Hacom pfsense Deployment Guide

Transcription

1 Hacom pfsense Deployment Guide Bao Ha Copyright 2008 Hacom Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. 9 November 2008 Table of Contents Hacom pfsense Deployment Guide...1 Introduction...2 Three-Zone Firewall: Setup a DMZ...4 Four-Zone Firewall: Wireless Configuration...13 Four-Zone Firewall: Non-Bridged Wireless Network...22 Captive Portal...24 Virtual Private Network: Site-toSite IPSec...35 Appendix A. Templates

2 Introduction PfSense is a complete, embedded firewall software package that provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software). It is based on FreeBSD. The software is available at the URL, Hacom implements pfsense on our hardware to take advantages of their features, as well as, to provide complete packaged supports for commercial customers: small, medium and enterprises, who desire a one-stop shop. This document is the continuation of the Hacom pfsense Quick-Start Guide. It documents common deployments of pfsense firewalls. Documentation Since pfsense is similar to M0n0wall, the documentation of the M0n0wall systems can be perused at the following URL, The M0n0 Users Manual ( Mn0wall Quick Start Guide ( pfsense FAQ ( pfsense tutorial ( Hacom pfsense Quick-Start Guide ( Hacom's pfsense Hacom offers three groups of commercially packaged pfsense systems with choices of support services: Phoenix, Mercury and Mars. The following comparison table can be used to select appropriate equipments depending on a network environment. Performance* Phoenix Mercury Mars Throughput 90Mbps 200Mbps 400Mbps Concurrent Connections 80, , , ,000 3DES IPSec Throughput 8-10Mbps 20Mbps 25-40Mbps AES IPSec Throughput 10-40Mbps 80Mbps 40-60Mbps Suggested Users Performance depends on network environment and configuration of the firewall. 2

3 Hardware Specification Systemboard CPU Memory Phoenix Mercury ES466B CV700A 333Mhz AMD Geode GX 500Mhz VIA C7 CV700A CV763A 1Ghz VIA C7 256MB 512MB Mars CI852A 1Ghz 1.6Ghz Celeron-M Celeron-M 512MB 1GB Storage 1GB CF (Compact Flash) or 1 GB DOM (Disk-On-Module)** Ethernet 3x10M/100M 3x10M/10 4x10M/10 0M/1G 0M/1G 4x10M/100M/1G ** Disk-on-Module is more durable than compact flash due to its built-in wear leveling function. Templates Templates are just simple forms filled in with enough information to guide the configuration of pfsense firewall in specific use case. For each of the deployments discussed in this guide, we will put the templates at the end of the use case to illustrate how to fill-in the forms. These templates are more for Hacom's support to evaluate how much information is required to configure the router for a specific application. Blank forms are put into the appendixes. 3

4 Three-Zone Firewall: Setup a DMZ DMZ stands for De-Militarized Zone. It is an area of a local internal network that contains Internet servers. It is isolated from LAN to prevent accidental access to the internal network spill-over through Internet accessible servers. Following is a diagram of a 3-zone firewall: WAN, LAN and OPT1. WAN is the Internet, the outside world. LAN is the local internal network protected by the firewall. And OPT1 is the DMZ. Following are the assumptions for the DMZ setup: 1. The Firewall has a WAN IP of It also has an extra external IP of to be used for the web server: 2. The LAN subnet is / The OPT1 (DMZ) subnet is / The web server's DMZ IP is The goal is to forward any Internet traffic to the web server's public IP of to the server in the DMZ. The procedure is as follows: 1. Create an OPT1 interface if it does not exist. 2. Configure the OPT1 interface. 3. Add the virtual IP to the pfsense firewall. 4

5 4. Configure 1:1 NAT. 5. Setup the firewall rule to allow access from DMZ to WAN, but not from DMZ to LAN. 6. Setup the firewall rule During the initial setup, we may have only setup a 2-zone firewall with only 2 assigned network interfaces. We need to add the third interface using the web administration tools. 1. Go to s Assign. 2. Click on the plus + sign on the right hand side to create a new interface OPT1. Click on Save! 5

