You are on page 1of 52

Acknowledgments

All praise to ALLAH, the most merciful, kind and beneficent, and the source of all knowledge,
wisdom within and beyond my comprehension.

Heart full thanks for prof. Driss El Ouadghiri, the responsible of the professional license on
systems and networks management, at Science Faculty of Meknes, and hes my Project
supervisor.

Special thanks go to all the members of jury, Prof. Khalid EL YASSINI, Prof. Abdeslam EL
FERGOUGUI, Prof. Rachid ELOUAHBI and the engineer Mohammed GHALLALI, for agreeing
to lend us their attention and evaluate our work. The thanks also go to all of my Teachers in
science faculty of Meknes.

I am very grateful to M.Ismail Azzouzi and M.Abdelhakim Mesbahi; they guided and helped me
through timely suggestions, valuable advices and specially the sympathetic attitude, which
always inspired me for hard work.

I would also like to thank everyone shared valuable information that helped in the successful
completion of this project.

Finally, I would like to thank my Mother Zoubida Mestari, my brother and sisters and all my big
family members.

Mohamed Loughmari

List of Figures
Figure 1. Organization chart of the Court of Appeal Taza ......................................................................... 13
Figure 2. Versions of pfSense ....................................................................................................................... 17
Figure 3. Compact Flash .............................................................................................................................. 19
Figure 4. WRAP ........................................................................................................................................... 20
Figure 5. ALIX ............................................................................................................................................. 20
Figure 6. Soekris ........................................................................................................................................... 20
Figure 7. Asking to set up VLANs ............................................................................................................... 23
Figure 9. Finishing steps of installation ....................................................................................................... 24
Figure 10. Shell menue ................................................................................................................................. 24
Figure 11. option 99 ...................................................................................................................................... 25
Figure 12. The configure console ................................................................................................................. 25
Figure 13. Selecting the simple installation .................................................................................................. 26
Figure 14. Confirmation step ....................................................................................................................... 26
Figure 15. Transferring the system to the media ........................................................................................ 27
Figure 16. asking for reboot ......................................................................................................................... 27
Figure 17. Enabling SSH .............................................................................................................................. 28
Figure 18. Generating RSA key ................................................................................................................... 28
Figure 19. The public Key ............................................................................................................................ 29
Figure 20. Disabling password login ............................................................................................................ 29
Figure 21. Pasting the client public RSA ..................................................................................................... 30
Figure 22. Client configuration .................................................................................................................... 30
Figure 23. Crating ALIAS ............................................................................................................................ 31
Figure 24. Types of ALIAS........................................................................................................................... 31
Figure 25. Using ALIAS ............................................................................................................................... 32
Figure 26. Creating a NAT port forward rule ............................................................................................. 33
Figure 27. Creating a schedule ..................................................................................................................... 34
Figure 28. Schedule repeat ........................................................................................................................... 34
Figure 29. Firewall rule ................................................................................................................................ 35
Figure 30. DMZ rules ................................................................................................................................... 36
Figure 31. Creating a VIP ............................................................................................................................ 38
Figure 32. VIP created ................................................................................................................................. 38
Figure 33. Configuring 1:1 NAT .................................................................................................................. 39
Figure 34. Creating gateway ........................................................................................................................ 40
4

Figure 35. Creating a static route ................................................................................................................ 40


Figure 36. Route static created ..................................................................................................................... 41
Figure 37. SMTP notification configuration ................................................................................................ 41
Figure 38. test e-mail .................................................................................................................................... 42
Figure 39. Captive portal ............................................................................................................................. 43
Figure 40. Selecting local user lanager as the authentication ...................................................................... 43
Figure 41. creating a new user ..................................................................................................................... 44
Figure 42. user manager ............................................................................................................................... 44
Figure 43. Captive portal test ....................................................................................................................... 44
Figure 44. Enabling RIP service .................................................................................................................. 45
Figure 45. Enabling the WOL ...................................................................................................................... 46
Figure 46. Sending the magic packet ........................................................................................................... 46
Figure 47. Storing MAC addresses .............................................................................................................. 46
Figure 48. MAC addresses Stored ............................................................................................................... 47
Figure 49. Wake all MAC addresses Stored ................................................................................................ 47
Figure 50. Using ping.................................................................................................................................... 48
Figure 51. Using traceroute .......................................................................................................................... 48
Figure 52. Backing up the configuration file ............................................................................................... 49
Figure 53. Downloading the configuration file ............................................................................................ 49
Figure 54. Restoring the configuration file .................................................................................................. 50
Figure 55. Configuration file restored ......................................................................................................... 50
Figure 56. Auto configuration backup ......................................................................................................... 51

List of Acronyms & Abbreviations


ARP
BGP
CARP
CD
CF
DHCP
DMZ
DNS
GPL
GNU
GUI
HTTP
ICMP
IDS
IP
IT
LAN
MAC
MD5
NAT
NIC
NTP
OPT
OS
PC
PPPoE
PPTP
QoS
RAM
RIP
SDR
SMTP
SSH
TCP
URL
VIP
VLAN
VPN
WAN
Wi-Fi
WOL
XML

Address Resolution Protocol


Border Gateway BC Protocol
Common Address Redundancy Protocol
Compact Disc
Compact Flash
Dynamic Host Configuration Protocol
Demilitarized Zone
Domain Name System
General Public License
GNU's Not UNIX
Graphical User Interface
Hypertext Transfer Protocol
Internet Control Message Protocol
Intrusion Detection System
Internet Protocol
Information Technology
Local Area Network
Media Access Control
Message-Digest 5
Network Address Translation
Network Interface Card
Network Time Protocol
Optional interface
operating system
Personal computer
Point-to-Point Protocol over Ethernet
Point-to-Point Tunneling Protocol
Quality of Service
Random Access Memory
Routing Information Protocol
Regional Sub Direction
Simple Mail Transfer Protocol
Secure Shell
Transmission Control Protocol
Uniform Resource Locator,
Virtual IP
Virtual LAN
Virtual Private Network
Wide Area Network
Wireless Fidelity
Wake-on-LAN
Extensible Markup Language

Abstract
This is a graduation project prepared by Mohamed LOUGHMARI student of the professional license on
systems and networks management, at the science faculty of Meknes. Its the result of two months
traineeship exerted at Court of Appeal in TAZA.
It aims to elaborate PfSense that is an Open Source Firewall Solution.
This report covers the theoretical part and the practical part of pfSense.

