Cloud Hosting

Having migrated your IT infrastructure and services to the cloud, you need a decent enterprise firewall to handle your internet connection and any site-to-site or site-to-cloud VPN requirements.

The licensing costs for devices from Cisco, Juniper, Sonicwall et al are often extremely high, however. Many admins live in fear of the yearly license renewal invoice turning up, knowing that itll take a significant chunk out of their yearly IT budget, especially if some bright spark in senior management suddenly decides that the firm needs to roll out a costly extra feature.

Advertisement - Article continues below

pfSense is an open source enterprise firewall based on FreeBSD, with comparable features to many of the most expensive enterprise firewall devices and a huge range of packages available to extend its capabilities. As an open source solution, the software is free, and all the features are available without any commercial licensing requirements. Support for pfSense is provided by Netgate, which also manufactures network appliances that use the operating system.

This tutorial will take you through the installation and basic setup of a pfSense device. We will be using the scenario of a business with no on-premises servers, using cloud services or hosting for their IT requirements.

The minimum requirements to run pfSense are an x86 or x64 compatible device with 1GB or more of memory, two or more network interfaces and at least 4GB of storage (this can be a hard disk or a flash device such as an SD card).

Advertisement - Article continues below

Advertisement - Article continues below

How fast a processor you need, and how much memory, will depend on the number of rules, VPNs, and so on that you will have on your device, and the amount of data flowing through it. VPN performance, in particular, is dependent on how much processor power your endpoint has. Depending on the size and complexity of your local network layout, you may want a device with more than two network interfaces.

Purpose-built pfSense devices are available from many manufacturers, including the makers of pfSense themselves. However, you can also set it up on a virtual machine running on your choice of hypervisor, or build your own using a standard desktop PC or server.

Whatever hardware youre using, the setup process is the same. Hook up a monitor and keyboard to your device or use the virtual console if you are installing on a virtual machine. Do not connect any of the network interfaces to a network yet: well get to that later in the installation and setup process.

Download the installer from the pfSense website, taking care to get the version that matches your environment and preferred installation method. Burn the CD or write the image to a USB drive as required.

Advertisement - Article continues below

Boot your device from the installation media you created and wait until it has completed booting, and displays the software license screen. Go through and accept the license terms and move on to the installation. Select Install from the menu, choose the correct keyboard layout for your region, then select continue.

From the next menu, select automatic partitioning and hit enter to continue.

pfSense will partition the disk, and move straight on to the installation. Nows a good time to make some coffee whilst you wait for the installation to complete. When the installation has finished, say no to opening a shell to edit the system. Finally, remove the installation media and hit enter on the next screen to reboot into your new pfSense system.

After the system has rebooted, youll be prompted to set up basic networking. Answer no when asked if VLANs should be set up now. Next, move on to the network interface setup. Hit a to start auto-detection of the WAN interface and follow the instructions on screen, connecting the cable when required, in order to correctly identify the interface. Repeat the process for the LAN interface. Dont forget to physically label the interfaces on the device as well.

Once you have both the LAN and WAN interfaces identified correctly, hit y to continue. pfSense will carry on booting, then display the status of the network interfaces and present you with the console admin menu.

The LAN interface defaults to an IPv4 address of 192.168.1.1/24. If you need to change this to match your existing network, select option 2 (set interface IP address) from the menu, then option 2 again to edit the LAN interface. Enter the desired LAN IPv4 address and subnet mask for the device when prompted. Dont enable IPv6 or DHCP right now; well do that later from the web admin interface.

Configure a computer with a static IPv4 address in the same range as the IPv4 address you assigned to the LAN interface on the firewall. You can connect this computer directly to the LAN port on the firewall (using a crossover cable if youre working with older hardware that doesnt support Auto-MDIX) or connect via a switch.

Advertisement - Article continues below

Advertisement - Article continues below

Using your web browser, go to the LAN IPv4 address that we configured in the previous step. Log in using the username admin and the default password pfsense. You will be presented with the initial setup wizard. Click on next, then next again at the following screen to begin the setup of your new firewall.

Enter the name you want to give your firewall, and the domain associated with your internal office network. Were going to be boring and use firewall for the name, and local for the domain, but you should probably come up with something more distinctive.

Click on next to move on to step 3 of the wizard. The time server can be left on the default, or set to a different one if you have a preferred NTP server for devices on your network. Set your time zone, and then click next to move on to step 4.

Now you need to set up your WAN interface. Were using DHCP, so can leave everything on the defaults, but if you are connecting this device to an ADSL line via a DSL modem in bridge mode, you should select PPPoE here and enter the details provided by your ISP in the PPPoE section of this page. Once youve completed WAN configuration, scroll to the bottom of the page and click next to move on to step 5, where we can review the LAN IPv4 address we configured earlier, and change it if necessary. Click next to keep the address the same and move on to step 6.

Advertisement - Article continues below

Set a new admin password, not forgetting to make a note of it somewhere, and then click next to move on to step 7.

Click on reload to apply these changes to the device. If you changed the LAN IPv4 address in step 5, you will need to enter that address in your browser after this to access the device. Wait for the reload to complete, then click Finish on the last screen to exit the wizard and go to the device dashboard. Read and accept the license for the software again when prompted, then click close to clear the Thank you popup.

If your ISP offers IPv6 (as almost all do now) this is the time to set up the WAN interface IPv6 options to match those provided by your ISP. Select the Interfaces pull-down menu from the top menu bar, and select the WAN interface.

You will also need to set up IPv6 on your LAN interface. pfSense supports a range of different IPv6 configurations, from static IPv6 and DHCPv6 to stateless address autoconfiguration (SLAAC), 6to4 tunnelling and upstream interface tracking. Exactly which one you need will depend on the IPv6 provision from your ISP, who should provide you with adequate setup information to correctly configure your connection.

From the menu bar across the top of the pfSense admin page, open the Services pull-down menu and select DHCP server. Tick the Enable box to turn on the DHCP server for your LAN interface, then enter the range of IPv4 addresses that will be allocated to devices on your LAN. Well set up a range of 200 addresses in this instance. Leave the DNS and WINS server options unset, as the firewall will use those allocated by the ISP on the WAN interface.

Scroll down to the bottom of the page and hit save. The DHCP service will start automatically. The setup wizard will have automatically created a single outbound NAT rule for you, so you should be able to access the internet from devices behind your new firewall.

If you require VPN links to your cloud provider, or to other offices, you can now set them up. We will not go into detail about that here as there are too many different types of VPN to cover, and the process is largely the same with any enterprise firewall device.

Advertisement - Article continues below

Additional services such as traffic prioritization, web filtering, load balancing multiple internet connections and so on are all available, either already built in or via add-on packages. These can be installed from the package manager, found on the System menu pull-down at the left of the top menu bar.

Take some time to explore the various menus and services to familiarize yourself with your new firewall and discover its many features.

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Cyber security for accountants

3 ways to protect yourself and your clients online

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

The IT experts guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

More:
How to build your own firewall with pfSense - IT PRO