1- Installation of Pfsense on HyperV
Also watch this video "In Arabic" for initial setup of Pfsense
First assign the resources to the Virtual Machine
1- 512 MB ram.
2- At least 2 “Legacy Networks” not adapters. And make sure you have their MAC registered coz you will need it later.
3- Setup 30 GBs size for the HD to avoid any HDD formatting issues.
With Microsoft's VHDs if you create a drive with a size over about 31gb it sets the geometry to 255 sectors per track, fdisk does not like this at all!
Making a drive below 30gb will set the disk geometry to a happy 63 sectors per track which fdisk is fine with.
Then follow this
4- When the VM starts, click inside the window and then in the welcome screen type in 1 in order to boot pfSense:
5- pfSense will take a few seconds to load the drivers and initialize the devices, after which it gives you the option to launch the installer. You’ve got nine seconds for that. Press i:
6- In the following window you can customize keymap and font settings or simply choose Accept these settings (the default ones should do for most users):
7- In the next window choose Quick Install. It will warn you that the installer will not ask any questions and that it will erase the entire HDD. Of course, it is the virtual HDD, so don’t worry. Then enter OK.
8- Wait for the installer to finish copying files. Then it will ask you to choose the kernel. Go with the uniprocessor kernel:
It should install successfully and then ask you for a reboot. Proceed accordingly. DON’T FORGET TO REMOVE THE ISO IMAGE FROM THE VIRTUAL CD! Done! Time to configure pfSense’s LAN and WAN interfaces.
1- Now you should setup the Virtual and assign the names “DE0, DE1, DE2” for the correspondent NIC Cards according to the MAC address you have written down earlier.
Once you’re done, you will need to assign the IPs manually by pressing 2 from the command menu.
When you’re finished you will have to do the following in order to bring the NICs UP in order to connect to the web communicator.
To enable the NICs
1. Connect to your pfSense virtual machine, for example via the Hyper-V Manager and connecting to your instance
2. In the pfSense menu choose option 8: Shell
3. Execute ifconfig to show your network interfaces
4. Execute ifconfig <interface name, eg de0> down
5. Execute ifconfig <interface name, eg de0> up
6. In case of using DHCP on the interface, execute dhclient <interface name, eg de0>, when using a static ip, skip this step.
7. Execute ping <ip> to test connectivity
8. Execute exit when done to return to the pfSense menu
for more installation instructions
- Creating Firewall rules.
Creating firewall rules shouldn’t be that difficult after configuring DNS and Default gateway in order to get internet access too.
For HTTP rule. Goto Firewall
Create the rule for the port you wish you have
Then after creating the rules. You have to enable the captive portal.
And add the ip address of the server client to the list of allowed access clients.
To add certificates, You should add the CA of the 3rd party certificate and generate a request from the pfsense firewall it self in order to add these ceritificates to it.
How to configure pfSense
The "webConfigurator" - pfSense basic setup part 2
1. Connect to you newly installed pfSense firewall via the LAN interface IP Address. Type the IP Address of the LAN interface in your browser and you should be presented with a “Security Issue/Warning” for the server's certificate.
This is a warning that your browser gives you when it receives a security certificate that the browser can not validated against a Certificate Authority. It's the browser way or warning the end user that the site may be untrustworthy. During the installation of pfSense, a security certificate was created by the system which is known as a self-signed certificate in order to have a security certificate available to encrypt your connection between your web browser and the pfSense firewall. Accept the security certificate and continue to the site.
2- You now should have the pfSense webConfigurator login screen. Your first time logging into your pfSense firewall, the default username is “admin” with a password of “pfsense”.
Login to you pfSense firewall.
3- After successfully login to your pfSense firewall, You will see the Status of your firewall (Dashboard) which provides a summary of your system information along with the status of your interfaces installed and other bits, you can configure the dashboard and add more plugins to check the status of different services e.g. (Snort, DHCP Server, DNS..etc) .
4- Now we'll start configuring our firewall. Click on System on top left and when the menu scroll click on Setup Wizard. then you will get a screen telling you that the wizard will take you through initial config of pfsense. so click next
5-On the next screen as it says on Pfsense, you will get the screen to set the general parameters such as hostname, domain, dns.
In host name you will place any name for your Pfsense e.g. (Firewall or Pf) and supposedly that you know what's your domain name, and you already have a DNS setup in place you will just place those values where they belong then click next.
6- next you will Configure the “Time Server Information”.
Time server hostname:
Change the time zone to match your location.
7- Next We will configure our WAN Interface. This configuration usually varies depending on your environment and how are you connected to your ISP (Static IP through MetroEthernet ADSL, VHDSL, GHDSL or Dynamic IP address).
I will configure the WAN according to my environment, if you look closely on the snapshot below you will notice there are various settings which you can set however, the only ones that you need is your Public static IP address and the gateway.
Note that you will have to calculate the subnet mask to choose which mask bits is yours, if you're not familiar with sub-netting e.g. (255.255.255.192 = 26) then go to Subnet Calc.
place your gateway and you're done.
