pfSense 1.2 Firewall Appliance Guide
Notable changes to this document
0.9.3 WORK IN PROGRESS - 27 January 2010 - Added new section - Issues With Particular Versions of pfSense
0.9.2 - 5 January 2010
- Added pfSense 1.2.3
- Added info on changing IRQs in system BIOS to cope with multiple cards using the same IRQ
0.9.1 - 23 September 2009 - added the DHCP option of 'DNS Server address' to the OpenVPN server so VPN clients can access computers on the LAN by name
0.9.0 - 13 August 2009
- Added section on adding more LAN interfaces / Dual LAN
- Added a method of very quick installation of a new site's pfSense by restoring another site's backup
0.8.17 - 5 July 2009 - changed WAN interface from static IP to DHCP, with DHCP server on modem/router instead set to give out same specific address.
This is so that, for example, if the modem breaks and people on site replace it with a new one, it's likely to just work without any configuration change before an IT support person is able to be there; the same applies if the organisation moves to a location where they no longer have their own modem/router but are instead on a building's local area network.
This also allows us to get DNS addresses from the modem/router rather than entering them manually.
Where the VPN is reliant upon a port forwarding in the modem/router (where the firewall doesn't have its own routable IP address) then the VPN won't work until the modem/router's DHCP server is updated.
Changes you can make to an existing setup to make this happen:
- Interfaces → WAN → General configuration → Type: DHCP
- System → General Setup → DNS servers →
- remove DNS server IP addresses
- make sure 'Allow DNS server list to be overridden by DHCP/PPP on WAN' is checked
- In the modem/router turn on DHCP server and add an address reservation for the pfSense box
0.8.5 - 17 March 2009 - added instructions for setting static routes.
0.8.3 - 23 January 2009 - Confirming what was previously defined as 'Configuration I'm Testing', in Services → DNS Forwarder, set 'Register DHCP leases in DNS forwarder' and 'Register DHCP static mappings in DNS forwarder' so that names of local DHCP clients have their names resolvable.
0.8.1 - 9 January 2009 - added pfSense 1.2.2
0.8.0 - 7 January 2009 - accommodated other versions in the pfSense 1.2 series, starting with 1.2.1
0.4.2 - 15 September 2008 - moved 'enable SSH access' to 'Other Configuration' section because it's not necessary to always enable
1.0 Introduction
The pfSense web site is at www.pfsense.com. This guide covers installing pfSense 1.2 on the hard disk of an i386 architecture 'PC' computer using the LiveCD. pfSense is based on the FreeBSD operating system. Being a firewall appliance, pfSense can be many different things. This guide covers setting up pfSense to be a firewall with one or more LAN / intranet interfaces, and a single WAN / Internet interface. The LAN interface will typically connect to a hub, to which client and server computers are attached. The WAN interface will typically connect to a modem such as an ADSL modem and router. To achieve this, in addition to the general purpose PC, two or more network cards are required.
The typical network configuration I would set up is as follows, though this guide is by no means limited to only setting things up this way:
[Static routable IP - MODEM - 192.168.1.1]
|
|
[Static IP (via DHCP), non-routable (192.168.1.2) or routable - PFSENSE FIREWALL - 10.0.0.1]
|
|
[SWITCHED HUB]
|
|
[Samba and mail server 10.0.0.10 (static)]
[Printer(s) 10.0.0.30 - 10.0.0.39 (via DHCP)]
[Windows and Ubuntu workstations 10.0.0.100 - 10.0.0.250 (via DHCP)]
1.1 pfSense 1.2 Series Versions
The following versions of the pfSense 1.2 stable series are available:
- 1.2.3 - released 10 December 2009 - release notes
- 1.2.2 - released 9 January 2008 - release notes
- 1.2.1 - released 26 December 2008 - release notes
- 1.2.0 - released 25 February 2008 - release notes
A log of all changes in the 1.2 series is kept at rcs.pfsense.org/projects/pfsense/repos/mainline/logs/RELENG_1_2.
Download the latest stable version from www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46.
2.0 Hardware
Choosing Hardware
This advice is based on personal experience of only having at most 30 users.
Minimum recommended (works for up to at least 35 users): Pentium III era PC, 256MB RAM, 10GB hard disk.
Preferred (works for up to at least 30 users): Pentium 4 era PC, 512MB RAM, 20GB hard disk (less if you're not using Squid).
Use a computer with which you can press the power button on the front briefly and the operating system automatically cleanly shut the machine down, not one that cuts the machine's power. This is so that regular people are able to safely turn it off, making telephone support easier.
Ethernet Network Cards
For the network cards I use PCI 3Com 3C905B and 3C905C as they're of high quality and can be found cheaply. As I've only used these specific cards I don't know much about what else is worthwhile, but whatever high quality card can be found from 3Com or Intel should work well, whereas low quality cards such as those from RealTek will suffice but could be problematic, so should be avoided.
Ethernet Network Cards and IRQs
3Com 3C905B-TX and 3C905C-TX cards are known to not work together.
If you have multiple network cards installed but on startup the BIOS claims "110 out of memory space for option ROMs" or "Parity Check 2"; or the pfSense installer doesn't see them all; or the installer does see them all but then you lose them after installation; or when pfSense is installed it occasionally fails with an issue with a network interface, you likely have an issue with IRQ clashes. The first thing to check is the computer's system BIOS setup, which may or may not have a section where it shows you different devices and IRQs assigned to each. If so, look for network cards sharing an IRQ and swap them around so they use different IRQs, each instead sharing with some other device.
I've also had issues with two 3C905B-TX cards, whether integrated or PCI, with only one being shown as a valid interface in the pfSense installer. At the time I was led to believe this is because FreeBSD assigns the same IRQ to both cards so only one appears, which could be either, depending which came online first within the boot process. I now don't know if this was instead the same issue as in the previous paragraph. The combination that worked for me was to use two 3C905C-TX cards, or one 3Com card and one from another manufacturer.
I've also seen this same issue of only one interface being visible when using an add-in 3C905B-TX card and an on-board Broadcom adapter. I fixed this by instead adding in a 3C905C-TX.
Sometimes, just moving cards around between PCI slots can solve an IRQ clash. This is likely to be useful if the BIOS doesn't allow you to alter IRQ assignments.
Hyperthreading (HT)
Hyperthreading is hardware pre-emption. FreeBSD treats Hyperthreading as multiple CPUs, so if you want to use it you need to use the SMP kernel.
"There is a point of diminishing returns since PF (the packet filter we use) is under the Giant lock in FreeBSD. There certainly is a performance boost going past one CPU (not linearly scaled to the number of cores however), not sure if you'll see it with HyperThreading or not though - the FreeBSD SMP scheduler isn't exactly optimized for HTT."
I've also read that though there is some performance gain with Hyperthreading, it's only slight.
Unless the extra resources are required, I would disable Hyperthreading so that the firewall consumes less power.
Wikipedia recommends disabling Hyperthreading if you have more than one actual CPU: the operating system doesn't see any difference between a real CPU and a Hyperthreading logical CPU, so it may assign work to the Hyperthreading logical CPU that it would otherwise have assigned to a real CPU, which would have been more appropriate.
FreeBSD Hardware Compatibility
pfSense is based on FreeBSD. The pfSense kernel includes all FreeBSD drivers. Different versions of pfSense are based on different versions of FreeBSD. Check your hardware is supported by FreeBSD by checking against the appropriate Hardware Compatibility List. These are the versions of pfSense, their corresponding version of FreeBSD and a link to their Hardware Compatibility List:
- pfSense 1.2.0 is based on FreeBSD 6.2, specifically 6.2-RELEASE-p11. See the FreeBSD 6.2 Hardware Compatibility List.
- pfSense 1.2.1 is based on FreeBSD 7.0, specifically 7.0-RELEASE-p7. See the FreeBSD 7.0 Hardware Compatibility List.
- pfSense 1.2.2 is based on FreeBSD 7.0, specifically 7.0-RELEASE-p8. See the FreeBSD 7.0 Hardware Compatibility List.
- pfSense 1.2.3 is based on FreeBSD 7.2, specifically 7.2-RELEASE-p4. See the FreeBSD 7.2 Hardware Compatibility List.
System BIOS Settings
BIOS settings worth making that are specific to a firewall:
- POST messages - disable - this will allow it to boot without a prompt if there's, for example, no keyboard detected
- After power loss: on - turn back on automatically after a power failure
- On-board network card / ethernet: if you're not using it then disable it to save confusion and system resources
- audio device: disable - frees up some system resources
- Parallel port: disable - frees up some system resources
- AGP aperture size: lowest - frees up some system resources
- network service boot: disable
3.0 Issues With Particular Versions of pfSense
pfSense 1.2.3
Auto Update
System → Firmware → Auto Update isn't working: it was broken at the time of 1.2.3's release and is still broken as of 27th January 2010; it downloads the update then says "Update cannot continue". You have to use other means of upgrading instead.
Intel PRO/100 network cards
From the release notes: "Warning for those using Intel PRO/100 cards - there is a regression in the fxp driver in FreeBSD 7.2 that may require disabling hardware checksum offloading under System → Advanced if you have connectivity problems."
pfSense 1.2.2's 'Hardware Checksum Offloading' setting says "Checking this option will prevent hardware checksum offloading. FreeBSD sometimes has difficulties with certain drivers". 1.2.3's setting says "Checking this option will disable hardware checksum offloading. Checksum offloading is broken in some hardware, particularly some Realtek cards. Rarely, drivers may have problems with checksum offloading and some specific NICs.".
Chris Buechler says "re: the fxp issue, I believe it's been fixed in FreeBSD RELENG_7 (what will become 7.3), but I don't know that we'll ever put out another 7.x release." and "It's not a big deal to turn off checksum offloading. It's unlikely we'll spend any time putting out another 1.2.x release.".
Is it worth turning this off pre-emptively?
4.0 Installation And Minimum Configuration
The installer CD is a live CD that can run straight from the CD or be installed to hard disk, memory drive, etcetera.
Define network interfaces
You should get a list of available network interfaces. There should be at least two. If less appear than the number of cards you have in the machine then something's wrong.
BSD uses the network card driver's name for the respective interface name, for example:
- xl - 3Com Etherlink XL and Fast Etherlink XL - www.gsp.com/cgi-bin/man.cgi?section=4&topic=xl
- fxp - Intel EtherExpress PRO/100 - www.gsp.com/cgi-bin/man.cgi?section=4&topic=fxp
- rl - RealTek 8129/8139 - www.gsp.com/cgi-bin/man.cgi?section=4&topic=rl
- bge - Broadcom BCM570x/5714/5721/5750/5751/5752/5789 PCI Gigabit Ethernet adapter driver - www.gsp.com/cgi-bin/man.cgi?section=4&topic=bge
Choose not to setup VLANs, unless you know you want that.
Choose which interface is for LAN (local area network) and which is for WAN (wide area network). It will try to auto detect or you can just tell it which of the interfaces it shows are for LAN and WAN (which I find easier than the auto detection), as described below. You can change this in the web GUI later if you wish. If you aren't offered two interfaces it means two network cards aren't being found, in which case you may need to juggle the network cards between different slots or try different cards.
- LAN - xl0 xx:xx:xx:xx:xx:xx - defaults to the first PCI slot it finds a card in and 192.168.1.1
- WAN - xl1 yy:yy:yy:yy:yy:yy - defaults to the second PCI slot it finds a card in and to getting its address by DHCP. I set up the modem/router that it connects to so that it gives out a specific IP address to it via DHCP, so that we're able to VPN in when the modem/router has a VPN port forwarding.
Choose not to "Enter the Optional 1 interface name...", unless you know you want that.
That's it! pfSense is now usable. However you probably want to install it to the hard disk, and you may want to change some of these defaults from the console here then change some more (at least the password) from the web interface, or just change them all from the web interface.
Note: the default account has username 'admin' and password 'pfsense'.
Initial Configuration, From Console (Optional)
You may be happy with the defaults, but these are what I set. You can skip this section if you're restoring configuration from backup, unless you need the pfSense machine on the network itself in order to be able to restore it, and at a LAN IP address range other than the default of 192.168.1.0.
Note: the DNS server on the LAN interface is on by default.
I use the ipcalc tool on a Linux workstation to work out IP addressing schemes, alternatively there are many ipcalcs available as web sites:
$ ipcalc 10.0.0.1/255.255.255.0
Address:   10.0.0.1             00001010.00000000.00000000. 00000001
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   10.0.0.0/24          00001010.00000000.00000000. 00000000
HostMin:   10.0.0.1             00001010.00000000.00000000. 00000001
HostMax:   10.0.0.254           00001010.00000000.00000000. 11111110
Broadcast: 10.0.0.255           00001010.00000000.00000000. 11111111
Hosts/Net: 254                  Class A, Private Internet
- 2) Set LAN IP address
- Enter the new LAN IP address: I choose '10.0.0.1'.
- Enter the new LAN subnet bit count: I choose '24' which represents 255.255.255.0, allowing any value of x in 10.0.0.x.
- Do you want to enable the DHCP server on LAN [y|n]? I choose 'y'.
- Enter the start address of the client address range: I choose 10.0.0.100 so as to give space below 100 for servers with static addresses
- Enter the end address of the client address range: I choose 10.0.0.250
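The ipcalc figures and the DHCP pool chosen above can be worked out and sanity-checked together in a few lines of Python; this is an added example, not part of pfSense or ipcalc. The plan values it embeds (server, printers, the modem's LAN and the OpenVPN client address pool from section 7.0, which must not clash with the LAN) are constructed from this guide's diagram, and the check that static addresses lie outside the DHCP pool is the rule pfSense applies to DHCP static mappings.

```python
"""Work out and sanity-check the LAN addressing scheme used in this guide.

Added example (not part of pfSense or ipcalc): reproduces the ipcalc figures
with the standard library, then checks the plan from the Initial
Configuration steps (firewall LAN IP, DHCP pool, static hosts, and the
subnets that must not overlap the LAN).
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def ipcalc(cidr):
    """Return the fields ipcalc prints for e.g. '10.0.0.1/24' or '10.0.0.1/255.255.255.0'."""
    iface = IPv4Interface(cidr)
    net = iface.network
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "wildcard": str(net.hostmask),
        "network": str(net),
        "hostmin": str(net.network_address + 1),
        "hostmax": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "hosts": net.num_addresses - 2,
    }


def check_plan(lan_cidr, dhcp_start, dhcp_end, static_hosts, other_subnets):
    """Return a list of problems with the plan; an empty list means it is consistent.

    static_hosts:  {name: address} for machines with static IPs or DHCP static
                   mappings, which must lie outside the DHCP pool.
    other_subnets: {name: cidr} for networks that must not overlap the LAN
                   (the modem's LAN, the OpenVPN address pool).
    """
    problems = []
    iface = IPv4Interface(lan_cidr)
    net = iface.network
    unusable = (net.network_address, net.broadcast_address)
    start, end = IPv4Address(dhcp_start), IPv4Address(dhcp_end)

    if start > end:
        problems.append(f"DHCP pool start {start} is after its end {end}")
    for label, addr in (("DHCP pool start", start), ("DHCP pool end", end)):
        if addr not in net or addr in unusable:
            problems.append(f"{label} {addr} is not a usable host address in {net}")
    if start <= iface.ip <= end:
        problems.append(f"firewall LAN IP {iface.ip} lies inside the DHCP pool")

    for name, addr in static_hosts.items():
        a = IPv4Address(addr)
        if a not in net or a in unusable:
            problems.append(f"{name} {a} is not a usable host address in {net}")
        elif start <= a <= end:
            problems.append(f"{name} {a} lies inside the DHCP pool {start}-{end}")
        elif a == iface.ip:
            problems.append(f"{name} {a} duplicates the firewall LAN IP")

    for name, cidr in other_subnets.items():
        other = IPv4Network(cidr, strict=False)
        if net.overlaps(other):
            problems.append(f"{name} {other} overlaps the LAN subnet {net}")
    return problems


# The plan from this guide, constructed from the diagram in section 1.0.
GUIDE_PLAN = dict(
    lan_cidr="10.0.0.1/24",
    dhcp_start="10.0.0.100",
    dhcp_end="10.0.0.250",
    static_hosts={"samba/mail server": "10.0.0.10",
                  "first printer": "10.0.0.30", "last printer": "10.0.0.39"},
    other_subnets={"modem LAN": "192.168.1.0/24",
                   "OpenVPN address pool": "10.0.10.0/24"},
)

if __name__ == "__main__":
    for field, value in ipcalc(GUIDE_PLAN["lan_cidr"]).items():
        print(f"{field:>10}: {value}")
    print("problems:", check_plan(**GUIDE_PLAN) or "none")
```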
Install To Hard Drive / Memory Drive (Optional)
pfSense should now be operational from the CD. If you want to install pfSense to a hard disk choose 99) Install pfSense to a hard drive/memory drive, etc. If you want to, you're able to configure pfSense further, from the web interface, before installing it to hard drive/memory drive.
Follow the prompts to install. Accepting the defaults for all questions should be fine (especially if you intend to restore configuration from backup). Note that hard disk geometry misalignments with the BIOS can cause difficulties which pfSense will tell you about. Choose either 'Uniprocessor kernel (one processor)' or 'Symmetric multiprocessing kernel (more than one processor)' depending on how many CPUs / cores the machine has.
Reboot.
Restore Configuration From Backup (Optional)
If you want you can restore a previously saved backup and all settings will be restored, including passwords and certificates. You do so using the pfSense web interface.
There are various methods you can use to connect to pfSense in order to restore a configuration backup:
- Attach a client computer using a network cable connected directly into the LAN interface, it will get an IP address from the pfSense box. Connect to http://pfsense in your web browser.
- ? Attach a local area network cable to the WAN interface, so as to allow it to get an IP address from an existing DHCP server if there is one. Connect to http://pfsense in your web browser (assuming there exists no other machine called 'pfsense' on the network).
- Connect your client computer through your usual network to the pfSense box, then connect using either its IP address or domain name. Depending whether you set an IP address relevant to your LAN or not in Initial Configuration earlier, pfSense will either be on its default IP address of 192.168.1.1, or some other, and your client computer will have to have its IP addressing configured either automatically or manually respectively.
The setup wizard will appear, choose Next at each prompt to accept the various options → choose any password → Reload → login again - all these settings are going to be overwritten in a moment.
Go to Diagnostics → Backup/Restore (http://pfsense/diag_backup.php); browse for the backup file on your client computer and restore it.
If the network cards differ then you may get the message "Interface mismatch detected. Please resolve the mismatch and click Save. The firewall will reboot afterwards." and a list of network cards to assign to interfaces. If they're not already assigned to the interfaces you want, re-order them then choose Save.
Unless you want to make changes compared to the backup, your installation should now be complete. pfSense will reboot.
If you set up pfSense for various sites using the same configuration, then setting up a new pfSense firewall can be made vastly quicker by restoring the backup for a different site and then, assuming you set up pfSense as per this guide (apart from the captive portal), just changing the following options:
- Remove Wake On Lan (WOL) machines and add new ones
- System → General Setup → Password
- VPN → OpenVPN → Server → e (Edit)
- CA certificate
- Server certificate
- Server key
- Interfaces → WAN → IP address - if yours differs from that set in this guide
- Interfaces → LAN → IP address - if yours differs from that set in this guide
After a restoration, if you have Internet access then any pfSense packages you had installed on the system you backed up will be automatically installed, otherwise you need to install them manually.
Further Configuration, From Web Interface (Optional)
The rest of your interaction with pfSense can happen through the web browser on another computer.
- Go to web interface: http://<IP address>
- The wizard will lead you through answering these questions, or they can later be set in System → General Setup
- Hostname: firewall (or whatever you want)
- Domain: localdomain. It defaults to 'local' but we're already using localdomain
- DNS servers - as the WAN interface will get its IP address via DHCP, also allow the DNS addresses to be gotten via DHCP here.
- Time zone: choose yours i.e. Europe/London
- Configure WAN Interface - SelectedType: DHCP.
- Static IP Configuration
- IP Address and subnet mask: depending on how the modem is configured, this will either be of private address syntax respective to the modem's LAN interface, or an Internet addressable syntax as provided by the ISP
- Gateway: this will usually be the modem/router that pfSense is connected to
- LAN IP Address: only needs to be set if you want to change it from the default of 192.168.1.1 and you didn't do so earlier at the console
- Admin Password - set a new password
- System → General Setup →
- webGUI protocol: HTTPS, not HTTP (this option is a bit flaky: it could take a minute for it to work on HTTPS, or it might require you to set it back to HTTP then again to HTTPS before it works). When it's ready it should redirect you to https://<IP address or hostname>
- Services → DNS Forwarder →
- Register DHCP leases in DNS forwarder - so local computers and printers can be accessed by name
- Register DHCP static mappings in DNS forwarder - so local computers and printers can be accessed by name
Advanced Configuration
- Add any hosts you want to explicitly provide for (such as server.localdomain → 10.0.0.10) to the DNS forwarder at Services → DNS forwarder. "pfSense doesn't do anything complex with DNS unless you install the dns-server package (which is tinydns). If you want to add hosts to the DNS forwarder, do that at Services → DNS Forwarder"
- If you have a WINS server, such as a Windows or Samba server, for Windows workstations, add its IP address so workstations will pick it up: Services → DHCP server → WINS servers and add 10.0.0.10 (or whatever yours is)
- How do we enable auth/ident for IRC? You can add BLOCK/REJECT/PASS for IDENT/AUTH TCP/UDP on WAN, coming from WAN, in Firewall → Rules → Add. Good explanation of IDENT/AUTH at www.grc.com/port_113.htm. TODO: None of these changed IRC login, do I need to setup port forwarding for it instead?
Backup
Make a backup of the system to the computer you're connecting with: Diagnostics → Backup/Restore → Local → Backup configuration → Download configuration. Make fresh backups when you change any configuration.
5.0 Packages
pfSense needs to have Internet access for the packages section to be usable.
From blog.pfsense.org/?p=179 13 March 2008: "FreeBSD removed 6.2 packages from all their mirrors, which broke a few of our packages. I fixed as many as I could with files we already had, or that I could still find, but some are still not working. We'll have to build these packages ourselves, and it'll be this weekend before anyone will have time to do so."
"Going forward we are only going to use package files from our servers so we don't get bitten by similar situations in the future."
pfSense packages are custom versions either maintained by the pfSense team or individuals. They don't ship with pfSense, they're downloaded over the internet when installed. They're made available as-and-when ready, not dependent on pfSense updates. There's no pfsense.com page announcing updates. The System → Packages → Installed packages page will tell you if newer versions are available. I think to upgrade you have to choose 'pkg' (reinstall this application); your configuration will be retained.
- bandwidthd - bandwidthd.sourceforge.net - tracks usage of TCP/IP network subnets and builds HTML files with graphs to display utilization
- Available via: Services → BandwidthD
- Versions:
- 2.0.1.2 - pfSense 1.2.1
- 2.0.1.1 - pfSense 1.2.0
- Choose output_cdf - Log data to cdf file htdocs/log.cdf (however it wasn't retained through a 1.2.0 to 1.2.1 upgrade)
- Choose recover_cdf - Read back the cdf file on startup
- By default, doesn't require authentication to access
- darkstat - dmr.ath.cx/net/darkstat - Captures network traffic, calculates statistics about usage, and serves reports
- Available via: Diagnostics → Darkstat Settings
- Requires port 666 be open on the client in order to view the results
- Versions:
- 3.0.712
- 3.0.619
- phpSysInfo - phpsysinfo.sourceforge.net - displays information about the firewall appliance
- Available via: Status → phpsysinfo
- Versions:
- 2.5.4 - fixes security issue Cross-Site Scripting Vulnerability
- 2.5.3
- snort - www.snort.org - a network intrusion prevention and detection system
- Available via: Services → Snort
- Versions:
- 2.8.4.1
- squid - www.squid-cache.org - an Internet caching proxy
- Available via: Services → Proxy server
- Versions:
- 2.6.21_10
- 2.6.21_07
6.0 Other Configuration
Firewall Hardening
Prevent Clients Using Malicious DNS Servers
The rules must appear in the following order. Use Firewall → Rules.
Allow outgoing DNS access by pfSense, or by a dedicated DNS server (whichever you use).
- Action: Pass
- Interface: LAN
- Protocol: TCP/UDP
- Source
- Type: Single host or alias
- Address: LAN IP of your pfSense machine, or of your stand-alone DNS server /31
- Destination: any
- Destination port range
- from: DNS
- to: DNS
- Description: Allow outgoing DNS for our pfSense DNS forwarder
On LAN interface block all DNS traffic to any network.
- Action: Block
- Interface: LAN
- Protocol: TCP/UDP
- Destination: any
- Destination port range
- from: DNS
- to: DNS
- Log: Log packets that are handled by this rule - "because it typically indicates either a misconfiguration, compromised host, or somebody trying to do something they aren't supposed to be doing." - Chris Buechler
- Description: Block outgoing DNS in case of rogue DNS servers
Further information: blog.pfsense.org/?p=308 and www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=2.
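Because the block rule logs, the filter log shows which LAN hosts are trying to reach outside resolvers, which is the misconfiguration or compromise signal the quote above refers to. The following is an added example, not part of pfSense: it parses log lines laid out like the entry quoted in the Static Routes section (rule N/0 (match) : block in on xl0 : src.port>dst.port:proto) and summarises blocked DNS per LAN host; the sample lines, the interface name xl0, the hosts and the rule number are all constructed.

```python
"""Summarise the pf log entries produced by the 'Block outgoing DNS' rule.

Added example, not part of pfSense. The sample lines are constructed to
follow the 1.2-series filter log layout quoted in the Static Routes
section; the exact spacing around '(match)', ':' and '>' varies, so the
regex tolerates both the spaced and unspaced forms.
"""
import re
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: three LAN hosts, two of them sending DNS to outside
# resolvers and being caught by the block rule (rule number is made up).
SAMPLE_LOG = """\
Jan 27 09:12:01 firewall pf: 000000 rule 17/0(match): block in on xl0: 10.0.0.105.49152 > 8.8.8.8.53: UDP, length 40
Jan 27 09:12:03 firewall pf: 000000 rule 17/0(match): block in on xl0: 10.0.0.105.49153 > 8.8.4.4.53: UDP, length 40
Jan 27 09:12:09 firewall pf: 000000 rule 17/0(match): block in on xl0: 10.0.0.131.52111 > 208.67.222.222.53: TCP, length 60
Jan 27 09:12:15 firewall pf: 000000 rule 17/0(match): block in on xl0: 10.0.0.105.49154 > 8.8.8.8.53: UDP, length 40
Jan 27 09:13:00 firewall pf: 000000 rule 60/0(match): block in on xl1: 203.0.113.9.1306 > 10.0.0.10.9100: TCP, length 20
"""

LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+ ?\(match\) ?: "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\w+) ?: "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) ?> ?"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+) ?: ?(?P<proto>[A-Za-z]+)"
)


def parse_line(line):
    """Return the fields of one filter log line, or None if it isn't a rule match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["proto"] = rec["proto"].lower()
    return rec


def rogue_dns_report(log_text, lan_net="10.0.0.0/24", lan_if="xl0"):
    """Return {lan_host: {outside_resolver: count}} for blocked DNS entering the LAN interface.

    Only packets blocked inbound on lan_if, to port 53 over TCP or UDP, from a
    LAN address to an address outside the LAN subnet are counted; DNS to the
    firewall's own forwarder or an internal DNS server is ignored.
    """
    lan = IPv4Network(lan_net)
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "block" or rec["direction"] != "in":
            continue
        if rec["iface"] != lan_if or rec["dport"] != 53 or rec["proto"] not in ("tcp", "udp"):
            continue
        src, dst = IPv4Address(rec["src"]), IPv4Address(rec["dst"])
        if src in lan and dst not in lan:
            report[str(src)][str(dst)] += 1
    return {host: dict(resolvers) for host, resolvers in report.items()}


if __name__ == "__main__":
    for host, resolvers in sorted(rogue_dns_report(SAMPLE_LOG).items()):
        tried = ", ".join(f"{r} x{n}" for r, n in sorted(resolvers.items()))
        print(f"{host}: blocked DNS to {tried}")
```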
Manual DNS Override
If you're having a problem such as the modem on the WAN interface is using a DNS server that doesn't work and you want to manually override it:
- System → General Setup →
- DNS servers
- Allow DNS server list to be overridden by DHCP/PPP on WAN - off
SSH Access
It isn't strictly necessary to enable SSH access, and it's a worthwhile security measure not to. The only features I've used it for are restarting the webConfigurator when it's inaccessible and as an efficient method of upgrading. Enable SSH access using System → Advanced → Secure Shell [X] Enable Secure Shell. SSH access is then enabled for the user 'root' with the same password as for the user 'admin' at the web GUI. SSH access is enabled on the LAN interface, not on the WAN interface.
Static Routes
"Static routes are only used for networks reachable via a different router, and not reachable via your default gateway."
Static routes are used, for example, if you want to point the way to another network to which another router / firewall on the LAN controls access, such as to reach a printer shared by different organisations from which you're firewalled. All traffic to that other network will pass across the LAN interface of this firewall.
To add a static route use System → Static routes.
We had an issue with printing in this situation where print test pages printed OK but anything else above 70kB large stalled with pfSense giving "rule 60/0 (match) : block in on xlt : <sending machine>.1306><printer router>.9100:tcp 20 [bad hdr length 0 - too short, <20]" and "@60 block drop in log quick all label "Default deny rule"". Enabling this fixed it: System → Advanced → Static route filtering [] Bypass firewall rules for traffic on the same interface - "This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface."
7.0 OpenVPN Server
pfSense's OpenVPN Server feature deals with allowing people to VPN in to the LAN. The OpenVPN Client feature deals with pfSense itself VPNing into another VPN Server and isn't covered here. You have to create your own CA, server certificate and client certificates and keys, which I cover in a separate guide, Creating Certificates and Keys for pfSense 1.2 Series OpenVPN Servers and Clients.
OpenVPN Server Configuration
- VPN → OpenVPN → Server → +
- Dynamic IP: yes
- Address pool: 10.0.10.0/24 (or whichever you want. This is a subnet just for VPN clients, needs to not clash with any existing subnet)
- Authentication method: PKI (Public Key Infrastructure)
- Local network: 10.0.0.0/24 (or whichever matches your actual local addressing scheme) [this isn't available until you change 'Authentication method' from 'Shared key' to 'PKI (Public Key Infrastructure)']
- CA certificate - paste in a .pem file; you need to create this separately, see Creating Certificates and Keys for pfSense 1.2 Series OpenVPN Servers and Clients.
- Server certificate - paste in a .pem file; you need to create this separately, see Creating Certificates and Keys for pfSense 1.2 Series OpenVPN Servers and Clients.
- Server key - paste in a .pem file without a passphrase included; you need to create this separately, see Creating Certificates and Keys for pfSense 1.2 Series OpenVPN Servers and Clients.
- DH parameters - Diffie Hellman parameters; you need to create this separately, see Creating Certificates and Keys for pfSense 1.2 Series OpenVPN Servers and Clients.
- DHCP-Opt.: DNS-Server: 10.0.0.1 - this is required for VPN clients to access computers on the LAN by name
- DHCP-Opt.: WINS-Server: 10.0.0.10 (if you have a WINS server; change for your specific address)
- LZO compression: yes
- Save
Firewall Configuration
By default setting up OpenVPN doesn't actually open the firewall up to allow OpenVPN access. You have to do this yourself:
Firewall → Rules → + (add new rule) - Setup a rule to pass on WAN interface protocol UDP from any source to destination OpenVPN port:
- Action: Pass (the default)
- Interface: WAN (the default)
- Protocol: UDP
- Source - Type: any (the default)
- Destination port range
- from: OpenVPN
- to: OpenVPN
- Description: Allow OpenVPN in
Save → Apply changes
Further Reading
OpenVPN Technologies's OpenVPN HOWTO
Troubleshooting
If you are setting up pfSense, in advance of deploying it, as a subnet of an existing LAN, then testing of VPN access won't work as by default a firewall rule on the WAN interface blocks access from private networks. You can temporarily disable this, for testing purposes, using: Interfaces → WAN → Block private networks - When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). You should generally leave this option turned on, unless your WAN network lies in such a private address space, too.
8.0 Wake On LAN
As long as you have the other prerequisites (computer BIOS of machines to be woken has WOL capability and it's turned on) this is how you can use Wake On LAN to wake machines, that are turned off, using pfSense.
Register machines for Wake On LAN by turning them all on. Go to Status → DHCP Leases. For each machine choose 'Add a Wake on Lan mapping for this address'.
You can wake a single machine using Services → Wake On LAN and choosing the MAC address in the list. You can wake all registered machines at once by choosing the appropriate button.
9.0 Captive Portal
Authenticated Captive Portal
Require people to have an account to connect to the Internet.
The Captive Portal uses the MAC address to track people unless you choose 'Disable MAC filtering'. The Captive Portal bypass is all or nothing: you can't enable certain ports to bypass. The Captive Portal doesn't tell you total bandwidth consumed per user.
- Concurrent user logins: Disable concurrent logins
- Authentication: Local user manager
- HTTPS login: Enable HTTPS login
- HTTPS server name - from the option's help text: "This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS." A downside to enabling HTTPS login with a self-signed certificate is that Firefox 3.0 will complain about the certificate, requiring quite an elaborate means to accept it.
- HTTPS certificate - I've not done this yet
- HTTPS private key - I've not done this yet
"Platforms that have Wi-Fi and a TCP/IP stack but do not have a web browser that supports HTTPS cannot use many captive portals. Such platforms include the Nintendo DS running a game that uses Nintendo Wi-Fi Connection. Non browser authentication is possible using WISPr, an XML-based authentication protocol for this purpose, or MAC-based authentication or authentications based on other protocols."
Note: Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page.
- Create portal page. For example:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>your organisation name - Login</title>
</head>
<body>
  <h1>your organisation name Login</h1>
  <p>You need to enter, or re-enter, your username and password to use the Internet. If you're paid-up you should have been given this information recently.</p>
  <p>To get an account, or if you're having problems, see Payment and Contact sections below. Details of how the login system works and Terms and Conditions of Use are below.</p>
  <h2>Login</h2>
  <!-- $PORTAL_ACTION$ and $PORTAL_REDIRURL$ are filled in by pfSense when it serves the page -->
  <form method="post" action="$PORTAL_ACTION$">
    <fieldset>
      <legend>Account Details</legend>
      <p>
        <label for="auth_user">Username:</label>
        <input type="text" id="auth_user" name="auth_user" size="25"> (case-sensitive)
      </p>
      <p>
        <label for="auth_pass">Password:</label>
        <input type="password" id="auth_pass" name="auth_pass" size="25"> (case-sensitive)
      </p>
      <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
    </fieldset>
    <p><input name="accept" type="submit" value="Login"></p>
  </form>
</body>
</html>
- Create portal error page. For example:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>your organisation name - Login Error</title> </head> <body> <h1>your organisation name Login Error</h1> <h2 style="color:red;">Error</h2> <p style="color:red;">The username and/or password you entered is invalid.</p> <p>Try to enter it again. If it continues to not work then most likely your subscription has run out and needs to be renewed; or we may not yet be aware of your payment; or there could be an unforeseen problem, so get in touch.</p> <form method="post" action="$PORTAL_ACTION$"> <fieldset> <legend>Account Details</legend> <p> <label for="Username">Username:</label> <input type="text" id="auth_user" name="auth_user" size="25"/> (case-sensitive) </p> <p> <label for="Password">Password:</label> <input type="Password" id="auth_pass" name="auth_pass" size="25"/> (case-sensitive) </p> <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$"> </fieldset> <p><input name="accept" type="submit" value="Login"></p> </form> </body>
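If you write your own portal and error pages rather than copying the ones above, it is easy to drop or rename one of the form fields and end up with a page that looks right but never logs anyone in. The following is an added example, not part of this guide and not pfSense's own code: a small lint script using only the Python standard library that checks a portal page for the form action placeholder and the field names used in the pages above (auth_user, auth_pass, redirurl, accept), and for label/id mismatches. The two sample pages embedded in it are constructed for the example.

```python
"""Added example (not from the pfSense guide): lint a custom captive portal
page for the form fields the guide's pages use. Standard library only."""
from html.parser import HTMLParser

# Field names the portal form posts; these are the names used in the guide's pages.
REQUIRED_INPUTS = {"auth_user", "auth_pass", "redirurl", "accept"}


class PortalFormParser(HTMLParser):
    """Collect form actions, named inputs, label targets and element ids."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.inputs = {}   # input name -> attribute dict
        self.labels = []   # 'for' targets of <label> tags
        self.ids = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and a.get("name"):
            self.inputs[a["name"]] = a
        elif tag == "label" and a.get("for"):
            self.labels.append(a["for"])
        if a.get("id"):
            self.ids.add(a["id"])


def lint_portal_page(html):
    """Return a list of problems; an empty list means the page should work."""
    p = PortalFormParser()
    p.feed(html)
    problems = []
    if "$PORTAL_ACTION$" not in p.form_actions:
        problems.append("form action must be $PORTAL_ACTION$ so pfSense can fill in the real URL")
    for name in sorted(REQUIRED_INPUTS - set(p.inputs)):
        problems.append(f"missing input named {name}")
    redir = p.inputs.get("redirurl")
    if redir is not None and redir.get("value") != "$PORTAL_REDIRURL$":
        problems.append("redirurl must carry $PORTAL_REDIRURL$ or users are not returned to their page")
    pw = p.inputs.get("auth_pass")
    if pw is not None and (pw.get("type") or "").lower() != "password":
        problems.append("auth_pass should be type=password so it is masked on screen")
    for target in p.labels:
        if target not in p.ids:
            problems.append(f'<label for="{target}"> has no matching element id')
    return problems


# Constructed sample pages for the example (not real deployed pages).
GOOD_PAGE = """<html><body>
<form method="post" action="$PORTAL_ACTION$">
<label for="auth_user">Username:</label> <input type="text" id="auth_user" name="auth_user">
<label for="auth_pass">Password:</label> <input type="password" id="auth_pass" name="auth_pass">
<input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
<input name="accept" type="submit" value="Login">
</form></body></html>"""

# Wrong action, label 'for' that matches nothing, and no redirurl field.
BAD_PAGE = """<html><body>
<form method="post" action="/login">
<label for="Username">Username:</label> <input type="text" id="auth_user" name="auth_user">
<label for="auth_pass">Password:</label> <input type="password" id="auth_pass" name="auth_pass">
<input name="accept" type="submit" value="Login">
</form></body></html>"""


if __name__ == "__main__":
    for label, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        print(label, lint_portal_page(page) or "OK")
```

Run it against your saved page with `lint_portal_page(open("portal.html").read())`; an empty list means the form posts the fields the portal expects.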
- Allowed IP addresses - maybe your web server IP so you can link to payment pages and contact pages from portal page
Captive Portal Administrator's Guide
- If you change a username/password the user isn't prompted. They can continue to use the one they're logged in with until they're logged out. If you want to force them to use the new one straight away you can go to Status → Captive portal, find the username and choose 'X'
- username is case sensitive
- If you restart the router you log everyone out of the captive portal
- When captive portal accounts expire they're automatically deleted from the list of captive portal users
- '-' and '@' characters cannot be used in captive portal usernames, which makes it difficult to use email addresses as usernames
- A captive portal keeps the honest honest, it doesn't keep out those determined to work around it
Issues For Captive Portal Users To Be Aware Of
- Open port 8000 in any firewalling software that might be installed
- Software that isn't a web browser won't be able to connect to the Internet and won't say anything about it. Only the web browser will take you to the login page
- It works through a router
10.0 Add More LAN Interfaces / Dual LAN
You can add more LAN interfaces in order to create additional subnets. Just insert an additional network card and, assuming neither the computer nor pfSense has a problem with it (see the note on IRQ clashes above), follow the instructions here. Alternatively the additional card can be inserted at installation time.
- Add the new interface: Interfaces → (assign) → + → OPT1 - <interface name and number, e.g. xl2> (xx:xx:xx:xx:xx:xx) → Save
- Configure the new interface: Interfaces → OPT1
- [*] Enable Optional 1 interface
- Description: LAN2
- IP configuration → IP address: 10.1.0.1/24 (remember that our VPN already uses 10.0.10.0/24 and 10.0.5.0/24. You can change this addressing range to suit your situation)
- Save
- Optionally, add a DHCP Server for client computers on this subnet: Services → DHCP server → LAN2
- [*] Enable DHCP server on LAN2 interface
- Range: 10.1.0.100 to 10.1.0.250 (You can change this addressing range to suit your situation. Beware that pfSense allows you to choose 10.1.0.255 here which wouldn't work as it's the broadcast address)
- Save
- Add a firewall rule to allow traffic of any protocol from the LAN2 subnet to any address (i.e. the Internet): Firewall → Rules → + (add new rule)
- Protocol: any
- Source:
- Type: LAN2 subnet
- Description: Default LAN2 → any
- Save
- If you want to prevent traffic from the new LAN subnet accessing the original LAN subnet then add a firewall rule to block traffic from LAN2 to LAN (this rule needs to be at the top of the list): Firewall → Rules → + (add new rule)
- Action: Block
- Interface: LAN2
- Protocol: any
- Source:
- Type: any (or maybe 'LAN2 subnet'?) I think any is best for a deny rule
- Destination: LAN subnet
- Description: Block LAN2 → LAN
- Save
- If you want to prevent traffic from the original LAN subnet accessing the new LAN subnet then add a firewall rule to block traffic from LAN to LAN2 (this rule needs to be at the top of the list): Firewall → Rules → + (add new rule)
- Action: Block
- Interface: LAN
- Protocol: any
- Source:
- Type: any (or maybe 'LAN subnet'?) I think any is best for a deny rule
- Destination: LAN2 subnet
- Description: Block LAN → LAN2
- Save
Because Firewall → NAT → Automatic outbound NAT rule generation (IPsec passthrough) is on by default, pfSense automatically sets up outbound NAT for traffic between the LAN2 interface and the WAN interface. There's no need to alter Firewall → NAT → Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
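Two things in the Dual LAN procedure above are easy to get wrong: the DHCP range (pfSense will accept 10.1.0.255 even though it is the broadcast address, and a new subnet must not overlap the VPN ranges already in use) and the ordering of the block rules, which only work if they sit above the 'Default LAN2 → any' pass rule because pfSense evaluates an interface's rules top-down and the first match wins. The following is an added example, not part of this guide and not pfSense code: a Python script (standard library only) that checks an address plan and then shows the first-match effect with the LAN2 rules from this section. The original LAN subnet is assumed to be 192.168.1.0/24 (pfSense's default; this guide does not state it), and the destination addresses are constructed samples.

```python
"""Added example (not from the pfSense guide): address-plan checks and a
first-match rule evaluator for the Dual LAN section. Standard library only."""
import ipaddress
from dataclasses import dataclass

# Ranges the guide says are already in use by the VPN.
EXISTING_SUBNETS = ["10.0.10.0/24", "10.0.5.0/24"]
# Assumption: the original LAN is pfSense's default 192.168.1.0/24.
LAN_SUBNET = "192.168.1.0/24"
LAN2_SUBNET = "10.1.0.0/24"


def check_dhcp_range(interface_cidr, range_start, range_end, existing=EXISTING_SUBNETS):
    """Return problems with an interface address (as typed in pfSense, e.g.
    '10.1.0.1/24') and a DHCP range. An empty list means the plan is consistent."""
    problems = []
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)

    for cidr in existing:
        if net.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{net} overlaps existing subnet {cidr}")
    if start > end:
        problems.append("range start is after range end")
    for addr, label in ((start, "start"), (end, "end")):
        if addr not in net:
            problems.append(f"range {label} {addr} is outside {net}")
        elif addr == net.network_address:
            problems.append(f"range {label} {addr} is the network address")
        elif addr == net.broadcast_address:
            problems.append(f"range {label} {addr} is the broadcast address")
    if start <= iface.ip <= end:
        problems.append(f"range includes the interface's own address {iface.ip}")
    return problems


@dataclass
class Rule:
    action: str        # "pass" or "block"
    interface: str     # tab the rule is on, e.g. "LAN2"
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"
    description: str


def _matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(rules, interface, src, dst):
    """First-match evaluation of per-interface rules, top to bottom.
    Returns (action, description); no match means pfSense's default deny."""
    for r in rules:
        if r.interface == interface and _matches(r.source, src) and _matches(r.destination, dst):
            return r.action, r.description
    return "block", "default deny"


# The two LAN2 rules from this section.
BLOCK_LAN2_TO_LAN = Rule("block", "LAN2", "any", LAN_SUBNET, "Block LAN2 → LAN")
DEFAULT_LAN2 = Rule("pass", "LAN2", LAN2_SUBNET, "any", "Default LAN2 → any")


def ruleset(block_on_top):
    """The LAN2 tab with the block rule either above or below the pass rule."""
    return [BLOCK_LAN2_TO_LAN, DEFAULT_LAN2] if block_on_top else [DEFAULT_LAN2, BLOCK_LAN2_TO_LAN]


if __name__ == "__main__":
    print(check_dhcp_range("10.1.0.1/24", "10.1.0.100", "10.1.0.250") or "DHCP plan OK")
    print(check_dhcp_range("10.1.0.1/24", "10.1.0.100", "10.1.0.255"))
    for top in (True, False):
        # Constructed sample: a LAN2 client talking to a LAN host and to the Internet.
        print("block on top" if top else "block below pass",
              evaluate(ruleset(top), "LAN2", "10.1.0.120", "192.168.1.10"),
              evaluate(ruleset(top), "LAN2", "10.1.0.120", "203.0.113.10"))
```

With the block rule below the pass rule, LAN2 → LAN traffic matches 'Default LAN2 → any' first and is passed, which is exactly why the guide says the block rule must be at the top of the list.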
11.0 Upgrading pfSense
"Any non-embedded version of pfSense can be reliably upgraded to any other version while retaining the existing configuration" (and as of 1.2.3 that applies to embedded too).
It is safe to upgrade whilst logged in remotely using the VPN.
Before you upgrade make sure to make a backup using Diagnostics → Backup/Restore.
Upgrades are available to download from www.pfsense.org/mirror.php?section=updates.
Read the release notes before upgrading so as to be aware of any caveats that might adversely affect your system.
You can upgrade (and downgrade, within the 1.2.x series) one of these two ways:
- Manually using the web GUI
- Download the upgrade file from www.pfsense.org/mirror.php?section=updates to your desktop computer
- Go to System → Firmware → Manual Update
- Browse for the upgrade file on your computer and upload it
- Using the console or by connecting remotely using SSH (which requires you to have enabled SSH access in System → Advanced → Enable Secure Shell). This is easier because you don't have to first manually download the upgrade file, instead you paste in a URL to the upgrade file for pfSense to download directly, though it's slower if you have more than one to upgrade.
- Go to 13) Upgrade from console → 1) Update from a URL
- Paste in the URL for the full upgrade file. For example from the London, UK mirror for various versions in the pfSense 1.2 series:
- 1.2.0: http://mirror.qubenet.net/mirror/pfsense/updates/pfSense-Full-Update-1.2-RELEASE.tgz
- 1.2.1: http://mirror.qubenet.net/mirror/pfsense/updates/pfSense-Full-Update-1.2.1.tgz
- 1.2.2: http://mirror.qubenet.net/mirror/pfsense/updates/pfSense-Full-Update-1.2.2.tgz
- 1.2.3: http://mirror.qubenet.net/mirror/pfsense/updates/pfSense-Full-Update-1.2.3-RELEASE.tgz
- Automatically using the web GUI: System → Firmware → Auto Update. This is a new feature in one of the 1.2.x releases. If a new version is recognised it will say so and give you the opportunity to upgrade to it. This is likely the easiest method of upgrading. Note: this method was broken at the time of 1.2.3's release and still is as of 27th January 2010, it downloads the update then says "Update cannot continue".
Note: if you're updating remotely, the manual web GUI method is likely to be slower as it involves uploading the update file from your location.
The system will then restart.
Return to the system status page; you'll automatically be redirected to the package re-installation page. If you have packages installed they will at this point automatically be re-downloaded and reinstalled.
12.0 Troubleshooting
doc.pfsense.org/index.php/Category:Troubleshooting
13.0 Finding Help
Forum divided up in to the different pfSense features: forum.pfsense.org/index.php#2
Random knowledge about pfSense / answers to repeated questions: forum.pfsense.org/index.php/topic,7001.0.html
Support mailing list: http://www.pfsense.org/index.php?option=com_content&task=view&id=66&Itemid=71
pfSense Google custom search (search the blog, forum, doc site and more from one location): http://www.google.com/cse/home?cx=006836938521462326004:yyqz67ir-is.