6 Now, we need to set up the OPT1 interface. OPT1 is the interface for the DMZ zone. It subnet would be /24, which contains the private IP of the web server For the OPT1 interface, we will: 1. Enable the OPT1 interface. 2. Set it to be static. 3. Set the IP = /24 4. Save it! 6

7 The next step is to add a virtual IP. Go to Firewall Virtual Ips. 1. Click on the plus + sign on the right hand side to create a new interface OPT1. 2. Click on Save! 3. Click on Apply Changes! Now, we are ready to configure the 1:1 NAT. 1. Go to Firewall NAT. 2. Click on the plus + sign on the right hand side to create a new 1:1 NAT rule. 7

8 3. Set the to be WAN. 4. Set the external IP to be Set the internal subnet to be Click on Save! 7. Click on Apply Changes Now, we are ready to set up the firewall rule on the DMZ interface denying all traffic to the LAN while still permitting all traffic to the WAN. 1. Click Firewall -> Rules. 2. Click on the plus + sign on the right hand side to create a new firewall rule. 3. Set action to be REJECT 4. Set the interface to be OPT1 8

9 5. Set source to be ANY 6. Set the destination as LAN subnet 7. Click on Save. 8. Click on Apply Changes 9. Next, we set up the firewall rule on the DMZ interface to allow DMZ traffic to go anywhere except LAN. Click Firewall -> Rules. 9

10 10. Click on the plus + sign on the bottom right hand side to create a new firewall rule. 11. Set action to be ACCEPT 12. Set source to be ANY 13. Set the destination as NOT LAN subnet 14. Click on Save. 15. Click on Apply Changes If we want certain services from LAN, firewall rules have to be setup to allows these to be accessed 10

11 from the DMZ. Following is the minimum firewall rules for the DMZ (OPT1) zone. 11

12 Three-Zone Firewall Template Hacom pfsense Three-Zone Firewall Setup Template s Static IP Comment WAN /24 LAN OPT1 (DMZ) /24 Virtual Ips (Firewall Virtual IPs) Virtual IP Address /32 Type Other WAN Description Firewall NAT 1:1 WAN External subnet Internal subnet Description /32 Firewall Rules Action Protocol Source /Port Destination /Port Reject OPT1 Any Any LAN net Pass OPT1 Any OPT1 net!lan net 12 Gateway Description Reject SMZ traffic to LAN Permit DMZ to any but LAN

13 Four-Zone Firewall: Wireless Configuration There are three ways to add a wireless network to our networking environment, assuming that the system has the optional wireless adapter. 1. Bridged Wireless Network.. In this configuration, although we still have four zones: WAN, LAN, OPT1 and OPT2, the wireless interface OPT2 is bridged with LAN. The two zones LAN and OPT1 are in effect combined into one zone: LAN for all practical purposes. 2. Four-zone firewall. In this configuration, the wireless network is just another local network as the local nework in the LAN zone. 3. Captive portal. This is similar to the above 4-zone networking environment. It forces users to be authenticated before they can access the wireless network. The DMZ or OPT1 zone can be ignored at this point. In fact, if we don't have a DMZ, the wireless interface becomes OPT1, instead of OPT2. And all configurations are the same. Following is a diagram of a 4-zone firewall: WAN, LAN, OPT1 and OPT2. WAN is the Internet, the outside world. LAN is the local internal network protected by the firewall. OPT1 is the DMZ. And OPT2 is our wireless zone. 13

14 If it has not been done, We need to add the wireless network interface, OPT2 in this case, using the web administration tools. 1. Go to s Assign. 2. Click on the plus + sign on the right hand side to create a new interface OPT2. 3. Choose the ath0 network port. 4. Click on Save! 14

