Sunday, February 5, 2012

How to configure pfSense


The "webConfigurator" - pfSense basic setup part 2

Note: The following is a continuation of the How to Install pfSense posting.

1. Using your favorite browser, connect to your newly installed pfSense firewall via the LAN interface IP address. Type the IP address of the LAN interface in your browser and you should be presented with a “Security Issue/Warning” for the server's certificate. This is a warning that your browser gives you when it receives a security certificate that it cannot validate against a Certificate Authority. It's the browser's way of warning the end user that the site may be untrustworthy. During the installation of pfSense, the system created a self-signed security certificate so that a certificate would be available to encrypt the connection between your web browser and the pfSense firewall.



2. If you take a closer look at the certificate that was issued to your browser, you will discover that the security certificate has the IP address of your pfSense firewall but all other identifying information is blank. This warning is to be expected because the security certificate was self-signed, and since it does have the IP address of your pfSense firewall, you should have a good level of confidence that this system is the pfSense firewall and not another system posing as your pfSense firewall. Accept the security certificate and continue to the site. (Note: It's never a good idea to accept a certificate that cannot be validated if you're surfing on the Internet.)




3. After accepting the security certificate, you should be presented with the pfSense webConfigurator login screen. The first time you log in to your pfSense firewall, the default username is “admin” with a password of “pfsense”. Log in to your pfSense firewall.



4. After successfully logging in to your pfSense firewall, you will be presented with the pfSense Status Dashboard, which provides a summary of your system information along with the status of your installed interfaces. The dashboard is configurable and can include additional information about other components of your pfSense firewall.



5. Let's continue configuring the pfSense firewall. From the System menu select Setup Wizard to start the pfSense setup wizard.


6. You should then be greeted with the pfSense setup wizard. Click the Next button to continue.



7. Complete the “General Information” section and click the Next button when complete:
       

   
Hostname:
Enter the name of what you want to call your firewall

Domain:
Unless you currently have a domain, create one that will be used on your local network.

Primary DNS Server & Secondary DNS Server:
Enter the IP address of your Internet provider's DNS server or a third-party DNS service such as OpenDNS, or leave it blank to have this information automatically provided via the Override DNS setting.

Override DNS:
If you prefer pfSense to use the Primary and Secondary DNS received from your Internet service provider, ensure that “Allow DNS server to be overridden by DHCP/PPP on WAN” check-box is checked.
       
8. Configure “Time Server Information”. 

Time server hostname:
Keep default

Timezone:
Change to your local time zone.




9. WAN Interface configuration. Unless you need to authenticate to your ISP when accessing the Internet, which is usually a requirement of some DSL providers, or there are other settings you need in order to access the Internet, this section can be bypassed. Just click the Next button.



10. Review the "Configure LAN Interface" screen. This screen can be left at its defaults unless you want to change the IP address scheme provided by pfSense to match the IP scheme currently used on your or your client's network.


11. The "Set Admin WebGUI Password" screen. Enter a new password for the pfSense “admin” user. I recommend that your password be longer than 7 characters and incorporate a combination of upper case and lower case letters, numbers and a special character such as !, #, %, etc. to make it strong.


12. Reload of pfSense web browser – After you configure a new password, pfSense will require you to log in again with the new password. Click the Reload button to refresh the screen and log in with your new password.


13. At the end of the “Setup Wizard” you will be presented with the pfSense “Wizard Completed” page, indicating that you have successfully completed the setup wizard and configured pfSense with the basic configuration to protect your and your client's network from the dangers of the Internet. Your pfSense firewall will automatically allow traffic destined for the Internet to leave your network but block any traffic that was not initiated from your network from entering your network.


14. Now that we have successfully configured the basic settings in pfSense, we will make a couple more changes to personalize your pfSense installation. First, let's start with the self-signed security certificate. As you remember from step 2, the pfSense security certificate only contained the IP address of your pfSense firewall and no other identifying information. We will now configure the security certificate with that identifying information, which is useful if you decide to configure VPN access in the future and allow others to connect to your or your client's network through the pfSense firewall.

From the pfSense menu, select System | Cert Manager to access pfSense System Certificate Authority Manager application.


15. Configure pfSense as a trusted Certificate Authority – Ensure the “CA” tab is selected and click on the “+” to create the CA.

16. From the “Method” pull down, select “Create an internal Certificate Authority” and complete the following fields, pressing the “Save” button when finished.

Descriptive Name:
Enter a name for CA

Method:
Create an internal Certificate Authority

Key length:
Keep at default (2048) bits

Lifetime:
Keep at default (3650) days

Country Code:  
Change to your country

State or Province:
Enter your State or Province

City:
Enter your City

Organization:
Enter what you want to display as the organization that the pfSense firewall belongs to. This could be a business name, household name or any other name you would like to display in the security certificate.

Email Address:
Enter the email address that others can write to if they have questions about the security certificate.

Common Name:
Enter a name for the CA security certificate.


17. Your pfSense firewall should now be configured as a trusted Certificate Authority.

18. Next we will configure the internal certificate. Click on the “Certificates” tab and then select “Create an internal Certificate” from the Method drop down box. Many of the fields will be automatically filled in from what was entered in the CA tab. Just complete the following fields:

Descriptive name:
Enter a name to describe the security certificate you are creating.

Certificate Type:
From the drop down menu, select “Server Certificate”.

Common Name:
Enter the name of your firewall and domain i.e. firewall.mynetwork.com. If you or your client have a domain that will point to the firewall such as a static or dynamic DNS name, you can type that domain name here.

Press the "Save" button to save changes. 


19. You should now see two security certificates under the “Certificates” tab: the one that was created during the installation of pfSense and the one you just created. Currently only the security certificate created during the installation of pfSense is in use by the webConfigurator.

20. Next we will change pfSense to use the new security certificate we created for the webConfigurator. From the “System” menu, select “Advanced”.


21. The System: Advanced screen should now be displayed. On the “Admin Access” tab, find the following settings:

Protocol:
Ensure “HTTPS” is selected

SSL Certificate:   
In the drop down menu, change the SSL certificate to the internal certificate made in the previous steps.

TCP port:
Change port to 445. The port is changed from the standard 443 to 445 to free up port 443 for future use. Hint: VPN connections on port 443 are sure to be allowed out from anywhere you may be when on the road if you later decide to configure remote VPN access.

Secure Shell Server:
Enable Secure Shell. This allows for remote console access to your firewall.

Press the "Save" button to save changes.

22. Once you save the changes on the System: Advanced - Admin Access tab, pfSense will reissue the security certificate, causing your browser to display the Security Certificate Warning again. This is to be expected since we configured pfSense to use the new security certificate we created. This time, however, if you look at the details of the security certificate, it should display the identifying information contained in the new security certificate.


23. You may also notice that pfSense now has an alert displayed in the upper right hand corner of your screen. The alert notifies you that pfSense has created the keys required for your SSH communication. This is the result of enabling the Secure Shell Server option on the System: Advanced - Admin Access tab. Click the alert to acknowledge the change and the alert should disappear.


24. One additional change that I recommend, but that is not required for pfSense to work, is to configure pfSense to show log entries in reverse order (newest entries on top). This is really convenient when you're looking at a log that may be very long, and you can save time by not having to scroll to the bottom to see the latest events.

From the menu select “Status” and then “System Logs”.


25. Once on the Status: System Logs screen, select the “Settings” tab, enable the “Show log entries in reverse order (newest entries on top)” option and click the “Save” button at the bottom of the page.

26. CONGRATULATIONS -- You have now completed the Basement PC Tech basic pfSense firewall setup. Your pfSense installation should be up and running. By selecting the “Firewall” tab while you are still in the “Status” section, you will be able to see all the Internet traffic that is being denied and logged by pfSense, traffic that is no longer allowed to enter your or your client's network without authorization.
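
To confirm the result of steps 14 to 22 outside the browser, the following added example (not part of the original post) checks that a certificate chains to your internal CA and carries the Common Name you entered. The demo CA, organization name and file names are constructed stand-ins for the files you would export from System | Cert Manager.

```shell
#!/bin/sh
# Added example, not from the original post. The demo files built below are
# constructed stand-ins for certificates exported from System | Cert Manager.
# To save the certificate your firewall actually serves (port 445 per step 21):
#   openssl s_client -connect <LAN-IP>:445 </dev/null | openssl x509 > served.crt

# Build a throwaway CA, a server certificate signed by it (values from steps
# 16 and 18), and an unrelated self-signed certificate like the install-time one.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=US/O=Example Home Network/CN=example-internal-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example Home Network/CN=firewall.mynetwork.com" \
        -keyout "$dir/fw.key" -out "$dir/fw.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/fw.csr" -days 3650 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/fw.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=self-signed.example" \
        -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null || return 1
}

# Return 0 if CERT chains to CA_CERT and its subject CN equals EXPECTED_CN,
# 1 if the chain does not verify, 2 if the chain verifies but the CN differs.
check_webgui_cert() {
    ca_cert=$1; cert=$2; expected_cn=$3
    openssl verify -CAfile "$ca_cert" "$cert" >/dev/null 2>&1 || return 1
    # RFC 2253 output looks like: subject=CN=name,O=org,C=US
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    case ",$subject," in
        *",CN=$expected_cn,"*) return 0 ;;
        *) return 2 ;;
    esac
}
```

A return value of 1 for the certificate your firewall serves means the webConfigurator is still using a certificate that your internal CA did not issue.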

5 comments:

  1. Hi, if you don't mind, could I ask my query regarding configuring pfSense? I have already compiled my query but it is too big to fit in the comment box & I am not able to find any other way to put it here. If yes, please mail me or let me know the way to ask here.

  2. I read this post and found a lot of information regarding the configuration of pfSense. When I first configured pfSense on my network, I completed all the steps but left out the certificate portion, so that is useful to me. I also have some further knowledge about pfSense. If you would like more detail, visit the link given below.

    http://pfsensesolution.blogspot.com/

  3. Thanks for sharing knowledge...
    Barracuda Web Filter