8- Next screen we'll set the LAN IP address for the Pfsense Firewall, by default the IP address 192.168.1.1 or what you have set earlier during the initial installation.
9- Next you will get the "Set Admin WebGUI Password" screen. Enter a new pfSense “admin” user password. It's always recommended that you use a complicated password which you can also remember as well. also it's better if you mix it with numbers, big and small letters and symbols so it's not easy to hack or figure.
10- Reload the pfSense page (F5) – After configuring the new password, pfSense will require you to login again with your new password.
11- Next you will see a screen telling you that Wizard setup is completed “Wizard Completed”, which means that the basic setup of the firewall is completed and now your clients will be able to access Internet, most likely will be allowed to browse only since the initial configuration of the firewall enables outbound access to port 80/443.
so depending on your needs you will have to enable outbound access for Internal clients to all destinations with specific ports or specific destination with all ports or specific ports..e.g. (Teamviewer)
12. Now that we have successfully configured the basic setting in pfSense we will make a couple more changes to personalize your pfSense installation. First lets start by changing the existing certificate which is self signed certificate.
From the pfSense menu, select System | Cert Manager to access pfSense System Certificate Authority Manager application.
13- Configure pfSense as a trusted Certificate Authority – Ensure the “CA” tab is selected and click on the “+” to create the CA.
Fill in all the required details and in method make sure that you choose "Create an internal Certificate Authority".
Then click Save.
Now since your Pfsense became the CA, you can create clients certificates which can be trusted by it for different uses e.g. (VPN, Squid..etc).
14- Next we will configure an Internal Certificate for Pfsense web interface. Click on the “Certificates Tab” and then select “Create an internal Certificate” from Method drop down box. Many of the fields will automatically filled-in from what was entered in the CA tab. Just complete the following fields below:
Enter a name to describe the security certificate you are creating.
From the drop down menu, select “Server Certificate”
Enter the name of your firewall and domain i.e. firewall.mynetwork.com. If you or your client have a domain that will point to the firewall such as a static or dynamic DNS name, you can type that domain name here.
Press the "Save" button to save changes.
15- Next we will change pfSense to use the new security certificate we created for the webConfigurator. From the “System” menu, select “Advanced”
On the “Admin Access” tab, find the following setting:
Ensure “HTTPS” is selected
In the drop down menu, change the SSL certificate to the internal certificate made n the previous steps.
Change port to 445. Port is changed from the standard 443 to 445 to free up port 443 for future use.Hint: VPN connections on port 443 is ensure to be allowed out from any were you may be when on the road if you later decide to configure remote VPN access.
Secure Shell Server:
Enable Secure Shell. This allow for remote console access to your firewall.
Press the "Save" button to save changes.
16- When changes are saved in the System: Advance - Admin tab, pfSense will reissue the security certificate causing your browser to display the Security Certificate Warning again. You should accept the certificate and ignore the warning.
You may also notice that pfSense now has an alert displayed in the upper right hand corner of your screen. The alert is to notify you that pfSense has created the keys required for your SSH communication. This is the result of enabling the Secure Shell Server option on the System: Advance - Admin tab. Click the alert to acknowledge the change and the alert should disappear.
17- Now you have successfully configured your Pfsense machine and you can further allow or configure access or publish services through firewall tab/Rules or using NAT from Firewall tab menu NAT.
For more articles, please visit this blog often as I will be updating articles every now and then.
2-Configuration of Lync edge on Pfsense
In this scenario Lync Edge is configured with 2 NICs (One Internal facing Lync FE) and one (External) DMZ facing the Firewall.
The Lync topology
is configured with 3 DMZ IP addresses, each IP is responsible for one role (AV, Webconf, and Access Edge).
1- But for external access we should have Public IP address configured on our Public DNS in order to get access to our Published Lync edge server. So we must have at least 3 Public IP address configured on the Pfsense firewall with 1:1 NAT rules to map to the DMZ IP addresses.
Figure 1:1 below illustrates the first step we’ll have to take in order to configure our Pfsense firewall to allow External traffic to be passed into the EDGE with it’s specific requested IP.
2- Now after we added our external IP addresses as Virtual IPs, we must allow the Lync Edge server to pass traffic from and to the firewall.
So we will add all the 2 NICs of both IP addresses to the list in order for this to work. Figure 1:2 shows us the list of IP addresses that we have to add into the allow list in Captive Portal plugin in Pfsense Firewall.
We also should not forget to sit the gateway of Edge server to Pfsense’s Public IP address.
3- Next we’ll add 1:1 NAT rules to enable each External IP to map to the DMZ IP assigned to it on
our Lync Topology as appears on figure 1:3.
4- In the DMZ tab in Firewall we’ll add an exception From the DMZ IPs to Any destination. To allow edge's second NIC as in figure 1:4
5- It’s time to create the rules for each IP address which corresponds to the services assigned with it. E.g. (AV, SIP, Webconf) we’ll create 6 rules as following and as illustrated in figure 1:5.
A- Rule 1: will Enable protocol HTTPS to pass from the SIP FQDN’s External IP to the DMZ IP.
B- Rule 2: will Enable port 5061 to pass from External IP to the DMZ IP.
