In the rapidly evolving landscape of networking, having a robust and secure network infrastructure is crucial. This project aims to guide you through the process of configuring pfSense, an open-source firewall and routing software, to create a secure and efficient network environment. Whether you are setting up a home network or a small business network, pfSense provides a flexible and powerful solution for managing traffic, enhancing security, and optimizing performance.
This project was built using the following components:
This project includes configuring the LANs of both a Windows and an Ubuntu client. First we configure pfSense's network settings so that it has a WAN, a LAN and a LAN2. On pfSense itself we assign the LAN interface the IP address 10.10.10.1, which is the address our Ubuntu client uses to reach the web interface; for LAN2 we assign 20.20.20.1, which serves the Windows client. Then we use the firewall's web interface from the Ubuntu client to assign that client a static IP of 10.10.10.10. The Windows client is also given a static IP of 20.20.20.20.
- Download VirtualBox: https://www.virtualbox.org/wiki/Downloads
- Download Ubuntu for VirtualBox: https://ubuntu.com/download/desktop
- Download Windows 10 for VirtualBox: Microsoft no longer provides the Windows 10 image, so you can download it from the link below. The image's password is "Passw0rd!"
  https://drive.google.com/file/d/1YKnn1bzbC_34oEX91Vxj5BB1GdmWW3tP
- Download pfSense for VirtualBox: https://www.pfsense.org/download/
- Configure the RAM and GPU for the virtual machines.
That's it, we're now ready to start setting up our pfSense Firewall.
Note: For Windows, you must give at least 2 GB of RAM for it to work properly.
Before we begin the configuration of our firewall, we need to understand some terms.
A network consists of two or more computers that are linked in order to share resources (such as printers and CDs), exchange files, or allow electronic communications. The computers on a network may be linked through cables, telephone lines, radio waves, satellites, or infrared light beams.
A local area network (LAN) is a collection of devices connected together in one physical location, such as a building, office, or home. A LAN can be small or large, ranging from a home network with one user to an enterprise network with thousands of users and devices in an office or school.
A wide-area network (WAN) is the technology that connects your offices, data centers, cloud applications, and cloud storage together. It is called a wide-area network because it spans beyond a single building or large campus to include multiple locations spread across a specific geographic area, or even the world. For example, businesses with many international branch offices use a WAN to connect office networks together. The world's largest WAN is the internet, because it is a collection of many international networks that connect to each other.
The Open Systems Interconnection (OSI) model describes seven layers that computer systems use to communicate over a network. It was the first standard model for network communications, adopted by all major computer and telecommunication companies in the early 1980s.
The modern Internet is not based on OSI, but on the simpler TCP/IP model. The transmission control protocol (TCP) is the internet standard ensuring the successful exchange of data packets between devices over a network. TCP is the underlying communication protocol for a wide variety of applications, including web servers and websites, email applications, FTP and peer-to-peer apps.
TCP operates with the internet protocol (IP) to specify how data is exchanged online. IP is responsible for sending each packet to its destination, while TCP guarantees that bytes are transmitted in the order in which they were sent with no errors or omissions. Together, the two protocols are referred to as TCP/IP.
Establishing a TCP connection requires that both the client and server participate in what is known as a three-way handshake. The process can be broken down as follows:
- The client sends the server a SYN packet, a connection request from its source port to the server's destination port.
- The server responds with a SYN/ACK packet, acknowledging receipt of the connection request.
- The client receives the SYN/ACK packet and responds with an ACK packet of its own.

After the connection is established, TCP breaks the transmitted data into segments, each of which is packaged into a datagram and sent to its destination.
A subnet is the division of a larger network into smaller logical networks. It enables better organization and management of IP addresses by grouping devices based on network requirements, security policies, or other factors.
Without proper routing between subnets, devices on one subnet cannot communicate directly with devices on the other subnet.
In our project, 10.10.10.0/24 and 20.20.20.0/24 are the subnets of our LANs.
DNS, or the Domain Name System, translates human readable domain names to machine readable IP addresses. The Internet’s DNS system works much like a phone book by managing the mapping between names and numbers. DNS servers translate requests for names into IP addresses, controlling which server an end user will reach when they type a domain name into their web browser.
The Hypertext Transfer Protocol (HTTP) is the foundation of the World Wide Web, and is used to load webpages using hypertext links. HTTP is an application layer protocol designed to transfer information between networked devices and runs on top of other layers of the network protocol stack. A typical flow over HTTP involves a client machine making a request to a server, which then sends a response message.
A MAC address (Media Access Control Address) is a 12-digit hexadecimal number assigned to each device connected to the network. Primarily specified as a unique identifier during device manufacturing, the MAC address is often found on a device's network interface card. A MAC address is required when trying to locate a device or when performing diagnostics on a network device.
The MAC address belongs to the data link layer of the Open Systems Interconnection (OSI) model, which encapsulates the MAC address of the source and destination in the header of each data frame to ensure node-to-node communication.
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.
Every device on a TCP/IP-based network must have a unique unicast IP address to access the network and its resources. Without DHCP, IP addresses for new computers or computers that are moved from one subnet to another must be configured manually; IP addresses for computers that are removed from the network must be manually reclaimed.
With DHCP, this entire process is automated and managed centrally. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it starts up on the network. Because the IP addresses are dynamic (leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for reallocation.
A network switch is a physical device that operates at the Data Link Layer, Layer 2 of the Open Systems Interconnection (OSI) model. It receives packets sent by devices connected to its physical ports and forwards them to the devices those packets are intended to reach. Switches can also operate at the Network Layer (Layer 3), where routing occurs.
A router is a device that connects two or more packet-switched networks or subnets. Layer 3 switches can also act as routers.
One of the primary jobs of a router is to assign IP addresses to the computers on a home network. The router has a pool of IP addresses that it keeps track of. When a computer connects to it and asks for an IP address, the router picks an IP address from the pool and assigns it to the computer. The router makes sure that two computers are not assigned the same IP address. This process of computers asking for an IP address from the router is called dynamic IP address assignment. It uses the network protocol called DHCP.
A default gateway is a node in a computer network that enables connection to other networks. It allows devices on separate networks to communicate with one another. It serves as a forwarding host when no other routes for the destination Internet Protocol (IP) address have been specified. It can also act as an intermediary between multiple devices connected to a shared subnet. A default gateway in action can be found when accessing web pages. Each request is sent through the gateway before it actually gets onto the internet, and vice versa.
Address Resolution Protocol (ARP) is a protocol or procedure that connects an ever-changing Internet Protocol (IP) address to a fixed physical machine address, also known as a media access control (MAC) address, in a local-area network (LAN).
When a new computer joins a local area network (LAN), it will receive a unique IP address to use for identification and communication.
Packets of data arrive at a gateway, destined for a particular host machine. The gateway, or the piece of hardware on a network that allows data to flow from one network to another, asks the ARP program to find a MAC address that matches the IP address. The ARP cache keeps a list of each IP address and its matching MAC address. The ARP cache is dynamic, but users on a network can also configure a static ARP table containing IP addresses and MAC addresses.
ARP caches are kept on all operating systems in an IPv4 Ethernet network. Every time a device requests a MAC address to send data to another device connected to the LAN, the device verifies its ARP cache to see if the IP-to-MAC-address connection has already been completed. If it exists, then a new request is unnecessary. However, if the translation has not yet been carried out, then the request for network addresses is sent, and ARP is performed.
An ARP cache size is limited by design, and addresses tend to stay in the cache for only a few minutes. It is purged regularly to free up space. This design is also intended for privacy and security to prevent IP addresses from being stolen or spoofed by cyberattackers. While MAC addresses are fixed, IP addresses are constantly updated.
In the purging process, unutilized addresses are deleted; so is any data related to unsuccessful attempts to communicate with computers not connected to the network or that are not even powered on.
After downloading all our virtual machines, we can start setting up the firewall. The first thing to do is the network settings. On pfSense, we set the first adapter to NAT (this will be our WAN), the second adapter to an internal network with any name, such as "lan", and the third adapter to an internal network again but with a different name, such as "lan2". Then on Ubuntu we set the first adapter to the internal network "lan", and on Windows we connect to the internal network "lan2".
After that, once the IP addresses are assigned, we should see this screen on pfSense:
Now we can reach the pfSense web interface from our Ubuntu client:
By default, the username is "admin" and the password is "pfsense". Once you are in the system, you can configure your authentication settings.
We can see our interfaces in the web interface:
After assigning static IPs through DHCP Leases, your addresses should look like this:
Ping is a command-line utility, available on virtually any operating system with network connectivity, that acts as a test to see if a networked device is reachable.
The ping command sends a request over the network to a specific device. A successful ping results in a response from the computer that was pinged back to the originating computer.
In our project, we want to ping our Ubuntu client from our Windows client. For this, we need to configure firewall rules.
After that we can successfully ping our Ubuntu client:
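To make the rule step above concrete, here is a small model of how pfSense evaluates rules on the interface where traffic enters (top-down, first match wins, implicit deny for everything else). This is an added example, not code from the project; the exact rule the project created is not shown on the page, so the ICMP-only rule from the LAN2 subnet to the LAN subnet is an assumption.

```python
# Added example (not from the original project): a small model of how pfSense
# evaluates firewall rules on the interface where traffic enters. Rules are
# checked top-down, the first match wins, and whatever no rule passes is
# dropped. Addresses and interface names are the ones used in this project.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    interface: str  # interface the packet arrives on, e.g. "LAN2"
    action: str     # "pass" or "block"
    proto: str      # "icmp", "tcp", "udp" or "any"
    src: str        # source network in CIDR notation
    dst: str        # destination network in CIDR notation


def evaluate(rules, interface, proto, src_ip, dst_ip):
    """Return 'pass' or 'block' for a packet entering `interface`."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.interface != interface or rule.proto not in ("any", proto):
            continue
        if src in ip_network(rule.src) and dst in ip_network(rule.dst):
            return rule.action
    return "block"  # implicit default deny when no rule matches


# Constructed rule set: LAN keeps the "allow LAN to any" rule pfSense creates
# by default; LAN2 starts with no rules, so the Windows client reaches nothing.
BASE_RULES = [Rule("LAN", "pass", "any", "10.10.10.0/24", "0.0.0.0/0")]

# Assumed shape of the rule this project adds so that Windows (20.20.20.20)
# can ping Ubuntu (10.10.10.10): ICMP only, LAN2 subnet to LAN subnet only.
PING_RULE = Rule("LAN2", "pass", "icmp", "20.20.20.0/24", "10.10.10.0/24")


def windows_can_ping_ubuntu(rules):
    return evaluate(rules, "LAN2", "icmp", "20.20.20.20", "10.10.10.10") == "pass"


if __name__ == "__main__":
    print("before rule:", windows_can_ping_ubuntu(BASE_RULES))               # False
    print("after rule:", windows_can_ping_ubuntu(BASE_RULES + [PING_RULE]))  # True
```

The echo reply needs no rule of its own on LAN: pf is stateful, and the matching pass rule creates a state entry that lets the reply back through. Keeping the rule to ICMP and the two subnets means the Windows client still cannot open TCP connections into LAN.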
The ping command is commonly used to check network connections, test the accessibility of a target, and evaluate network performance. The output of the ping command includes the following information:
- Sent Packets: the total number of packets sent to the target by the ping command.
- Received Packets: the number of packets that were successfully received from the target. This is important to determine whether there is any loss in communication.
- Packet Loss Percentage (%): the percentage of sent packets that were lost. Ideally there should be no loss, but small losses may be normal in some cases.
- Minimum, Maximum, and Average Response Times: the time between each sent packet and its response, reported as minimum, maximum and average, usually measured in milliseconds.
Ping outputs provide information about the status of the network connection, packet transmission, and the time it takes to reach the target. This information can be used to detect and troubleshoot network issues.
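The fields listed above can be pulled out of the ping summary automatically, which is handy when checking many hosts. The following parser is an added example, not from the project, and handles both the Windows format (what our Windows client prints when pinging Ubuntu) and the Linux format; the sample outputs are constructed.

```python
# Added example (not from the original project): parse the summary that ping
# prints, in the Windows and the Linux format, into the fields listed above.
# Both sample outputs below are constructed, not captured from the project.
import re

WINDOWS_PING = """\
Pinging 10.10.10.10 with 32 bytes of data:
Reply from 10.10.10.10: bytes=32 time=1ms TTL=63
Reply from 10.10.10.10: bytes=32 time<1ms TTL=63
Request timed out.
Reply from 10.10.10.10: bytes=32 time=2ms TTL=63

Ping statistics for 10.10.10.10:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 1ms
"""

LINUX_PING = """\
PING 20.20.20.20 (20.20.20.20) 56(84) bytes of data.
64 bytes from 20.20.20.20: icmp_seq=1 ttl=63 time=0.45 ms
64 bytes from 20.20.20.20: icmp_seq=2 ttl=63 time=0.52 ms

--- 20.20.20.20 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.450/0.485/0.520/0.035 ms
"""

_WIN_STATS = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")
_WIN_RTT = re.compile(r"Minimum = (\d+)ms, Maximum = (\d+)ms, Average = (\d+)ms")
_LNX_STATS = re.compile(r"(\d+) packets transmitted, (\d+) received")
_LNX_RTT = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/")


def parse_ping(output):
    """Return sent, received, loss % and min/avg/max RTT in ms (None if absent)."""
    if m := _WIN_STATS.search(output):
        rtt = _WIN_RTT.search(output)          # Windows order: min, max, avg
        mn, mx, avg = map(float, rtt.groups()) if rtt else (None,) * 3
    elif m := _LNX_STATS.search(output):
        rtt = _LNX_RTT.search(output)          # Linux order: min, avg, max
        mn, avg, mx = map(float, rtt.groups()) if rtt else (None,) * 3
    else:
        raise ValueError("no ping statistics found in output")
    sent, received = int(m[1]), int(m[2])
    loss = 100.0 * (sent - received) / sent if sent else 100.0  # 100% if nothing sent
    return {"sent": sent, "received": received, "loss_pct": loss,
            "min_ms": mn, "avg_ms": avg, "max_ms": mx}
```

When every packet is lost, neither ping prints an RTT line, so the RTT fields come back as None rather than the parser failing.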
The Network Time Protocol (NTP) is an application layer protocol in the TCP/IP protocol suite. It is used to synchronize the clock between the client and the server to provide high-precision time correction. The NTP server receives accurate Coordinated Universal Time (UTC) from an authoritative clock source, such as an atomic clock or GPS. Then, the NTP client requests and receives time from the NTP server.
In our project we enable NTP from the Services tab and configure our time zone. Then we can check whether it is enabled with this command:
~$ timedatectl status
Sample NTP activated output
Simple Network Management Protocol (SNMP) is an Internet standard protocol used to monitor and manage network devices connected over IP. SNMP is used for communication between routers, switches, firewalls, load balancers, servers, CCTV cameras and wireless devices.
SNMP collects, organizes and sends data from various devices for network monitoring, assisting with fault identification and isolation. Both the monitored endpoints and the monitoring system rely on SNMP for seamless communication.
In our project, we enable SNMP from the Services tab like this:
We can test it with this command :
~$ snmpwalk -v2c -c SNMPTest 10.10.10.1
Sample output
The captive portal is an application responsible for controlling and managing the access of users to public and private networks in an automated way. Captive portals are commonly used in open access networks, available in stores, malls, clinics, airports, supermarkets, and corporate networks, for visitor access management. The captive portal allows administrators to provide access to the internet by passing on information that allows user identification, such as name, e-mail, Social Security number, or authentication by using a voucher.
In our project, we configure a captive portal. To do this, we enable it from the Services tab.
Then we create a user and give it the privileges needed to log in to the internet via the captive portal.
Now we can enter the system.
We can see the activities through Status -> Captive Portal :
Snort is the foremost open-source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that define malicious network activity, finds packets that match those rules, and generates alerts for users.
In our project, we install Snort on our system. First we go to the Snort website and sign up. Then we go to "My Account" -> "Oinkcode" to get our subscription code.
Then we head back to our web interface, go to "Package Manager" and install "snort". Snort is now available under "Services". Under Services -> Snort -> Global Settings, we enable the Snort VRT rules and enter our Oinkmaster code:
Now we go to "Updates" and update our rules. When this succeeds, we can create our Snort interface and enable it:
Finally, we can see the activity under "Alerts":
Sometimes we want to copy our system settings to a different system, or restore the system to a previous configuration.
On pfSense, we go to Diagnostics -> Backup & Restore to back up a specific area or all of it, or to restore from a previously saved backup.
These are the references I used to research and configure my firewall.
- Network
- LAN
- WAN
- OSI
- TCP/IP & TCP Handshake
- Subnet
- DNS
- HTTP
- MAC
- DHCP
- Router
- Switch
- Default Gateway
- ARP
- Snort
- Ping
- NTP
- SNMP
- Captive Portal
- Snort
- Snort Install Guide
Ömer Faruk YILDIRIM - LinkedIn - [email protected]
Project Link: https://github.com/ylScarred/pfSense-Firewall-Setup/
Distributed under the MIT License. See LICENSE.txt for more information.