Rsum
Ce travail s'inscrit dans le cadre du projet de fin dtude, labor par Mohamed LOUGHMARI tudiant de
la licence professionnelle en gestion des systmes et rseaux, de la facult des sciences de Mekns. Cest le
fruit dun stage de deux mois la cour dappel de Taza.
Il consiste la mise en uvre dune solution Firewall Open Source PfSense .
Ce rapport couvre la partie thorique et la partie pratique de pfSense.

Table Of Contents
Acknowledgments ........................................................................................................................................... 3
List of Figures ................................................................................................................................................. 4
List of Acronyms & Abbreviations ................................................................................................................ 6
Abstract .......................................................................................................................................................... 7
Rsum ............................................................................................................................................................ 7
General Introduction .................................................................................................................................... 11
Part I : Presentation of the Courts of Appeal Taza ..................................................................................... 12
1.

Organization ......................................................................................................................................... 13

2.

Attributions ........................................................................................................................................... 13

3.

Organization chart of the Court of Appeal Taza ................................................................................. 13

4.

IT Service .............................................................................................................................................. 14

Part II : Theory of pfSene ............................................................................................................................. 15


Introduction .................................................................................................................................................. 16
1. History and versions ................................................................................................................................. 16
1.1. History ................................................................................................................................................ 16
1.2. Versions .............................................................................................................................................. 16
2. Common Deployments ............................................................................................................................. 17
2.1. Perimeter Firewall ............................................................................................................................. 17
2.2. LAN or WAN Router ......................................................................................................................... 17
2.3. Wireless Access Point ......................................................................................................................... 17
2.4. Special Purpose Appliances ............................................................................................................... 18
3. Interface Naming Terminology ................................................................................................................ 18
3.1. Network divisions ............................................................................................................................... 18
3.2. interface naming ................................................................................................................................ 19
4. Hardware .................................................................................................................................................. 19
4.1. Hardware Architectures .................................................................................................................... 19
4.2. Minimum Hardware Requirements .................................................................................................. 19
4.3. Embedded Hardwar .......................................................................................................................... 19
5. Features List ............................................................................................................................................. 21
Part III : Instalation and Configuration ...................................................................................................... 22
1. Installation ................................................................................................................................................ 23
1.1. Downloading pfSense ......................................................................................................................... 23
8

1.2. Installing Pfsense ............................................................................................................................... 23


1.2.1. VLANs ......................................................................................................................................... 23
1.2.2. Assigning Interfaces .................................................................................................................... 23
1.2.3. Finishing Steps ............................................................................................................................ 23
1.2.4. pfSense default configuration ..................................................................................................... 24
1.2.5. Storing the configfile on a writable media .................................................................................. 25
1.2.6. Accessing the webgui ................................................................................................................... 25
1.2.7. Installing Pfsense to Hard Drive : ............................................................................................... 25
2. Initial Configuration ................................................................................................................................. 27
2.1. The Secure Shell (SSH) ...................................................................................................................... 27
2.1.1. Enabling SSH .............................................................................................................................. 28
2.2. authorized RSA keys .......................................................................................................................... 28
2.2.1. Generating authorized RSA keys................................................................................................ 28
2.2.2. Configuring SSH RSA key authentication ................................................................................. 29
2.2.3. Accessing the Secure Shell (SSH) ................................................................................................ 30
3. General basic configuration ................................................................................................................. 30
3.1. ALIAS ................................................................................................................................................ 31
3.1.1. Creating an ALIAS ..................................................................................................................... 31
3.1.2. Types of aliase : ........................................................................................................................... 31
3.1.3. Using an alias ............................................................................................................................... 32
3.2. NAT port forward rule ...................................................................................................................... 32
3.2.1. Creating a NAT port forward rule ............................................................................................. 32
3.3. Schedule ............................................................................................................................................. 33
3.3.1. Creating a schedule ..................................................................................................................... 33
3.4. Firewall rule ....................................................................................................................................... 34
3.4.1. Creating a firewall rule ............................................................................................................... 35
3.4.2. Advanced features ....................................................................................................................... 36
4. Advanced Configuration .......................................................................................................................... 37
4.1. Virtual IP ........................................................................................................................................... 37
4.1.1. Types of vierual IPs ..................................................................................................................... 37
4.1.2. Creating a virtual IP ................................................................................................................... 37
4.2. 1:1 NAT rule ...................................................................................................................................... 38
4.2.1. Configuring a 1:1 NAT rule ........................................................................................................ 38
4.3. Static route ......................................................................................................................................... 39
4.3.1. Creating a gateway : ................................................................................................................... 39
9

4.3.2. Creating a static route ................................................................................................................. 40


4.4. SMTP e-mail notifications ................................................................................................................. 41
4.4.1. Configuring SMTP e-mail notifications...................................................................................... 41
4.5. Captive portal .................................................................................................................................... 42
4.5.1. Creating a captive portal ............................................................................................................ 42
5. Services ..................................................................................................................................................... 45
5.1. RIP ..................................................................................................................................................... 45
5.1.1. Enabling RIP ............................................................................................................................... 45
5.2. Wake On LAN (WOL)....................................................................................................................... 45
5.2.1. Enabling Wake On LAN (WOL) ................................................................................................ 45
5.2.2. Storing Mac addresses ................................................................................................................ 46
5.2.3. Wake All ...................................................................................................................................... 47
6. Maintenance.............................................................................................................................................. 47
6.1. Ping ..................................................................................................................................................... 47
6.1.1. Using ping .................................................................................................................................... 47
6.2. Traceroute .......................................................................................................................................... 48
6.2.1. Using traceroute : ........................................................................................................................ 48
6.3. Backing up the configuration file ...................................................................................................... 48
6.4. Restoring the configuration file ......................................................................................................... 49
6.5. Automatic configuration file backup ................................................................................................. 50
6.5.1. Installing the AutoConfigBackup Package ................................................................................. 50
6.5.2. Configuring the AutoConfigBackup Package ............................................................................ 50
Conclusion .................................................................................................................................................... 52
References ..................................................................................................................................................... 53