C- Rule 3: will enable Protocol HTTPS from Webconf’s External IP to it’s DMZ.
D- Rule 4: will enable Protocol HTTPS from AV’s External IP to it’s DMZ.
E- Rule 5: will enable Protocol STUN port (3478) from AV’s External IP to it’s DMZ.
F- Rule 5: Finally now we’ll enable the RTP Range for Media Path from External IP to it’s DMZ (Between 50000-59999).
Now after creating all these rules, this should work and you will be able to Sign in without any problem. In case you had problem signing in make sure you visit this website for troubleshooting.
3- Installing Squid3 for reverse proxy (HTTP only)
In case you have more than one Public IP, You will use your WAN IP for the Reverse proxy.
1- First goto System on top left select – Packages and then navigate in to available packages and download “Squid 3”.
2- When installation is finished make sure you can see Reverse proxy in Services menu.
Now starting with the basic configuration, let’s start publishing 2 local websites and one of them is going to be the PFsense website on the internet via a different Port rather than 80.
I will only cover the http so we don’t need to enable HTTPS, but later on I’ll cover it in another topic.
Now we’ll move to the next tab “webservers” in order to start importing our web servers information e.g. (IP, Hostname, Port..etc).
As you can see, there are two webservers each of them is listening on a different port and we’ll use hostnames in order to reach each on a separate port but on the same IP “external hostname”.
The webserver settings are easy to enter but I’ll still post a snapshot so newbies don’t get confused when something doesn’t go well.
Now since we are done with importing our webservers details we should move to the mapping in order to get them accessible externally.
In the peers as you can notice, I have selected the peer which represents the webserver I wanted to host on this URI (php.domain.com).
The second one shouldn’t be different as well. We’ll just have to selected related peer and change the URI.
Now, we’ll have to create a firewall rule to enable (TCP) traffic from Any “Source” to WAN address “Destination on HTTP protocol, we’ll go to Firewall tab on top and choose Rules.
Now my both webservers are accessible
Note: if you have problem with publishing your webservers, configure your Pfsense with local DNS and add the webservers host names to the DNS in order for Pfsense to resolve them on the local network.
4- Enabling IPSEC VPN for Mobile users (iOS) on Pfsense
1- First we go to User Manage which located under System tab.
- Create a user with a password only.
- Go to Groups and create a group, give it a name and assign required privileges to it ( I assigned all of them in this scenario).
- Go back to the user you created and add it to the group you just created it.
2- Go to VPN – IPSEC: Enable IPSec.
3- Next Go To Mobile clients page:
Enable IPsec Mobile Client Support
Configure this page as you see below, you can configure any subnet other than 172.16.254.0 for the Virtual Address Pool but it shouldn’t be the same as your local network.
for DNS default domain you need to configure your local DNS and if you'd like to configure any public DNSes as well then enable provide a DNS server .. most likely that would be public DNS like google DNS 188.8.131.52.
Make sure you tick the Phase2 PFS Group and point it to the group where you have enabled the user in the user manager and added the relevant Effective Privileges.
Once you Enable IPSec Mobile client support, it will offer to create Phase 1. click Create.
4- Now configure Phase1 according to the SnapShot below, Make sure you create your own distinguished name and Pre-shared Key.
Click save, and now we are finished with Phase 1, let's create phase 2.
Now click on the + below Remote gateway where it says (Show 1) and click the plus that will appear when you scroll it down.
Phase 2 :
Configure it according to the snapshot below:
Now go to Firewall/Rules/ IPSEC and create the following rule.
Save the rule and try to connect.
If you have Captive Portal, You should add/enable the virtual subnet to connect by adding it to the allowed IP Addresses:
Hope this helps
5- Suppressing in Snort
What is Suppressing in Snort? And how to use it (Basic Tutorial)
Suppression allows an administrator to control how many alerts are generated from (or to) a given host or for a particular signature.
What does it do exactly?
Suppression prevents rules from firing on a specific network segment without removing the rules from the ruleset. By using suppression, ruleset can be quickly turned for a specific environment without disabling rules that maybe useful in general.
How it works?
Assuming that you want to download an executable file/content from any website. If you have ticked all the rules in snort for your wan connection, Snort will alert this and block it in case you have the block option enabled as well. You will get something similar to this alert in the alert tab.
And in Block tab, You will get something like this :
This is a website that I visited “cyberduck.ch” to download a FTP application but snort alerted and blocked the download host IP which is “c315635.r35.cf1.rackcdn.com”
Now By adding a suppression line to snort suppression tab, the rule sid:16313 which happens to be a “download of executable content with x head”, will not fire again in the alerts tab after I add the following line to the suppression list.
The first line with the hash in the beginning is just a title for the rule to remind you later what it exactly does.
The gen_id 1 and sig_id will usually appear in the alert tab so in case you got some rules blocking websites which you visited and don’t want them to get blocked you can filter the alert tab and search for your rule, get the gen_id and sig_id and create the suppression line for it.
Note: adding new suppression lines won’t take effect unless you restart the interface which snort is monitoring.