pfSense
Setup
Install pfSense on your device, connect an Ethernet cable to the LAN port and navigate to http://192.168.1.1/
Log in with username “admin” and password “pfsense”; you will be taken to the setup wizard:
General information:
- Hostname: pfsense
- Domain: localdomain or
- DNS Server: 8.8.8.8, 8.8.4.4 (Use Google DNS)
- Check Allow DNS Server Override by ISP DNS
Follow the wizard to:
- Select your time zone
- Choose your WAN interface type; in most cases it will be DHCP, or check with your ISP for the correct settings.
- Choose your LAN interface IP address range:
- Provide a new password for admin user:
- Click “Reload” to apply the changes:
That’s it. pfSense will reload, obtain an ISP-provided IP address on the WAN interface via DHCP, and hand out IP addresses on the LAN interface via its own DHCP server.
DNS and DHCP
These are the basic DNS and DHCP configuration steps to set up pfSense for my home network.
*** System – General ***
- Hostname: pfSense
- Domain: example.com «Or whatever your domain name is
- Google DNS: 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844
- Allow DNS to be overwritten
*** Services – DNS Resolver ***
- Check DNSSEC Support
- Check Register DHCP leases in the DNS Resolver
- Check Register DHCP static mappings in the DNS Resolver
*** Services – DHCP Server ***
- Set range 192.168.10.100-200
That’s it. Basic configuration steps for DNS and DHCP.
IPSec VPN
This is a walkthrough of how to set up IPsec VPN on pfSense 2.3.3.
Go to VPN -> IPsec.
Go to Mobile Clients tab:
- Enable IPSec Mobile Client Support
- User Authentication: Local Database
- Check: Provide virtual IP address to clients – 172.16.32.1/16
- Provide a list of accessible networks to clients «Needed for remote clients to reach external networks
- Provide DNS server list to clients
- Server #1: 192.168.1.1 «This should be your DNS server or pfSense box
- Save
- Apply Changes
Create Phase 1:
- Authentication Mode: Mutual PSK + Xauth
- Peer Identifier: User Distinguished Name: vpnusers@pfsense.com
- Pre-shared Key:
- Encryption Algorithm: AES – 256 bits
- Save
- Apply Changes
Phase 2 Settings:
- Description: MobileIPsecP2
- Encryption Algorithm: AES
- Hash Algorithm: SHA1
- Save
- Apply Changes
System – User Manager:
- Add: Username + Password
- Save
- Edit
- Effective Privileges – Add: User – VPN: Ipsec xauth Dialin
- Save
Firewall Rules:
- IPsec interface: Allow IPv4 to LAN net
That’s it, IPSec VPN should be up and running!
pfBlocker NG
Install “pfBlockerNG” package via System -> Package Manager -> Available Packages.
Go to Firewall -> pfBlockerNG.
General
- Check Enable
- CRON Settings: set to once a day «Free lists might block you for downloading too often
- Inbound Firewall Rules: WAN
- Outbound Firewall Rules: LAN
- Check Floating Rules
- Save
NOTE: As it says, you would not need to block anything if you have no ports open in your firewall, but as soon as you start opening ports, for example for a web server, it’s a good idea to have these blocks in place!
GeoIP
- Top 20 Tab
- Select All IPv4 Countries
- Select All IPv6 Countries
- List Action: Deny Both
- Save
Reputation
- Check Enable Max
- Check Enable pMAX
- Check Enable dMAX
- Save
IPv4 & IPv6:
- Enter Alias “IPv4” and description
- Click on List Settings -> Copy links provided to IPv4Lists
- Add the IPv4 lists and enter a unique Header/Label
- List Action: Deny Both
- Update Frequency: Once a day
- Save
Done!
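To make the "List Action: Deny Both" setting above concrete, here is an added Python example (not part of these notes and not pfBlockerNG's own code) that parses a pfBlockerNG-style plain-text IP list, de-duplicates overlapping networks the way the package does before building its alias, and then decides whether a flow would be denied. The feed contents and the addresses checked are constructed sample data.

```python
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feed (not a real threat list) in the plain-text form
# pfBlockerNG accepts: one address or CIDR per line, '#' starts a comment.
SAMPLE_FEED = """
# example deny list, constructed for this snippet
203.0.113.0/24
198.51.100.0/25
198.51.100.64/26        # already inside the /25 above
192.0.2.17
not-an-address          # malformed entries are skipped
2001:db8::/32
"""


def parse_feed(text: str) -> List[Network]:
    """Parse a pfBlockerNG-style list into network objects, skipping junk."""
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR (e.g. 10.0.0.1/24)
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def aggregate(nets: List[Network]) -> List[Network]:
    """Merge overlapping or adjacent networks, per address family (mixing
    families in collapse_addresses raises TypeError)."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def lookup(ip: str, nets: List[Network]) -> Optional[Network]:
    """Return the first network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def decide(src: str, dst: str, nets: List[Network]) -> str:
    """Emulate 'Deny Both': a flow is denied when either endpoint is listed.
    (Deny Inbound would look at src only, Deny Outbound at dst only.)"""
    return "deny" if lookup(src, nets) or lookup(dst, nets) else "allow"


if __name__ == "__main__":
    blocked = aggregate(parse_feed(SAMPLE_FEED))
    print("aggregated list:", [str(n) for n in blocked])
    for src, dst in [("198.51.100.70", "192.168.10.50"),
                     ("192.168.10.50", "203.0.113.9"),
                     ("192.168.10.50", "8.8.8.8")]:
        print(f"{src} -> {dst}: {decide(src, dst, blocked)}")
```

The 198.51.100.64/26 entry disappears after aggregation because it is already covered by 198.51.100.0/25; that is the same reason pfBlockerNG's alias counts are smaller than the sum of the raw list sizes.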
Squid Proxy
Install “squid” package via System -> Package Manager -> Available Packages
Services -> Squid Proxy Server
General
- Check Enable Squid Proxy
- Proxy Interface: LAN
- Proxy Port: 3128
- Check Transparent HTTP Proxy
- Transparent Proxy Interface: LAN
- SSL MITM «Not enabled, as SSL splitting requires client configuration
- Check Enable Access Logging
- Rotate Logs: 7
- Save
Local Cache
- HD Disk Cache Size: 10,000 MB
- Max Object Size: 4 MB (Default)
- Memory Cache Size: 1024 MB
- Max Object Size in RAM: 256 KB (Default)
- Save
Antivirus
- Check Enable AV
- Check Enable Google Safe Browsing support
- Check Exclude Audio/Video Streams
- ClamAV Database Update: Every 24 hours
- Regional Mirror: Australia
- Save
That’s it. Squid should be up and running. It will take a while until the ClamAV databases are downloaded; until then there will be errors on the Real Time tab, but that will resolve eventually.
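Since access logging was enabled above, here is an added Python example (not from these notes or the Squid project) that parses lines in Squid's default native access.log format and summarises denied requests per client, the cache hit ratio, and the most requested hosts. The log lines are constructed; note that with SSL MITM left off, HTTPS traffic through the transparent proxy only shows up as CONNECT entries with a host:port and no URL path, which the parser handles separately.

```python
from collections import Counter
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.123    245 192.168.10.101 TCP_MISS/200 15234 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000000.456     12 192.168.10.101 TCP_DENIED/403 3811 GET http://ads.example.net/track.js - HIER_NONE/- text/html
1700000001.001     88 192.168.10.102 TCP_HIT/200 5120 GET http://example.com/logo.png - HIER_NONE/- image/png
1700000002.500    640 192.168.10.102 TCP_TUNNEL/200 2048 CONNECT example.org:443 - HIER_DIRECT/93.184.216.34 -
1700000003.900      5 192.168.10.103 TCP_DENIED/403 3811 GET http://blocked.example.org/file.exe - HIER_NONE/- text/html
"""

FIELDS = ("time", "elapsed_ms", "client", "result", "bytes", "method", "url",
          "user", "hierarchy", "content_type")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one native-format line into named fields; None for foreign lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # truncated or unrelated line: skip instead of crashing
    rec = dict(zip(FIELDS, parts))
    code, _, status = rec["result"].partition("/")
    rec["code"], rec["status"] = code, status
    if rec["method"] == "CONNECT":
        # HTTPS without SSL MITM: the "url" field is only host:port
        rec["host"] = rec["url"].rsplit(":", 1)[0]
    else:
        rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def summarize(log_text: str) -> Dict[str, object]:
    """Aggregate denied requests per client, hit ratio and top hosts."""
    denied_by_client: Counter = Counter()
    hosts: Counter = Counter()
    total = hits = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        hosts[rec["host"]] += 1
        if rec["code"] == "TCP_DENIED":
            denied_by_client[rec["client"]] += 1
        elif "HIT" in rec["code"]:  # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            hits += 1
    return {
        "requests": total,
        "hit_ratio": hits / total if total else 0.0,
        "denied_by_client": denied_by_client,
        "top_hosts": hosts.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real box the same function can be pointed at /var/squid/logs/access.log; a client that suddenly accumulates TCP_DENIED entries is usually either a misconfigured device or something worth a closer look.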
SquidGuard
Install SquidGuard from the packages repository.
Services -> SquidGuard Proxy Filter
Blacklist
- Enter URL: http://www.shallalist.de/Downloads/shallalist.tar.gz
- Download
Target categories
- Name: Whitelist
- Domain List: google.com
- Save
Common ACL
- Target Rules List
- Set Whitelist access to “whitelist”
- Set blk_BL_adv to “deny”
- Set blk_BL_gamble to “deny”
- Set blk_BL_porn to “deny”
- Set blk_BL_spyware to “deny”
- Set blk_BL_tracker to “deny”
- Set Default access [all] to “allow”
- Check Use SafeSearch engine
- Check Log
General settings
- Check Enable
- Check Enable log
- Check Enable log rotation
- Check Clean Advertising
- Check Blacklist
- Blacklist URL: http://www.shallalist.de/Downloads/shallalist.tar.gz
- Save
- Apply
In order to have automatic blacklist updates via cron, do the following:
- Log in to pfsense via ssh and go to /tmp
- In GUI go to Services -> SquidGuard -> Blacklists and select “Download”
- In /tmp look for squidGuard_blacklist_update.sh and copy to /root
- Setup cron job to run every 24 hours: 0 0 * * * root /root/squidGuard_blacklist_update.sh
That’s it, SquidGuard should be up and running!
Snort
Install the Snort package via System -> Package Manager -> Available Packages.
Go to Services -> Snort -> Snort Interfaces -> WAN Settings:
- Interface: LAN
- Description: LAN
- Save
Services -> Snort -> Global Settings
- Check Enable Snort VRT
- Enter your Snort Oinkmaster code
- Check Enable ET Open
- Check Enable OpenAppID
- Check Enable RULES OpenAppID
- Update Interval: 1 DAY
- Save
Updates
- Click Update Rules
Now the fun begins: carefully monitor your logs, as Snort will block a lot of things, and you need to add suppression lists to get rid of the false positives.
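As an added example of the suppression work just described (my own illustration, not code from these notes or from the Snort package), the Python below parses alerts in Snort's alert_fast format, counts how often each signature fires from each source host, and emits `suppress` directives in the syntax the pfSense Snort Suppress List page accepts for low-priority signatures that keep repeating. The alert lines, rule messages and SIDs (all in the 1000000+ local range) are constructed; the output is a list of candidates for you to review, not something to paste in blindly.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed alerts in Snort's alert_fast format (IPv4 only in this sample).
SAMPLE_ALERTS = """\
01/15-09:12:01.123456  [**] [1:1000001:1] LOCAL example chatty rule A [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.10.20:5353 -> 224.0.0.251:5353
01/15-09:12:02.223456  [**] [1:1000001:1] LOCAL example chatty rule A [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.10.20:5353 -> 224.0.0.251:5353
01/15-09:12:03.323456  [**] [1:1000001:1] LOCAL example chatty rule A [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.10.21:5353 -> 224.0.0.251:5353
01/15-09:15:10.000000  [**] [1:1000002:2] LOCAL example rule B [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44123 -> 192.168.10.50:22
01/15-09:16:00.000000  [**] [1:1000003:1] LOCAL example rule C [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.20 -> 192.168.10.1
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the alert's fields, or None if the line is not an alert_fast line."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def count_alerts(text: str) -> Counter:
    """Count (gid, sid, src, priority) tuples; one signature firing over and
    over from one host is the usual shape of a false positive."""
    counts: Counter = Counter()
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec:
            counts[(rec["gid"], rec["sid"], rec["src"], int(rec["prio"]))] += 1
    return counts


def suppress_candidates(text: str, min_hits: int = 2, min_priority_number: int = 3) -> List[str]:
    """Build 'suppress' directives for signatures that repeat from the same
    source at least min_hits times and whose priority number is at least
    min_priority_number (in Snort a higher number means less severe)."""
    directives = []
    for (gid, sid, src, prio), hits in sorted(count_alerts(text).items()):
        if hits >= min_hits and prio >= min_priority_number:
            directives.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return directives


if __name__ == "__main__":
    for key, hits in sorted(count_alerts(SAMPLE_ALERTS).items()):
        print(f"{key}: {hits} hit(s)")
    print("\n".join(suppress_candidates(SAMPLE_ALERTS)))
```

Tracking by source (`track by_src, ip ...`) silences the signature only for that one host, which is much safer than a bare `suppress gen_id 1, sig_id 1000001` that would hide the rule everywhere; lower the thresholds only after you have looked at what the alerts actually were.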