Hacom's pfSense Quick-Start Guide
Bao Ha
Copyright © 2008 Hacom


Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts.


12 November 2008




Table of Contents
Hacom's pfSense Quick-Start Guide
  Introduction
  Setup and Configuration
  Web Administration
  Backup and Restore of configuration
  Firmware Update
  Maximum Firewall States




Introduction
pfSense is a complete firewall software package, suitable for embedded hardware, that provides the
important features of commercial firewall appliances (including ease of use) at a fraction of the
price: it is free software. It is based on FreeBSD and is available at http://www.pfsense.com/.

Hacom runs pfSense on its own hardware to take advantage of these features and to offer a complete,
supported package to commercial customers (small, medium and enterprise) who want a one-stop shop.


Documentation
pfSense began as a fork of m0n0wall and is configured in much the same way, so the m0n0wall
documentation is also useful. See the following URLs:

      •   The M0n0 Users Manual (http://m0n0.ch/wall/docbook/)
      •   M0n0wall Quick Start Guide (http://m0n0.ch/wall/quickstart/)
      •   pfSense FAQ (http://faq.pfsense.com/)
      •   pfSense tutorial (http://www.pfsense.com/index.php?id=36)


Hacom's pfSense
Hacom offers three families of commercially packaged pfSense systems, each with a choice of support
services: Phoenix, Mercury and Mars. The following comparison table can be used to select the
appropriate equipment for a given network environment.

Performance*                   Phoenix        Mercury          Mars

    Suggested users            5-25           10-50            10-250
    Throughput                 90 Mbps        200 Mbps         400 Mbps
    Concurrent connections     80,000         200,000          200,000-400,000
    3DES IPsec throughput      8-10 Mbps      20 Mbps          25-40 Mbps
    AES IPsec throughput       10-40 Mbps     80 Mbps          40-60 Mbps
* Performance depends on the network environment and the configuration of the firewall.




Hardware Specification

Model     Systemboard   CPU                    Memory   Storage                  Ethernet
Phoenix   ES466B        333 MHz AMD Geode GX   256 MB   1 GB CF or 1 GB DOM**    3x 10/100M
Phoenix   CV700A        500 MHz VIA C7         256 MB   1 GB CF or 1 GB DOM**    3x 10/100M
Mercury   CV700A        1 GHz VIA C7           512 MB   1 GB CF or 1 GB DOM**    3x 10/100M/1G
Mars      CV763A        1 GHz Celeron-M        512 MB   1 GB CF or 1 GB DOM**    4x 10/100M/1G
Mars      CI852A        1.6 GHz Celeron-M      1 GB     1 GB CF or 1 GB DOM**    4x 10/100M/1G
** CF = Compact Flash, DOM = Disk-On-Module. A DOM is more durable than compact flash because of its
built-in wear leveling.
This quick-start guide also applies to other Hacom systems pre-loaded with pfSense.


Requirements to Access the pfSense Console
You will need a keyboard and a monitor to access the console of a Hacom pfSense system. A serial
console is available on certain models.

Model     Systemboard   Monitor   Keyboard      Serial console
Phoenix   ES466B        VGA       USB           Optional (requires a hardware modification at the factory!)
Phoenix   CV700A        VGA       USB or PS/2   Optional (requires a serial-console enabled BIOS update)
Mercury   CV700A        VGA       USB or PS/2   Optional (requires a serial-console enabled BIOS update)
Mars      CV763A        VGA       USB or PS/2   Optional (requires a serial-console enabled BIOS update)
Mars      CI852A        VGA       USB or PS/2   Optional (requires a serial-console enabled BIOS update)

Setup and Configuration
The simplest pfSense configuration is a 2-zone firewall: WAN and LAN. WAN is the Internet, the
outside world. LAN is the local internal network protected by the firewall. Following is a diagram of
the 2-zone pfSense firewall.

When the system boots, a Grub menu is shown. There is a five (5) second delay during which the user
can interrupt the boot and access Grub directly.

At first boot, pfSense is not yet configured. The user sees a setup screen asking for the network
interface assignments.
pfSense requires at least two (2) network interfaces to set up a firewall. Hacom systems typically
have at least three (3).
Most Hacom systems use Realtek Ethernet chipsets, which pfSense (FreeBSD) detects as:
rl0: first Realtek 10M/100M Ethernet adapter
rl1: second Realtek 10M/100M Ethernet adapter
rl2: third Realtek 10M/100M Ethernet adapter

On the Intel Gigabit Ethernet systems, pfSense detects the following network interfaces instead:
em0: first Intel Gigabit 10M/100M/1G Ethernet adapter
em1: second Intel Gigabit 10M/100M/1G Ethernet adapter
em2: third Intel Gigabit 10M/100M/1G Ethernet adapter

In some of our systems, an Atheros-based wireless network interface is also detected as:
ath0: first 802.11b/g Wi-Fi network interface

Note that FreeBSD numbers interfaces in the order the driver probes them, which does not always
match the order of the physical ports on the case. If in doubt, use the auto-detection offered in
the interface assignment step: unplug all cables, then plug in only the port you are assigning.

In our simple 2-zone firewall configuration:
   (1) We do not need a VLAN setup.
   (2) We want rl0 (the first Realtek Ethernet interface) to be our LAN: the local internal network.
   (3) We want rl1 (the second Realtek Ethernet interface) to be our WAN: the access to the outside
       Internet.
   (4) Since we are not ready to set up a DMZ, we leave the OPT interfaces blank (unconfigured) for
       the time being.

Once the network interfaces are assigned, pfSense is ready and the console menu is shown as in the
following.
The console menu offers several additional configuration choices. The most important ones for the
initial setup of the firewall are:

   1. Assign Interfaces.
       This is the initial network setup that we have just completed.
   2. Set LAN IP address.
       This is our next step, so that we can reach the web-based configuration tool from the local
       network. By default, the LAN IP is 192.168.1.1, which is very common among firewall gateways.
       It is advised to make this change before connecting the firewall to an existing internal
       network, to avoid an address conflict with the gateway already in place.
   3. Reset WebConfigurator password.
       This resets the "admin" password to the default "pfsense". Anyone who can log in with that
       default can reconfigure the firewall, so change the password from the web interface right
       afterwards. Note also that anyone with access to the console can perform this reset.
   4. Reset to factory defaults.
       This wipes out all of the configuration data.





Our next step is to change the LAN IP address from the default 192.168.1.1 to an appropriate one for
the local network.
If there is no need to change the IP address, just skip this step!
For our network, we already have a company gateway at 192.168.1.1. We want to give the pfSense LAN
an unused IP in our local network, so we decided to place this firewall at the end of the
192.168.1.0/24 (class C sized) range.
Following is our LAN IP:
   1. IP address: 192.168.1.254
   2. Subnet mask: 255.255.255.0 (or 24 bits)
       This follows from our choice of 192.168.1.0/24, which gives a maximum of 254 usable hosts
       within the subnet (256 addresses less the network and broadcast addresses). For installations
       that need a larger flat subnet, say 500 hosts all reachable from each other, a /16 with a
       subnet mask of 255.255.0.0 (16 bits) may be more appropriate. For example, 10.0.0.0/16 covers
       the range 10.0.0.1 to 10.0.255.254, a maximum of 65,534 usable hosts.

Now we are ready to go to the web configuration!

Web Administration

On the first access to the web-based administration tool, we are led to a wizard. The wizard can
always be started again from System → Setup wizard, or by using the following URL:
http://192.168.1.254/wizard.php?xml=setup_wizard.xml
Just change the IP address to the correct one for your installation! Note that this URL is plain
HTTP; once the initial setup is done, the webConfigurator can be switched to HTTPS under System →
Advanced so that the admin password does not cross the LAN in clear text.




The first step is to fill in some general information:

1. Hostname: pfsense, or any other hostname you want the firewall to be called.
2. Domain: the default is "local". Use your own domain name here. We set it to baoha.net.
3. DNS servers: it is usually best to use the DNS servers of your Internet provider. Our Internet
   provider is dslextreme.com, and the DNS servers they provide are 66.51.205.100 and
   66.51.206.100.

The second step is to set up the time server information.
   1. The time server DNS name defaults to 0.pfsense.pool.ntp.org. Do not change it unless there is
      a valid reason. Correct time matters for log timestamps and for IPsec and certificate
      validity checks.
   2. The time zone may be changed to the local time zone. In our case, it is the US Pacific time
      zone.

The third step is to configure the Wide Area Network (WAN) information. There are several
configuration choices: (1) static IP, (2) DHCP, (3) PPPoE, (4) PPTP, and (5) BigPond.
For our configuration, we chose static IP:
   1. Static IP address: 208.127.150.33 (use your own IP!!!)
   2. Default gateway: 208.127.150.1 (use your own gateway!!!)
When scrolling to the bottom, there is also a choice of "Block RFC1918 Private Networks." We left it
enabled: it drops packets arriving on WAN with a source address in 10.0.0.0/8, 172.16.0.0/12 or
192.168.0.0/16, which should never originate from the Internet and usually indicate spoofing or a
misconfigured upstream. Leave it disabled only if your WAN itself sits behind another NAT router on
a private address (a double-NAT setup), since traffic from that router and any other hosts on its
segment would otherwise be dropped.

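The decision that "Block RFC1918 Private Networks" makes, as an added example that is not part of the Hacom guide or of pfSense's own code: a POSIX shell script that classifies WAN source addresses the way the option does and flags the double-NAT case described above. The function names and the sample addresses are our own, constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Hacom guide or pfSense): reproduces the test the
# "Block RFC1918 Private Networks" WAN option applies, so you can see which
# packets it drops and why it breaks a double-NAT WAN. Function names and the
# sample addresses below are our own, constructed for the demonstration.

# is_rfc1918 A.B.C.D -> exit status 0 if the address lies in 10.0.0.0/8,
# 172.16.0.0/12 or 192.168.0.0/16; 1 otherwise; 2 if the input is malformed
is_rfc1918() {
    case "$1" in
        *[!0-9.]*|"") return 2 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 2
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# wan_verdict SRC_IP yes|no -> "drop" if the block option (yes/no) would discard
# a packet from SRC_IP arriving on WAN, otherwise "continue" (it goes on to the
# normal WAN rules, which by default reject unsolicited inbound traffic anyway)
wan_verdict() {
    if [ "$2" = yes ] && is_rfc1918 "$1"; then
        echo drop
    else
        echo continue
    fi
}

# check_wan_gateway GATEWAY_IP yes|no -> exit 1 with a warning when the option
# would discard traffic from the upstream router itself (double-NAT behind a
# home router on a private address), exit 0 otherwise
check_wan_gateway() {
    if [ "$2" = yes ] && is_rfc1918 "$1"; then
        echo "WARNING: WAN gateway $1 is a private address; traffic from it and its segment" \
             "will be dropped while 'Block RFC1918 Private Networks' is enabled" >&2
        return 1
    fi
    echo "OK: WAN gateway $1 is compatible with block_rfc1918=$2"
}

# Constructed sample of source addresses seen on WAN, not captured traffic
for src in 8.8.8.8 10.0.0.5 172.16.4.9 172.32.0.1 192.168.1.10 208.127.150.1; do
    printf '%-15s -> %s\n' "$src" "$(wan_verdict "$src" yes)"
done
check_wan_gateway 208.127.150.1 yes          # the guide's public gateway: fine
check_wan_gateway 192.168.0.1 yes || true    # double-NAT behind a home router: warned
```

Note that 172.32.0.1 is classified as public: the private block is 172.16.0.0/12, i.e. second octet 16 through 31 only, a boundary that hand-written filters often get wrong.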
The fourth step is to set up the Local Area Network (LAN). It simply confirms what we changed at the
console menu.

The last step is to change the "admin" password. We changed it from the default "pfsense" to *****.
Pick a long, unique password: this account has full control of the firewall.

Now the firewall is ready to reload its new configuration data.

The following screen shows the pfSense system status after the reload.

Backup and Restore of configuration
The configuration data should be backed up to local storage on the administrator's workstation for
recovery purposes. To access the backup and restore tools, go to Diagnostics → Backup/Restore.
The page is self-explanatory. We recommend backing up every time a configuration change is made,
and also periodically. Keep in mind that the backup (config.xml) contains the admin password hash
and any VPN secrets, so store it where only administrators can read it.
It is also recommended to test the restore function after the initial backup, as well as every time
the firmware is updated.

Firmware Update

There are several ways to update the firmware.
   1. For Hacom systems running pfSense versions prior to 1.2.1, it is recommended
                 a. to back up the configuration,
                 b. to flash the new firmware, and
                 c. to restore the configuration.
   2. Starting from version 1.2.1, firmware can be updated reliably on-line.

Important notes: Hacom pfSense systems are based on the full firmware, including headless systems.
   ●   When updating the firmware, use the full-update version, and verify the published checksum of
       the downloaded image before uploading it.
   ●   Compact flash (CF) based systems require the platform information to be changed from
       "embedded" to "pfSense" before the update. It should be changed back to "embedded" after
       the update. A CF-based system can be used as a "pfSense" platform if the mount command shows
       the following:
       ...
       pfSense:~# mount
       /dev/ad2s4a on / (ufs, local, noatime)
       devfs on /dev (devfs, local)
       /dev/md0 on /var/run (ufs, local)
       /dev/ad2s4d on /cf (ufs, local, noatime)
       devfs on /var/dhcpd/dev (devfs, local)
       pfSense:~#
       ...
       The "noatime" option on the root / and /cf filesystems avoids a write on every file read and
       allows the CF to last several years under normal use. It is recommended to use
       industrial-grade CF or Disk-on-Module (DOM) with built-in static wear leveling.
   ●   DOM based systems are already "pfSense" platforms and are ready to use just like a solid
       state drive.

Following is the procedure to update the firmware.
First, the platform is changed to "pfSense". This step can be skipped for DOM-based systems or
systems that are already "pfSense".
This is done at a shell on the console. It can also be performed from the web-based administration:
go to Diagnostics → Command.

The second step is to enable the firmware upload. Go to System → Firmware.

The third step is to upload the firmware.
   1. The new firmware should already have been downloaded to local storage.
   2. Browse to the local folder and select the new firmware file.
   3. If asked about the kernel, select the Uniprocessor or Multiprocessor kernel, as appropriate.
      Do not select the embedded kernel, since that disables the display, keyboard and mouse.
   4. Click on "Upgrade firmware" and wait.

If the firmware upload succeeds, the update process takes a while. It takes more than 10 minutes for
an OpenBrick-E cv700a3r50 to complete the firmware update. Do not power off the system during this
time.

Following is the screen showing a successful update. On CF-based systems, remember to change the
platform back to "embedded" afterwards.

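The platform switch from the first step, together with the mount check from the notes above, as an added example that is not the Hacom guide's or pfSense's own code: a POSIX shell script that verifies the mount layout the guide gives as the criterion, backs up the configuration, and flips the platform string in both directions. It assumes (not stated on this page) that the platform string lives in /etc/platform and the live configuration in /cf/conf/config.xml, as on pfSense 1.2.x; the backup directory and all function names are our own. Run it from a console shell.

```shell
#!/bin/sh
# Added example, not from the Hacom guide or pfSense: wraps the "embedded" ->
# "pfSense" platform switch a CF-based system needs before a full firmware
# update, with the checks a careful admin adds. Assumptions not stated in the
# guide: the platform string lives in /etc/platform and the live configuration
# in /cf/conf/config.xml (pfSense 1.2.x); the backup directory is our choice.

PLATFORM_FILE=${PLATFORM_FILE:-/etc/platform}
CONFIG_FILE=${CONFIG_FILE:-/cf/conf/config.xml}
BACKUP_DIR=${BACKUP_DIR:-/root/pre-update-backup}

# Constructed sample, copied from the guide's mount output; on the box use "$(mount)"
SAMPLE_MOUNT='/dev/ad2s4a on / (ufs, local, noatime)
devfs on /dev (devfs, local)
/dev/md0 on /var/run (ufs, local)
/dev/ad2s4d on /cf (ufs, local, noatime)
devfs on /var/dhcpd/dev (devfs, local)'

# cf_mount_ok MOUNT_OUTPUT -> 0 when / and /cf are ufs mounts with noatime, the
# condition the guide gives for a CF system being usable as a "pfSense" platform
cf_mount_ok() {
    printf '%s\n' "$1" | grep -q '^/dev/[a-z0-9]* on / (ufs,.*noatime' || return 1
    printf '%s\n' "$1" | grep -q '^/dev/[a-z0-9]* on /cf (ufs,.*noatime' || return 1
}

# current_platform -> prints the platform string ("embedded" or "pfSense")
current_platform() {
    [ -r "$PLATFORM_FILE" ] || { echo unknown; return 1; }
    head -n 1 "$PLATFORM_FILE"
}

# set_platform embedded|pfSense -> backs up config.xml and the old platform
# string, then writes the new one. Refuses any value pfSense does not know.
set_platform() {
    case "$1" in
        embedded|pfSense) ;;
        *) echo "set_platform: refusing unknown platform '$1'" >&2; return 2 ;;
    esac
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR" || return 1
    # config.xml carries the admin password hash and any VPN secrets, hence 0700
    if [ -r "$CONFIG_FILE" ]; then
        cp "$CONFIG_FILE" "$BACKUP_DIR/config.xml.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    if [ -r "$PLATFORM_FILE" ]; then
        cp "$PLATFORM_FILE" "$BACKUP_DIR/platform.orig" || return 1
    fi
    printf '%s\n' "$1" > "$PLATFORM_FILE" || return 1
    echo "platform is now: $(current_platform)"
}

# Dry demonstration against the constructed sample; nothing is written here.
# On the firewall:  set_platform pfSense   # then System -> Firmware, upload,
#                   set_platform embedded  # after the update has completed
if cf_mount_ok "$SAMPLE_MOUNT"; then
    echo "CF layout OK (/ and /cf are ufs, noatime): platform may be switched"
else
    echo "unexpected mount layout: do not switch platform" >&2
fi
```

The backup taken by set_platform is the same config.xml the Backup/Restore page exports, so the pre-update and post-update copies can be diffed to confirm the update did not alter the configuration.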
Maximum Firewall States

It is recommended to raise the maximum number of firewall states from the default 10,000 to at least
100,000 for systems with 256MB of RAM, 200,000 for systems with 512MB, and 400,000 for systems with
1GB or more. Each state uses about 1 KB of RAM, so 400,000 states consume roughly 400 MB; leave
enough memory for the rest of the system.
The maximum number of firewall states is sometimes also referred to as the maximum number of
concurrent connections (the "Concurrent connections" figure in the comparison table above).
Go to System → Advanced and scroll all the way to the bottom to see the option.
