pfSense Install and Configuration Experiences

by Dan Strom on August 11, 2010

I finally had some “heads down” time with pfSense this past weekend. Normally I would be outside working like a dog on a Saturday, but with the temperature closing in on 100F, I chose to stay inside and take advantage of the A/C.

If you don’t know what pfSense is, I would suggest that you take some time at their website – http://www.pfsense.org

Here’s a brief description of how I intended to use pfSense in a non-profit environment.

[Figure: net.jpg (network diagram)]

Notice that there are three network segments coming off the pfSense box. The Internet is connected via the WAN interface. The private network is connected on the LAN interface. The OPT1 interface is used to allow pseudo-public access to the Internet. The wireless access point on the public network is protected by WPA2-PSK, and anyone attaching to that subnet must be granted access through a captive portal.

pfSense Install

The first step was to install pfSense using the LiveCD that can be downloaded from the pfSense website. The current version is v1.2.3, but they are working on v2.0. I chose to stay with v1.2.3. When booting, there is an option for a customized installation. I wanted to know what the default installation was, so I chose the Easy option.

I have 4 ethernet interfaces in the host computer. A habit I got into a long time ago is to identify the MAC address of each interface prior to installing any software that needs to differentiate. A part of the install is to identify which interface is WAN and which one is LAN. Knowing the MAC address makes this simple.

The install also expects an IP address to be assigned to the LAN interface. I chose 192.168.200.1.

The WAN interface was set to get information via DHCP.

pfSense Configuration

Configuration is performed via a web interface. I just connected my MacBook to a hub on the LAN interface. The MacBook got configuration via DHCP just fine. The web console is accessed by pointing your browser to 192.168.200.1. Most configuration you need to do can be done with the web interface.

When I logged in using the default credentials, I immediately changed the password. I also changed it so that https was used rather than clear-text http.

The firewall is configured by default to allow full access from LAN to WAN. It also is configured to do ingress filtering from the WAN side.

I enabled the OPT1 interface and assigned an IP address of 192.168.210.1. Now, here’s where things got just a bit sticky…

Normally I don’t read documentation too carefully. In fact, I didn’t read any of the documentation online, nor did I poke around the pfSense forums. I then took my MacBook off the LAN segment and put it on the OPT1 segment. Could not do anything, and didn’t get DHCP. Hmmmmm……

Back to the LAN segment. You must enable DHCP to be served on the OPT1 interface. Also, there must be a rule in the firewall section to allow access from OPT1 to WAN. I put those in and put another computer on the OPT1 segment. Then it happened…

I kicked the power strip the pfSense computer was plugged into and performed a hard crash.

No problem. Just power it back on and wait for the boot process to complete. Did that. Tried to get the computer on the OPT1 segment to access the Internet. It did not work.

So there I sat, reviewing configurations on pfSense for correctness. It was correct and should have served DHCP. I even put another computer with Wireshark on the OPT1 segment so that I could see if DHCP requests were being answered. I saw DHCP requests coming from the computer, but no answers were being provided by pfSense.
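The same check done by eye in Wireshark can be scripted. This is an added example, not part of the original post: it parses DHCP payloads (UDP ports 67/68) and reports transactions where a client asked but no server replied. The function names and the sample packets are constructed for illustration, and extracting the payloads from a capture is assumed to happen elsewhere.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie (RFC 2131)
CLIENT_MSGS = {1, 3}                    # DISCOVER, REQUEST
SERVER_MSGS = {2, 5, 6}                 # OFFER, ACK, NAK

def parse_dhcp(payload):
    """Return (xid, client MAC, message type) or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    hlen = payload[2]
    xid = struct.unpack("!I", payload[4:8])[0]
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + min(hlen, 16)])
    i, msg_type = 240, None
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                   # truncated option
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if payload[i] == 53 and len(value) == 1:    # 53 = DHCP message type
            msg_type = value[0]
        i += 2 + length
    return xid, mac, msg_type

def unanswered(payloads):
    """Map xid -> client MAC for transactions that saw no server reply."""
    pending, answered = {}, set()
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed is None:
            continue
        xid, mac, msg_type = parsed
        if msg_type in CLIENT_MSGS:
            pending.setdefault(xid, mac)
        elif msg_type in SERVER_MSGS:
            answered.add(xid)
    return {x: m for x, m in pending.items() if x not in answered}

def build(op, xid, mac, msg_type):
    """Build a minimal DHCP payload (constructed sample data only)."""
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + bytes(16)
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    return head + chaddr + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255])

# Constructed capture: the first client is answered, the second is not.
A, B = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE = [build(1, 0x2002, A, 1), build(2, 0x2002, A, 2), build(1, 0x2002, A, 3),
          build(2, 0x2002, A, 5), build(1, 0x1001, B, 1), build(1, 0x1001, B, 1)]
```

A non-empty result from `unanswered()` on a segment's capture matches what the post describes: requests on the wire and no replies from the DHCP server.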

-- end part 1 --

I’ll finish this story in the next post.


Helmikuu August 27, 2010 at 7:04 pm

I hope pfsense will continue to upgrade their application and packages. One thing I like about pfsense is its capacity to block https websites.
