional Configuration From Web Interface
The rest of your interaction with pfSense can happen through the web browser on another computer.
- Go to web interface: http://<IP address>
- The wizard will lead you through answering these questions, or they can later be set in System → General Setup
- Hostname: firewall (or whatever you want)
- Domain: localdomain. It defaults to 'local' but we're already using localdomain
- DNS servers - set this, unless you're getting them through DHCP on the WAN interface in which case you can leave it alone.
- Time zone: choose yours, e.g. Europe/London
- Configure WAN Interface - Selected Type: DHCP or Static (I've no experience of the other options PPPoE, PPTP and BigPond). If you want to use the VPN you need to choose static.
- Static IP Configuration
- IP Address: this is usually dependent on the subnet of the modem/router that pfSense is connected to or the IP addresses given by your ISP, depending on how you're using IP addresses
- Gateway: this will usually be the modem/router that pfSense is connected to
- LAN IP Address: only needs to be set if you want to change it from the default of 192.168.1.1 and you didn't do so earlier at the console
- Admin Password - set a new password
- System → Advanced → Secure Shell [X] Enable Secure Shell (enables SSH access, with username 'root' and the same password as your 'admin' web GUI password, so set a strong admin password before enabling it and don't add a WAN rule that exposes the SSH port)
- System → General Setup →
- webGUI protocol: HTTPS, not HTTP
(this option is a bit flaky: it could take a minute for it to work on HTTPS, or it might require you to set it back to HTTP then again to HTTPS before it works). When it's ready it should redirect you to https://<IP address or hostname>
Advanced Configuration
- Add any hosts you want to explicitly provide for (such as server → 10.0.0.10) to the DNS forwarder at Services → DNS. "pfSense doesn't do anything complex with DNS unless you install the dns-server package (which is tinydns). If you want to add hosts to the DNS forwarder, do that at Services → DNS"
- If you have a WINS server, such as a Windows or Samba server, for Windows workstations, add its IP address so workstations will pick it up: DHCP server → WINS servers and add 10.0.0.10 (or whatever yours is)
- How do we enable auth/ident for IRC? You can add BLOCK/REJECT/PASS for IDENT/AUTH TCP/UDP on WAN, coming from WAN, in Firewall → Rules → Add. Good explanation of IDENT/AUTH at www.grc.com/port_113.htm. TODO: None of these changed IRC login, do I need to setup port forwarding for it instead?
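Whether an ident rule on WAN has taken effect is easiest to see from the outside, the way the IRC server sees it. The probe below is an added example, not part of the guide or of the GRC page it cites. It rests on ordinary TCP behaviour: a refused connection means a TCP RST came back (a REJECT rule, or a closed port behind a PASS rule), a timeout means the SYN was silently dropped (a BLOCK rule), and a completed handshake means something answered on 113. Run it from a host on the Internet side of the firewall against your WAN address; probing 127.0.0.1 only tells you about the machine you run it on.

```python
"""Probe TCP port 113 (ident/auth) the way an IRC server does and report
whether the firewall drops, rejects or passes the connection.

Added example, not part of the pfSense guide.
"""
import socket
import sys


def classify_port(host, port=113, timeout=3.0):
    """Return "open", "rejected", "dropped" or "unreachable" for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "dropped"        # no SYN/ACK and no RST within the timeout
    except ConnectionRefusedError:
        return "rejected"       # the far end (or a REJECT rule) sent a TCP RST
    except OSError:
        return "unreachable"    # e.g. no route to host, name lookup failure


def ident_advice(result):
    """What each result means for an IRC login that waits on an ident lookup."""
    return {
        "open": "something accepted the connection; the IRC server gets an ident reply",
        "rejected": "fails fast; the IRC server gives up on ident immediately",
        "dropped": "the IRC server waits for its ident timeout before letting you in",
        "unreachable": "the probe never reached the firewall; check the address and route",
    }[result]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = classify_port(target)
    print(f"{target}:113 -> {result}: {ident_advice(result)}")
```

The difference that matters for IRC is between "dropped" and "rejected": a silent drop leaves the IRC server waiting for its ident timeout on every connect, while a REJECT lets it give up at once. Neither answers the ident query; for that you would need an ident daemon on a LAN host and a port forward to it.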
Configuration I'm Testing
- Services → DNS
- Register DHCP leases in DNS forwarder
- Register DHCP static mappings in DNS forwarder
Backup
Make a backup of the system to the computer you're connecting with: Diagnostics → Backup/Restore → Local → Backup configuration → Download configuration. Make fresh backups when you change any configuration.
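The downloaded backup is a config.xml that contains everything the firewall knows, including the admin password hash and any private keys pasted into the OpenVPN or captive portal pages, so it deserves the same handling as a key file. The script below is an added example, not part of the guide or of pfSense: it lists where such material sits in a backup and checks that the settings from section 2 (HTTPS webGUI, SSH) came out as intended. The element paths system/webgui/protocol, system/enablesshd and system/password are assumptions about the config.xml layout, and the SAMPLE document is constructed for the example, not a real backup.

```python
"""Audit a pfSense configuration backup (config.xml) before filing it away.

Added example, not part of the pfSense guide. The element paths used below
are assumptions about the config.xml layout; SAMPLE is a constructed
document, not a real backup.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Tag names that usually carry credentials or private key material.
SECRET_TAG = re.compile(r"(password|passwd|key|secret|psk)$", re.IGNORECASE)

SAMPLE = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>firewall</hostname>
    <domain>localdomain</domain>
    <username>admin</username>
    <password>$1$constructed$notarealhash</password>
    <webgui><protocol>https</protocol></webgui>
    <enablesshd>enabled</enablesshd>
  </system>
  <openvpn>
    <server>
      <key>LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQo=</key>
    </server>
  </openvpn>
</pfsense>
"""


def element_paths(elem, prefix=""):
    """Yield the slash-separated path of every element that carries text."""
    for child in elem:
        path = f"{prefix}/{child.tag}"
        if child.text and child.text.strip():
            yield path
        yield from element_paths(child, path)


def audit(xml_text):
    """Return the webGUI protocol, the paths of secret-bearing elements and findings."""
    root = ET.fromstring(xml_text)
    findings = []
    proto = root.findtext("system/webgui/protocol")
    if proto != "https":
        findings.append(f"webGUI protocol is {proto!r}, expected 'https'")
    # Assumption: pfSense records this option by the presence of the element.
    if root.find("system/enablesshd") is not None:
        findings.append("SSH is enabled: root logs in with the admin password")
    secrets = [p for p in element_paths(root) if SECRET_TAG.search(p.rsplit("/", 1)[-1])]
    return {"webgui_protocol": proto, "secret_paths": secrets, "findings": findings}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    report = audit(text)
    print("webGUI protocol:", report["webgui_protocol"])
    for path in report["secret_paths"]:
        print("secret material at", path)
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it as `python3 audit_backup.py config-firewall.xml` on each fresh backup; anything listed under "secret material" is a reason to keep the file encrypted and off shared drives, and the same file restores passwords and certificates as noted above.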
3.0 Packages
From http://blog.pfsense.org/?p=179 13 March 2008: "FreeBSD removed 6.2 packages from all their mirrors, which broke a few of our packages. I fixed as many as I could with files we already had, or that I could still find, but some are still not working. We'll have to build these packages ourselves, and it'll be this weekend before anyone will have time to do so."
"Going forward we are only going to use package files from our servers so we don't get bitten by similar situations in the future."
pfSense packages are custom versions either maintained by the pfSense team or individuals. They don't ship with pfSense, they're downloaded over the internet when installed. They're made available as-and-when ready, not dependent on pfSense updates. There's no pfsense.com page announcing updates. The System → Packages → Installed packages page will tell you if newer versions are available. I think to upgrade you have to choose 'pkg' (reinstall this application); your configuration will be retained.
- bandwidthd
- Available via: Services → BandwidthD
- Version tested: 3.0.619
- Doesn't save its log
- By default, doesn't require authentication to access
- darkstat
- Available via: Diagnostics → Darkstat Settings
- Serves its results on TCP port 666, so the client must be able to reach that port on the firewall to view them
- Version tested: 3.0.619
- phpSysInfo
- Available via: Status → phpsysinfo
- Version tested: 2.5.3
- snort
- Available via: Services → Snort
- squid
- Available via: Services → Proxy server
4.0 Other Configuration
Manual DNS Override
If you have a problem such as the modem on the WAN interface handing out a broken DNS server, and you want to override it manually:
- System → General Setup →
- DNS servers
- Allow DNS server list to be overridden by DHCP/PPP on WAN - off
5.0 OpenVPN Server
pfSense's OpenVPN Server feature deals with allowing people to VPN in to the LAN. The OpenVPN Client feature deals with pfSense itself VPNing into another VPN Server and isn't covered here. You have to create your own CA, server and client certificates and keys, which I'll cover in a separate document another time.
OpenVPN Server Configuration
VPN → OpenVPN → Server → +
Dynamic IP: yes
Address pool: 10.0.10.0/24 (or whichever you want. This is a subnet just for VPN clients, needs to not clash with any existing subnet)
Authentication method: PKI (Public Key Infrastructure)
Local network: 10.0.0.0/24 (or whichever matches your actual local addressing scheme) [this isn't available until you change 'Authentication method' from 'Shared key' to 'PKI (Public Key Infrastructure)']
CA certificate - paste in a .pem file; you need to create this elsewhere, I'll document this separately
Server certificate - paste in a .pem file; you need to create this elsewhere, I'll document this separately
Server key - paste in a .pem file without a passphrase; you need to create this elsewhere, I'll document this separately
DH parameters - Diffie-Hellman parameters; you need to create this elsewhere, I'll document this separately
DHCP-Opt.: WINS-Server: 10.0.0.10 (if you have a WINS server; change for your specific address)
(Note: I still don't have WINS working, something else must also be needed, at least with Linux clients)
LZO compression: yes
Save
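The four paste boxes above accept any text, and the most common mistake is pasting a key that still has its passphrase or a certificate into the key field. The checker below is an added example, not part of the guide or of pfSense: it looks only at PEM headers and base64 payloads (standard library only), so it cannot verify that the certificate was signed by the CA, but it catches the wrong block type, a passphrase-protected key and corrupted base64 before you click Save. The sample blocks are constructed placeholders with dummy base64 bodies, not real keys or certificates.

```python
"""Sanity-check PEM material before pasting it into VPN → OpenVPN → Server.

Added example, not part of the pfSense guide. The sample blocks below are
constructed placeholders, not real keys or certificates.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Which PEM labels belong in which pfSense field.
FIELDS = {
    "CA certificate": {"CERTIFICATE"},
    "Server certificate": {"CERTIFICATE"},
    "Server key": {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"},
    "DH parameters": {"DH PARAMETERS"},
}


def inspect_pem(text):
    """Return (label, encrypted, valid_base64) for the first PEM block, or None."""
    m = PEM_BLOCK.search(text)
    if not m:
        return None
    label, body = m.group("label"), m.group("body")
    # OpenSSL's traditional format marks a passphrase-protected key with
    # RFC 1421 headers; PKCS#8 uses the ENCRYPTED PRIVATE KEY label instead.
    encrypted = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
    b64 = "".join(ln.strip() for ln in body.splitlines() if ln.strip() and ":" not in ln)
    try:
        base64.b64decode(b64, validate=True)
        valid = len(b64) > 0
    except ValueError:
        valid = False
    return label, encrypted, valid


def check_field(field, text):
    """Return the problems with pasting text into the named OpenVPN server field."""
    info = inspect_pem(text)
    if info is None:
        return [f"{field}: no PEM block found"]
    label, encrypted, valid = info
    problems = []
    if label not in FIELDS[field]:
        problems.append(f"{field}: expected {sorted(FIELDS[field])}, got '{label}'")
    if encrypted:
        problems.append(f"{field}: key is passphrase-protected; pfSense needs it without one")
    if not valid:
        problems.append(f"{field}: body is not valid base64")
    return problems


# Constructed placeholders for demonstration only.
DUMMY = base64.b64encode(b"constructed placeholder, not a real key").decode()
CERT = f"-----BEGIN CERTIFICATE-----\n{DUMMY}\n-----END CERTIFICATE-----\n"
KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{DUMMY}\n-----END RSA PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
           f"{DUMMY}\n-----END RSA PRIVATE KEY-----\n")
DH = f"-----BEGIN DH PARAMETERS-----\n{DUMMY}\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for field, text in (("CA certificate", CERT), ("Server certificate", CERT),
                        ("Server key", KEY), ("Server key", ENC_KEY),
                        ("Server key", CERT), ("DH parameters", DH)):
        print(field, "->", check_field(field, text) or "ok")
```

If the key is reported as passphrase-protected, strip the passphrase with openssl on the machine where you generated it rather than pasting it and hoping; the server will simply fail to start with an encrypted key.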
Firewall Configuration
By default setting up OpenVPN doesn't actually open the firewall up to allow OpenVPN access. You have to do this yourself:
Firewall → Rules → + (add new rule) - Set up a rule to pass, on the WAN interface, protocol UDP from any source to the destination port OpenVPN (pfSense's built-in alias for UDP 1194):
- Action: Pass (the default)
- Interface: WAN (the default)
- Protocol: UDP
- Source - Type: any (the default)
- Destination port range
- from: OpenVPN
- to: OpenVPN
- Description: Allow OpenVPN in
Save → Apply changes
Further Reading
6.0 Wake On LAN
As long as the other prerequisites are met (the BIOS of each machine to be woken supports Wake On LAN and it is turned on), this is how you can use Wake On LAN from pfSense to wake machines that are turned 'off'.
Register machines for Wake On LAN by turning them all on. Go to Status → DHCP Leases. For each machine choose 'Add a Wake on Lan mapping for this address'.
You can wake a single machine using Services → Wake On LAN and choosing the MAC address in the list. You can wake all registered machines at once by choosing the appropriate button.
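What the Services → Wake On LAN page sends is a "magic packet": 6 bytes of 0xFF followed by the target's MAC address repeated 16 times, broadcast over UDP (port 9 is conventional, but the NIC only inspects the payload). The script below is an added example, not part of the guide or of pfSense, for waking machines from a workstation on the LAN or from a script; the MAC address in it is a constructed placeholder and the broadcast address assumes the 10.0.0.0/24 LAN from section 2.

```python
"""Build and send a Wake-on-LAN magic packet.

Added example, not part of the pfSense guide. The MAC address and the
broadcast address used in __main__ are placeholders for your own.
"""
import re
import socket


def parse_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; return 6 bytes."""
    digits = re.sub(r"[:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def magic_packet(mac):
    """6 x 0xFF synchronisation stream, then the MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def send_wol(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet on the local segment; returns bytes sent (102)."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    # Placeholder MAC; use the LAN's own broadcast (10.0.0.255 for 10.0.0.0/24)
    # so the packet is not dropped by a router on the way.
    print(send_wol("00:11:22:33:44:55", broadcast="10.0.0.255"), "bytes sent")
```

Because the packet is a layer-2 broadcast it only reaches machines on the same segment as the sender; that is why pfSense can wake hosts on its LAN interface directly, while a script run elsewhere has to be on that LAN too.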
7.0 Captive Portal
Authenticated Captive Portal
This describes setting it up so that people require an account to connect to the Internet.
The Captive Portal uses the MAC address to track people unless you choose 'Disable MAC filtering'. The Captive Portal bypass is all or nothing: you can't let certain ports bypass it. The Captive Portal doesn't tell you the total bandwidth consumed per user.
- Concurrent user logins: Disable concurrent logins
- Authentication: Local user manager
- HTTPS login: Enable HTTPS login
- HTTPS server name: This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS.
- HTTPS certificate - I've not done this yet
- HTTPS private key - I've not done this yet
"Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. Non browser authentication is possible using WISPr, an XML-based authentication protocol for this purpose, or MAC-based authentication or authentications based on other protocols."
Note: Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page.
- Create portal page. For example:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>your organisation name - Login</title>
</head>
<body>
<h1>your organisation name Login</h1>
<p>You need to enter, or re-enter, your username and password to use the Internet. If you're paid-up you should have been given this information recently.</p>
<p>To get an account, or if you're having problems, see Payment and Contact sections below. Details of how the login system works and Terms and Conditions of Use are below.</p>
<h2>Login</h2>
<form method="post" action="$PORTAL_ACTION$">
<fieldset>
<legend>Account Details</legend>
<p>
<label for="auth_user">Username:</label>
<input type="text" id="auth_user" name="auth_user" size="25"> (case-sensitive)
</p>
<p>
<label for="auth_pass">Password:</label>
<input type="password" id="auth_pass" name="auth_pass" size="25"> (case-sensitive)
</p>
<input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
</fieldset>
<p><input name="accept" type="submit" value="Login"></p>
</form>
</body>
</html>
- Create portal error page. For example:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>your organisation name - Login Error</title>
</head>
<body>
<h1>your organisation name Login Error</h1>
<h2 style="color:red;">Error</h2>
<p style="color:red;">The username and/or password you entered is invalid.</p>
<p>Try to enter it again. If it continues to not work then most likely your subscription has run out and needs to be renewed; or we may not yet be aware of your payment; or there could be an unforeseen problem, so get in touch.</p>
<form method="post" action="$PORTAL_ACTION$">
<fieldset>
<legend>Account Details</legend>
<p>
<label for="auth_user">Username:</label>
<input type="text" id="auth_user" name="auth_user" size="25"> (case-sensitive)
</p>
<p>
<label for="auth_pass">Password:</label>
<input type="password" id="auth_pass" name="auth_pass" size="25"> (case-sensitive)
</p>
<input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
</fieldset>
<p><input name="accept" type="submit" value="Login"></p>
</form>
</body>
</html>
- Allowed IP addresses - maybe your web server IP so you can link to payment pages and contact pages from portal page
Captive Portal Administrator's Guide
- If you change a username/password the user isn't prompted; they can continue to use the credentials they're logged in with until they're logged out. If you want to force them to use the new ones straight away, go to Status → Captive portal, find the username and choose 'X'
- username is case sensitive
- restart the router and you log everyone out of the captive portal
Issues For Captive Portal Users To Be Aware Of
- Allow outbound connections to TCP port 8000 in any firewall software installed on the client; the login page is served on that port
- Non-web browsers won't be able to connect and won't say anything about it. Only the web browser will take you to the login page
- It works through a router
8.0 Upgrading pfSense
Upgrades are available via www.pfsense.org/mirror.php?section=updates.
You can upgrade one of these two ways:
- web GUI - you have to previously download the update from the pfSense web site then upload it here
- SSH - 13) Upgrade from console → 1) Update from a URL - easier than the above because you can just feed it a URL, for example http://mirror.qubenet.net/mirror/pfsense/updates/pfSense-Full-Update-1.2-RELEASE.tgz
The system may (or maybe _will_, I'm not sure) restart to apply the upgrade.
9.0 Finding Help
Forum divided up in to the different pfSense features: forum.pfsense.org/index.php#2
Random knowledge about pfSense / answers to repeated questions: forum.pfsense.org/index.php/topic,7001.0.html