
Installing and Configuring pfSense 2.4.4-p1 Firewall on VirtualBox 6.0.4 with IPsec Remote Access Mobile VPN and Snort IPS

Author: Mr. Turritopsis Dohrnii Teo En Ming


Country: Singapore
Date Published: 24 March 2019 Sunday
Time Published: 9:00 PM Singapore Time
Document Version: 1.0 (24 Mar 2019)

Objectives
The objectives are to install and configure pfSense 2.4.4-p1 firewall on Oracle VM VirtualBox with IPsec remote access mobile VPN and Snort Intrusion
Prevention System (IPS), according to pre-defined security policies.

Pre-defined Security Policies


1. MAC (Ethernet Hardware) Address of WAN interface is 08:00:27:67:A9:66 (vendor VirtualBox).

2. WAN interface is configured by Dynamic Host Configuration Protocol (DHCP).

3. LAN interface IP is 172.16.1.1.

4. DMZ interface IP is 172.16.2.1.

5. LAN DHCP Scope is from 172.16.1.2 to 172.16.1.254.

6. DMZ DHCP Scope is from 172.16.2.100 to 172.16.2.200.

7. Change OPT1 interface name to DMZ.

8. Change webconfigurator port from 443 to 8443.

9. LAN can access DMZ.

10. DMZ cannot access LAN.

11. LAN can access webconfigurator.

12. DMZ cannot access webconfigurator.

13. Make sure IPsec VPN client (Shrew Soft) connects successfully.

The following three security policies, points 14 to 16, CANNOT be tested with a pfSense firewall in a VirtualBox setup. The pfSense firewall must be installed
on a physical machine for any testing of IPsec VPN security policies to be meaningful.

14. IPsec VPN client cannot access LAN.

15. IPsec VPN client can access DMZ.

16. IPsec VPN client cannot access webconfigurator.

17. Configure NAT Reflection to NAT+Proxy.

18. Install Snort IDS/IPS in monitoring mode and not blocking mode.

19. Add all 3 interfaces for Snort, i.e., WAN, LAN and DMZ.

20. Configure and download all possible Snort rule sets.

21. Enable all Snort rules for all interfaces, i.e., WAN, LAN, DMZ.

22. Configure no file size limit and retention for Snort alerts.

23. Start Snort on all interfaces.

24. Check for Snort alerts.

25. Backup firewall configuration file.

26. Configure port forwarding after the pfSense firewall is deployed on a physical machine.

© 2019 TURRITOPSIS DOHRNII TEO EN MING PAGE 1 OF 101


Detailed Steps
Create pfSense 2.4.4-p1 virtual machine in Oracle VM VirtualBox.

Fig 1

pfSense firewall will need at least 2 GB of RAM. Give the pfSense virtual machine 4 GB of RAM.

Fig 2



Create a virtual hard disk.

Fig 3

Fig 4



Select Dynamically allocated.

Fig 5

A virtual hard disk of 50 GB is sufficient.

Fig 6



Uncheck Floppy.

Fig 7

Give the virtual machine 4 virtual CPUs.

Fig 8



Fig 9

Select the ISO image for pfSense Community Edition 2.4.4-p1.

Fig 10



Virtual network adapter 1 is the WAN interface.

Fig 11

Virtual network adapter 2 is the LAN interface.

Fig 12



Virtual network adapter 3 is the DMZ interface.

Fig 13

Get the “Internet Service Provider (ISP)” to reserve a static IP address by DHCP for your WAN interface.

Fig 14



Fig 15

The “ISP” will apply changes.

Fig 16

Fig 17



Starting the pfSense 2.4.4-p1 firewall installation.

Fig 18

Fig 19



Select Install pfSense.

Fig 20

Fig 21



Select Auto (UFS): Guided Disk Setup.

Fig 22

Fig 23



Fig 24

Fig 25



Fig 26

Fig 27



Remove the ISO image for pfSense 2.4.4-p1 from the virtual machine settings.

Fig 28

Basic installation of pfSense 2.4.4-p1 firewall is now complete.

Fig 29



Begin to configure IP addresses for all interfaces.

Fig 30

Configure the WAN interface.

Fig 31



Fig 32

Configure the LAN interface.

Fig 33



Fig 34

Fig 35



Fig 36

Fig 37



Activate the 3rd interface, OPT1, aka DMZ. Do not set up VLANs.

Fig 38

Fig 39



Fig 40

Configure the DMZ interface.

Fig 41



Fig 42

Fig 43



Fig 44

Fig 45



You cannot access the webconfigurator by the public IP address of the WAN interface.

Fig 46

You cannot ping the pfSense firewall by its public IP address.

Fig 47



Settings of the pfSense 2.4.4-p1 firewall virtual machine in Oracle VM VirtualBox.

Fig 48

Creating a Windows 10 Pro virtual machine and placing it in LAN.

Fig 49



Fig 50

Fig 51



Open the ISO image for Windows 10 Pro.

Fig 52

Fig 53



Fig 54



Fig 55



Ensure the pfSense firewall can access the internet.

Fig 56

Ensure the pfSense firewall can access the LAN interface.

Fig 57



Ensure the pfSense firewall can access the DMZ interface.

Fig 58



Ensure that the Windows 10 Pro virtual machine has 4 virtual CPUs. Otherwise, the Windows 10 Pro virtual machine cannot install.

Fig 59



Fig 60



Ensure that Windows 10 Pro virtual machine has received an IP address from the DHCP server on the LAN interface on pfSense firewall.

Fig 61



Ensure that the Windows 10 Pro virtual machine can access the internet.

Fig 62

pfSense firewall webconfigurator cannot be accessed by its public IP address on the WAN interface.

Fig 63



pfSense firewall public IP address on the WAN interface cannot be pinged.

Fig 64

Windows 10 Pro virtual machine is in LAN. It is able to access the pfSense firewall webconfigurator.

Fig 65



Starting the pfSense firewall Setup Wizard.

Fig 66

Fig 67



Fig 68

Fig 69



Fig 70

Fig 71



Fig 72

Fig 73



Fig 74

Fig 75



Fig 76

Fig 77



Fig 78

Rename interface OPT1 to DMZ.

Fig 79



The 3rd interface is now known as DMZ.

Fig 80

Changing the SSL port of the pfSense firewall webconfigurator from 443 to 8443.

Fig 81



Fig 82

Fig 83



Shutting down pfSense firewall for the night and taking a rest.

Fig 84

Creating Ubuntu 18.10 desktop virtual machine and placing it in the DMZ network.

Fig 85



Fig 86

Fig 87



Fig 88



Fig 89



Ubuntu 18.10 desktop virtual machine has obtained an IP address from the DHCP server on the DMZ interface.

Fig 90

LAN can access DMZ.

Fig 91



Default firewall rules for the LAN network.

Fig 92

Ubuntu 18.10 desktop virtual machine is unable to make outgoing connections because there are no default rules configured for the DMZ network.

Fig 93



Fig 94

Adding a Default Allow rule for the DMZ network.

Fig 95



Fig 96

Fig 97



Ubuntu 18.10 Desktop virtual machine is now able to make outgoing connections.

Fig 98

Windows 10 Pro virtual machine is in the LAN network and has an IP address of 172.16.1.10.

Fig 99



At the moment, machines in the DMZ network are able to access machines in the LAN network, as shown in the following two screenshots. We are going to
create a firewall rule that blocks this.

Fig 100



Fig 101

Default firewall rules for the LAN network.

Fig 102



Default firewall rule for the DMZ network, which was added previously.

Fig 103

Creating a firewall rule which blocks DMZ from accessing LAN.

Fig 104



Fig 105

Fig 106



Now, machines in the DMZ network cannot access machines in the LAN network any more.

Fig 107



Double check to confirm that machines in the DMZ network cannot access LAN network anymore.

Fig 108

Machines in the LAN network are still able to access machines in the DMZ network.

Fig 109



Checking that DMZ cannot access LAN, for the third time.

Fig 110

pfSense 2.4.4-p1 firewall dashboard.

Fig 111



Ubuntu 18.10 Desktop virtual machine, which is in the DMZ network, is still able to ping the DMZ interface on the pfSense firewall.

Fig 112



At the moment, it is able to access the webconfigurator on the DMZ interface.

Fig 113

We are going to add a firewall rule which blocks machines in the DMZ network from accessing the webconfigurator.

Fig 114



Fig 115

Fig 116



Ubuntu 18.10 Desktop virtual machine, which is in the DMZ network, is now unable to access the webconfigurator.

Fig 117
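
The DMZ rules built in the steps above only hold if the two block rules sit above the Default Allow rule, because pfSense evaluates an interface's rules top-down and the first match wins. The following is an added example, not part of the original manual, that models that evaluation for traffic entering the DMZ interface and shows what happens when the order is reversed. Assumptions: /24 masks for LAN and DMZ, the rule destinations (the manual shows them only in screenshots), and all names and probe addresses, which are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: str                     # destination network in CIDR form
    port: Optional[int] = None   # None matches any destination port
    label: str = ""

def evaluate(rules, dst_ip, dst_port):
    """First matching rule wins; with no match the implicit default deny applies."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.dst) and rule.port in (None, dst_port):
            return rule.action, rule.label
    return "block", "implicit default deny"

# Assumed values: /24 masks are not stated in the manual; addresses and port 8443 are.
LAN_NET = "172.16.1.0/24"
DMZ_FW = "172.16.2.1/32"
WEBGUI_PORT = 8443

BLOCK_LAN = Rule("block", LAN_NET, None, "DMZ to LAN")
BLOCK_GUI = Rule("block", DMZ_FW, WEBGUI_PORT, "DMZ to webconfigurator")
ALLOW_ALL = Rule("pass", "0.0.0.0/0", None, "Default Allow")

GOOD_ORDER = [BLOCK_LAN, BLOCK_GUI, ALLOW_ALL]   # block rules above the allow rule
BAD_ORDER = [ALLOW_ALL, BLOCK_LAN, BLOCK_GUI]    # allow rule shadows both blocks

# Constructed probes, all sourced from a host in the DMZ network.
PROBES = [
    ("172.16.1.10", 445),    # Windows 10 Pro VM in LAN
    ("172.16.1.1", 8443),    # webconfigurator via the LAN address
    ("172.16.2.1", 8443),    # webconfigurator via the DMZ address
    ("172.16.2.1", 53),      # other service on the DMZ interface
    ("203.0.113.10", 443),   # constructed internet host
]

def audit(rules):
    """Map each probe to the action the rule list would take on it."""
    return {f"{ip}:{port}": evaluate(rules, ip, port)[0] for ip, port in PROBES}

if __name__ == "__main__":
    for name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name, audit(rules))
```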

Reading Resource for Configuring an IPsec Remote Access Mobile VPN using IKEv1 Xauth

Fig 118



Configuring IPsec Remote Access Mobile VPN on the pfSense firewall.

Fig 119

Click Create Phase 1.

Fig 120



Creating IPsec Phase 1.

Fig 121

Fig 122



IPsec Phase 1 created.

Fig 123

Creating IPsec Phase 2.

Fig 124



Fig 125

IPsec Phase 2 created.

Fig 126



Creating IPsec VPN user.

Fig 127

Fig 128



IPsec VPN user created.

Fig 129

No firewall rules are defined for the IPsec interface by default.

Fig 130



Creating a Default Allow rule for the IPsec interface.

Fig 131

Fig 132



Fig 133

Giving local user the permission to access IPsec VPN server on the pfSense firewall.

Fig 134



Fig 135

Fig 136



Make sure IPsec Phase 1 is using Aggressive negotiation mode.

Fig 137

Make sure private networks and bogon networks are blocked by default.

Fig 138



Fig 139

Fig 140



Configuring Shrew Soft IPsec VPN client to connect to the IPsec VPN network.

Fig 141

Fig 142



Fig 143

Fig 144



Fig 145

Fig 146



Fig 147

Fig 148



Fig 149

Fig 150



Fig 151

Fig 152



Successfully connected to the IPsec VPN tunnel.

Fig 153

IPsec Security Associations established.

Fig 154



Fig 155

Fig 156



The IPsec VPN tunnel looks stable.

Fig 157

Reading resource for configuring NAT Reflection. NAT stands for Network Address Translation.

Fig 158



Configuring NAT Reflection in the pfSense firewall.

Fig 159

Fig 160



pfSense 2.4.4-p1 firewall package manager.

Fig 161

Installing Snort Intrusion Detection System (IDS) and Intrusion Prevention System (IPS).

Fig 162



Fig 163

Fig 164



Fig 165

Adding Snort interfaces, that is, WAN, LAN, and DMZ. These are the interfaces for Snort IDS/IPS to monitor.

Fig 166



Adding the WAN interface for Snort IDS/IPS.

Fig 167

Adding the LAN interface for Snort IDS/IPS.

Fig 168



Adding the DMZ interface for Snort IDS/IPS.

Fig 169

All 3 interfaces have been added for Snort IDS/IPS.

Fig 170



Configuring Snort IDS/IPS Rules.

Fig 171

Fig 172



All possible Snort IDS/IPS rulesets have been enabled.

Fig 173

Updating Snort IDS/IPS detection signatures/rules.

Fig 174



All Snort IDS/IPS detection signatures/rulesets have been downloaded and installed successfully.

Fig 175

Enable all Snort rules for the WAN interface.

Fig 176



Fig 177

Enable all Snort rules for the LAN interface.

Fig 178



Fig 179

Enable all Snort rules for the DMZ interface.

Fig 180



Fig 181

Default Log Management settings for Snort IDS/IPS.

Fig 182



Configuring Snort IDS/IPS Log Management Settings.

Fig 183

Starting Snort IDS/IPS engine.

Fig 184



Now that the Snort IDS/IPS engine is up and running, you can look for intrusion alerts.

Fig 185

pfSense 2.4.4 Patch 1 firewall Dashboard.

Fig 186



Fig 187

Backing up the firewall configuration.

Fig 188



Fig 189

Fig 190

===END OF MANUAL===

