Hacom pfsense Deployment Guide


Bao Ha
Copyright 2008 Hacom

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts.

9 November 2008

Table of Contents

Introduction
Three-Zone Firewall: Setup a DMZ
Four-Zone Firewall: Wireless Configuration
Four-Zone Firewall: Non-Bridged Wireless Network
Captive Portal
Virtual Private Network: Site-to-Site IPSec
Appendix A. Templates

Introduction

pfsense is a complete, embedded firewall software package that provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (it is free software). It is based on FreeBSD. The software is available at http://www.pfsense.com/. Hacom implements pfsense on our hardware to take advantage of its features, as well as to provide complete packaged support for commercial customers (small, medium and enterprise) who desire a one-stop shop.

This document is the continuation of the Hacom pfsense Quick-Start Guide. It documents common deployments of pfsense firewalls.

Documentation

Since pfsense is similar to M0n0wall, the documentation of the M0n0wall systems can be perused at the following URLs:

The M0n0 Users Manual (http://m0n0.ch/wall/docbook/)
M0n0wall Quick Start Guide (http://m0n0.ch/wall/quickstart/)
pfsense FAQ (http://faq.pfsense.com/)
pfsense tutorial (http://www.pfsense.com/index.php?id=36)
Hacom pfsense Quick-Start Guide (http://www.hacom.net/catalog/pub/pfsense/hacom%20pfsense%20quick-start%20guide.pdf)

Hacom's pfsense

Hacom offers three groups of commercially packaged pfsense systems with choices of support services: Phoenix, Mercury and Mars. The following comparison table can be used to select the appropriate equipment depending on the network environment.

Performance*              Phoenix     Mercury     Mars
Suggested Users           5-25        10-50       10-250
Throughput                90Mbps      200Mbps     400Mbps
Concurrent Connections    80,000      200,000     200,000-400,000
3DES IPSec Throughput     8-10Mbps    20Mbps      25-40Mbps
AES IPSec Throughput      10-40Mbps   80Mbps      40-60Mbps

* Performance depends on network environment and configuration of the firewall.

Hardware Specification

Phoenix: Systemboard ES466B; CPU 333Mhz AMD Geode GX; Memory 256MB; Ethernet 3x10M/100M
Mercury: Systemboard CV700A (500Mhz VIA C7) or CV700A/CV763A (1Ghz VIA C7); Memory 512MB; Ethernet 3x10M/100M/1G or 4x10M/100M/1G
Mars: Systemboard CI852A; CPU 1Ghz or 1.6Ghz Celeron-M; Memory 512MB or 1GB; Ethernet 4x10M/100M/1G
Storage (all models): 1GB CF (Compact Flash) or 1 GB DOM (Disk-On-Module)**

** Disk-on-Module is more durable than compact flash due to its built-in wear leveling function.

Templates

Templates are just simple forms filled in with enough information to guide the configuration of a pfsense firewall in a specific use case. For each of the deployments discussed in this guide, we put the templates at the end of the use case to illustrate how to fill in the forms. These templates are mainly for Hacom's support staff to evaluate how much information is required to configure the router for a specific application. Blank forms are provided in the appendixes.

Three-Zone Firewall: Setup a DMZ

DMZ stands for De-Militarized Zone. It is an area of a local internal network that contains Internet servers. It is isolated from the LAN so that a compromise of an Internet-accessible server cannot spill over into the internal network.

Following is a diagram of a 3-zone firewall: WAN, LAN and OPT1. WAN is the Internet, the outside world. LAN is the local internal network protected by the firewall. And OPT1 is the DMZ.

Following are the assumptions for the DMZ setup:

1. The firewall has a WAN IP of 208.127.150.33. It also has an extra external IP of 208.127.150.32 to be used for the web server: www.baoha.net.
2. The LAN subnet is 192.168.1.0/24.
3. The OPT1 (DMZ) subnet is 192.168.2.0/24.
4. The web server's DMZ IP is 192.168.2.5.

The goal is to forward any Internet traffic to the web server's public IP of 208.127.150.32 to the server 192.168.2.5 in the DMZ. The procedure is as follows:

1. Create an OPT1 interface if it does not exist.
2. Configure the OPT1 interface.
3. Add the virtual IP 208.127.150.32 to the pfsense firewall.
4. Configure 1:1 NAT.
5. Setup the firewall rule to allow access from DMZ to WAN, but not from DMZ to LAN.
6. Setup the firewall rule

During the initial setup, we may have only set up a 2-zone firewall with only 2 assigned network interfaces. We need to add the third interface using the web administration tools.

1. Go to Interfaces -> Assign.
2. Click on the plus + sign on the right hand side to create a new interface OPT1. Click on Save!

Now, we need to set up the OPT1 interface. OPT1 is the interface for the DMZ zone. Its subnet is 192.168.2.0/24, which contains the private IP of the web server www.baoha.net. For the OPT1 interface, we will:

1. Enable the OPT1 interface.
2. Set it to be static.
3. Set the IP = 192.168.2.1/24
4. Save it!

The next step is to add a virtual IP. Go to Firewall -> Virtual IPs.

1. Click on the plus + sign on the right hand side to create a new virtual IP.
2. Click on Save!
3. Click on Apply Changes!

Now, we are ready to configure the 1:1 NAT.

1. Go to Firewall -> NAT.
2. Click on the plus + sign on the right hand side to create a new 1:1 NAT rule.
3. Set the interface to be WAN.
4. Set the external IP to be 208.127.150.32.
5. Set the internal subnet to be 192.168.2.5.
6. Click on Save!
7. Click on Apply Changes

Now, we are ready to set up the firewall rule on the DMZ interface denying all traffic to the LAN while still permitting all traffic to the WAN.

1. Click Firewall -> Rules.
2. Click on the plus + sign on the right hand side to create a new firewall rule.
3. Set action to be REJECT
4. Set the interface to be OPT1
5. Set source to be ANY
6. Set the destination as LAN subnet
7. Click on Save.
8. Click on Apply Changes
9. Next, we set up the firewall rule on the DMZ interface to allow DMZ traffic to go anywhere except LAN. Click Firewall -> Rules.
10. Click on the plus + sign on the bottom right hand side to create a new firewall rule.
11. Set action to be ACCEPT
12. Set source to be ANY
13. Set the destination as NOT LAN subnet
14. Click on Save.
15. Click on Apply Changes

If certain services on the LAN have to be reachable from the DMZ, firewall rules have to be set up to allow these to be accessed from the DMZ; keep such rules as narrow as possible (one destination host and port each) so that a compromised DMZ server gains no more than that one service. Following is the minimum set of firewall rules for the DMZ (OPT1) zone.

Three-Zone Firewall Template

Hacom pfsense Three-Zone Firewall Setup Template

Interfaces (Static IP / Comment)
  WAN: 208.127.150.32/24
  LAN: 192.168.1.0
  OPT1 (DMZ): 192.168.2.1/24

Virtual IPs (Firewall -> Virtual IPs)
  Virtual IP Address: 208.127.150.32/32
  Type: Other
  Interface: WAN
  Description:

Firewall -> NAT -> 1:1
  Interface: WAN
  External subnet: 208.127.150.32/32
  Internal subnet: 192.168.2.5
  Description: www.baoha.net

Firewall Rules
  Rule 1: Action Reject; Interface OPT1; Protocol Any; Source Any; Destination LAN net; Description "Reject DMZ traffic to LAN"
  Rule 2: Action Pass; Interface OPT1; Protocol Any; Source OPT1 net; Destination !LAN net; Description "Permit DMZ to any but LAN"
  (The Port and Gateway columns are left blank.)

Four-Zone Firewall: Wireless Configuration

There are three ways to add a wireless network to our networking environment, assuming that the system has the optional wireless adapter.

1. Bridged wireless network. In this configuration, although we still have four zones (WAN, LAN, OPT1 and OPT2), the wireless interface OPT2 is bridged with LAN. The two zones LAN and OPT2 are in effect combined into one zone, LAN, for all practical purposes.
2. Four-zone firewall. In this configuration, the wireless network is just another local network, like the local network in the LAN zone.
3. Captive portal. This is similar to the above 4-zone networking environment, but it forces users to be authenticated before they can access the wireless network.

The DMZ or OPT1 zone can be ignored at this point. In fact, if we don't have a DMZ, the wireless interface becomes OPT1 instead of OPT2, and all configurations are the same.

Following is a diagram of a 4-zone firewall: WAN, LAN, OPT1 and OPT2. WAN is the Internet, the outside world. LAN is the local internal network protected by the firewall. OPT1 is the DMZ. And OPT2 is our wireless zone.

If it has not been done, we need to add the wireless network interface, OPT2 in this case, using the web administration tools.

1. Go to Interfaces -> Assign.
2. Click on the plus + sign on the right hand side to create a new interface OPT2.
3. Choose the ath0 network port.
4. Click on Save!

Note: Hacom supplies the Atheros-based network adapter with some of the systems. It is detected by FreeBSD as the ath0 interface. Some other wireless network adapters may be detected differently.

Bridged Wireless Network

In this configuration, all of the OPT2 zone wireless users are considered to be on the same network as the LAN wired network users. This configuration has an advantage: it allows all users in OPT2 and LAN to share peripherals, like networked printers, shared drives, etc. The flip side is that a wireless client gets exactly the same reach as a wired LAN client, so the wireless authentication is the only thing standing between the air and the LAN.

To configure a wireless network:

1. Go to Interfaces -> OPT2
2. Enable the optional 2 interface: OPT2
3. On the IP Configuration, set it to bridge with LAN
4. Set the wireless configuration standard to be 802.11g
5. Set the mode to be Access Point
6. Set the SSID to be pfsense or your choice of network name
7. Enable WEP authentication. There are other authentication methods besides WEP, i.e. WPA or 802.1X. Depending on the number of users and security level, they may be a better choice than WEP. Note that WEP keys can be recovered from captured traffic in minutes, so on a bridged network WEP offers the LAN no real protection; WPA with a strong pre-shared key, or 802.1X, should be preferred wherever the clients support it.
8. Set the 13-character WEP key
9. Set Open Authentication
10. Click on Save!
11. Add a firewall rule for OPT2 similar to the LAN zone.
12. Click on Save!
13. Click on Apply Changes!


Four-Zone Firewall Template (Bridged Wireless)

Hacom pfsense Four-Zone Firewall Setup Template

Interfaces (Static IP / Comment)
  WAN: 208.127.150.32/24
  LAN: 192.168.1.0
  OPT1 (DMZ): 192.168.2.1/24
  OPT2 (Wireless): Bridged with LAN! Refer to the Wireless template for setup info.

Virtual IPs (Firewall -> Virtual IPs)
  Virtual IP Address: 208.127.150.32/32
  Type: Other
  Interface: WAN
  Description:

Firewall -> NAT -> 1:1
  Interface: WAN
  External subnet: 208.127.150.32/32
  Internal subnet: 192.168.2.5
  Description: www.baoha.net

Firewall Rules
  Rule 1: Action Reject; Interface OPT1; Protocol Any; Source Any; Destination LAN net; Description "Reject DMZ traffic to LAN"
  Rule 2: Action Pass; Interface OPT1; Protocol Any; Source OPT1 net; Destination !LAN net; Description "Permit DMZ to any but LAN"
  Rule 3: Action Pass; Interface OPT2; Protocol Any; Source OPT2 net; Destination Any; Description "Permit OPT2 to any"
  (The Port and Gateway columns are left blank.)

Wireless Template

Hacom pfsense Wireless Template

  Interface: OPT2
  Standard: 802.11g
  Mode: Access Point
  802.11g OFDM Protection Mode: Protection mode off
  SSID: pfsense
  Enable WEP: Yes
  Key 1: 123456789abc
  Key 2:
  Key 3:
  Key 4:
  Enable WPA:
  WPA Pre Shared Key (PSK):
  WPA Mode:
  Authentication: Open System Authentication
  WPA Pairwise:
  Key Rotation:
  Master Key Regeneration:
  Strict Key Regeneration:
  Enable IEEE802.1X:
  Hostname (DHCP client configuration):

Four-Zone Firewall: Non-Bridged Wireless Network

Setting up a non-bridged wireless network is fairly easy. Just follow the same procedure as above, except for the first three steps:

1. Go to Interfaces -> OPT2. Enable the optional 2 interface, OPT2, if it is not already enabled.
2. On the IP Configuration, set the bridge to NONE, and set the IP address to a separate subnet from LAN. For example, we set it to be 192.168.3.1/24.

Four-Zone Firewall Template (Non-Bridged Wireless)

Hacom pfsense Four-Zone Firewall Setup Template

Interfaces (Static IP / Comment)
  WAN: 208.127.150.32/24
  LAN: 192.168.1.0
  OPT1 (DMZ): 192.168.2.1/24
  OPT2 (Wireless): 192.168.3.1/24. Refer to the Wireless template for setup info.

Virtual IPs (Firewall -> Virtual IPs)
  Virtual IP Address: 208.127.150.32/32
  Type: Other
  Interface: WAN
  Description:

Firewall -> NAT -> 1:1
  Interface: WAN
  External subnet: 208.127.150.32/32
  Internal subnet: 192.168.2.5
  Description: www.baoha.net

Firewall Rules
  Rule 1: Action Reject; Interface OPT1; Protocol Any; Source Any; Destination LAN net; Description "Reject DMZ traffic to LAN"
  Rule 2: Action Pass; Interface OPT1; Protocol Any; Source OPT1 net; Destination !LAN net; Description "Permit DMZ to any but LAN"
  Rule 3: Action Pass; Interface OPT2; Protocol Any; Source OPT2 net; Destination Any; Description "Permit OPT2 to any"
  (The Port and Gateway columns are left blank.)
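As an added example (not from the guide and not pfsense code), the following Python model applies the rule tables of the three-zone and four-zone templates above with first-match evaluation to one sample host per zone. It shows what "!LAN net" does and does not exclude: the DMZ is kept out of the LAN, but with a non-bridged wireless subnet the DMZ can still reach OPT2, and a second reject rule (my addition, not in the template) closes that. The sample hosts and the stock LAN-to-any rule are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example (not pfsense code): a first-match model of the per-interface
# rule tables in the templates. pfsense evaluates the rules of the interface a
# packet arrives on, the first match wins, and an unmatched packet hits the
# implicit default deny. The subnets are the guide's own values.
ZONE_NETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "OPT1": ip_network("192.168.2.0/24"),  # DMZ
    "OPT2": ip_network("192.168.3.0/24"),  # non-bridged wireless
}

# One representative host per zone (constructed); 208.127.150.34 is the
# external host the captive-portal section uses for the Hacom logo.
SAMPLE_HOST = {
    "LAN": "192.168.1.10",
    "OPT1": "192.168.2.5",      # www.baoha.net
    "OPT2": "192.168.3.101",    # first DHCP lease on the wireless zone
    "WAN": "208.127.150.34",
}


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "reject" (template protocol is always Any)
    interface: str     # interface the packet arrives on
    source: str        # "any" or "<zone> net"
    destination: str   # "any", "<zone> net" or "!<zone> net"
    description: str


def zone_of(addr: str) -> str:
    """Zone whose subnet contains addr; anything else is treated as WAN."""
    for zone, net in ZONE_NETS.items():
        if ip_address(addr) in net:
            return zone
    return "WAN"


def matches(selector: str, addr: str) -> bool:
    """Resolve a pfsense-style alias such as 'LAN net', '!LAN net' or 'any'."""
    if selector == "any":
        return True
    negate = selector.startswith("!")
    zone = selector.lstrip("!").split()[0]
    hit = ip_address(addr) in ZONE_NETS[zone]
    return not hit if negate else hit


def evaluate(rules, src: str, dst: str):
    """Action and description of the first matching rule on the ingress
    interface, or the implicit default deny when nothing matches."""
    ingress = zone_of(src)
    for rule in rules:
        if rule.interface != ingress:
            continue
        if matches(rule.source, src) and matches(rule.destination, dst):
            return rule.action, rule.description
    return "block", "default deny"


def reachability(rules):
    """Map (source zone, destination zone) -> action for the sample hosts."""
    return {
        (s, d): evaluate(rules, SAMPLE_HOST[s], SAMPLE_HOST[d])[0]
        for s in SAMPLE_HOST for d in SAMPLE_HOST if s != d
    }


# Rule table of the four-zone (non-bridged wireless) template, plus the stock
# "LAN to any" rule that the OPT2 rule is said to be modelled on (assumed).
TEMPLATE_RULES = [
    Rule("reject", "OPT1", "any", "LAN net", "Reject DMZ traffic to LAN"),
    Rule("pass", "OPT1", "OPT1 net", "!LAN net", "Permit DMZ to any but LAN"),
    Rule("pass", "OPT2", "OPT2 net", "any", "Permit OPT2 to any"),
    Rule("pass", "LAN", "LAN net", "any", "Default LAN to any"),
]

# Tighter variant (my addition, not in the guide): the DMZ may not initiate
# traffic towards the wireless zone either, since "!LAN net" alone does not
# exclude OPT2.
HARDENED_RULES = [
    Rule("reject", "OPT1", "any", "LAN net", "Reject DMZ traffic to LAN"),
    Rule("reject", "OPT1", "any", "OPT2 net", "Reject DMZ traffic to wireless"),
    Rule("pass", "OPT1", "OPT1 net", "!LAN net", "Permit DMZ to any but LAN"),
    Rule("pass", "OPT2", "OPT2 net", "any", "Permit OPT2 to any"),
    Rule("pass", "LAN", "LAN net", "any", "Default LAN to any"),
]


if __name__ == "__main__":
    for name, rules in (("template", TEMPLATE_RULES), ("hardened", HARDENED_RULES)):
        print(name)
        for (s, d), action in sorted(reachability(rules).items()):
            print(f"  {s:5} -> {d:5}: {action}")
```

The model ignores NAT and connection state, so the WAN column only shows what the filter rules themselves allow.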

Captive Portal

A captive portal uses a web page to authenticate users before granting them access to the Internet. It is commonly used in a wireless environment, where it is also called hotspot management, but the technique is applicable to wired network environments as well.

Following are the assumptions for the Captive Portal setup:

1. The firewall has a WAN IP of 208.127.150.33.
2. The OPT1 (DMZ) subnet is 192.168.2.0/24.
3. The LAN subnet is 192.168.1.0/24.
4. The captive portal is on the OPT2 zone. It has its own subnet: 192.168.3.0/24.

The goal is to authenticate all wireless users before allowing them to access the Internet as well as local LAN resources. The procedure is as follows:

1. Create an OPT2 interface and configure it if it does not exist.
2. Configure the DHCP server.
3. Configure the Captive Portal.
4. Setup the firewall rule for OPT2, if there is none!

Wireless Non-Bridged Network

Configuration of the non-bridged wireless network is similar to the previous section, Four-Zone Firewall: Non-Bridged Wireless Network.

Note: Make sure to disable all wireless authentication: no WEP/WPA/802.1X! With wireless encryption off, the portal only controls who gets through the firewall; the radio traffic itself is unencrypted, so enable the HTTPS login option of the portal so that at least the portal credentials are not sent in the clear.

Setting up the DHCP Server

The DHCP server is used to hand out IP addresses to the computers connecting to the Captive Portal. Use the following procedure if the DHCP server has not been set up.

1. Go to Services -> DHCP server
2. Enable the DHCP server on the OPT2 interface
3. Set the IP range to be from 192.168.3.101 to 192.168.3.150
4. Click on Save!

Captive Portal Setting

1. Go to Services -> Captive portal
2. Enable the Captive Portal
3. Set the interface to OPT2
4. Set idle timeout to 10 minutes, hard timeout to 120 minutes.
5. Set authentication to Local user manager. It is recommended to use a Radius server for authentication. Scroll down to see the option.
6. Don't forget to upload the Portal page contents and the Authentication error page contents. Scroll further down to see the option.
7. Go to Services -> Captive portal -> Allowed IP addresses to allow the following IPs:
   208.127.150.34: Hacom.net logo! This is an example of displaying images from an outside Internet server.
   192.168.2.5: Our web server www.baoha.net in the DMZ zone.
8. Click on the plus + sign on the right hand side to create a new allowed IP address.
9. Click on Save!
10. Click on Apply Changes!
11. Go to Services -> Captive portal -> Users to add authorized users.
12. Click on Save!
13. Click on Apply Changes!

Captive Portal Templates

The setup of a captive portal is similar to the four-zone non-bridged wireless configuration. We will need the following templates with filled-in information:

1. DHCP server service
2. Wireless configuration (no authentication)
3. Four-zone firewall
4. Captive portal

Hacom pfsense DHCP Services Template

DHCP Relay (Services -> DHCP Relay)
  Enable DHCP Relay:
  Append circuit ID and agent ID to requests:
  Destination server:

DHCP Server (Services -> DHCP server)
  Interface: OPT2
  Deny unknown clients:
  Range (from - to): 192.168.3.101 - 192.168.3.150
  WINS servers:
  DNS servers:
  Gateway:
  Default lease time:
  Maximum lease time:
  Failover peer IP:
  Static ARP:
  Dynamic DNS:
  NTP servers:
  Enable Network booting:

Hacom pfsense Wireless Template

  Interface: OPT2
  Standard: 802.11g
  Mode: Access Point
  802.11g OFDM Protection Mode: Protection mode off
  SSID: pfsense
  Enable WEP:
  Key 1:
  Key 2:
  Key 3:
  Key 4:
  Enable WPA:
  WPA Pre Shared Key (PSK):
  WPA Mode:
  Authentication: Open System Authentication
  WPA Pairwise:
  Key Rotation:
  Master Key Regeneration:
  Strict Key Regeneration:
  Enable IEEE802.1X:
  Hostname (DHCP client configuration):

Hacom pfsense Four-Zone Firewall Setup Template

Interfaces (Static IP / Comment)
  WAN: 208.127.150.32/24
  LAN: 192.168.1.0
  OPT1 (DMZ): 192.168.2.1/24
  OPT2 (Wireless): 192.168.3.1/24. Refer to the Wireless template for setup info.

Virtual IPs (Firewall -> Virtual IPs)
  Virtual IP Address: 208.127.150.32/32
  Type: Other
  Interface: WAN
  Description:

Firewall -> NAT -> 1:1
  Interface: WAN
  External subnet: 208.127.150.32/32
  Internal subnet: 192.168.2.5
  Description: www.baoha.net

Firewall Rules
  Rule 1: Action Reject; Interface OPT1; Protocol Any; Source Any; Destination LAN net; Description "Reject DMZ traffic to LAN"
  Rule 2: Action Pass; Interface OPT1; Protocol Any; Source OPT1 net; Destination !LAN net; Description "Permit DMZ to any but LAN"
  Rule 3: Action Pass; Interface OPT2; Protocol Any; Source OPT2 net; Destination Any; Description "Permit OPT2 to any"
  (The Port and Gateway columns are left blank.)

Hacom pfsense Captive Portal (Services -> Captive portal)

Captive portal
  Enable Captive Portal: Yes
  Interface: OPT2
  Maximum concurrent connections:
  Idle timeout: 10
  Hard timeout: 120
  Logout popup window:
  Redirection URL:
  Concurrent user logins:
  MAC filtering:

Authentication
  No authentication:
  Local user manager: Yes
  RADIUS authentication:

Radius Server
  IP address:
  Port:
  Shared Secret:

Accounting
  send RADIUS accounting packets:
  Accounting port:

Accounting updates
  no accounting updates / stop/start accounting / interim update:

Reauthenticate connected users every minute:

Radius MAC authentication
  Shared secret:

RADIUS options (Type):
HTTPS login:
HTTPS server name:
HTTPS certificate:
HTTPS private key:
Portal page contents:
Authentication error page contents:

Hacom pfsense Captive Portal's Allowed IP Address (Services -> Captive portal -> Allowed IP address)
  Direction: To
  IP address: 192.168.2.5
  Description: www.baoha.net

Hacom pfsense Captive Portal's Allowed IP Address (Services -> Captive portal -> Allowed IP address)
  Direction: To
  IP address: 208.127.150.34
  Description: Hacom.net logo

Hacom pfsense Captive Portal's User Management (Services -> Captive portal -> Users)
  Username: baoha
  Password: *****
  Full Name:
  Expiration Date:

Virtual Private Network: Site-to-Site IPSec

Internet Protocol Security (IPSec) is used to establish secured communication between one site and another remote site through the Internet. In this deployment case, we will be establishing an IPSec link between two pfsense firewalls.

Following are the assumptions for the site-to-site IPSec setup:

1. The pfsense firewall has a WAN IP of 208.127.150.33. It has a local network with a subnet of 192.168.254.0/24.
2. The other pfsense firewall has a WAN IP of 208.127.150.32. It has a local network with a subnet of 192.168.1.0/24.
3. Following are the IPSec link specifications:
   Pre-shared key: BaoHa. It is recommended to use a certificate. Using a simple pre-shared key simplifies the setup so we can evaluate the IPSec functionality.
   Encryption algorithm: aes256
   Hash algorithm: sha1

The goal is to establish an IPSec virtual private network (VPN) linking the two remote networks, 192.168.1.0/24 and 192.168.254.0/24, together through the Internet. The procedure is as follows:

1. Setup IPSec tunnels on both pfsense firewalls.
2. Setup the firewall rules on both pfsense firewalls.
3. Check the IPSec status.

Setup IPSec tunnels on pfsense

Following is the procedure to set up IPSec on the pfsense firewall with a local LAN address of 192.168.254.0/24.

1. Go to VPN -> IPSec
2. Put a check mark on Enable IPSEC. Click on the Save button!
3. Click on the plus + sign on the bottom right hand side to create a new IPSec tunnel.
4. Set the interface to WAN.
5. Set the local subnet to type of LAN subnet
6. Set the Remote subnet to 192.168.1.0/24.
7. Set the remote gateway to 208.127.150.32.
8. Scroll down and set the negotiation mode to main.
9. Set My identifier to be My IP address and 208.127.150.33.
10. Set Encryption algorithm to be Rijndael 256 (AES256).
11. Set Hash algorithm to be SHA1
12. Set DH key group to be 2 (or 1024 bit).
13. Set Lifetime to be 28800.
14. Set Authentication method to be Pre-shared key.
15. Set Pre-shared Key to be BaoHa
16. Scroll down further and set Protocol to be ESP.
17. Set encryption algorithm to be Rijndael 256.
18. Set Hash algorithm to be SHA1
19. Set PFS key group to be 2 or 1024 bit.
20. Set Lifetime to be 86400.
21. Click on Save!
22. Click on Apply Changes

Following is a screenshot of the VPN -> IPSec screen once setup is done.

The IPSec tunnel setup on the second pfsense is similar (the local and remote subnets and gateways are exchanged, while the pre-shared key and the phase 1 and phase 2 proposals must match, since the peers only agree on a security association for a proposal both of them offer). Following is the screenshot of VPN -> IPSec of the second server.

Setup the Firewall rules on both pfsense firewalls

The firewall also has to be set up to allow IPSec traffic. Go to Firewall -> Rules -> IPSec and set it up to be like the following.

Check the IPSec Status

1. Go to Status -> IPSec
2. If it says "No IPSec security associations", it means that the tunnel has not been established. Just ping from one end to the other end; the first packet for the remote subnet triggers the negotiation.
3. When the tunnel is established, following is what the screenshot of Status -> IPSec -> Overview should look like.
4. Following is the screenshot of Status -> IPSec -> SAD
5. Following is the screenshot of Status -> IPSec -> SPD
6. Check the system logs of IPSec if there are still problems establishing the VPN tunnel!

IPSec tunnel to a Debian Server

Connecting to a Debian server through IPSec is just as easy. Assume that the Debian server is running racoon with the following:

1. The pfsense firewall has a WAN IP of 208.127.150.33. It has a local network with a subnet of 192.168.254.0/24.
2. The Debian server has a WAN IP of 208.127.150.31. It has a local network with a subnet of 192.168.1.0/24.
3. Following are the IPSec link specifications:
   Pre-shared key: BaoHa. It is recommended to use a certificate. Using a simple pre-shared key simplifies the setup so we can evaluate the IPSec functionality.
   Encryption algorithm: aes256
   Hash algorithm: sha1

The only change is the Debian server's external IP address.

1. Go to VPN -> IPSec
2. Change the remote gateway to 208.127.150.31.

Following is the configuration of Debian's racoon:

Make sure that the file /etc/racoon/psk.txt contains the following pre-shared key:

208.127.150.33 BaoHa

The file should be readable by root only (mode 600); racoon complains about a pre-shared key file with weak permissions.

Following are the screenshots of the Status -> IPSec once the tunnel is established.


VPN IPSec Template

Hacom pfsense VPN IPSec

  Interface: WAN
  Local subnet: Type LAN subnet; Address
  Remote subnet: 192.168.1.0/24
  Remote gateway: 208.127.150.32
  Description:

Phase 1 proposal (Authentication)
  Negotiation Mode: main
  My Identifier: My IP Address, 208.127.150.33
  Encryption algorithm: Rijndael 256
  Hash algorithm: SHA1
  DH Key Group: 2
  Lifetime: 28800
  Authentication method: Pre-shared key
  Pre-shared Key: BaoHa
  Certificate:
  Key:
  Peer Certificate:

Phase 2 proposal (SA/Key Exchange)
  Protocol: ESP
  Encryption algorithm: Rijndael 256
  Hash algorithm: SHA1
  PFS key group: 2
  Lifetime: 86400
  Keep alive (automatically ping):

Firewall Rules -> IPSec
  Rule 1: Action Pass; Interface IPSEC; Protocol Any; Source Any; Destination Any
  (The Port, Gateway and Description columns are left blank.)

Appendix A. Templates

Appendix A1. Three-Zone Firewall Template

Hacom pfsense Three-Zone Firewall Setup Template

Interfaces (Static IP / Comment)
  WAN:
  LAN:
  OPT1 (DMZ):

Virtual IPs (Firewall -> Virtual IPs)
  Virtual IP Address:
  Type:
  Interface:
  Description:

Firewall -> NAT -> 1:1
  Interface:
  External subnet:
  Internal subnet:
  Description:

Firewall Rules
  Action; Interface; Protocol; Source / Port; Destination / Port; Gateway; Description

Appendix A2. Wireless Template

Hacom pfsense Wireless Template

  Interface:
  Standard:
  Mode:
  802.11g OFDM Protection Mode:
  SSID:
  Enable WEP:
  Key 1:
  Key 2:
  Key 3:
  Key 4:
  Enable WPA:
  WPA Pre Shared Key (PSK):
  WPA Mode:
  Authentication:
  WPA Pairwise:
  Key Rotation:
  Master Key Regeneration:
  Strict Key Regeneration:
  Enable IEEE802.1X:
  Hostname (DHCP client configuration):

Appendix A3. Four-Zone Firewall Template

Hacom pfsense Four-Zone Firewall Setup Template

Interfaces (Static IP / Comment)
  WAN:
  LAN:
  OPT1 (DMZ):
  OPT2:

Virtual IPs (Firewall -> Virtual IPs)
  Virtual IP Address:
  Type:
  Interface:
  Description:

Firewall -> NAT -> 1:1
  Interface:
  External subnet:
  Internal subnet:
  Description:

Firewall Rules
  Action; Interface; Protocol; Source / Port; Destination / Port; Gateway; Description

Appendix A4. DHCP Service Template

Hacom pfsense DHCP Services Template

DHCP Relay (Services -> DHCP Relay)
  Enable DHCP Relay:
  Append circuit ID and agent ID to requests:
  Destination server:

DHCP Server (Services -> DHCP server)
  Interface:
  Deny unknown clients:
  Range (from - to):
  WINS servers:
  DNS servers:
  Gateway:
  Default lease time:
  Maximum lease time:
  Failover peer IP:
  Static ARP:
  Dynamic DNS:
  NTP servers:
  Enable Network booting:

Appendix A5. Captive Portal Template

Hacom pfsense Captive Portal (Services -> Captive portal)

Captive portal
  Enable Captive Portal:
  Interface:
  Maximum concurrent connections:
  Idle timeout:
  Hard timeout:
  Logout popup window:
  Redirection URL:
  Concurrent user logins:
  MAC filtering:

Authentication
  No authentication:
  Local user manager:
  RADIUS authentication:

Radius Server
  IP address:
  Port:
  Shared Secret:

Accounting
  send RADIUS accounting packets:
  Accounting port:

Accounting updates
  no accounting updates / stop/start accounting / interim update:

Reauthenticate connected users every minute:

Radius MAC authentication
  Shared secret:

RADIUS options (Type):
HTTPS login:
HTTPS server name:
HTTPS certificate:
HTTPS private key:
Portal page contents:
Authentication error page contents:

Appendix A6. Captive portal's Allowed IP Address Template

Hacom pfsense Captive Portal's Allowed IP Address (Services -> Captive portal -> Allowed IP address)
  Direction:
  IP address:
  Description:

Appendix A7. Captive portal's User Management

Hacom pfsense Captive Portal's User Management (Services -> Captive portal -> Users)
  Username:
  Password:
  Full Name:
  Expiration Date:

Appendix A8. VPN IPSec Template

Hacom pfsense VPN IPSec

  Interface: WAN
  Local subnet: Type LAN subnet; Address
  Remote subnet:
  Remote gateway:
  Description:

Phase 1 proposal (Authentication)
  Negotiation Mode:
  My Identifier: My IP Address
  Encryption algorithm:
  Hash algorithm:
  DH Key Group:
  Lifetime:
  Authentication method:
  Pre-shared Key:
  Certificate:
  Key:
  Peer Certificate:

Phase 2 proposal (SA/Key Exchange)
  Protocol: ESP
  Encryption algorithm:
  Hash algorithm:
  PFS key group:
  Lifetime:
  Keep alive (automatically ping):

Firewall Rules -> IPSec
  Action; Interface; Protocol; Source / Port; Destination / Port; Gateway; Description