Graduation project report - pfSense


Upload: medloug-moo

Post on 03-Jan-2016


Page 1: Graduation project report - pfSense


Acknowledgments

All praise to ALLAH, the most merciful, kind and beneficent, and the source of all knowledge and wisdom within and beyond my comprehension.

Heartfelt thanks to Prof. Driss El Ouadghiri, who is responsible for the professional license on systems and networks management at the Science Faculty of Meknes and is my project supervisor.

Special thanks go to all the members of the jury, Prof. Khalid EL YASSINI, Prof. Abdeslam EL FERGOUGUI, Prof. Rachid ELOUAHBI and the engineer Mohammed GHALLALI, for agreeing to lend us their attention and evaluate our work. Thanks also go to all of my teachers at the Science Faculty of Meknes.

I am very grateful to Mr. Ismail Azzouzi and Mr. Abdelhakim Mesbahi; they guided and helped me through timely suggestions, valuable advice and especially their sympathetic attitude, which always inspired me to work hard.

I would also like to thank everyone who shared valuable information that helped in the successful completion of this project.

Finally, I would like to thank my mother Zoubida Mestari, my brother and sisters and all the members of my big family.

Mohamed Loughmari


List of Figures

Figure 1. Organization chart of the Court of Appeal Taza

Figure 2. Versions of pfSense

Figure 3. Compact Flash

Figure 4. WRAP

Figure 5. ALIX

Figure 6. Soekris

Figure 7. Asking to set up VLANs

Figure 9. Finishing steps of installation

Figure 10. Shell menu

Figure 11. Option 99

Figure 12. The configure console

Figure 13. Selecting the simple installation

Figure 14. Confirmation step

Figure 15. Transferring the system to the media

Figure 16. Asking for reboot

Figure 17. Enabling SSH

Figure 18. Generating RSA key

Figure 19. The public key

Figure 20. Disabling password login

Figure 21. Pasting the client public RSA

Figure 22. Client configuration

Figure 23. Creating ALIAS

Figure 24. Types of ALIAS

Figure 25. Using ALIAS

Figure 26. Creating a NAT port forward rule

Figure 27. Creating a schedule

Figure 28. Schedule repeat

Figure 29. Firewall rule

Figure 30. DMZ rules

Figure 31. Creating a VIP

Figure 32. VIP created

Figure 33. Configuring 1:1 NAT

Figure 34. Creating gateway


Figure 35. Creating a static route

Figure 36. Static route created

Figure 37. SMTP notification configuration

Figure 38. Test e-mail

Figure 39. Captive portal

Figure 40. Selecting local user manager as the authentication

Figure 41. Creating a new user

Figure 42. User manager

Figure 43. Captive portal test

Figure 44. Enabling RIP service

Figure 45. Enabling the WOL

Figure 46. Sending the magic packet

Figure 47. Storing MAC addresses

Figure 48. MAC addresses stored

Figure 49. Wake all MAC addresses stored

Figure 50. Using ping

Figure 51. Using traceroute

Figure 52. Backing up the configuration file

Figure 53. Downloading the configuration file

Figure 54. Restoring the configuration file

Figure 55. Configuration file restored

Figure 56. Auto configuration backup


List of Acronyms & Abbreviations

ARP Address Resolution Protocol

BGP Border Gateway Protocol

CARP Common Address Redundancy Protocol

CD Compact Disc

CF Compact Flash

DHCP Dynamic Host Configuration Protocol

DMZ Demilitarized Zone

DNS Domain Name System

GPL General Public License

GNU GNU's Not UNIX

GUI Graphical User Interface

HTTP Hypertext Transfer Protocol

ICMP Internet Control Message Protocol

IDS Intrusion Detection System

IP Internet Protocol

IT Information Technology

LAN Local Area Network

MAC Media Access Control

MD5 Message-Digest 5

NAT Network Address Translation

NIC Network Interface Card

NTP Network Time Protocol

OPT Optional interface

OS Operating System

PC Personal Computer

PPPoE Point-to-Point Protocol over Ethernet

PPTP Point-to-Point Tunneling Protocol

QoS Quality of Service

RAM Random Access Memory

RIP Routing Information Protocol

SDR Regional Sub Direction

SMTP Simple Mail Transfer Protocol

SSH Secure Shell

TCP Transmission Control Protocol

URL Uniform Resource Locator

VIP Virtual IP

VLAN Virtual LAN

VPN Virtual Private Network

WAN Wide Area Network

Wi-Fi Wireless Fidelity

WOL Wake-on-LAN

XML Extensible Markup Language


Abstract

This is a graduation project prepared by Mohamed LOUGHMARI, a student of the professional license on systems and networks management at the Science Faculty of Meknes. It is the result of a two-month traineeship carried out at the Court of Appeal in Taza.

It aims to implement pfSense, which is an open source firewall solution.

This report covers the theoretical part and the practical part of pfSense.

Summary

This work is part of the graduation project prepared by Mohamed LOUGHMARI, a student of the professional license in systems and networks management at the Faculty of Sciences of Meknes. It is the result of a two-month internship at the Court of Appeal of Taza.

It consists of implementing an open source firewall solution, "pfSense".

This report covers the theoretical part and the practical part of pfSense.


Table Of Contents

Acknowledgments

List of Figures

List of Acronyms & Abbreviations

Abstract

Summary

General Introduction

Part I: Presentation of the Courts of Appeal Taza

1. Organization

2. Attributions

3. Organization chart of the Court of Appeal Taza

4. IT Service

Part II: Theory of pfSense

Introduction

1. History and versions

1.1. History

1.2. Versions

2. Common Deployments

2.1. Perimeter Firewall

2.2. LAN or WAN Router

2.3. Wireless Access Point

2.4. Special Purpose Appliances

3. Interface Naming Terminology

3.1. Network divisions

3.2. Interface naming

4. Hardware

4.1. Hardware Architectures

4.2. Minimum Hardware Requirements

4.3. Embedded Hardware

5. Features List

Part III: Installation and Configuration

1. Installation

1.1. Downloading pfSense


1.2. Installing pfSense

1.2.1. VLANs

1.2.2. Assigning Interfaces

1.2.3. Finishing Steps

1.2.4. pfSense default configuration

1.2.5. Storing the config file on a writable media

1.2.6. Accessing the WebGUI

1.2.7. Installing pfSense to Hard Drive

2. Initial Configuration

2.1. The Secure Shell (SSH)

2.1.1. Enabling SSH

2.2. Authorized RSA keys

2.2.1. Generating authorized RSA keys

2.2.2. Configuring SSH RSA key authentication

2.2.3. Accessing the Secure Shell (SSH)

3. General basic configuration

3.1. ALIAS

3.1.1. Creating an ALIAS

3.1.2. Types of aliases

3.1.3. Using an alias

3.2. NAT port forward rule

3.2.1. Creating a NAT port forward rule

3.3. Schedule

3.3.1. Creating a schedule

3.4. Firewall rule

3.4.1. Creating a firewall rule

3.4.2. Advanced features

4. Advanced Configuration

4.1. Virtual IP

4.1.1. Types of virtual IPs

4.1.2. Creating a virtual IP

4.2. 1:1 NAT rule

4.2.1. Configuring a 1:1 NAT rule

4.3. Static route

4.3.1. Creating a gateway


4.3.2. Creating a static route

4.4. SMTP e-mail notifications

4.4.1. Configuring SMTP e-mail notifications

4.5. Captive portal

4.5.1. Creating a captive portal

5. Services

5.1. RIP

5.1.1. Enabling RIP

5.2. Wake On LAN (WOL)

5.2.1. Enabling Wake On LAN (WOL)

5.2.2. Storing MAC addresses

5.2.3. Wake All

6. Maintenance

6.1. Ping

6.1.1. Using ping

6.2. Traceroute

6.2.1. Using traceroute

6.3. Backing up the configuration file

6.4. Restoring the configuration file

6.5. Automatic configuration file backup

6.5.1. Installing the AutoConfigBackup Package

6.5.2. Configuring the AutoConfigBackup Package

Conclusion

References


General Introduction

"Nothing ever becomes REAL until it is experienced." - John Keats

Internships have become an important part of a college student's education. Through internships, students gain experience in different fields, test career interests, and establish contacts that can assist with networking. As part of my studies for the professional license on systems and networks management at the faculty of Meknes, I spent two months as an intern at the Court of Appeal of Taza, where my project dealt with a topic in IT security.

IT security is vital for protecting the confidentiality, integrity, and availability of computer systems, resources, and data. Without confidentiality, trade secrets or personally identifying information can be lost. Without integrity, we cannot be sure that the data we have is the same data that was initially sent. Without availability, we may be denied access to computing resources.

Many elements contribute to IT security; one of the most important is the firewall. A firewall can be a hardware device or a software application and is generally placed at the perimeter of the network to act as the gatekeeper for all incoming and outgoing traffic.

Given the importance of security and the firewall's role as its primary tool, I decided to implement pfSense, which is an open source firewall solution.

In this report, I present the work I did during the training period in three main parts:

The first part gives an overview of the Court of Appeal of Taza, where I spent the internship.

The second part covers the theory of pfSense: basic information and its features.

The third part is the practical part; it covers the installation of pfSense and some important configuration.

Finally, the report closes with a general conclusion.


Part I

Presentation of the Courts of Appeal Taza


1. Organization

Each Court of Appeal is a regional sub direction and includes, under the authority of the Prime President, a number of specialized chambers, including a staff room and a criminal division.

However, any chamber can properly investigate and prosecute, regardless of the nature of the cases before these courts.

They also have a public ministry composed of a Prosecutor General of the King and substitutes, one or more investigating magistrates, one or more magistrates for minors, a registry and the secretariat of the Prosecutor General.

In all matters, hearings are held and judgments rendered by a panel of three counselors assisted by a clerk, unless the law provides otherwise.

The criminal division sits, due to the seriousness of the cases entrusted to it, with five counselors: a chamber president and four counselors.

2. Attributions

The courts of appeal, as courts of second instance, examine a second time the cases previously tried in the first instance by the trial court.

They then hear appeals against decisions rendered by the courts and appeals against orders made by their presidents.

The criminal chambers of the Courts of Appeal are specific formations competent to judge crimes.

3. Organization chart of the Court of Appeal Taza

Figure 1. Organization chart of the Court of Appeal Taza

[Organization chart: Regional Director Abdellatif ELGHBAR; IT Service (Abd El Hakim Mesbahi, maintenance of systems and network; Ismail Azzouzi, training of IT students); Budget and Equipment Service; Human Resource Service; Technical Service]


4. IT Service

The IT service has become essential to the organization; it has many tasks, covering the purchase of computer equipment, its installation, and the management of information flows.

The IT department cannot afford to make mistakes, as it is vital to the organization. This is because it is responsible for managing e-mail, and therefore communication both inside and outside the organization.

It must also handle information received from partners, which must be converted and integrated into their databases.

If the IT department is no longer operational, no further communication is possible and it would be simply impossible to manage the company (delivery, orders, inventory management, data backup, ...).

As we see in the organization chart, the IT department of the SDR is composed of two people:

Mr. Abdelhakim Mesbahi, IT manager, whose mission is to optimize processing and computer systems by providing technical assistance to users. He is responsible for:

- Maintenance of computer equipment in the legal district.
- Monitoring the state of hardware.
- Market monitoring installation of electrical and computer networks.
- Receiving hardware from companies.
- Control of the company in case work.
- Supporting all IT projects of the company and ensuring the reliability, consistency and evolution of information systems, technically and functionally.
- Advising the Department when considering new solutions (software selection, equipment, network architecture ...).
- Defining the needs of the region and monitoring technology.

Mr. Ismail el Azzouzi, Training Officer and student host:

- Training people.
- Monitoring the computer programs of the Ministry of Justice.
- Coaching officials in IT for the Judicial District.
- Other administrative tasks.


Part II

Theory of pfSense


Introduction

PfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and

router, entirely managed in an easy to use web interface. This web interface is known as the web-based

GUI configurator or WebGUI for short. No FreeBSD knowledge is required to deploy and use pfSense.

PfSense is an open source operating system used to turn a computer into a firewall, router, or a

variety of other application-specific network appliances.

PfSense is a customized FreeBSD distribution based on the m0n0wall project, a powerful but light-

weight firewall distribution.

PfSense builds upon m0n0wall's foundation and takes its functionality several steps further by

adding a variety of other popular networking services.

1. History and versions

1.1. History

The pfSense project was started in September 2004 by Chris Buechler and Scott Ullrich. Chris is a

long time contributor to the m0n0wall project. m0n0wall is a great embedded firewall, but one of the great

things about its design is also a limitation to expandability. m0n0wall runs entirely from RAM, the entire

OS and all applications are loaded into RAM at boot time. This is a great design for embedded systems, for

performance and reliability reasons. However m0n0wall is not capable of being installed into a normal file

system on a hard drive. Hence many desirable functions can't be reasonably implemented.

1.2. Versions

Each version of pfSense is based on a specific -RELEASE version of FreeBSD. Below is a table that lists

recent versions of pfSense and the underlying FreeBSD version upon which they are based.

| pfSense Version | pfSense Branch | FreeBSD Version | FreeBSD Branch | Release Status |
|---|---|---|---|---|
| 1.2 | RELENG_1_2 | 6.2-RELEASE-p11 | RELENG_6_2 | Outdated, no longer supported. |
| 1.2.1 | RELENG_1_2 | 7.0-RELEASE-p7 | RELENG_7_0 | Outdated, no longer supported. |
| 1.2.2 | RELENG_1_2 | 7.0-RELEASE-p8 | RELENG_7_0 | Outdated, no longer supported. |
| 1.2.3 | RELENG_1_2 | 7.2-RELEASE-p5 | RELENG_7_2 | Outdated, no longer supported. |
| 2.0 | RELENG_2_0 | 8.1-RELEASE-p4 | RELENG_8_1 | Outdated, no longer supported. |
| 2.0.1 | RELENG_2_0 | 8.1-RELEASE-p6 | RELENG_8_1 | Outdated, no longer supported. Includes fixes/enhancements from after 2.0. |
| 2.0.2 | RELENG_2_0 | 8.1-RELEASE-p13 | RELENG_8_1 | Outdated, no longer supported. Includes fixes/enhancements from after 2.0.1. |
| 2.0.3 | RELENG_2_0 | 8.1-RELEASE-p13 | RELENG_8_1 | Current stable supported release. Includes fixes/enhancements from after 2.0.2. |
| 2.1 | HEAD (master) | (TBD, at least 8.3-RELEASE-p5) | RELENG_8_3 | Next release, mainly adding IPv6 support. |
| 2.2 | (future) | (TBD, Likely 9.x-RELEASE) | RELENG_9 | Next future release. |

Figure 2. Versions of pfSense

2. Common Deployments

PfSense is used in about every type and size of network environment imaginable, and is almost

certainly suitable for your network whether it contains one computer, or thousands. This section will

outline the most common deployments.

2.1. Perimeter Firewall

The most common deployment of pfSense is as a perimeter firewall, with an Internet connection

plugged into the WAN side, and the internal network on the LAN side.

PfSense accommodates networks with more complex needs, such as multiple Internet connections,

multiple LAN networks, multiple DMZ networks, etc.

Some users also add BGP (Border Gateway Protocol) capabilities to provide connection

redundancy and load balancing.

2.2. LAN or WAN Router

The second most common deployment of pfSense is as a LAN or WAN router. This is a separate

role from the perimeter firewall in midsized to large networks, and can be integrated into the perimeter

firewall in smaller environments.

- LAN Router

In larger networks utilizing multiple internal network segments, pfSense is a proven solution to

connect these internal segments. This is most commonly deployed via the use of VLANs with 802.1Q

trunking. Multiple Ethernet interfaces are also used in some environments.

- WAN Router

For WAN services providing an Ethernet port to the customer, pfSense is a great solution for

private WAN routers. It offers all the functionality most networks require and at a much lower price point

than big name commercial offerings.

2.3. Wireless Access Point

Many deploy pfSense strictly as a wireless access point. Wireless capabilities can also be added to

any of the other types of deployments.


2.4. Special Purpose Appliances

Many deploy pfSense as a special purpose appliance. The following are four scenarios we know of, and there are sure to be many similar cases we are not aware of. Almost any of the functionality of pfSense can be utilized in an appliance-type deployment. As the project has matured, there has been considerable focus on using it as an appliance building framework, especially in the next release. Some special purpose appliances will be made available in the future.

- VPN Appliance

Some users drop in pfSense as a VPN appliance behind an existing firewall, to add VPN

capabilities without creating any disruption in the existing firewall infrastructure. Most pfSense VPN

deployments also act as a perimeter firewall, but this is a better fit in some circumstances.

- DNS Server Appliance

PfSense offers a DNS (Domain Name System) server package based on TinyDNS, a small, fast,

secure DNS server. It isn't laden with features.

- Sniffer Appliance

One user was looking for a sniffer appliance to deploy to a number of branch office locations. Commercial sniffer appliances are available with numerous bells and whistles, but at a very significant cost, especially when multiplied by a number of branch locations. PfSense offers a web interface for tcpdump that allows the downloading of the resulting pcap file when the capture is finished. This makes it possible to capture packets on a branch network, download the resulting capture file, and open it in Wireshark for analysis.

PfSense is not nearly as fancy as commercial sniffer appliances, but offers adequate functionality

for many purposes at a vastly lower cost.

- DHCP Server Appliance

One user deploys pfSense installations strictly as DHCP (Dynamic Host Configuration Protocol) servers to hand out IP addresses for its network.

3. Interface Naming Terminology

3.1. Network divisions

- LAN

The LAN interface is the first internal interface on the firewall. Short for Local Area Network, it is

most commonly the private side of a router which often utilizes a private IP address scheme. In small

deployments, this is typically the only internal interface.

- WAN

The WAN interface is used for the Internet connection, or primary Internet connection in a multi-

WAN deployment. Short for Wide Area Network, it is the untrusted public network outside of the router.

Connections from the Internet will come in through the WAN interface.

- OPT

OPT or Optional interfaces refer to any interfaces connected to local networks other than LAN.

OPT interfaces are commonly used for second LAN segments, DMZ segments, wireless networks and

more.

- OPT WAN

OPT WAN refers to Internet connections using an OPT interface, either those configured for DHCP or those specifying a gateway IP address. It is used for multiple WAN connections.


- DMZ

Short for demilitarized zone. The term was borrowed from its military meaning, which refers to a

sort of buffer between a protected area and a war zone. In networking, it is an area where your public

servers reside that is reachable from the Internet via the WAN, but is also isolated from the LAN so that a

compromise in the DMZ does not endanger systems in other segments.

3.2. Interface naming

FreeBSD names its interfaces by the network driver used, followed by a number starting at 0 and

incrementing by one for each additional interface using that driver. For example, a common driver is fxp,

used by Intel Pro/100 cards. The first Pro/100 card in a system will be fxp0, the second is fxp1, and so on.

Other common ones are em (Intel Pro/1000), bge (various Broadcom chipsets), rl (Realtek 8129/8139),

amongst numerous others. If your system mixes a Pro/100 card and a Realtek 8139, your interfaces will be

fxp0 and rl0 respectively.

4. Hardware

4.1. Hardware Architectures

pfSense is supported only on the x86 architecture. The types of devices supported range from

standard PCs to a variety of embedded devices. It is targeted at x86-based PCs 300 MHz or faster.

4.2. Minimum Hardware Requirements

At least a Pentium II processor with at least 128 MB of RAM. It is able to get by with less than that, but with less memory it may start swapping to disk, which will dramatically slow down the system.

4.3. Embedded Hardware

pfSense can also be installed on other specific platforms, such as:

- Compact Flash

Figure 3. Compact Flash

- WRAP

A cost-effective device for special network appliances such as wireless routers, VPN, VoIP…


Figure 4. WRAP

- ALIX

A higher performance replacement for the WRAP series.

Figure 5. ALIX

- Soekris

Open source software optimized to provide maximum flexibility and functionality for many

different applications and industries.

Figure 6. Soekris


5. Features List

- Firewall/Router.

- Edit information via the web GUI.

- Installation Setup Wizard.

- Wireless Access Point (wifi interface).

- Traffic Shaping.

- State Table.

- NAT.

- Redundancy.

- CARP: CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary, or the primary goes offline entirely, the secondary becomes active. PfSense also includes configuration synchronization capabilities, so configuration changes made on the primary are automatically synchronized to the secondary firewall.

- Pfsync: pfsync ensures the firewall's state table is replicated to all firewalls configured for failover. This means existing connections will be maintained in case of failure, which is important to prevent network disruptions.

- NTP server.

- Load Balancing, both Outbound and Inbound.

- nmap, ping, traceroute via the GUI.

- VPN - IPsec, OpenVPN, PPTP.

- PPPoE Server.

- RRD Charts Reporting.

- Real Time Details.

- Dynamic DNS.

- Captive Portal.

- DHCP Server and Relay.

- Packages list.

- Wake on LAN.

- Proxy Server.

- Sniffer.

- Ability to back up and restore the configuration via the web GUI.

- Ability to upgrade the Firmware.


Part III

Installation and Configuration


1. Installation

1.1. Downloading pfSense

Browse to www.pfsense.org and click the Downloads link. On the Downloads page, click the link for new installations. This will lead to the mirror selection page. Pick a geographically close mirror for best performance. Once a mirror has been selected, a directory listing will appear with the current pfSense release files for new installations.

For Live CD or full installations, download the .iso file. The 1.2.3 release file name is pfSense-

1.2.3-LiveCD-Installer.iso. There is also a MD5 file available by the same name, but ending in .md5. This

file contains a hash of the ISO, which can be used to ensure the download completed properly.
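The check described above can be scripted. The following Python sketch is an added example, not part of the original report or of pfSense: it streams the ISO through MD5 and compares the result with the digest in the .md5 file. The layout of the .md5 file is an assumption (BSD `MD5 (name) = hex`, GNU `hex  name`, or a bare digest are all accepted).

```python
import hashlib
import os
import re

# Assumed digest-file layouts; the report does not show the .md5 file's content.
_BSD = re.compile(r"^MD5 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{32})$")
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{32})\s+\*?(?P<name>.+)$")
_BARE = re.compile(r"^(?P<hex>[0-9a-fA-F]{32})$")


def parse_md5_file(text):
    """Return (hex_digest, file_name_or_None) from the first digest line."""
    for line in text.splitlines():
        line = line.strip()
        for pattern in (_BSD, _GNU, _BARE):
            found = pattern.match(line)
            if found:
                name = found.groupdict().get("name")
                return found.group("hex").lower(), name
    raise ValueError("no MD5 digest found")


def file_md5(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large ISO is never loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(iso_path, md5_path):
    """Return 'ok', 'name mismatch' or 'digest mismatch'."""
    with open(md5_path, encoding="ascii", errors="replace") as handle:
        expected, name = parse_md5_file(handle.read())
    # A digest file that names a different image was probably paired by mistake.
    if name is not None and os.path.basename(name) != os.path.basename(iso_path):
        return "name mismatch"
    return "ok" if file_md5(iso_path) == expected else "digest mismatch"


if __name__ == "__main__":
    import sys
    print(verify_download(sys.argv[1], sys.argv[1] + ".md5"))
```

A match shows the file arrived intact, which is what the text uses it for; it does not authenticate who published the image.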

For embedded installations, download the .img.gz file. The 1.2.3 release file name is pfSense-1.2.3-

nanobsd-size.img.gz, where size is one of 512M, 1G, 2G, or 4G, to reflect the size of CF card for which

that image was intended (sizes are in M for megabyte and G for gigabyte).

1.2. Installing pfSense

After downloading the image, verifying the integrity of the download, and preparing the CD, we boot from it. The first time pfSense boots up, it will ask to set up VLANs and assign the interfaces.

1.2.1. VLANs

VLANs are optional and are only needed for advanced networking. In our configuration we will not set them up, so we answer n.

Figure 7. Asking to set up VLANs

1.2.2. Assigning Interfaces

After the VLANs option, pfSense will ask to assign the interfaces:

- LAN, WAN, OPTx

The first interface it asks to assign is the LAN interface. If we know which interface we want to assign to LAN, we enter the name of the interface, such as "em0", and hit Enter.

The second interface to assign is the WAN interface. Enter the appropriate interface, such as "fxp1", and hit Enter again.

We need at least two interfaces (LAN and WAN) to set up pfSense. If more interfaces are available, we can go on and assign them as OPTx interfaces. The procedure is the same as for the interfaces already assigned.

- Auto Assign Procedure

There is another procedure for assigning interfaces, designed for the case where the NICs are all of the same kind and we don't know which physical NIC matches which detected NIC, since they will all appear as, for example, fxpX. In this case, simply enter "a" when asked for the NIC name.

Figure 8. Asking to assign interfaces

If there are no more interfaces left, just hit Enter without entering a NIC name and apply the settings by confirming them with "y".

1.2.3. Finishing Steps

PfSense now will make the finishing touches to configure the interfaces.


Figure 9. Finishing steps of installation

After it has gone through the configuration, it ends with a shell menu and a number of options. PfSense is now ready to be accessed with the WebGUI at the interface assigned as LAN.

Figure 10. Shell menu

1.2.4. pfSense default configuration

By default pfSense will have the following configuration.

- WAN is configured as DHCP client; all incoming connections are blocked by default.

- LAN is configured at 192.168.1.1/24 and acts as DHCP-Server and offers a DNS-forwarder.

- OPTx interfaces are disabled, you have to enable and configure them at the webgui.

- WebGUI runs at port 80, username is "admin", password "pfsense".


- SSH is disabled.

1.2.5. Storing the configfile on a writable media

This option is used when planning to run the LiveCD with a writable config media; option 98 assigns the drive that should hold the configfile.

The LiveCD will search all available media at bootup for a valid configfile and use it if found.

1.2.6. Accessing the webgui

The configuration should now be modified in the webgui to fit our needs. Use a browser to access http://192.168.1.1, with "admin" as the user and "pfsense" as the password.

1.2.7. Installing pfSense to Hard Drive

Option 99 from the shell menu installs pfSense to the hard drive. The configuration will be transferred to the hard drive by the installer.

Figure 11. option 99

The Configure Console screen is for changing the keyboard or the console appearance; after making any changes, go on by accepting the settings.

Figure 12. The configure console


Next, pfSense will present a list of tasks; choose "Quick/Easy install" for a simple installation.

Figure 13. Selecting the simple installation

Now comes the point of no return: we must only hit "Ok" if we are really sure there is no valuable data left on this media!

Figure 14. Confirmation step

Now pfSense is starting to transfer the system to the prepared media.


Figure 15. Transferring the system to the media

PfSense then asks to remove the CD and reboot the system to boot the new installation.

Figure 16. Asking for reboot

And it’s done! The installation is finished.

2. Initial Configuration

After finishing the installation, let's make one of the most important initial configurations.

2.1. The Secure Shell (SSH)

SSH is a networking protocol that allows encrypted communication between two devices. Enabling

SSH allows secure access to the pfSense console remotely, just as if we were sitting in front of the physical

console.


2.1.1. Enabling SSH

These steps below describe how to enable the Secure Shell (SSH) service in pfSense.

1. Browse to System | Advanced | Secure Shell.

2. Check Enable Secure Shell.

3. Leave the SSH port blank to use the default port.

4. Save the changes and the SSH service will be started.

Figure 17. Enabling SSH

2.2. Authorized RSA keys

Linux and Mac users will need to ensure ssh-keygen is installed on their system (almost all

distributions have this installed by default). Windows users will need to download and install the

PuTTYGen tool.

2.2.1. Generating authorized RSA keys

These steps below describe how to create an authorized RSA key so a user can connect to pfSense

without being prompted for a password.

1. Open PuTTYGen and generate a public/private key pair by clicking the Generate button.

2. Enter a passphrase.

3. Click the Save Private Key button and choose a location.

Figure 18. Generating RSA key


4. Highlight the public key that was generated in the textbox and copy and paste it into a

new file, let's say C:\MyPublicKey.txt.

Figure 19. The public Key

2.2.2. Configuring SSH RSA key authentication

These steps below describe how to configure pfSense to use an RSA key rather than a

password for SSH authentication.

1. Browse to System | Advanced | Secure Shell.

2. Check Disable password login for Secure Shell (RSA key only).

Figure 20. Disabling password login

3. Edit the user we will associate with the client's public key from System | User

Manager | Edit admin.

4. Select Click to paste an authorized key and paste the client's public RSA key here.

When pasted, the key should appear as a single line. Be sure your text editor didn't

insert any line feed characters or authentication may fail.


Figure 21. Pasting the client public RSA

5. Save the change.
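The single-line requirement in step 4 can be checked before pasting. The following Python sketch is an added example, not part of the original report or of pfSense: it parses an OpenSSH public-key line, confirms that the key type inside the base64 blob matches the declared type, and flags embedded line breaks or a key saved in PuTTYgen's multi-line "SSH2 PUBLIC KEY" file format. The sample line is built from a made-up modulus and is not a usable key.

```python
import base64
import binascii
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("key blob is truncated")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("key blob is truncated")
    return blob[offset + 4:end], end


def check_authorized_key(text):
    """Return (key_type, rsa_bits, comment) for one valid key line.

    Raises ValueError naming the problem otherwise.
    """
    text = text.strip()  # a trailing newline after the key is harmless
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        raise ValueError("multi-line SSH2 file format, not the one-line OpenSSH form")
    if "\n" in text or "\r" in text:
        raise ValueError("line break inside the key; it must be a single line")
    fields = text.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(body, validate=True)
    except binascii.Error:
        raise ValueError("base64 body is damaged") from None
    inner_type, offset = _read_string(blob, 0)
    if inner_type != key_type.encode("ascii", "replace"):
        raise ValueError("declared type does not match the type inside the blob")
    bits = None
    if key_type == "ssh-rsa":
        # An RSA blob is: type string, public exponent, modulus.
        _exponent, offset = _read_string(blob, offset)
        modulus, offset = _read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
        if offset != len(blob):
            raise ValueError("unexpected trailing data in key blob")
    return key_type, bits, comment


def diagnose(text):
    """Return 'ok' or the reason the pasted text would be rejected."""
    try:
        check_authorized_key(text)
    except ValueError as error:
        return str(error)
    return "ok"


def _mpint(value):
    """Encode a positive integer as an SSH mpint (leading zero if top bit set)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def constructed_sample_line():
    """Build a syntactically valid ssh-rsa line from a made-up 2048-bit modulus."""
    name = b"ssh-rsa"
    blob = struct.pack(">I", len(name)) + name + _mpint(65537) + _mpint((1 << 2047) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed-sample"


if __name__ == "__main__":
    good = constructed_sample_line()
    wrapped = good[:76] + "\n" + good[76:]  # what a wrapping editor produces
    for label, candidate in (("intact", good), ("wrapped", wrapped)):
        print(label, "->", diagnose(candidate))
```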

2.2.3. Accessing the Secure Shell (SSH)

This part describes how to access the pfSense console from a Windows client computer.

Connect via SSH from a Windows client with PuTTY as follows.

1. Open PuTTY and specify your hostname or IP address.

2. Specify an alternative port if necessary (default is port 22).

3. Browse to your private key file from Connection | SSH | Auth | Private Key file for

authentication.

Figure 22. Client configuration

3. General basic configuration

The core functionality of any firewall involves creating port forward and firewall security

rules, and pfSense is no different. These core features, plus others, can all be found on the main

Firewall menu of the pfSense web interface.

This chapter explains how to configure these rules and the features associated with them.


3.1. ALIAS

Aliases provide a degree of separation between our rules and values that may change in the

future (for example, IP addresses, ports, and so on). It's best to use aliases whenever possible.

3.1.1. Creating an ALIAS

These steps describe how to use, create, edit, and delete aliases.

1. Browse to Firewall | Aliases.

2. Click the "plus" button to add a new alias.

3. Add a Name for the alias.

4. Add an optional Description.

5. Select an alias Type and finish the configuration based on that selection.

Figure 23. Creating ALIAS

6. Save the changes.

3.1.2. Types of alias

Figure 24. Types of ALIAS

- Host alias

Selecting Host(s) as an alias Type allows creating an alias that holds one or more IP addresses.


- Network alias

Selecting Network(s) as an alias Type allows creating an alias that holds one or more networks (that

is ranges of IP addresses).

- Port alias

Selecting Port(s) as an alias Type allows creating an alias that holds one or more ports.

- URL alias

Selecting URL as an alias Type allows creating an alias that holds one or more URLs.

- URL Table alias

Selecting URL Table as an alias Type allows you to create an alias that holds a single URL pointing

to a large list of addresses. This can be especially helpful when we need to import a large list of IPs

and/or subnets.

3.1.3. Using an alias

Aliases can be used anywhere you see a red textbox. Simply begin typing and pfSense will

display any available aliases that match the text you've entered.

Figure 25. Using ALIAS

3.2. NAT port forward rule

As the name says, a NAT port forward rule forwards a type of traffic to a host or to another set of ports. In our example, we will create a port forward rule to forward any incoming web requests (HTTP) to a computer we've configured as a web server.

3.2.1. Creating a NAT port forward rule

These steps below describe how to create, edit, and delete port forward rules.

1. Browse to Firewall | NAT.

2. Select the Port Forward tab.

3. Click the "plus" button to create a new NAT port forward rule.

4. For Destination port range, choose HTTP for the from and to drop-down boxes.

5. For Redirect target IP specify the web server this traffic will be forwarded to, by alias or

IP address.

6. For Redirect target Port choose HTTP.

7. Add a Description, such as Forward HTTP to webserver1.


Figure 26. Creating a NAT port forward rule

8. Save the changes.

3.3. Schedule

Schedules allow us to specify when rules are enabled. They are primarily used with firewall

rules, but their generic design allows them to be used with other existing and future pfSense features.

If a firewall rule specifies a schedule, the rule is only enabled during that time period. In the

following example, we'll define a schedule for our normal 9am-5pm work hours.

3.3.1. Creating a schedule

This recipe describes how to create a schedule.

1. Browse to Firewall | Schedules.

2. Click the "plus" button to create a new schedule.

3. Enter a Schedule Name, such as WorkHours.

4. Enter a Description, such as Regular work week hours.

5. In the Month section, click Mon, Tue, Wed, Thu, and Fri to select all the days of the

work week.

6. Specify 9 am as the Start Time and 5 pm as the Stop Time.

7. Enter a Time Range Description, such as Monday-Friday 9am-5pm.

8. Click Add Time.


Figure 27. Creating a schedule

9. Note that the repeating time is added to Configured Ranges.

Figure 28. Schedule repeat

10. Save the changes.

3.4. Firewall rule

Firewall rules control what traffic is allowed to enter an interface on the firewall. Once traffic

is passed on the interface it enters, an entry in the state table is created, which allows through

subsequent packets that are part of that connection.

Firewall rules are processed from the top down, and the first match wins. The default on all

interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed.
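The ordering rule above has a practical consequence: a rule placed below a broader one is never reached. The following Python model is an added example, not pfSense code: it evaluates a constructed WAN rule list top-down with default deny and reports rules that an earlier rule fully covers. The Webserver1 address, the blocked source range and the rule list are assumptions for illustration, and the model handles only IPv4, single ports and protocol names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed alias table; the address behind Webserver1 is an assumption.
ALIASES = {"Webserver1": "192.168.2.10/32", "any": "0.0.0.0/0"}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # alias name or CIDR
    dst: str                     # alias name or CIDR
    dport: Optional[int] = None  # None means any destination port
    descr: str = ""


def _net(value):
    """Resolve an alias name or CIDR string to a network object."""
    return ipaddress.ip_network(ALIASES.get(value, value))


def matches(rule, proto, src_ip, dst_ip, dport):
    return (rule.proto in ("any", proto)
            and ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and rule.dport in (None, dport))


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """Top-down, first match wins; no match means the default deny applies."""
    for index, rule in enumerate(rules):
        if matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "block", None


def covers(earlier, later):
    """True if every packet the later rule matches also matches the earlier one."""
    return (earlier.proto in ("any", later.proto)
            and _net(later.src).subnet_of(_net(earlier.src))
            and _net(later.dst).subnet_of(_net(earlier.dst))
            and earlier.dport in (None, later.dport))


def shadowed(rules):
    """Return (rule_index, covering_index, actions_differ) for unreachable rules."""
    findings = []
    for index, later in enumerate(rules):
        for earlier_index in range(index):
            if covers(rules[earlier_index], later):
                conflict = rules[earlier_index].action != later.action
                findings.append((index, earlier_index, conflict))
                break
    return findings


# Constructed WAN rule list: the block rule sits below the broader pass rule.
WAN_RULES = [
    Rule("pass", "tcp", "any", "Webserver1", 80, "Forward HTTP to webserver1"),
    Rule("block", "tcp", "203.0.113.0/24", "Webserver1", 80, "Block one source range"),
]

if __name__ == "__main__":
    print(evaluate(WAN_RULES, "tcp", "203.0.113.7", "192.168.2.10", 80))
    for index, by, conflict in shadowed(WAN_RULES):
        kind = "conflicting" if conflict else "redundant"
        print("rule %d is %s: fully covered by rule %d" % (index, kind, by))
```

Swapping the two rules makes the block rule effective, and the audit then reports nothing.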


3.4.1. Creating a firewall rule

As an example, we will create a firewall rule for the DMZ.

1. Browse to Firewall | Rules.

2. Select the WAN tab.

3. Click the "plus" button to create a new firewall rule.

4. Specify the WAN Interface.

5. Specify the TCP Protocol.

6. Specify any as the Source.

7. Specify any as the Source Port Range.

8. Specify Webserver1 as our Destination.

9. Specify HTTP as our Destination Port Range.

10. Specify a Description.

Figure 29. Firewall rule

11. Save the changes.


Figure 30. DMZ rules

3.4.2. Advanced features

New to pfSense 2.0 is the firewall rule Advanced Features section. Each of the following

features can be specified as criteria for a rule. If an advanced feature is specified, the rule will only be

executed if a match is found. Click the Advanced button to display the following configuration

settings for each feature:

Source OS: This option will attempt to match the operating system of the source traffic.

Diffserv Code Point: Diffserv is a mechanism for providing Quality of Service (QoS) of network

traffic. Systems can prioritize traffic based on their code point values.

Advanced Options: Allows for the specification of advanced IP Options.

TCP Flags: Specific TCP flags may be set here.

State Type: Specify a particular state tracking mechanism.

No XMLRPC Sync: Prevent a rule from syncing with the other CARP members.

Schedule: Specify the schedule for when this rule is valid. Schedules defined in “Firewall |

Schedules” will appear here.

Gateway: Gateways other than the default may be specified here.

In/Out: Specify alternative queues and virtual interfaces.

Ackqueue/Queue: Specify alternative acknowledge queues.

Layer7: Specify an alternative Layer7 container.


4. Advanced Configuration

4.1. Virtual IP

Virtual IPs add knowledge of additional IP addresses to the firewall that are different from the firewall's actual "real" interface addresses. Most often, these are used for NAT, but they can also be used for other functions such as clustering, binding services such as DNS, load balancing in packages, and so on.

4.1.1. Types of virtual IPs

There are four types of Virtual IPs available in pfSense: Proxy ARP, CARP, Other, and IP Alias. Each is useful in different situations:

- CARP

Can be used or forwarded by the firewall ;

Uses Layer 2 traffic ;

Should be used in firewall fail-over or load-balancing scenarios ;

Must be in the same subnet as the interface ;

Will respond to pings if configured properly ;

- Proxy ARP

Can only be forwarded by the firewall ;

Uses Layer 2 traffic ;

Can be in a different subnet than the interface ;

Cannot respond to pings ;

- Other

Can only be forwarded by the firewall ;

Can be in a different subnet than the interface ;

Cannot respond to pings ;

- IP Alias

New to pfSense 2.0 ;

Can be used or forwarded by the firewall ;

Allows extra IP addresses to be added to an interface ;

4.1.2. Creating a virtual IP

1. Browse to Firewall | Virtual IPs.

2. Click the "plus" button to add a new virtual IP address.

3. Choose Other as Type.

4. Select the WAN as the Interface.

5. Specify the IP Address.

6. Add a Description.


Figure 31. Creating a VIP

7. Save the changes.

Figure 32. VIP created

4.2. 1:1 NAT rule

The 1:1 NAT maps one public IP to one private IP. All traffic from that private IP to the

Internet will be mapped to the public IP defined in the 1:1 NAT mapping, overriding your Outbound

NAT configuration.

4.2.1. Configuring a 1:1 NAT rule

This is an example of making our local web server reachable from the public network.

1. Browse to Firewall | NAT.

2. Select the 1:1 tab.

3. Click the "plus" button to add a new 1:1 NAT rule.

4. Select an Interface, in this case WAN.

5. Specify a Source, in this case any.

6. Specify a Destination; we'll specify our internal webserver by alias.

7. Specify the External subnet, our public IP address.

8. Add a Description.

9. Leave NAT reflection disabled.


Figure 33. Configuring 1:1 NAT

10. Save the changes.

4.3. Static route

Static routes are for accessing networks that aren't reachable through the default WAN gateway, but can be reached indirectly through a different interface. A common scenario might be an office building with a shared network for printing. Anyone connected to the business network can use the shared network; they just need to create a static route. We can use pfSense to create this static route for an entire interface, instead of configuring a static route on each individual PC.

4.3.1. Creating a gateway

1. Go to System | Routing.

2. Click the Gateways tab.

3. Click the "plus" button to add a new gateway.

4. Select the Interface for the new gateway.

5. Specify a Name for the gateway (no spaces allowed).

6. Specify the IP address for the gateway, it must be a valid address on the chosen

interface.

7. Add a Description, such as “LAN gateway”.

8. Save the changes.


Figure 34. Creating gateway

4.3.2. Creating a static route

9. Browse to System | Routing.

10. Click the Routes tab.

11. Click the "plus" button to add a new route.

12. Enter the IP Address of the Destination network.

13. Choose the Gateway we've defined above.

14. Add a Description, such as “adding LAN route”.

Figure 35. Creating a static route

15. Save the changes.


Figure 36. Static route created

4.4. SMTP e-mail notifications

PfSense can send an e-mail notification using the information supplied to notify

administrators of significant system events.

4.4.1. Configuring SMTP e-mail notifications

1. Browse to System | Advanced.

2. Click the Notifications tab.

3. Enter the IP Address of the E-Mail server.

4. Enter the SMTP Port of the E-Mail server.

5. Enter the From e-Mail address.

6. Enter the Notification E-Mail address.

7. Enter the Notification E-Mail auth username.

8. Enter the Notification E-Mail auth password.

Figure 37. SMTP notification configuration

9. Save the changes.

10. Apply changes, if necessary.

Once the settings are saved, a test e-mail will be sent automatically.


Figure 38. test e-mail

4.5. Captive portal

A captive portal is a web page that is displayed before a user is allowed to browse the web.

This is most often seen at commercial Wi-Fi hotspots where you must pay for service before you are

allowed to surf the web. In other scenarios, captive portals are used for authentication or end-user

agreements.

4.5.1. Creating a captive portal

During these steps, we will configure pfSense to display an authentication captive portal before users

are allowed to surf the web from our LAN.

1. Browse to Services | Captive Portal.

2. From the Captive portal tab, click Enable captive portal.

3. Choose Interfaces; we'll select our LAN as our interface.

4. Specify an Idle timeout; we'll say 10 minutes.

5. Specify a Hard timeout; we'll leave the default of 30 minutes.

6. Click Enable logout popup window so that users may log themselves out when they

are finished.

7. Specify a Redirection URL, say http://www.google.com.


Figure 39. Captive portal

8. Select Local User Manager as the Authentication:

Figure 40. Selecting local user manager as the authentication

9. Save the changes.

10. Browse to System | User Manager.

11. Click the Users tab.

12. Click the "plus" button to add a new user.

13. Enter a Username.

14. Enter and confirm a Password.

15. Enter a Full name


Figure 41. creating a new user

16. Save the Changes.

Figure 42. user manager

Now let's test it.

Figure 43. Captive portal test


5. Services

5.1. RIP

RIP stands for Routing Information Protocol, a dynamic routing protocol for local and wide

area networks.

5.1.1. Enabling RIP

These steps describe how to enable RIP in pfSense.

1. Browse to Services | RIP.

2. Check Enable RIP.

3. Select an interface (Ctrl + click to select multiple interfaces).

4. Select a RIP Version.

5. Set a Password if using RIP version 2.

Figure 44. Enabling RIP service

6. Save the changes.

5.2. Wake On LAN (WOL)

Wake on LAN can be used to wake up computers from a powered-off state by sending special "Magic Packets". The NIC in the computer that is to be woken up must support WOL and has to be configured properly.

5.2.1. Enabling Wake On LAN (WOL)

1. Browse to Services | Wake on LAN.

2. Select the Interface which contains the device we'd like to wake up.

3. Enter the device's MAC address.

Figure 45. Enabling the WOL

4. Click Send.

Figure 46. Sending the magic packet

5.2.2. Storing MAC addresses

pfSense can store the MAC addresses of any machines that support Wake on LAN.

1. Browse to Services | Wake on LAN.

2. Click the "plus" button to add a WOL Mac Address entry.

3. Select the Interface that contains the device.

4. Specify the device's MAC address.

5. Add a Description.

Figure 47. Storing MAC addresses

6. Save the changes.

Figure 48. MAC addresses Stored

7. Click the MAC address of any of the stored clients to send a magic packet.

5.2.3. Wake All

Instead of waking clients individually, there may be times when we want to wake them all up at once: simply click the Wake All button.

Figure 49. Wake all MAC addresses Stored

6. Maintenance

6.1. Ping

pfSense exposes the ping service that's included on almost all operating systems. This can be handy for administrators since pfSense can ping any machine from any specified interface.

6.1.1. Using ping

These steps describe how to use the ping service in pfSense.

1. Browse to Diagnostics | Ping.

2. Set Host to the IP Address or hostname of the machine we're trying to ping.

3. Choose the Interface to initiate the ping from.

4. Select a Count.

5. Press the Ping button.

Figure 50. Using ping

6.2. Traceroute

Traceroute is a useful tool for testing and verifying routes and multi-WAN functionality, among other uses. It will allow you to view each "hop" along a packet's path as it travels from one end to the other, along with the latency encountered in reaching that intermediate point.

6.2.1. Using traceroute

1. Browse to Diagnostics | Traceroute.

2. Set Host to the IP Address or hostname of the machine we're trying to trace.

3. Choose the Maximum number of hops for the trace to jump.

4. Optionally check Use ICMP.

Figure 51. Using traceroute

5. Click the Traceroute button.

6.3. Backing up the configuration file

Backing up configuration files is an essential part of any administrator's position. pfSense allows an administrator to download the entire pfSense configuration in a single XML file to any local or networked drive.

pfSense configuration files are stored in a plain-text XML format by default, but it also gives you an option to encrypt them.

1. Browse to Diagnostics | Backup/restore.

2. Select the Backup/Restore tab.

3. Set the Backup area to ALL. For a list of all available areas, see the following Backup areas section.

4. Leave Do not backup package information unchecked.

5. Leave Do not backup RRD data checked.

Figure 52. Backing up the configuration file

6. Click Download configuration.

Figure 53. Downloading the configuration file

7. Save the file to a secure location.
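
Because the default export is plain-text XML, every secret configured in the earlier sections (user passwords, the SMTP notification password, the RIP password) travels with the file. The Python check below is an added example, not part of the original report or of pfSense; the element names in the constructed sample and the keyword list are assumptions, not the real config.xml schema. It reports whether a backup is readable XML and which elements carry secrets, listing paths only and never the values.

```python
import xml.etree.ElementTree as ET

# Assumed keywords marking secret-bearing elements; extend for your own config.
SENSITIVE_HINTS = ("password", "passwd", "hash", "secret", "key", "community")

# Constructed sample; element names are illustrative, not the real schema.
SAMPLE = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw</hostname>
    <user>
      <name>portaluser</name>
      <password>constructed-hash-value</password>
    </user>
  </system>
  <snmpd><rocommunity>constructed-community</rocommunity></snmpd>
  <notifications><smtp><password>constructed-smtp-pass</password></smtp></notifications>
</pfsense>"""


def audit_backup(text: str) -> dict:
    """Classify a backup file and list the paths of elements that hold secrets."""
    stripped = text.lstrip()
    if not stripped.startswith("<"):
        # Anything that is not XML markup, such as an encrypted export.
        return {"format": "not-xml", "findings": []}
    try:
        root = ET.fromstring(stripped)
    except ET.ParseError:
        return {"format": "unparseable", "findings": []}

    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        value = (elem.text or "").strip()
        if value and any(hint in elem.tag.lower() for hint in SENSITIVE_HINTS):
            findings.append(here)  # record the path only, never the value
        for child in elem:
            walk(child, here)

    walk(root, "")
    return {"format": "plain-xml", "findings": findings}


if __name__ == "__main__":
    print(audit_backup(SAMPLE))
```

A result of `plain-xml` with a non-empty findings list means the file should be encrypted at export time or stored only where access is restricted.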

6.4. Restoring the configuration file

Restoring configuration files is an essential part of any administrator's position. pfSense configuration files are stored in a plain-text XML format by default, but an encryption option is available.

1. Browse to Diagnostics | Backup/restore.

2. Select the Backup/Restore tab.

3. Set the Restore area to ALL.

Figure 54. Restoring the configuration file

4. Click Restore configuration and pfSense will reboot.

Figure 55. Configuration file restored

6.5. Automatic configuration file backup

Automatic configuration file backup is a good way to save the configuration file automatically on external pfSense servers; only paid support subscribers have access to this feature.

6.5.1. Installing the AutoConfigBackup Package

1. Browse to System | Packages.

2. Click the + next to the AutoConfigBackup package (it will download and install the package).

3. Refresh the menus.

Now we can find AutoConfigBackup under the Diagnostics menu.

6.5.2. Configuring the AutoConfigBackup Package

1. Browse to Diagnostics | AutoConfigBackup.

2. Click the Settings tab.

3. Enter our Subscription Username.

4. Enter our Subscription Password.

5. Confirm Subscription Password.

6. Enter our Encryption Password.

7. Confirm Encryption Password.

Figure 56. Auto configuration backup

8. Save the changes.

Conclusion

In conclusion, we have presented, first, an overview of the Court of Appeal of Taza; second, the theory of pfSense, from its history to its feature list; and third, the necessary installation and configuration, from the basic setup to the service and maintenance configuration.

This project has allowed us to understand the concepts of the pfSense firewall. The example configurations shown are only meant to illustrate how to work with pfSense; each administrator can choose their own strategy for the network, depending on the size, platforms, the equipment ... in the network.

In terms of perspective, I recommend installing some useful packages such as the automatic backup, SquidGuard, and Snort: the first helps with redundancy; the second with URL filtering, and it is free and published under the GNU Public License; and the third is an Intrusion Detection System (IDS) released under the GNU open source license GPL.