10

General Introduction
"Nothing ever becomes REAL until it is experienced." - John Keats

Internships have become an important part of a college student's education. Through internships
students gain experience in different fields, test career interests, establish contacts that can assist with
networking. Under my studies in professional license on systems and networks management at the faculty
of Meknes, I passed two Month of internship on the Court of Appeal of Taza, as a project I had worked on
a theme that belongs to the security IT topic.
Security IT is vital for protecting the confidentiality, integrity, and availability of computer
systems, resources, and data. Without confidentiality, trade secrets or personally identifying information
can be lost. Without integrity, we can not be sure that the data we have is the same data that was initially
sent without availability, we may be denied access to computing resources.
To ensure the Security IT there is many elements, one of the main elements is Firewall, its one of
the more important elements that can achieve the goals of security. A firewall can be a hardware device or
a software application and generally is placed at the perimeter of the network to act as the gatekeeper for
all incoming and outgoing traffic.
Considering of what we had said about the importance of Security and how the firewall is the
primary tool for the security, I decide to make an implementation of pfSense which is an open source
firewall solution.
Along this report, I will deploy my work that I have done during the training period in three main
parts:
The first Part will focus on an overview of the Court of Appeal of Taza, where I spent the internship.
The second part is about the theory of pfSense, basic information and its features.
The third part is the practical part of pfSense it will cover the installation and some important
configuration.
Finally this work will close by a general conclusion.

11

Part I
Presentation of the
Courts of Appeal Taza

12

1. Organization
The Courts of Appeal include is a regional sub direction, under the authority of the Prime President,
a number of specialized chambers including a staff room and criminal division.
However, any chamber can properly investigate and prosecute, regardless of the nature of the cases
before these courts.
They also have a public ministry composed of a Prosecutor General of the King and substitutes, one
or more magistrates of the investigation, one or more magistrates of minors, a registry and secretariat of the
Prosecutor General.
In all matters, the audience is held and judgments by a panel of three consultants assisted by a clerk,
unless the law provides otherwise.
The criminal division headquarters, due to the seriousness of the cases entrusted with five
counselors, a chamber president and four councilors.

2. Attributions
The courts of appeal, courts of second instance, examine previous cases in the first instance by the
trial court a second time.
They then treat appeals of decisions rendered by the courts and appeals from orders made by their
presidents.
The criminal chambers Courts of Appeal are competent specific training, to judge crimes.

3. Organization chart of the Court of Appeal Taza


Regional Director

Abdellatif
ELGHBAR

IT Service

Budget and
Equipment
Service

human
resource
Service

Technical
service

'' Abd El Hakim Mesbahi ''


Maintenance systems and network

'' Ismail Azzouzi ''


Training students IT

Figure 1. Organization chart of the Court of Appeal Taza

13

4. IT Service
The IT has become essential in the organism; in fact it has many tasks for the purchase of computer
equipment, its installation and management of passing information.
Indeed, the IT department hasnt in any case the right to make mistakes, it is vital for the body. This
is explained by the fact that it who is responsible for managing the emails so communication with the
outside and inside of the body.
It must also deal with the receipt of information from partners and must be converted and integrated
into their databases.
Indeed if the IT department is no longer operational, no further communication could be done and it
would be simply impossible to manage the company (delivery, order, inventory management, data backup
....).
As we see in the organization chart, the IT department of the SDR is composed of two people:
Mr. Abdelhakim Mesbahi IT manager whose mission is to optimize the treatment and computer systems
by providing technical assistance to users. It is responsible for:
-Maintenance of computer equipment in the legal district.
- Monitoring the state of hardware.
- Market monitoring installation of electrical and computer networks.
- Receiving hardware by companies.
- Control of the company in case work.
- support all IT projects of the company and ensure reliability, consistency and evolution of
information systems technically and functionally.
- Advise the Department when considering new solutions (software selection, equipment, network
architecture ...).
- Define the needs of the region and monitoring technology.
Mr. Ismail el Azzouzi Training Officer and host student:
- Training people.
- Monitoring computer programs minister of justice.
- The coaching officials in IT for the Judicial District.
-Other administrative tasks.

14

Part II
Theory of pfSene

15

Introduction
PfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and
router, entirely managed in an easy to use web interface. This web interface is known as the web-based
GUI configurator or WebGUI for short. No FreeBSD knowledge is required to deploy and use pfSense.
PfSense is an open source operating system used to turn a computer into a firewall, router, or a
variety of other application-specific network appliances.
PfSense is a customized FreeBSD distribution based on the m0n0wall project, a powerful but lightweight firewall distribution.
PfSense builds upon m0n0wall's foundation and takes its functionality several steps further by
adding a variety of other popular networking services.

1. History and versions


1.1. History
The pfSense project was started in September 2004 by Chris Buechler and Scott Ullrich. Chris is a
long time contributor to the m0n0wall project. m0n0wall is a great embedded firewall, but one of the great
things about its design is also a limitation to expandability. m0n0wall runs entirely from RAM, the entire
OS and all applications are loaded into RAM at boot time. This is a great design for embedded systems, for
performance and reliability reasons. However m0n0wall is not capable of being installed into a normal file
system on a hard drive. Hence many desirable functions can't be reasonably implemented.

1.2. Versions
Each version of pfSense is based on a specific -RELEASE version of FreeBSD. Below is a table that lists
recent versions of pfSense and the underlying FreeBSD version upon which they are based.
pfSense
Version

pfSense
Branch

FreeBSD Version

FreeBSD
Branch

Release Status

1.2

RELENG_1_2

6.2-RELEASEp11

RELENG_6_2

Outdated, no longer supported.

1.2.1

RELENG_1_2 7.0-RELEASE-p7 RELENG_7_0

Outdated, no longer supported.

1.2.2

RELENG_1_2 7.0-RELEASE-p8 RELENG_7_0

Outdated, no longer supported.

1.2.3

RELENG_1_2 7.2-RELEASE-p5 RELENG_7_2

Outdated, no longer supported.

2.0

RELENG_2_0 8.1-RELEASE-p4 RELENG_8_1

Outdated, no longer supported.

