pfSense Basic

This tutorial is part of "The LAB" project.


pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. I will use this tool to separate my internal network from the internet, and specify custom access rules for different computers or groups of computers. This tutorial will cover the basic install of pfSense.


Virtual machine with the following settings:

  • Choose FreeBSD when creating VM
  • 128 MB RAM
  • 1 GB HDD
  • 2 NIC cards + 1 NIC later (internal, external)

Installer Live CD:


Installing pfSense

Boot from the live CD and type "I" when it asks for the new install mode.

On the following screen you can choose the keyboard layout and video settings. I left everything on default except the keymap.

I prefer choosing "Quick/Easy Install" because I will use the WebGUI for detailed configuration.

Accept the install by selecting "OK".

Select your kernel type. This machine is a minimal config for me, so I chose Uniprocessor. In most cases this should be enough, especially for a test lab.

After the installer has finished, you have to reboot the computer.

The OS automatically detects the network interfaces, and you have to assign them to LAN and WAN. You can see that the interfaces in my case are em0 and em1. I said no to VLAN setup, because it is easier to set up in the GUI. The next question is the LAN interface, which will be em1 now.

The WAN interface will be em0.

It will ask for more interfaces, but I don't have any left so I just hit enter.

A second check on my settings, accept by typing "y".

The system is ready. You can see that the WAN IP is configured via DHCP and got the correct IP, but the LAN has a wrong IP address. Choose "2" from the menu to set the correct address.

Set the IP to the static IP you want. In my LAB environment it will be "".

Netmask should be 24 for now.

In my LAN I already have a DHCP server on my DC, so I choose "n" for this question, because I don't want this pfSense to be my DHCP server.

Check that the settings are correct, and browse to the IP of the pfSense machine from another machine on the LAN.

The default username/password is "admin"/"pfsense". Log in with the credentials.

Accept the wizard and go through it.

The hostname could be anything; my domain is "" with the domain controller on "" which is also a DNS server.

Set the NTP preferences as you prefer; I left the server on the default. Set the time zone as well.

The pfSense will be a firewall and a gateway to the internet, so it should have a fixed IP. It could be on a reserved DHCP address, but what if the DHCP server is not available? No firewall and no connection to the internet? That's not too good. So choose the "Static" type and set the IP address of the WAN. It will automatically show you the correct value. The gateway should be the next gateway in your network. In my case it is a VirtualBox environment, so the IP address of the WAN interface is "" and the gateway is the VBOX gateway which is "". VBOX usually uses x.x.x.2 as the gateway address for a network.

At the bottom of the settings page are some security restrictions, which you should leave on the defaults.

You can check the LAN settings now. You should see the internal LAN IP you set on the command line earlier.

The last step of the config is changing the administrator password.

Finish the setup by reloading the configuration.

Now you are finished with the basic settings.

Add additional network card

I will now add a new network card which will be the DMZ LAN or something similar to that concept.


  • Shut down the firewall.
  • Insert a new NIC card to your (virtual) machine and boot up the pfSense.
  • In the menu select "Interfaces" and click on the "+" sign to add the new card. It recognised the card as "em2" in my case. Click on "Save".

  • Choose the new OPT1 interface and configure it.
  • Check the "Enable Optional 1 interface".
  • The description could be anything.
  • The IP will be a static address.

  • In my case the DMZ network will be "".

  • I have to add some rules to let this network access the Internet.
  • I block the connections from this network to the LAN segment which is intended to be my "LAN" in the LAB environment.
  • I let this network reach the Internet as you can see in the second rule. Actually it is not necessary to define here that the destination cannot be the LAN but I like to see it.

Network configuration is finished.
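
The two OPT1 rules described above, modelled as an added example (not part of the original tutorial and not pfSense code): top-down, first-match evaluation with a default deny, showing that the "not LAN" destination is redundant while the block rule is in place, and what it still protects if that block rule is ever removed. The LAN and DMZ ranges, the sample addresses and all function names are constructed assumptions, since the tutorial's real values are not shown.

```python
import ipaddress

# Constructed placeholder ranges; the tutorial's real LAN/DMZ networks are not shown.
LAN = ipaddress.ip_network("192.168.10.0/24")
DMZ = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def rule(action, src, dst, negate_dst=False):
    """One interface rule: action, source net, destination net, optional 'not' on destination."""
    return {"action": action, "src": src, "dst": dst, "negate_dst": negate_dst}

# The two OPT1 rules in the order the page describes them.
AS_WRITTEN = [
    rule("block", DMZ, LAN),
    rule("pass", DMZ, LAN, negate_dst=True),  # destination: NOT LAN
]
# Same rules without the negation the page calls unnecessary.
WITHOUT_NEGATION = [
    rule("block", DMZ, LAN),
    rule("pass", DMZ, ANY),
]

def evaluate(rules, src, dst):
    """First matching rule wins; traffic matching no rule is blocked (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        dst_match = (dst in r["dst"]) != r["negate_dst"]
        if src in r["src"] and dst_match:
            return r["action"]
    return "block"

def verdicts(rules):
    """Verdicts for constructed sample flows arriving on the DMZ interface."""
    flows = {
        "dmz->lan": ("192.168.20.5", "192.168.10.10"),
        "dmz->internet": ("192.168.20.5", "203.0.113.80"),
        "other-src->internet": ("10.9.9.9", "203.0.113.80"),
    }
    return {name: evaluate(rules, s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    for label, rs in [("as written", AS_WRITTEN), ("without negation", WITHOUT_NEGATION),
                      ("block rule removed, negation kept", AS_WRITTEN[1:]),
                      ("block rule removed, no negation", WITHOUT_NEGATION[1:])]:
        print(f"{label:36} {verdicts(rs)}")
```

With the block rule deleted, only the variant that kept the negated destination still denies DMZ-to-LAN traffic, which is the practical value of the "redundant" setting.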