Okay, I’m finally coming back to this, the last part in an overdue, really extended, highly anticipated(?) article on PFSense. In this second part, I am going to cover some of the features I use in PFSense, the ways I have them configured, some uses for PFSense (outside of just a firewall) and some final comments, opinions, wish list, etc… So, let’s stop wasting time and get to it!
So the first feature I want to go over, because outside of setting up the firewall itself it’s the one I use the most, is the VPN (IPsec) capability. Just in case you’re wondering, I will go over the firewall itself (configuring and such) but it’s going to be brief, as this is a pretty easy firewall to figure out. I mean, if you have EVER configured a firewall, you can configure PFSense. At any rate, let’s talk about the IPsec/VPN tunnel. Most of the time I find myself working on projects for customers that require some sort of firewall/VPN endpoint (so they want a tunnel, and often the tunnel endpoint is an edge device or sits on the external perimeter). Often these customers do not want to spring for a firewall/VPN device the likes of a Checkpoint/Cisco/Juniper/etc. simply due to price (not to take away from these products, they are great and I’ve used them, but they are expensive, not something that jibes with this economy), and that’s understandable. I’ve found that PFSense is great for this purpose and it’s super easy to set up the tunnel and have it running in a matter of moments. Go to the VPN tab and select IPsec, and you will be presented with the configuration screen below:
If you click the plus next to the blank configuration you are launched into the first configuration screen (phase1). Take a look at this example I worked up:
Sorry, I had to break it into two different screenshots, but as you can see, configuring the initial tunnel connection (hereafter known as phase1) is quite easy. You can modify various settings but it’s pretty straightforward. Your endpoint will be the WAN interface and your destination the remote peer’s external IP; make sure your pre-shared key is a lot more secure than mine (a long random string, and stick with main mode, since a PSK used in aggressive mode can be attacked offline from a single captured exchange) and the rest is pretty self-explanatory. The encryption will depend on your corporate standard (or personal preference, whichever trumps) and whatever your connecting endpoint supports. Hit save at the end and then you are back to the IPsec landing page. Click the plus under the phase1 tunnel, click the plus again and then finally click the next plus to configure the phase2 portion of the tunnel.
Configuring phase2 is a lot like configuring phase1. It’s as easy as configuring the local and remote LAN subnets that will be connected via this tunnel, setting the encryption to match and hitting save! Check the box next to Enable IPsec, hit save and you are all set!
I know I blitzed through that pretty quickly, but here are a few things to consider while configuring this:
- If you are using two PFSense devices, it really is as simple as making sure your settings match. The real trick comes into play with other devices like Checkpoint (pain) and Cisco (not so bad). These devices have these settings in different places, in different formats, etc… and can be tricky enough when setting up a site-to-site tunnel between two of themselves, let alone trying to achieve interoperability between dissimilar devices.
- Make sure you understand the references for phase1 and phase2 between Checkpoint, Cisco, Juniper, PFSense, etc… This will trip you up every time if you don’t.
- I have had great success configuring PFSense to connect to Cisco, Checkpoint, Juniper, etc… The trick is to start out with basic encryption and turn off the extra junk (PFS, groups, etc…), make sure it connects, send traffic (you did configure the firewall rules to allow traffic on each endpoint, didn’t you?) and then add your complexity from there. Don’t start out with complex encryption, groups, PFS, different timings, etc… It will only lead to heartache and possibly a broken keyboard. Just don’t leave it stripped down: once the tunnel is stable, turn PFS back on and bring the encryption up to your standard on both sides (without PFS, the phase2 keys are derived from the phase1 exchange alone).
- Make sure you allow traffic for the subnet on the IPsec interface (see below) in the firewall portion. Rules on the IPsec tab govern what arrives from the far side of the tunnel; traffic heading into the tunnel from your side is still checked by the rules on the interface it enters on (normally LAN). Otherwise, well, the firewall does its default job.
- Finally, once you have this all working, BACKUP THE CONFIG (Diagnostics, Backup/Restore in the webGUI)!!!! DO NOT PROCEED WITHOUT BACKING UP THE CONFIG! If you don’t, here is what will happen: you will change something, you won’t keep track of it and you will get a phone call. The phone call will consist of, “the tunnel isn’t working, fix it.” and you will proceed to pull your hair out trying to figure out what happened. It’s how I ended up bald (well, that and genetics), don’t let it happen to you.
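To make the “your settings must match” point concrete, here is an added example (mine, not code from the original post or from pfSense) that normalizes the phase1/phase2 settings of two endpoints into one vocabulary, reports what will not negotiate, and flags the settings you only turned down for debugging so they do not survive into production. The vendor spellings in the table and the two endpoint definitions are constructed assumptions for a pfSense-to-Cisco IOS tunnel, not a vendor reference; check them against the real GUI and CLI before trusting a match.

```python
"""Compare the IKE phase1/phase2 settings of two IPsec endpoints.

Added example for this article, not code from the original post or from
pfSense. VENDOR_NAMES holds assumed spellings for how each product labels
the same algorithm; PFSENSE_SIDE and CISCO_SIDE are constructed sample input.
"""

# Canonical token for every spelling we expect to meet. Assumed spellings:
# confirm them against the actual vendor GUI/CLI before trusting a match.
VENDOR_NAMES = {
    "encryption": {
        "aes256": "aes256", "aes 256": "aes256", "aes-256": "aes256",
        "aes128": "aes128", "aes 128": "aes128", "aes-128": "aes128", "aes": "aes128",
        "3des": "3des", "des": "des",
    },
    "hash": {
        "sha1": "sha1", "sha": "sha1", "hmac-sha1": "sha1", "hmac_sha1": "sha1",
        "sha256": "sha256", "hmac-sha256": "sha256", "hmac_sha256": "sha256",
        "md5": "md5", "hmac-md5": "md5", "hmac_md5": "md5",
    },
    # Phase1: DH group. Phase2: PFS group, "off" when PFS is disabled.
    "dh_group": {
        "1": "1", "2": "2", "5": "5", "14": "14",
        "group1": "1", "group2": "2", "group5": "5", "group14": "14",
        "dh group 1 (768 bit)": "1", "dh group 2 (1024 bit)": "2",
        "dh group 5 (1536 bit)": "5", "dh group 14 (2048 bit)": "14",
        "off": "off", "none": "off", "": "off",
    },
}

# Values that will negotiate fine but should not stay in production.
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "dh_group": {"1", "off"},
}

# Constructed sample: pfSense GUI values vs. Cisco IOS "crypto isakmp policy"
# and "crypto ipsec transform-set" values, written the way each side shows them.
PFSENSE_SIDE = {
    "phase1": {"encryption": "AES 256", "hash": "SHA1",
               "dh_group": "DH Group 2 (1024 bit)", "lifetime": 28800},
    "phase2": {"encryption": "AES 256", "hash": "hmac_sha1",
               "dh_group": "off", "lifetime": 3600},
}
CISCO_SIDE = {
    "phase1": {"encryption": "aes 256", "hash": "sha",
               "dh_group": "group2", "lifetime": 86400},
    "phase2": {"encryption": "aes 256", "hash": "hmac-sha1",
               "dh_group": "group2", "lifetime": 3600},
}


def normalize(param, value):
    """Canonical spelling of one setting; unknown spellings pass through
    lowercased so they surface as a mismatch instead of being ignored."""
    key = str(value).strip().lower()
    return VENDOR_NAMES.get(param, {}).get(key, key)


def compare_phase(phase, left, right, strict_lifetime=False):
    """Findings for one phase: ("mismatch", param, left, right) or
    ("weak", param, value). Lifetime differences are only reported with
    strict_lifetime, since they are usually tolerated (the shorter value
    wins), while a proposal or PFS difference simply never negotiates."""
    findings = []
    for param in ("encryption", "hash", "dh_group", "lifetime"):
        l_val = normalize(param, left.get(param, ""))
        r_val = normalize(param, right.get(param, ""))
        label = f"{phase}.{param}"
        if param == "lifetime":
            if strict_lifetime and l_val != r_val:
                findings.append(("mismatch", label, l_val, r_val))
            continue
        if l_val != r_val:
            findings.append(("mismatch", label, l_val, r_val))
        for value in dict.fromkeys((l_val, r_val)):  # dedupe, keep order
            if value in WEAK[param]:
                findings.append(("weak", label, value))
    return findings


def compare_tunnel(left, right, strict_lifetime=False):
    """All findings for both phases of a site-to-site tunnel."""
    findings = []
    for phase in ("phase1", "phase2"):
        findings += compare_phase(phase, left[phase], right[phase], strict_lifetime)
    return findings


if __name__ == "__main__":
    for finding in compare_tunnel(PFSENSE_SIDE, CISCO_SIDE):
        print(*finding)
```

Run against the sample, it reports exactly the classic interop failure from the list above: phase1 agrees, but the Cisco side insists on PFS group 2 while the pfSense side has PFS off, and the “off” itself is flagged as a debugging leftover. Setting the pfSense phase2 PFS group to 2 clears both findings.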
Okay, so let’s talk about firewall configuration for just a moment. See the following screenshots:
Once you are in the screen, take a look at the tabs. You will have Floating, WAN, LAN, and IPsec. I’ll make this super easy:
Floating = rules that are not tied to a single interface; they can apply to several interfaces at once, in either direction, and are processed before the per-interface tabs. I use these very, very sparingly, like an initial ICMP rule for testing. It just makes life easier.
WAN = your WAN (internet) interface
LAN = your local interface
IPsec = tunnel interface (tunnel/IPsec traffic)
Configure as needed! Pretty straightforward and easy to use. You can set up groups of IPs, subnets, ports, etc… using the Aliases tab under the firewall settings. This is pretty handy for helping to organize your rules, segregate traffic, etc… You can also nest aliases inside other aliases (just type the name of the existing alias in the field below Type after you set the type of alias you are creating), which means a rule written against one name quietly matches everything the nested names contain, so keep that in mind when reviewing what a rule really allows. Finally, PFSense does support NAT (as any decent firewall should) in a couple of forms like 1:1, port forwarding and outbound. I won’t go over this because it’s pretty straightforward and the documentation on the pfsense site is pretty spot on.
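Since nested aliases make it easy to lose track of what a rule actually matches, here is an added example (mine, not code from the original post or from pfSense) that reads the aliases section of a config.xml backup, expands aliases that reference other aliases, refuses to loop on a circular reference, and answers “does this address or port fall inside alias X?”. The config.xml fragment is constructed sample input; the element layout it assumes (one alias element with name, type and a space-separated address list, port ranges written as low:high) is how I read pfSense backups and should be confirmed against your own backup before relying on it.

```python
"""Expand pfSense firewall aliases, nested ones included, into the concrete
hosts, networks and ports a rule really matches.

Added example for this article, not code from the original post or from
pfSense. SAMPLE_CONFIG is constructed input; the <aliases> layout is an
assumption about the backup format, check it against a real config.xml.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.xml fragment: two host aliases nested into a third,
# a network alias nesting both hosts and networks, a port alias with a
# range, and a deliberate circular reference (Loop <-> Loop2).
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>WebServers</name><type>host</type><address>10.10.1.10 10.10.1.11</address></alias>
    <alias><name>DbServers</name><type>host</type><address>10.10.2.20</address></alias>
    <alias><name>AppTier</name><type>host</type><address>WebServers DbServers</address></alias>
    <alias><name>BranchNets</name><type>network</type><address>192.168.10.0/24 192.168.11.0/24</address></alias>
    <alias><name>Everything</name><type>network</type><address>AppTier BranchNets</address></alias>
    <alias><name>WebPorts</name><type>port</type><address>80 443 8000:8010</address></alias>
    <alias><name>Loop</name><type>host</type><address>Loop2</address></alias>
    <alias><name>Loop2</name><type>host</type><address>Loop</address></alias>
  </aliases>
</pfsense>
"""


def load_aliases(config_xml):
    """Return {name: (type, [entries])} for every alias in a config.xml string."""
    root = ET.fromstring(config_xml)
    aliases = {}
    for alias in root.iter("alias"):
        name = alias.findtext("name")
        kind = alias.findtext("type")
        entries = (alias.findtext("address") or "").split()
        aliases[name] = (kind, entries)
    return aliases


def expand(aliases, name, _stack=()):
    """Resolve alias `name` to a sorted list of concrete entries. Entries
    that are themselves alias names are expanded recursively; a reference
    cycle raises ValueError instead of recursing until the stack blows."""
    if name in _stack:
        raise ValueError("alias cycle: " + " -> ".join(_stack + (name,)))
    if name not in aliases:
        raise KeyError(f"unknown alias {name!r}")
    _kind, entries = aliases[name]
    result = set()
    for entry in entries:
        if entry in aliases:
            result.update(expand(aliases, entry, _stack + (name,)))
        else:
            result.add(entry)
    return sorted(result)


def has_cycle(aliases, name):
    """True if expanding `name` would run into a circular reference."""
    try:
        expand(aliases, name)
        return False
    except ValueError:
        return True


def matches(aliases, name, value):
    """True if an address or port falls inside the expanded alias. Host and
    network entries are compared as IP networks (a bare host is a /32);
    port entries are single ports or low:high ranges."""
    kind, _entries = aliases[name]
    for entry in expand(aliases, name):
        if kind == "port":
            low, _sep, high = entry.partition(":")
            if int(low) <= int(value) <= int(high or low):
                return True
        elif ipaddress.ip_address(value) in ipaddress.ip_network(entry, strict=False):
            return True
    return False


if __name__ == "__main__":
    aliases = load_aliases(SAMPLE_CONFIG)
    for name in aliases:
        if has_cycle(aliases, name):
            print(f"{name}: CIRCULAR REFERENCE")
        else:
            print(f"{name}: {' '.join(expand(aliases, name))}")
```

The report is what you want next to a rule that says “allow Everything to AppTier”: the full list of addresses that rule admits, rather than two names. The cycle check is there because a nested alias that refers back to itself is exactly the sort of thing that creeps in over months of edits on a box whose config was never backed up.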
Another feature I want to drop a mention about is OpenVPN. I use this everywhere! I use it in my home lab, I use it at work, I use it for clients running the range of 5 users to 300 users! It simply works and takes nothing to configure. Use the wizard and the client export tool and you will be off and running. Since this configuration can be pretty detailed, I’ll simply say this: follow the wizard and the pfsense docs site and it will work. Make sure you download and install the OpenVPN Client Export package (under System, Packages, Available Packages) to ensure you get the client portion right (and make your life easier: export the installer bundle and tell the user where to download it from, run it to install, accept the defaults, done!). If the need arises I will write up how to do this, but for right now I’m going to leave it to the good folks at pfsense and their docs.
Finally, a couple of features I use that function great, depending on what you are looking for (I’ll explain in a moment):
Squid = It simply works, period. It does a great job filtering, it’s fast and it’s easy to work with. RAM will be an issue; don’t do this with 512 MB of RAM, it will S…U…C…K!
HAVP = If you need an antivirus that also filters web traffic, here it is. And don’t get me wrong, it can be buggy; my suggestion is to test it on your hardware and make sure you do a good load test on it before deploying. I’ve seen this package cripple a box under enough stress (30 users doing random surfing, streaming, downloading, etc…) so test, test, test. Reference this doc: http://doc.pfsense.org/index.php/HAVP_Package_for_HTTP_Anti-Virus_Scanning
Snort = It works well in SOHO settings and for doing some traffic logging. I wouldn’t replace your IDS environment with this, unless your pfsense box is pretty kick ass (mine are built to be mini-appliances: minimal processor, RAM and storage, so it’s not too ideal for this), but it gets the job done and it’s easy to work with.
The biggest piece of advice I can give with packages like this is to keep in mind that they are:
Sooooo running these on that old crummy ATX P4 with a gig of RAM… will just piss you off. Running these on a dual core with 4 GB of RAM and an SSD and/or some sort of solid-state storage will make you happy and simplify your life (if you manage two or three devices to get all of this done).
Finally, at the end here, let me give you a few examples of how I use pfsense:
- Redundant/failover for two WAN drops (ex. comcast business lines) in a clustered config
- Gateway device acting as an antivirus/proxy/IDS filter
- VPN Endpoint devices (both as perimeter devices and 2nd/3rd network layer devices)
- Quick firewalls for layered designs (ex. internet–>primary firewall–>int network (web app)–>pfsense fw–>int network (db))
- IDS sniffers
All of these functions work well for me. I’ve used them in simple environments, all the way up to complex environments connecting businesses on different continents. I simply can’t sing the praise of pfsense enough. That being said, I have seen some issues:
- Use good hardware – do not expect killer speeds if you are running REALTEK cards…..this is not possible, no matter how many sacrifices you make.
- Try to avoid mechanical storage – this is a given. Mechanical storage is slow, no matter what the spin speeds are. Your firewall needs to be able to read traffic and move it, FAST. It needs to be able to filter objects, store a decent amount of info, etc… Stick with CF/SD cards and/or SSD drives, you won’t regret it (personally, I’ve had great luck with CF cards). One caveat: CF and SD cards have limited write endurance, so if the box runs a Squid cache or heavy logging, put that on an SSD rather than on the card.
- Don’t skimp on the RAM – RAM is critical, especially with certain packages like Squid. Don’t be frugal here; RAM is cheap, and if you are using a lot of packages, run at least 4 GB.
And with that, I will bring this article to a close. I hope you enjoyed it and although it was a little rushed I might elaborate and/or write another article on the different features at some point in the future (especially if there is feedback on it). Thanks for reading and until next time, take care!