RELENG_2_0 8.1-RELEASE-p6 RELENG_8_1

Outdated, no longer
supported. Includes
fixes/enhancements from after 2.0.

2.0.1

16

RELENG_2_0

8.1-RELEASEp13

Outdated, no longer
RELENG_8_1
supported. Includes
fixes/enhancements from after 2.0.1.

2.0.3

RELENG_2_0

8.1-RELEASEp13

Current stable supported


RELENG_8_1 release. Includes fixes/enhancements
from after 2.0.2.

2.1

HEAD
(master)

(TBD, at least 8.3RELENG_8_3


RELEASE-p5)

2.2

(future)

(TBD, Likely 9.xRELEASE)

2.0.2

RELENG_9

Next release, mainly adding IPv6


support.
Next future release.

Figure 2. Versions of pfSense

2. Common Deployments
PfSense is used in about every type and size of network environment imaginable, and is almost
certainly suitable for your network whether it contains one computer, or thousands. This section will
outline the most common deployments.

2.1. Perimeter Firewall


The most common deployment of pfSense is as a perimeter firewall, with an Internet connection
plugged into the WAN side, and the internal network on the LAN side.
PfSense accommodates networks with more complex needs, such as multiple Internet connections,
multiple LAN networks, multiple DMZ networks, etc.
Some users also add BGP (Border Gateway Protocol) capabilities to provide connection
redundancy and load balancing.

2.2. LAN or WAN Router


The second most common deployment of pfSense is as a LAN or WAN router. This is a separate
role from the perimeter firewall in midsized to large networks, and can be integrated into the perimeter
firewall in smaller environments.

- LAN Router
In larger networks utilizing multiple internal network segments, pfSense is a proven solution to
connect these internal segments. This is most commonly deployed via the use of VLANs with 802.1Q
trunking. Multiple Ethernet interfaces are also used in some environments.

- WAN Router
For WAN services providing an Ethernet port to the customer, pfSense is a great solution for
private WAN routers. It offers all the functionality most networks require and at a much lower price point
than big name commercial offerings.

2.3. Wireless Access Point


Many deploy pfSense strictly as a wireless access point. Wireless capabilities can also be added to
any of the other types of deployments.
17

2.4. Special Purpose Appliances


Many deploy pfSense as a special purpose appliance. The following are four scenarios we know of,
and there are sure to be many similar cases we are not aware of. Most any of the functionality of pfSense
can be utilized in an appliance-type deployment.. As the project has matured, there has been considerable
focus on using it as an appliance building framework, especially in the next release. Some special purpose
appliances will be made available in the future.

- VPN Appliance
Some users drop in pfSense as a VPN appliance behind an existing firewall, to add VPN
capabilities without creating any disruption in the existing firewall infrastructure. Most pfSense VPN
deployments also act as a perimeter firewall, but this is a better fit in some circumstances.

- DNS Server Appliance


PfSense offers a DNS (Domain Name System) server package based on TinyDNS, a small, fast,
secure DNS server. It isn't laden with features.

- Sniffer Appliance
One user was looking for a sniffer appliance to deploy to a number of branch office locations.
Commercial sniffer appliances are available with numerous bells and whistles, but at a very significant cost
especially when multiplied by a number of branch locations. PfSense offers a web interface for tcpdump
that allows the downloading of the resulting pcap file when the capture is finished. This enables to capture
packets on a branch network, download the resulting capture file, and open it in Wireshark for analysis.
PfSense is not nearly as fancy as commercial sniffer appliances, but offers adequate functionality
for many purposes at a vastly lower cost.

- DHCP Server Appliance


One user deploys pfSense installs strictly as DHCP (Dynamic Host Configuration Protocol) servers
to hand out IP addresses for its network.

3. Interface Naming Terminology


3.1. Network divisions
- LAN
The LAN interface is the first internal interface on the firewall. Short for Local Area Network, it is
most commonly the private side of a router which often utilizes a private IP address scheme. In small
deployments, this is typically the only internal interface.

- WAN
The WAN interface is used for the Internet connection, or primary Internet connection in a multiWAN deployment. Short for Wide Area Network, it is the untrusted public network outside of the router.
Connections from the Internet will come in through the WAN interface.

- OPT
OPT or Optional interfaces refer to any interfaces connected to local networks other than LAN.
OPT interfaces are commonly used for second LAN segments, DMZ segments, wireless networks and
more.

- OPT WAN
OPT WAN refers to Internet connections using an OPT interface, either those configured for DHCP
or specifying a gateway IP address. It will used for the Multiple WAN Connections.
18

- DMZ
Short for demilitarized zone. The term was borrowed from its military meaning, which refers to a
sort of buffer between a protected area and a war zone. In networking, it is an area where your public
servers reside that is reachable from the Internet via the WAN, but is also isolated from the LAN so that a
compromise in the DMZ does not endanger systems in other segments.

3.2. interface naming


FreeBSD names its interfaces by the network driver used, followed by a number starting at 0 and
incrementing by one for each additional interface using that driver. For example, a common driver is fxp,
used by Intel Pro/100 cards. The first Pro/100 card in a system will be fxp0, the second is fxp1, and so on.
Other common ones are em (Intel Pro/1000), bge (various Broadcom chipsets), rl (Realtek 8129/8139),
amongst numerous others. If your system mixes a Pro/100 card and a Realtek 8139, your interfaces will be
fxp0 and rl0 respectively.

4. Hardware
4.1. Hardware Architectures
pfSense is supported only on the x86 architecture. The types of devices supported range from
standard PCs to a variety of embedded devices. It is targeted at x86-based PCs 300 MHz or faster.

4.2. Minimum Hardware Requirements


At least Pentium II processors with at least 128 MB RAM. its able to get by with less than that, but
with less memory it may start swapping to disk, which will dramatically slow down the system.

4.3. Embedded Hardwar


Pfsense can also installed on other specific plateforms as:

- Compact Flash

Figure 3. Compact Flash

- WRAP
A cost effective Device for special Network appliance such as Wireless Routers, VPN, VOIP

19

Figure 4. WRAP

- ALIX
A higher performance replacement for the WRAP series.

Figure 5. ALIX

- Soekris
Open source software optimized to provide maximum flexibility and functionality for many
different applications and industries.

