1. Overview of pfSense
1.1. Official description
The pfSense project is a free network firewall distribution based on the FreeBSD operating system with a custom kernel and includes third-party free packages for additional functionality. With the help of the package system, pfSense software can provide the same or more functions as common commercial firewalls without any artificial restrictions. It has successfully replaced every big-name commercial firewall you can imagine, including Check Point, Cisco PIX, Cisco ASA, Juniper, Sonicwall, Netgear, Watchguard, Astaro, and many more, in numerous installations around the world.
The pfSense software includes a web interface for configuring all included components. No knowledge of UNIX is required, nothing needs to be done with the command line, and no rulesets need to be manually edited. Users familiar with commercial firewalls quickly grasp the web interface, although users unfamiliar with commercial-grade firewalls may have a learning curve.
1.2. Personal description
pfSense is a completely free, open-source firewall. You can download the image from the official website and install it on your own physical device. pfSense handles functions such as zone division, network access control, NAT, and DHCP well.
2. pfSense download
2.1. Official website download
The official website download link is as follows:
https://www.pfsense.org/download/
After downloading, check the SHA256 value of the file; it is a good habit to develop.
The following is the cmd command for Windows:
certutil -hashfile pfSense-CE-2.6.0-RELEASE-amd64.iso.gz sha256
Paste the calculated SHA256 value into the Ctrl+F search box on the download page of the official website to check that it matches the published value.
3. pfSense installation
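As an added example (not part of the original article), the Python script below replaces the Ctrl+F eyeballing with an exact comparison of the full 64-character digest. The function names and the sample file are constructed for illustration, and the `SHA256 (name) = hex` line format is an assumption about how a published checksum may be written.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")
SPACED = re.compile(r"\b(?:[0-9a-fA-F]{2} ){31}[0-9a-fA-F]{2}\b")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer image is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def extract_digest(text):
    """Return the single SHA-256 value in pasted text, lower-cased."""
    # Older certutil builds print the digest as space-separated bytes.
    spaced = SPACED.search(text)
    if spaced:
        return spaced.group(0).replace(" ", "").lower()
    found = HEX64.findall(text)
    if len(found) != 1:  # a truncated or ambiguous paste is rejected
        raise ValueError("expected exactly one SHA-256 value, found %d" % len(found))
    return found[0].lower()


def verify_download(path, published_text):
    """True only if the file digest equals the complete published digest."""
    return sha256_file(path) == extract_digest(published_text)


def demo():
    """Constructed sample: a small stand-in file, not a real pfSense image."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "sample.iso.gz"
        path.write_bytes(b"constructed stand-in for an installer image\n")
        good = sha256_file(path)
        cert_out = "SHA256 hash of sample.iso.gz:\n" + " ".join(re.findall("..", good))
        bsd_line = "SHA256 (sample.iso.gz) = " + good.upper()
        tampered = ("0" if good[0] != "0" else "1") + good[1:]
        return (verify_download(path, bsd_line), verify_download(path, cert_out),
                verify_download(path, tampered))


if __name__ == "__main__":
    print(demo())
```

For a real download, call `verify_download` with the path to the downloaded file and the checksum text copied from the official download page.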
3.1. Official Website Manual
When I learned how to install it, I just followed this manual.
https://docs.netgate.com/pfsense/en/latest/preface/index.html
3.2. Installation steps
Below are my installation steps.
(1) Decompress the pfSense .gz archive; I use the 360 decompression software.
(2) Open VMware, mine is VMware workstation pro 16.2.5.
(3) Click File in the upper left corner—New Virtual Machine—Customization (Advanced)—Hardware compatibility defaults to workstation16.2.x—Install the system later—The guest operating system is Linux—The version is Fedora 64-bit.
(4) Virtual machine name pfsense.
(5) The number of processors is 1, and the number of cores per processor is 2.
(6) The memory of the virtual machine is 2G.
(7) Network connection: bridge.
(8) The I/O controller type uses the recommended configuration.
(9) The disk type uses the recommended configuration.
(10) Create a new virtual disk.
(11) The maximum disk size is 20G, and the virtual disk is stored as a single file.
(12) Specify the recommended configuration for the disk file.
(13) Click Customize Hardware to open the virtual machine settings page. Mount the pfsense.iso you just extracted on the CD/DVD drive. While you are there, turn off 3D graphics acceleration in the Display settings.
(14) Add another virtual network card.
(15) Click OK—Finish, then start the virtual machine and wait for it to load until the following interface appears. If the display resolution is too high and the window is too small, click "Stretch and maintain display aspect ratio" in the upper menu bar. Press Enter to Accept.
(16) Select Install, then OK.
(17) The Keymap Selection screen chooses the keyboard layout used by the installer. Just confirm with Select.
(18) I choose (UFS) BIOS here. According to the official website, UEFI cannot be selected, and it is not compatible with the Linux version of Fedora; ZFS needs RAID. You can experiment with these options yourself if you like.
(19) When the system prompts for final modification, select "no".
(20) REBOOT. Select "reboot".
(21) The interface is displayed after restarting. Prompt whether to use vlan, no vlan is needed here. Type n and press Enter.
(22) When prompted for the WAN network interface, enter vmx0. For the LAN interface, enter vmx1. Enter y to confirm.
(23) Enter y to start the network configuration.
(24) You now reach an interface familiar to network engineers.
(25) Enter 2 to configure an IP address, then enter 2 again to select the LAN port. Set the LAN port IP address to a free address in the network segment of the NAT network card. You can see the NAT network segment under Edit - Virtual Network Editor. Choose a free address as your pfSense LAN port IP. If you don't know how to check for a free IP, type arp -a in cmd.
(26) Enter a mask of 24 and press Enter. To enable DHCP, enter y. To configure the DHCP address pool, first enter the start address, then the end address.
(27) Finally, enter y and press Enter. The configuration is done.
(28) Now you can use the browser to log in to the webpage. Open the http URL in the picture above. You have successfully entered the pfsense web configuration interface.
(29) As shown in the figure above, you have successfully installed it.
4. pfSense configuration
4.1. Default account password
The default account provided by the official website is admin, and the default password is pfsense.
4.2. Initial configuration
(1) Log in with the default account and password. Enter the configuration wizard.
(2) Step one is nonsense.
(3) Step 2: configure the domain name and DNS. I used Ali DNS, 223.5.5.5.
(4) Step 3: configure the NTP time server, ntp1.aliyun.com, and the time zone, UTC+8, Asia/Shanghai.
(5) Step 4: configure the WAN port. If you have the basics, explore the options yourself; I keep the defaults and go to the next step.
(6) Step 5: configure the LAN port. If you have the basics, explore the options yourself; I keep the defaults and go to the next step.
(7) Step 6: change the default password.
(8) Step 7: apply the configuration by restarting.
(9) Step 8 is the restart stage; skip past it. At step 9 the configuration is complete. You will be reminded to update the software online; there is no need to update for the time being.
4.3. Switch language
Click system on the top menu bar, then click general setup.
Pull down, find localization, and find language. Choose Chinese.
Scroll to the bottom and save. The language of the webpage is switched to Chinese successfully.
5. Simple test
5.1. Adjust the test network
(1) Now you have learned how to install pfsense. It's time to make pfsense work like a corporate firewall on your personal computer. Now design a topology map.
(2) A host-only network card is now required. It is not recommended to use the host-only virtual network that comes with VMware workstation, because the DHCP function of the VMware virtual network needs to be turned off for testing. If your foundation is not good enough, you will forget it later, and a lot of time will be wasted on network adjustments.
(3) Choose to add a new virtual network here, named DMZ, demilitarized zone, that is, the network area that provides services to the outside world.
(4) Open VMware workstation—Edit—Virtual Machine Network Editor
(5) Add a network (host-only mode, DHCP disabled), then rename it. FYI, you don't need to create this many; they can represent different service networks here.
(6) On the menu bar of VMware workstation, virtual machine - settings - network adapter 2 - custom - DMZ virtual network - OK
(7) Then go back to the pfsense virtual machine.
(8) Modify the network configuration of the lan port and plan a network segment by yourself. For example, you design an IP subnet for the customer's server network segment in the enterprise.
The following is my configuration: IP is 10.0.0.254, mask is 24, DHCP pool start address is 10.0.0.10, DHCP pool end address is 10.0.0.20
(9) Enter 2—2—lan port address—24—directly enter—directly enter—enter y—enter the start address of the dhcp pool—enter the end address of the dhcp pool—enter.
(10) Using the url in the figure, you can use the DMZ virtual network to access the pfsense web page.
5.2. Test results
Use a Windows 10 virtual machine: edit the virtual machine settings - network adapter - custom - DMZ virtual network. It can be seen that the IP address is obtained normally and the external network can be pinged normally. Ali's DNS is used for the test here.
6. Explanation of virtual machine operation interface
(0) Log out (if you logged in with SSH).
(1) Assign interfaces: specify which network adapter backs each interface of your pfSense firewall. Here these are VMware Workstation virtual networks, so it is just bridging one to the other.
(2) Set the interface IP address: configure the interface IP and DHCP.
(3) Reset the password of the web page.
(4) Restore factory settings.
(5) Restart the system.
(6) Shut down.
(7) Ping network test. CTRL+C to exit.
(8) The shell interface of the underlying Linux. Type exit to exit.
(9) Look at the network connection. CTRL+C to exit.
These options are not commonly used later and will not be covered in detail for the time being.
7. Finally
The functions of the web interface have not been explained yet, and space is limited, so I plan to write another article. Editing a tutorial is too time-consuming, and I will talk about it later.
The following is a problem I have encountered before and have not studied in detail.
If your pfSense virtual machine has only one network card, and therefore only a WAN port, during configuration, it can be used normally. But when a LAN port is added later, you cannot use the WAN port IP to log in. At that point you need to debug from the pfSense console in VMware Workstation, just as in the testing chapter.
Edited 20230425.