Mastering pfSense: Master the art of managing, securing and monitoring your on-premises and cloud network using the powerful pfSense 2.4.3, 2nd Edition, by Zientara – Ebook Instant Download/Delivery ISBN: 1788993470, 9781788993173
Product details:
Install and configure a pfSense router/firewall, and become a pfSense expert in the process.
About This Book
- You can always do more to secure your software – so extend and customize your pfSense firewall
- Build a high availability security system that’s fault-tolerant – and capable of blocking potential threats
- Put the principles of better security into practice by implementing examples provided in the text
Who This Book Is For
This book is for those with at least an intermediate understanding of networking. Prior knowledge of pfSense would be helpful but is not required.
Those who have the resources to set up a pfSense firewall, either in a real or virtual environment, will especially benefit, as they will be able to follow along with the examples in the book.
What You Will Learn
- Configure pfSense services such as DHCP, Dynamic DNS, captive portal, DNS, NTP and SNMP
- Set up a managed switch to work with VLANs
- Use pfSense to allow, block and deny traffic, and to implement Network Address Translation (NAT)
- Make use of the traffic shaper to lower and raise the priority of certain types of traffic
- Set up and connect to a VPN tunnel with pfSense
- Incorporate redundancy and high availability by utilizing load balancing and the Common Address Redundancy Protocol (CARP)
- Explore diagnostic tools in pfSense to solve network problems
In Detail
pfSense has the same reliability and stability as even the most popular commercial firewall offerings on the market – but, like the very best open-source software, it doesn’t limit you.
You’re in control – you can exploit and customize pfSense around your security needs.
Mastering pfSense – Second Edition covers features that have long been part of pfSense, such as captive portal, VLANs, traffic shaping, VPNs, load balancing, Common Address Redundancy Protocol (CARP), multi-WAN, and routing. It also covers features that have been added with the release of 2.4, such as support for ZFS partitions and OpenVPN 2.4. This book takes into account the fact that, in order to support increased cryptographic loads, pfSense version 2.5 will require a CPU that supports AES-NI.
The second edition of this book places more of an emphasis on the practical side of utilizing pfSense than the previous edition, and, as a result, more examples are provided which show in step-by-step fashion how to implement many features.
Style and approach
Practical guide to learn the advanced functionalities of pfSense with minimum fuss.
Table of contents:
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Revisiting pfSense Basics
Technical requirements
pfSense project overview
Possible deployment scenarios
Hardware requirements and sizing guidelines
Minimum hardware requirements
Hardware sizing guidelines
The best practices for installation and configuration
pfSense configuration
Configuration from the console
Configuration from the web GUI
Configuring additional interfaces
Additional WAN configuration
General setup options
Summary
Questions
Further reading
Advanced pfSense Configuration
Technical requirements
SSH login
DHCP
DHCP configuration at the console
DHCP configuration in the web GUI
DHCPv6 configuration in the web GUI
DHCP and DHCPv6 relay
DHCP and DHCPv6 leases
DNS
DNS resolver
General Settings
Enable DNSSEC support
Host Overrides and Domain Overrides
Access Lists
DNS forwarder
DNS firewall rules
DDNS
DDNS updating
RFC 2136 updating
Troubleshooting DDNS
Captive portal
Implementing captive portal
User manager authentication
Voucher authentication
RADIUS authentication
Other settings
Troubleshooting captive portal
NTP
SNMP
Summary
Questions
VLANs
Technical requirements
Basic VLAN concepts
Example 1 – developers and engineering
Example 2 – IoT network
Hardware, configuration, and security considerations
VLAN configuration at the console
VLAN configuration in the web GUI
QinQ
Link aggregation
Add firewall rules for VLANs
Configuration at the switch
VLAN configuration example 1 – TL-SG108E
VLAN configuration example 2 – Cisco switches
Static VLAN creation
Dynamic Trunking Protocol
VLAN Trunking Protocol
Troubleshooting VLANs
General troubleshooting tips
Verifying switch configuration