Figure 6. Soekris

20

5. Features List
-

Firewall /Router.
Edit information via the web GUI.
Installation Set up Wizard.
Wireless Accessibility Factor (wifi interface).
Traffic Shaping.
State Table.
NAT.
Redundancy.
CARP: CARP from OpenBSD allows for components failover. Two or more firewalls can be
designed as a failover team. If one interface isn't able on the main or the main goes off-line
entirely, the additional becomes effective. PfSense also contains settings synchronization
abilities, so you create your settings changes on the main and they instantly connect to the
additional software.
Pfsync: pfsync guarantees the firewall's condition desk is duplicated to all failover designed
fire walls. This implies your current relationships will be managed in the situation of failing,
which is essential to avoid system interruptions.
NTP server.
Load Controlling both Confident and Inbound.
nmap, called ping, traceroute via the GUI.
VPN - IPsec, OpenVPN, PPTP.
PPPoE Server.
RRD Charts Reporting.
Real Time Details.
Dynamic DNS.
Captive Portal.
DHCP Hosting server and Relay.
Packages list.
Wake on LAN.
Proxy Server.
Sniffer.
Ability to back-up and reinstate your software settings via the web GUI.
Ability to upgrade the Firmware.

21

Part III
Instalation and
Configuration

22

1. Installation
1.1. Downloading pfSense
Browse to www.pfsense.org and click the Downloads link. On the Downloads page, click the link
for new installations. This will lead to the mirror selection page. Pick a close geographically mirror for best
performance. Once a mirror has been selected, a directory listing will appear with the current pfSense
release files for new installations.
For Live CD or full installations, download the .iso file. The 1.2.3 release file name is pfSense1.2.3-LiveCD-Installer.iso. There is also a MD5 file available by the same name, but ending in .md5. This
file contains a hash of the ISO, which can be used to ensure the download completed properly.
For embedded installations, download the .img.gz file. The 1.2.3 release file name is pfSense-1.2.3nanobsd-size.img.gz, where size is one of 512M, 1G, 2G, or 4G, to reflect the size of CF card for which
that image was intended (sizes are in M for megabyte and G for gigabyte).

1.2. Installing Pfsense


After Donwloading, Verifying the integrity of the download, and preparing the CD; We Boot it.
The first time pfSense boots up it will ask to set up VLANs and assign the interfaces.
1.2.1. VLANs
VLANs are optional and are only needed for advanced networking. In our configuration we will not
set it; So we will answer by n .

Figure 7. Asking to set up VLANs

1.2.2. Assigning Interfaces


After the VLANs option, pfSense will ask to assign the interfaces;
- LAN, WAN, OPTx
The first interface it asks to assign is the LAN interface. If we know the interface we want to assign
LAN to enter the name of the interface like "em0" and hit enter.
The second interface have to assign is the WAN interface. Enter the appropriate interface like
"fxp1" and hit enter again.
At least we need two interfaces (LAN and WAN) to setup pfSense. If there are more interfaces
available we can go on and assign them as OPTx interfaces. The procedure is the same like for the already
assigned interfaces.
- Auto Assign Procedure
There is another procedure to assign interfaces which is especially designed if the NICs are all of
the same kind and we don't know which physical NIC matches which detected NIC as they all, then will
appear for example as fxpX. In this case, simply can enter "a" when you are asked for the nic name.

Figure 8. Asking to assingne interfaces

If there is no more interfaces left just hit enter without entering a NIC name and apply the settings by
confirming them with "y".

1.2.3. Finishing Steps


PfSense now will make the finishing touches to configure the interfaces.
23

Figure 9. Finishing steps of installation

After it went through the configuration it will end up with a shell menu and a number of options. PfSense
now is ready to be accessed at the interface you assigned as LAN with the webgui.

Figure 10. Shell menue

1.2.4. pfSense default configuration


By default pfSense will have the following configuration.
-

WAN is configured as DHCP client; all incoming connections are blocked by default.

LAN is configured at 192.168.1.1/24 and acts as DHCP-Server and offers a DNS-forwarder.

OPTx interfaces are disabled, you have to enable and configure them at the webgui.

WebGUI runs at port 80, username is "admin", password "pfsense".


24

SSH is disabled.

1.2.5. Storing the configfile on a writable media


This option used if ther is the planning to run the LiveCD with a writable configmedia, the option
98 used to assign the drive that should hold the configfile.
The LiveCD will browse all available medias on bootup for a valid configfile and use it if found.
1.2.6. Accessing the webgui
Now should modify the configuration to fit needs at the webgui. Using a browser to
access http://192.168.1.1 and using "admin" as user and "pfsense" as password.
1.2.7. Installing Pfsense to Hard Drive
The option 99 from the shell menu is to setup pfSense to the hard drive. The configuration will be
transferred to the hard drive by the installer.

Figure 11. option 99

This Configure Console is to change the keyboard or change the consol apparence, after changing its go
on by accepting the setting.

Figure 12. The configure console

25

Next pfSense will present a list of tasks; Quick/Easy install for a Simple installation.

Figure 13. Selecting the simple installation

Now the point of no return, we must Only hit "Ok" if we really sure there is no valuable data left at
this media!

Figure 14. Confirmation step

Now pfSense is starting to transfer the system to the prepared media.

26

Figure 15. Transferring the system to the media

Asking to remove the CD and reboot the system to boot your new install.

Figure 16. asking for reboot

And its done! The installation is finished.

2. Initial Configuration
After finishing the installation lets make one of the most important initial Configuration.

2.1. The Secure Shell (SSH)


SSH is a networking protocol that allows encrypted communication between two devices. Enabling
SSH allows secure access to the pfSense console remotely, just as if we were sitting in front of the physical
console.
27

2.1.1. Enabling SSH


These steps below describe how to enable the Secure Shell (SSH) service in pfSense.
1.

Browse to System | Advanced | Secure Shell.

2.

Check Enable Secure Shell.

3.

Leave the SSH port blank to use the default port.

4.

Save the changes and the SSH service will be started.

Figure 17. Enabling SSH

2.2. Authorized RSA keys


Linux and Mac users will need to ensure ssh-keygen is installed on their system (almost all
distributions have this installed by default). Windows users will need to download and install the
PuTTYGen tool.
2.2.1. Generating authorized RSA keys
These steps below describe how to create an authorized RSA key so a user can connect to pfSense
without being prompted for a password.
1.