15 Note: Hacom supplies the Atheros-based network adapter with some of the systems. It is detected be FreeBSD as ath0 interface. Some other wireless network adapters may be detected differently. Bridged Wireless Network In this configuration, all of the OPT2 zone wireless users are considered as on the same network as LAN wired network users. This configuration has an advantage; allowing all users in OPT2 and LAN to share peripherals, like networked printers, shared drives,... To configure a wireless network: 1. Go to s OPT2 2. Enable the optional 2 interface; OPT2 3. On the IP Configuration, set it to bridge with LAN 15

16 4. Set the wireless configuration standard to be g 5. Set the mode to be Access Point 6. Set the SSID to be pfsense or your choice of network name 7. Enable WEP authentication. There are other authentication methods besides WEP; i.e. WPA or 16

17 802.11x. Depending on the number of users and security-level, they may be a better choice than WEP. 8. Set the 13-character WEP key 9. Set Open Authentication 10. Click on Save! 17

18 11. Add a firewall rule for OPT2 similar to the LAN zone. 12. Click on Save! 13. Click on Apply Changes! 18

19 19

20 Four-Zone Firewall Template (Bridged Wireless) Hacom pfsense Four-Zone Firewall Setup Template s Static IP Comment WAN /24 LAN OPT1 (DMZ) /24 OPT2 (Wireless) Bridged with LAN! Referred to Wireless template for setup info. Virtual Ips (Firewall Virtual IPs) Virtual IP Address /32 Type Other WAN Description Firewall NAT 1:1 WAN External subnet Internal subnet Description /32 Firewall Rules Action Protocol Source /Port Destination /Port Reject OPT1 Any Any LAN net Pass OPT1 Any OPT1 net!lan net Permit DMZ to any but LAN Pass OPT2 Any OPT2 net Permit OPT2 to any Any 20 Gateway Description Reject SMZ traffic to LAN

21 Wireless Template Hacom pfsense Wireless Template OPT2 Standard g Mode g OFDM Protection Mode SSID Enable WEP Key 1 Access Point Protection mode off pfsense Yes abc Key 2 Key 3 Key 4 Enable WPA WPA Pre Shared Key (PSK) WPA Mode Authentication Open System Authentication WPA Pairwise Key Rotation Master Key Regeneration Strict Key Regeneration Enable IEEE802.1X Hostname (DHCP client configuration) 21

22 Four-Zone Firewall: Non-Bridged Wireless Network Setting up a non-bridged wireless network is fairly easy. Just follow the same above procedure except for the first three steps. 1. Go to s OPT2. Enable the optional 2 interface: OPT2, if it not! 2. On the IP Configuration, set it to bridge to NONE. And set the IP address to a separate subnet from LAN. For example, we set it to be /24. 22

23 Four-Zone Firewall Template (Non-Bridged Wireless) Hacom pfsense Four-Zone Firewall Setup Template s Static IP Comment WAN /24 LAN OPT1 (DMZ) /24 OPT2 (Wireless) /24 Referred to Wireless template for setup info. Virtual Ips (Firewall Virtual IPs) Virtual IP Address /32 Type Other WAN Description Firewall NAT 1:1 WAN External subnet Internal subnet Description /32 Firewall Rules Action Protocol Source /Port Destination /Port Reject OPT1 Any Any LAN net Pass OPT1 Any OPT1 net!lan net Permit DMZ to any but LAN Pass OPT2 Any OPT2 net Permit OPT2 to any Any 23 Gateway Description Reject SMZ traffic to LAN

24 Captive Portal Captive portal uses a web page to authenticate users before granting their accesses to the Internet. It is commonly used in a wireless environment, also called hotspot management. But, the technique is applicable to wired network environment. Following are the assumptions for the Captive Portal setup: 1. The Firewall has a WAN IP of The OPT1 (DMZ) subnet is / The LAN subnet is / The captive portal is on the OPT2 zone. It has its own subnet: /24. The goal is to authenticate all wireless users before allowing them to access to the Internet as well as local LAN resources. The procedure is as follows: 24

