---
layout: guide
title: "pfSense Guide"
description: How to convert an old desktop PC into a router/firewall combo
carousels:
  installing:
    title: Navigating the Install Wizard
    steps:
      - text: Wait for the installer to boot
        image: /assets/images/guides/pfsense/setup-boot.png
      - text: Accept the copyright agreement
        image: /assets/images/guides/pfsense/setup-copyright.png
      - text: Select `Install` on the welcome screen
        image: /assets/images/guides/pfsense/setup-welcome.png
      - text: For partitioning, select `Auto (ZFS)`
        image: /assets/images/guides/pfsense/setup-partitioning.png
      - text: Wait for the installer to probe for devices
        image: /assets/images/guides/pfsense/setup-probe.png
      - text: On the ZFS Configuration menu, select `Pool Type/Disks` and press enter
        image: /assets/images/guides/pfsense/setup-zfs-menu-pool.png
      - text: When asked for device type, choose `Striped`. Then press enter
        image: /assets/images/guides/pfsense/setup-zfs-type.png
      - text: Select your hard drive and press space to add it to the pool, then press enter
        image: /assets/images/guides/pfsense/setup-zfs-drives.png
      - text: You should now be back on the main ZFS configuration window. Select `Install` and press enter
        image: /assets/images/guides/pfsense/setup-zfs-menu-install.png
      - text: Confirm you would like to wipe the drive
        image: /assets/images/guides/pfsense/setup-confirm.png
      - text: Wait for it to install the Operating System
        image: /assets/images/guides/pfsense/setup-installing.png
      - text: When the installation completes, select `Restart`
        image: /assets/images/guides/pfsense/setup-complete.png
      - text: After the screen goes black, remove your USB drive
        image: /assets/images/guides/pfsense/black.png
---

**NOTE: This article is still under development. Some sections are incomplete or need clarification**

# Goals / Who this is for

This guide is targeted at people who already understand the basics of computer networking (IP addresses, DHCP, etc.)
and want to dive further down the networking rabbit hole, while also building a functioning firewall that can be
configured to improve network security.

**Note:** pfSense requires a bit of time messing around in the web UI until you get the hang of it, so be prepared to
spend some time getting acquainted with the interface.

# Hardware

Pretty much any old desktop computer from the last ~15 years should be more than enough as long as it has:

- An x86-64 CPU (any consumer PC or server made in the last 15 years should be fine)
- Two RJ45 Ethernet ports
  - Most computers only have one, but a second can be added through USB or PCIe
  - I would recommend the [TP-Link TG-3468](https://www.tp-link.com/us/home-networking/pci-adapter/tg-3468/) as a
    budget-friendly PCIe expansion card.
- At least 2GB of system memory (RAM)
  - pfSense requires 1GB, but more is needed when there are many connected devices.
- A USB drive to hold the installer (must have > 1GB capacity)

pfSense is based on the FreeBSD operating system. A full list of supported hardware can be found
[on the FreeBSD website](https://www.freebsd.org/releases/13.0R/hardware/).

# Example network topology

In this guide, we will assume that this firewall sits between your ISP-provided modem and your wireless router. If your
ISP only provided a modem/router combo box, contact support to ask about using your own router.

<img src="/assets/images/guides/pfsense/topology.png" alt="TODO">

# pfSense CE vs pfSense Plus

The pfSense branding applies to two different operating systems, pfSense CE (Community Edition) and pfSense Plus.
pfSense CE is free and open source, meaning that the source code is freely available to view, modify, and redistribute.
pfSense Plus is a closed-source version maintained by Netgate.

For more information on the differences between pfSense CE and pfSense Plus, see the
[official FAQ](https://www.netgate.com/support/frequently-asked-questions-pfsense-plus).

**Note:** pfSense Plus used to be free for non-commercial use, but Netgate has removed that subscription tier. The
cheapest subscription plan is $129 per year.

# Installing the OS

Note: This guide assumes that your firewall has a video output. If you are using a serial console, please follow the
[official documentation](https://docs.netgate.com/pfsense/en/latest/install/download-installer-image.html).

## Downloading the OS

The pfSense CE installer image can be obtained from [the pfSense website](https://www.pfsense.org/download/).

Architecture should be set to **AMD64**, and the installer type can be either USB Memstick or DVD Image. Both can be
flashed onto a USB stick. [Here is a full comparison](https://en.wikipedia.org/wiki/IMG_(file_format)#Comparison_to_ISO_images)
of the two formats.

If you have chosen to use pfSense Plus, install pfSense CE first; you can upgrade from pfSense CE to pfSense Plus after
installation.

## Flashing the Image onto a USB Stick

Once the file has downloaded, open the USB flasher of your choice (I recommend
[Balena Etcher](https://etcher.balena.io/)) and flash the file.

**Note: This will wipe the contents of the USB stick, so make sure there's nothing important on it.**

# Booting into the installer

1. Insert the USB device into a USB port on the back of the motherboard (the front of the case should be fine, but
   don't use a USB hub)
2. Shut down the device
3. Start the device
4. Open the boot selection screen
   - This is different for every computer, but normally holding down `DELETE` works.
   - You can also try `F2` or `F12`
   - If those don't work, consult your motherboard or computer's manual.
5. Select the USB drive as the boot device
6. You should now see a pfSense boot screen. Press `Enter` or wait a few seconds for the installer to start booting

<img src="/assets/images/guides/pfsense/setup-bootloader.png" alt="TODO">

# Installing

{% include guide-carousel.html id="installing" %}

# Configuring pfSense

## Getting the router's IP address

After the system boot process completes, you should see a screen that looks like this.

<img src="/assets/images/guides/pfsense/cli-menu.png" alt="TODO">

The router displays its WAN address (public IP address) and LAN address (local IP address).

In my case, the local IP address is `192.168.1.1`.

## Accessing the Web Dashboard

Going to `http://ROUTER_LOCAL_IP_ADDRESS` in your browser should bring you to a login screen.

<img src="/assets/images/guides/pfsense/pfsense-login.png" alt="TODO">

The default username is `admin`, and the default password is `pfsense`.

You should now be prompted with a setup wizard.

Skip step 1, since it's just an ad for paid support.

<img src="/assets/images/guides/pfsense/wizard-welcome.png" alt="TODO">

On step 2:

- Set the hostname of the firewall (or leave it as pfSense)
- Give it a subdomain if you have one (TODO)
- Set DNS servers (1.1.1.1 and 1.0.0.1 are maintained by Cloudflare)

<img src="/assets/images/guides/pfsense/wizard-general.png" alt="TODO">

On step 3:

- Set the timezone
- Change the network time server if you are into that

<img src="/assets/images/guides/pfsense/wizard-timezone.png" alt="TODO">

Step 4 is where the magic happens: the WAN interface is configured here.
If this firewall sits directly behind your ISP-provided modem, there is a good chance that using DHCP will work
completely fine, but it depends on your specific ISP.

<img src="/assets/images/guides/pfsense/wizard-wan.png" alt="TODO">

On step 5, you can set your local IP address range. The default is `192.168.1.1/16`, but if you need more addresses, you
can use `10.0.0.0/8`.

<img src="/assets/images/guides/pfsense/wizard-lan.png" alt="TODO">

On step 6, set the password for the webGUI. Make sure to use a secure password.

<img src="/assets/images/guides/pfsense/wizard-password.png" alt="TODO">

On steps 7 and 8, reload the system.

The firewall will now restart. If you changed the LAN IP address, you need to change the address in your browser as well.

## Configuration

Note: This list is not comprehensive.

- Enable dark mode
  - System > General Setup > webConfigurator section > Theme
  - Set to pfSense-Dark
- Remove the "Netgate Services and Support" tab from the dashboard
  - Press the X in the top-right corner of the widget
- Add the traffic graph to the dashboard
  - Press the plus in the top-right corner of the dashboard and select "Traffic Graph"
- Upgrade to pfSense Plus if you are willing to pay at least $129/year
  - Purchase a license from
    the [pfSense Plus store page](https://shop.netgate.com/products/pfsense-software-subscription)
  - Insert the code provided in System > Register

# Setting up IPv6

## What is IPv6

IPv6 is a newer version of the Internet Protocol than the classic IPv4 and was mainly created to provide more IP
addresses. IPv4 supports a maximum of 2^32 (`4,294,967,296`) addresses, while IPv6 has a maximum of 2^128
(340,282,366,920,938,463,463,374,607,431,768,211,456) addresses.

## Do I need one?

IPv4 addresses are now a commodity, and thus some people (including me) have moved to hosting exclusively* using IPv6.

*My website is still accessible over the IPv4 internet through a network translation service, but I will probably pull
the plug when IPv6 becomes more widely adopted.

Your ISP might have already rolled out IPv6 to your area. You can check your IPv6 status using
[this website](https://test-ipv6.com/).

## Obtaining an IPv6 address block with TunnelBroker

Netgate provides an [official tutorial](https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunnel-broker.html) on
how to get a block of IPv6 addresses with TunnelBroker and how to configure pfSense to use them.

# Installing and configuring Snort

Snort is a rule-based intrusion detection and prevention package: it inspects incoming and outgoing network packets
against user-configured rules and can alert on, or block, whatever matches.

A side effect of the IPv4 address space being completely full is that people run bots that probe random addresses,
for both research and malicious reasons, so anything with a public IPv4 address gets scanned constantly.

## Installing the Snort package

1. Open the Package Manager's Available Packages view (System > Package Manager > Available Packages)

   <img src="/assets/images/guides/pfsense/pfsense-packages.png" alt="TODO">

2. Install the Snort package

   <img src="/assets/images/guides/pfsense/pfsense-package-confirm.png" alt="TODO">

3. Wait for the installation to complete

   <img src="/assets/images/guides/pfsense/pfsense-package-install.png" alt="TODO">

|
## Configuring Snort

1. First, go to the Snort configuration menu (Services > Snort) and click on the `Interfaces` tab if it does not send
   you to that page.

   <img src="/assets/images/guides/pfsense/snort-interfaces-empty.png" alt="TODO">

2. Add the WAN interface to be filtered by pressing the `Add` button in the bottom right

   <img src="/assets/images/guides/pfsense/snort-interfaces-empty.png" alt="TODO">

3. Select the WAN interface
4. By default, Snort will only log alerts for offending traffic. For extra protection, you can enable the
   `Block Offenders` option, but make sure it is set to block only the source address, and be aware that on rare
   occasions you might accidentally block yourself.
5. Press save at the bottom of the page to save the interface settings
6. Going back to the `Snort Interfaces` tab should show the WAN interface

   <img src="/assets/images/guides/pfsense/snort-interfaces-off.png" alt="TODO">

7. Enable scanning by pressing the Play button and waiting for it to start

   <img src="/assets/images/guides/pfsense/snort-interfaces-on.png" alt="TODO">

### Adding rules

Snort blocks connections based on rulesets that can be obtained from multiple sources:

- Snort VRT (requires an account; has free and paid tiers)
- Snort GPL (free without an account)
- ET Open (free without an account)
- ET Pro (targeted at large companies; does not publicly list prices)

To add rules:

1. Go to `Global Settings`

   <img src="/assets/images/guides/pfsense/snort-globalconfig1.png" alt="TODO">

2. Enable the rule sources you desire
3. Set the update interval to 1 Day

   <img src="/assets/images/guides/pfsense/snort-globalconfig2.png" alt="TODO">

4. Press `Save`

### Downloading Rules

Go to the `Updates` tab and press the `Update Rules` button. This will fetch all rules you enabled in the previous step.

### Configuring rules

1. Go to the `Snort Interfaces` tab
2. Click on the pencil icon associated with the WAN interface
3. Go to the `WAN Categories` tab
4. Choose the rule sets you would like to use

You can either cherry-pick which rules you would like to apply, or you can press `Select All` at the top and manually
whitelist legitimate traffic that gets blocked.

### Viewing alerts in real time

In the `Alerts` tab, you can view the IP addresses that have triggered the selected rules (and, if `Block Offenders` is
enabled, been blocked).

<img src="/assets/images/guides/pfsense/snort-alerts.png" alt="TODO">

This image is from an actual pfSense deployment, so many fields have been blurred.

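Before turning on `Block Offenders`, it helps to know which sources and signatures fire most and whether any LAN host is among them, since those are the false-positive candidates to whitelist first. The script below is an added example, not code from this guide or the Snort project: it parses Snort's "fast" alert line format over constructed sample lines (documentation-range addresses) and assumes, as in the wizard step above, that the LAN lives in `192.168.` or `10.`.

```python
"""Triage Snort fast-format alert lines by source address and signature.
Added example; the alert lines below are constructed samples, not a real log."""
import re
from collections import Counter, defaultdict

# One Snort "fast" alert line:
# <timestamp>  [**] [gid:sid:rev] <message> [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"      # classification is optional
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"  # ICMP has no ports
)

# Constructed sample alerts; sids are in the local-rule range, addresses are RFC 5737 ranges.
SAMPLE_ALERTS = """\
05/01-12:00:01.123456  [**] [1:1000001:1] LOCAL probe on ssh port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44120 -> 192.0.2.10:22
05/01-12:00:02.500000  [**] [1:1000001:1] LOCAL probe on ssh port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44121 -> 192.0.2.10:22
05/01-12:00:03.000000  [**] [1:1000002:3] LOCAL ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
05/01-12:00:04.250000  [**] [1:1000003:2] LOCAL DNS query to external resolver [**] [Priority: 3] {UDP} 192.168.1.50:53210 -> 1.1.1.1:53
this line is not an alert and is skipped
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["priority"] = int(alert.pop("prio"))
    return alert


def summarize(lines, lan_prefixes=("192.168.", "10.")):
    """Count alerts per source and per (gid, sid, message), and collect alerts whose
    source is inside the LAN: enabling Block Offenders on those would block your own hosts."""
    per_source = Counter()
    per_signature = defaultdict(Counter)
    lan_sourced = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        per_source[alert["src"]] += 1
        per_signature[(alert["gid"], alert["sid"], alert["msg"])][alert["src"]] += 1
        if alert["src"].startswith(lan_prefixes):
            lan_sourced.append(alert)
    return per_source, per_signature, lan_sourced


if __name__ == "__main__":
    sources, signatures, lan_hits = summarize(SAMPLE_ALERTS.splitlines())
    for src, n in sources.most_common():
        print(f"{src:>16}  {n} alert(s)")
    for (gid, sid, msg), srcs in signatures.items():
        print(f"[{gid}:{sid}] {msg}: {sum(srcs.values())} from {len(srcs)} source(s)")
    for a in lan_hits:
        print(f"REVIEW before blocking: LAN host {a['src']} matched sid {a['sid']} ({a['msg']})")
```

Run it against the `alertlog` of the WAN instance instead of `SAMPLE_ALERTS` to get the same breakdown for your own deployment.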
# Conclusion

Congratulations! You now have an open-source* firewall protecting your network! Here are some links to other guides on
setting up specific packages/programs on pfSense:

- [Creating a Virtual Private Network with Tailscale](https://www.wundertech.net/how-to-set-up-tailscale-on-pfsense/)
- [Forwarding ports through your firewall](https://www.wundertech.net/pfsense-port-forwarding-setup-guide/)
- [Configuring VLANs, DHCP, and other stuff](https://itigic.com/how-to-configure-pfsense-internet-vlans-dhcp-dns-and-nat/)

*If you have chosen to stick with pfSense CE over pfSense Plus