The "webConfigurator" - pfSense basic setup part 2
Note: The following is a continuation of the How to Install pfSense posting.
1. Using your favorite browser, connect to your newly installed pfSense firewall via the LAN interface IP address. Type the IP address of the LAN interface in your browser and you should be presented with a “Security Issue/Warning” for the server's certificate. This is the warning your browser gives when it receives a security certificate that it cannot validate against a Certificate Authority. It's the browser's way of warning the end user that the site may be untrustworthy. During the installation of pfSense, the system created a security certificate, known as a self-signed certificate, so that a certificate is available to encrypt the connection between your web browser and the pfSense firewall.
2. If you take a closer look at the certificate that was issued to your browser, you will discover that it has the IP address of your pfSense firewall but all other identifying information is blank. Since this warning is to be expected because the security certificate was self-signed, and it does have the IP address of your pfSense firewall, you should have a good level of confidence that this system is the pfSense firewall and not another system posing as it. Accept the security certificate and continue to the site. (Note: It's never a good idea to accept a certificate that cannot be validated when you're surfing on the Internet.)
3. After accepting the security certificate, you should be presented with the pfSense webConfigurator login screen. The first time you log in to your pfSense firewall, the default username is “admin” with a password of “pfsense”. Log in to your pfSense firewall.
4. After successfully logging in to your pfSense firewall, you will be presented with the pfSense Status Dashboard, which provides a summary of your system information along with the status of your installed interfaces. The dashboard is configurable and can include additional information about other components of your pfSense firewall.
5. Let's continue configuring the pfSense firewall. From the System menu select Setup Wizard to start the pfSense setup wizard.
6. You should then be greeted with the pfSense setup wizard. Click the Next button to continue.
7. Complete the “General Information” section and click the Next button when complete:
Hostname: Enter the name you want to give your firewall.
Domain: Unless you currently have a domain, create one that will be used on your local network.
Primary DNS Server & Secondary DNS Server: Enter the IP address of your local Internet provider's DNS server or a third-party DNS such as OpenDNS, or leave it blank to have this information provided automatically via the Override DNS setting.
Override DNS: If you prefer pfSense to use the primary and secondary DNS servers received from your Internet service provider, ensure that the “Allow DNS server to be overridden by DHCP/PPP on WAN” check-box is checked.
8. Configure “Time Server Information”.
Time server hostname: Keep default.
Timezone: Change to your local time zone.
9. WAN Interface configuration. Unless you need to authenticate to your ISP when accessing the Internet, which is a requirement of some DSL providers, or there are other settings you need in order to access the Internet, this section can be bypassed. Just click the Next button.
10. Review the “Configure LAN Interface” screen. This screen can be left at its defaults unless you want to change the IP address scheme provided by pfSense to match the IP scheme currently used on your network or your client's network.
11. The “Set Admin WebGUI Password” screen. Enter a new password for the pfSense “admin” user.
It is recommended that your password be longer than 7 characters and incorporate a combination of upper-case and lower-case letters, a number and a special character such as !, #, %, etc. to make it strong.
12. Reload of pfSense web browser – After you configure a new password, pfSense will require you to log in again with the new password. Click the Reload button to refresh the screen and log in with your new password.
13. At the end of the “Setup Wizard” you will be presented with the pfSense “Wizard Completed” page, indicating that you have successfully completed the setup wizard and configured pfSense with the basic configuration to protect your network or your client's network from the dangers of the Internet. Your pfSense firewall will automatically allow traffic destined for the Internet to leave your network, but will block any traffic that was not initiated from your network from entering it.
14. Now that we have successfully configured the basic settings in pfSense, we will make a couple more changes to personalize your pfSense installation. First, let's start with the self-signed security certificate. As you remember from step 2, the pfSense security certificate only contained the IP address of your pfSense firewall and no other identifying information. We will now configure the security certificate with that identifying information, which is useful if you decide to configure VPN access in the future and allow others to connect to your network or your client's network through the pfSense firewall.
From the pfSense menu, select System | Cert Manager to access the pfSense System Certificate Authority Manager application.
15. Configure pfSense as a trusted Certificate Authority – Ensure the “CA” tab is selected and click on the “+” to create the CA.
16. From the “Method” pull-down, select “Create an internal Certificate Authority” and complete the following fields, pressing the “Save” button when finished.
Descriptive Name: Enter a name for the CA.
Method: Create an internal Certificate Authority
Key length: Keep at default (2048) bits.
Lifetime: Keep at default (3650) days.
Country Code: Change to your country.
State or Province: Enter your state or province.
City: Enter your city.
Organization: Enter what you want to display as the organization that the pfSense firewall belongs to. This could be a business name, household name or any other name you would like to display in the security certificate.
Email Address: Enter the email address that others can write to if they have a question about the security certificate.
Common Name: Enter a name for the CA security certificate.
17. Your pfSense firewall should now be configured as a trusted Certificate Authority.
18. Next we will configure the internal certificate. Click on the “Certificates” tab and then select “Create an internal Certificate” from the Method drop-down box. Many of the fields will be filled in automatically from what was entered in the CA tab. Just complete the following fields:
Descriptive name: Enter a name to describe the security certificate you are creating.
Certificate Type: From the drop-down menu, select “Server Certificate”.
Common Name: Enter the name of your firewall and domain, e.g. firewall.mynetwork.com. If you or your client have a domain that will point to the firewall, such as a static or dynamic DNS name, you can type that domain name here.
Press the “Save” button to save changes.
19. You should now see two security certificates under the “Certificates” tab: the one that was created during the installation of pfSense and the one you just created. Currently only the security certificate created during the installation of pfSense is in use by the webConfigurator.
20. Next we will change pfSense to use the new security certificate we created for the webConfigurator. From the “System” menu, select “Advanced”.
21. The System: Advanced screen should now be displayed. On the “Admin Access” tab, find the following settings:
Protocol: Ensure “HTTPS” is selected.
SSL Certificate: In the drop-down menu, change the SSL certificate to the internal certificate made in the previous steps.
TCP port: Change port to 445. The port is changed from the standard 443 to 445 to free up port 443 for future use. Hint: VPN connections on port 443 are sure to be allowed out from anywhere you may be when on the road, if you later decide to configure remote VPN access.
Secure Shell Server: Enable Secure Shell. This allows for remote console access to your firewall.
Press the “Save” button to save changes.
22. Once you save the changes in the System: Advanced - Admin tab, pfSense will reissue the security certificate, causing your browser to display the security certificate warning again. This is to be expected since we configured pfSense to use the new security certificate we created, except this time, if you look at the details of the security certificate, it should now display the identifying information contained in the new security certificate.
23. You may also notice that pfSense now has an alert displayed in the upper right-hand corner of your screen. The alert notifies you that pfSense has created the keys required for your SSH communication. This is the result of enabling the Secure Shell Server option on the System: Advanced - Admin tab.
Click the alert to acknowledge the change and the alert should disappear.
24. One additional change that I recommend, but that is not required for pfSense to work, is to configure pfSense to show log entries in reverse order (newest entries on top). This is really convenient when you're looking at a log that may be very long, and you can save time by not having to scroll to the bottom to see the latest events.
From the menu select “Status” and then “System Logs”.
25. Once on the Status: System Log screen, select the “Settings” tab, then enable the “Show log entries in reverse order (newest entries on top)” option and click the “Save” button at the bottom of the page.
26. CONGRATULATIONS -- You have now completed the Basement PC Tech basic pfSense firewall setup. Your pfSense installation should be up and running, and by selecting the “Firewall” tab while you are still in the “Status” section you will be able to see all the Internet traffic that is being denied and logged by pfSense: traffic that is no longer allowed to enter your network or your client's network without authorization.
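Steps 15 to 22 as an added example, not part of the original post: the same arrangement (an internal CA, then a server certificate signed by it) reproduced with the openssl CLI on a workstation, showing that a client holding the CA certificate can validate the new certificate while a bare self-signed one still cannot be validated. All subjects, file names and the 192.168.1.1 address are constructed placeholders; pfSense generates its own files through Cert Manager.

```shell
#!/bin/sh
# Constructed demo: subjects, names and paths are placeholders, not pfSense files.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT      # throwaway keys are removed when the script ends
FQDN="firewall.mynetwork.com"   # example Common Name from step 18

cat > "$WORK/demo.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF

build_pki() {
  # Internal CA with the step 16 defaults: 2048-bit key, 3650-day lifetime.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/demo.cnf" \
    -extensions ca_ext -subj "/C=US/O=Example Home Network/CN=example-internal-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Server certificate signed by that CA (step 18).
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
    -subj "/C=US/O=Example Home Network/CN=$FQDN" \
    -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/demo.cnf" -extensions server_ext \
    -out "$WORK/fw.crt" 2>/dev/null
  # Stand-in for the install-time certificate: self-signed, constructed LAN IP.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/demo.cnf" \
    -subj "/CN=192.168.1.1" -keyout "$WORK/old.key" -out "$WORK/old.crt" 2>/dev/null
}

# Succeeds only if the certificate validates against the exported CA.
chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

build_pki
chains_to_ca "$WORK/fw.crt"  && echo "new certificate: chains to the internal CA"
chains_to_ca "$WORK/old.crt" || echo "install-time stand-in: cannot be validated"
cert_subject "$WORK/fw.crt"
cert_fingerprint "$WORK/fw.crt"
```

A client that trusts ca.crt and connects using a name listed in the certificate validates it without a warning; the SHA-256 fingerprint gives a value to compare against what the browser shows.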