Book Image

pfSense 2.x Cookbook - Second Edition

By : David Zientara
Book Image

pfSense 2.x Cookbook - Second Edition

By: David Zientara

Overview of this book

pfSense is an open source distribution of the FreeBSD-based firewall that provides a platform for ?exible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options, which makes determining requirements a little more difficult and a lot more important compared to other offerings. pfSense 2.x Cookbook – Second Edition starts by providing you with an understanding of how to complete the basic steps needed to render a pfSense firewall operational. It starts by showing you how to set up different forms of NAT entries and firewall rules and use aliases and scheduling in firewall rules. Moving on, you will learn how to implement a captive portal set up in different ways (no authentication, user manager authentication, and RADIUS authentication), as well as NTP and SNMP configuration. You will then learn how to set up a VPN tunnel with pfSense. The book then focuses on setting up traffic shaping with pfSense, using either the built-in traffic shaping wizard, custom ?oating rules, or Snort. Toward the end, you will set up multiple WAN interfaces, load balancing and failover groups, and a CARP failover group. You will also learn how to bridge interfaces, add static routing entries, and use dynamic routing protocols via third-party packages.
Table of Contents (13 chapters)

Configuring optional interfaces from the console

This recipe describes how to configure optional interfaces (for example, a DMZ network) to pfSense.

Getting ready

The optional network you will create in this network will be a DMZ, which is short for the DeMilitarized Zone. The idea of a DMZ is to have a network where some traffic is allowed to pass and some traffic is not. Typically, traffic in the DMZ is allowed to pass to and from the internet but not to other internal networks. Traffic is allowed to pass from internal networks to the DMZ. Thus, the flow of traffic looks like this:

Internet <<>> DMZ << Internal networks

Unsafe internet traffic, for example, is allowed to enter a web server in the DMZ. LAN traffic is allowed to enter the DMZ as well, for example, if someone on the LAN wants to access the web server as well. However, the key lies in the fact that no DMZ traffic is allowed to access the internal networks.

To configure a DMZ, you will need at least one spare interface, and you will have to have added it using the procedure outlined in the Identifying and assigning interfaces recipe. We will assume that you have added at least one such interface (named OPT1).

How to do it...

  1. Navigate to Interfaces | OPT1.
  2. Check the Enable Interface checkbox:
  1. Set Description to DMZ.
  2. Set IPv4 Configuration Type to Static IPv4.
  3. Enter an IPv4 Address and the CIDR. In our case, we will use 192.168.2.1 and select 24 from the CIDR dropdown list.
  4. Leave IPv4 Upstream gateway set to None.
  5. Leave the Block private networks and Block bogon networks checkboxes unchecked (they should be unchecked by default).
  6. When you are done making changes, click on the Save button. When the page reloads, click on the Apply Changes button.

How it works...

Your DMZ network will now allow external (WAN) access. Your LAN network will now be able to access the DMZ, but the DMZ will not be able to access the LAN.

There's more...

You can now attach a switch to your DMZ port to allow you to attach multiple nodes to your DMZ network. If you have been following the recipes in this chapter in order, your network will now look like this:

See also

  • The Identifying and assigning interfaces recipe
  • The Configuring a WAN interface recipe
  • The Configuring a LAN interface recipe