PfSense Advanced Configuration - VM Setup, Virtual IPs, Alias, NAT, Rules

Captions
Hi, Steve Cassell Fee coming back at you tonight, strictly from the desktop workstation, as we'll be building out a brand-new pfSense server to support our network environment. Those that have followed me for some time know that a couple of years ago I put out a pfSense video that went through the initial setup and configuration, where we dug into a lot of details on just what a firewall is, how it functions, how to get IP addresses on it, and how to create some pretty basic rule sets. We're gonna fast-forward past that a little bit; this video is going to rush through the initial setup and be more focused on a lot of the advanced functionality when it comes to pfSense. So we're gonna be leveraging a public IP address on our WAN interface, we're gonna be opening up ports and doing some port forwarding to devices inside our network that serve public services, we're gonna be NATing additional public IP addresses one-to-one to other devices on our network so that they have their own public NAT, and we're gonna be working with some aliases as we set up different rules to support what we're trying to do. We're gonna look at reporting and visibility. This should be a really fun video for those of you that want a little bit deeper dive into pfSense and are looking to do more complex things with their firewall.

If you liked this video and found it helpful, go ahead and hit that subscribe button on the YouTube page; we appreciate every one of those subscriptions. For those of you that want alerts when we post new videos, if you hit that post notification bell on the YouTube page you'll get alerted every time we go live or every time we post a new video. Ethan's not joining us for this video tonight; he's working on some other projects. He'll be back with us shortly, as we have some products coming in and we'll be doing some product reviews and testing, so check those out coming soon with Ethan back on screen. So let's go ahead and dig into this, deploy our pfSense server and get going.

So the first thing you need to do is go to pfSense's website, which is pfsense.org. This is the most popular open-source firewall out there; it is extremely robust, updated frequently, highly supported, and is just a great all-around firewall for your home environment, for your SMB environment. Lots of great uses for this. So if you go ahead to the download section, you'll see that they have a couple of different choices from an architecture standpoint. They have your traditional 64-bit computer architecture for deploying on a physical Intel/AMD server or desktop. They also have a Netgate ADI image, because if you take a look at their product section you'll see that they actually sell small-form-factor, low-compute, high-network devices specifically for running pfSense that you can find specific to your needs. So if you do need a device, I suggest you look at their store, as they probably have an option that's available for you, from the smallest couple-network-interface devices all the way up to your larger medium-business / small-enterprise-size devices.

We are actually deploying ours in our virtual environment, so we're gonna go ahead and download the 64-bit image, and we're gonna grab the ISO so that we can deploy a new virtual machine with the pfSense image. Then just go ahead and click on download and download that file. And as you know and have seen from my past videos, grab Rufus, turn that ISO into a bootable USB drive, and use it on the hardware that you're deploying pfSense on.

I'm gonna go ahead and hop over to our virtual environment. I'm gonna go ahead and right-click on my primary virtualization cluster and create a new virtual machine, and we're gonna call this new build pfSense01. I'm going to put this in my SSD datastore. I keep my compatibility to ESX 6.5 and later, because I'm not fully ESX 6.7 across the board. We're gonna go ahead and set this to Other, 64-bit, and our guest OS name is FreeBSD. And this is where we get into the virtual hardware. So if you're doing this virtually, you're probably following along with this; if you're deploying it physically, you can see based on the pfSense products that these do not require a large amount of processing power. I'm gonna go ahead and deploy this with one virtual CPU, and I'm gonna go ahead and give our build-out four gigs of memory. I am gonna give it a little more hard disk than the minimum requirement of eight, just because I do some advanced logging, and I also do some epic monitoring and visibility tools, a flow collection if you will, that can eat up a lot of hard disk space. So I'm gonna go ahead and deploy a 30-gig hard disk, and hopefully we'll get to use some of that when we show you some of the advanced monitoring and collection tools.

Now the network is where it always gets a little bit interesting. This is a firewall, so you have to have a minimum of two interfaces: you have to have your WAN-side interface for public-facing traffic, and then you have to have your LAN-side interface for what your local devices reach out to as a gateway to then access out to the Internet. So by default, when you deploy a virtual machine, there is one network device connected. I am going to go ahead and put the existing network device on my WAN network VLAN; if you're using a physical device, think of this as the interface that you plug your physical WAN network cable into, and I want this connected at power-on. But I do need to add a new device; I do need to add a second network adapter, which is going to be on my data network, so this is on the same network as my local devices. If you're using a physical appliance, think of this as the LAN-side network. I'm gonna leave that set to client device for now, and everything else we are just going with the defaults. I'm going to hit next on this, double-check my settings (one CPU, four gigs of RAM, two NICs, one on the WAN and one on the LAN, and a 30-gig hard drive), and I'm going to hit finish and let that virtual machine be built out.

So here is my pfSense01 firewall. I am going to launch the remote console and bring up our VMware Remote Console, because we know that I have downloaded that ISO file for pfSense, and hopefully I will be able to present the ISO to this virtual machine through that interface. As a side note here, you notice that I have another pfSense in my environment; obviously I have Internet connectivity today, I have a firewall running. So I'm gonna do a temporary IP address on the LAN-side interface, and then when I'm ready to provide Internet connectivity to my LAN-side clients, I'm gonna go ahead and shut down the old pfSense server and claim that IP address on the new pfSense server. So we'll minimize this. You do have to power on a virtual machine before you can present an ISO from your local machine, so VMware will go through its usual "I cannot boot from anything." If you go into your VMware console and go to Removable Devices, into your CD/DVD drive, we're gonna connect a disk image (ISO), and I'm gonna go ahead and go to my download folder and present up the pfSense ISO to this virtual machine. Now that I have the ISO presented to it, you can see, there we go, now it's actually booting off the ISO that I presented to it from my desktop. Pretty default pfSense screen here; it's going to boot to the multi-user setup screen. There are my em0 and em1 interfaces that I assigned to this device, and here we are in the pfSense configuration screen. How about that, that works better, huh? That's a little better, a little more visible.

Okay, we're in the pfSense installer. This is the first screen we get to; obviously this is copyrighted by Rubicon Communications, Netgate as they're known. This is a fantastic tool, so support them if you get the chance, buy their hardware if you need it. And our options here are Install, Rescue Shell, or use an XML from a previous installation to restore. We're going to go ahead and install from scratch, and we're gonna use the default keyboard mapping, and we're gonna let it automatically partition the disks for us. pfSense is very small and lightweight, so you'll find the installation process pretty darn quick. While we have this little break in the action: pfSense has a great community forum, so if you run into any issues, have any additional questions or complications, I suggest you head over to the pfSense website. The installation is now finished. "Before exiting the installer, would you like to open a shell in the new system to make any final manual modifications?" I'm gonna hit no on that; I'm not doing anything too custom yet. It's complete; would you like to reboot? I'm gonna go ahead and reboot this system. Don't forget to go to your removable devices and disconnect that ISO from the system, so you don't boot off the ISO a second time. Now we want to boot off the internal hard drive of the environment. Now, I did take a stab at the assumption that the first interface I configured in VMware will be em0, so hopefully that's the case. Once I throw some IP addresses on these interfaces and see if I can reach them, that will tell us a lot. Configuring our WAN interface hopefully shouldn't be that hard, because we don't have a WAN interface configuration yet. And that is how you install pfSense, ladies and gentlemen, pretty easy, pretty straightforward.

You notice that the WAN interface has no IPv4 address associated to it; it did assign an IPv6 address. And our LAN interface statically assigns a 192.168.1.1 IP address. That is great if that is the local network range that you use in your environment; however, it is not what I use. So ideally, you can open your web browser, point to the LAN-side interface, and get to the web configuration page. I cannot do that, because that is not my network. So we're gonna go ahead and do option 2 here to set interface IP addresses. I'm going to set the LAN-side interface with a static IP address, and I am going to use 172.16.1.123 for now, and then I use a /25 subnet, 255.255.255.128. Then it's asking for a WAN: "Enter the new upstream gateway address for LAN and press Enter." I am configuring the LAN-side interface, so it doesn't have a separate gateway. And I am not configuring IPv6 on this pfSense firewall at this time, and I do not want to enable DHCP services on this interface. No, I don't want to revert to HTTP. And there we go; so now, if you notice, my LAN-side interface is configured with 172.16.1.123.

So I'm gonna go ahead and open up a command prompt and throw a quick ping test against that IP address, and we see that I can ping my address, my .123. That tells me my pfSense server interface is configured correctly; it's responding on the network. I'm gonna go ahead and open up my web browser and navigate to https:// and that IP address to actually access the pfSense web interface. And you can see here, again, you have the disclaimer: this is not for commercial distribution, do not try to sell it as your own. I'm gonna go ahead and accept that, and I'm going to walk through the setup wizard, which you probably got prompted with when you first logged into the system. Go ahead and ignore the "default password" error message at the top; we'll address that here momentarily. Let's go ahead and go through the pfSense setup. They have global support available 24 hours a day, 7 days a week, that you can procure from Netgate.

And here is the general information screen. So the hostname of my server, as we talked about before, is going to be the ever-so-creative pfSense01. I do have a domain in my environment (selkie us); you can either leave that set to local, like it was, if you do not have an actual network domain or Active Directory domain. My primary DNS server in my environment is 172.16.1.42, so I am going to enter that here. Your primary DNS server may be a DNS server out on the Internet or from your service provider. That is the only DNS server in my network, and I am not going to allow the DNS server to be overridden. My time server hostname: I also run my own internal NTP server on .40. I would suggest you go to NTP Pool, I believe it's pool.org, and grab an NTP server that makes geographic sense for your region and input that here. My time zone is Eastern, but I am going to go ahead and scroll up and find my America/Indiana/Indianapolis, since I am just outside of Indianapolis, and hit next.

Now on this screen we're brought to the configuring of the WAN interface. If you are getting an automatically assigned IP address from your service provider, you are going to want to leave this as DHCP, whatever your WAN interface is plugged into on your pfSense firewall; if you're getting an IP address from Comcast, Google Fiber, or whatever the case may be, leave this set to DHCP. For my scenario and this configuration, I actually have statically assigned public IP addresses from my provider, so I'm going to set this to static. I don't need to spoof the MAC address of my WAN interface; my provider does not tie my public IP addresses to a specific MAC. I'm not gonna alter the MTU or the MSS values, but I am gonna get down here and configure my static IP address, and the IP address that I have from my service provider is 97.78.222.142. I'm gonna use my top-end public IP address on this /29 network, and then my upstream gateway, 97.78.222.137. I do not need to set a DHCP hostname; I am not doing a PPPoE configuration; I am not doing a PPTP configuration. I am leaving RFC 1918 networks blocked from entering via WAN; these are your 10., 172., 192. IP addresses. I should not be seeing these on my WAN-side public interface. I'm gonna leave the blocking of bogon networks enabled: block traffic from IP addresses that are reserved but not RFC 1918, or not yet assigned by the Internet authority; they should never appear in the routing table. So if you're seeing traffic coming in your WAN interface from these sources, there is a high probability it's malicious. And we are good to go to hit next. And then my LAN interface, which I configured via the command prompt because I had to configure it in order to access this web page, is already populated in here, my .123 with my /25 subnet mask. And this is why I told you to ignore that error message at the top of your screen, because as part of the setup wizard it asks you to reset your password. I'm gonna go ahead and reset that password here, and next. Now my passwords match. Okay, "press reload to reload pfSense with the new changes"; I'm going to hit that. A reload is in progress, and pfSense is now configured. We can go ahead and hit finish, and we are brought to the main dashboard of our pfSense server.

What you can see here is that we have some widgets on this screen. We have our system information widget here on the left, which is lengthy and has all our system information. We have a services and support widget; I'm going to go ahead and get rid of that one, because I don't pay for pfSense support at this time. And then we have our interfaces widget, installed by default, that just shows the IP address of my LAN and WAN interfaces. If you hit the plus icon up here, you can see that there are other available widgets that you can add to this screen, based on what you want to keep an eye on. I like keeping my traffic graph on this screen, so I can see the network traffic rates on both my LAN and WAN interfaces. I'm just going to go ahead and hit the Save button up here to save this layout, so every time I log in I will be presented with that screen.

On this screen here, the first thing you notice is that there is a version update available. So my WAN-side interface is definitely working successfully, because pfSense was able to reach out to the Internet, phone home to the pfSense servers, and verify that there is a 2.4.4_2 update available. Let's go ahead and walk through the update procedure now, because I always like to start with the latest and greatest software. If you hit that little download icon that was on that screen, it brings you right into the system update. You can see that we are running on the latest stable version; if you are a little more interested, you can run the latest development snapshot, so there will be frequent updates to your pfSense server if you choose to go that route. I do not like to reboot servers once they are up and stable, so we are going with the latest stable version. It shows my current version as _1; it's gonna upgrade me to the _2 version. And if we go ahead and look at our update settings, you can see here that you can disable the auto update; so if you don't want it to check, and you want to just manually come in every three or six months and check for updates, you are welcome to do that. I'm gonna go ahead and hit System Update and hit Confirm, and we get a nice "updating system" status window here that says "please wait while the update system initializes." Please note it does say to not leave or refresh the page, as that may interrupt the update, so stay on this page for the few minutes while the update completes. You can see that it is done and is actually going to reboot the system, and if we check on our console screen, you can see that it actually says "upgrade is complete," and we can validate that it is rebooting the system in ten seconds. If you have a physical machine with a monitor hooked up, you should be seeing this on your monitor; you can actually watch the PC reboot to make sure everything loads successfully. And we can see here that it states that it is upgrading the necessary packages during the reboot process. Okay, we're booted back up, verified here by the console screen that we are back to the "select an option" menu, if we wanted to do some configuration via the console screen. I'm gonna go ahead and log back in to my web administrator with the new password that we set during our configuration, and you can see we're brought right back here to the dashboard screen with the widgets that we added previously, and we now see that the system is on the latest version. We are in good shape.

One of the things I want to do is go to my WAN interface; I'm going to go ahead and disable IP version 6. I do not use IPv6 on my network yet, so rather than just let devices bounce around partially using IPv6, I actually force all my devices to not use IPv6 if I can. And I'm gonna go ahead and save that. Okay, "changes have been applied successfully."

So let's take a quick look at the menus across the top. If you look at the System drop-down here, there are a few different options available. Some of these we already hit during the setup wizard: you can reinitiate the setup wizard; you could come into User Manager and either change your password or define different administrators for this environment; General Setup is everything that we walked through during the initial configuration; Certificate Manager, if you wanted to upload your own HTTPS certificate to this web page so that you don't get the yellow warning next to your lock, you actually get a green lock, you are welcome to do that. Under Interfaces we have our WAN and LAN and any other interfaces you may have on your pfSense firewall. But where things get really interesting is in the Firewall, so let's hop into the Firewall and look at our default rules. You'll notice there are three tabs here under your default rules. There are Floating rules, which, if we come to the pfSense documentation, are advanced firewall rules which can apply in any direction and to any or multiple interfaces; so, more complex rules, where you may want a floating rule that will apply to any interface across your device. I don't do any floating rules in my environment; my rules are all specific to the WAN or the LAN interface.

The first thing you notice here in our WAN interface firewall configuration is that we have a set of rules that we specified during the initial setup, where we are blocking those RFC 1918 networks and we are blocking those bogon networks from sending traffic to our WAN interface on our firewall. And the States column is always interesting, because you can see that we are already getting hits on these rules; things are already starting to hit our firewall on the WAN-side interface.

So there are a couple of concepts when it comes to firewall rules with pfSense. There is, and with most firewalls there is, an assumed block-any-any rule at the bottom of your list. If traffic comes in, it goes through and processes down this rule set to try to find a match, or a reason to let the traffic in; if it doesn't find one and gets to the end of this list, a default block of that traffic is assumed. So you need to put allow rules in here, above the bottom, so that if you have traffic coming in that you want to let in, then that hits that approved rule set. You do not need to create a default block-any-any rule; however, I like to create a block-any-any rule, because from a monitoring and visibility standpoint I want to be able to see what my firewall is actually blocking. And the way to do that is to add a rule that says: block traffic on my WAN interface that comes in on IPv4, leveraging any protocol, from any source to any destination; I want that traffic blocked. The reason I'm creating this rule is because I want to check this little box that says "log packets that are handled by this rule." That being said, the firewall has limited log space; you are going to have a ton of blocked traffic on your firewall. I would suggest turning this on initially as you get comfortable with your firewall, so you can see what kind of traffic you are blocking and what is being blocked, maybe you're doing some troubleshooting; but then you may want to come in here and actually disable this rule, just let the default any-any do its work and not generate tons of logging traffic. But I'm gonna go ahead and create this rule, and this is my block-any-any rule, and I'm gonna go ahead and save this rule and apply those changes. I definitely want that at the bottom of my list, so when I start adding in approved rules above this, I can actually see what's going on.

I'm gonna go ahead and refresh this page (yes, resend data), and you can see that I'm already starting to get hits on my block-any-any; I've had two packets, 80 bytes, come in and hit this rule. Where this is key is if you go into Status and go into System Logs, and in System Logs go to your Firewall. I like to use the dynamic view, because this will actually update and refresh itself. You can see that I am getting a lot of hits on my WAN interface; of course I'm getting hits on my LAN interface, and I don't have any rules set to allow that traffic; but on my WAN interface you can see that I have public IP addresses trying to reach my 97.78.222.142 IP address via TCP:S, and since it's the dynamic view it automatically refreshes. Here's a trick: hit the filter button here in the upper right-hand corner. I'm going to take my public IP address and create a filter that only shows me that destination IP address, the rules that are being hit for that destination IP address. Now I'm getting a filtered view of what is hitting my WAN interface, and you can see why you should have a pfSense server: within minutes of bringing this firewall on, setting this up, and putting my IP address on the public network, I have people that are looking to see if I have an open port 22 SSH server on my network; 23, people looking to see if I have Telnet open; 81, seeing if I'm running any web services on port 81; and just a whole breadth of constant barrage of IP address port scans against your environment. This goes back to that key note: because there's so much of it, you know that this is gonna fill up your log file very quickly, so be careful with logging every one of these; but you can definitely see what a Wild West the public Internet is. This is why we don't put public IP addresses on computers and servers and devices and plug them directly into the network without some kind of filtering in place to protect you.

Normal view is not dynamic; you see that it doesn't automatically refresh, I would have to refresh this manually; but again, my filter, I would have to reapply my filter looking for this particular destination IP address, and now we can see a static list of all the IPs that are hammering at my network. And quite interestingly enough, you can see what rule they're hitting: a lot of these are hitting that block-any-any rule that I created. These are the IPs that were hitting the device before I created the rule, and now that I created the rule, you can see that it's hitting my specific rule. That's why I like having the any-any rule created.

One of the interesting settings here: if you go to Status, and we're in our System Logs, and if we go ahead and look at the Settings screen, there are a couple of things of interest here that I want to talk to. The first thing I want to show you is that there is an option here for logging packets matched by the default block rules in the rule set. This is checked by default; I thought this was unchecked by default, that's why I went ahead and created my own block-any-any. I still do not like default rules; I like to control my rules; I like the traffic to hit my rules. That way I know if I'm doing a good job controlling the traffic successfully on my firewall. But if you don't want to create that default rule, here's where you would control if you want to log all those packets that hit the default block rule set, and if you want to log packets for those two default rules that were set up during the startup process, blocking private networks and blocking bogon networks. This is where you can also increase the log file size. So think about log files: it's going to fill up the log file until it uses all the space that it has configured for that log file, and then it's automatically gonna overwrite the oldest data set. So you'll need to tune and tweak your log file size to make sure you are getting the length of time you want, based on the log files you have. If I want to make sure I'm holding on to 24 hours of log files, I need to come in here and adjust my log file size and keep an eye on my logs initially, making sure that I'm hitting the 24-hour mark, but also knowing that if I have a flood of traffic or a flood of logging details... it's just not that dynamic; I can't actually specify "save 24 hours of rules," I have to control that by specifying a log file size. The space currently used by log files is 9.1 megs; remaining disk space for log files is 24 gigs. That's why I created a little bit larger drive: I went ahead and created a 30-gig drive so I can actually store 24 gigs of log files on my virtual server.

Let's go ahead and go back to our rules. That takes care of our WAN interface for now; I am blocking everything that is trying to come into my network. Let's go ahead and look at my LAN-side interface, and there are a few default rules created. This is your wonderful anti-lockout rule. This rule, if we go ahead and look at it, is for our web GUI that you see here. If you lock yourself out of the web GUI with a firewall rule, you're going to have to come into your console and update that rule via command line to get yourself back into the system; or pfSense is nice enough to create an admin access rule that allows HTTPS access to this server from devices on my local network. You may want to change that; you may want to specify that this rule only applies to a particular source IP address, so that you only allow one internal device to connect to your firewall. I'm okay here with devices on my local network trying to access the firewall; they still don't have the username and password to log in; but definitely secure your firewall from local people trying to access into it. The other rule that is automatically created allows LAN to any. So unlike the external interface, where by default it blocked everything because there was no allow rule, on the LAN side there is still a default block-everything at the bottom of this, but they have superseded this with a default allow LAN to any. So if we go ahead and look at this rule, what this is saying is: the action is pass, which is allow; I am allowing any traffic that comes into my LAN interface on IPv4 with any protocol from any device on my LAN network, which is 172.16.1.whatever, to any destination. So I am allowing all traffic to come from my local devices out to the Internet, and I am not logging this traffic by default. Makes sense, and this is the "default allow LAN to any" rule.

So let me go ahead and show you this in action. I'm gonna go ahead and swap IP addresses and actually make this my live production firewall. So I am going to go to my old firewall and power that guy down, and I just need to come into the LAN interface on my new firewall and change this IP address to .126. Let me make sure this old guy is turned off before I make that change. Looks like that guy's turned off, and I'm gonna go ahead and save these changes, 172.16.1.126, apply these changes. This is always the fun part, because now I lose access to my web interface, because I'm trying to talk to .123; I need to hopefully connect to .126. Go ahead and accept my security warning, log in with my username and password, and I am on pfSense01. This tells me I am on my new firewall. Back to our rules. Because of my default LAN rule of allow any-any, all my local Internet traffic is now able to get out to the Internet, so I should be able to bring up a web page here, go to msn.com, and lo and behold, I have Internet access. And you can see that I am processing traffic that is hitting this rule. I'm gonna go ahead and delete this IPv6 rule while I'm in here, because I am not using IPv6 on my network, so I don't really want an allow rule for IPv6 at this time. That is your default rule set: if you simply just want all your devices on your local network to access out to the Internet, so be it. You can see it's chugging away here, 2.84 megs of traffic, because it is hitting this rule. I'm gonna go ahead and enable logging on this rule, so that you can see what impact that will have on my system. So if I enable logging and apply those changes, and come to my Status and go to System Logs, Firewall, dynamic view, you can see, once this refreshes here (I'm gonna go ahead and make this easier to see and go to my filter, and I just want to show all passed traffic), all this traffic that is sourcing from devices on my local network going out to the Internet: looking for DNS servers, looking for websites, looking for the games and applications that are out on the Internet. All that traffic is being allowed by default.

You guys know me, I do not like anything going by default, so I am going to come into my firewall rules, my LAN side, and guess what I'm gonna do here: I'm going to delete this rule, because I do not want things to just magically access out to the Internet without me knowing about them. What I've done here is I've taken out that allow rule, so now my LAN-side devices are coming through looking to get out to the Internet, they are not hitting a rule that allows them to get out to the Internet, so they are hitting the default, the implicit deny rule. And if I come back to my Status and look at my System Logs and look at my Firewall and look at my dynamic view, you can now see that all my LAN-side traffic is no longer passing; it's full of red Xs. If I click on the red X, it is hitting the default deny rule on my LAN-side interface. So now that I've taken the default any-any rule out of my configuration, on my computer, when I try to go to that same msn.com website that I was able to access before, you can see that I can no longer pull up that web page. And if I come into my System Logs and use my filter on my firewall to actually look for the source IP address of my computer and apply that filter, you can see that my HTTP traffic to these websites was actually blocked by the default deny rule to this destination. So that is why I like the combination of logging and poking specific devices' access through the firewall. If I have a server or an application that is struggling to get out, I can come in to my firewall, filter the IP address of that particular internal device to see what it is trying to communicate to, and then make the decision if I want to allow it out; and if I want to allow it out, I can go into my LAN-side rules and create a rule to allow that device out, and everyone's happy. And then over time you'll have a nice collection of rules that you have set up for allowing your devices to communicate however they need to communicate. If they want HTTP, if they want web access, you have to give them 80 and 443; if you want to give your device completely open, unfettered access to the Internet, just go ahead and add that device and allow it complete access out to any destination.

So we're gonna go through a couple of those. I'm not gonna reconfigure my entire firewall here for you guys, but I'm gonna show you a couple of examples of what I do. If I go back to my Firewall, into my Rules, on my LAN side, here's what I'm gonna do first. I'm gonna go ahead and set up a rule at the bottom that blocks traffic on the LAN interface with any protocol on IPv4 from any source to any destination. I want to log it so I can see it, and this is my "LAN block any any" rule, and I'm gonna go ahead and save that and apply that. And I'm gonna go back to my WAN interface and rename the description on this rule to "WAN block any any," just so that I have a quick description of what that rule is for.

Okay, back to my LAN side. So right now I am allowing web access to my firewall from the inside network; I am blocking all traffic to get out to the Internet. So if I try to go to google.com, that page cannot be displayed. The first thing I want to do, since it's my computer, I want to allow myself unfettered access to the Internet; that's the joy of being the firewall administrator. I'm gonna add a rule to the top of the list on my LAN side, and I'm gonna allow, I'm gonna pass the traffic that my LAN interface receives, using IPv4, for any protocol; for my source, instead of any, I'm gonna set it to single host, and I'm gonna put in my specific host address; I'm gonna allow my traffic to go to any destination on the Internet; I'm gonna go ahead and log the packets that are allowed by this; and this is my "allow Steve to access everything." And we're gonna save that, and we're going to apply that. And you can see that it nestled this rule right in between, under our default anti-lockout rule, which should always stay at the top, because it won't let you put a block rule above your anti-lockout rule; that's why it's called an anti-lockout rule. So my traffic comes in the LAN interface and goes through these rules from the top down: is it trying to access the firewall web interface? No, it's not; on to the next rule. Is this 172.16.1.100, and is it trying to access the Internet? Yes; great, I was told to allow it. If it doesn't hit that, then it goes down to our block rule for every other device on my network, which right now is unable to get out to the Internet. I should be able to load google.com. That is our first interesting sort of live troubleshooting test: if you saw there, I was not able to access the Internet, and I'm thinking, what the heck, my firewall is set to allow my web traffic out to the Internet; why is it not getting out? That is because my DNS
server when I try to go to MSN comm or Google com my computer is hitting a local DNS server that local DNS server is trying to go out to the Internet to resolve the IP address for google.com or MSN comm and it can't get out to the internet because of my current rule set so I need to come back to the land side interface and I need to add a rule that allows we can see that my DNS server is trying its damnedest to get out to the Internet to do dns resolution for the devices on my network it is trying to use port 53 with UDP protocol in order to do dns lookups and I am blocking it at the firewall so I need to come into my rules on my land side and add a rule that says allow land side traffic ipv4 we saw that that was UDP traffic and I am going to add my specific host my dot 42 DNS server but I do not want it to have access to any destination I wanted to have access to a single host you saw it was trying to use Google's 8.8.8.8 DNS server and let's go ahead and law packets that hit this rule and save it and apply it and now look at that lo and behold I can load a web page so two things I need to needed to make Internet traffic happen I needed to allow this device that I'm on access to the Internet via port 80 or 443 to access web pages however as a pre step I needed to allow my DNS server out to the internet to actually do dns resolution so a little two-step process on that one you got to see a little live troubleshooting of that oh crap moment when I assume my internet traffic was going to go out and it didn't we are definitely good to go now I'm gonna go back in and actually edit this rule let me give this description a description of this is this is DNS server outbound DNS access I'm giving my DNS server the ability to go out and look up IP addresses for me and we can see that it is chugging away doing dns resolution for not only me but everyone else on the network this is the concept of pin holes in your firewall just this is the least accessible access method I'm 
going to come in and configure each device or set of devices to have the minimum amount of access they need out to the internet in order to do what they're trying to do. So I'm allowing this DNS server DNS access; I'm gonna allow my email server access just to SMTP port access, to be able to send emails out of my network. You can go ahead and rinse and repeat this and take this forward to the rest of your devices in your network.

How do you keep this from getting so messy, where I have a rule for every device on my network? That is where we get into aliases. Aliases allow you to create a group, right? If I have 10 devices on my network, .100, .101, .102, I can come in here and make a rule for every device individually, even though most of those devices are going to need the exact same access out to the internet. So I'm gonna show you one thing I do here on how I group addresses together to create a rule that will apply to all of them. I have a network range that all my wireless devices get assigned to, and let me look that up: that is 172.16.1.50 through 172.16.1.69. So I could come in here and create a rule for .50, .51, .52, but that would be a major pain in the ass. I'm gonna come into my Firewall, Aliases screen, and you can make an alias based on IP addresses, ports, URLs, or all the above. I'm going to make an IP alias for my internal DHCP clients. I do not control access from my wireless network; our devices that use Wi-Fi are allowed to have unfiltered access to the internet. So this is for description... the name, you can't have spaces, so this is going to be "InternalDHCPClients"; in my description, this is the DHCP wireless clients. And these are going to be, you can see I can specify hosts, network IP addresses, ports, or URLs. I am going to put a host, because I am NOT putting my entire network in here. So I am going to put in 172.16.1.50, and you see that we can use an IP range, through 172.16.1.69, and this is our DHCP clients. And I should be able to save this, and you can see that it took my dash and actually, for a value, it specifically wrote out each additional IP address. If I come back into my edit screen, you can see that now I have a laundry list of individual DHCP clients. So if you mess something up, just delete the entire alias and recreate it.

Now when I go to my Firewall Rules, on my LAN side, I want to give access to that entire range to get out to the internet. So I'm going to add at the top a rule that is going to pass traffic on my LAN interface, protocol any. For my source I come in here and pick single host or alias, and in the source address field you start typing the name of the alias. This was, what did I call that, DHCP, "InternalDHCPClients". So it automatically populates your list of aliases, and I'm saying my source is any IP address in that alias list, and my destination is any; they can access anything they want on the internet. I don't want to log packets for this rule, because they're gonna generate tremendous amounts of log files. I don't expect to have to do any troubleshooting, because they have access to everything, so if they are not able to access stuff, that means they're hitting a block rule, which is already being logged; they're not going to be hitting the pass rule. And this is my "Open access to the internet for wireless clients". I'm gonna save this and apply this.

One of those devices on the network is my cell phone, so I'm gonna go ahead and bring up my cell phone here. I'm gonna go into my Settings and my Wi-Fi and actually look at what my IP address is. So my iPhone has a .54 address. I'm gonna go ahead and open up my browser and I'm gonna go ahead and try to hit a website and validate that I have internet access. I do, so I am confident that my wireless devices are hitting this rule and getting out to the internet. You notice here I am NOT logging that rule, and as such I don't have the little icon here that shows that traffic is being logged. So that's a visual way to just tell what traffic you are logging. If I was troubleshooting something, maybe I would come in here and just turn on logging temporarily and see what's going on, and then turn it back off so this traffic doesn't flood my logs, from a logging standpoint.

Okay, so you saw a couple concepts here. You saw taking a single host and allowing it any-any access to the internet. You saw us taking a specific host and allowing specific port and protocol type traffic out to the internet, where we just allowed our DNS server to only do DNS services; if this server tried to go out and access a web page, it would be denied, because it only has access to a single destination. And then you saw us use an alias to create a simple rule that would contain a collection of IP addresses. So one thing I'm definitely gonna be doing over the next couple of days is coming into my firewall and massaging the LAN-side rules as I come across devices that are wanting to get out to the internet, something maybe I need to recreate from my old firewall, because I don't just want to bring in all the old dirty rules.

Okay, so let's talk a little bit about allowing traffic now into the network, from the WAN side to the LAN side. So this will come into play if you are running your own web server, if you are running your own Plex server and want to allow clients or devices on the internet to have access into your network to access a specific device or application. Be careful with doing this, because you do not want to let random people from the internet access certain devices in your network, so do what you can do to control what you need to allow in from a WAN-side interface. But I am going to, for the sake of an example, I am going to walk you through NATing, or allowing traffic from the internet to a specific device on our network on a specific port. Instead of being on our LAN-side rules, let's go ahead and start on our WAN-side rules. What we are doing is, we know what our WAN IP address is, right? Our WAN IP address is this 97.78.222.142, because that is my WAN-side interface. That is the IP address I need to access if I'm out on the internet and want to talk to a device that is back on my home network. So how do I take a specific port, say I have a web server that's running on port 443, and I want to allow access to that website to people that are on the internet, or to me when I'm on the road? I am going to come to my Firewall Rules and create a WAN-side rule that is going to allow that traffic in. I'm going to add a rule at the top of the list that is going to pass traffic that comes to the WAN-side interface using IPv4. I am NOT going to set this to any, because again, you need to be careful with rules that are coming into your network. I only want to allow TCP traffic to this specific port. You have to think about what is the source and what is the destination. In this scenario, the source is actually devices on the internet, and I don't know what their IP address is going to be, so I have to allow any source. When I take my iPhone out onto the cellular network, I have no idea what IP address Verizon is going to give me for my device, so I have to allow any device into this destination. My destination, you're going to want to set this to single host or alias, and for the destination address you want to set this to the specific device on your network that you want to allow access to. So for the sake of this scenario, I'm going to allow inbound access to 172.16.1.2; this is a device on my network. Again, be careful with letting any-any for a destination port; that means I can access any port on that destination server. If you are hosting something on the internet, you should know exactly what port that device needs to communicate on, and only allow that port or group of ports through to that device. Mine is not a default service in the default list, so I'm going to select Other, and I am going to let through port 32400. What I am saying here with this rule is that if any device on the network comes to my firewall and says, hey, I want to talk to the server using port 32400 via TCP on your public IP address, my firewall is going to take that and allow that traffic into this specific internal device on my network. You definitely want to log packets that you're letting through the WAN side of your firewall, so you can see who is accessing your inside rules. And for a description, this is going to be "Access to server 172.16.1.2 and its XYZ application". We're going to save this and we are going to apply this, and you see that our rule went automatically above our default block any-any. And that takes care of the rule that says allow traffic to this device.

However, NATing devices like this is a two-step process. The first part is we need the rule to say allow this traffic. The second part is you need to come into your Firewall, to your NAT rules, and tell pfSense: if you get traffic on this source looking for this port, forward it to this destination server inside my environment. This is handy because you actually can map different ports to different servers in your network, so you can get very creative and pretty complex with your NAT rules. I'm gonna go ahead and add a NAT rule here that says if you receive traffic on my WAN interface, and it is using the protocol of TCP, and it is on the WAN address, and it is looking for a destination port of 32400, redirect that traffic into the 172.16.1.2 device that I created the rule for, that I want that traffic to ultimately go to. The redirect target port is pretty interesting, because you may, if you have three servers that leverage the exact same TCP port, you have three servers inside your network, .2, .3, .4, that all use port 32400, I can actually take a different source port and redirect it to a different internal port. A little bit more advanced configuration, but then I could access one server on the same IP address using port 32400, 32401, 32402, and tell my pfSense to redirect that to the appropriate client. For this scenario I'm just doing a one-to-one NAT: I'm taking WAN traffic looking for port 32400 and sending it to my destination server on port 32400. This is for XYZ application; always give it a description. NAT reflection: use system default. You can add an associated filter rule; I don't do that, I like to create my filter rules manually, as you saw in step one. So I'm gonna hit None on that and hit save. "This is not a valid redirect target port"; I must have mistyped something. Oh, redirect target port: Other, 32400. So take the source traffic on 32400 and send it to my destination on 32400. I don't want to add an associated filter rule, and I apply this. That is your two-step process for opening ports on your firewall for inbound traffic to access applications.

Now when I go to my phone and I turn off my wireless, so that I'm sitting on the internet instead of my local network, I can actually pull up that server on my IP address, port 32400, and boom, there's my web page. Again, we are logging from a troubleshooting standpoint; this is why we're logging our associated rule for that NAT. So you can go out now and try to access your server from the internet, check your firewall logs, look for traffic coming in on this specific port, see if it's being blocked, see why it's being blocked, sort out your port rules. Hope that helped you guys out there, talking through the "how do I open up specific ports on my firewall to allow inbound traffic to my network."

We are going to get a little bit more advanced here now for this next step. The scenario here is that I have an Xbox console, and in order for me, on the NAT screen, to get an open NAT when I try to join other people in video games, and not get a restricted NAT, or there's like an in-between on the Xbox where it's like I can get some stuff through but I can't get all stuff through, we are going to go ahead and show you how to NAT the ports to your gaming console. I'm gonna go
ahead and delete that rule, because I don't actually use port 32400 for that application; I just wanted to use that in this example. When I clean up my firewall after this video, I'll continue to add in the actual ports for the applications in my network that I do host out.

We're gonna go ahead and map an Xbox console, and we're gonna do a couple sweet things here. One, I have five public IP addresses from my service provider. Just opening ports from my public IP address to my Xbox One does not get me an open NAT by default, because I may have other devices on my network that need to use those ports. In order to get a truly open NAT on my Xbox or PS4, I need to make it look like my device is sitting on the public internet with a public IP address, with completely open access. Again, that's a terrible thing to do; you do not want to put a public IP address on your gaming console and just make it susceptible to all sorts of hacking. You want this firewall sitting between your game console and the internet, but I want the internet to think my console is sitting directly on the internet. So how do I do that? This is gonna be a lot of fun. We're gonna leverage a couple concepts of what you've already seen. You've seen us use aliases, so we're gonna set up an alias that contains the ports we need for the Xbox gaming console to communicate openly on the internet, from an inbound access standpoint. Because we need that to be inbound access, we need to create a WAN rule that allows that traffic inbound to the network, down to my Xbox gaming console. And lastly, we need to NAT the Xbox gaming console to its own public IP address, so that it has its own communication chain in and out of the pfSense firewall. I'm gonna use the Xbox gaming console as the example; this could obviously be any device on your network that you want to simulate sitting on the public internet with its own IP address, but yet have the logging and control plane of pfSense sitting between that device and the internet, blocking all the ports you don't want open access to.

The first thing we need to do is come into our Firewall, and let's talk through Virtual IPs. Virtual IPs are ways to add additional public IP addresses to your pfSense firewall. You can't just magically go on here and start creating public IP addresses and adding them; these are IP addresses you have to have from your service provider in order to make them work. As I mentioned, I have five; we use one of them on our WAN interface. So I am going to come in here and create an IP alias that sits on my WAN interface, that is a single address, and I am going to use the next available IP address in my public range. You saw I used 97.78.222.142 for my firewall WAN interface; I'm gonna go ahead and set up .141 here to use for another device in my network. This is a /29 network. I don't have a virtual IP username and password, I'm not worried about the VHID group; these would be additional settings from your provider, advertising frequencies, through to description. And this is going to be "Xbox gaming console". We are going to save this and apply this.

Okay, that alone does nothing, right? That first step, all I did was identify the IP address to my pfSense that says, hey, I have this additional public IP address, let's go ahead and use this additional IP address on the WAN interface of my pfSense firewall. Where the magic happens is you need to come into your Firewall NAT settings. What we need to set up first is our Outbound NAT. For those of you that aren't familiar with this Outbound NAT screen, I'll try to do it a little justice here and give an overview of what is going on here. Okay, by default this is set to Automatic mode; that way it does automatic outbound NAT rule generation. The first rules that are created here are NAT rules, auto-created, that say any device on my local network, 172.16.1.0, going from any source inside my network to any destination on the internet, to any destination port, NAT that device's communication to the default WAN address. But you know that WAN address here is sort of the default; that is the IP address we set on our WAN interface. This is automatically created, so when I go to "what is my IP address" in my browser, you can see that the internet thinks my IP address is 97.78.222.142, because that is the address of my WAN interface. Does that make sense? Any device on my local network is automatically being NATed to this public IP address; that way I can have a hundred devices on my internal local network accessing the internet using that single public IP address. I don't need a public IP address for every device on my network, because we would quickly run out of public IP addresses.

In order to NAT a specific device to a specific public IP address, you need to change this setting to Hybrid Outbound NAT. We want the automatic outbound rule here created for the rest of my general-purpose network, but I want the ability to add in my own specific outbound NAT rules. So the first thing I'm gonna do is change this to Hybrid and save this and apply this, so that I can now come in here and create my own custom NATs. The first thing I'm gonna do is create a mapping that says NAT this on my WAN interface; this is an IPv4 address; I want this device to be able to use any protocol; however, my source is not the entire network, it is a specific device, 172.16.1.95/32. Okay, what I am saying here is that the device on my network that uses the IP address of 172.16.1.95, do not use that general public IP address and NAT to this general .142 that all my devices use; go ahead and use this specific 97.78.222.141. NAT this one specific device to this one specific public IP address, so that on the internet, anyone that's talking to my Xbox gaming console responds back to me on this .141 address, so that I can tell my firewall to specifically take that traffic and pass it back into my Xbox. For a destination, I don't care what the destination is, like I never know what IP address is going to be talking to it, so allow everything, and I'm not defining a specific port or range. And this is my "Xbox One X NAT", and I'm gonna save this, and we're gonna go back to the rules... I'm gonna apply this. So now I have my automatic general-purpose NAT down here, leveraging my first public IP address, and now I have my specific one-to-one outbound NAT for my Xbox gaming console.

The other thing I need to do, again a multiple-step process, is come to my NAT 1:1 mappings and add a one-to-one mapping for my WAN interface with my IP address of 97.78.222.141 down into the 172.16.1.95, again single host, on any destination, and this is my "Xbox One X NAT". And we're gonna use system default for the NAT reflection. This applies more towards the external traffic coming in, right? From an outbound standpoint, my Xbox One is going to talk on the internet using this specific IP address; for return traffic, anything coming to this external IP address should be routed back down to the internal IP address of .95. So I have associated both my outbound communication and my return internal communication back to the Xbox One gaming console, or to whatever device you're trying to do a one-to-one NAT for.

The last thing I need to do is come into our Firewall. Right now on our WAN interface we do not have a rule that allows any traffic to go down to that device. Any traffic that comes back to our 97.78.222.141 IP address looking for the Xbox game console is currently going to be blocked, because our firewall rule on our WAN side says to block that traffic. So the third step, and the last thing we need to do, is open up the specific ports that we are going to allow inbound to our Xbox One gaming console. And how are we going to do that? Are we going to create an individual rule for every port we need open? No. We're gonna go back into our Aliases. Apparently I had some changes that need to be applied. We are going to create a port alias group for the Xbox gaming console, and here is the definitive list of ports you need to get
open NAT on an Xbox gaming console. So we're going to call this our "XboxOneXPorts" alias, and this is "Ports needed for open gaming on Xbox", and here is the laundry list of ports we need: we need 53, we need 80, we need 88, we need 500, we need 3074 through 3080, and we need 3544, and we need 4500. And we're gonna save that and apply that. So you can see we need 1, 2, 3, 4, 5, 6 specific ports opened up, and these 6 additional ports I shortcut in; rather than typing 74, 75, I created a little port range here using the semicolon. Now we can go to our Rules and go to our WAN-side interface rules and create a rule that says any traffic received on our WAN interface, on IPv4, with any protocol, from any source, from anybody on the internet, that wants to talk to this single host or alias. The key here is you put in the internal IP address. When I first did this, I put in the public IP address here and couldn't figure out why it wouldn't work. In your rule set here on your WAN interface, you need to actually put in the internal IP address to allow traffic down to this IP address. And we do need to set the protocol to TCP/UDP so that we can get our destination port range option here, and for this port range we are typing in our alias for this collection of ports. And this is our "Xbox One X allowed inbound", and we do want to log these rules, and we want to save this and we're going to apply this.

One thing I almost forgot to do with that Xbox: it has inbound access, but it does not have outbound access, so I do need to add a rule that allows access from that internal IP address. I still need to give this device outbound access to any-any, and this is "Xbox One X outbound allow all", and let's go ahead and log it. Basically what I did there is I allowed the Xbox One X to talk out to the internet. I set up all the rules for the inbound traffic, created the NAT, but forgot to allow the Xbox One to actually talk out to the internet. And I'm gonna actually change that: if I'm doing an any-any rule, I like setting the protocol to any as well, just to give that device full outbound, unfettered access to the internet.

That is all you need to do in order to get open NAT on your Xbox gaming consoles. Please note this is tested and true with Xbox One X. I no longer have Xbox 360s, so I'm not sure if it's the exact same set of ports, but I have an Xbox One X, I have an Xbox One S, and the original Xbox One, and they all function with open NAT when they go to their network test screen on the Xbox, leveraging these three key steps. And let's recap: we created a virtual IP address identifying the public IP address that we're going to ultimately use for the Xbox gaming console; we created two NAT rules, one outbound, to force the Xbox to use this public IP address in its outbound communication, and then we created a NAT between that IP address and the internal IP address of the Xbox, so pfSense knew where to send the traffic to; and then lastly, in our rules, we created the allow rule to allow the traffic for these ports into our network, and we're logging those so we can keep an eye on those. You can then go into your Status and your System Logs and watch the traffic flow in on these ports. You will also see traffic blocked on the other ports, because again, there's tons of malicious people out there looking for open ports, and they're scanning them all day long. This is the safest way to allow a device public communication inbound and outbound on your network: allow just what you need through, because you feel that that is safe and secure, and block everything else, so that you're not letting malicious traffic through. That is how you one-to-one NAT an internal device to a public IP address. Hope you like that. Now, we used the Xbox as an example, but obviously this can apply to your file servers, your mail servers, your internal DNS servers, whatever applications you need to expose on the internet with a true one-to-one NAT; these same rules will apply, you'll just be changing the ports that you're allowing in, maybe creating a little bit different alias on your network.

The other cool tool here is the Traffic Graph screen. So if you come into Status and Traffic Graphs, you can see that you can monitor the high-level bandwidth that's coming in and out of your network. The thing to note here is that under Traffic Graph you have your WAN and LAN interfaces, so if I want to see what is going out or in based on my LAN IP addresses, I'm going to turn this to Bandwidth Out, and I want to display it by IP address. You can see that I have these devices, and this will dynamically update and refresh with what devices are talking in and out of the network. On the flip side, if I want to look at my WAN and my Bandwidth In, I can see that there is a particular... this is where that NAT rule comes into play, right? .142 is my general-purpose NAT, so I have multiple devices that are leveraging this IP address to talk in and out of my network. I can see that I have spikes upwards of two megs of traffic; I would have to flip to my LAN-side interface to see what device is actually using that traffic. And you can see I have a collection of devices that are now accessing the network; this .61 device is probably watching some videos and pulling in chunks, two megs at a time. So this is a handy screen to know what is going on.

The other thing I definitely like to hit, regardless of what type of system I'm setting up, is always talking about backups, because technology fails, hard drives die, systems crash, things need to be rebuilt. So come into your Diagnostics screen; there is an option for Backup & Restore. I recommend you run a backup of all areas. You can download this configuration file, and every time you make a lot of configuration changes to your firewall, as your last step you should go ahead and hop in here and download the latest configuration file. That way, if you need to rebuild it, you get your pfSense stood up, you import that configuration file, and all the rules and NATs and ports and forwarding that you created in this guy are going to be ready to go, without you having to reinvent the wheel.

Okay, the last thing I want to hit here on our pfSense firewall are the packages, from a package manager standpoint. So there are additional tools and utilities that you can run on top of pfSense to either give you further visibility or additional security options that are outside the scope of what pfSense is meant to provide. So if you come into System and go to Package Manager, you see that I do not have any additional packages currently installed, but if I go to my Available Packages screen, you can see that there is a list of third-party packages that are supported by pfSense, from an ability-to-install standpoint, that are displayed here. One of my favorite ones is Open-VM-Tools. As you saw, I created a virtual machine to run my pfSense on, so there is no way to go into the core FreeBSD of pfSense and manually install VMware Tools, so you're gonna want to come in here and install the VM Tools package. I'm gonna hit install on this now so you can see how this works, but it is an extremely straightforward process. We're just confirming that we want to install it, and we get our little window here, "Please wait while the system initializes", our status bar of that package actually being installed, and it turns green, and within a few seconds here we should... "pfSense VMware Tools was successfully installed", and we are good to go. I should be able to come to my VMware environment, and you can see now that I am running VMware Tools inside this guest, which should make the processor and RAM, from a virtualization standpoint, run more effectively. Let's go back to our Available Packages. What's nice about doing it through the Package Manager is that when there are updates to these packages, it will bubble up and you'll be able to update to the latest packages.

The other one that I really like, and that I will be installing, is pfBlockerNG. This is a robust tool for more advanced abilities to block traffic. The reason I use this is for two things. The GeoIP database by MaxMind: when you install this, you will quickly be able to create rules on your firewall that block entire geographic regions, right? The internet database keeps track of which countries have which blocks of IP addresses, so even though I am opening up, say, port 443 to allow internet access to my web server for my web page, I really don't want anyone from, let's say, Russia accessing that web server. So I can install pfBlockerNG and quickly create a rule that blocks all IP addresses from Russia. That is pretty much a low level of security, but it takes care of a lot of the low-hanging fruit, because most good hackers are going to proxy into another country or use a device they already hacked in the United States to try to hack your device. So it's not a cure-all, but it is an additional level of protection that you should have on your firewall, to make quick geographic block rules based on country of origin. The other one I really like is there are reputation lists in there. So there are websites and companies that keep databases full of known bad, malicious IP addresses; once your IP address gets on that, because you're running ransomware servers, you're a known spammer, your source IP address gets put into a reputation list, and you can download those reputation lists and quickly create block lists based on blocking bad people on the internet. Again, it's a very simple process: hit install. I may do a separate video specifically on pfBlockerNG, because there is a fair amount of configuration to it for setting up the rules.

I hope you enjoyed our video today. If you liked it, please hit that subscribe button on our webpage; I appreciate every subscription you guys throw my way. If you want to get alerted when we post new videos, hit that post notification bell on the web page and you'll get an alert every time we either go live on YouTube or post a new video. Thanks for watching.
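A worked model of the rule evaluation walked through in the video, added by the editor; it is not the video's own configuration or pfSense code. It encodes the LAN and WAN rules, the DHCP-client and Xbox port aliases, the port forward to 172.16.1.2 and the Xbox 1:1 NAT as described, and evaluates sample packets the way pf does: inbound NAT first, then the interface's rules top down, first match wins, implicit default deny at the end. The anti-lockout ports, the external source and destination addresses, and the lo:hi colon syntax used for the port range (pfSense's port-alias range syntax) are assumptions of the example.

```python
"""Model of how pfSense evaluates the rules built above: aliases expanded to hosts and
ports, first-match filtering with an implicit default deny, and inbound NAT (port
forward or 1:1) applied before the WAN filter rules. Editor's example, not the video's."""
import ipaddress
from collections import namedtuple

ANY = "any"
Packet = namedtuple("Packet", "iface proto src dst dport")
Rule = namedtuple("Rule", "action iface proto src dst dport descr log", defaults=[False])
# A port forward names a dport and a target port; a 1:1 NAT uses ANY and keeps the port.
Translation = namedtuple("Translation", "iface proto dst dport target target_port",
                         defaults=[None])

def expand_alias(entries):
    """Expand host and dashed-range entries into a set of address strings, the way
    pfSense writes 172.16.1.50-172.16.1.69 out as twenty individual hosts."""
    hosts = set()
    for entry in entries:
        lo, _, hi = entry.partition("-")
        lo, hi = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))
        hosts.update(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
    return hosts

def expand_ports(entries):
    """Expand a port alias; a range is written lo:hi (assumed pfSense range syntax)."""
    ports = set()
    for entry in entries:
        lo, _, hi = entry.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _hit(spec, value):
    """ANY matches everything; a set is an expanded alias; anything else is exact."""
    return spec == ANY or (value in spec if isinstance(spec, set) else value == spec)

class Firewall:
    def __init__(self, rules, translations=()):
        self.rules, self.translations = list(rules), list(translations)

    def evaluate(self, pkt):
        """Inbound NAT runs first, so a WAN pass rule must name the internal (post-NAT)
        destination. Rules are then tried top down, first match wins, and a packet
        matching nothing hits the implicit default deny."""
        for t in self.translations:
            if (t.iface == pkt.iface and _hit(t.proto, pkt.proto)
                    and _hit(t.dst, pkt.dst) and _hit(t.dport, pkt.dport)):
                port = pkt.dport if t.target_port is None else t.target_port
                pkt = Packet(pkt.iface, pkt.proto, pkt.src, t.target, port)
                break
        for r in self.rules:
            if (r.iface == pkt.iface and _hit(r.proto, pkt.proto) and _hit(r.src, pkt.src)
                    and _hit(r.dst, pkt.dst) and _hit(r.dport, pkt.dport)):
                return r.action, r.descr
        return "block", "Default deny rule"

DHCP_CLIENTS = expand_alias(["172.16.1.50-172.16.1.69"])
XBOX_PORTS = expand_ports(["53", "80", "88", "500", "3074:3080", "3544", "4500"])
RULES = [  # LAN rules top down, then WAN rules top down (anti-lockout ports are assumed)
    Rule("pass", "lan", "tcp", ANY, "172.16.1.1", {22, 80, 443}, "Anti-Lockout Rule"),
    Rule("pass", "lan", ANY, DHCP_CLIENTS, ANY, ANY, "Open access for wireless clients"),
    Rule("pass", "lan", ANY, "172.16.1.100", ANY, ANY, "Allow Steve to access everything", True),
    Rule("pass", "lan", "udp", "172.16.1.42", "8.8.8.8", 53, "DNS server outbound DNS access", True),
    Rule("pass", "lan", ANY, "172.16.1.95", ANY, ANY, "Xbox One X outbound allow all", True),
    Rule("block", "lan", ANY, ANY, ANY, ANY, "LAN block any any", True),
    Rule("pass", "wan", "tcp", ANY, "172.16.1.2", 32400, "Access to server 172.16.1.2", True),
    Rule("pass", "wan", {"tcp", "udp"}, ANY, "172.16.1.95", XBOX_PORTS, "Xbox One X allowed inbound", True),
    Rule("block", "wan", ANY, ANY, ANY, ANY, "WAN block any any", True),
]
TRANSLATIONS = [
    Translation("wan", "tcp", "97.78.222.142", 32400, "172.16.1.2", 32400),  # port forward
    Translation("wan", ANY, "97.78.222.141", ANY, "172.16.1.95"),              # 1:1 NAT
]
FW = Firewall(RULES, TRANSLATIONS)

def demo():
    """Replay the video's scenarios; the external addresses are made up."""
    cases = {
        "steve_https": Packet("lan", "tcp", "172.16.1.100", "13.107.42.14", 443),
        "dns_server_udp53_to_google": Packet("lan", "udp", "172.16.1.42", "8.8.8.8", 53),
        "dns_server_https": Packet("lan", "tcp", "172.16.1.42", "13.107.42.14", 443),
        "phone_in_dhcp_alias": Packet("lan", "tcp", "172.16.1.54", "93.184.216.34", 443),
        "wan_forward_32400": Packet("wan", "tcp", "198.51.100.7", "97.78.222.142", 32400),
        "xbox_udp3074_via_1to1": Packet("wan", "udp", "198.51.100.7", "97.78.222.141", 3074),
        "xbox_tcp445_via_1to1": Packet("wan", "tcp", "198.51.100.7", "97.78.222.141", 445),
    }
    return {name: FW.evaluate(pkt) for name, pkt in cases.items()}

def misconfigured_wan_rule():
    """The mistake called out in the video: a WAN pass rule whose destination is the
    public IP never matches, because the filter sees the post-NAT address 172.16.1.2."""
    bad = Firewall([Rule("pass", "wan", "tcp", ANY, "97.78.222.142", 32400, "wrong dst"),
                    RULES[-1]], TRANSLATIONS)
    return bad.evaluate(Packet("wan", "tcp", "198.51.100.7", "97.78.222.142", 32400))

if __name__ == "__main__":
    for name, (action, descr) in demo().items():
        print(f"{name:28} {action:5} {descr}")
    print("WAN rule naming the public IP:", misconfigured_wan_rule())
```

Running it shows the two failure modes from the video side by side: the DNS server's own HTTPS attempt and a TCP 445 probe at the Xbox's public address both fall through to the logged block rules, and a WAN rule written against 97.78.222.142 instead of 172.16.1.2 never matches because the port forward has already rewritten the destination. The same model explains the earlier "oh crap" moment: with only the host rule and no UDP 53 pinhole for .42, name resolution is the packet that hits "LAN block any any".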
Info
Channel: Steven Koselke
Views: 24,863
Keywords: pfsense, virtual pfsense, vmware, NAT, pfsense NAT, virtual IPs, pfsense virtual IPs, port forwarding, pfsense port forwarding, 1:1 NAT, pfsense 1:1 NAT, NAT rules, pfsense NAT rules, system logs, pfsense system logs, package manager, pfsense package manager
Id: Kk9PK-1bI6U
Length: 77min 14sec (4634 seconds)
Published: Wed Mar 27 2019