Hacom pfSense Deployment Guide
Bao Ha
Copyright © 2008 Hacom
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts.
9 November 2008
Table of Contents
Hacom pfSense Deployment Guide
Introduction
Three-Zone Firewall: Setup a DMZ
Four-Zone Firewall: Wireless Configuration
Four-Zone Firewall: Non-Bridged Wireless Network
Captive Portal
Virtual Private Network: Site-to-Site IPSec
Appendix A. Templates
Introduction
pfSense is a complete, embedded firewall software package that provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (it is free software). It is based on FreeBSD. The software is available at http://www.pfsense.com/.
Hacom implements pfSense on our hardware to take advantage of its features and to provide complete packaged support for commercial customers (small, medium and enterprise) who want a one-stop shop.
This document is the continuation of the Hacom pfSense Quick-Start Guide. It documents common deployments of pfSense firewalls.
Documentation
Since pfSense is similar to M0n0wall, the documentation of the M0n0wall system can also be consulted. The relevant documents are at the following URLs:
The M0n0wall Users Manual (http://m0n0.ch/wall/docbook/)
M0n0wall Quick Start Guide (http://m0n0.ch/wall/quickstart/)
pfSense FAQ (http://faq.pfsense.com/)
pfSense tutorial (http://www.pfsense.com/index.php?id=36)
Hacom pfSense Quick-Start Guide (http://www.hacom.net/catalog/pub/pfsense/Hacom%20pfSense%20Quick-Start%20Guide.pdf)
Hacom's pfSense
Hacom offers three groups of commercially packaged pfSense systems with a choice of support services: Phoenix, Mercury and Mars. The following comparison table can be used to select the appropriate equipment for a given network environment.
Performance* | Phoenix | Mercury | Mars
Suggested Users | 5-25 | 10-50 | 10-250
Throughput | 90Mbps | 200Mbps | 400Mbps
Concurrent Connections | 80,000 | 200,000 | 200,000-400,000
3DES IPSec Throughput | 8-10Mbps | 20Mbps | 25-40Mbps
AES IPSec Throughput | 10-40Mbps | 80Mbps | 40-60Mbps
* Performance depends on the network environment and the configuration of the firewall.
Hardware Specification
The columns below are listed in the order of the original table, from Phoenix through Mercury to Mars (one column per systemboard).
Systemboard | ES466B | CV700A | CV700A | CV763A | CI852A
CPU | 333MHz AMD Geode GX | 500MHz VIA C7 | 1GHz VIA C7 | 1GHz Celeron-M | 1.6GHz Celeron-M
Memory | 256MB | 512MB | 512MB | 1GB
Storage | 1GB CF (Compact Flash) or 1GB DOM (Disk-On-Module)**
Ethernet | 3x10M/100M | 3x10M/100M/1G | 4x10M/100M/1G | 4x10M/100M/1G
** Disk-on-Module is more durable than compact flash due to its built-in wear leveling function.
Templates
Templates are simple forms filled in with enough information to guide the configuration of the pfSense firewall in a specific use case. For each deployment discussed in this guide, the filled-in templates are placed at the end of the use case to illustrate how to fill in the forms.
These templates mainly help Hacom's support staff evaluate how much information is required to configure the router for a specific application.
Blank forms are provided in the appendix.
Three-Zone Firewall: Setup a DMZ
DMZ stands for De-Militarized Zone. It is an area of the local internal network that contains Internet-facing servers. It is isolated from the LAN so that access gained through the Internet-accessible servers does not spill over into the internal network.
Following is a diagram of a 3-zone firewall: WAN, LAN and OPT1. WAN is the Internet, the outside world. LAN is the local internal network protected by the firewall. And OPT1 is the DMZ.
Following are the assumptions for the DMZ setup:
1. The Firewall has a WAN IP of 208.127.150.33. It also has an extra external IP of 208.127.150.32 to be used for the web server: www.baoha.net.
2. The LAN subnet is 192.168.1.0/24.
3. The OPT1 (DMZ) subnet is 192.168.2.0/24.
4. The web server's DMZ IP is 192.168.2.5.
The goal is to forward any Internet traffic addressed to the web server's public IP, 208.127.150.32, to the server 192.168.2.5 in the DMZ.
The procedure is as follows:
1. Create an OPT1 interface if it does not exist.
2. Configure the OPT1 interface.
3. Add the virtual IP 208.127.150.32 to the pfSense firewall.
4. Configure 1:1 NAT.
5. Set up the firewall rule to allow access from DMZ to WAN, but not from DMZ to LAN.
6. Set up the firewall rule
During the initial setup, we may have set up only a 2-zone firewall with only 2 assigned network interfaces. We need to add the third interface using the web administration tools.
1. Go to Interfaces → Assign.
2. Click on the plus (+) sign on the right-hand side to create a new interface, OPT1. Click on Save!
Now, we need to set up the OPT1 interface.
OPT1 is the interface for the DMZ zone. Its subnet is 192.168.2.0/24, which contains the private IP of the web server www.baoha.net.
For the OPT1 interface, we will:
1. Enable the OPT1 interface.
2. Set it to static.
3. Set the IP to 192.168.2.1/24.
4. Save it!
The next step is to add a virtual IP. Go to Firewall → Virtual IPs.
1. Click on the plus (+) sign on the right-hand side to create a new virtual IP for 208.127.150.32.
2. Click on Save!
3. Click on “Apply Changes”!
Now, we are ready to configure the 1:1 NAT.
1. Go to Firewall → NAT.
2. Click on the plus + sign on the right hand side to create a new 1:1 NAT rule.
3. Set the Interface to be WAN.
4. Set the external IP to be 208.127.150.32.
5. Set the internal subnet to be 192.168.2.5.
6. Click on Save!
7. Click on “Apply Changes”
Now, we are ready to set up the firewall rule on the DMZ interface denying all traffic to the LAN while still permitting all traffic to the WAN.
1. Click Firewall → Rules.
2. Click on the plus + sign on the right hand side to create a new firewall rule.
3. Set action to be REJECT
4. Set the interface to be OPT1
5. Set source to be ANY
6. Set the destination as “LAN subnet”
7. Click on Save.
8. Click on “Apply Changes”
9. Next, we set up the firewall rule on the DMZ interface to allow DMZ traffic to go anywhere except LAN. Click Firewall → Rules.
10. Click on the plus + sign on the bottom right hand side to create a new firewall rule.
11. Set action to be ACCEPT
12. Set source to be ANY
13. Set the destination as “NOT LAN subnet”
14. Click on Save.
15. Click on “Apply Changes”
If certain services on the LAN must be reachable from the DMZ, firewall rules have to be set up on the DMZ interface to allow them; these rules must be placed above the Reject rule, since pfSense applies the first matching rule.
The following shows the minimum firewall rules for the DMZ (OPT1) zone.
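The DMZ policy above can be checked offline before it is entered in the web GUI. The following Python script is an added example, not code from the Hacom guide or from pfSense: it models the two OPT1 rules and the 1:1 NAT mapping from this section, evaluates them in pfSense's first-match order against a few constructed flows, and includes a constructed misordered ruleset to show why a broad Pass rule above the Reject rule breaks the policy. Addresses in 198.51.100.0/24 are constructed documentation addresses.

```python
"""Checker for the three-zone (WAN / LAN / DMZ) policy of this section.

Added example, not code from the Hacom guide or pfSense. It models the OPT1
rules and the 1:1 NAT mapping and evaluates constructed flows against them.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses from the guide's assumptions
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
WEB_SERVER_DMZ_IP = ipaddress.ip_address("192.168.2.5")
WEB_SERVER_PUBLIC_IP = ipaddress.ip_address("208.127.150.32")


@dataclass(frozen=True)
class Rule:
    action: str                                   # "pass" or "reject"
    source: Optional[ipaddress.IPv4Network]       # None means "any"
    destination: Optional[ipaddress.IPv4Network]  # None means "any"
    negate_destination: bool = False              # the "not" box ("NOT LAN subnet")
    description: str = ""

    def matches(self, src, dst):
        if self.source is not None and src not in self.source:
            return False
        if self.destination is None:
            return True
        in_dst = dst in self.destination
        return not in_dst if self.negate_destination else in_dst


# The OPT1 rules of this section, top to bottom (the Pass rule's source is
# "OPT1 net", as in the template that follows this section)
OPT1_RULES = [
    Rule("reject", None, LAN_NET, False, "Reject DMZ traffic to LAN"),
    Rule("pass", DMZ_NET, LAN_NET, True, "Permit DMZ to any but LAN"),
]

# Constructed misordering: a broad Pass rule placed above the Reject rule
MISORDERED_RULES = [
    Rule("pass", DMZ_NET, None, False, "Permit DMZ to any (shadows the Reject below)"),
    Rule("reject", None, LAN_NET, False, "Reject DMZ traffic to LAN"),
]


def evaluate(rules, src, dst, default="block"):
    """pfSense evaluates interface rules top-down and the first match wins;
    a flow that matches no rule falls through to the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return default


def nat_inbound(dst):
    """1:1 NAT on WAN: traffic to the public IP is delivered to the DMZ host."""
    dst = ipaddress.ip_address(dst)
    return WEB_SERVER_DMZ_IP if dst == WEB_SERVER_PUBLIC_IP else dst


def nat_outbound(src):
    """Reverse direction: replies from the DMZ host leave with the public IP."""
    src = ipaddress.ip_address(src)
    return WEB_SERVER_PUBLIC_IP if src == WEB_SERVER_DMZ_IP else src


def check_policy(rules):
    """Evaluate the flows a practitioner would verify by hand on OPT1."""
    return {
        "dmz_to_lan": evaluate(rules, "192.168.2.5", "192.168.1.10"),
        "dmz_to_internet": evaluate(rules, "192.168.2.5", "198.51.100.7"),
        "foreign_source_to_lan": evaluate(rules, "198.51.100.9", "192.168.1.10"),
        "foreign_source_to_internet": evaluate(rules, "198.51.100.9", "198.51.100.7"),
    }


if __name__ == "__main__":
    print("inbound to", WEB_SERVER_PUBLIC_IP, "->", nat_inbound(WEB_SERVER_PUBLIC_IP))
    for name, verdict in check_policy(OPT1_RULES).items():
        print(f"{name:28s} {verdict}")
    print("misordered dmz_to_lan ->", evaluate(MISORDERED_RULES, "192.168.2.5", "192.168.1.10"))
```

The last flow in check_policy shows the effect of the template's "OPT1 net" source on the Pass rule: a packet arriving on OPT1 with a source address outside the DMZ subnet matches no rule and is dropped by the default deny, whereas step 12's "ANY" source would pass it. The misordered variant shows that the Reject rule only protects the LAN if it stays above any Pass rule whose destination includes the LAN.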
Three-Zone Firewall Template
Hacom pfSense Three-Zone Firewall Setup Template

Interfaces
Interface | Static IP | Comment
WAN | 208.127.150.32/24 |
LAN | 192.168.1.0 |
OPT1 (DMZ) | 192.168.2.1/24 |

Virtual IPs (Firewall → Virtual IPs)
Virtual IP Address | Type | Interface | Description
208.127.150.32/32 | Other | WAN |

Firewall → NAT → 1:1
Interface | External subnet | Internal subnet | Description
WAN | 208.127.150.32/32 | 192.168.2.5 | www.baoha.net

Firewall → Rules
Action | Interface | Protocol | Source/Port | Destination/Port | Gateway | Description
Reject | OPT1 | Any | Any | LAN net | | Reject DMZ traffic to LAN
Pass | OPT1 | Any | OPT1 net | !LAN net | | Permit DMZ to any but LAN
Four-Zone Firewall: Wireless Configuration
There are three ways to add a wireless network to our networking environment, assuming that the system has the optional wireless adapter.
1. Bridged wireless network. In this configuration, although we still have four zones (WAN, LAN, OPT1 and OPT2), the wireless interface OPT2 is bridged with LAN. The two zones LAN and OPT2 are in effect combined into one zone, LAN, for all practical purposes.
2. Four-zone firewall. In this configuration, the wireless network is just another local network, like the local network in the LAN zone.
3. Captive portal. This is similar to the 4-zone networking environment above, but it forces users to authenticate before they can access the wireless network.
The DMZ (OPT1) zone can be ignored at this point. In fact, if there is no DMZ, the wireless interface becomes OPT1 instead of OPT2, and all configurations are otherwise the same.
Following is a diagram of a 4-zone firewall: WAN, LAN, OPT1 and OPT2. WAN is the Internet, the outside world. LAN is the local internal network protected by the firewall. OPT1 is the DMZ. And OPT2 is our wireless zone.
If it has not been done already, we need to add the wireless network interface, OPT2 in this case, using the web administration tools.
1. Go to Interfaces → Assign.
2. Click on the plus + sign on the right hand side to create a new interface OPT2.
3. Choose the ath0 network port.
4. Click on Save!
Note: Hacom supplies the Atheros-based wireless network adapter with some of the systems. It is detected by FreeBSD as the ath0 interface. Other wireless network adapters may be detected under a different name.
Bridged Wireless Network
In this configuration, all wireless users in the OPT2 zone are treated as being on the same network as the wired LAN users. The advantage is that all users in OPT2 and LAN can share peripherals such as networked printers and shared drives.
To configure a wireless network:
1. Go to Interfaces → OPT2.
2. Enable the optional 2 interface, OPT2.
3. On the IP Configuration, set it to bridge with LAN.
4. Set the wireless configuration standard to 802.11g.
5. Set the mode to Access Point.
6. Set the SSID to “pfSense” or your choice of network name.
7. Enable WEP authentication. There are other authentication methods besides WEP, i.e. WPA or 802.1X. Depending on the number of users and the required security level, they may be a better choice than WEP.
8. Set the 13-character WEP key.
9. Set Open Authentication.
10. Click on Save!
11. Add a firewall rule for OPT2 similar to the LAN zone.
12. Click on Save!
13. Click on “Apply Changes”!
Four-Zone Firewall Template (Bridged Wireless)
Hacom pfSense Four-Zone Firewall Setup Template

Interfaces
Interface | Static IP | Comment
WAN | 208.127.150.32/24 |
LAN | 192.168.1.0 |
OPT1 (DMZ) | 192.168.2.1/24 |
OPT2 (Wireless) | Bridged with LAN! | Refer to the Wireless template for setup info.

Virtual IPs (Firewall → Virtual IPs)
Virtual IP Address | Type | Interface | Description
208.127.150.32/32 | Other | WAN |

Firewall → NAT → 1:1
Interface | External subnet | Internal subnet | Description
WAN | 208.127.150.32/32 | 192.168.2.5 | www.baoha.net

Firewall → Rules
Action | Interface | Protocol | Source/Port | Destination/Port | Gateway | Description
Reject | OPT1 | Any | Any | LAN net | | Reject DMZ traffic to LAN
Pass | OPT1 | Any | OPT1 net | !LAN net | | Permit DMZ to any but LAN
Pass | OPT2 | Any | OPT2 net | Any | | Permit OPT2 to any
Wireless Interface Template
Hacom pfSense Wireless Interface Template
Interface: OPT2
Standard: 802.11g
Mode: Access Point
802.11g OFDM Protection Mode: Protection mode off
SSID: pfsense
Enable WEP: Yes
Key 1: 123456789abc
Key 2:
Key 3:
Key 4:
Enable WPA:
WPA Pre Shared Key (PSK):
WPA Mode:
Authentication: Open System Authentication
WPA Pairwise:
Key Rotation:
Master Key Regeneration:
Strict Key Regeneration:
Enable IEEE802.1X:
Hostname (DHCP client configuration):
Four-Zone Firewall: Non-Bridged Wireless Network
Setting up a non-bridged wireless network is fairly easy. Follow the same procedure as above, except for the first three steps, which become:
1. Go to Interfaces → OPT2. Enable the optional 2 interface, OPT2, if it is not already enabled.
2. On the IP Configuration, set the bridge to NONE and set the IP address to a subnet separate from LAN. For example, we set it to 192.168.3.1/24.
Four-Zone Firewall Template (Non-Bridged Wireless)
Hacom pfSense Four-Zone Firewall Setup Template

Interfaces
Interface | Static IP | Comment
WAN | 208.127.150.32/24 |
LAN | 192.168.1.0 |
OPT1 (DMZ) | 192.168.2.1/24 |
OPT2 (Wireless) | 192.168.3.1/24 | Refer to the Wireless template for setup info.

Virtual IPs (Firewall → Virtual IPs)
Virtual IP Address | Type | Interface | Description
208.127.150.32/32 | Other | WAN |

Firewall → NAT → 1:1
Interface | External subnet | Internal subnet | Description
WAN | 208.127.150.32/32 | 192.168.2.5 | www.baoha.net

Firewall → Rules
Action | Interface | Protocol | Source/Port | Destination/Port | Gateway | Description
Reject | OPT1 | Any | Any | LAN net | | Reject DMZ traffic to LAN
Pass | OPT1 | Any | OPT1 net | !LAN net | | Permit DMZ to any but LAN
Pass | OPT2 | Any | OPT2 net | Any | | Permit OPT2 to any
Captive Portal
A captive portal uses a web page to authenticate users before granting them access to the Internet. It is commonly used in wireless environments, where it is also called hotspot management, but the technique is applicable to wired networks as well.
Following are the assumptions for the Captive Portal setup:
1. The Firewall has a WAN IP of 208.127.150.33.
2. The OPT1 (DMZ) subnet is 192.168.2.0/24.
3. The LAN subnet is 192.168.1.0/24.
4. The captive portal is on the OPT2 zone. It has its own subnet: 192.168.3.0/24.
The goal is to authenticate all wireless users before allowing them to access the Internet as well as local LAN resources.
The procedure is as follows:
1. Create the OPT2 interface and configure it, if it does not exist.
2. Configure the DHCP server.
3. Configure the Captive Portal.
4. Set up the firewall rule for OPT2, if there is none!
Wireless Non-Bridged Network
Configuration of the non-bridged wireless network is the same as in the previous section, Four-Zone Firewall: Non-Bridged Wireless Network. Note: make sure to disable all wireless authentication: no WEP/WPA/802.1X! The captive portal performs the authentication instead.
Setting up the DHCP Server
The DHCP server hands out IP addresses to the computers connecting to the Captive Portal. Use the following procedure if the DHCP server has not been set up yet.
1. Go to Services → DHCP server
2. Enable the DHCP server on the OPT2 interface
3. Set the IP range to be from 192.168.3.101 to 192.168.3.150
4. Click on Save!
Captive Portal Setting
1. Go to Services → Captive portal
2. Enable the Captive Portal
3. Set the Interface to OPT2
4. Set idle timeout to 10 minutes, hard timeout to 120 minutes.
5. Set authentication to “Local user manager”. Using a RADIUS server for authentication is recommended; scroll down to see the option.
6. Don't forget to upload the Portal page contents and the Authentication error page contents. Scroll further down to see the option.
7. Go to Services → Captive portal → Allowed IP addresses to allow the following IPs:
● 208.127.150.34: the Hacom.net logo. This is an example of displaying images from an outside Internet server on the portal page.
● 192.168.2.5: our web server www.baoha.net in the DMZ zone.
8. Click on the plus + sign on the right hand side to create a new allowed IP address.
9. Click on Save!
10. Click on “Apply Changes”!
11. Go to Services → Captive portal → Users to add authorized users:
12. Click on Save!
13. Click on “Apply Changes”!
Captive Portal Templates
The setup of a captive portal is similar to the four-zone non-bridged wireless configuration. We need the following templates with filled-in information:
1. DHCP server service
2. Wireless configuration ( No authentication)
3. Four-zone firewall
4. Captive portal
Hacom pfSense DHCP Services Template
DHCP Relay (Services → DHCP Relay)
Enable DHCP:
Append circuit ID and agent ID to requests:
Destination server:
DHCP Server (Services → DHCP server)
Interface: OPT2
Deny unknown clients:
Range (from - to): 192.168.3.101 - 192.168.3.150
WINS servers:
DNS servers:
Gateway:
Default lease time:
Maximum lease time:
Failover peer IP:
Static ARP:
Dynamic DNS:
NTP servers:
Enable Network booting:
Hacom pfSense Wireless Interface Template
Interface: OPT2
Standard: 802.11g
Mode: Access Point
802.11g OFDM Protection Mode: Protection mode off
SSID: pfsense
Enable WEP:
Key 1:
Key 2:
Key 3:
Key 4:
Enable WPA:
WPA Pre Shared Key (PSK):
WPA Mode:
Authentication: Open System Authentication
WPA Pairwise:
Key Rotation:
Master Key Regeneration:
Strict Key Regeneration:
Enable IEEE802.1X:
Hostname (DHCP client configuration):
Hacom pfSense Four-Zone Firewall Setup Template

Interfaces
Interface | Static IP | Comment
WAN | 208.127.150.32/24 |
LAN | 192.168.1.0 |
OPT1 (DMZ) | 192.168.2.1/24 |
OPT2 (Wireless) | 192.168.3.1/24 | Refer to the Wireless template for setup info.

Virtual IPs (Firewall → Virtual IPs)
Virtual IP Address | Type | Interface | Description
208.127.150.32/32 | Other | WAN |

Firewall → NAT → 1:1
Interface | External subnet | Internal subnet | Description
WAN | 208.127.150.32/32 | 192.168.2.5 | www.baoha.net

Firewall → Rules
Action | Interface | Protocol | Source/Port | Destination/Port | Gateway | Description
Reject | OPT1 | Any | Any | LAN net | | Reject DMZ traffic to LAN
Pass | OPT1 | Any | OPT1 net | !LAN net | | Permit DMZ to any but LAN
Pass | OPT2 | Any | OPT2 net | Any | | Permit OPT2 to any
Hacom pfSense Captive Portal (Services → Captive portal → Captive portal)
Enable Captive Portal: Yes
Interface: OPT2
Maximum concurrent connections:
Idle timeout: 10
Hard timeout: 120
Logout popup window:
Redirection URL:
Concurrent user logins:
MAC filtering:
Authentication: No authentication / Local user manager (Yes) / RADIUS authentication
RADIUS Server: IP address / Port / Shared Secret
Accounting: send RADIUS accounting packets
Accounting port:
Accounting updates: no accounting updates / stop/start accounting / interim update
RADIUS MAC authentication: Reauthenticate users/minute
Shared secret:
RADIUS options (Type):
HTTPS login:
HTTPS server name:
HTTPS certificate:
HTTPS private key:
Portal page contents:
Authentication error page contents:
Hacom pfSense Captive Portal's Allowed IP Address (Services → Captive portal → Allowed IP address)
Direction: To
IP address: 192.168.2.5
Description: www.baoha.net

Hacom pfSense Captive Portal's Allowed IP Address (Services → Captive portal → Allowed IP address)
Direction: To
IP address: 208.127.150.34
Description: Hacom.net logo

Hacom pfSense Captive Portal's User Management (Services → Captive portal → Users)
Username: baoha
Password: *****
Full Name:
Expiration Date:
Virtual Private Network: Site-to-Site IPSec
Internet Protocol Security (IPSec) is used to establish secured communication between one site and another remote site through the Internet. In this deployment case, we will be establishing an IPSec link between two pfSense firewalls.
Following are the assumptions for the site-to-site IPSec setup:
1. The pfSense firewall has a WAN IP of 208.127.150.33. It has a local network with a subnet of 192.168.254.0/24.
2. The other pfSense firewall has a WAN IP of 208.127.150.32. It has a local network with a subnet of 192.168.1.0/24.
3. Following are the IPSec link specifications:
● Pre-shared key: BaoHa. Using a certificate is recommended; a simple pre-shared key simplifies the setup so that the IPSec functionality can be evaluated.
● Encryption algorithm: aes256
● Hash algorithm: sha1
The goal is to establish an IPSec virtual private network (VPN); linking two remote networks of 192.168.1.0/24 and 192.168.254.0/24 together through the Internet.
The procedure is as follows:
1. Set up IPSec tunnels on both pfSense firewalls.
2. Set up the firewall rules on both pfSense firewalls.
3. Check the IPSec status.
Setup IPSec tunnels on pfSense
Following is the procedure to set up IPSec on the pfSense firewall with a local LAN subnet of 192.168.254.0/24.
1. Go to VPN → IPSec
2. Put a check mark on Enable IPSec. Click on the Save button!
3. Click on the plus + sign on the bottom right hand side to create a new IPSec tunnel.
4. Set the Interface to WAN.
5. Set the local subnet type to “LAN subnet”.
6. Set the Remote subnet to 192.168.1.0/24.
7. Set the remote gateway to 208.127.150.32.
8. Scroll down and set the negotiation mode to “main”.
9. Set My identifier to be “My IP address” and “208.127.150.33”.
10. Set Encryption algorithm to be “Rijndael 256” (AES256).
11. Set Hash algorithm to be SHA1
12. Set DH key group to be 2 (or 1024 bit).
13. Set Lifetime to be 28800.
14. Set Authentication method to be Pre-shared key.
15. Set Pre-shared Key to be “BaoHa”
16. Scroll down further and set Protocol to be ESP.
17. Set encryption algorithm to be “Rijndael 256”.
18. Set Hash algorithm to be SHA1
19. Set PFS key group to be “2” or 1024 bit.
20. Set Lifetime to be 86400.
21. Click on “Save”!
22. Click on “Apply Changes”.
The following screenshot shows the VPN → IPSec screen once the setup is done.
The IPSec tunnel setup on the second pfSense is similar. Following is the screenshot of VPN:IPSec of the second server.
Set up the Firewall rules on both pfSense firewalls
The firewall also has to be set up to allow IPSec traffic. Go to Firewall → Rules → IPSec and set it up as shown below.
Check the IPSec Status
1. Go to Status → IPSec
2. If it says “No IPSec security associations”, the tunnel has not been established yet. Just ping from one end to the other end.
3. When the tunnel is established, the following is what the screenshot of Status → IPSec → Overview should look like.
4. Following is the screenshot of Status → IPSec → SAD.
5. Following is the screenshot of Status → IPSec → SPD
6. Check the system logs of IPSec if there are still problems establishing the VPN tunnel!
IPSec tunnel to a Debian Server
Connecting to a Debian server through IPSec is just as easy.
Assume that the Debian server is running racoon with the following:
1. The pfSense firewall has a WAN IP of 208.127.150.33. It has a local network with a subnet of 192.168.254.0/24.
2. The Debian server has a WAN IP of 208.127.150.31. It has a local network with a subnet of 192.168.1.0/24.
3. Following are the IPSec link specifications:
● Pre-shared key: BaoHa. Using a certificate is recommended; a simple pre-shared key simplifies the setup so that the IPSec functionality can be evaluated.
● Encryption algorithm: aes256
● Hash algorithm: sha1
The only change is the Debian server's external IP address.
1. Go to VPN → IPSec
2. Change the remote gateway to 208.127.150.31.
Following is the configuration of Debian's racoon:
Make sure that the file /etc/racoon/psk.txt contains the following pre-shared key line (identifier of the pfSense peer, followed by the key):
208.127.150.33 BaoHa
Following are the screenshots of Status → IPSec once the tunnel is established.
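Both the pfSense-to-pfSense setup and the Debian/racoon variant above fail in the same way when the two ends do not mirror each other: Status → IPSec keeps reporting no security associations. The following Python script is an added example, not code from the Hacom guide, pfSense or racoon. It encodes the two ends from this section's assumptions (WAN IPs, subnets, remote gateways, pre-shared key, phase 1 and phase 2 proposals), reports every value that does not mirror, and checks a constructed sample of racoon's /etc/racoon/psk.txt (one "identifier key" pair per line) against the pfSense side. The misconfigured peer is constructed to show what a mismatch report looks like.

```python
"""Mirror check for the site-to-site IPSec settings of this section.

Added example, not code from the Hacom guide, pfSense or racoon. The two
ends of a tunnel must mirror each other (my local subnet is the peer's remote
subnet, my remote gateway is the peer's WAN IP) and agree on every phase 1
and phase 2 value and on the pre-shared key.
"""
import ipaddress
from dataclasses import dataclass, field

# Proposal values from the guide (Rijndael 256 = AES256, SHA1, DH group 2)
PHASE1 = {"mode": "main", "encryption": "aes256", "hash": "sha1",
          "dh_group": 2, "lifetime": 28800}
PHASE2 = {"protocol": "esp", "encryption": "aes256", "hash": "sha1",
          "pfs_group": 2, "lifetime": 86400}


@dataclass
class TunnelEnd:
    name: str
    wan_ip: str
    local_subnet: str
    remote_subnet: str
    remote_gateway: str
    psk: str
    phase1: dict = field(default_factory=lambda: dict(PHASE1))
    phase2: dict = field(default_factory=lambda: dict(PHASE2))


# The two pfSense firewalls from the guide's assumptions
SITE_A = TunnelEnd("pfSense A", "208.127.150.33", "192.168.254.0/24",
                   "192.168.1.0/24", "208.127.150.32", "BaoHa")
SITE_B = TunnelEnd("pfSense B", "208.127.150.32", "192.168.1.0/24",
                   "192.168.254.0/24", "208.127.150.33", "BaoHa")


def check_pair(a, b):
    """Return the list of mismatches between two tunnel ends (empty = mirrored)."""
    problems = []
    a_local, a_remote = ipaddress.ip_network(a.local_subnet), ipaddress.ip_network(a.remote_subnet)
    b_local, b_remote = ipaddress.ip_network(b.local_subnet), ipaddress.ip_network(b.remote_subnet)
    if a.remote_gateway != b.wan_ip:
        problems.append(f"{a.name} remote gateway {a.remote_gateway} is not {b.name}'s WAN IP {b.wan_ip}")
    if b.remote_gateway != a.wan_ip:
        problems.append(f"{b.name} remote gateway {b.remote_gateway} is not {a.name}'s WAN IP {a.wan_ip}")
    if a_local != b_remote:
        problems.append(f"{a.name} local subnet {a_local} is not {b.name}'s remote subnet {b_remote}")
    if b_local != a_remote:
        problems.append(f"{b.name} local subnet {b_local} is not {a.name}'s remote subnet {a_remote}")
    if a_local.overlaps(b_local):
        problems.append(f"local subnets {a_local} and {b_local} overlap; traffic cannot be routed into the tunnel")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    # Every phase 1 / phase 2 value must be identical on both ends
    for phase, pa, pb in (("phase 1", a.phase1, b.phase1), ("phase 2", a.phase2, b.phase2)):
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                problems.append(f"{phase} {key}: {a.name}={pa.get(key)!r} {b.name}={pb.get(key)!r}")
    return problems


def parse_psk_txt(text):
    """Parse racoon's psk.txt: one 'identifier key' pair per line, '#' starts a comment."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed psk.txt line: {raw!r}")
        keys[parts[0]] = parts[1].strip()
    return keys


def racoon_psk_matches(psk_text, pfsense_end):
    """The Debian peer must list the pfSense WAN IP with the same key pfSense uses."""
    return parse_psk_txt(psk_text).get(pfsense_end.wan_ip) == pfsense_end.psk


# Constructed sample of the Debian peer's /etc/racoon/psk.txt
CONSTRUCTED_PSK_TXT = """# constructed sample of /etc/racoon/psk.txt
208.127.150.33 BaoHa
"""


def mismatched_peer():
    """Constructed peer whose phase 1 hash and lifetime were left at other values."""
    end = TunnelEnd("pfSense B (misconfigured)", "208.127.150.32", "192.168.1.0/24",
                    "192.168.254.0/24", "208.127.150.33", "BaoHa")
    end.phase1.update({"hash": "md5", "lifetime": 3600})
    return end


if __name__ == "__main__":
    print("A <-> B mismatches:", check_pair(SITE_A, SITE_B) or "none")
    print("A <-> misconfigured B mismatches:")
    for problem in check_pair(SITE_A, mismatched_peer()):
        print("  -", problem)
    print("racoon psk.txt matches pfSense A:", racoon_psk_matches(CONSTRUCTED_PSK_TXT, SITE_A))
```

For the Debian case, the only value that changes on the pfSense side is the remote gateway (208.127.150.31 instead of 208.127.150.32), so a TunnelEnd for the racoon host would carry that WAN IP and the same subnets; the psk.txt check then confirms that the identifier racoon looks up (the pfSense WAN address) carries the same key pfSense was given in step 15.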
VPN IPSec Template
Hacom pfSense VPN IPSec
Interface: WAN
Local subnet: Type LAN subnet / Address
Remote subnet: 192.168.1.0/24
Remote gateway: 208.127.150.32
Description:
Phase 1 proposal (Authentication)
Negotiation Mode: main
My Identifier: My IP Address 208.127.150.33
Encryption algorithm: Rijndael 256
Hash algorithm: SHA1
DH Key Group: 2
Lifetime: 28800
Authentication method: Pre-shared key
Pre-shared Key: BaoHa
Certificate:
Key:
Peer Certificate:
Phase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithm: Rijndael 256
Hash algorithm: SHA1
PFS key group: 2
Lifetime: 86400
Keep alive (automatically ping):
Firewall → Rules → IPSec
Action | Interface | Protocol | Source/Port | Destination/Port | Gateway | Description
Pass | IPSEC | Any | Any | Any | |
Appendix A. Templates
Appendix A1. Three-Zone Firewall Template
Hacom pfSense Three-Zone Firewall Setup Template

Interfaces
Interface | Static IP | Comment
WAN | |
LAN | |
OPT1 (DMZ) | |

Virtual IPs (Firewall → Virtual IPs)
Virtual IP Address | Type | Interface | Description

Firewall → NAT → 1:1
Interface | External subnet | Internal subnet | Description

Firewall → Rules
Action | Interface | Protocol | Source/Port | Destination/Port | Gateway | Description
Appendix A2. Wireless Interface Template
Hacom pfSense Wireless Interface Template
Interface:
Standard:
Mode:
802.11g OFDM Protection Mode:
SSID:
Enable WEP:
Key 1:
Key 2:
Key 3:
Key 4:
Enable WPA:
WPA Pre Shared Key (PSK):
WPA Mode:
Authentication:
WPA Pairwise:
Key Rotation:
Master Key Regeneration:
Strict Key Regeneration:
Enable IEEE802.1X:
Hostname (DHCP client configuration):
Appendix A3. Four-Zone Firewall Template
Hacom pfSense Four-Zone Firewall Setup Template

Interfaces
Interface | Static IP | Comment
WAN | |
LAN | |
OPT1 (DMZ) | |
OPT2 | |

Virtual IPs (Firewall → Virtual IPs)
Virtual IP Address | Type | Interface | Description

Firewall → NAT → 1:1
Interface | External subnet | Internal subnet | Description

Firewall → Rules
Action | Interface | Protocol | Source/Port | Destination/Port | Gateway | Description
Appendix A4. DHCP Service Template
Hacom pfSense DHCP Services Template
DHCP Relay (Services → DHCP Relay)
Enable DHCP:
Append circuit ID and agent ID to requests:
Destination server:
DHCP Server (Services → DHCP server)
Interface:
Deny unknown clients:
Range (from - to):
WINS servers:
DNS servers:
Gateway:
Default lease time:
Maximum lease time:
Failover peer IP:
Static ARP:
Dynamic DNS:
NTP servers:
Enable Network booting:
Appendix A5. Captive Portal Template
Hacom pfSense Captive Portal (Services → Captive portal → Captive portal)
Enable Captive Portal:
Interface:
Maximum concurrent connections:
Idle timeout:
Hard timeout:
Logout popup window:
Redirection URL:
Concurrent user logins:
MAC filtering:
Authentication: No authentication / Local user manager / RADIUS authentication
RADIUS Server: IP address / Port / Shared Secret
Accounting: send RADIUS accounting packets
Accounting port:
Accounting updates: no accounting updates / stop/start accounting / interim update
RADIUS MAC authentication: Reauthenticate connected users every minute
Shared secret:
RADIUS options (Type):
HTTPS login:
HTTPS server name:
HTTPS certificate:
HTTPS private key:
Portal page contents:
Authentication error page contents:
Appendix A6. Captive Portal's Allowed IP Address Template
Hacom pfSense Captive Portal's Allowed IP Address (Services → Captive portal → Allowed IP address)
Direction:
IP address:
Description:
Appendix A7. Captive Portal's User Management
Hacom pfSense Captive Portal's User Management (Services → Captive portal → Users)
Username:
Password:
Full Name:
Expiration Date:
Appendix A8. VPN IPSec Template
Hacom pfSense VPN IPSec
Interface: WAN
Local subnet: Type LAN subnet / Address
Remote subnet:
Remote gateway:
Description:
Phase 1 proposal (Authentication)
Negotiation Mode:
My Identifier: My IP Address
Encryption algorithm:
Hash algorithm:
DH Key Group:
Lifetime:
Authentication method:
Pre-shared Key:
Certificate:
Key:
Peer Certificate:
Phase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithm:
Hash algorithm:
PFS key group:
Lifetime:
Keep alive (automatically ping):
Firewall → Rules → IPSec
Action | Interface | Protocol | Source/Port | Destination/Port | Gateway | Description