25 1. Create an OPT2 interface and configure it if it does not exist. 2. Configure the DHCP server. 3. Configure the Captive Portal. 4. Setup the firewall rule for OPT2, if there is none! Wireless Non-Bridged Network Configuration of the non-bridged wireless network is similar the previous section: Four-Zone Firewall: Wireless Network. Note: Make sure to disable all wireless authentication: NO Wep/WPA/802.11x! 25

26 Setting up the DHCP Server The DHCP server is used to hand out the IP addresses for the computers connecting to the Captive Portal. Use the following procedure if the DHCP server has not been set up. 1. Go to Services DHCP server 2. Enable the DHCP server on the OPT2 interface 3. Set the IP range to be from to Click on Save! 26

27 Captive Portal Setting 1. Go to Services Captive portal 2. Enable the Captive Portal 3. Set the to OPT2 4. Set idle timeout to 10 minutes, hard timeout to 120 minutes. 5. Set authentication to Local user manager. It is recommended to use a Radius server for authentication. Scroll down to see the option. 6. Don't forget to upload the Portal page contents and the Authentication error page contents. Scroll further down to see the option. 7. Go to Services Captive portal Allowed IP addresses to allow the following Ips: : Hacom.net logo! This is an example of displaying images from an outside Internet server : Our web server in the DMZ zone. 27

28 8. Click on the plus + sign on the right hand side to create a new allowed IP address. 9. Click on Save! 10. Click on Apply Changes! 28

29 11. Go to Services Captive portal Users to add authorized users: 12. Click on Save! 13. Click on Apply Changes! 29

30 Captive Portal Templates The setup of a captive portal is similar to the four-zone non-bridge wireless configuration. We will need the following three templates with filled-in information: 1. DHCP server service 2. Wireless configuration ( No authentication) 3. Four-zone firewall 4. Captive portal Hacom pfsense DHCP Services Template DHCP Relay Services DHCP Relay Enable DHCP Append circuit ID and agent ID to requests Destination server DHCP Server Services DHCP server OPT2 Deny unknown clients Range (from-to) WINS servers DNS servers Gateway Default lease time Maximum lease time Failover peer IP Static ARP Dynamic DNS NTP servers Enable Networkk booting

31 Hacom pfsense Wireless Template OPT2 Standard g Mode g OFDM Protection Mode SSID Access Point Protection mode off pfsense Enable WEP Key 1 Key 2 Key 3 Key 4 Enable WPA WPA Pre Shared Key (PSK) WPA Mode Authentication Open System Authentication WPA Pairwise Key Rotation Master Key Regeneration Strict Key Regeneration Enable IEEE802.1X Hostname (DHCP client configuration) 31

32 Hacom pfsense Four-Zone Firewall Setup Template s Static IP Comment WAN /24 LAN OPT1 (DMZ) /24 OPT2 (Wireless) /24 Referred to Wireless template for setup info. Virtual Ips (Firewall Virtual IPs) Virtual IP Address /32 Type Other WAN Description Firewall NAT 1:1 WAN External subnet Internal subnet Description /32 Firewall Rules Action Protocol Source /Port Destination /Port Reject OPT1 Any Any LAN net Pass OPT1 Any OPT1 net!lan net Permit DMZ to any but LAN Pass OPT2 Any OPT2 net Permit OPT2 to any Any 32 Gateway Description Reject SMZ traffic to LAN

33 Hacom pfsense Captive Portal Services Captive portal Captive portal Enable Captive Portal Yes OPT2 Maximum concurrent connections Idle timeout 10 Hard timeout 120 Logout popup window Redirection URL Concurrent user logins MAC filtering Authentication No authentication Local user manager RADIUS authentication Yes Radius Server Accounting Accounting updates Radius MAC authentication IP address send RADIUS accounting packets Port Shared Secret Accounting port no accounting updates Reauthenticate users/minute stop/start accounting Shared secret RADIUS options (Type) HTTPS login HTTPS server name HTTPS certificate HTTPS private key Portal page contents Authentication error page 33 interim update

