Author Topic: Edd Noman's Guide to pfSense 02 - How-To Improve Network Functionality  (Read 5043 times)

Offline Edd Noman

Edd Noman's Guide to pfSense 02 - How-To Improve Network Functionality with Basic Features of pfSense 2.3

This is a follow-up guide to my previous guide: How-To Install and Configure pfSense 2.3 inside a VM using VMware Workstation. I suggest you give that a look before you continue with this one, as it will give you a common reference for the network layout used in this guide. Since this guide starts with a fresh install of pfSense anyone can follow along, but I will use the layout referenced in my last guide for consistency.
In this guide I will show you some of the basic features and services of pfSense 2.3 and how to take advantage of them to improve your overall experience and the ease of use of the LAN network.

The features and services I will be covering in this guide will be the following:
- Remote Access with the use of Firewall Aliases and Firewall Rules
- NTP Service for clock synchronization of your LAN devices
- UPnP Service for those who use game consoles and are stuck with the Strict-NAT error
- DNS Resolver as local DNS Server
- Dynamic DNS with DYN or NO-IP services
- DHCP Server and Static IP assignments
- Email reports and alerts

This is again only the basic settings and configuration of said features and services. As this guide series is not a comprehensive guide on how networking or pfSense functions, do not expect a full explanation of every setting of each feature; I will however try to cover the most important settings for you to configure for the services to function properly.

1. Remote Access and Management of pfSense
The reason you may want to configure Remote Access to your firewall is that you might not always be at the location with physical access to your firewall when something happens that you need to address right away. Remote Access is what allows you to connect from anywhere in the world from any device that has a web browser and internet connectivity.

There are several ways of doing this, but the one I am going to cover here is called Restricted Firewall Access, which means that we only open up access from known IPs and subnets and use custom ports for the WebGUI and SSH console of the firewall. If you are interested in other ways of doing Remote Access, the pfSense doc covers it here: https://doc.pfsense.org/index.php/Remote_firewall_Administration
Let's start with changing the default ports of the WebGUI and SSH by navigating to: System -> Advanced -> Admin Access

Here you set the following options
Protocol: HTTPS
TCP Port: 8080
Anti-Lockout rule: Yes (Disabled - checked)
Secure Shell Server: Yes (Enabled - checked)
SSH Port: 2222
Save and Apply

Warning: The ports 8080 and 2222 for WebGUI and SSH are well-known management ports to administrators and hackers; I only use them for guide purposes and you should select ports that match your network preferences.



Now you need to wait about 30 seconds for it to apply the new settings and redirect and refresh your web browser to the new port. Your new method of accessing pfSense is the following web address from the LAN interface: https://10.99.99.1:8080

Now that all the custom ports are set we need to create some aliases so that we can reference them in our firewall rules. Aliases are just what they sound like: a collection of IPs, ports or URLs that is given a distinctive name, which helps us create more human-readable rules. You can get more information about aliases in the pfSense documentation here: https://doc.pfsense.org/index.php/Aliases
To create aliases we navigate to: Firewall -> Aliases

Here you need to create 2 different aliases, 1 port alias and 1 IP alias, to be able to create our Remote Access rules.
Port aliases are created from: Firewall -> Aliases -> Ports

Name: MGMT_Ports
Description: pfSense Management ports
Type: Port(s)
Port: 2222, 8080
Save



IP aliases are created from: Firewall -> Aliases -> IP
When creating IP based aliases you can choose between 2 types of alias, Host(s) based or Network(s) based. The main difference between them is:

Host(s) based: You need to specify each IP address you want in a separate entry. This is good to use for a small internal network alias where you want the rule only to apply to a small number of IPs.
Network(s) based: You can specify whole network segments and subnets as a single entry, but you can also specify a single IP address.

Name: RemoteAdmin
Description: Remote Administrators
Type: Network(s)
Network or FQDN: 192.168.1.199/32 or 192.168.1.0/24

If I only want access from my computer with IP 192.168.1.199 I need to set that as a /32 network, and all single devices need to be specified as IP-address/32 in the alias. This should only be used if you have a static IP address on the computer, as if the IP changes after a reboot or something you will no longer have access to your firewall.

If I would like to give everyone that connects to the D-Link Home-Router access to connect to pfSense I need to specify the Home-Router LAN network of 192.168.1.0/24 in this alias. With this set anyone with an IP address from 192.168.1.1 to 192.168.1.254 will be able to connect to your firewall and manage it.
As you can see in the picture below I have added both 192.168.1.199/32 and 192.168.1.0/24; only 1 of them is really needed as 192.168.1.199 is part of the 192.168.1.0/24 network. I only added it for comparison.



Since I trust my own Home-Router network the alias would be:

Name: RemoteAdmin
Description: Remote Administrators
Type: Network(s)
Network or FQDN: 192.168.1.0/24
Save and Apply



Now that our ports and aliases are set and created we are ready to create the actual rules to allow the traffic to pass and connect to the firewall. To do this navigate to: Firewall -> Rules -> WAN

Action: Pass
Disabled: NO
Interface: WAN
Address Family: IPv4
Protocol: TCP
Source: Single host or alias:  RemoteAdmin
Destination: This Firewall (Self)
Destination Port Range: From: other Custom  MGMT_Ports To: other Custom  MGMT_Ports
Log: Yes
Description: Allow RemoteAdmin access to pfSense
Save and Apply





Now when you have saved and applied the rules you should be able to access your firewall from the Home-Router LAN network, and you should see the following firewall rule list for the WAN interface.



This is all there is to setting up Remote Access and Management of your firewall. Just a word of warning: if you intend to do this when directly connected to the internet and not behind your ISP or Home-Router, you need to be very specific about which IP addresses and networks you allow to connect, and you should use a custom username and a strong password.

2. NTP Services for Clock Synchronizations of your Devices
The NTP service (ntpd), configured at Services -> NTP, allows pfSense to act as a Network Time Protocol server for a network, and also keeps the clock in sync against remote NTP servers as an NTP client itself.
Before enabling this service, ensure that the router's clock keeps fairly accurate time. By default the NTP server will bind to and act as an NTP server on all available IP addresses. This may be restricted using the Interface(s) selection on Services -> NTP.

This service should not be exposed publicly. Ensure inbound rules on WANs do not allow connections from the Internet to reach the NTP server on the firewall.
https://doc.pfsense.org/index.php/NTP_Server

When you configure this you want the NTP servers you are using to be as close and local to you as possible to get the most accurate overall time. To find the best NTP servers I use the NTP Pool Project website https://pool.ntp.org

To keep this guide as generic as possible I am going to use the following servers:
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org

But as stated, you should find the ones that are closest to where you actually are. With that said, let's start configuring it by navigating to: Services -> NTP

NTP Server Configuration:
Interface: LAN
Time Servers:  0.pfsense.pool.ntp.org, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org
Orphan Mode: 12
NTP Graphs: Yes (Enabled checked)
Save and Apply





Now it will take some time to synchronize the clock of pfSense and set up the service to serve your network the correct time. You can check the NTP server status by navigating to: Status -> NTP



And that is all there is to setting up the NTP service of pfSense.

3. UPnP and NAT-PMP Service for Game consoles
What are UPnP and NAT-PMP?
UPnP is short for Universal Plug and Play and is commonly found on Windows, BSD, Linux systems and common home routers.
NAT-PMP is short for NAT Port Mapping Protocol and is similar to UPnP but found more commonly on Apple devices and programs. A growing number of programs support both methods. pfSense supports both, and the service may be configured at Services -> UPnP & NAT-PMP.

UPnP and NAT-PMP both allow devices and programs that support them to automatically add dynamic port forwards and firewall entries. The most common uses are in gaming systems (XBox, PlayStation, etc) and Bit Torrent programs like µTorrent, which both rely on allowing inbound connections to a local service.

There are some potential security risks using this feature like:
When UPnP or NAT-PMP are enabled, use only devices and programs which are trusted. These mechanisms will allow these entities to bypass the firewall to allow incoming connections with no additional control or authorization. Do not be surprised when this happens.
Access permissions for the service may be crafted in the options on pfSense. The format of these is shown in the GUI at Services > UPnP & NAT-PMP in the User specified permissions boxes. Using these, access could be restricted to a specific workstation or device.
https://doc.pfsense.org/index.php/What_are_UPnP_and_NAT-PMP

To configure UPnP & NAT-PMP navigate to: Services -> UPnP & NAT-PMP

UPnP & NAT-PMP Settings:
Enable:  Yes (checked)
UPnP Port Mapping:  Yes (checked)
NAT-PMP Port Mapping:  Yes (checked)
External Interface: WAN
Interfaces: LAN
Log packets: Yes (checked)
Default Deny: Yes (checked)



UPnP Access Control Lists:
ACL Entries: allow 1024-65535 10.99.99.150/32 1024-65535
Save and Apply



With these settings UPnP & NAT-PMP is enabled, but only the LAN client with IP address 10.99.99.15 is allowed to use this feature to open and close network ports as needed. This should help against Strict-NAT or NAT Type 3 issues on game consoles like PlayStation and Xbox devices behind the pfSense firewall.

4. DNS Resolver and Dynamic DNS Configuration

DNS Resolver:
Unbound DNS Resolver is a validating, recursive and caching DNS resolver. It provides various modules so that DNSSEC (secure DNS) validation and stub-resolvers are possible. Unbound was integrated into the base system in pfSense 2.2. Unbound is also the default DNS Resolver.
https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

We start by configuring DNS Resolver general options by navigating to: Services -> DNS Resolver

General DNS Resolver Options:
Enable:  Yes (checked)
Listen Port: 53
Network Interfaces:  ALL
Outgoing Network Interfaces:  ALL
System Domain Local Zone Type: Transparent
DNSSEC:  Yes (checked)
DNS Query Forwarding:  Yes (checked)
DHCP Registration:  Yes (checked)
Static DHCP:  Yes (checked)
Save and Apply





Now with the above settings you have a working DNS Resolver setup. However, one of the advantages and cool things of having your own DNS Resolver service running in your network is that you can assign your own custom domain names to your devices. To illustrate this option I am going to convert the access address of pfSense to use the URLs router.vmlab.lan and firewall.vmlab.lan instead of having to remember the IP address 10.99.99.1. To do this we use the Host Override option.

Host Override Options:
Host: router
Domain: vmlab.lan
IP Address: 10.99.99.1
Description: DNS Record for pfSense Server

Additional Names for this Host
Host: firewall
Domain: vmlab.lan
IP Address: 10.99.99.1
Description: DNS Record for pfSense Server
Save and Apply



Now you should be able to access your pfSense firewall using the following URL and web-addresses:
pfSense.vmlab.lan
router.vmlab.lan
firewall.vmlab.lan

You can test this from CMD or Terminal with the commands:
Windows: nslookup
Mac \ Linux: dig



Hopefully you now see a lot of advantages of using the DNS Resolver in your network.

Dynamic DNS Service:
Dynamic DNS (DynDNS), found under Services -> Dynamic DNS, will update an external provider with the current public IP address on the firewall. This keeps a constant DNS hostname, even if the IP address changes periodically. Whenever an interface changes in some way, DHCP lease renew, PPPoE logout/login, etc, the IP will be updated.

There are many free DynDNS services out there, and pfSense supports more than 15 different providers. In addition to the normal public services, pfSense also supports RFC 2136 DNS updates to DNS servers.
In currently supported versions of pfSense, the DynDNS client supports using multiple DynDNS and RFC 2136 clients. These can be used to update multiple services on the same interface, or multiple interfaces.

There are two tabs under Dynamic DNS, one for DynDNS providers, and one for RFC 2136 servers. Each tab has a list of currently configured clients, which reflects not only their configuration but also their status. Additional clients can be managed from these lists.
When editing a DynDNS client, first pick a DynDNS service provider, then choose Interface with the IP address to update. Enter a hostname, username, password, and description. Optionally, an MX record and wildcard support may be enabled depending on the provider.

When editing an RFC 2136 client, first pick the interface with the IP to update, enter a hostname, Time To Live (TTL) for the DNS record, Key name (which must match the setting on the server), Key type of Host, Zone, or User, an HMAC-MD5 key, the DNS server IP address, and a description. TCP transactions may optionally be used instead of UDP.
https://doc.pfsense.org/index.php/Dynamic_DNS

As for configuring this service, it heavily depends on your DDNS provider. However, I have a demo account with 2 of the most popular providers: 1 is the free provider NO-IP (noip.com) and a paid alternative is Dyn DNS (dyn.com). Most of these providers have their own instructions on how to set it up using different router clients, so when you have signed up for a domain with one of the providers and read through their configuration document you can navigate to Services -> Dynamic DNS

Dynamic DNS Client Example:
Disable: No
Service Type: Your provider, if it is not in the list select other
Interface to monitor: WAN
Hostname: Your full domain name with the host record you created, i.e. firewall.mydomain.com
MX: this is only used in special cases where you have an email server behind pfSense
Wildcards: Depends on your provider
Verbose logging: Only used for troubleshooting
Username: Your username \ email that you use for login at your provider
Password: Your password or update key used at your provider
Confirm Password: Your password or update key used at your provider
Description: Your description of the config, i.e. Provider DNS Service

This is the most generic and non-provider-specific example I can give anyone for this service, as this is just an update client and all the different providers have their own way of authenticating and verifying your account. However, I have specific instructions for the NO-IP and DYN providers.

NO-IP Dynamic DNS Client:
Disable: No
Service Type: NO-IP (free)
Interface to monitor: WAN
Hostname:  lablan.ddns.net
Username:  EddNoman (no you do not get my account details)
Password:  MysuperSecretandSEXYkeY  (no you do not get my account details)
Confirm Password:  MysuperSecretandSEXYkeY  (no you do not get my account details)
Description:  NO-IP DNS Service
Save & Force update



For NO-IP they use the email address (username) and password you created to sign up for their service; however, for the DYN DNS service you get assigned an Update API Key that you need to use as your password in the client.



DYN Dynamic DNS Client:
Disable: No
Service Type: DynDNS (dynamic)
Interface to monitor: WAN
Hostname:  lablan2.qnett.net
Username:  EddNoman (no you do not get my account details)
Password:  MysuperSecretandSEXYkeY  (no you do not get my account details)
Confirm Password:  MysuperSecretandSEXYkeY  (no you do not get my account details)
Description:  DYN DNS Service
Save & Force update



As you can see from these pictures it is not hard to set up; it is just a matter of filling in the correct provider information about your domain and account details. Also, as you can see from the picture, there is no issue with having multiple providers and DNS entries pointing to the same router and firewall.



If you do not have any Dynamic DNS provider or account yet, I have a 15% off referral code for DYN DNS (dyn.com) that you can use. If you sign up for DYN DNS then I strongly recommend the Managed DNS Services, as then you get your own fully fledged DNS service with all the features and benefits of your own public DNS servers.
Referral Code:  RFE2X07RS8

5. DHCP Server and Static IP Assignments
The DHCP server in pfSense will hand out addresses to DHCP clients and automatically configure them for network access. By default, the DHCP server is enabled on the LAN interface.
The DHCP server page, found under Services -> DHCP Server, has a tab for each available interface. The DHCP daemon can only run on interfaces with a Static IP address, so if a tab for an interface is not present, check that it is enabled and set with a Static IP. The DHCP server cannot be active on any interface if the DHCP Relay service is in use.

DHCP Options
For each Interface, there are many options to choose from. At a minimum, the Enable box must be checked on the interface tab and an address range (starting and ending IP addresses) to use for DHCP clients must be defined. The other settings may be configured, but are optional. Each option is explained in more detail on the page and also in The pfSense Book.
See the DNS Forwarder article for information on the default DNS server behavior.
Some other options which may be set for clients include TFTP server, LDAP URI, and the ability to add in any custom DHCP option number and value.

Static IP Mappings
Static IP mappings can be added at the bottom of the DHCP server tab for a given interface.
To add a Static IP mapping, click "+", and then enter a MAC address, IP address, Hostname, and Description. These mappings can also be created from the DHCP Leases view. There are many other per-host options which can be sent as well. https://doc.pfsense.org/index.php/DHCP_Server

Let's define our network settings by configuring the DHCP Server. Navigate to Services -> DHCP Server

General Options:
Enable: Yes (checked)
Subnet: 10.99.99.0
Subnet mask: 255.255.255.0
Available range: 10.99.99.1 - 10.99.99.254
Range: from 10.99.99.100 to 10.99.99.200



Servers
DNS server1: 10.99.99.1



Other Options
Gateway: 10.99.99.1
Domain name: vmlab.lan
Default lease time: 7200 (2 hours)
Maximum lease time: 14400 (4 hours)
Time format change: Yes
NTP:  Yes
NTP Server 1: pfsense.vmlab.lan
NTP Server 2: 10.99.99.1
Save and Apply





As you can see from this page there is a lot of information and configuration parameters you can give your devices and computers through the use of the DHCP Server that are not covered by the common Home-Routers you can pick up at your local electronics or computer shop, so you need to do some research if you want to use some of the other options, as I am only covering what is necessary for the services we have configured in this guide.

Static DHCP Mapping on LAN
MAC Address: 00:0c:29:fa:58:63
IP Address: 10.99.99.15
Hostname: admin-pc
Description: admin pc static ip
Save and Apply





As you can see there are a lot of options that can be assigned on a per device \ IP basis when you create a static IP assignment, but the 2 main things to keep in mind are that MAC addresses are unique to every network device and that the IP address needs to be outside of what you assigned for the DHCP range, as those IPs are already in use by the server and would create an IP conflict. And that is all there is to configuring DHCP and/or a static IP in pfSense.

6. Email Reports and Alerts
Now I am going to cover something most people neglect to set up in their home or small networks, and that is email alerts and reports on events with the add-on Mailreport, as it allows you to set up periodic e-mail reports containing command output and log file contents. This is a very useful tool to see what is going on with your firewall and network so that you can be ahead and proactive against any issues that are on the rise, and all this from the comfort of your email inbox.

Now since this is about sending emails, the configuration for this package is very dependent on what email provider you have. I have gotten this to work with the following providers: Google Gmail, Microsoft Hotmail (live\outlook), Yahoo Mail and Mail.com, and it will work for any provider that allows you to connect to it using SMTP and IMAP applications like Thunderbird or Office Outlook.

Before we start configuring the notifications and mailreport features I strongly recommend that you have the following information ready:
IP Address of E-Mail server: IP address or FQDN of the SMTP E-Mail Server
From e-mail address: E-mail address that will appear in the from field. (Ex. hostname@domain.com)
Notification E-Mail address: E-mail address which will receive email notifications
Notification E-Mail auth username (optional): Username for SMTP authentication
Notification E-Mail auth password (optional): Password for SMTP authentication

When looking for this information you want the outgoing SMTP and IMAP server settings from the provider. For your benefit I will add the provider settings I have used in the past below. We start the configuration with setting the notification details under System -> Advanced -> Notification

Google Gmail
smtp.gmail.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL: 465
Port for TLS/STARTTLS: 587
Account Name, User name, or Email address: Your full email address
Password: Your Gmail password



Microsoft Hotmail (live\outlook)
smtp-mail.outlook.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL: 587
Port for TLS/STARTTLS:
Account Name, User name, or Email address: Your full email address
Password: Your Hotmail, Live or Outlook password



Yahoo Mail
smtp.mail.yahoo.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL: 465
Port for TLS/STARTTLS: 587
Account Name, User name, or Email address: Your full email address
Password: Your Yahoo password



Apple iCloud Mail
smtp.mail.me.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL: 587
Port for TLS/STARTTLS:
Account Name, User name, or Email address: the name part of your iCloud address (so without @icloud.com behind it)
Password: Your iCloud password



MAILcom
smtp.mail.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL:
Port for TLS/STARTTLS: 587
Account Name, User name, or Email address: Your full email address
Password: Your Mailcom password



Now make sure you save the settings before you test the SMTP settings. You should see a green bar at the top saying success if everything is working; if not it will be red with an indication of what went wrong, which in most cases is a case-sensitive username \ password or that the provider changed ports.

Now that we have enabled pfSense to email us we can continue to install the Mailreport package from System -> Package Manager
At Package Manager -> Available Packages search for "mail" and Mailreport should be the only hit; now click install



You should always be prompted to confirm any installation so click on the green confirm button



Now some text should fly over the screen and a progress bar should follow until the installation is done. This should only take a minute or so to complete and you should see an installation success message when done.



When the package is installed it will be accessible under Status -> Email Reports
From here you need to add a report schedule before you can add what types of logs it should send you. I usually have it set to once a week, every Sunday at 05:00 in the morning, since there should not be any activity on the network at that time in my case.

Report Settings
Description: Weekly Report

Schedule
Frequency: Weekly
Day of the Week: Sunday
Hour of Day: 05
Save



Now we need to go back and edit the Weekly Report and add what logs it should send us. This is done by clicking on the pen icon under Actions.



When you're back at the Weekly Report you should see 2 new fields, Include Commands and Include Logs. I usually include the logs of System, Gateway Events and Firewall to get an overview of what is going on there.
Send Now will send you a copy of the current setup to review, then Save to store the configuration.



That is it for this guide.

If you follow this guide and it is not working for you and it broke your system, I am not responsible or liable for that, as you should not take anything you read on the internet at face value, and you should test settings like this in a lab environment and not on your production servers.
« Last Edit: June 02, 2017, 02:40:07 PM by noman »
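The static mapping, RemoteAdmin alias, management ports and UPnP ACL entry from the guide above, checked by a small script before they are saved and applied. This is an added example, not code from the original post or from pfSense; the check functions, the /24 limit on how wide a RemoteAdmin entry may be, the 22/80/443 default-port list and the ACL line format assumed by the parser are assumptions of the example, not settings the guide states.

```python
from ipaddress import ip_address, ip_network

# Constructed from the configuration values used in the guide above.
LAN_NET = "10.99.99.0/24"
DHCP_RANGE = ("10.99.99.100", "10.99.99.200")
STATIC_MAPPINGS = {"admin-pc": "10.99.99.15"}
MGMT_PORTS = {2222, 8080}
REMOTE_ADMIN_ALIAS = ["192.168.1.0/24"]
UPNP_ACL = ["allow 1024-65535 10.99.99.150/32 1024-65535"]
# Assumption: the stock ports the guide warns against leaving in place.
DEFAULT_MGMT_PORTS = {22, 80, 443}


def parse_port_range(text):
    """'1024-65535' -> (1024, 65535); a bare '8080' -> (8080, 8080)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def parse_upnp_acl(line):
    """Parse one ACL entry: <allow|deny> <ext ports> <host/cidr> <int ports>."""
    action, ext, host, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return (action, parse_port_range(ext),
            ip_network(host, strict=False), parse_port_range(internal))


def check_static_mappings(lan, dhcp_range, mappings):
    """A static IP must be inside the LAN subnet but outside the DHCP pool."""
    lan = ip_network(lan)
    lo, hi = (ip_address(a) for a in dhcp_range)
    findings = []
    for name, addr in mappings.items():
        ip = ip_address(addr)
        if ip not in lan:
            findings.append(f"{name}: {ip} is not inside {lan}")
        elif lo <= ip <= hi:
            findings.append(f"{name}: {ip} collides with DHCP pool {lo}-{hi}")
    return findings


def check_remote_admin(alias_networks, ports, min_prefix=24):
    """The WAN pass rule should admit only specific networks on non-default ports."""
    findings = []
    for entry in alias_networks:
        net = ip_network(entry, strict=False)
        if net.prefixlen < min_prefix:
            findings.append(f"RemoteAdmin entry {net} is wider than /{min_prefix}")
    for port in sorted(set(ports) & DEFAULT_MGMT_PORTS):
        findings.append(f"management port {port} is a default port")
    return findings


def check_upnp_acl(lan, acl_lines):
    """Allow entries should name single LAN hosts (/32), as the guide does."""
    lan = ip_network(lan)
    findings = []
    for line in acl_lines:
        action, _ext, net, _int = parse_upnp_acl(line)
        if action != "allow":
            continue
        if net.prefixlen != 32:
            findings.append(f"UPnP allow for {net} is wider than a single host")
        if not net.subnet_of(lan):
            findings.append(f"UPnP allow for {net} is outside {lan}")
    return findings


def audit():
    """Run every check over the guide's values; an empty list means all clear."""
    return (check_static_mappings(LAN_NET, DHCP_RANGE, STATIC_MAPPINGS)
            + check_remote_admin(REMOTE_ADMIN_ALIAS, MGMT_PORTS)
            + check_upnp_acl(LAN_NET, UPNP_ACL))
```

Running audit() over the guide's values returns no findings; swapping in a 0.0.0.0/0 RemoteAdmin entry, a static IP inside the 10.99.99.100-200 pool, or a /24 UPnP allow entry produces one finding each.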

Offline Kam

Good post ... thank you ..
One question though ... for mail report ... do I need to write the log locally on the pfSense ...?

Offline Edd Noman

Thank you,

Yes, the mailreport package can only send the logs that are local on pfSense, but you can use an external syslog server with pfSense and then have the syslog server email you the same report. This would be the preferred way of doing things like that, but it is out of scope for this guide, as it is about improved network functionality with basic features of pfSense and not how to configure a syslog server and export pfSense logs to it.

Offline DarkAngel

Where can I send the beer! Well written! Thanks! ;)

Offline mhon2016

Nice post Mentor, thank you so much for this...
Hope you can also create a thread on how to generate a report on bandwidth usage per IP.  :) :) :D :D :D :D