Open PuTTYGen and generate a public/private key pair by clicking the Generate button.

2.

Enter a passphrase.

3.

Click the Save Private Key button and choose a location.

Figure 18. Generating RSA key

28

4.

Highlight the public key that was generated in the textbox and copy and paste it into a
new file, let's say C:\MyPublicKey.txt.

Figure 19. The public Key

2.2.2. Configuring SSH RSA key authentication


These steps below describe how to configure pfSense to use an RSA key rather than a
password for SSH authentication.
1. Browse to System | Advanced | Secure Shell.
2. Check Disable password login for Secure Shell (RSA key only).

Figure 20. Disabling password login

3.

Edit the user we will associate with the client's public key from System | User
Manager | Edit admin.

4. Select Click to paste an authorized key and paste the client's public RSA key here.
When pasted, the key should appear as a single line. Be sure your text editor didn't
insert any line feed characters or authentication may fail.

29

Figure 21. Pasting the client public RSA

5. Save the change.

2.2.3. Accessing the Secure Shell (SSH)


This part describes how to access the pfSense console from Windows client computer.
Connect via SSH from a Windows client with PuTTY as follows.
1. Open PuTTY and specify your hostname or IP address.
2. Specify an alternative port if necessary (default is port 22).
3. Browse to your private key file from Connection | SSH | Auth | Private Key file for
authentication.

Figure 22. Client configuration

3. General basic configuration


The core functionality of any firewall involves creating port forward and firewall security
rules, and pfSense is no different. These core features, plus others, can all be found on the main
Firewall menu of the pfSense web interface.
This chapter explains how to configure these rules and the features associated with them.
30

3.1. ALIAS
Aliases provide a degree of separation between our rules and values that may change in the
future (for example, IP addresses, ports, and so on). It's best to use aliases whenever possible.
3.1.1. Creating an ALIAS
These steps describe how to use, create, edit, and delete aliases.
1. Browse to Firewall | Aliases.
2. Click the "plus" button to add a new alias.
3. Add a Name for the alias.
4. Add an optional Description.
5. Select an alias Type and finish the configuration based on that selection.

Figure 23. Crating ALIAS

6. Save the changes.

3.1.2. Types of aliase

Figure 24. Types of ALIAS


-

Host alias

Selecting Host(s) as an alias Type allows creating an alias that holds one or more IP addresses.

31

Network alias

Selecting Network(s) as an alias Type allows creating an alias that holds one or more networks (that
is ranges of IP addresses).
-

Port alias

Selecting Port(s) as an alias Type allows creating an alias that holds one or more ports.
-

URL alias

Selecting URL as an alias Type allows creating an alias that holds one or more URLs.
-

URL Table alias

Selecting URL Table as an alias Type allows you to create an alias that holds a single URL pointing
to a large list of addresses. This can be especially helpful when we need to import a large list of IPs
and/or subnets.

3.1.3. Using an alias


Aliases can be used anywhere you see a red textbox. Simply begin typing and pfSense will
display any available aliases that match the text you've entered.

Figure 25. Using ALIAS

3.2. NAT port forward rule


As the name said the NAT port forward rule is to forward a type of traffic to a host or to an
other number of ports, in our example We will create a port forward rule to forward any incoming
web requests (HTTP) to a computer we've configured as a web server.
3.2.1. Creating a NAT port forward rule
These steps below describe how to create, edit, and delete port forward rules.
1. Browse to Firewall | NAT.
2. Select the Port Forward tab.
3. Click the "plus" button to create a new NAT port forward rule.
4. For Destination port range, choose HTTP for the from and to drop-down boxes.
5. For Redirect target IP specify the web server this traffic will be forwarded to, by alias or
IP address.
6. For Redirect target Port choose HTTP.
7. Add a Description, such as Forward HTTP to webserver1.

32

Figure 26. Creating a NAT port forward rule

8. Save the changes.

3.3. Schedule
Schedules allow us to specify when rules are enabled. They are primarily used with firewall
rules, but their generic design allows them to be used with other existing and future pfSense features.
If a firewall rule specifies a schedule, the rule is only enabled during that time period. In the
following example, we'll define a schedule for our normal 9am-5pm work hours.
3.3.1. Creating a schedule
This recipe describes how to create a schedule.
1. Browse to Firewall | Schedules.
2. Click the "plus" button to create a new schedule.
3. Enter a Schedule Name, such as WorkHours.
4. Enter a Description, such as Regular work week hours.
5. In the Month section, click Mon, Tue, Wed, Thu, and Fri to select all the days of the
work week.
6. Specify a 9 am as the Start Time and 5 pm as the Stop Time.
7. Enter a Time Range Description, such as Monday-Friday 9am-5pm.
8. Click Add Time.
33

Figure 27. Creating a schedule

9. Note that the repeating time is added to Configured Ranges.

Figure 28. Schedule repeat

10. Save the changes.

3.4. Firewall rule


Firewall rules control what traffic is allowed to enter an interface on the firewall. Once traffic
is passed on the interface it enters, an entry in the state table is created, which allows through
subsequent packets that are part of that connection.
Firewall rules are processed from the top down, and the first match wins. The default on all
interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed.
34

3.4.1. Creating a firewall rule


As an example, we will create a firewall rules for DMZ.
1. Browse to Firewall | Rules.
2. Select the WAN tab.
3. Click the "plus" button to create a new firewall rule.
4. Specify the WAN Interface.
5. Specify the TCP Protocol.
6. Specify any as the Source.
7. Specify any as the Source Port Range.
8. Specify Webserver1 as our Destination.
9. Specify HTTP as our Destination Port Range.
10. Specify a Description.