34 Hacom pfsense Captive Portal's Allowed IP Address Services Captive portal allowed IP address Direction To IP address Description Hacom pfsense Captive Portal's Allowed IP Address Services Captive portal allowed IP address Direction To IP address Description Hacom.net logo Hacom pfsense Captive Portal's User Management Services Captive portal Users Username baoha Password ***** Full Name Expiration Date 34

35 Virtual Private Network: Site-toSite IPSec Internet Security Protocol (IPSec) is a used to established a secured communication between one site to another remote site through the Internet. In this deployment case, we will be establishing an IPSec link between two pfsense firewalls. Following are the assumptions for the site-to-site IPSec setup: 1. The pfsense firewall has a WAN IP of It has a local network with a subnet of / The other pfsense firewall has a WAN IP of It has a local network with a subnet of / Following are the IPSec link specifications: Pre-shared key: BaoHa. It is recommended to use a certificate. Using a simple preshared key simplifying the setup so we can evaluate the IPSec functionality. Encryption algorithm: aes265 Hash algorithm: sha1 The goal is to establish an IPSec virtual private network (VPN); linking two remote networks of /24 and /24 together through the Internet. The procedure is as follows: 1. Setup IPSec tunnels on both pfsense firewalls. 2. Setup the Firewall rules on both pfsense firewalls. 3. Check the IPSec status.. Setup IPSec tunnels on pfsense Following is the procedure to set up IPSec on the pfsense firewall with a local LAN address of of / Go to VPN IPSec 2. Put a check mark on Enable IPSEC. Click on the Save button! 35

36 3. Click on the plus + sign on the bottom right hand side to create a new IPSec tunnel. 4. Set the to WAN. 5. Set the local subnet to type of LAN subnet 6. Set the Remote subnet to / Set the remote gateway to Scroll down and set to the negotiation mode to main. 9. Set My identifier to be My IP address and Set Encryption algorithm to be Rijndael 256 (AES256). 11. Set Hash algorithm to be SHA1 12. Set DH key group to be 2 (or 1024 bit). 13. Set Lifetime to be Set Authentication method to be Pre-shared key. 15. Set Pre-shared Key to be BaoHa 36

37 16. Scroll down further and set Protocol to be ESP. 17. Set encryption algorithm to be Rijndael Set Hash algorithm to be SHA1 19. Set PFS key group to be 2 or 1024 bit. 20. Set Lifetime to be Click on Save! 22. Click on Apply Change 37

38 Following is a screenshot of VPN:IPSec screen once setup is done. 38

39 The IPSec tunnel setup on the second pfsense is similar. Following is the screenshot of VPN:IPSec of the second server. Setup the Firewall rules on both pfsense firewalls. The firewall has also be setup to allow IPSec traffic. Goto Firewall Rules IPSec and set it up to be like the following. 39

40 Check the IPSec Status 1. Go to Status IPSec 2. If it says No IPSec security associations, it means that the tunnel has not been established. Just ping from one end to another end. 3. When the tunnel is established, following is what the screenshot of Status IpSec Overview should look like. 4. Following is the screenshot of Status IpSec SAD 40

41 5. Following is the screenshot of Status IPSec SPD 6. Check the system logs of IPSec if there are still problems establishing the VPN tunnel! IPSec tunnel to a Debian Server To connect to a Debian server through IPSec is just as easy. Assuming that the Debian server is running racoon with following: 1. The pfsense firewall has a WAN IP of It has a local network with a subnet of / The Debian server has a WAN IP of It has a local network with a subnet of / Following are the IPSec link specifications: Pre-shared key: BaoHa. It is recommended to use a certificate. Using a simple preshared key simplifying the setup so we can evaluate the IPSec functionality. Encryption algorithm: aes265 Hash algorithm: sha1 41

42 The only change is the Debian's external IP address. 1. Go to VPN IPSec 2. Change the remote gateway to Following is the configuration of Debian's racoon: 42

43 Make sure that the file /etc/racoon/psk.txt contains the following pre-shared key: BaoHa Following are the screenshots of the Status IPSec once the tunnel is established. 43