Verifying pfSense configuration
Summary
Questions
Using pfSense as a Firewall
Technical requirements
An example network
Firewall fundamentals
Firewall best practices
Best practices for ingress filtering
Best practices for egress filtering
Creating and editing firewall rules
Floating rules
Example rules
Example 1 – block a website
Example 2 – block all traffic from other networks
Example 3 – the default allow rule
Scheduling
An example schedule entry
Aliases
Creating aliases from a DNS lookup
Bulk import
Virtual IPs
Troubleshooting firewall rules
Summary
Questions
Network Address Translation
Technical requirements
NAT essentials
Outbound NAT
Example – filtering outbound NAT for a single network
1:1 NAT
Example – mapping a file server
Port forwarding
Example 1 – setting up DCC
Example 2 – excluding a port
Example 3 – setting up a personal web server
Network Prefix Translation
Example – mapping an IPv6 network
Troubleshooting
Summary
Questions
Traffic Shaping
Technical requirements
Traffic shaping essentials
Queuing policies
Priority queuing
Class-based queuing
Hierarchical Fair Service Curve
Configuring traffic shaping in pfSense
The Multiple LAN/WAN Configuration wizard
The Dedicated Links wizard
Advanced traffic shaping configuration
Changes to queues
Limiters
Layer 7 traffic shaping
Adding and changing traffic shaping rules
Example 1 – modifying the penalty box
Example 2 – prioritizing EchoLink
Traffic shaping examples
Example 1 – adding limiters
Example 2 – penalizing peer-to-peer traffic
Using Snort for traffic shaping
Installing and configuring Snort
Troubleshooting traffic shaping
Summary
Questions
Further reading
Virtual Private Networks
Technical requirements
VPN fundamentals
IPsec
L2TP
OpenVPN
AES-NI
Choosing a VPN protocol
Configuring a VPN tunnel
IPsec
IPsec peer/server configuration
IPsec mobile client configuration
Example 1 – Site-to-site IPsec configuration
Example 2 – IPsec tunnel for remote access
L2TP
OpenVPN
OpenVPN server configuration
OpenVPN client configuration
Client-specific overrides
Server configuration with the wizard
OpenVPN Client Export Utility
Example – site-to-site OpenVPN configuration
Troubleshooting
Summary
Questions
Redundancy and High Availability
Technical requirements
Basic concepts
Server load balancing
Example – load balancer for a web server
HAProxy – a brief overview
CARP configuration
Example 1 – CARP with two firewalls
Example 2 – CARP with N firewalls
An example of both load balancing and CARP
Troubleshooting
Summary
Questions
Further reading
Multiple WANs
Technical requirements
Basic concepts
Service Level Agreement
Multi-WAN configuration
DNS considerations
NAT considerations
Third-party packages
Example – multi-WAN and CARP
Troubleshooting
Summary
Questions
Routing and Bridging
Technical requirements
Basic concepts
Bridging
Routing
Routing
Static routes
Public IP addresses behind a firewall
Dynamic routing
RIP
OpenBGPD
Quagga OSPF
FRRouting
Policy-based routing
Bridging
Bridging interfaces
Special issues
Bridging example
Troubleshooting
Summary
Questions
Extending pfSense with Packages
Technical requirements
Basic considerations
Installing packages
Important packages
Squid
Issues with Squid
Squid reverse proxy server
pfBlockerNG
ntopng
Nmap
HAProxy
Example – load balancing a web server
Other packages
Snort
Example – using Snort to block social media sites
FRRouting
Zabbix
Summary
Questions
Further reading
Diagnostics and Troubleshooting
Technical requirements
Troubleshooting basics
Common networking problems
Wrong subnet mask or gateway
Wrong DNS configuration
Duplicate IP addresses
Network loops
Routing issues
Port configuration
Black holes
Physical issues
Wireless issues
RADIUS issues
pfSense troubleshooting tools
System logs
Dashboard
Interfaces
Services
Monitoring
Traffic graphs
Firewall states
States
States summary
pfTop
tcpdump
tcpflow
ping, traceroute and netstat
ping
traceroute
netstat
Troubleshooting scenarios
VLAN configuration problem
Summary
Questions
Assessments
Chapter 1 – Revisiting pfSense Basics
Chapter 2 – Advanced pfSense Configuration
Chapter 3 – VLANs
Chapter 4 – Using pfSense as a Firewall
Chapter 5 – Network Address Translation
Chapter 6 – Traffic Shaping
Chapter 7 – Virtual Private Networks
Chapter 8 – Redundancy and High Availability
Chapter 9 – Multiple WANs
Chapter 10 – Routing and Bridging
Chapter 11 – Extending pfSense with Packages
Chapter 12 – Diagnostics and Troubleshooting