pfSense 2.x Cookbook - Second Edition

By: David Zientara

Overview of this book

pfSense is an open source distribution of the FreeBSD-based firewall that provides a platform for flexible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options, which makes determining requirements a little more difficult and a lot more important compared to other offerings. pfSense 2.x Cookbook – Second Edition starts by providing you with an understanding of how to complete the basic steps needed to render a pfSense firewall operational. It starts by showing you how to set up different forms of NAT entries and firewall rules and use aliases and scheduling in firewall rules. Moving on, you will learn how to implement a captive portal setup in different ways (no authentication, user manager authentication, and RADIUS authentication), as well as NTP and SNMP configuration. You will then learn how to set up a VPN tunnel with pfSense. The book then focuses on setting up traffic shaping with pfSense, using either the built-in traffic shaping wizard, custom floating rules, or Snort. Toward the end, you will set up multiple WAN interfaces, load balancing and failover groups, and a CARP failover group. You will also learn how to bridge interfaces, add static routing entries, and use dynamic routing protocols via third-party packages.

Preface

pfSense is open source router/firewall software based on the FreeBSD operating system. It provides a frontend to Packet Filter (PF), FreeBSD's built-in firewall. Originally introduced in 2006, it has achieved a level of scalability, flexibility, and cost-effectiveness that has made it one of the most popular router/firewall distributions. The flexibility of pfSense means that in most cases there are several options available when configuring options and services. In such cases, determining your specific requirements is critical to optimizing results.

This book tries to make this process of obtaining optimal results as easy as possible. It follows a cookbook-style approach to teach you how to use pfSense's many features after determining your security requirements. This book covers everything from configuring network interfaces and basic services such as DHCP and DNS, to more complex capabilities such as load balancing and failover.

Who this book is for

This book is targeted at those with a beginner- or intermediate-level understanding of computer networking. Basic knowledge of the fundamentals of networking is helpful, although basic networking concepts and terms are explained to the greatest extent possible within the scope of the book. No prior knowledge of pfSense or FreeBSD is assumed.

What this book covers

Chapter 1, Initial Configuration, covers pfSense firewall configuration from the point of initial installation, and covers much of what most users will need to configure, such as setting up WAN, LAN, and optional interfaces; enabling SSH access and generating RSA keys; and adding VLANs.

Chapter 2, Essential Services, includes the services that are crucial to virtually every pfSense deployment – namely, DHCP, DHCPv6, DNS, and dynamic DNS. This chapter also covers how to configure pfSense for use as a wireless access point.

Chapter 3, Firewall and NAT, covers the basics of creating firewall rules (standard and floating), as well as how to leverage aliases and scheduling to impose rules on a flexible basis. Different forms of Network Address Translation (NAT) are covered, along with two specialized forms of NAT designed to make online gaming easier: UPnP and NAT-PMP.

Chapter 4, Additional Services, is a new chapter covering services that are less commonly enabled but still useful for many home and SOHO deployments. Captive portals are covered, including all forms of authentication currently supported by pfSense, including RADIUS authentication. The chapter also covers the Network Time Protocol (NTP) and the Simple Network Management Protocol (SNMP).

Chapter 5, Virtual Private Networking, shows how to set up pfSense to act as the endpoint of a VPN tunnel, both as a peer-to-peer entity with another firewall at the opposite end of the connection, and as a client-server entity with a mobile client at the other end. Recipes are provided covering the three protocols supported by the current version of pfSense: IPsec, OpenVPN, and L2TP.

Chapter 6, Traffic Shaping, is another new chapter. This chapter demonstrates how to leverage the capabilities of pfSense to achieve a certain Quality of Service (QoS), using both the traffic shaper wizard and floating rules for policy-based routing. Deep packet inspection, however, is not possible using the built-in traffic shaper. To make this possible, we need the third-party package known as Snort, and this chapter covers the installation and configuration of Snort.

Chapter 7, Redundancy, Load Balancing, and Failover, covers the essential ways in which pfSense provides for load balancing and failover. Namely, it covers multiple WAN setups (which enable us to aggregate bandwidth and/or provide failover capabilities when we have multiple internet connections), load balancing using pfSense's built-in server load balancing capabilities, and the Common Address Redundancy Protocol (CARP), which allows us to have a completely redundant firewall on standby.

Chapter 8, Routing and Bridging, covers cases that many pfSense deployments may rarely encounter, if ever. This chapter demonstrates how to bridge interfaces, how to add a static route, and the dynamic routing protocols of the Routing Information Protocol (RIP), Border Gateway Protocol (BGP), and Open Shortest Path First (OSPF).

Chapter 9, Services and Maintenance, covers a number of services and utilities, most of which are useful for diagnostics and troubleshooting. Wake-on-LAN (WOL), Point-to-Point Protocol over Ethernet (PPPoE), and enabling Syslog are covered, as well as command-line utilities such as ping and traceroute.

Appendix A, Backing Up and Restoring pfSense, provides a brief guide to backing up pfSense, restoring pfSense from either the web GUI or SSH/command line interface, and the various options for updating pfSense.

Appendix B, Determining Hardware Requirements, is a brief primer showing how to choose the best pfSense configuration after you determine your firewall requirements. You will even learn how and where to deploy pfSense to fit your environment's security needs.

To get the most out of this book

Following along with the recipes in this book should not require anything more than a basic knowledge of computer networking and some familiarity with computers and software.

You will get the most out of this book if you follow along with a functioning pfSense system. Thus, it will be helpful if you have either spare hardware onto which you can install the current version of pfSense, or virtualization software so that you can run pfSense inside a virtual machine (VM). I cannot do full justice to all the variants of VMs available, but I can say that Oracle VM VirtualBox has proven quite useful in preparing the material for this book.

This book does not provide a step-by-step guide on how to install pfSense, but if you need such a guide, you can find one here: https://www.netgate.com/docs/pfsense/install/installing-pfsense.html.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789806427_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "In the Name edit box, enter an appropriate name (for example, WEB_SERVER_IPS)."

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click on the LAN tab, if it isn't selected already."

Note

Warnings or important notes appear like this.

Note

Tips and tricks appear like this.

Sections

In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it works..., There's more..., and See also).

To give clear instructions on how to complete a recipe, these sections are used as follows:

Getting ready

This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.

How to do it…

This section contains the steps required to follow the recipe.

How it works…

This section usually consists of a detailed explanation of what happened in the previous section.

There's more…

This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.

See also

This section provides helpful links to other useful information for the recipe.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.