Mastering pfSense
Master the art of managing, securing, and monitoring
your network using the powerful pfSense 2.3
David Zientara
BIRMINGHAM - MUMBAI
Mastering pfSense
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transmitted in any form or by any means, without the prior written
permission of the publisher, except in the case of brief quotations embedded in
critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy
of the information presented. However, the information contained in this book is
sold without warranty, either express or implied. Neither the author, nor Packt
Publishing, and its dealers and distributors will be held liable for any damages
caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the
companies and products mentioned in this book by the appropriate use of capitals.
However, Packt Publishing cannot guarantee the accuracy of this information.
First published: August 2016
Production reference: 1240816
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78646-343-2
www.packtpub.com
Credits
Author: David Zientara
Reviewer: Brian Scholer
Commissioning Editor: Pratik Shah
Acquisition Editor: Prachi Bisht
Content Development Editor: Abhishek Jadhav
Technical Editor: Vishal K. Mewada
Copy Editor: Madhusudan Uchil
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Kirk D'Penha
Production Coordinator: Arvindkumar Gupta
Cover Work: Arvindkumar Gupta
About the Author
David Zientara is a software engineer and IT professional living in northern New
Jersey. He has 20 years of experience in IT and has been an enthusiastic supporter
of the free and open source software (FOSS) community throughout his career,
beginning with his first foray into the open source world with Slackware Linux
in 1995.
In the mid-1990s, David became lead software engineer for Oxberry LLC, a digital
imaging company headquartered in New Jersey. In this capacity, he played a major
role in developing a new software package for the company's film scanners for
Windows while also helping maintain Oxberry's legacy software, which had been
developed for the SGI IRIX platform. He continued in this role for many years and
continues to play a part in software development for Oxberry's corporate successor.
In the mid-2000s, David took an interest in computer networking, an interest
that led him to learn about m0n0wall and, eventually, pfSense, a fork of the
m0n0wall project. His interest in pfSense prompted him to create a pfSense
website, http://pfsensesetup.com/, in June 2013.
I would like to thank my parents, who passed along their passion
for learning as well as their work ethic. I would also like to thank my
editor for having the patience to work with a first-time author, and
whose diligence was instrumental in guiding this project. Finally,
I would like to thank my many professional associates who have
provided assistance over the years.
About the Reviewer
Brian Scholer is a New York City based Systems Engineer with over 14 years
of experience across server, cloud, and infrastructure administration, automation,
virtualization, software development, web operations, networking, and more. He
blogs at https://www.briantist.com/.
www.PacktPub.com
eBooks, discount offers, and more
Did you know that Packt offers eBook versions of every book published, with PDF
and ePub files available? You can upgrade to the eBook version at www.PacktPub.com
and as a print book customer, you are entitled to a discount on the eBook copy. Get in
touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign
up for a range of free newsletters and receive exclusive discounts and offers on Packt
books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital
book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
• Fully searchable across every book published by Packt
• Copy and paste, print, and bookmark content
• On demand and accessible via a web browser
Table of Contents
Preface vii
Chapter 1: pfSense Essentials 1
pfSense project overview 2
Possible deployment scenarios 2
Hardware requirements and sizing guidelines 6
Minimum specifications 6
Hardware sizing guidelines 7
Using a laptop 9
Introduction to VLANs and DNS 10
Introduction to VLANs 10
Introduction to DNS 12
The best practices for installation and configuration 13
Troubleshooting installation 14
pfSense configuration 16
Configuration from the console 16
Configuration from the web GUI 18
Configuring additional interfaces 22
General setup options 25
Advanced setup options 26
Upgrading, backing up, and restoring pfSense 30
Backing up and restoring pfSense 33
Restoring a configuration with Pre-Flight Install 34
Summary 35
Chapter 2: Advanced pfSense Configuration 37
DHCP 37
DHCP configuration at the console 38
DHCP configuration in the web GUI 40
DHCPv6 configuration in the web GUI 43
DHCP relay and DHCPv6 relay 45
DHCP and DHCPv6 leases 46
DNS 47
DNS Resolver 48
DNS Forwarder 52
DDNS 53
DDNS updating 53
RFC 2136 updating 56
Troubleshooting DDNS 58
Captive portal 59
Implementing captive portal 59
Troubleshooting captive portal 67
NTP 69
NTP configuration 70
NTP troubleshooting 73
SNMP 75
Configuring SNMP 76
Troubleshooting SNMP 77
Summary 78
Chapter 3: Working with VLANs 79
Basic VLAN concepts 80
An example network 81
Hardware, configuration, and security considerations 85
VLAN configuration at the console 87
VLAN configuration in the web GUI 89
VLAN configuration at the switch 97
VLAN configuration example one – TL-SG108E 98
VLAN configuration example two – Cisco switches 103
Static VLAN creation 103
Dynamic Trunking Protocol 106
VLAN Trunking Protocol 106
Troubleshooting VLANs 108
General troubleshooting tips 108
Verifying switch configuration 109
Verifying pfSense configuration 110
Troubleshooting example 112
Summary 115
Chapter 4: pfSense as a Firewall 117
An example network 118
Firewall fundamentals 119
Firewall best practices 122
Best practices for ingress filtering 124
Best practices for egress filtering 125
Creating and editing firewall rules 126
Floating rules 131
An example rule 133
Scheduling 134
An example schedule 135
NAT/port forwarding 136
Inbound NAT (port forwarding) 136
1:1 NAT 138
Outbound NAT 140
Network Prefix Translation 142
An example NAT rule 143
Aliases 143
An example alias 146
Virtual IPs 147
An example VIP 150
Troubleshooting 150
Summary 153
Chapter 5: Traffic Shaping 155
An example network 156
Traffic shaping essentials 157
Queuing policies 158
Configuring traffic shaping in pfSense 161
The Multiple LAN/WAN Configuration wizard 162
The Dedicated Links wizard 168
Advanced traffic shaping configuration 170
Changes to queues 171
Limiters 174
Layer 7 traffic shaping 177
Changes to rules 177
Traffic shaping examples 182
Example #1 – adding limiters 182
Example #2 – prioritizing Skype 184
Example #3 – penalizing P2P traffic 188
Troubleshooting traffic shaping 189
Summary 191
Chapter 6: Virtual Private Networks 193
VPN fundamentals 194
IPsec 195
L2TP 196