You can run pfSense in a VM

Installation and Configuration of pfSense: Advanced Firewall for Business

pfSense is an operating system that uses very few resources. However, depending on the use case, the number of users transferring data and the services we install, we will need more or less CPU power and RAM. It can be installed on practically any current computer; logically, the performance we get depends on the hardware, and also on the configuration we make on the firewall ourselves. The most important requirement is that pfSense can detect the Ethernet network cards. Intel cards are the most recommended to avoid problems, but many other manufacturers are also compatible; before buying, it is advisable to check the official pfSense forums.


Main features

The main goal of the pfSense operating system is to provide security for home and business environments. It acts as a firewall, but it can also be used as the main router, since we have hundreds of advanced configuration options. Thanks to the possibility of installing additional software, we can have a powerful IDS/IPS (Intrusion Detection and Prevention System) such as Snort or Suricata. To use pfSense you need two network cards: one for the Internet WAN and one for the LAN. If we have more cards (or a card with multiple ports) it is much better, because we can configure additional physical interfaces, a DMZ, an additional network, and much more.

Another strong point of pfSense is the continuous updates, both for the base operating system and for all the packages we can additionally install. On a firewall/router exposed to the Internet it is very important to apply updates promptly in order to close any security holes that are found.

Firewall and IDS / IPS

As usual, pfSense uses a rule-based SPI (Stateful Packet Inspection) firewall, so we can filter packets quickly and in a very granular way. Depending on the hardware, throughput of more than 10 Gbit/s can be achieved. Thanks to the graphical user interface, we can create "aliases" (named groups of IP addresses, networks or ports) and reference them in rules, so that we don't end up with hundreds of individual rules. Rules are evaluated top to bottom on each interface and the first match wins, so their order matters. It is very important to know exactly what we are filtering and to keep the rules up to date. pfSense also keeps detailed logs of which rules have fired and of what is happening in the operating system.
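The alias and rule review described above can be scripted against a pfSense configuration backup (the config.xml file that the installer and the console menu can restore). The following is an added example, not code from pfSense or Netgate: it parses a constructed config.xml whose tag layout follows the shape of a real pfSense backup (`<aliases>/<alias>`, `<filter>/<rule>`, `<source>` and `<destination>` holding `<any/>`, `<address>` or `<network>`; this layout is an assumption, and the sample document is constructed), expands aliases, and flags pass rules that a reviewer would want to look at, such as a "temporary" any-to-any pass on the WAN.

```python
"""Audit pass rules in a pfSense config.xml backup (added example, not pfSense code)."""
import xml.etree.ElementTree as ET

# Constructed sample; the tag layout approximates a pfSense config.xml (assumption).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <aliases>
    <alias><name>WebServers</name><type>host</type>
      <address>192.168.10.10 192.168.10.11</address><descr>DMZ web servers</descr></alias>
    <alias><name>WebPorts</name><type>port</type><address>80 443</address></alias>
    <alias><name>Everything</name><type>network</type><address>0.0.0.0/0</address></alias>
  </aliases>
  <filter>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>WebServers</address><port>WebPorts</port></destination>
      <descr>Allow HTTP/HTTPS to DMZ web servers</descr></rule>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source><destination><any/></destination>
      <descr>Temporary debug rule</descr></rule>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source><destination><address>Everything</address></destination>
      <descr>Default allow LAN to any</descr></rule>
    <rule><type>block</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source><destination><any/></destination>
      <descr>Explicit default deny on WAN</descr></rule>
  </filter>
</pfsense>
"""


def load_aliases(root):
    """Map alias name -> list of members (hosts, networks or ports)."""
    aliases = {}
    for alias in root.findall("./aliases/alias"):
        name = alias.findtext("name", "").strip()
        aliases[name] = alias.findtext("address", "").split()
    return aliases


def expand(endpoint, aliases):
    """Render a <source>/<destination> element as a list of concrete values."""
    if endpoint is None or endpoint.find("any") is not None:
        return ["any"]
    if endpoint.find("network") is not None:
        return [endpoint.findtext("network")]
    addr = endpoint.findtext("address", "").strip()
    # An alias name expands to its members; a literal address stays as it is.
    return aliases.get(addr, [addr]) if addr else ["any"]


def is_wide_open(members):
    """True when an expanded endpoint covers every address."""
    return any(m in ("any", "0.0.0.0/0", "::/0") for m in members)


def audit_rules(config_xml):
    """Return (interface, description, finding) for each pass rule worth reviewing."""
    root = ET.fromstring(config_xml)
    aliases = load_aliases(root)
    findings = []
    for rule in root.findall("./filter/rule"):
        if rule.findtext("type", "").strip() != "pass":
            continue
        iface = rule.findtext("interface", "").strip()
        descr = rule.findtext("descr", "").strip()
        src = expand(rule.find("source"), aliases)
        dest = rule.find("destination")
        dst = expand(dest, aliases)
        dport = dest.findtext("port") if dest is not None else None
        if iface == "wan" and is_wide_open(src) and is_wide_open(dst):
            findings.append((iface, descr, "pass any->any on WAN"))
        elif iface == "wan" and dport is None:
            findings.append((iface, descr, "pass on WAN without a destination port"))
        elif is_wide_open(dst):
            findings.append((iface, descr, "destination expands to all addresses"))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_CONFIG):
        print(finding)
```

Run against a real backup, `audit_rules(open("config.xml").read())` lists the WAN pass rules that are too broad and the LAN rules whose alias silently expands to "everything"; the explicit block rule is ignored because it tightens rather than loosens the policy.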

pfSense not only has a powerful firewall to mitigate and/or block DoS and DDoS attacks, but can also run an advanced IDS/IPS such as Snort or Suricata, which we can install easily and quickly from the available packages. In both cases we have a graphical user interface for configuring the interfaces on which it must run, as well as all the rule sets we need to detect possible attacks. We can also spot information leaks and suspicious activity on the network, and block it. Of course, we can also see the status of the operating system in real time and even install additional software to view advanced graphical reports of everything that is going on in the system.

VPN

Virtual private networks (VPNs) are usually terminated on the firewall itself, so as not to have problems with NAT and with the filtering of other firewalls. With a VPN server or VPN client we can securely connect remote sites over the Internet, and connect individual devices to the local network in remote-access VPN mode. pfSense includes different types of VPN to adapt perfectly to the needs of the users:

  • L2TP / IPsec
  • IPsec IKEv1 and IKEv2 with different authentication types such as Mutual-PSK, Mutual-RSA and even Xauth.
  • OpenVPN with authentication through digital certificates, user credentials, and more.
  • WireGuard

The highlight of pfSense 2.5.0 is the inclusion of the popular WireGuard VPN, which connects remote users and creates site-to-site tunnels quickly and easily; this new protocol was integrated into the kernel and provides excellent performance. Note that the in-kernel implementation shipped in 2.5.0 was removed from the base system in 2.5.1, and WireGuard has since been offered as a separate package, so check the release notes for the version you install.

Other features

pfSense includes a variety of services equal to or better than those of routers and other professional firewalls. Some of the most important additional functions are: a DNS server with a DNS resolver (ideal so that the firewall itself resolves all queries), a full DHCP server with dozens of advanced options, an NTP server that provides the time to other devices, Wake-on-LAN, QoS and traffic shaping to prioritise different devices, VLAN support (with the ability to configure different VLANs on one or more interfaces), QinQ, bridges and LAGG with various advanced options, dynamic DNS, and much more. We must not forget that, as a very complete operating system, it keeps a full log of everything that is happening and can even send us notifications by email or Telegram so that we are always aware of what is going on.

One of the most important features is the ability to install additional packages to get even more functionality. Thanks to this additional software, we can expand the functions of this professional firewall. Some of the most popular extensions are:

  • arpwatch: notifies us via email or Telegram when new devices connect to the network
  • bandwidthd: graphs of bandwidth usage per host
  • freeradius3: sets up a RADIUS authentication server, ideal for WiFi access points with WPA2/WPA3-Enterprise
  • iperf: measures bandwidth to and from pfSense
  • nmap: port scanning from the firewall
  • pfBlocker-ng: blocks advertisements as well as malicious domains and IP addresses
  • Snort and Suricata: the two IDS/IPS par excellence are not supplied as standard, but can be installed
  • HAProxy: load balancing and reverse proxying
  • Squid: sets up a proxy server
  • NUT: monitoring of UPS systems
  • Zabbix agent: easy integration into a monitoring system
  • Zeek (formerly Bro IDS)

pfSense runs on the x86 architecture and is compatible with current 64-bit CPUs. It can also be deployed on almost any cloud platform, such as Amazon AWS, Azure and others. We should also bear in mind that today we can buy appliances from the manufacturer Netgate that come with pfSense preinstalled and are geared towards the professional sector.

Download and install pfSense

pfSense CE is completely free to download and use. Just go to the official website and straight to the "Download" tab.

As soon as we have clicked on "Download", we will see a section in which we select the architecture; we choose AMD64.

We also need to choose the image type: an ISO image, which can be burned to a DVD or written to a USB drive, or a USB memstick image. We selected the ISO image. Next we need to select the mirror to download from; it is recommended to pick the one physically closest to your location.

Once we have downloaded the image we need to decompress it, as it comes in iso.gz format, and extract the ISO image directly. Before doing so, verify the SHA-256 checksum published next to the download against the file we received, so that a corrupted or substituted image is never booted.
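The verification-then-extraction step above, as an added example that is not part of the pfSense project: it parses the published `.sha256` file (the BSD-style `SHA256 (file) = hex` line format is assumed; a GNU-style `hex  file` line is also accepted), compares the digest of the downloaded `.iso.gz`, and only then decompresses it. The file name and the gzip payload in `demo()` are constructed stand-ins for the real download.

```python
"""Verify a downloaded pfSense image against its published SHA-256, then extract it."""
import gzip
import hashlib
import os
import re
import tempfile

# Assumed formats of the published checksum file: BSD style "SHA256 (name) = hex"
# and GNU style "hex  name".
_BSD = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})\s*$")
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>\S+)\s*$")


def parse_sha256_file(text):
    """Return {filename: hex_digest} for every recognised line."""
    digests = {}
    for line in text.splitlines():
        m = _BSD.match(line) or _GNU.match(line)
        if m:
            digests[m.group("name")] = m.group("hex").lower()
    return digests


def sha256_of(path):
    """Stream the file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_and_extract(gz_path, sha256_text):
    """Check gz_path against the published digest, then gunzip it to an .iso.

    Raises ValueError (and extracts nothing) if the digest is missing or differs.
    Returns the path of the extracted ISO.
    """
    name = os.path.basename(gz_path)
    expected = parse_sha256_file(sha256_text).get(name)
    if expected is None:
        raise ValueError(f"no SHA256 entry for {name}")
    actual = sha256_of(gz_path)
    if actual != expected:
        raise ValueError(f"checksum mismatch for {name}: {actual} != {expected}")
    iso_path = gz_path[:-3] if gz_path.endswith(".gz") else gz_path + ".iso"
    with gzip.open(gz_path, "rb") as src, open(iso_path, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    return iso_path


def demo(tamper=False):
    """Constructed stand-in for the real download, built in a temporary directory.

    Returns True when verification passed and the ISO was extracted intact,
    False when the checksum check rejected the file.
    """
    with tempfile.TemporaryDirectory() as d:
        # Assumed file name following the pfSense CE naming pattern.
        gz_path = os.path.join(d, "pfSense-CE-2.5.0-RELEASE-amd64.iso.gz")
        payload = b"constructed stand-in for ISO contents\n" * 1000
        with gzip.open(gz_path, "wb") as f:
            f.write(payload)
        sha_text = f"SHA256 ({os.path.basename(gz_path)}) = {sha256_of(gz_path)}\n"
        if tamper:
            # Simulate a corrupted or substituted download after the digest was published.
            with open(gz_path, "ab") as f:
                f.write(b"\x00")
        try:
            iso = verify_and_extract(gz_path, sha_text)
        except ValueError:
            return False
        with open(iso, "rb") as f:
            return f.read() == payload


if __name__ == "__main__":
    print("good download:", demo())
    print("tampered download:", demo(tamper=True))
```

For a real download, call `verify_and_extract("pfSense-CE-<version>-amd64.iso.gz", open("pfSense-CE-<version>-amd64.iso.gz.sha256").read())`; the checksum only proves integrity against the mirror's published value, so fetch the `.sha256` file from the official site rather than from the mirror you downloaded the image from.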

Once we have the ISO we can burn it to a CD or write it to a bootable USB stick with Rufus or a similar tool. In our case we will install pfSense in a VMware virtual machine, so you can see the installation in a controlled test environment before moving it to production later. In the tutorial you will see how to create two network adapters: one in bridged mode, connected to the real local network, and one in host-only mode, so that we can reach the firewall's management interface from our computer without depending on the local network.

Configuration of the virtual machine in VMware

In our case we will be using VMware Workstation 15.5 Pro, but any version will do to install this firewall-oriented operating system. The first thing to do when opening VMware is to click on "Create New Virtual Machine", as you can see on the following screen:

In the VM configuration wizard we select "Typical" creation and load the pfSense ISO image. VMware automatically detects the guest as FreeBSD 10 (although pfSense 2.5 is actually based on FreeBSD 12.2; the detection is harmless). We continue with the wizard, choose the VM path, and leave the virtual hard disk at 20 GB. Finally, a summary of all the hardware this virtual machine will have is displayed.

Before finishing, we click "Customize Hardware" to increase the RAM to 4 GB, increase the number of CPU cores, add an additional network adapter and configure the adapters correctly.

Regarding the number of CPUs and cores (we recommend 1 CPU with 4 cores) and the RAM (we recommend at least 4 GB), we also have to add a second network adapter, because we need an Internet WAN and a LAN. We click "Add" and then "Network Adapter" to add it. We could add further adapters to have more configuration options at the firewall level, but starting with a WAN and a LAN is fine.

Once we have added the two we need to configure them as follows:

  • Adapter 1: bridge (automatic)
  • Adapter 2: Custom VMnet1 (host only)

Next, you can see what this configuration would look like.

The VMnet1 adapter on the host must be configured so that we can reach the pfSense web management interface. Go to "Control Panel / Network and Sharing Center / Change adapter settings" and set the IPv4 address of the "VMware Network Adapter VMnet1" adapter to 192.168.1.2/24, as shown below (pfSense's LAN interface will be 192.168.1.1 by default). Click OK twice to close the configuration dialogs. It is also advisable to disable VMware's own DHCP service on VMnet1 in the Virtual Network Editor, so that it does not compete with the DHCP server that pfSense enables on its LAN.

Once we have everything configured at the virtual machine level, we can run the virtual machine to begin the installation.

Install pfSense on VMware

When we start the virtual machine, we see a boot menu with several options. We should not touch anything and simply wait for the countdown to finish. The installer then loads and shows the different options the ISO image offers for installing pfSense.

Once the installer starts, we accept the copyright notice it shows us. In the next menu we can install, recover the operating system after a catastrophic failure, or restore a config.xml configuration file from a previous installation. We click "Install" to install the operating system from scratch. In the following menu we choose our keyboard layout.

Then we are asked how we would like to partition the disk: Auto (UFS) for BIOS or UEFI, Manual, Shell (opening a console for experts to do everything by hand), or Auto (ZFS). In our case we selected Auto (UFS) BIOS and proceeded with the installation. Installation takes about a minute, depending on the hardware. When it is complete, we are asked whether we want to open a shell to make final modifications; we click No, and then accept the prompt to reboot.

As soon as pfSense boots again, we can see on the console that the WAN has been assigned an IP address and that the LAN has its IP address configured correctly.

In the administration menu on the console we can perform the following actions:

  • Log out (SSH only)
  • Assign physical interfaces to the WAN or LAN. VLANs can also be configured here, both for the Internet connection and for the LAN.
  • Set the IP address of the previously assigned interfaces
  • Reset the web GUI (webConfigurator) administrator password
  • Reset pfSense to factory defaults
  • Reboot the system
  • Halt the system
  • Ping a host
  • Open a shell for advanced command-line administration tasks
  • Start pfTop to view all current connections
  • View the filter (firewall) logs
  • Restart the webConfigurator
  • Open the PHP shell with the pfSense developer tools
  • Update from the console
  • Enable SSH (sshd) in the operating system
  • Restore a recent configuration
  • Restart PHP-FPM if you have problems accessing the web interface

If we want to configure the physical interfaces from the console before logging in over the web, we can easily do so, and even assign the appropriate VLANs:

Of course, we have to perform the assignment from scratch and bind the appropriate interface to the WAN and the LAN:

Finally, we can configure the interfaces at the IP level, for both the WAN and the LAN. This console configuration is very basic; the full set of options is available from the web interface.

At this point we can access the pfSense configuration from a browser on the LAN at https://192.168.1.1 with the user name "admin" and the default password "pfsense".

PfSense configuration wizard

To access the pfSense web interface we enter the URL https://192.168.1.1 with the user name "admin" and the default password "pfsense". By default the web GUI listens on port 443 for HTTPS, so it is not necessary to specify a port.

Once we have accepted the browser warning about pfSense's self-signed TLS certificate, the login page appears, as you can see here:

pfSense provides a step-by-step setup wizard that walks through the most important network settings. We can skip it, but it is advisable to follow it the first time.

The first thing we see in this wizard is a welcome screen. It then tells us that we can purchase a Netgate support subscription. Netgate has been developing pfSense for years, both for its own appliances and for the community, and since version 2.5.0 the two editions have diverged further (pfSense CE vs pfSense Plus).

Next we can set the host name, the domain and the DNS servers, if we want to use servers other than our ISP's. We can also configure the NTP server for time synchronisation and the time zone. The wizard then helps us configure the Internet WAN interface. We have four possible configuration types: Static, DHCP, PPPoE and PPTP. It also supports a VLAN ID for operators that require it. In this menu we can clone the MAC address, configure the MTU and MSS, make settings specific to the connection type, and enable the automatic firewall rules that block private (RFC 1918) and bogon networks on the WAN, which should be left enabled on an Internet-facing interface.

We can also configure the LAN interface. By default it uses 192.168.1.1, but we can choose any address and subnet mask we want. Another very important step is changing the default password: pfSense asks us to change it, and we should set a long, unique one, since "admin"/"pfsense" is public knowledge. After making the change, click "Reload" to apply the settings and exit the wizard. We can now start configuring this complete firewall in an advanced way.

Having gone through the web setup wizard in detail, we will now look at the full set of configuration options.

PfSense management options

On the pfSense dashboard we can see the system information: the host name, the logged-in user, the platform, the hardware, and the exact version of pfSense and of the base operating system (FreeBSD). We can also see the uptime, the current time, the DNS servers, and the load on the CPU, memory and disk. On the right side we can see the status of the network interfaces we have configured.

This dashboard is very configurable. To get the whole status of pfSense at a glance, we can add widgets such as the current state of the network interfaces, OpenVPN and IPsec, the firewall logs and many others, and arrange them to suit the needs of the network.

Having seen the dashboard, we will go through the pfSense operating system section by section, without going into every detail, as there are hundreds of options.

System

In the "System" section we can configure pfSense's own web server, enable HTTPS and SSH, and configure access security and login protection in detail. We can also set global parameters for the firewall and NAT, as well as network-level parameters for IPv6 and the network interfaces. An important detail is that we can enable or disable hardware "offloading" to improve performance when the hardware supports it. Additional options cover the proxy, load balancing and power-saving functions. Finally, we can tune low-level parameters of the base operating system and configure notifications via email and Telegram (a novelty in pfSense 2.5).

In this "System" section we also have a certificate manager. We can quickly and easily create a certification authority as well as server and client certificates, to be used later by VPN servers such as IPsec or OpenVPN, or by the FreeRADIUS server that we can optionally install. With this certificate manager we can create certificates based on RSA and also on elliptic curves, with different algorithms.

In the "General Setup" section we can change the host name, the domain and the DNS servers to be handed out to clients, configure localisation (time zone and NTP server), and change the appearance of pfSense through various themes. This last part is useful for switching the graphical interface to a dark theme or to any other theme we prefer. We can also configure HA for high availability, and install a large amount of additional software from the Package Manager section to extend pfSense's capabilities.

In the "Routing" section you can see the various registered gateways, the ability to configure static routes to reach other networks, and even create a group of gateways.

pfSense allows updating via the operating system itself. As soon as it is determined that a new version is available, we can update it via the graphical user interface without having to download the ISO image and update it manually.

As a very complete operating system, pfSense lets us create different users and groups with different permissions. For example, we can create local users to authenticate to the system via SSH or to use a specific VPN. We can also configure an authentication server with RADIUS or LDAP to reuse existing users.

Once we see the "System" section, let's go to "Interfaces" to see everything we can do.

Interfaces

In the "Interfaces" section we can see the assignment of WAN and LAN to the various physical interfaces. From here we can easily configure the physical and logical interfaces: we can define VLANs and later assign them to a virtual interface. Other options include creating interface groups and configuring WiFi, QinQ, PPPs, GIF tunnels, bridges, and even a LAGG with different algorithms (LACP, Failover, LoadBalance and Roundrobin).

Let's imagine that our operator delivers the Internet service on VLAN ID 6, so the current untagged WAN configuration does not work. We need to create a VLAN with ID 6 on the WAN's physical interface and then assign that VLAN to the WAN. If we have different VLANs in the corporate network and want to route between them, we can also do this with pfSense by registering the different VLAN IDs on the LAN's physical interface and later creating virtual interfaces that "hang" off the LAN, each with its own firewall rules.

If we open the WAN or LAN configuration, we can see the settings that were made in the setup wizard. In the WAN menu we have the different connection types, the same for IPv6, and we can even set a spoofed MAC address. In addition to the advanced DHCP client parameters, we can also configure the MTU and MSS.

As for the LAN, it is normal to configure it as "Static IPv4" and then enable the DHCP server on it. The gateway handed out to clients that connect is the IP address of the pfSense LAN interface itself.