pfSense 2 Cookbook
Overview of this book

pfSense is an open source, FreeBSD-based firewall distribution that provides a platform for flexible and powerful routing and firewalling. The versatility of pfSense presents us with a wide array of configuration options, which makes determining requirements a little more difficult and a lot more important compared to other offerings. Through this book you will see that pfSense offers numerous alternatives to fit any environment's security needs.

pfSense 2.0 Cookbook is the first and only book to explore all the features of pfSense, including those released in the latest 2.0 version. With the help of step-by-step instructions and detailed screenshots of the pfSense interface, you will be able to configure every general and advanced feature, from creating a firewall rule to configuring multi-WAN failover. Each recipe includes tips and offers advice on variations of the topic, references to other related recipes, and additional information that can be found from other sources.

pfSense 2.0 Cookbook covers the gamut of available features and functionality. The first three chapters will take you from a non-existent system to a basic pfSense firewall. The next chapter focuses on configuring any number of the VPN services available, a very important and sought-after feature for anyone implementing a firewall. The following two chapters describe how to configure the most advanced features available in pfSense, features that may only be relevant to the most experienced network admins. Chapter 7 is dedicated to understanding and configuring the "grab-bag" of features that are available in pfSense but are often stand-alone options unrelated to each other. The first appendix explains how to use the status monitoring tools available for many of the features. The second appendix wraps up by helping you decide how and where pfSense may be incorporated into your system and what type of hardware is required based on your throughput needs.

Determining our throughput requirements


This recipe will explain how to determine the throughput requirements, and subsequently the processing and memory requirements needed in our environment.

Getting ready

We’ll want to prepare for determining our requirements by gathering the following information:

  • Our Internet connection speed.

  • Our network hardware speed. Will our network be capable of 10, 100, or 1000 Mbps speeds?

  • What connection speeds will our different types of users be expecting?

How to do it...

  1. Let’s review the general throughput and feature guidelines (available at http://pfsense.com/ at Hardware | Selection & Sizing):

    Firewall throughput   Processing power required   Server hardware (PCI-X/PCI-e NICs)
    10-20 Mbps            266-MHz CPU                 No
    21-50 Mbps            500-MHz CPU                 No
    51-200 Mbps           1-GHz CPU                   No
    201-500 Mbps          2-GHz CPU                   Recommended
    501+ Mbps             3-GHz CPU                   Recommended

    The following table defines any additional system requirements that would be necessary if deploying optional features:

    Feature              Additional Requirements
    VPN                  A CPU’s encrypted throughput is roughly 20 percent of its
                         unencrypted throughput. If you have a 500-MHz processor
                         (~50 Mbps unencrypted) and you need more than 10 Mbps
                         encrypted throughput, you’re going to need a faster
                         processor or a separate encryption card.
    Captive portal       Environments with a larger number of captive portal users
                         (100+) may need to bump their processing power slightly to
                         achieve the same throughput.
    Large state tables   The default state table size of 10,000 entries takes up
                         10 MB of RAM. Large environments with hundreds of thousands
                         of entries will want to make sure they have the necessary
                         memory available.
    Squid package        A package for caching web content; it makes extensive use
                         of a hard disk and needs a large amount of storage. It is
                         not for use with an embedded installation, where writes to
                         the compact flash card are kept to a minimum.
    Snort package        A packet sniffer and intrusion prevention/detection system
                         (IPS/IDS). A minimum of 512 MB of RAM is required.
    NTop package         A network traffic reporting tool. A minimum of 512 MB of
                         RAM is required.

  2. Now, let’s determine our own requirements:

    • Our medium-sized business, Any Company USA, has 100 typical business users. Our network infrastructure consists of CAT5 cable and 100 Mbps switches. The majority of our traffic is web browsing, e-mails, and small file sharing. Our 100-Mbps Internet connection is ample, and our primary concern is being able to use what we’re paying for.

    • We want to provide VPN access for employees on the go, but we expect no more than a handful of VPN connections at any given time and throughput for these external users isn’t a primary concern. Of the additional packages available to pfSense, we’ve decided we’d like to use the NTop package to help us analyze our traffic and identify problems.

    • Lastly, given the money we’re saving using the open source pfSense platform, we’re going to build an additional fail-over firewall to comply with our organization’s redundancy IT policy.

  3. At this point we’ve identified our requirements as:

    • 1 Gbps network hardware (cables and switches)

    • Unencrypted throughput of 100 Mbps

    • Encrypted throughput (VPN) of 20 Mbps

    • 1-GHz CPU, 1-GB RAM

    • A second identical machine to be used as a failover
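The three steps above, as an added worked example that is not from the book: a small Python sizing helper that encodes the guideline table, the 20-percent VPN rule, the 10,000-states-per-10 MB figure and the package RAM minimums, and applies them to the Any Company USA numbers. The Requirements and Sizing classes and the size_firewall function are this example's own names, and adding the package RAM minimum to the state-table memory is a conservative assumption made here, not a figure from the book.

```python
import math
from dataclasses import dataclass, field

# Rows of the book's throughput table: (max firewall throughput in Mbps,
# CPU in MHz, server-grade PCI-X/PCI-e NICs recommended?).
CPU_TIERS = [
    (20, 266, False),
    (50, 500, False),
    (200, 1000, False),
    (500, 2000, True),
    (math.inf, 3000, True),
]

ENCRYPTED_FRACTION = 0.20   # encrypted throughput ~ 20% of unencrypted (book)
STATE_MB_PER_10K = 10       # 10,000 state entries take 10 MB of RAM (book)
DEFAULT_STATES = 10_000
PACKAGE_MIN_RAM_MB = {"snort": 512, "ntop": 512}   # book's feature table


@dataclass
class Requirements:             # example's own type, not from the book
    unencrypted_mbps: float     # traffic that must cross the firewall
    encrypted_mbps: float = 0.0 # VPN throughput needed
    states: int = DEFAULT_STATES
    packages: tuple = ()        # e.g. ("ntop",)
    captive_portal_users: int = 0
    embedded: bool = False      # compact-flash install?


@dataclass
class Sizing:                   # example's own type, not from the book
    cpu_mhz: int
    server_nics: bool
    min_ram_mb: int
    notes: list = field(default_factory=list)


def cpu_tier(mbps):
    """Return (CPU MHz, server NICs recommended) for a plain-traffic load."""
    for limit, mhz, server_nics in CPU_TIERS:
        if mbps <= limit:
            return mhz, server_nics
    raise ValueError("unreachable: last tier is unbounded")


def size_firewall(req):
    notes = []
    # VPN rule: a CPU pushes only ~20% of its plain throughput encrypted, so
    # X Mbps of VPN costs as much CPU as X / 0.2 Mbps of plain traffic.
    vpn_equivalent = req.encrypted_mbps / ENCRYPTED_FRACTION
    if vpn_equivalent > req.unencrypted_mbps:
        notes.append(f"VPN need ({req.encrypted_mbps} Mbps encrypted) sets the "
                     "CPU tier; consider a faster CPU or a crypto card")
    mhz, server_nics = cpu_tier(max(req.unencrypted_mbps, vpn_equivalent))
    if req.captive_portal_users >= 100:
        notes.append("100+ captive portal users: allow slightly more CPU "
                     "for the same throughput")
    # RAM floor: package minimum plus state-table memory. Summing the two is
    # a conservative assumption of this example, not a figure from the book.
    state_mb = math.ceil(req.states * STATE_MB_PER_10K / DEFAULT_STATES)
    pkg_mb = max((PACKAGE_MIN_RAM_MB.get(p.lower(), 0) for p in req.packages),
                 default=0)
    if req.embedded and any(p.lower() == "squid" for p in req.packages):
        notes.append("Squid needs a real hard disk; not suitable for an "
                     "embedded compact flash install")
    return Sizing(mhz, server_nics, pkg_mb + state_mb, notes)


if __name__ == "__main__":
    # Constructed input mirroring the recipe's Any Company USA scenario:
    # 100 Mbps plain traffic, 20 Mbps VPN, NTop package, default state table.
    print(size_firewall(Requirements(100, 20, packages=("ntop",))))
```

Run as a script, it reports the recipe's scenario as the 1-GHz CPU tier with no server NICs required and a 522 MB RAM floor, which the recipe settles at 1 GB. Asking for more VPN throughput than the plain-traffic tier can carry (for example 20 Mbps encrypted on a 50 Mbps load) moves the CPU tier up and records a note, which is the case the VPN row of the feature table warns about; a state table of 300,000 entries raises the RAM floor by 300 MB on its own.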

How it works...

Throughput is the amount of data that can be processed in a given period of time. We may have a 100 Mbps fiber-optic Internet connection, but if our firewall’s hardware can only process 20 Mbps, then that’s all we’re going to get.

Firewall throughput is only a factor for traffic passing through the firewall. Internet traffic meets this requirement (LAN <-> WAN), as would any traffic between our own networks (LAN <-> DMZ). However, traffic between two machines on the same network, two PCs in our LAN for example, won’t be bottlenecked by the firewall.

There’s more...

It’s important to remember that certain firewall features have their own hardware requirements. For example, VPN connections require additional processing power and the Squid web-caching package isn’t suitable for an embedded compact flash disk installation.

List of available packages

Unfortunately, a current list of packages available to pfSense isn’t maintained online. Once pfSense is installed, we can view available packages in the System | Packages menu.

See also