We can start with a short video introduction to PFSense.
It is part of a series located here:
Comprehensive Guide To pfSense 2.3
Mark Furneaux 13 videos 79,773 views
Last updated on Jul 3, 2017
Thank you Logbuilder for providing the links to PFSense.
Comprehensive Guide to pfSense 2.3 Part 1: The What and Why - Mark Furneaux, published on Nov 29, 2015
Comprehensive Guide to pfSense 2.3 Part 2: Hardware - Mark Furneaux, published on Dec 23, 2015
Comprehensive Guide to pfSense 2.3 Part 3: Installation - Mark Furneaux, published on Jan 12, 2016
Comprehensive Guide to pfSense 2.3 Part 4: Networking Crash Course - Mark Furneaux, published on Jan 31, 2016
Comprehensive Guide to pfSense 2.3 Part 5.1: General Configuration and WebUI Tour - Mark Furneaux, published on Feb 21, 2016
Will post an easy peasy DIY here with pictures.
Following is a basic step-by-step with no plugins and the default firewall rules, which work fine.
Note that you can download a USB stick image or an ISO image and write it to a USB stick.
1 - Download PFSense here:
PFSense Download
2 - Extract the compressed file, whether it is an image or an ISO.
3 - Write the .iso or .img file to a USB stick.
4 - Boot from the USB stick.
Note that I will combine images to be able to fit them here. Everything is left at the default except for a couple of choices. One important choice is whether you want to install via a VGA console or a serial console.
Here I have SSH enabled for access to the command line menu. Note that if you make changes to your LAN/WAN settings here you will most likely lock yourself out of your PFSense box's web GUI.
For some more testing I will enable serial access to this menu via a serial port (#2) on my PFSense box. This terminal will be connected to the HomeSeer Pro box running Ubuntu, and I will configure a drop-down menu in the main HomeSeer GUI for terminal access to the PFSense box. This creates a totally headless environment for running PFSense.
New 4 port micro routers also have a serial port. You can install PFSense headless via the serial port connecting a serial cable to a terminal session on a laptop if you want. I am currently utilizing the serial port on my PFSense box for an NTP server documented below.
Note that I have 4 NAS boxes here; 3 are headless and utilize the serial port. One is a 1U four-drive NAS box running Windows Embedded Server headless. This one was installed and configured via a serial port.
The default PFSense configuration needs no tweaks and will function as a firewall by default.
1 - ISP Modem ==> PFSense WAN port ==> PFSense LAN port
Note that I labeled my ports for use (I currently have 6). The WAN port is typically configured for DHCP (very common), unless you are utilizing a static internet IP address. DNS by default is provided by your ISP. Over the years I have disabled the use of the ISP's DNS.
Why?
Read this: DNS spoofing
A few folks on the forum utilize satellite for their internet. I know of two services (there are probably more): HughesNet and Exede.
Relative to the Exede ISP service: they provide a guaranteed download/upload rate by using their servers. That said, you can only utilize their DNS servers (port 53) with their service; they block the use of other common DNS servers (port 53). With this unique DNS methodology you cannot enable two of the PFSense features: DNS Forwarder and DNS Resolver. Note that the default installation of PFSense enables DNS Resolver. YOU MUST DISABLE THIS to utilize PFSense with the Exede satellite service. I am not sure about the configuration of HughesNet.
A thank you to Logbuilder (Robert) for providing / testing PFSense with the Exede satellite provider.
Testing for ISP-only DNS (I guess this can be called DNS spoofing). ISPs today mostly utilize their own DNS servers by default. It is preferred here not to do this.
The following came from the Exede forum post: Has anyone found a way around the Exede DNS hijacking?
Test by using a google DNS server
nslookup upload.facebook.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find upload.facebook.com: NXDOMAIN
nslookup upload.facebook.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
upload.facebook.com canonical name = star.c10r.facebook.com.
Name: star.c10r.facebook.com
Address: 31.13.77.6
I can't query Exede DNS externally - because that's blocked.
# nslookup upload.facebook.com 99.196.99.99
;; connection timed out; no servers could be reached
One fix is OpenDNS on the alternate port number 5353. It should look like this:
forwarders {
    208.67.222.222 port 5353;
    208.67.222.220 port 5353;
}
Now everything resolves for me.
Another option is DNSCrypt. I've successfully used it to get around temporary problems with Exede's DNS resolver. Just keep in mind that using a different DNS resolver also disables the Exede accelerator.
I see the same issues with DNS intercepts on port 53. Great idea to use the OpenDNS servers with alternate ports, of course all Exede has to do is intercept those as well... Additionally you will actually get better performance using a caching server even with using different DNS servers as your server will keep those records on hand providing a response without having to go query the net once they have been looked up the first time.
I use the Open DNS servers and run PFSense with Caching, Squidguard, PFBlockerNG, Snort, and a variety of other tweaks and tools and have noticed a LOT of traffic hitting my system that I wouldn't normally have thought would have been doing so.
Thanks for the tip!
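The nslookup transcript above is a manual version of a simple interception check: if a query addressed to a resolver that cannot possibly exist still comes back answered, something on the path is rewriting port 53. The following script, an added example that is not part of the original post or the Exede thread, automates that check with only the Python standard library. It builds a raw DNS A query, sends one copy to a public resolver (8.8.8.8, as in the transcript) and one to an RFC 5737 documentation address used purely as a sink (203.0.113.1, an assumption of this example), parses whatever comes back, and classifies the result. The `make_a_reply` helper only exists to construct sample reply packets so the parser can be exercised offline.

```python
import random
import socket
import struct

# RFC 5737 documentation address: nothing legitimate answers from it, so any
# DNS reply "from" it must come from a middlebox intercepting port 53.
# (assumption: chosen purely as a sink for this probe)
BOGUS_RESOLVER = "203.0.113.1"
PUBLIC_RESOLVER = "8.8.8.8"      # Google DNS, as used in the nslookup transcript


def build_query(name, qid):
    """Build a minimal DNS A/IN query (recursion desired) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def make_a_reply(query, ip, ttl=60):
    """Construct the reply a resolver would send for `query` with one A record.
    Used only to build constructed sample data for the offline checks."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + rr


def _read_name(data, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > 10:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(data[off:off + length].decode())
        off += length


def parse_response(data, expected_qid):
    """Return (rcode, [A-record IPs]); raise ValueError if this is not a reply
    to our transaction id (a stale or spoofed packet)."""
    if len(data) < 12:
        raise ValueError("short packet")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    off = 12
    for _ in range(qd):                                 # skip the question
        _, off = _read_name(data, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def classify(public_reply, bogus_reply):
    """Interpret the two probes; each is a (rcode, ips) tuple or None on timeout."""
    if bogus_reply is not None:
        return "intercepted: the sink address answered, so port 53 is being hijacked"
    if public_reply is None:
        return "blocked: the public resolver is unreachable on port 53"
    rcode, ips = public_reply
    if rcode == 3:
        return "NXDOMAIN from the public resolver; compare with a second resolver"
    return "clean: public resolver answered " + ", ".join(ips)


def probe(name, server, timeout=2.0):
    """Send one UDP query to `server`; return the parsed reply or None on timeout."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, qid)


if __name__ == "__main__":
    host = "upload.facebook.com"
    print(classify(probe(host, PUBLIC_RESOLVER), probe(host, BOGUS_RESOLVER)))
```

On a clean link the sink probe times out and the public probe answers; on a link like the one in the thread, where port 53 is intercepted, the sink probe comes back with an answer even though nothing is listening there. The transaction-id check in `parse_response` matters because a late or spoofed packet would otherwise be mistaken for a real reply.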
Note that PFSense also serves as a WAN optimizer / accelerator, and with AES-NI it serves as a cryptographic accelerator.
For those wanting to test the use of PFSense inside of your network I would recommend the following settings for PFSense. Note that these settings are only for testing purposes and to get familiar with the PFSense GUI. I recommend this if you have never utilized PFSense before.
I used Smoothwall here for many years and before switching over to PFSense I tested it to get familiar with the GUI and not affect my then current network devices.
1 - Start with the command line menu.
a - Leave the WAN port at the default DHCP. Configure your existing firewall such that the DHCP address handed to the PFSense WAN port is in a DMZ.
b - Configure the LAN port with a small subnet or the same subnet, and shut off DHCP on the LAN port. Note that the IPs of your subnet are your preference.
An example would be the following (I used an online IP subnet calculator here).
Note that for testing purposes you can make the subnet very small. Typically you may only want to access PFSense from one computer.
IP of PFSense box is: 192.168.1.2
Subnet mask here is: 255.255.255.0
Bit mask: /24
Hosts per subnet here is: 254
Host addresses are: 192.168.1.1 - 192.168.1.254
Subnet ID: 192.168.1.0
Broadcast address is: 192.168.1.0
PFSense DHCP on LAN is set to disabled.
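The subnet facts listed above can be computed locally instead of with an online calculator. The following is an added example, not part of the original post, using Python's standard `ipaddress` module. `subnet_facts` reproduces the calculator fields for the PFSense LAN address 192.168.1.2/24 (for a /24 the computed broadcast address is the last address of the block, 192.168.1.255), and `smallest_shared_subnet` finds the tightest prefix that holds the PFSense box and one admin PC as usable hosts, which is the "very small subnet" suggested for testing from a single computer.

```python
import ipaddress


def subnet_facts(cidr):
    """Return what a subnet calculator shows for an interface address in CIDR
    form, e.g. '192.168.1.2/24' for the PFSense LAN address in the post."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    hosts = list(net.hosts())
    return {
        "address": str(iface.ip),
        "netmask": str(net.netmask),
        "bitmask": "/%d" % net.prefixlen,
        "hosts_per_subnet": len(hosts),
        "host_range": "%s - %s" % (hosts[0], hosts[-1]),
        "subnet_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
    }


def smallest_shared_subnet(ip_a, ip_b):
    """Longest prefix whose network holds both addresses as usable hosts
    (neither is the network or broadcast address). This is the 'very small
    subnet' the post suggests for testing from one computer."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    for prefix in range(30, -1, -1):         # /31 and /32 have no usable pair
        net = ipaddress.ip_network("%s/%d" % (a, prefix), strict=False)
        reserved = (net.network_address, net.broadcast_address)
        if b in net and a not in reserved and b not in reserved:
            return str(net)
    raise ValueError("no common subnet with two usable hosts")


if __name__ == "__main__":
    for key, value in subnet_facts("192.168.1.2/24").items():
        print("%-17s %s" % (key + ":", value))
    # PFSense LAN at .2 and a single admin PC at .1 fit in a /30 (two hosts)
    print(smallest_shared_subnet("192.168.1.2", "192.168.1.1"))
```

With PFSense at 192.168.1.2 and the admin PC at 192.168.1.1, the smallest usable block is 192.168.1.0/30 (netmask 255.255.255.252), which leaves no spare host addresses for other devices to land on during the test.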
Typically this has worked OK for me. Now on to NAT reflection (which is enabled by default on some SOHO routers and not on others).
NAT reflection is sometimes referred to as NAT Loopback, NAT hairpinning.
NAT definition (read the rest of the wiki)
Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. The technique was originally used for ease of rerouting traffic in IP networks without readdressing every host. In more advanced NAT implementations featuring IP masquerading, it has become a popular and essential tool in conserving global address space allocations in face of IPv4 address exhaustion by sharing one Internet-routable IP address of a NAT gateway for an entire private network.
NAT loopback
NAT loopback, also known as NAT hairpinning or NAT reflection, is a feature in many consumer routers which permits the access of a service via the public IP address from inside the local network. This eliminates the need for using separate domain name resolution for hosts inside the network than for the public network for a website.
The following describes an example network:
Public address: 203.0.113.1. This is the address of the WAN interface on the router.
Internal address of router: 192.168.1.1
Address of the server: 192.168.1.2
Address of a local computer: 192.168.1.100
If a packet is sent to the public address by a computer at 192.168.1.100, the packet would normally be routed to the default gateway (the router), unless an explicit route is set in the computer's routing tables. A router with the NAT loopback feature detects that 203.0.113.1 is the address of its WAN interface, and treats the packet as if coming from that interface. It determines the destination for that packet, based on DNAT (port forwarding) rules for the destination. If the data were sent to port 80 and a DNAT rule exists for port 80 directed to 192.168.1.2, then the host at that address receives the packet.
If no applicable DNAT rule is available, the router drops the packet. An ICMP Destination Unreachable reply may be sent. If any DNAT rules were present, address translation is still in effect; the router still rewrites the source IP address in the packet. The local computer (192.168.1.100) sends the packet as coming from 192.168.1.100, but the server (192.168.1.2) receives it as coming from 203.0.113.1. When the server replies, the process is identical as for an external sender. Thus, two-way communication is possible between hosts inside the LAN network via the public IP address.
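The packet walk in the quoted text can be followed step by step in a small simulation. The following is an added example, not from the original post, Wikipedia or pfSense, that models only the translation decisions described above: a packet aimed at the WAN address is matched against the port-forward (DNAT) rules; with no rule it is dropped; an external sender gets plain DNAT; a LAN sender gets DNAT plus source rewriting to the WAN address when reflection is on, and is not hairpinned when it is off. A tiny state table lets the server's reply be untranslated back to the LAN client. The addresses are the ones from the quoted example; port remapping on source-port collisions, which real NAT performs, is left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Router:
    """Minimal model of a NAT router with optional NAT reflection (loopback)."""

    def __init__(self, wan_ip, lan_cidr, dnat_rules, nat_reflection=False):
        self.wan_ip = wan_ip
        self.lan = ipaddress.ip_network(lan_cidr)
        self.dnat_rules = dnat_rules      # {public_port: (internal_ip, internal_port)}
        self.nat_reflection = nat_reflection
        self.state = {}                   # translated flow -> original packet

    def forward(self, pkt):
        """Inbound direction: return the packet as the LAN server receives it,
        or None if the router drops it."""
        if pkt.dst_ip != self.wan_ip:
            return pkt                    # ordinary routing, no NAT involved
        rule = self.dnat_rules.get(pkt.dst_port)
        if rule is None:
            return None                   # no port forward: dropped (ICMP unreachable may follow)
        internal_ip, internal_port = rule
        if ipaddress.ip_address(pkt.src_ip) in self.lan:
            if not self.nat_reflection:
                return None               # no hairpin; pfSense ships with reflection disabled
            # Reflection: DNAT to the server AND rewrite the source to the WAN
            # address, so the server sees the client as 203.0.113.1.
            out = Packet(self.wan_ip, pkt.src_port, internal_ip, internal_port)
        else:
            out = Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)
        self.state[(out.dst_ip, out.dst_port, out.src_ip, out.src_port)] = pkt
        return out

    def reply(self, pkt):
        """Return direction: the server's reply, untranslated so the original
        sender sees it coming from the public address; None if no flow matches."""
        orig = self.state.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return None
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)


if __name__ == "__main__":
    # Addresses from the quoted example: WAN 203.0.113.1, server 192.168.1.2,
    # local computer 192.168.1.100, port 80 forwarded to the server.
    router = Router("203.0.113.1", "192.168.1.0/24",
                    {80: ("192.168.1.2", 80)}, nat_reflection=True)
    request = Packet("192.168.1.100", 40000, "203.0.113.1", 80)
    at_server = router.forward(request)
    print("server receives:", at_server)          # source appears as 203.0.113.1
    answer = Packet("192.168.1.2", 80, "203.0.113.1", 40000)
    print("client receives:", router.reply(answer))  # source appears as 203.0.113.1:80
    print("port 443 (no rule):", router.forward(Packet("192.168.1.100", 40001, "203.0.113.1", 443)))
```

The model also shows why the quoted text says the server sees the connection as coming from 203.0.113.1: without that source rewrite the server would answer 192.168.1.100 directly on the LAN, the reply would bypass the router, and the client would see an answer from an address it never contacted.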
PFSense NAT loopback is disabled by default.
You have the option of turning it on or off in PFSense.
Go to PFSense / System / Advanced / Firewall and NAT to enable it.
The setting is towards the bottom of the page and is disabled by default; just enable it there.