Tuesday, December 30, 2014

Getting pfSense Up and Routing in Hyper-V - Series, Part 3: The Synergy of Hyper-V and pfSense

I had a nice little break for Christmas, but we have work to do. Let's get this pfSense router working with Hyper-V and then we'll go into some extra bonus features. I say some because you could write an entire blog on pfSense features.

In part one, we focused on setting up Hyper-V so that it doesn't freak out when you slap pfSense inside of it. It took a lot of trial and error on my part to figure it out back in the day, so now you don't have to.

(Part 1) The Synergy of Hyper-V and pfSense - Prepping Hyper-V


In part two, we installed and configured pfSense so that we could get connected through webConfigurator, the web GUI. However, that's all we did, so we need to turn it into an actual router.

(Part 2) The Synergy of Hyper-V and pfSense - Connecting to the webConfigurator


So, here's what we're looking at...


webConfigurator - Configuration Using the Web... even though it's not on the "web"



Username: admin
Password: pfsense

Log in, and you get this screen:


If you log in and do not get this screen and want to get this screen to follow along, go to System -> Setup Wizard from the landing page.


Normally, I skip this wizard and go straight to setting up firewall rules on all the interfaces, but we'll go through it this time. This wizard is honestly fantastic for such a powerful piece of technology.

1. Click Next.

2. pfSense Gold is definitely worth it and you should consider it at some point in the near future. However, because you're just getting started, just go ahead and click Next.

3. Fill out the fields for hostname, domain, and DNS server(s). See my router below.


You technically don't need to enter anything here; you could just hit Next. But entering a hostname is just smart, the domain is helpful, and DNS servers are needed so the router can resolve the update and package servers by name. The DNS servers in my screenshot are publicly reachable resolvers, so you can use those too.

"Override DNS" is the checkbox labelled "Allow DNS server list to be overridden by DHCP/PPP on WAN". It only matters when the WAN interface gets its address dynamically: if the router is plugged straight into your ISP, or into a subnet that has its own DHCP server, the lease comes with a list of DNS servers, and with this box checked those replace the ones you just typed. We are going to give the WAN a static address in step 5, so the setting has no effect here. Uncheck it anyway; that way an upstream DHCP server can never quietly swap your resolvers for its own.

Click Next.

4. Choose your timezone. The default NTP server will work just fine. Region-specific pools can be found at http://www.pool.ntp.org/en/. Click Next.

5. We'll now configure our WAN interface first. Remember that WAN/LAN/OPT interface design plays a bigger role when using pfSense on physical hardware, but it's still important here. Let's take another look at the diagram for the router I'm configuring to determine how to set up this interface.


We'll go ahead and designate our interfaces based on this. The assignments are arbitrary, but they need to stay consistent so we don't get confused and misconfigure things. I'm also going to list the routes on these interfaces, which we'll come back to.

  • WAN interface: 10.123.123.6 /30      Routes: Default route through 10.123.123.5
  • LAN interface: 10.123.123.14 /30      Routes: 10.10.0.0 /24 through 10.123.123.13
  • OPT1 interface: 10.0.0.1 /25      Routes: none
  • OPT2 interface: 10.0.0.129 /25      Routes: none
So now we know what to enter on this screen. 

For "Selected Type" under "Configure WAN Interface", select Static.



For "IP Address" and "Upstream Gateway" under "Static IP Configuration", enter the correct information. Alternatively, you could enter the incorrect information. I'm using the info I listed above.


Remove the checkmarks for "RFC1918 Networks" (private addresses) and also for "Block bogon networks." We covered these types of addresses in part two of this series. Unchecking them is correct here only because this WAN sits on a private 10.x link: with "Block private networks" left on, pfSense would silently drop everything arriving from the upstream router at 10.123.123.5. On a WAN that faces the Internet directly, leave both boxes checked.


Click Next.

6. For the LAN interface, to which we're currently connected, just click Next. We'll fix it after we know that we can connect through another interface.

7. Set your administrator password on the next screen and click Next. The default admin/pfsense pair is printed in every pfSense guide, including this one, so don't skip this step. If you can't think of a good password, use PenguinsDoNotLikeFalafel23.

8. Click Reload on the next screen to reload the webConfigurator. This means that, up to this point, no changes have been made. Once you reload, all your settings are saved. Keep this in mind if you ever forget to complete the wizard.


It's normal for this to take a long time. For some reason, I occasionally need to manually reboot the router to be able to reconnect. That is option 5, "Reboot system", on the pfSense console menu in the VM's Hyper-V window.

9. Log back in with your new password.

10. If you have any additional interfaces, go ahead and configure them now. You can do this by selecting Interfaces -> OPT1 or whichever number it is.


The configuration screen is the same as what we saw for the WAN interface in step 5, except that you first have to tick "Enable Interface". You do not need to configure an IPv6 address.

Be sure to Apply Changes whenever you're done making them. Otherwise, they won't take effect.


11. Now we're going to open up the firewall temporarily so that traffic can pass through. The idea is that you open it all the way while you finish the rest of the configuration; that way, if you run into issues, you know that the firewall rules are not the problem. Keep in mind that pfSense rules are attached to the interface a packet arrives on, so an "any" rule on WAN lets everything from upstream straight in. Once everything is working, you will go back to the deny-by-default model I described in the previous post, and these temporary rules must go.

Go to Firewall -> Rules.


12. For the WAN interface, click the icon shown below to add a new rule.


13. The only thing you need to change is Protocol. Make it "any".


Click Save.

14. Click the icon for "add a new rule based on this one", shown below.


15. Change the interface to LAN. Click Save. Then repeat steps 14 and 15 for any additional interfaces. You can also make copies of your IPv4 rules and change them to IPv6 if you want. In this version of pfSense a rule applies to either IPv4 or IPv6, not both, so doing that leaves you with two rules per interface. The LAN interface will already have a couple of rules of its own: the anti-lockout rule that keeps you from cutting off your own access to the webConfigurator, and the default "LAN net to any" pass rule.

16. After you have all your rules set, Apply Changes.
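To make the rule semantics concrete, here is an added example (mine, not code from the original post or from pfSense) of how pfSense evaluates a rule set: rules hang off the interface a packet enters on, the first match from the top wins, and a packet that matches nothing hits the implicit deny at the bottom. OPEN_RULES is the temporary "any" rule per interface from steps 11 to 16. HARDENED_RULES is a constructed deny-by-default policy for this router of the kind you would move to later; its specifics (OPT1 may only browse and resolve names, OPT1 may not reach 10.10.0.0 /24, WAN gets no pass rule at all) are my assumptions, not the post's. The sample packets are constructed too.

```python
"""First-match, per-interface rule evaluation with an implicit deny,
modelled on pfSense. Added example, not the post's or pfSense's code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    interface: str                            # interface the rule is attached to
    action: str                               # "pass" or "block"
    proto: str = "any"                        # "any", "tcp", "udp", "icmp"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[Tuple[int, int]] = None   # inclusive port range, None = any


@dataclass(frozen=True)
class Packet:
    interface: str   # interface the packet ENTERS on; pfSense filters inbound per interface
    proto: str
    src: str
    dst: str
    dport: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.interface != pkt.interface:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None:
        lo, hi = rule.dport
        if pkt.proto not in ("tcp", "udp") or not lo <= pkt.dport <= hi:
            return False
    return True


def evaluate(rules, pkt: Packet) -> str:
    """Rules are processed top to bottom; the first match decides.
    Nothing matched means the invisible implicit deny at the bottom."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


def block_last(rules):
    """Same rules with every block rule sunk below the pass rules: the
    ordering mistake the troubleshooting section warns about."""
    return [r for r in rules if r.action == "pass"] + [r for r in rules if r.action == "block"]


LAN_ADDR = "10.123.123.14/32"   # LAN interface address from the post (step 5)

# Steps 11-16: the temporary wide-open rule set, one "any" pass rule per interface.
OPEN_RULES = [Rule(ifname, "pass") for ifname in ("WAN", "LAN", "OPT1", "OPT2")]

# Constructed deny-by-default policy (assumption, not the post's rule set).
# WAN has no pass rule at all, so the implicit deny stops everything inbound.
HARDENED_RULES = [
    # anti-lockout: pfSense's own rule also covers 80 and, if enabled, 22
    Rule("LAN", "pass", "tcp", dst=LAN_ADDR, dport=(443, 443)),
    Rule("LAN", "pass", src="10.10.0.0/24"),                       # default "LAN net to any"
    Rule("OPT1", "block", src="10.0.0.0/25", dst="10.10.0.0/24"),  # must sit ABOVE the passes
    Rule("OPT1", "pass", "tcp", src="10.0.0.0/25", dport=(80, 80)),
    Rule("OPT1", "pass", "tcp", src="10.0.0.0/25", dport=(443, 443)),
    Rule("OPT1", "pass", "udp", src="10.0.0.0/25", dport=(53, 53)),
]

if __name__ == "__main__":
    probes = [  # constructed packets
        Packet("WAN", "tcp", "198.51.100.7", "10.0.0.5", 22),        # inbound SSH from upstream
        Packet("LAN", "tcp", "10.10.0.20", "10.123.123.14", 443),    # admin to webConfigurator
        Packet("OPT1", "tcp", "10.0.0.5", "10.10.0.20", 443),        # OPT1 client poking at LAN
    ]
    for p in probes:
        print(p.interface, p.proto, p.src, "->", p.dst, p.dport,
              "| open:", evaluate(OPEN_RULES, p),
              "| hardened:", evaluate(HARDENED_RULES, p),
              "| block moved last:", evaluate(block_last(HARDENED_RULES), p))
```

The third probe is the one to watch: with the block rule at the top of the OPT1 list the packet is dropped, and with the identical rules reordered so the block sits below the HTTPS pass it sails through. The model is IPv4 only, matching the one-family-per-rule behaviour of this pfSense version.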

17. Go to System -> Routing.


18. Delete the gateway associated with the LAN interface.

(I forgot to highlight the delete button. It's the one with the X on the right side.)

19. We're now going to connect through a different interface so that we can make changes to the LAN interface, which we've been using to get to the webConfigurator. We first need to make sure you're all set with routing so you can, you know, reach the router.

Important: Keep in mind that your other routers need to be aware that the new guy and the network behind him exist. There should be a route set up on each upstream* router to direct traffic downstream. The process for this will vary greatly depending on what brand of equipment is being used. Refer to this footnote** for a little more information.

You can just try connecting via the browser at one of the other interfaces. The problem with this is that it might take longer than expected to load. That might also be annoying if you sit there waiting for it to load for a solid minute and then it fails.

You can also use these methods which will conveniently give you a tour of other parts of the interface.

If the router will have access to the Internet
The fastest way to make sure all is well is to go to Status -> Dashboard.

FYI, this is the "start screen" after you log in.

Check the interfaces. They should all be green and configured correctly--with the exception of the one you're using for the webConfigurator.


Then, look at System Information on the left.


If it says "You are on the latest version" or "Update available", then you are gravy (that's good). Go ahead and connect through the browser to one of the other interfaces.

If it says that it could not connect to check for updates, then you are not gravy. First things first, just reboot. That is pretty likely to fix it, especially if you are using pfSense version 2.1.5.

If you are still having issues, scroll to the bottom of this article and check out the Troubleshooting section.

If the router will not have Internet access
Go to Diagnostics -> Ping.


You want to make sure that you can ping the below hosts. If one works, all the ones below it should as well unless ICMP has been configured to disallow pings.
  • The computer you will access the webConfigurator from, which may be the same one you're using
  • The router closest to that computer along the path to the pfSense router (starting with the far interface, then the nearer one)
  • The next closest router
  • Any host on the directly connected network
  • The router itself, using the address on the interface you're checking
  • Itself using loopback (example: 127.0.0.1)
You can also do a route trace, but I think squeezing out a few pings ends up being a little faster.

If you're having problems, do a reboot. If you're still having problems, refer to the troubleshooting section at the end of this article.

Go ahead and connect to the interface in your browser and log yourself back in. Remember that you changed your password in an earlier step.

20. Go to Interfaces -> LAN. Configure this interface correctly and apply your changes.

21. Go back to System -> Routing.

22. Make sure you have routes for any networks that:

  • Aren't already going to go out through the default gateway
  • Aren't directly connected (i.e. you don't need a route for 172.16.0.0 /24 if the router has an interface at 172.16.0.1 /24)
I am going to add a gateway at 10.123.123.13, the far end of the /30 on the LAN interface, because that is how traffic will get to network 10.10.0.0 /24. Make sure you do NOT select "default gateway" for this gateway. You should only have one default gateway, and that is the one on the WAN.


23. Click on the Routes tab.


24. Add any static routes that you need to create. For example:


Apply changes.
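To see what the table from steps 5, 10, 22 and 24 actually does, here is an added example (mine, not code from the original post or from pfSense) that builds it in Python and walks it the way the kernel does, longest prefix first with the default route last. It also runs the two checks pfSense makes when you save a gateway (next hop on the interface's subnet, exactly one default) and works out which networks the upstream router at 10.123.123.5 needs a route for, which is the point of footnote ** at the end of the article. The interface addresses and routes are the ones listed in step 5; the lookup destinations are constructed.

```python
"""Longest-prefix-match over the routing table built in this post.
Added example, not the post's own code and not pfSense's. Interface
addresses and routes come from step 5; sample destinations are constructed."""
import ipaddress

INTERFACES = {  # from the post, steps 5 and 10
    "WAN": ipaddress.ip_interface("10.123.123.6/30"),
    "LAN": ipaddress.ip_interface("10.123.123.14/30"),
    "OPT1": ipaddress.ip_interface("10.0.0.1/25"),
    "OPT2": ipaddress.ip_interface("10.0.0.129/25"),
}

# name -> (interface, next hop, is_default); steps 5 and 22
GATEWAYS = {
    "WAN_GW": ("WAN", "10.123.123.5", True),
    "LAN_GW": ("LAN", "10.123.123.13", False),
}

# (destination network, gateway name); step 24
STATIC_ROUTES = [(ipaddress.ip_network("10.10.0.0/24"), "LAN_GW")]


def check_gateways(interfaces, gateways):
    """The checks pfSense makes when you save a gateway: the next hop must be
    inside the interface's subnet, and exactly one gateway may be default."""
    problems = []
    for name, (ifname, hop, _) in gateways.items():
        net = interfaces[ifname].network
        if ipaddress.ip_address(hop) not in net:
            problems.append(f"{name}: {hop} is not inside {ifname}'s subnet {net}")
    defaults = [n for n, (_, _, d) in gateways.items() if d]
    if len(defaults) != 1:
        problems.append(f"need exactly one default gateway, have {defaults}")
    return problems


def build_table(interfaces, gateways, static_routes):
    """Connected networks, static routes and the default, most specific first."""
    table = [(iface.network, ifname, None, "connected") for ifname, iface in interfaces.items()]
    for net, gw in static_routes:
        ifname, hop, _ = gateways[gw]
        table.append((net, ifname, hop, "static"))
    for ifname, hop, is_default in gateways.values():
        if is_default:
            table.append((ipaddress.ip_network("0.0.0.0/0"), ifname, hop, "default"))
    table.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return table


def lookup(table, dst):
    """First hit in a most-specific-first table is the longest prefix match.
    Returns (interface, next hop or None if directly connected, route kind)."""
    dst = ipaddress.ip_address(dst)
    for net, ifname, hop, kind in table:
        if dst in net:
            return ifname, hop, kind
    return None  # only possible when there is no default route


def networks_behind_us(interfaces, gateways, static_routes):
    """What the upstream router must point at our WAN address: every network
    reachable through us except the WAN link it already shares with us,
    summarised where prefixes are adjacent (route aggregation, footnote **)."""
    default_if = next(ifname for ifname, _, d in gateways.values() if d)
    nets = [iface.network for ifname, iface in interfaces.items() if ifname != default_if]
    nets += [net for net, _ in static_routes]
    return list(ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    print("gateway problems:", check_gateways(INTERFACES, GATEWAYS) or "none")
    table = build_table(INTERFACES, GATEWAYS, STATIC_ROUTES)
    for dst in ("10.10.0.57", "10.0.0.200", "10.123.123.13", "8.8.8.8"):  # constructed
        print(dst, "->", lookup(table, dst))
    print("upstream needs routes for:",
          [str(n) for n in networks_behind_us(INTERFACES, GATEWAYS, STATIC_ROUTES)])
```

Note that the two /25 interfaces collapse to a single 10.0.0.0 /24 entry for the upstream router, while 10.10.0.0 /24 and the LAN link stay separate; that is the aggregation the footnote describes, done with real prefixes rather than a blanket 10.0.0.0 /8.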


Verification

That should be it. The easiest way to verify is to ping, from a host on one side of the new router, something on the other side of it. Trace route also comes in handy here because you can see the new router answering as a hop along the path.

Also check out Diagnostics -> Routes to make sure nothing is missing. Both the Diagnostics and Status menus are chock full of helpful information and tools.


Extras

I'm just going to point you in the right direction for a few things.



  • Backup/Restore: Backup frequently! It's really easy!! Go to Diagnostics -> Backup/Restore.
  • NAT/Port Forwarding: Go to Firewall -> NAT for both of these.
  • High Availability: Here's a great article on CARP
  • Download add-on packages (I highly recommend using pfSense 2.1.5 for 3rd party stuff): Go to System -> Packages, then click the Available Packages tab
    • Snort: Free intrusion detection system (IDS) that lets you know when bad traffic is coming in. The package can also block offending hosts, which turns it into an intrusion prevention system (IPS); what the paid Snort rule subscription buys you is the current official rule set, not the blocking feature.
    • Squid ("Squid3"): Forward proxy, reverse proxy, and more. Totally free and totally great.
    • Squidguard: Added to Squid to do URL filtering. Free.
    • iperf: I haven't personally used this on pfSense, but it measures throughput between two endpoints, which makes it handy for telling a slow link apart from a misconfigured one. Free.
    • HAVP: I honestly haven't used this one personally either, but I've heard great things. It is an HTTP antivirus proxy that scans web traffic with ClamAV before it reaches your clients. Free.



Troubleshooting


If you're having problems, check the following in no particular order:

  • WAN interface (or the one with the default gateway route):
    • Subnet (it might have defaulted to 1 or 32)
    • IP address
    • Network/bogon filters at the bottom are empty
    • Gateway is correct and says it is a default gateway
    • IPv6 address is static or not enabled -- DHCP can be problematic during setup
  • Routes/Gateways:
    • If you've been following along, you should only have one gateway and it should be a default gateway
    • Make sure you only have one default gateway
    • Make sure the gateway is on the same subnet as your interface (it will yell at you if it isn't)
  • Firewall rules:
    • The interface that isn't working should have at least one rule allowing all traffic over IPv4
    • The rule allowing all traffic should be at the top of the list, although this likely isn't an issue yet (the rules are processed in order, from top to bottom, with the invisible implicit deny all hiding at the very bottom)
  • Go to Diagnostics at the top and choose Ping, then start pinging addresses close to the interface and move farther away (you can also do Trace Route, but I find that you can throw out quick pings a little faster)
  • Make sure your other routers contain the right networks in their routing tables
  • Remember: rebooting is your friend
  • If all else fails, disable and re-enable the interface. If that doesn't work, remove the interface assignment under Interfaces -> (assign) and assign it again, or remove the virtual network adapter from the VM in Hyper-V and add it back. This is more likely to fix the problem if your other interfaces are working correctly.


Footnotes

* The terms upstream and downstream traffic refer to the directions to get out of or deeper into the network. Upstream traffic is heading outward to a WAN interface where it can reach the Internet or get directed to another site. Downstream traffic is heading farther into the network, meaning it will have to pass through another router when it heads upstream. Upstream/downstream can also be used when referring to servers. For example, an upstream Windows Server Update Services (WSUS) server can download Windows updates and pass them to a downstream WSUS server.
** Simple devices want one exact static route per destination prefix. For example, you would enter 10.20.30.64 /26 as the destination, and that covers the addresses 10.20.30.64 through 10.20.30.127. Many systems, including pfSense, also let you aggregate: one shorter prefix stands in for all the subnets inside it, so 10.0.0.0 /8 sends every packet whose destination starts with "10" in that direction, even if those subnets sit behind different interfaces of the downstream router. The trade-off is that a summary also claims space that isn't really there, so traffic for a 10.x subnet that doesn't exist gets forwarded too. The majority of hardware routing is managed with routing protocols and does not use static routes, but this is beyond our scope for today.
