The Complete Magazine on Open Source

pfSense: The Popular Open Source Firewall

SHARE
/ 3036 0

Network touch screen

pfsense.org has an interesting slogan: “We make network security easy.” With thousands of enterprises using pfSense software, it is rapidly becoming the world’s most popular open source network security solution. pfSense is indeed an excellent firewall.

pfSense software is a customised distribution of FreeBSD, specifically tailored for use as a firewall and router that is primarily managed via a Web interface. In addition to being a powerful, flexible firewall and routing platform, it includes a long list of related features and a package system that allows further expandability, without adding bloat to the base distribution.
The pfSense project was started in September 2004 by Chris Buechler and Scott Ullrich, with a growing development team. pfSense and its current logo is a copyright of Electric Sheep Fencing LLC.
Apart from pfSense downloads, pfSense.org also provides firewall appliances based on pfSense to cater to a variety of customer requirements. Other offerings include product support, professional services, official training via ‘pfSense university’ and gold membership. pfSense also has great community support.

The latest pfSense version 2.3 was released on April 12, 2016. Some interesting functional changes over the earlier version are:

  • Drag-and-drop rule reordering enabled for firewall and NAT rules.
  • Live CD support no more available. Live boot using a USB drive.
  • Removal of support for unsecured protocols such as Single DES Encryption, Wired Equivalence Privacy (WEP) for wireless encryption, etc.

Selection of download image
For AMD or Intel 64-bit CPUs, download the image for AMD (64-bit) architecture. Do not forget to crosscheck the SHA256 checksum to verify if it’s the correct download. Create a CD from the downloaded ISO, select the required hardware and proceed to install.

Figure 1

Figure 1: Simple network diagram

Figure 2

Figure 2: General configuration

Recommended hardware
Selection of hardware depends on required throughput and the various features to be used such as VPN, captive portal, additional packages, etc.
For pfSense installation, the computer system must have at least two Ethernet cards — one per WAN and LAN interface. For extra segments such as DMZ/secondary WAN, additional Ethernet card(s) are required.
For writing this series of articles, I have used a system with three Ethernet cards.

Installation
Make sure that data from the hard disk being used for pfSense installation is backed up before proceeding. The installation will delete everything from the disk and create new suitable partitions.
Basic pfSense installation is really simple and straightforward. Boot the system using the CD created from the ISO image and answer very simple questions. Care should be taken at one step – select ‘I’ to start installation on the hard disk when prompted to select from ‘Recovery’ and ‘Installer’ mode. Once this process is complete, reboot the system.
Earlier versions of pfSense had live boot CD support, which is no more available. But the live boot functionality is possible using a USB drive.
The next step is to assign interfaces. For this, select the Assign Interfaces menu option at the prompt. All the Ethernet interfaces recognised by pfSense, along with their MAC IDs and their link states, will be visible. Select the appropriate interfaces for your LAN, WAN and OPT1 connections. Figure 1 depicts the set-up used for this test installation.
From the menu, proceed to ‘Set Interface IP’ and assign the LAN interface IP address. Once that is done, the box is ready to be controlled from the Web based interface. Connect to pfSense’s Web interface from the system connected to the Ethernet switch. This system should be configured with the IP address in the range of the pfSense LAN IP.
System default login name is admin and password is pfSense. As a best practice, make sure to change your password from the System – User manager – Actions menu immediately after the first log-on.

Figure 3

Figure 3: PPPoE settings

Figure 4

Figure 4: PPPoE logs

Configuration
pfSense supports various WAN protocols such as DHCP, Static IP, PPP, PPTP, PPPoE, etc. In this test set-up, a PPPoE WAN connection has been used. Under Interfaces– WAN – PPPoE connection, fill in the user name, password, service name (optional) and save the configuration. Go through Figures 2 and 3 for detailed settings. The relevant explanation about these settings is available on the page. It is also possible to configure pfSense using System- Setup Wizard menu.
Assuming the cable from the PPPoE modem to the pfSense WAN port already exists and that the modem/Internet connection is in working condition, the Internet will connect readily. Use the logs available under Status System Logs to troubleshoot if you face any problems.
An interesting feature called Dial-On-Demand (DoD) is available for the PPPoE connection. If there is no traffic towards the Internet for ‘Idle timeout’ seconds, the DoD mode will disconnect WAN, and on the next Internet request, the WAN will reconnect.
The basic pfSense LAN – WAN setup is now complete. It will help you if you browse through the pfSense Web based menu for getting acquainted with it, before continuing with further installation and configuration.
Let us take a look at several interesting pfSense features and packages.