Figure 29. Firewall rule

11. Save the changes.

35

Figure 30. DMZ rules

3.4.2. Advanced features


New to pfSense 2.0 is the firewall rule Advanced Features section. Each of the following
features can be specified as criteria for a rule. If an advanced feature is specified, the rule will only be
executed if a match is found. Click the Advanced button to display the following configuration
settings for each feature:
Source OS: This option will attempt to match the operating system of the source traffic.
Diffserv Code Point: Diffserv is a mechanism for providing Quality of Service (QoS) of network
traffic. Systems can prioritize traffic based on their code point values.
Advanced Options: Allows for the specification of advanced IP Options.
TCP Flags: Specific TCP flags may be set here.
State Type: Specify a particular state tracking mechanism.
No XMLRPC Sync: Prevent a rule from syncing with the other CARP members.
Schedule: Specify the schedule for when this rule is valid. Schedules defined in Firewall |
Schedules will appear here.
Gateway: Gateways other than the default may be specified here.
In/Out: Specify alternative queues and virtual interfaces.
Ackqueue/Queue: Specify alternative acknowledge queues.
Layer7: Specify an alternative Layer7 container.

36

4. Advanced Configuration
4.1. Virtual IP
Virtual IPs adds knowledge of additional IP addresses to the firewall that are different from
the firewall's actual "real" interface addresses. Most often, these are used for NAT, but they can also
be used for other functions such as clustering, binding services such as DNS, load balancing in
packages, and so on.
4.1.1. Types of vierual IPs
There are four types of Virtual IPs available in pfSense: Proxy ARP, CARP, and Other. Each
is useful in different situations:
- CARP

Can be used or forwarded by the firewall ;

Uses Layer 2 traffic ;

Should be used in firewall fail-over or load-balancing scenarios ;

Must be in the same subnet as the interface ;

Will respond to pings if configured properly ;

Proxy ARP

Can only be forwarded by the firewall ;

Uses Layer 2 traffic ;

Can be in a different subnet than the interface ;

Cannot respond to pings ;

Other

Can only be forwarded by the firewall ;

Can be in a different subnet than the interface ;

Cannot respond to pings ;

IP Alias

New to pfSense 2.0 ;

Can be used or forwarded by the firewall ;

Allows extra IP addresses to be added to an interface ;

4.1.2. Creating a virtual IP


1. Browse to Firewall | Virtual IPs.
2. Click the "plus" button to add a new virtual IP address.
3. Choose Other as Type.
4. Select the WAN as the Interface.
5. Specify the IP Address.
6. Add a Description.
37

Figure 31. Creating a VIP

7. Save the changes.

Figure 32. VIP created

4.2. 1:1 NAT rule


The 1:1 NAT maps one public IP to one private IP. All traffic from that private IP to the
Internet will be mapped to the public IP defined in the 1:1 NAT mapping, overriding your Outbound
NAT configuration.
4.2.1. Configuring a 1:1 NAT rule
This an example to use my local webserver in the public.
1. Browse to Firewall | NAT.
2. Select the 1:1 tab.
3. Click the "plus" button to add a new 1:1 NAT rule.
4. Select an Interface, in this case WAN.
5. Specify a Source, in this case any.
6. Specify a Destination; we'll specify our internal webserver by alias.
7. Specify the External subnet, our public IP address.
8. Add a Description.
9. Leave NAT reflection disabled.

38

Figure 33. Configuring 1:1 NAT

10. Save the changes.

4.3. Static route


Static routes are for accessing networks that aren't reachable through the default WAN
gateway, but can be reached indirectly through a difference interface. A common scenario might be
an office building with a shared network for printing. Anyone connected to the business network can
use the shared network, they just need to create a static route. We can use pfSense to create this static
route for an entire interface, instead of a configuring a static route on each individual PC.
4.3.1. Creating a gateway
1. Go to System | Routing.
2. Click the Gateways tab.
3. Click the "plus" button to add a new gateway.
4. Select the Interface for the new gateway.
5. Specify a Name for the gateway (no spaces allowed).
6. Specify the IP address for the gateway, it must be a valid address on the chosen
interface.
7. Add a Description, such as LAN gateway.
8. Save the changes.

39

Figure 34. Creating gateway

4.3.2. Creating a static route


9. Browse to System | Routing.
10. Click the Routes tab.
11. Click the "plus" button to add a new route.
12. Enter the IP Address of the Destination network.
13. Choose the Gateway we've defined above.
14. Add a Description, such as adding LAN route.

Figure 35. Creating a static route

15. Save the changes.

40

Figure 36. Route static created

4.4. SMTP e-mail notifications


PfSense can send an e-mail notification using the information supplied to notify
administrators of significant system events.
4.4.1. Configuring SMTP e-mail notifications
1. Browse to System | Advanced.
2. Click the Notifications tab.
3. Enter the IP Address of the E-Mail server.
4. Enter the SMTP Port of the E-Mail server.
5. Enter the From e-Mail address.
6. Enter the Notification E-Mail address.
7. Enter the Notification E-Mail auth username.
8. Enter the Notification E-Mail auth password.

Figure 37. SMTP notification configuration

9. Save the changes.


10. Apply changes, if necessary.
Once the settings are saved, a test e-mail will be sent automatically.

41

Figure 38. test e-mail

4.5. Captive portal


A captive portal is a web page that is displayed before a user is allowed to browse the web.
This is most often seen at commercial Wi-Fi hotspots where you must pay for service before you are
allowed to surf the web. In other scenarios, captive portals are used for authentication or end-user
agreements.
4.5.1. Creating a captive portal
During these steps, we will configure pfSense to display an authentication captive portal before users
are allowed to surf the web from our LAN.
1. Browse to Services | Captive Portal.
2. From the Captive portal tab, click Enable captive portal.
3. Choose Interfaces; we'll select our LAN as our interface.
4. Specify an Idle timeout; we'll say 10 minutes.
5. Specify a Hard timeout; we'll leave the default of 30 minutes.
6. Click Enable logout popup window so that users may log themselves out when they
are finished.
7. Specify a Redirection URL, say http://www.google.com.

42

Figure 39. Captive portal

8. Select Local User Manager as the Authentication:

Figure 40. Selecting local user lanager as the authentication

9. Save the changes.


10. Browse to System | User Manager.
11. Click the Users tab.
12. Click the "plus" button to add a new user.
13. Enter a Username.
14. Enter and confirm a Password.
15. Enter a Full name

43

Figure 41. creating a new user

16. Save the Changes.

Figure 42. user manager

Now with a test.

