Mastering pfSense

Book description

Install and configure a pfSense router/firewall, and become a pfSense expert in the process.

About This Book
  • You can always do more to secure your software – so extend and customize your pfSense firewall
  • Build a high availability security system that's fault-tolerant – and capable of blocking potential threats
  • Put the principles of better security into practice by implementing examples provided in the text
Who This Book Is For

This book is for those with at least an intermediate understanding of networking. Prior knowledge of pfSense would be helpful but is not required.

Those who have the resources to set up a pfSense firewall, either in a real or virtual environment, will especially benefit, as they will be able to follow along with the examples in the book.

What You Will Learn
  • Configure pfSense services such as DHCP, Dynamic DNS, captive portal, DNS, NTP and SNMP
  • Set up a managed switch to work with VLANs
  • Use pfSense to allow, block and deny traffic, and to implement Network Address Translation (NAT)
  • Make use of the traffic shaper to lower and raise the priority of certain types of traffic
  • Set up and connect to a VPN tunnel with pfSense
  • Incorporate redundancy and high availability by utilizing load balancing and the Common Address Redundancy Protocol (CARP)
  • Explore diagnostic tools in pfSense to solve network problems
In Detail

pfSense has the same reliability and stability as even the most popular commercial firewall offerings on the market – but, like the very best open-source software, it doesn't limit you.

You're in control – you can exploit and customize pfSense around your security needs.

Mastering pfSense, Second Edition covers features that have long been part of pfSense, such as captive portal, VLANs, traffic shaping, VPNs, load balancing, Common Address Redundancy Protocol (CARP), multi-WAN, and routing. It also covers features that have been added with the release of 2.4, such as support for ZFS partitions and OpenVPN 2.4. This book takes into account the fact that, in order to support increased cryptographic loads, pfSense version 2.5 will require a CPU that supports AES-NI.

The second edition of this book places more emphasis on the practical side of using pfSense than the previous edition, and, as a result, more examples are provided, showing step by step how to implement many features.

