Book Image

pfSense 2.x Cookbook - Second Edition

By : David Zientara
Book Image

pfSense 2.x Cookbook - Second Edition

By: David Zientara

Overview of this book

pfSense is an open source distribution of the FreeBSD-based firewall that provides a platform for ?exible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options, which makes determining requirements a little more difficult and a lot more important compared to other offerings. pfSense 2.x Cookbook – Second Edition starts by providing you with an understanding of how to complete the basic steps needed to render a pfSense firewall operational. It starts by showing you how to set up different forms of NAT entries and firewall rules and use aliases and scheduling in firewall rules. Moving on, you will learn how to implement a captive portal set up in different ways (no authentication, user manager authentication, and RADIUS authentication), as well as NTP and SNMP configuration. You will then learn how to set up a VPN tunnel with pfSense. The book then focuses on setting up traffic shaping with pfSense, using either the built-in traffic shaping wizard, custom ?oating rules, or Snort. Toward the end, you will set up multiple WAN interfaces, load balancing and failover groups, and a CARP failover group. You will also learn how to bridge interfaces, add static routing entries, and use dynamic routing protocols via third-party packages.
Table of Contents (18 chapters)
Title Page
Copyright and Credits
About Packt

Determining our deployment scenario

This section will determine which pfSense deployment scenarios is most applicable by analysing our network diagram.

In this section, we will make use of our network diagram to understand how and where pfSense will fit into our environment. As an example, we will use a relatively typical small Office/Home Office setup. We begin by looking at our network diagram:

In this small office scenario, the firewall that we have diagrammed clearly meets the definition of a perimeter firewall, which is the most common of pfSense deployments.

A perimeter firewall becomes the gatekeeper of all traffic flowing between interfaces. We will define firewall rules based on how we want that traffic to flow. A few common rules that most networks enforce are:

  • Allow all from LAN to WAN: The LAN should have outbound access to the WAN so its users can access the internet.
  • Allow some from LAN to WAN: The practice known as egress filtering involves limiting the types of traffic allowed to leave a network to ensure unauthorized or malicious traffic never leaves it.
  • Block all from WAN to LAN: Do not allow external users to get into our own private network.
  • Allow HTTP from LAN to DMZ: Allow our internal users to access our company's web server.
  • Allow HTTP from WAN to DMZ: Allow external users to access our company's web server.
  • Block all from DMZ to LAN: Our DMZ is insecure since we are allowing external users to come and access the web server. We want to protect ourselves by blocking any traffic that attempts to access our LAN from the DMZ.

pfSense also employs many advanced firewall features to accommodate the needs of more complex networks. pfSense is capable of the following:

  • Supporting dozens of interfaces.
  • Handling multiple internet connections, in case the primary internet connection fails (multi-WAN).
  • Failover protection, in case the primary firewall dies (CARP).
  • Load balancing, to optimize network traffic by balancing demanding loads.

pfSense is highly flexible and can also be configured as any of the following devices. It's important to note that these roles are simply services that we will use within our perimeter firewall deployment, but larger environments may want to build these roles as separate machines to improve performance:

  • Router: This is the second most common deployment of pfSense. A router determines a packet's destination and then sends it on its way, without applying any firewall rules. A router is not necessarily deployed at the perimeter of a network.
  • VPN appliance: A VPN server provides encrypted remote network connections. pfSense supports all the major virtual private networking protocols, such as IPsec, OpenVPN, and L2TP.
  • DHCP appliance: A DHCP server assigns IP addresses to clients that request them.
  • DNS appliance: A DNS server associates names with IP addresses. It's much easier to remember than its IP address.
  • VoIP appliance: Voice over IP (VoIP) is digital telephony, possible with pfSense.
  • Sniffer appliance: Sniffers analyse packets for patterns. This is often to detect and prevent traffic that attempts to exploit known vulnerabilities. pfSense utilizes the most widely deployed sniffer package in existence, Snort.
  • Wireless Access Point: pfSense can be deployed strictly as a wireless access point, through it rarely is.
  • Switch: It is possible to disable all filtering in pfSense and use it as a switch. That makes for one expensive switch (by way of comparison, a simple 5-port GBEthernet switch can be obtained for less than $20 USD), but it is an option.     

pfSense can be configured with many more devices—pfSense being deployed as a special purpose appliance is only limited by the number of packages supported by the platform.


For more information on pfSense deployment scenarios, read through the Common Deployments section of the documentation