Oh, and I figured out AdSense finally. I've tried to make it as unobtrusive as possible while still being visible. I'm not going to type out some heartfelt paragraph about needing to use ads because I survive on their support. I'm doing this blog for the good of the people -- and if I am one of those people who gets some good sent their way, I won't complain. But the honest-to-god truth is that I'm here to write the best dang tech blog I can and I'd be doing that even without the few quarters they mail me every other month.
Back to Business: Installing pfSense
I haven't re-read the post I made yesterday, which accidentally turned itself into this series. For those of you who didn't get a chance to read it, we went over the different pfSense versions, I described some common problems when integrating it with Hyper-V, I was in a state of near delirium, and I almost broke a server. So, go on! Check it out:
(Part 1) The Synergy of Hyper-V and pfSense - Prepping Hyper-V
If you were following along, our paths diverged at the end of the first part of the series. You were left with a whole lot of white text flying across the screen for about a minute as the system booted. Then it asked you if you want to set up VLANs now.
I, on the other hand, had to fight with permissions on two machines so that I could finally do a simple file transfer and get all the VM files in place. I am starting the machine up right........... now. I actually did type "now" and click Start at the same time. I'm such a loser.
Up and running, here's the prompt I was talking about:
1. Take note of those interface names. You will need them in a second and they're not always visible on screen when it asks.
Enter "no" or "n" to skip setting up VLANs.
2. It will ask you to label your interfaces. One thing you need to keep in mind while configuring pfSense is that it was created to run on hardware. The fact that it can run inside a virtual machine is just a really great feature. At this point with a hardware installation, you'd already have your cables connected to physical ports. That's why this matters. However, with a virtual machine, all your ports are whatever you want them to be. A WAN port can turn into a LAN port just by changing the IP. So it doesn't matter which interface is labeled what.
Just run down the interface list above to assign them. Don't just type what I'm typing here. Your interface labels may be completely different.
I have 4 virtual NICs installed, so I labeled 4 interfaces here. Once you've given names to all your interfaces, just hit enter one more time. Then enter "yes" or "y" at the confirmation.
3. It will do router-y and firewall-y things for a bit, then finally bring you to the main menu.
Remember that we downloaded the LiveCD for pfSense. This means that it can run straight off external media. You could go ahead and just move on in. You know, set up a cozy new home complete with love seat and firewall state tables, but you'd be really annoyed when your furniture got deleted on a reboot.
We had to choose the LiveCD because the other option is built as an IMG file, which Hyper-V does not recognize natively. This really doesn't add much time anyway.
Enter "99" to kick off the installation.
4. Choose "Accept these Settings"
5. At the next screen, you really shouldn't ever need to do a custom install unless you have multiple VHDX files connected and you need to install to a drive not in the first slot of IDE Controller 0. "Quick/Easy Install" formats that disk automatically (which will be explained in the shell) and installs pfSense there.
Select Quick/Easy Install.
6. Select OK on the next prompt. pfSense begins installing.
7. Choose to install the standard kernel. The embedded kernel means that it is being installed on hardware that was likely designed to run it.
8. Once it asks you to reboot, don't. We want to turn the machine off. Keep in mind this is different from "Shut Down."
9. Once the machine has powered off, we need to remove the ISO from the drive. On the menu at the top of the VM window, go to Media --> DVD Drive --> Eject
We did this because FreeBSD will automatically boot from the DVD again each time it starts. If you try to remove the DVD at the moment the machine restarts, you will either get an error from Hyper-V or the system will present a mount error.
10. Start the machine back up.
Let's take a short break from doing stuff and learn some stuff
We now need to configure pfSense so that we can reach webConfigurator, which is the HTTP-/HTTPS-based web GUI. It's smooth sailing once we get to that point. This requires configuring IP addresses on specific interfaces. I can't very well tell you what addresses to use, so we're going to have a little sidebar here. I need to explain what's going on and then show you how it'll work with my network. Speaking of my network, here is the diagram of our little slice of the lab:
Notice that there are IP addresses with a subnet mask of "/30", which is equivalent to 255.255.255.252. This subnet mask will look strange to someone who's just getting their feet wet in networking. You may be used to addresses with a subnet mask of 255.255.255.0 from having to configure or troubleshoot your network card. A lot of people are surprised, then, when they are told that /30 is the most common subnet mask in the world. The reason is that a /30 defines a subnet with room for only 2 endpoints, which is exactly what you need when one router is connected directly to another router.
There's a reason why I bring this up. With pfSense, you have to define the interfaces with labels and also with IP addresses. The labels aren't just for show with a virtualized installation, though. They also configure the default firewall rules on each port. There are always going to be two interfaces with pfSense*: the WAN interface and the LAN interface. Any additional interfaces get the designation OPT1, OPT2, and so on.
We need to know this because we have to use the right interface to get connected to the webConfigurator. If we picked OPT2, for example, we wouldn't be able to connect.
Here's a rundown of the default firewall rules for each interface:
- WAN:
  - Deny traffic from private networks
  - Deny traffic from bogons
  - Allow webConfigurator access over port 80 or 443
  - Implicit "deny all"
- LAN:
  - Allow traffic from current subnet
  - Implicit "deny all"
- Any OPT interface:
  - Implicit "deny all"
Let me head the questions off at the pass...
- The private networks are 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x. These have been specially set aside by the Internet Assigned Numbers Authority (IANA) to only be used locally and shouldn't be out on the open web.
- Bogons are bogus IP addresses. Whenever a block of addresses is reserved with the IANA, they remove the bogon label from them. If an address is a bogon, whoever is using it shouldn't be allowed into your internal network. There's a reason they didn't officially reserve address space and you don't need to find out what that reason is.
- The implicit deny all** comes at the very end of firewall states (rules) and Access Control Lists (ACLs), the latter of which appear in networking equipment as well as file system security including Windows. In pfSense and some other networking technologies, it doesn't even appear in the list. So, when you first look at your rules for OPT interfaces, they are just empty. To allow traffic through, an administrator has to make rules for what can come in. It's kind of like a boy only allowing other boys into his tree house because he thinks girls are icky.
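As an added illustration (not code from this post or from pfSense itself), here is a small Python model of that default rule list exactly as given above, evaluated first-match with the implicit deny at the end. The shortened bogon list and the interface subnets are constructed for the example.

```python
import ipaddress
from typing import Callable, List, Tuple

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed, shortened bogon list for illustration only; the real list is much longer.
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "240.0.0.0/4")]

Rule = Tuple[str, str, Callable[[str, int], bool]]  # (name, action, match)


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def default_rules(interface: str, iface_net: str) -> List[Rule]:
    """Default rule list per interface, in the order the post gives it."""
    net = ipaddress.ip_network(iface_net)
    if interface == "WAN":
        return [
            ("block private networks", "deny", lambda src, port: in_any(src, PRIVATE)),
            ("block bogons", "deny", lambda src, port: in_any(src, BOGONS)),
            ("allow webConfigurator", "allow", lambda src, port: port in (80, 443)),
        ]
    if interface == "LAN":
        return [("allow LAN subnet", "allow",
                 lambda src, port: ipaddress.ip_address(src) in net)]
    return []  # OPT1, OPT2, ...: the list is empty, so only the implicit deny applies


def evaluate(interface: str, iface_net: str, src: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; if nothing matches, the implicit deny all does."""
    for name, action, match in default_rules(interface, iface_net):
        if match(src, port):
            return action, name
    return "deny", "implicit deny all"


if __name__ == "__main__":
    for iface, net, src in (("WAN", "203.0.113.0/30", "192.168.0.224"),
                            ("LAN", "192.168.0.0/24", "192.168.0.224"),
                            ("OPT1", "10.1.1.0/24", "10.1.1.5")):
        print(iface, src, "-> port 443:", evaluate(iface, net, src, 443))
```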
Looking at the interface list above, it would seem like we want to connect over the WAN interface. And that would normally be true. But, for whatever reason, it just doesn't work when you use pfSense on Hyper-V. Or at least it's very unreliable. Or maybe it has worked for every single one of you except me.
The fact of the matter is that I have a sure-fire way of getting into the web GUI with the LAN interface. I recommend doing it this way so you don't get so frustrated that you throw a phone book at the mailman. I'm not saying I did that or anything...... that would make my defense attorney's job a lot harder.
Okay, let's stop learning and start doing stuff
11. Before I forget, let's enable SSH (Secure Shell) access to the router. This allows you to access the console easily with PuTTY or connect with WinSCP to modify the FreeBSD file system like you would in Windows Explorer. Enter "14" at the main menu to enable SSH.
If the menu has disappeared from random status messages filling the screen, just hit Enter to refresh.
12. Back at the main menu, enter "2" to set interface IP addresses.
13. It will give you a list of your interfaces. Enter the number for the LAN interface, which is probably "2".
14. You now have to assign an IP address. We are NOT going to assign anything from our diagram yet. What you want to do is pick an address on the same subnet as the computer that you will access the webConfigurator from.
For example, if you're connecting from your PC and the IP address is 192.168.0.5 (with the /24 mask), then you can set it to 192.168.0.6 or 192.168.0.100 or 192.168.0.179. As long as there isn't another computer on the network with that address, you're gravy. If you want to see what addresses are floating around out there, run "arp -a" from the command prompt on your PC, which sends out a broadcast message to get the identity of computers on the subnet.
For me, I can use 192.168.0.30, so I will:
15. It then asks you for your subnet mask.*** Enter it as the bit count. It has some examples above.
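To make the subnet arithmetic from the /30 sidebar and from steps 14 and 15 concrete, here is a small Python script added to this post (it is not part of the original walkthrough or of pfSense). It converts a dotted mask to the bit count pfSense asks for, counts the endpoints a prefix allows, and checks a candidate LAN address against the PC's subnet and a constructed sample of Windows `arp -a` output; that sample output and the PC's /24 mask are assumed values.

```python
import ipaddress
import re

# Constructed sample of Windows `arp -a` output (not captured from the author's lab).
ARP_SAMPLE = """\
Interface: 192.168.0.224 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.5           00-11-22-33-44-66     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.252' -> 30, the bit count pfSense asks for in step 15."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def usable_hosts(prefix: int) -> int:
    """Endpoints a /prefix can hold, excluding network and broadcast (prefix <= 30)."""
    if prefix > 30:
        raise ValueError("/31 and /32 have no conventional host range")
    return ipaddress.IPv4Network(f"0.0.0.0/{prefix}").num_addresses - 2


def seen_addresses(arp_output: str) -> set:
    """Addresses listed in `arp -a` output (lines that carry a MAC address)."""
    seen = set()
    for line in arp_output.splitlines():
        m = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s+[0-9a-f-]{17}", line, re.I)
        if m:
            seen.add(ipaddress.IPv4Address(m.group(1)))
    return seen


def candidate_ok(pc_ip: str, prefix: int, candidate: str, arp_output: str) -> bool:
    """True if candidate is a usable host on the PC's subnet, not the PC, and not in use."""
    net = ipaddress.IPv4Interface(f"{pc_ip}/{prefix}").network
    cand = ipaddress.IPv4Address(candidate)
    if cand not in net or cand in (net.network_address, net.broadcast_address):
        return False  # wrong subnet, or the network/broadcast address
    if cand == ipaddress.IPv4Address(pc_ip):
        return False  # that's the PC itself
    return cand not in seen_addresses(arp_output)


if __name__ == "__main__":
    print("/30 holds", usable_hosts(30), "endpoints")
    print("192.168.0.30 ok?", candidate_ok("192.168.0.224", 24, "192.168.0.30", ARP_SAMPLE))
```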
16. Are you ready for my trick?! This is how I show both Hyper-V and pfSense who's boss. When it asks for the upstream gateway address, set it to whichever computer you want to access it from. Don't set it as your modem or other router. That's when I started running into issues.
(Screenshot caption) I will access the webConfigurator from this address. 192.168.0.224 is a computer on my network.
17. For the IPv6 address, you can just hit Enter. Feel free to type one in if you'd like to use IPv6.
18. Do you want to enable the DHCP server on LAN? No.
19. Do you want to revert to HTTP as the webConfigurator protocol? If you are brand new to pfSense, I'd just say yes.
HTTP is insecure but simpler. With HTTPS, you will have to set up Certificate Authorities and configure the trust chains. It's not hard to get going with self-signing, but we won't go into it now. To be honest, I've only done it once. It could be different from what I remember.
20. It does some processing and then gives a nice little message that you can access the webConfigurator at the listed address.
Great! Let's do just that! I'm super excited!!
On the computer at 192.168.0.224:
AHH what?? I literally spent like 100 hours writing this post and this is what happens?!
Okay, I knew that was going to happen. We need to do two things first.
(Keep in mind... it could have just worked for you. How pfSense determines your technological karma is mysterious and unknowable... at times just cruel.)
21. Pull up an elevated command prompt and enter the following:
route add -p <IP address of router> mask 255.255.255.255 <IP address of router again>
This adds a persistent host route (the 255.255.255.255 mask covers just that one address, and -p keeps it across reboots) so your PC sends traffic for the router's IP straight to it on the local link instead of handing it to your default gateway. It basically forces the computer to know that the router exists.
22. Reboot the router. At the main menu, Enter 5 and then confirm it.
Now, it might take a little time for pfSense to get all its ducks in a row. Just to be clear, that is not a technical term... it's an idiom.
Come back to your browser in 5-10 minutes and try the router's IP address again. If you're still having issues, reboot the router once more.
Here it is, folks:
(Screenshot caption) Smells like victory in here.
The username is admin
The password is pfsense (all lowercase)
Pause button
In part 3 (which might turn into part 4 and then 5), we'll walk through the setup wizard--yes, a setup wizard on an amazing piece of networking technology and it rocks--and make sure we can connect from all the interfaces.
In conclusion, I understand the importance of properly selecting the correct words to make bold.
* You actually could configure pfSense with just one network card. You would need to configure two VLANs and assign them both to the same port, then configure routing between them. Traffic going through the port uses a subinterface as well as the interface itself. This process is known as "Layer 3 Switching". The device itself is often called a "Router on a Stick."
** There is an alternative method for managing security that uses an explicit deny. This means that everything can come in unless it has been specifically denied.
*** To find your subnet mask, run "ipconfig" from the command prompt on the computer you will access the webConfigurator from. If your address starts with 192, it's extremely likely that the bit count for the mask is 24. Starts with 172? 16. Starts with 10? That's kind of a mixed bag, so I'd double-check.