Style and approach

A practical guide to learning the advanced functionalities of pfSense with minimum fuss.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Mastering pfSense Second Edition
  3. Dedication
  4. Packt Upsell
    1. Why subscribe?
    2. PacktPub.com
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  7. Revisiting pfSense Basics
    1. Technical requirements
    2. pfSense project overview
    3. Possible deployment scenarios
    4. Hardware requirements and sizing guidelines
      1. Minimum hardware requirements
    5. Hardware sizing guidelines
    6. The best practices for installation and configuration
    7. pfSense configuration
      1. Configuration from the console
      2. Configuration from the web GUI
        1. Configuring additional interfaces
        2. Additional WAN configuration
        3. General setup options
    8. Summary
    9. Questions
    10. Further reading
  8. Advanced pfSense Configuration
    1. Technical requirements
    2. SSH login
    3. DHCP
      1. DHCP configuration at the console
      2. DHCP configuration in the web GUI
      3. DHCPv6 configuration in the web GUI
      4. DHCP and DHCPv6 relay
      5. DHCP and DHCPv6 leases
    4. DNS
      1. DNS resolver
        1. General Settings
        2. Enable DNSSEC support
        3. Host Overrides and Domain Overrides
        4. Access Lists
      2. DNS forwarder
      3. DNS firewall rules
    5. DDNS
      1. DDNS updating
      2. RFC 2136 updating
      3. Troubleshooting DDNS
    6. Captive portal
      1. Implementing captive portal
        1. User manager authentication
        2. Voucher authentication
        3. RADIUS authentication
        4. Other settings
      2. Troubleshooting captive portal
    7. NTP
    8. SNMP
    9. Summary
    10. Questions
  9. VLANs
    1. Technical requirements
    2. Basic VLAN concepts
      1. Example 1 – developers and engineering
      2. Example 2 – IoT network
      3. Hardware, configuration, and security considerations
    3. VLAN configuration at the console
    4. VLAN configuration in the web GUI
      1. QinQ
      2. Link aggregation
      3. Add firewall rules for VLANs
    5. Configuration at the switch
      1. VLAN configuration example 1 – TL-SG108E
      2. VLAN configuration example 2 – Cisco switches
        1. Static VLAN creation
        2. Dynamic Trunking Protocol
        3. VLAN Trunking Protocol
    6. Troubleshooting VLANs
      1. General troubleshooting tips
      2. Verifying switch configuration
      3. Verifying pfSense configuration
    7. Summary
    8. Questions
  10. Using pfSense as a Firewall
    1. Technical requirements
    2. An example network
    3. Firewall fundamentals
    4. Firewall best practices
      1. Best practices for ingress filtering
      2. Best practices for egress filtering
    5. Creating and editing firewall rules
      1. Floating rules
      2. Example rules
        1. Example 1 – block a website
        2. Example 2 – block all traffic from other networks
        3. Example 3 – the default allow rule
    6. Scheduling
      1. An example schedule entry
    7. Aliases
      1. Creating aliases from a DNS lookup
      2. Bulk import
    8. Virtual IPs
    9. Troubleshooting firewall rules
    10. Summary
    11. Questions
  11. Network Address Translation
    1. Technical requirements
    2. NAT essentials
    3. Outbound NAT
      1. Example – filtering outbound NAT for a single network
    4. 1:1 NAT
      1. Example – mapping a file server
    5. Port forwarding
      1. Example 1 – setting up DCC
      2. Example 2 – excluding a port
      3. Example 3 – setting up a personal web server
    6. Network Prefix Translation
      1. Example – mapping an IPv6 network
    7. Troubleshooting
    8. Summary
    9. Questions
  12. Traffic Shaping
    1. Technical requirements
    2. Traffic shaping essentials
      1. Queuing policies
        1. Priority queuing
        2. Class-based queuing
        3. Hierarchical Fair Service Curve
    3. Configuring traffic shaping in pfSense
      1. The Multiple LAN/WAN Configuration wizard
      2. The Dedicated Links wizard
    4. Advanced traffic shaping configuration
      1. Changes to queues
        1. Limiters
        2. Layer 7 traffic shaping
      2. Adding and changing traffic shaping rules
        1. Example 1 – modifying the penalty box
        2. Example 2 – prioritizing EchoLink
    5. Traffic shaping examples
      1. Example 1 – adding limiters
      2. Example 2 – penalizing peer-to-peer traffic
    6. Using Snort for traffic shaping
      1. Installing and configuring Snort
    7. Troubleshooting traffic shaping
    8. Summary
    9. Questions
    10. Further reading
  13. Virtual Private Networks
    1. Technical requirements
    2. VPN fundamentals
      1. IPsec
      2. L2TP
      3. OpenVPN
        1. AES-NI
      4. Choosing a VPN protocol
    3. Configuring a VPN tunnel
      1. IPsec
        1. IPsec peer/server configuration
        2. IPsec mobile client configuration
        3. Example 1 – Site-to-site IPsec configuration
        4. Example 2 – IPsec tunnel for remote access
      2. L2TP
      3. OpenVPN
        1. OpenVPN server configuration
        2. OpenVPN client configuration
        3. Client-specific overrides
        4. Server configuration with the wizard
        5. OpenVPN Client Export Utility
        6. Example – site-to-site OpenVPN configuration
    4. Troubleshooting
    5. Summary
    6. Questions
  14. Redundancy and High Availability
    1. Technical requirements
    2. Basic concepts
    3. Server load balancing
      1. Example – load balancer for a web server
      2. HAProxy – a brief overview
    4. CARP configuration
      1. Example 1 – CARP with two firewalls
      2. Example 2 – CARP with N firewalls
    5. An example of both load balancing and CARP
    6. Troubleshooting
    7. Summary
    8. Questions
    9. Further reading
  15. Multiple WANs
    1. Technical requirements
    2. Basic concepts
      1. Service Level Agreement
    3. Multi-WAN configuration
      1. DNS considerations
      2. NAT considerations
      3. Third-party packages
    4. Example – multi-WAN and CARP
    5. Troubleshooting
    6. Summary
    7. Questions
  16. Routing and Bridging
    1. Technical requirements
    2. Basic concepts
      1. Bridging
      2. Routing
    3. Routing
      1. Static routes
      2. Public IP addresses behind a firewall
      3. Dynamic routing
        1. RIP
        2. OpenBGPD
        3. Quagga OSPF
        4. FRRouting
      4. Policy-based routing
    4. Bridging
      1. Bridging interfaces
      2. Special issues
      3. Bridging example
    5. Troubleshooting
    6. Summary
    7. Questions
  17. Extending pfSense with Packages
    1. Technical requirements
    2. Basic considerations
    3. Installing packages
    4. Important packages
      1. Squid
        1. Issues with Squid
        2. Squid reverse proxy server
      2. pfBlockerNG
      3. ntopng
      4. Nmap
      5. HAProxy
        1. Example – load balancing a web server
    5. Other packages
      1. Snort
        1. Example – using Snort to block social media sites
      2. FRRouting
      3. Zabbix
    6. Summary
    7. Questions
    8. Further reading
  18. Diagnostics and Troubleshooting
    1. Technical requirements
    2. Troubleshooting basics
      1. Common networking problems
        1. Wrong subnet mask or gateway
        2. Wrong DNS configuration
        3. Duplicate IP addresses
        4. Network loops
        5. Routing issues
        6. Port configuration
        7. Black holes
        8. Physical issues
        9. Wireless issues
        10. RADIUS issues
    3. pfSense troubleshooting tools
      1. System logs
      2. Dashboard
      3. Interfaces
      4. Services
      5. Monitoring
      6. Traffic graphs
      7. Firewall states
        1. States
        2. States summary
        3. pfTop
      8. tcpdump
      9. tcpflow
      10. ping, traceroute and netstat
        1. ping
        2. traceroute
        3. netstat
    4. Troubleshooting scenarios
      1. VLAN configuration problem
    5. Summary
    6. Questions
  19. Assessments
    1. Chapter 1 – Revisiting pfSense Basics
    2. Chapter 2 – Advanced pfSense Configuration
    3. Chapter 3 – VLANs
    4. Chapter 4 – Using pfSense as a Firewall
    5. Chapter 5 – Network Address Translation
    6. Chapter 6 – Traffic Shaping
    7. Chapter 7 – Virtual Private Networks
    8. Chapter 8 – Redundancy and High Availability
    9. Chapter 9 – Multiple WANs
    10. Chapter 10 – Routing and Bridging
    11. Chapter 11 – Extending pfSense with Packages
    12. Chapter 12 – Diagnostics and Troubleshooting
  20. Another Book You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Mastering pfSense
  • Author(s): David Zientara
  • Release date: May 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781788993173