Getting Started with the pfSense firewall image

This page outlines the basics of pfSense firewalling and how to configure your firewall within the VDC platform.

Deploying the Firewall

The pfSense firewall should initially be deployed in the same way as any other Virtual Machine image. When you reach the stage of adding network interfaces, make sure that NIC 0 (Ethernet interface 0) is the Public IP (or the first Public IP if there are several) and that NIC 1 is the Private or External interface. The base pfSense image has been preconfigured to expect the interfaces in this order; if they are swapped, the firewall's WAN and LAN settings will land on the wrong networks.

firewall-security.png

For more information on how to do this, refer to the ‘Configure Network Resources’ section of the ‘Configuring Virtual Machines’ documentation.

Configure the Firewall

You need to configure the firewall to allow management traffic to the firewall itself, to allow traffic from the inside network out to the Internet, and finally to allow inbound port 80 (HTTP) through to the web server.

Firstly, open a web browser and enter the IP address of the public interface of the firewall that you allocated above.

NOTE: you must use HTTPS, e.g. https://213.253.4.82

The image ships with a self-signed certificate, so a certificate warning is expected on this first connection. Check that the address bar shows the public IP you allocated, then click “Continue to web site”. The following screen will appear:

1-pfsense-login.jpg

The default user ID and password are listed on the VM Templates - Login Details for Claranet Images page. After logging in you will be presented with the main web page of the firewall.

The first step is to change the default password for the admin user. Move your mouse over the System menu item at the top left-hand side of the page until a drop-down box appears, and select “User Manager”.

2-pfsense-usermanager.jpg

The following screen will appear:

3-pfsense-usermanager-2.jpg

Click the edit icon 4-pfsense-editbutton.jpg to the right of the admin user’s line to edit the user.

The following screen will appear:

5-pfsense-passwordedit.jpg

Type a new password where indicated (twice). Scroll down and click Save.

Next we need to enable SSH on the firewall and move it off port 22. This frees port 22 on the public IP so that it can later be forwarded to the web server, while the firewall itself stays reachable on a different port. Select “System” – “Advanced” and the following screen will appear:

6-pfsense-adminaccess.jpg

Scroll down to the SSH section:

7-pfsense-adminssh.jpg

Tick “Enable Secure Shell” and set the SSH port to “8022”. Scroll down and click “Save”.

Next we need to configure the firewall with the following rules:

Allow SSH on port 8022 to Firewall

Select “Firewall” – “Rules”

8-pfsense-firewallrules.jpg

Select “WAN” and then click 9-pfsense-addrulebutton.jpg to add a new rule:

10-pfsense-editrule.jpg

Enter the following:

Action: Pass
Disabled: not selected
Interface: WAN
Protocol: TCP
Source: any
Destination: Wan Address
Destination Port Range – From: 8022
Description: SSH to Firewall on Port 8022

Click Save and Apply Changes. You can now SSH to the firewall's public IP on port 8022 with your preferred client, for example ssh -p 8022 admin@213.253.4.82. Because this rule accepts connections from any source, consider narrowing Source to the addresses you manage from once you know them.

Example NAT rules

Please note: pfSense can only configure outbound NAT automatically if your internal interfaces have static, not DHCP-assigned, addresses. If you want DHCP-assigned internal interfaces, switch Outbound NAT to Hybrid mode and add the outbound NAT rule yourself.

The following section provides some example NAT configurations.

Example NAT rule - Allow SSH on port 22 to Web Server

Select “Firewall” – “NAT” and then select “Port Forward”:

11-pfsense-addnatwindow.jpg

Click on the Add NAT Rule button

12-pfsense-editnatwindow.jpg

Configure the following:

Disabled: Not selected
No RDR (NOT): Not selected
Interface: WAN
Protocol: TCP
Source: leave at the default (any)
Destination: Wan Address
Destination Port Range – SSH
Redirect Target IP Address: 192.168.2.2 (or your webserver IP)
Redirect Target Port: SSH
Description: SSH to Web Server
NAT Reflection: leave as default
Filter Rule Association: Pass

Click Save and then Apply Changes. You can now SSH to the web server by connecting to the firewall's public IP on port 22, using the web server's own username and password.

Example NAT rule - Allow HTTP on port 80 to Web Server

Select “Firewall” – “NAT” and then select “Port Forward”:

11-pfsense-addnatwindow.jpg

Click on the Add NAT Rule button

12-pfsense-editnatwindow.jpg

Configure the following:

Disabled: Not selected
No RDR (NOT): Not selected
Interface: WAN
Protocol: TCP
Source: leave at the default (any)
Destination: Wan Address
Destination Port Range – HTTP
Redirect Target IP Address: 192.168.2.2 (or your webserver IP)
Redirect Target Port: HTTP
Description: HTTP to Web Server
NAT Reflection: leave as default
Filter Rule Association: Pass

Click Save and then Apply Changes. You should now be able to view a page served by your web server by browsing to http://<public IP of your firewall>/.

1:1 NAT mapping

The following section provides instructions on how to configure 1:1 NAT mapping with multiple public IP addresses.

In this example, the public IP 195.157.13.200 is mapped 1:1 to the private address 192.168.0.3.

Things you have to do to make this work:

  • You need a public IP interface for each public IP address you want to NAT.
  • Additional Public IP interfaces must be numbered NIC 2 or higher, preserving the first Public IP on NIC 0 and the first Private/External IP on NIC 1 as detailed earlier.
  • You need to set up a 1:1 NAT entry for this IP.
  • You need to create a firewall rule that allows the port you want for this IP; the 1:1 entry alone does not admit any traffic.

Assign additional interface

Following the firewall setup instructions earlier, your first WAN interface will be assigned to em0, and your LAN to em1:

13-pfsense-assign-net1.jpg

Click the 9-pfsense-addrulebutton.jpg button to assign a new interface. OPT1 will automatically appear attached to em2:

14-pfsense-assign-net-closeup.jpg

Select the Interfaces menu item, then OPT1.

Tick Enable at the top and set the configuration type to DHCP. Save changes and click Apply Changes.

15-pfsense-assign-net-apply.jpg

If you are using multiple interfaces with a 1:1 NAT mapping on each, you will also need to make the following additional configuration changes:

Firstly, you need to expose the additional firewall configuration options. Go to the 'System' menu, 'User Manager', then click on the 'Groups' tab.

Click on the 4-pfsense-editbutton.jpg edit button next to the 'Superuser' group. Scroll down to the bottom of the 'Assigned Privileges' section and click 9-pfsense-addrulebutton.jpg to add new privileges.

On the Add Privileges page, click 'Select all', and then 'Save'.

Now you need to disable reply-to. Go to the 'System' menu, 'Advanced' and click the 'Firewall / NAT' tab. Tick the 'Disable reply-to on WAN rules' check box.

30-pfsense-disable-reply-to.jpg

Click 'Save'. Next, go to the 'System' menu, 'Advanced' and click on the 'Networking' tab. Tick 'Suppress ARP messages':

31-pfsense-suppress-ARP.jpg

Click 'Save' to finish.

Configure 1:1 NAT

Click “Firewall” – “NAT” and select the 1:1 tab.

Click 9-pfsense-addrulebutton.jpg to add a new entry. Set Interface to OPT1 and External Subnet IP to the public IP address; use a /32 mask when you are mapping a single address rather than a block.

16-pfsense-1-1natrule.jpg

Set the Internal IP to the private IP address of the host you want to reach.

Set a description for this NAT entry and click Save. Apply Changes to the system.

Apply a firewall rule

Select “Firewall” – “Rules”.

Select the OPT1 tab and click 9-pfsense-addrulebutton.jpg to create a new rule:

17-pfsense-1-1firewalledit.jpg

Make sure Interface is set to 'OPT1', or whatever interface name you are using for this public IP address. Set Destination type to 'Single host or alias' and enter the private IP address of the host you want to reach, in this case 192.168.0.3 (with 1:1 NAT the rule matches on the translated private address, not the public one).

Set the destination port range, in this case SSH. Set a description for this rule.

Save changes and apply changes.

You should now be able to make an SSH connection to the public IP address 195.157.13.200 and have it redirected to 192.168.0.3.
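The following script is an added example and is not part of this page or of pfSense itself. It audits a pfSense config.xml for the outcome of the two procedures above: the port-forward section (SSH on 8022 to the firewall, 22 and 80 forwarded to the web server) and the 1:1 NAT section (a public IP on OPT1 mapped to a private host, plus the pass rule that admits traffic to it). The element names (system/ssh, filter/rule, nat/rule, nat/onetoone) are my reading of pfSense's config.xml layout and the sample config is constructed here; compare both against your own /conf/config.xml before trusting the output.

```python
"""Audit a pfSense config.xml for the rules set up on this page.

Added example, not part of the original page or of pfSense itself.
Element names are my reading of pfSense's config.xml layout; verify
them against your own /conf/config.xml.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the state this page's walkthrough should leave behind.
SAMPLE_CONFIG = """<pfsense>
  <system><ssh><enable>enabled</enable><port>8022</port></ssh></system>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>8022</port></destination>
      <descr>SSH to Firewall on Port 8022</descr></rule>
    <rule><type>pass</type><interface>opt1</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.0.3</address><port>22</port></destination>
      <descr>SSH to 192.168.0.3 via 1:1</descr></rule>
  </filter>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>22</port></destination>
      <target>192.168.2.2</target><local-port>22</local-port>
      <descr>SSH to Web Server</descr></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>80</port></destination>
      <target>192.168.2.2</target><local-port>80</local-port>
      <descr>HTTP to Web Server</descr></rule>
    <onetoone><interface>opt1</interface><external>195.157.13.200</external>
      <source><address>192.168.0.3</address></source>
      <destination><any/></destination>
      <descr>1:1 for 192.168.0.3</descr></onetoone>
  </nat>
</pfsense>
"""


def parse(xml_text):
    return ET.fromstring(xml_text)


def ssh_port(root):
    """The firewall's own SSH port; pfSense listens on 22 when none is set."""
    node = root.find("./system/ssh/port")
    return int(node.text) if node is not None and node.text else 22


def port_forwards(root):
    """Port-forward (RDR) entries as plain dicts."""
    return [{"iface": r.findtext("interface"),
             "dst_port": r.findtext("destination/port"),
             "target": r.findtext("target"),
             "local_port": r.findtext("local-port"),
             "descr": r.findtext("descr", "")}
            for r in root.findall("./nat/rule")]


def forward_clashes_with_ssh(root):
    """Forwards on the WAN port the firewall itself uses for SSH.

    This is the clash the page avoids by moving SSH to 8022 before
    forwarding port 22 to the web server.
    """
    port = str(ssh_port(root))
    return [f for f in port_forwards(root)
            if f["iface"] == "wan" and f["dst_port"] == port]


def open_admin_rules(root):
    """Pass rules on WAN reaching the firewall's own address from any source."""
    hits = []
    for r in root.findall("./filter/rule"):
        if (r.findtext("type") == "pass" and r.findtext("interface") == "wan"
                and r.find("source/any") is not None
                and r.findtext("destination/network") == "wanip"):
            hits.append((r.findtext("destination/port"), r.findtext("descr", "")))
    return hits


def one_to_one_without_pass_rule(root):
    """1:1 mappings whose interface has no pass rule to the internal host.

    The 1:1 entry alone admits nothing; the page adds a rule on OPT1 whose
    destination is the private address, and this catches a missing one.
    """
    passes = {(r.findtext("interface"), r.findtext("destination/address"))
              for r in root.findall("./filter/rule") if r.findtext("type") == "pass"}
    return [(m.findtext("external"), m.findtext("source/address"))
            for m in root.findall("./nat/onetoone")
            if (m.findtext("interface"), m.findtext("source/address")) not in passes]


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print("firewall SSH port:", ssh_port(cfg))
    print("forwards clashing with SSH:", forward_clashes_with_ssh(cfg))
    print("admin ports open from any source:", open_admin_rules(cfg))
    print("1:1 mappings lacking a pass rule:", one_to_one_without_pass_rule(cfg))
```

Run it against a copy of your own config.xml by replacing SAMPLE_CONFIG with the file contents. An entry in open_admin_rules is the management rule from earlier on this page; it is reported so you can decide whether its Source should be narrowed. A non-empty forward_clashes_with_ssh means the firewall's SSH port was left on 22 while 22 is forwarded, so the forward wins and the firewall is no longer reachable on its own port.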