44 44

45 VPN IPSec Template Hacom pfsense VPN IPSec WAN Local subnet Type LAN subnet Remote subnet /24 Remote gateway Address Description Phase 1 proposal (Authentication) Negotiation Mode main My Identifier My IP Address Encryption algorithm Rijndael 256 Hash algorithm SHA1 DH Key Group 2 lifetime Authentication method Pre-shared key Pre-shared Key BaoHa Certificate Key Peer Certificate Phase 2 proposal (SA/Key Exchange) Protocol ESP Encryption algorithm Rijndael 256 Hash algorithm SHA1 PFS key group 2 lifetime Keep alive (automatically ping) Firewall Rules IPSec Action Protocol Source /Port Destination /Port Pass IPSEC Any Any Any 45 Gateway Description

46 Appendix A. Templates Appendix A1. Three-Zone Firewall Template Hacom pfsense Three-Zone Firewall Setup Template s Static IP Comment WAN LAN OPT1 (DMZ) Virtual Ips (Firewall Virtual IPs) Virtual IP Address Type Description Firewall NAT 1:1 External subnet Internal subnet Description Firewall Rules Action Protocol Source /Port Destination /Port 46 Gateway Description

47 Appendix A2. Wireless Template Hacom pfsense Wireless Template Standard Mode g OFDM Protection Mode SSID Enable WEP Key 1 Key 2 Key 3 Key 4 Enable WPA WPA Pre Shared Key (PSK) WPA Mode Authentication WPA Pairwise Key Rotation Master Key Regeneration Strict Key Regeneration Enable IEEE802.1X Hostname (DHCP client configuration) 47

48 Appendix A3. Four-Zone Firewall Template Hacom pfsense Four-Zone Firewall Setup Template s Static IP Comment WAN LAN OPT1 (DMZ) OPT2 Virtual Ips (Firewall Virtual IPs) Virtual IP Address Type Description Firewall NAT 1:1 External subnet Internal subnet Description Firewall Rules Action Protocol Source /Port Destination /Port 48 Gateway Description

49 Appendix A4. DHCP Service Template Hacom pfsense DHCP Services Template DHCP Relay Services DHCP Relay Enable DHCP Append circuit ID and agent ID to requests Destination server DHCP Server Services DHCP server Deny unknown clients Range (from - to) WINS servers DNS servers Gateway Default lease time Maximum lease time Failover peer IP Static ARP Dynamic DNS NTP servers Enable Networkk booting 49

50 Appendix A5. Captive Portal Template Hacom pfsense Captive Portal Services Captive portal Captive portal Enable Captive Portal Maximum concurrent connections Idle timeout Hard timeout Logout popup window Redirection URL Concurrent user logins MAC filtering Authentication No authentication Local user manager RADIUS authentication Radius Server IP address Port Shared Secret Accounting Accounting updates Radius MAC authentication send RADIUS accounting packets Accounting port no accounting updates Reauthenticate connected users every minute RADIUS options (Type) HTTPS login HTTPS server name HTTPS certificate HTTPS private key 50 stop/start accounting Shared secret interim update

51 Portal page contents Authentication error page contents Appendix A6. Captive portal's Allowed IP Address Template Hacom pfsense Captive Portal's Allowed IP Address Services Captive portal allowed IP address Direction IP address Description Appendix A7. Captive portal's User Management Hacom pfsense Captive Portal's User Management Services Captive portal Users Username Password Full Name Expiration Date Appendix A8. VPN IPSec Template Hacom pfsense VPN IPSec WAN 51

52 Local subnet Type LAN subnet Address Remote subnet Remote gateway Description Phase 1 proposal (Authentication) Negotiation Mode My Identifier My IP Address Encryption algorithm Hash algorithm DH Key Group lifetime Authentication method Pre-shared Key Certificate Key Peer Certificate Phase 2 proposal (SA/Key Exchange) Protocol ESP Encryption algorithm Hash algorithm PFS key group lifetime Keep alive (automatically ping) Firewall Rules IPSec Action Protocol Source /Port Destination /Port 52 Gateway Description