Figure 43. Captive portal test

44

5. Services
5.1. RIP
RIP stands for Routing Information Protocol, a dynamic routing protocol for local and wide
area networks.
5.1.1. Enabling RIP
Thiese steps describe how to enable RIP in pfSense.
1. Browse to Services | RIP.
2. Check Enable RIP.
3. Select an interface (Ctrl + click to select multiple interfaces).
4. Select a RIP Version.
5. Set a Password in case of using RIP version 2.

Figure 44. Enabling RIP service

6. Save the changes.

5.2. Wake On LAN (WOL)


Wake on LAN can be used to wake up computers from a powered-off state by sending special
"Magic Packets". The NIC in the computer that is to be woken up must support WOL and has to be
configured properly.
5.2.1. Enabling Wake On LAN (WOL)
1. Browse to Services | Wake on LAN.
2. Select the Interface which contains the device we'd like to wake up.
3. Enter the device's MAC address.

45

Figure 45. Enabling the WOL

4.

Click Send.

Figure 46. Sending the magic packet

5.2.2. Storing Mac addresses


There is a possibility to store the MAC addresses of any machines that support Wake on LAN.
1. Browse to Services | Wake on LAN.
2. Click the "plus" button to add a WOL Mac Address entry.
3. Select the Interface that contains the device.
4. Specify the device's MAC address.
5. Add a Description.

Figure 47. Storing MAC addresses

6. Save the changes.

46

Figure 48. MAC addresses Stored

7. Click the MAC address of any of the stored clients to send a magic packet.

5.2.3. Wake All


Instead of waking clients individually, there may be times when we want to wake them all up
at once-simply click the Wake All button.

Figure 49. Wake all MAC addresses Stored

6. Maintenance
6.1. Ping
pfSense exposes the ping service that's included on almost all operating systems. This can be
handy for administrators since pfSense can ping on any machine from any specified interface.
6.1.1. Using ping
These steps describe how to use the ping service in pfSense.
1. Browse to Diagnostics | Ping.
2. Set Host to the IP Address or hostname of the machine we're trying to ping.
3. Choose the Interface to initiate the ping from.
4. Select a Count.
5. Press the Ping button.
47

Figure 50. Using ping

6.2. Traceroute
Traceroute is a useful tool for testing and verifying routes and multi-WAN functionality,
among other uses. It will allow you to view each "hop" along a packet's path as it travels from one
end to the other, along with the latency encountered in reaching that intermediate point.
6.2.1. Using traceroute
1. Browse to Diagnostics | Traceroute.
2. Set Host to the IP Address or hostname of the machine we're trying to trace.
3. Choose the Maximum number of hops for the trace to jump.
4. Optionally check Use ICMP.

Figure 51. Using traceroute

5. Click the Traceroute button.

6.3. Backing up the configuration file


Backing up configuration files is an essential part of any administrator's position.
PfSense allows an administrator to download the entire pfSense configuration in a single
XML file to any local or networked drive.

48

pfSense configuration files are stored in a plain-text XML format by default, but it also gives you an
option to encrypt them.
1. Browse to Diagnostics | Backup/restore.
2. Select the Backup/Restore tab.
3. Set the Backup area to ALL. For a list of all available areas, see the following Backup
areas section.
4. Leave Do not backup package information unchecked.
5. Leave Do not backup RRD data checked.

Figure 52. Backing up the configuration file

6. Click Download configuration.

Figure 53. Downloading the configuration file

7. Save the file to a secure location.

6.4. Restoring the configuration file


Restoring configuration files is an essential part of any administrator's position. pfSense
configuration files are stored in a plain-text XML format by default, but an encryption option is
available.
1. Browse to Diagnostics | Backup/restore.
2. Select the Backup/Restore tab.
3. Set the Restore area to ALL.

49

Figure 54. Restoring the configuration file

4. Click Restore configuration and pfSense will reboot.

Figure 55. Configuration file restored

6.5. Automatic configuration file backup


Automatic configuration file backup is a good way to save the configuration file automaticly
on external pfsense servers, and only paid support subscribers hae access to this feature.
6.5.1. Installing the AutoConfigBackup Package
1. Browse to System | Packages.
2. Click the + next to the AutoConfigBackup package(It will download and install the
package).
3. Refresh the menus.
Now we can find AutoConfigBackup under the Diagnostics menu.

6.5.2. Configuring the AutoConfigBackup Package


1. Browse to Diagnostics | AutoConfigBackup.
2. Click the Settings tab.
3. Enter our Subscription Username.
4. Enter our Subscription Password.
5. Confirm Subscription Password.
6. Enter our Encryption Password.
7. Confirm Encryption Password.

50

Figure 56. Auto configuration backup

8. Save the changes.

51

Conclusion
As a conclusion, we have shown, first, an overview of the court of appeal of Taza, secondly,
the theory of of pfSense from the history to the features list, Secondly, we start with the necessary
installation and configuration, from the basic one to the service and maintenance configuration.
This project has allowed us to understand the concepts of pfSense firewall. All the Examples
cofigurations had seen is just to know how we must handling with pfSense, and each administrator
can choose its own strategy for his network, that depends on the size, plateforms, the equipment ..., in
the network.
In terms of perspective, I recommend the installation of some usefull package such the
automatic backup , the squidguard, and snort, the first help in the redundancy, the second in the url
filtering plus its free and published under GNU Public License, and the third is an an Intrusion
Detection System(IDS) released under the GNU open source license GPL.

52

References

http://en.wikipedia.org/wiki/PfSense
http://forum.pfsense.org
http://doc.pfsense.org/index.php
http://www.bsdcan.org/2008/schedule/attachments/66_pfSenseTutorial.pdf
http://doc.pfsense.org/index.php/PfSense_and_FreeBSD_Versions
http://pfsensesolution.blogspot.com/2012/07/pfsense-features.html
http://doc.pfsense.org/smiller/pfSenseQuickStartGuide.pdf
http://doc.pfsense.org/index.php/Captive_Portal
www.pcengines.ch/alix.htm
www.pcengines.ch/wrap.htm
http://www.linuxpedia.fr/doku.php/bsd/pfsense
http://www.mearn.org.ma/3/doc%20telecharger/Portail%20Captif%20khalidibolalan/PFsense.pdf
pfSense 2 Cookbook
pfsense - The definitive guide

53

54