pfSense 1.2 Firewall Appliance Guide

Notable changes to this document

0.9.3 WORK IN PROGRESS - 27 January 2010 - Added new section - Issues With Particular Versions of pfSense

0.9.2 - 5 January 2010

0.9.1 - 23 September 2009 - added the DHCP option of 'DNS Server address' to the OpenVPN server so VPN clients can access computers on the LAN by name

0.9.0 - 13 August 2009

0.8.17 - 5 July 2009 - changed WAN interface from static IP to DHCP, with DHCP server on modem/router instead set to give out same specific address.
This is so that for example if the modem breaks and people on site replace it with a new one then it's likely to just work without any configuration change before an IT support person is able to be there; the same applies if the organisation moves to a location where they no longer have their own modem/router but instead are on a building's local area network.
This also allows us to get DNS addresses from the modem/router rather than entering them manually.
Where the VPN is reliant upon a port forwarding in the modem/router (where the firewall doesn't have its own routable IP address) then the VPN won't work until the modem/router's DHCP server is updated.
Changes you can make to an existing setup to make this happen:

0.8.5 - 17 March 2009 - added instructions for setting static routes.

0.8.3 - 23 January 2009 - Confirming what was previously defined as 'Configuration I'm Testing', in Services → DNS Forwarder, set 'Register DHCP leases in DNS forwarder' and 'Register DHCP static mappings in DNS forwarder' so that names of local DHCP clients have their names resolvable.

0.8.1 - 9 January 2009 - added pfSense 1.2.2

0.8.0 - 7 January 2009 - accommodated other versions in the pfSense 1.2 series, starting with 1.2.1

0.4.2 - 15 September 2008 - moved 'enable SSH access' to 'Other Configuration' section because it's not necessary to always enable

1.0 Introduction

The pfSense web site is at www.pfsense.com. This guide covers installing pfSense 1.2 on the hard disk of an i386 architecture 'PC' computer using the LiveCD. pfSense is based on the FreeBSD operating system. Being a firewall appliance, pfSense can be many different things. This guide covers setting up pfSense to be a firewall with one or more LAN / intranet interfaces, and a single WAN / Internet interface. The LAN interface will typically connect to a hub, to which client and server computers are attached. The WAN interface will typically connect to a modem such as an ADSL modem and router. To achieve this, in addition to the general purpose PC, two or more network cards are required.

The typical network configuration I would set up is as follows, though this guide is by no means limited to only setting things up this way:

[Static routable IP - MODEM - 192.168.1.1]
    |
    |
[Static IP (via DHCP), non-routable (192.168.1.2) or routable - PFSENSE FIREWALL - 10.0.0.1]
    |
    |
[SWITCHED HUB]
    |
    |
[Samba and mail server 10.0.0.10 (static)]
[Printer(s) 10.0.0.30 - 10.0.0.39 (via DHCP)]
[Windows and Ubuntu workstations 10.0.0.100 - 10.0.0.250 (via DHCP)]

1.1 pfSense 1.2 Series Versions

The following versions of the pfSense 1.2 stable series are available:

A log of all changes in the 1.2 series is kept at rcs.pfsense.org/projects/pfsense/repos/mainline/logs/RELENG_1_2.

Download the latest stable version from www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46.

2.0 Hardware

Choosing Hardware

This advice is based on personal experience of only having at most 30 users.

Minimum recommended (works for up to at least 35 users): Pentium III era PC, 256MB RAM, 10GB hard disk.

Preferred (works for up to at least 30 users): Pentium 4 era PC, 512MB RAM, 20GB hard disk (less if you're not using Squid).

Use a computer on which briefly pressing the power button on the front makes the operating system shut the machine down cleanly and automatically, rather than one that simply cuts the machine's power. This is so that regular people are able to turn it off safely, making telephone support easier.

Ethernet Network Cards

For the network cards I use PCI 3Com 3C905B and 3C905C as they're of high quality and can be found cheap. As I've only used these specific cards I don't know much about what else is worthwhile, but whatever high quality card can be found from 3Com or Intel should work well, whereas low quality cards such as those from RealTek will suffice but could be problematic and so should be avoided.

Ethernet Network Cards and IRQs

3Com 3C905B-TX and 3C905C-TX cards are known to not work together.

If you have multiple network cards installed but on startup the BIOS claims "110 out of memory space for option ROMs" or "Parity Check 2"; or the pfSense installer doesn't see them all; or the installer does see them all but then you lose them after installation; or, once pfSense is installed, it occasionally fails with a network interface problem, then you likely have an IRQ clash. The first thing to check is the computer's system BIOS setup, which may or may not have a section showing the different devices and the IRQ assigned to each. If so, look for network cards sharing an IRQ and swap them around so they use different IRQs, each instead sharing with some other device.

I've also had issues with two 3C905B-TX cards, whether integrated or PCI, where only one is shown as a valid interface in the pfSense installer. At the time I was led to believe this is because FreeBSD assigns the same IRQ to both cards so only one appears, which could be either, depending on which came online first within the boot process. I don't know now whether this was instead the same issue as in the previous paragraph. The combination that worked for me was to use two 3C905C-TX cards, or one 3Com card and one from another manufacturer.

I've also seen this same issue of only one interface being visible when using an add-in 3C905B-TX card and an on-board Broadcom adapter. I fixed this by instead adding in a 3C905C-TX.

Sometimes, just moving cards around between PCI slots can solve an IRQ clash. This is likely to be useful if the BIOS doesn't allow you to alter IRQ assignments.

Hyperthreading (HT)

Hyperthreading is hardware pre-emption. FreeBSD treats Hyperthreading as multiple CPUs, so if you want to use it you need to use the SMP kernel.

"There is a point of diminishing returns since PF (the packet filter we use) is under the Giant lock in FreeBSD. There certainly is a performance boost going past one CPU (not linearly scaled to the number of cores however), not sure if you'll see it with HyperThreading or not though - the FreeBSD SMP scheduler isn't exactly optimized for HTT."

I've also read that though there is some performance gain with Hyperthreading, it's only slight.

Unless the extra resources are required, I would disable Hyperthreading so that the firewall consumes less power.

Wikipedia recommends disabling Hyperthreading if you have more than one actual CPU: the operating system doesn't see any difference between a real CPU and a Hyperthreading logical CPU, so it may assign work to a Hyperthreading logical CPU that would have been better placed on a real CPU.

FreeBSD Hardware Compatibility

pfSense is based on FreeBSD. The pfSense kernel includes all FreeBSD drivers. Different versions of pfSense are based on different versions of FreeBSD. Check that your hardware is supported by FreeBSD by checking it against the appropriate Hardware Compatibility List. These are the versions of pfSense, their corresponding version of FreeBSD and a link to their Hardware Compatibility List:

System BIOS Settings

BIOS settings worth making that are specific to a firewall:

3.0 Issues With Particular Versions of pfSense

pfSense 1.2.3

Auto Update

System → Firmware → Auto Update isn't working: it was broken at the time of 1.2.3's release and is still broken as of 27th January 2010. It downloads the update and then says "Update cannot continue". You have to use other means of upgrading instead.

Intel PRO/100 network cards

From the release notes: "Warning for those using Intel PRO/100 cards - there is a regression in the fxp driver in FreeBSD 7.2 that may require disabling hardware checksum offloading under System → Advanced if you have connectivity problems."

pfSense 1.2.2's 'Hardware Checksum Offloading' setting says "Checking this option will prevent hardware checksum offloading. FreeBSD sometimes has difficulties with certain drivers". 1.2.3's setting says "Checking this option will disable hardware checksum offloading. Checksum offloading is broken in some hardware, particularly some Realtek cards. Rarely, drivers may have problems with checksum offloading and some specific NICs."

Chris Buechler says "re: the fxp issue, I believe it's been fixed in FreeBSD RELENG_7 (what will become 7.3), but I don't know that we'll ever put out another 7.x release." and "It's not a big deal to turn off checksum offloading. It's unlikely we'll spend any time putting out another 1.2.x release."

Is it worth turning this off pre-emptively?

4.0 Installation And Minimum Configuration

The installer CD is a live CD that can run straight from the CD or be installed to hard disk, memory drive, etcetera.

Define network interfaces

You should get a list of available network interfaces. There should be at least two. If fewer appear than the number of cards you have in the machine then something's wrong.

BSD uses the network card driver's name for the respective interface name, for example:

Choose not to set up VLANs, unless you know you want that.

Choose which interface is for LAN (local area network) and which is for WAN (wide area network). It will try to auto-detect them, or you can just tell it which of the interfaces it shows are for LAN and WAN (which I find easier than the auto-detection), as described below. You can change this in the web GUI later if you wish. If you aren't offered two interfaces it means two network cards aren't being found, in which case you may need to juggle the network cards between different slots or try different cards.

Choose not to "Enter the Optional 1 interface name...", unless you know you want that.

That's it! pfSense is now usable. However, you probably want to install it to the hard disk, and you may want to change some of these defaults from the console here and then change some more (at least the password) from the web interface, or just change them all from the web interface.

Note: the default account has username 'admin' and password 'pfsense'.

Initial Configuration, From Console (Optional)

You may be happy with the defaults, but these are what I set. You can skip this section if you're restoring configuration from backup, unless you need the pfSense machine on the network itself in order to be able to restore it, and at a LAN IP address range other than the default of 192.168.1.0.

Note: the DNS server on the LAN interface is on by default.

I use the ipcalc tool on a Linux workstation to work out IP addressing schemes, alternatively there are many ipcalcs available as web sites:

$ ipcalc 10.0.0.1/255.255.255.0
Address:   10.0.0.1             00001010.00000000.00000000. 00000001
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   10.0.0.0/24          00001010.00000000.00000000. 00000000
HostMin:   10.0.0.1             00001010.00000000.00000000. 00000001
HostMax:   10.0.0.254           00001010.00000000.00000000. 11111110
Broadcast: 10.0.0.255           00001010.00000000.00000000. 11111111
Hosts/Net: 254                   Class A, Private Internet
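The same calculation in Python, as an added example rather than anything from the guide or from ipcalc itself: it reproduces the fields ipcalc printed above (including the dotted-binary column with its space at the network/host boundary) from an "address/netmask" or "address/prefix" string, and works for any prefix length, not just the /24 shown.

```python
import ipaddress

# Added example (not pfSense or ipcalc code): recompute the fields that
# ipcalc prints, so an addressing scheme can be checked on any machine
# with Python. Input is "address/netmask" or "address/prefix", as for ipcalc.

def dotted_binary(addr: ipaddress.IPv4Address, prefixlen: int) -> str:
    """Dotted 32-bit binary with ipcalc's space at the network/host boundary."""
    bits = f"{int(addr):032b}"
    dotted = ".".join(bits[i:i + 8] for i in range(0, 32, 8))
    cut = prefixlen + prefixlen // 8      # skip the dots already passed
    return dotted[:cut] + " " + dotted[cut:]

def ipv4_class(addr: ipaddress.IPv4Address) -> str:
    """Classful letter ipcalc shows, from the first octet."""
    first = int(addr) >> 24
    for limit, cls in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first < limit:
            return cls
    return "E"

def ipcalc(spec: str) -> dict:
    """Return the fields ipcalc prints for 'address/netmask'."""
    host, mask = spec.split("/")
    addr = ipaddress.IPv4Address(host)
    # strict=False lets a host address (10.0.0.1) stand in for its network
    net = ipaddress.IPv4Network(f"{host}/{mask}", strict=False)
    if net.prefixlen < 31:                # normal case: network + broadcast reserved
        hostmin = net.network_address + 1
        hostmax = net.broadcast_address - 1
        usable = net.num_addresses - 2
    else:                                 # /31 and /32: every address is a host
        hostmin, hostmax = net.network_address, net.broadcast_address
        usable = net.num_addresses
    return {
        "address": str(addr),
        "netmask": f"{net.netmask} = {net.prefixlen}",
        "wildcard": str(net.hostmask),
        "network": str(net),
        "hostmin": str(hostmin),
        "hostmax": str(hostmax),
        "broadcast": str(net.broadcast_address),
        "hosts": usable,
        "class": ipv4_class(addr),
        "private": net.is_private,
        "binary": dotted_binary(addr, net.prefixlen),
    }

def render(spec: str) -> str:
    """Lay the fields out roughly the way ipcalc does."""
    f = ipcalc(spec)
    rows = [("Address", f["address"]), ("Netmask", f["netmask"]),
            ("Wildcard", f["wildcard"]), ("Network", f["network"]),
            ("HostMin", f["hostmin"]), ("HostMax", f["hostmax"]),
            ("Broadcast", f["broadcast"]),
            ("Hosts/Net", f"{f['hosts']}  Class {f['class']}"
                          + (", Private Internet" if f["private"] else ""))]
    return "\n".join(f"{k + ':':<11}{v}" for k, v in rows) + "\n" + f["binary"]

if __name__ == "__main__":
    print(render("10.0.0.1/255.255.255.0"))   # the guide's LAN scheme
```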

Install To Hard Drive / Memory Drive (Optional)

pfSense should now be operational from the CD. If you want to install pfSense to a hard disk choose 99) Install pfSense to a hard drive/memory drive, etc. If you want to, you're able to configure pfSense further, from the web interface, before installing it to hard drive/memory drive.

Follow the prompts to install. Accepting the defaults for all questions should be fine (especially if you intend to restore configuration from backup). Note that hard disk geometry misalignments with the BIOS can cause difficulties which pfSense will tell you about. Choose either 'Uniprocessor kernel (one processor)' or 'Symmetric multiprocessing kernel (more than one processor)' depending on how many CPUs / cores the machine has.

Reboot.

Restore Configuration From Backup (Optional)

If you want you can restore a previously saved backup and all settings will be restored, including passwords and certificates. You do so using the pfSense web interface.

There are various methods you can use to connect to pfSense in order to restore a configuration backup:

The setup wizard will appear, choose Next at each prompt to accept the various options → choose any password → Reload → login again - all these settings are going to be overwritten in a moment.

Go to Diagnostics → Backup/Restore (http://pfsense/diag_backup.php); browse for the backup file on your client computer and restore it.

If the network cards differ then you may get the message "Interface mismatch detected. Please resolve the mismatch and click Save. The firewall will reboot afterwards." and a list of network cards to assign to interfaces. If they're not already assigned to the interfaces you want, re-order them then choose Save.

Unless you want to make changes compared to the backup, your installation should now be complete. pfSense will reboot.

If you set up pfSense for various sites using the same configuration, then setting up a new pfSense firewall can be made vastly quicker by restoring the backup for a different site and then, assuming you set up pfSense as per this guide (apart from the captive portal), just changing the following options:

After a restoration, if you have Internet access then any pfSense packages you had installed on the system you backed up will be automatically installed, otherwise you need to install them manually.

Further Configuration, From Web Interface (Optional)

The rest of your interaction with pfSense can happen through the web browser on another computer.

Advanced Configuration

Backup

Make a backup of the system to the computer you're connecting with: Diagnostics → Backup/Restore → Local → Backup configuration → Download configuration. Make fresh backups when you change any configuration.

5.0 Packages

pfSense needs to have Internet access for the packages section to be usable.

From blog.pfsense.org/?p=179 13 March 2008: "FreeBSD removed 6.2 packages from all their mirrors, which broke a few of our packages. I fixed as many as I could with files we already had, or that I could still find, but some are still not working. We'll have to build these packages ourselves, and it'll be this weekend before anyone will have time to do so."

"Going forward we are only going to use package files from our servers so we don't get bitten by similar situations in the future."

pfSense packages are custom versions either maintained by the pfSense team or individuals. They don't ship with pfSense, they're downloaded over the internet when installed. They're made available as-and-when ready, not dependent on pfSense updates. There's no pfsense.com page announcing updates. The System → Packages → Installed packages page will tell you if newer versions are available. I think to upgrade you have to choose 'pkg' (reinstall this application); your configuration will be retained.

6.0 Other Configuration

Firewall Hardening

Prevent Clients Using Malicious DNS Servers

The rules must appear in the following order. Use Firewall → Rules.

Allow outgoing DNS access by pfSense, or by a dedicated DNS server (whichever you use).

On LAN interface block all DNS traffic to any network.

Further information: blog.pfsense.org/?p=308 and www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=2.
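A model of why the rule order above matters, added here as an example and not pfSense code: pfSense rules on an interface are evaluated first-match, so this small evaluator runs some sample LAN flows through the two rules in the correct order and then in the reversed order. It assumes the guide's 10.0.0.0/24 LAN, a dedicated DNS server at 10.0.0.10 (an assumption; the guide's diagram lists that host as the Samba and mail server), and the default "LAN to any" allow rule that pfSense ships with.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Added example (not pfSense code): a first-match rule evaluator to check the
# ordering of the 'prevent clients using malicious DNS servers' rules.
# 10.0.0.10 as the dedicated DNS server is an assumption for illustration.

@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None = any port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return ((self.src == "any" or ip_address(src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == dport))

def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins (pfSense rules are 'quick'); default deny."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "block"

LAN_NET = "10.0.0.0/24"
DNS_SERVER = "10.0.0.10/32"     # assumed dedicated DNS server

# The order the guide prescribes for the LAN interface.
HARDENED = [
    Rule("pass", DNS_SERVER, "any", 53),   # outgoing DNS by the DNS server only
    Rule("block", LAN_NET, "any", 53),     # block all other DNS traffic from LAN
    Rule("pass", LAN_NET, "any", None),    # pfSense's default 'LAN to any' rule
]
# Same rules with the first two swapped: the block now shadows the pass.
WRONG_ORDER = [HARDENED[1], HARDENED[0], HARDENED[2]]

# Constructed sample flows: (source, destination, destination port)
FLOWS = [
    ("10.0.0.10", "198.51.100.53", 53),   # DNS server querying upstream DNS
    ("10.0.0.100", "198.51.100.53", 53),  # workstation bypassing local DNS
    ("10.0.0.100", "198.51.100.80", 80),  # ordinary web traffic
]

def decisions(rules: List[Rule]) -> List[str]:
    """Decision for each sample flow, in FLOWS order."""
    return [evaluate(rules, *flow) for flow in FLOWS]

if __name__ == "__main__":
    for name, rules in (("correct order", HARDENED), ("wrong order", WRONG_ORDER)):
        print(name, dict(zip(["dns-server", "client-dns", "client-web"],
                             decisions(rules))))
```

With the rules in the guide's order only the DNS server may talk to port 53 outside; with the two rules swapped the DNS server is blocked as well, which is the symptom to look for if name resolution breaks after adding these rules.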

Manual DNS Override

If you're having a problem such as the modem on the WAN interface is using a DNS server that doesn't work and you want to manually override it:

SSH Access

It isn't strictly necessary to enable SSH access, and it's a worthwhile security measure not to. The only features I've used it for are restarting the webConfigurator when it's inaccessible and as an efficient method of upgrading. Enable SSH access using System → Advanced → Secure Shell [X] Enable Secure Shell. SSH access is then enabled for the user 'root' with the same password as the user 'admin' has at the web GUI. SSH access is enabled on the LAN interface, not on the WAN interface.

Static Routes

"Static routes are only used for networks reachable via a different router, and not reachable via your default gateway."

Static routes are used, for example, if you want to point the way to another network to which another router / firewall on the LAN controls access, for example to reach a printer shared by different organisations from which you're firewalled. All traffic to that other network will pass across the LAN interface of this firewall.

To add a static route use System → Static routes.

We had an issue with printing in this situation where print test pages printed OK but anything else larger than about 70kB stalled, with pfSense logging "rule 60/0 (match) : block in on xlt : <sending machine>.1306><printer router>.9100:tcp 20 [bad hdr length 0 - too short, <20]" and "@60 block drop in log quick all label "Default deny rule"". Enabling this fixed it: System → Advanced → Static route filtering [] Bypass firewall rules for traffic on the same interface - "This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface."

7.0 OpenVPN Server

pfSense's OpenVPN Server feature deals with allowing people to VPN in to the LAN. The OpenVPN Client feature deals with pfSense itself VPNing into another VPN server and isn't covered here. You have to create your own CA, server certificate and client certificates and keys, which I cover in a separate guide, Creating Certificates and Keys for pfSense 1.2 Series OpenVPN Servers and Clients.

OpenVPN Server Configuration

Firewall Configuration

By default setting up OpenVPN doesn't actually open the firewall up to allow OpenVPN access. You have to do this yourself:
Firewall → Rules → + (add new rule) - Setup a rule to pass on WAN interface protocol UDP from any source to destination OpenVPN port:

Save → Apply changes

Further Reading

OpenVPN Technologies's OpenVPN HOWTO

Troubleshooting

If you are setting up pfSense, in advance of deploying it, as a subnet of an existing LAN, then testing of VPN access won't work as by default a firewall rule on the WAN interface blocks access from private networks. You can temporarily disable this, for testing purposes, using: Interfaces → WAN → Block private networks - When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). You should generally leave this option turned on, unless your WAN network lies in such a private address space, too.

8.0 Wake On LAN

As long as you have the other prerequisites (computer BIOS of machines to be woken has WOL capability and it's turned on) this is how you can use Wake On LAN to wake machines, that are turned off, using pfSense.

Register machines for Wake On LAN by turning them all on. Go to Status → DHCP Leases. For each machine choose 'Add a Wake on Lan mapping for this address'.

You can wake a single machine using Services → Wake On LAN and choosing the MAC address in the list. You can wake all registered machines at once by choosing the appropriate button.

9.0 Captive Portal

Authenticated Captive Portal

Require people to have an account to connect to the Internet.

The Captive Portal uses the MAC address to track people unless you choose 'Disable MAC filtering'. The Captive Portal bypass is all or nothing; you can't enable certain ports to bypass it. The Captive Portal doesn't tell you the total bandwidth consumed per user.

"Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. Non browser authentication is possible using WISPr, an XML-based authentication protocol for this purpose, or MAC-based authentication or authentications based on other protocols."

Note: Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page.

Captive Portal Administrator's Guide

Issues For Captive Portal Users To Be Aware Of

10.0 Add More LAN Interfaces / Dual LAN

You can add more LAN interfaces in order to create additional subnets. Just insert an additional network card and, assuming neither the computer nor pfSense clashes with it, you can follow the instructions here. Alternatively the additional card can be inserted at installation time.

Because Firewall → NAT → Automatic outbound NAT rule generation (IPsec passthrough) is on by default, pfSense automatically sets up the routing for traffic between the LAN2 interface and the WAN interface (outbound NAT). There's no need to alter Firewall → NAT → Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)).

11.0 Upgrading pfSense

"Any non-embedded version of pfSense can be reliably upgraded to any other version while retaining the existing configuration" (and as of 1.2.3 that applies to embedded too).

It is safe to upgrade whilst logged in remotely using the VPN.

Before you upgrade make sure to make a backup using Diagnostics → Backup/Restore.

Upgrades are available to download from www.pfsense.org/mirror.php?section=updates.

Read the release notes before upgrading so as to be aware of any caveats that might adversely affect your system.

You can upgrade (and downgrade, within the 1.2.x series) one of these two ways:

The system will then restart.

Return to the system status page, you'll automatically be redirected to the package re-installation page. If you have packages installed they will at this point automatically be re-downloaded and reinstalled.

12.0 Troubleshooting

doc.pfsense.org/index.php/Category:Troubleshooting

13.0 Finding Help

Forum divided up in to the different pfSense features: forum.pfsense.org/index.php#2

Random knowledge about pfSense / answers to repeated questions: forum.pfsense.org/index.php/topic,7001.0.html

Support mailing list: http://www.pfsense.org/index.php?option=com_content&task=view&id=66&Itemid=71

pfSense Google custom search (search the blog, forum, doc site and more from one location): http://www.google.com/cse/home?cx=006836938521462326004:yyqz67ir-is.