Based on the FreeBSD distribution, pfSense gives you the twin functionality of a
firewall and a router within the same box. It is derived from the m0n0wall
project, but provides more features, including firewalling, NAT, load
balancing, VPN and reporting.
Direct Hit!
Applies To: Network admins
USP: Add firewall rules, configure a captive portal and much more
Primary Link: www.pfsense.com
Google Keywords: pfsense
Deploying pfSense
pfSense can be deployed in various scenarios. It can be deployed as a gateway
firewall with the Internet connection terminating at the WAN port and the
internal network on its LAN port. It can also handle multiple Internet
connections and help you set up a DMZ on your network. For a larger network, you
can deploy it as a LAN or WAN router. You can also set it up as a wireless
access point, a VPN appliance, a DHCP server and much more.
We deployed pfSense as a gateway-level firewall. It is offered in three
forms: a VMware appliance, a Live CD and an embedded version. The Live CD gives
you the option of installing it on a hard drive, which is what you want for a
production deployment. If you run from the Live CD itself, the settings can be
saved to removable media and restored when needed. The embedded version is meant
for flash drives.
We downloaded the VMware appliance and installed it on our server. After
booting up, the console showed a list of options, such as resetting the
password, restarting the web configurator, setting up the LAN IP, etc. To open
the web configuration page from another computer on the network, log in with
'admin' as both the username and the password.
Adding firewall rules
To add firewall rules in pfSense, open the web configuration page and
navigate to Firewall > Rules. Click the 'add new rule' icon at the right side
of the page. A new page opens, asking for all the details needed to set up a
rule.
In the first option, 'Action', choose Block to block the traffic, otherwise
choose Pass. The second option disables a rule without deleting it. Then specify
the interface on which pfSense should look for packets. Next choose the IP
address to which this rule applies. Source and destination each have a 'not'
option that inverts the sense of the match, so the rule applies to everything
except the specified address. The interesting part is the 'Source OS' option,
which lets you apply a rule only to traffic from Linux or Windows machines.
Other useful options are available as well.
Removing a rule is simple. Navigate to the LAN or WAN tab, wherever the rule
is deployed, check the rule you want to delete and click the 'delete selected
rule' icon on the right side of the page.
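Underneath the rule editor, pfSense turns each GUI rule into an entry in the FreeBSD pf (packet filter) ruleset. The fragment below is an added illustration, not configuration generated by pfSense: the interface names em0 (WAN) and em1 (LAN) and the subnet 192.0.2.0/24 are assumed placeholders. The first rule shows what the source 'not' option does, the second what the 'Source OS' option does.

```pf
# Assumed interfaces: em0 = WAN, em1 = LAN; 192.0.2.0/24 is a placeholder subnet.
# Block (and log) anything arriving on WAN that is NOT from the trusted subnet:
# the source 'not' checkbox in the GUI inverts the match in exactly this way.
block in log quick on em0 inet from ! 192.0.2.0/24 to any

# Pass web traffic from the LAN only when pf's passive fingerprint says the
# sending host runs Windows: this is the 'Source OS' option.
pass in quick on em1 inet proto tcp from any os "Windows" to any port 80
```

The `log` keyword is what makes a match show up under Status > System logs on the firewall tab, so a rule you want to troubleshoot later should have logging enabled when you create it.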
Configuring captive portal
The captive portal gives you a way to restrict Internet access for guest
users. Through the portal, users must enter a username and password before they
get access to the Internet, much like joining the WiFi network of a hotel.
To configure the captive portal, navigate to Services > Captive portal and
then click on the Captive Portal tab. Check the 'Enable Captive Portal'
checkbox. Then select the interface on which the captive portal should run.
Specify the maximum number of concurrent connections, idle timeout, redirection
URLs, etc. User authentication can be done through the internal user manager or
with a RADIUS server. If you choose RADIUS authentication, provide the necessary
details such as the server's IP address, port number, etc. The portal also
supports HTTPS login; for this you need to specify the HTTPS server name,
certificate and private key. You can also customize the page that will be
displayed to guest users. Finally click on Save.
pfSense provides very elaborate and categorised system logs. A system admin can view log reports of systems, firewall, VPN, etc on his network.
The Captive Portal
Adding and removing user
To add a user to the internal database, navigate to Services > Users and
click the 'Add User' icon. Provide the username, password, full name and
expiration date of the user. If the user account has no expiration date, leave
it blank. Click Save to create the user. To delete a user, click the 'delete
user' icon found beside the user's row.
Configuring DHCP server
To enable the DHCP server, navigate to Services > DHCP server and check
'enable DHCP server on LAN interface'. Then specify the range of IPs that will
be allocated to clients connecting to the server, for example 192.168.2.10 to
192.168.2.234. Next specify the DNS server address and the gateway, i.e. the IP
address of the pfSense server itself, and then click on Save.
Log reports
To check the logs that have been generated, navigate to Status > System
logs. By default it displays the last 50 system log entries. You can also view
the logs generated by the firewall, DHCP, settings, portal, etc. These logs are
very helpful for troubleshooting and for keeping track of the different
activities happening around pfSense.
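The firewall tab of Status > System logs is the one an admin reads most often, and it quickly grows past what is comfortable to scan by eye. The script below is an added example, not pfSense's own code: it parses exported firewall log lines, counts what each rule blocked per source address, and flags sources whose blocked packets touched many distinct ports. It assumes the comma-separated format written by pfSense's filterlog daemon (rule number, sub-rule, anchor, tracker id, interface, reason, action, direction, IP version, the IPv4 header fields, then source, destination and, for TCP/UDP, the port fields); the log lines in SAMPLE_LOG are constructed for the example and describe no real traffic.

```python
"""Parse pfSense firewall log entries and summarise what the rules blocked.

Added example, not pfSense's own code. It assumes the comma-separated format
written by pfSense's filterlog daemon; the lines in SAMPLE_LOG are constructed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Syslog prefix written ahead of the filterlog CSV body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) filterlog: (?P<body>.*)$"
)

# Constructed sample lines: two blocked TCP SYNs, one permitted DNS query, one
# blocked SNMP probe, plus an unrelated sshd line the parser must ignore.
SAMPLE_LOG = """\
Jun  5 10:00:01 pfSense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,51234,22,0,S,1234567,,65535,,mss;sackOK
Jun  5 10:00:02 pfSense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,51235,23,0,S,1234568,,65535,,mss;sackOK
Jun  5 10:00:03 pfSense filterlog: 9,16777216,,1000000105,em1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,76,192.168.2.15,192.0.2.53,40000,53,56
Jun  5 10:00:04 pfSense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,198.51.100.9,192.0.2.10,40001,161,40
Jun  5 10:00:05 pfSense sshd[812]: Accepted publickey for admin from 192.168.2.15
"""


@dataclass
class FilterEvent:
    timestamp: str
    rule: str        # rule number, follows the order shown under Firewall > Rules
    tracker: str     # tracker id pfSense assigns to each GUI rule
    interface: str
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    protocol: str
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_filterlog_line(line: str) -> Optional[FilterEvent]:
    """Return a FilterEvent for an IPv4 filterlog line, or None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None                      # some other daemon's log line
    f = m.group("body").split(",")
    if len(f) < 20 or f[8] != "4":
        return None                      # IPv6 and truncated entries are skipped here
    protocol = f[16].lower()
    src_port = dst_port = None
    if protocol in ("tcp", "udp") and len(f) >= 22:
        src_port, dst_port = int(f[20]), int(f[21])
    return FilterEvent(
        timestamp=m.group("ts"), rule=f[0], tracker=f[3], interface=f[4],
        action=f[6], direction=f[7], protocol=protocol, src=f[18], dst=f[19],
        src_port=src_port, dst_port=dst_port,
    )


def parse_filterlog(text: str) -> list:
    """Parse a log dump, dropping every line that is not a filterlog entry."""
    events = (parse_filterlog_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def blocked_by_source(events) -> Counter:
    """Count blocked packets per source address."""
    return Counter(e.src for e in events if e.action == "block")


def sources_probing_many_ports(events, min_ports: int = 10) -> dict:
    """Sources whose blocked packets hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        if e.action == "block" and e.dst_port is not None:
            ports[e.src].add(e.dst_port)
    return {src: p for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    evs = parse_filterlog(SAMPLE_LOG)
    for src, n in blocked_by_source(evs).most_common():
        print(f"{src}: {n} blocked")
    print("many ports:", sources_probing_many_ports(evs, min_ports=2))
```

Only rules created with logging enabled produce these entries, and only IPv4 lines are handled here; IPv6 entries carry a different set of header fields after the version column and are skipped rather than misparsed. The port-count threshold is deliberately a parameter, since what counts as "many ports" depends on how noisy your WAN link normally is.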