A selection of pfSense’s inherent features

  • Creating ACLs to control access from the internal IP addresses towards the external IP addresses for the required ports (services)
  • Network address translation
  • DHCP server
  • NTP server
  • ClamAV anti-virus

pfSense packages
Various packages are available for online installation from System –Package Manager Available Packages menu. This menu lists all such available packages including:

  • Iftop – A real-time interface monitor
  • Nmap – A network exploration and security utility
  • Openvpn client export – This exports pre-configured openvpn client settings for Windows and MAC
  • OpenBGPD, Routed and Quagga_OSPF – Offers support for BGP, RIP V1/V2 and OSPF routing protocols
  • Snort and Suricata – For intrusion detection and prevention
  • Squid – This is a high performance Web proxy cache, which also supports SSL filtering
  • SquidGuard – This is a Web proxy URL filter

Out of these, the most popular is Squid for caching and SquiqdGuard for website filtering.

Installation and configuration of the Squid proxy server
Go to System –Package Manager –Available Packages and click on the Install button corresponding to Squid.
The Squid proxy will download and install automatically. ‘Success’ at the end of the installation screen will indicate that the Squid installation is complete. This will add two menu items under Services– Squid Proxy Server and Squid Reverse Proxy.
Start with the Services –Squid Proxy Server menu. Figure 5 elaborates on the required configuration parameters.
One by one, browse through the following sub-menus –- Local Cache, ACLs, Traffic Mgmt, Authentication, Users — and make the desired changes or save their default settings.
This completes Squid’s configuration. Under Real Time you can view the current Squid Access, Squid Cache tables and if enabled, SquidGuard and ClamAV tables too.

Figure 5

Figure 5: Squid proxy configuration

Figure 6

Figure 6: SquidGuard configuration

Installation and configuration of SquidGuard
Go back to the package manager and install SquidGuard. Successful installation will add the SquidGuard Proxy Filter menu item under Services. Figure 6 details the required configuration items.
For SquidGuard to filter out the unnecessary websites, a blacklist will have to be configured and updated periodically. This is possible from Services –SquidGuard Proxy Filter –Blacklist options. One of the most widely used blacklist URL is http://www.shallalist.de/Downloads/shallalist.tar.gz. Please read the terms and conditions of using the Shallalist website beforehand.
Before continuing further, please go through the steps detailed at the end of this article to overcome the known issues associated with Squid and SquidGuard.
Continue to update the blacklist from the Services –SquidGuard Proxy Filter –Blacklist menu by clicking on the Download button. Once this download is completed, as a primary configuration, go to the Services –SquidGuard Proxy Filter Common ACL menu, select the Expand Target Rules Lists by clicking the ‘+’ button, deny access for unwanted target categories such as gambling, porn, etc. Then click on Save. See Figure 7 for this configuration example.
Once configured, implement this configuration by clicking the ‘Apply’ button from the Services – SquidGuard Proxy Filter – General menu.
Verify that the filtering is working properly by opening one of the blocked sites in the Web browser. The browser should give a Request denied error along with the reason and client IP address. This unauthorised access attempt is also logged and can be viewed from SquidGuard Proxy Filter –Logs.

Table 1: Important pfSense menu items

Enable SSH access  System – Advanced – Admin Access – Secure Shell – Enable Secure Shell. If required, you can define the non-standard SSH port number.
Shutdown/restart  Diagnostic – Halt/Diagnostic – Restart
 Check running services   Status – Services
 Backup & Restore settings Reinstall existing packages  Diagnostics – Backup & Restore
Checking Interface Status Connect/Disconnect WAN   Status – Interfaces
Figure 7

Figure 7: SquidGuard common ACL

Figure 8

Figure 8: SquidGuard request denied

Overcoming known Squid proxy problems

Detailed instructions and discussions related to the issue of SquidGuard not able to auto restart after system reboot are available at: https://forum.pfsense.org/index.php?topic=94312.0
For the ready reference of users, the steps from this discussion are detailed below.
1. Login to your pfSense computer using SSH and monitor cache log:

tail -f /var/squid/logs/cache.log

2. In the proxy filter SquidGuard/target categories, define a dummy custom target category. Name: Dummy. Description: Dummy custom target category (Fix: Squid and SquidGuard are not set to auto start after reboot). The remaining parameters are blank.
3. In the proxy filter SquidGuard/Common Access Control List, in Target Rules, find your dummy target category and set access to Deny to create the missing blacklist directory.
4. Go to General Settings and select Apply to activate the configuration update.
5. Your monitoring tail of cache.log will immediately start to scroll, indicating successful implementation of the workaround.
6. It is advisable to do a configuration backup (diagnostics/backup/restore).
7. Do a system restart and validate that Squid and SquidGuard services now successfully auto-start.