Installation and Configuration of pfSense 2.3.4 Firewall Router

The Internet is a scary place these days. Almost daily, a new zero-day, security breach, or ransomware attack occurs, leaving many people wondering if it is possible to secure their systems.
Many organizations spend hundreds of thousands, if not millions, of dollars trying to install the latest and greatest security solutions to protect their infrastructure and data. Home users, though, are at a monetary disadvantage. Investing even a hundred dollars in a dedicated firewall is often beyond the budget of most home networks.
Thankfully, there are dedicated projects in the open source community that are making great strides in the home user security solutions arena. Projects like IPFire, Snort, Squid, and pfSense all provide enterprise-level security at commodity prices!
pfSense is a FreeBSD-based open source firewall solution. The distribution is free to install on one’s own equipment, or the company behind pfSense, Netgate, sells pre-configured firewall appliances.
The required hardware for pfSense is very minimal and typically an older home tower can easily be re-purposed into a dedicated pfSense Firewall. For those looking to build or purchase a more capable system to run more of pfSense’s advanced features, there are some suggested hardware minimums:

Hardware Minimums

  • 500 MHz CPU
  • 1 GB of RAM
  • 4GB of storage
  • 2 network interface cards

Suggested Hardware

  • 1GHz CPU
  • 1 GB of RAM
  • 4GB of storage
  • 2 or more PCI-e network interface cards.

Serious Home User Hardware Suggestions (and Enterprises)

In the event that a home user would like to enable many of the extra features and functions of pfSense, such as Snort, Anti-Virus scanning, DNS blacklisting, web content filtering, etc., the recommended hardware becomes a little more involved.
To support the extra software packages on the pfSense firewall, it is recommended that the following hardware be provided to pfSense:
  • Modern multi-core CPU running at least 2.0 GHz
  • 4GB+ of RAM
  • 10GB+ of HD space
  • 2 or more Intel PCI-e network interface cards

Installation of pfSense 2.3.4

In this section, we will see the installation of pfSense 2.3.4 (latest version at the time of writing this article).

The Lab Setup

pfSense is often frustrating for users new to firewalls. The default behavior for many firewalls is to block everything, good or bad. This is great from a security standpoint but not from a usability standpoint. Before starting the installation, it is important to conceptualize the end goal of the configuration.

Downloading pfSense

Regardless of which hardware is chosen, installing pfSense to the hardware is a straightforward process but does require the user to pay close attention to which network interface ports will be used for which purpose (LAN, WAN, Wireless, etc).
Part of the installation process will involve prompting the user to begin configuring LAN and WAN interfaces. The author suggests plugging in only the WAN interface until pfSense has been configured, and then finishing the installation by plugging in the LAN interface.
The first step is to obtain the pfSense software from https://www.pfsense.org/download/. There are a couple of different options available depending on the device and installation method, but this guide will utilize the ‘AMD64 CD (ISO) Installer’.
Using the drop-down menus on the link provided earlier, select an appropriate mirror to download the file.
Once the installer has been downloaded, it can either be burned to a CD or it can be copied to a USB drive with the ‘dd’ tool included in most Linux distributions.
The next step is to write the ISO to a USB drive to boot the installer. To accomplish this, use the ‘dd’ tool within Linux. First, though, the disk name needs to be located with ‘lsblk’.
With the name of the USB drive determined as ‘/dev/sdc’, the pfSense ISO can be written to the drive with the ‘dd’ tool.
Important: The ‘dd’ command requires root privileges, so utilize ‘sudo’ or log in as the root user to run the command. Also, this command will REMOVE EVERYTHING on the USB drive. Be sure to back up needed data.
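The write step described above, as an added example that is not part of the original article: it checks the downloaded image against a SHA-256 value before running ‘dd’, and refuses any target that is not an unmounted whole disk. The ISO file name, checksum and device are supplied by the user as arguments; it assumes a published SHA-256 value is available for the image and that the GNU `sha256sum`, `lsblk` and `dd` tools are installed.

```shell
#!/bin/sh
# Added example: verify the downloaded installer, then write it to USB.
# Usage (all three values are supplied by the user):
#   ./write-iso.sh <iso-file> <expected-sha256> <device, e.g. /dev/sdc>

# verify_iso FILE EXPECTED_SHA256 -> 0 only if the file's SHA-256 matches
verify_iso() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# safe_target DEV -> 0 only for a whole-disk block device with nothing mounted
safe_target() {
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
    [ "$(lsblk -dno TYPE "$1")" = "disk" ] || {
        echo "$1 is a partition, not a whole disk" >&2; return 1; }
    if lsblk -nro MOUNTPOINT "$1" | grep -q .; then
        echo "$1 has mounted partitions; unmount them first" >&2
        return 1
    fi
}

# write_iso FILE EXPECTED_SHA256 DEV -> verifies, confirms, then writes
write_iso() {
    verify_iso "$1" "$2" || { echo "checksum mismatch, not writing" >&2; return 1; }
    safe_target "$3" || return 1
    lsblk -o NAME,SIZE,MODEL,TRAN "$3"      # show what is about to be erased
    printf 'Erase %s and write %s? [y/N] ' "$3" "$1"
    read -r answer
    [ "$answer" = "y" ] || return 1
    sudo dd if="$1" of="$3" bs=1M conv=fsync status=progress
}

# Run only when called with all three arguments
if [ "$#" -eq 3 ]; then
    write_iso "$1" "$2" "$3"
fi
```

The whole-disk and mount checks catch the common mistake of pointing ‘dd’ at a system disk partition or a drive that is still in use.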

Installation of pfSense

Once ‘dd’ has finished writing to the USB drive or the CD has been burnt, place the media into the computer that will be set up as the pfSense firewall. Boot that computer to that media and the following screen will be presented.
pfSense Boot Menu
At this screen, either allow the timer to run out or select 1 to proceed booting into the installer environment. Once the installer finishes booting, the system will prompt for any changes desired in the keyboard layout. If everything shows in a native language, simply click on ‘Accept these Settings’.
pfSense Configure Console
The next screen will provide the user with the option of a ‘Quick/Easy Install’ or more advanced install options. For the purposes of this guide, it is suggested to simply use the ‘Quick/Easy Install’ option.
pfSense Installation Option
The next screen will simply confirm that the user desires to use the ‘Quick/Easy Install’ method which won’t ask as many questions during the installation.
The first question that is likely to be presented will ask about which kernel to install. Again, it is suggested that the ‘Standard Kernel’ be installed for most users.
pfSense Standard Kernel
When the installer has finished this stage, it will prompt for a reboot. Be sure to remove the installation media as well so the machine doesn’t boot back into the installer.
pfSense Installation Complete

pfSense Configuration

After the reboot, and the removal of the CD/USB media, pfSense will reboot into the newly installed operating system. By default, pfSense will pick an interface to set-up as the WAN interface with DHCP and leave the LAN interface unconfigured.
pfSense Interface Configuration
While pfSense does have a web-based graphical configuration system, it only runs on the LAN side of the firewall, and at the moment the LAN side is unconfigured. The first thing to do is to set an IP address on the LAN interface.
To do this, follow these steps:
  • Take note of which interface name is the WAN interface (em0 above).
  • Enter ‘1’ and press the ‘Enter’ key.
  • Type ‘n’ and press the ‘Enter’ key when asked about VLANs.
  • Type in the interface name recorded in step one when prompted for the WAN interface or change to the proper interface now. Again, in this example, ‘em0’ is the WAN interface as it will be the interface facing the Internet.
  • The next prompt will ask for the LAN interface, again type the proper interface name and hit the ‘Enter’ key. In this install, ‘em1’ is the LAN interface.
  • pfSense will continue to ask for more interfaces if they are available but if all interfaces have been assigned, simply hit the ‘Enter’ key again.
  • pfSense will now prompt to ensure that the interfaces are assigned properly.
pfSense Network Interfaces
  • If the interfaces are correct, type ‘y’ and hit the ‘Enter’ key.

  • The next step will be to assign the interfaces the proper IP configuration. After pfSense returns to the main screen, type ‘2’ and hit the ‘Enter’ key. (Be sure to keep track of the interface names assigned to the WAN and LAN interfaces).
    *NOTE* For this install the WAN interface can use DHCP without any problems but there may be instances where a static address would be required. The process for configuring a static interface on the WAN would be the same as the LAN interface that is about to be configured.
    Type ‘2’ again when prompted for which interface to set IP information. Again, 2 is the LAN interface in this walk-through.
    pfSense Available Interfaces
    When prompted, type the IPv4 address desired for this interface and hit the ‘Enter’ key. This address should not be in use anywhere else on the network and will likely become the default gateway for the hosts that will be plugged into this interface.
    pfSense IP Address
    The next prompt will ask for the subnet mask in what is known as prefix mask format. For this example network a simple /24 or 255.255.255.0 will be used. Hit the ‘Enter’ key when done.
    pfSense Network Subnet Mask
    The next question will ask about an ‘Upstream IPv4 Gateway’. Since the LAN interface is currently being configured, simply hit the ‘Enter’ key.
    pfSense Network Gateway
    The next prompt will ask to configure IPv6 on the LAN interface. This guide is simply using IPv4 but should the environment require IPv6, it can be configured now. Otherwise, simply hitting the ‘Enter’ key will continue.
    pfSense IPv6 Address
    The next question will ask about starting the DHCP server on the LAN interface. Most home users will need to enable this feature. Again this may need to be adjusted depending on the environment.
    This guide assumes that the user will want the firewall to provide DHCP services and will allocate 51 addresses for other computers to obtain an IP address from the pfSense device.
    pfSense DHCP Configuration
    The next question will ask to revert pfSense’s web tool to the HTTP protocol. It is strongly encouraged NOT to do this as the HTTPS protocol will provide some level of security to prevent disclosure of the admin password for the web configuration tool.
    pfSense HTTP Protocol
    Once the user hits ‘Enter’, pfSense will save the interface changes and start the DHCP services on the LAN interface.
    pfSense Interface URL
    Notice that pfSense will provide the web address to access the web configuration tool via a computer plugged in on the LAN side of the firewall device. This concludes the basic configuration steps to make the firewall device ready for more configurations and rules.
    The web interface is accessed through a web browser by navigating to the LAN interface’s IP address.
    pfSense Login Interface
    The default information for pfSense at the time of this writing is as follows:
    Username: admin
    Password: pfsense
    
    After a successful login through the web interface for the first time, pfSense will run through an initial setup to reset the admin password.
    pfSense Setup Wizard
    The first prompt is for a registration to pfSense Gold Subscription which has benefits such as automatic configuration backup, access to the pfSense training materials, and periodic virtual meetings with pfSense developers. Purchasing of a Gold subscription isn’t required and the step can be skipped if desired.
    The following step will prompt the user for more configuration information for the firewall such as hostname, domain name (if applicable), and DNS servers.
    pfSense General Information
    The next prompt will be to configure the Network Time Protocol (NTP). The default options can be left unless different time servers are desired.
    pfSense Network Time Protocol
    After setting up NTP, the pfSense installation wizard will prompt the user to configure the WAN interface. pfSense supports multiple methods for configuring the WAN interface.
    The default for most home users is to use DHCP. DHCP from the user’s internet service provider is the most common method for obtaining the necessary IP configuration.
    pfSense WAN Configuration
    The next step will prompt for configuration of the LAN interface. If the user is connected to the web interface, the LAN interface has likely already been configured.
    However, if the LAN interface needs to be changed, this step would allow for changes to be made. Make sure to remember what the LAN IP address is set to as this is how the administrator will access the web interface!
    pfSense LAN Configuration
    As with all things in the security world, default passwords represent an extreme security risk. The next page will prompt the administrator to change the default password for the ‘admin’ user to the pfSense web interface.
    pfSense Admin Setup
    The final step involves restarting pfSense with the new configurations. Simply click the ‘Reload’ button.
    pfSense Configuration Reload
    After pfSense reloads, it will present the user with a final screen before logging into the full web interface. Simply click the second ‘Click Here’ to log into the full web interface.
    pfSense Wizard Completed
    At last pfSense is up and ready to have rules configured!
    pfSense Dashboard
    Now that pfSense is up and running, the administrator will need to go through and create rules to allow the appropriate traffic through the firewall. It should be noted that pfSense has a default allow all rule. For security’s sake, this should be changed, but this is again an administrator’s decision.
    Thank you for reading through this TecMint article on pfSense installation! Stay tuned for future articles on configuring some of the more advanced options available in pfSense.