Install and Configure pfSense in Your Home Network


(3.4.12 – This post has been amended to reflect changes in pfSense version 2.0.1 — iceflatline)

(20130924 – This post has been amended to reflect changes in pfSense version 2.1 — iceflatline)

A while back I had the opportunity to deploy pfSense for a work-related project. Impressed with its features, performance and usability, I incorporated it into my own home network. This post will describe the basics of how to install and configure pfSense version 2.0.1 (x32) in a home network and offer some recommendations based on my experiences using it.

pfSense (i.e., “making sense of packet filtering”) is a customized version of FreeBSD tailored specifically for use as a perimeter firewall and router, and managed almost entirely from a web-based GUI. In addition to being a firewall and routing platform, pfSense includes a long list of other features, as well as a package system allowing its capabilities to be expanded even further. pfSense is free and open source and its source code is released under the BSD license.

Hardware Considerations

    Minimum requirements

The minimum hardware requirements for pfSense include a 100 MHz CPU, 128 MB of system RAM, and a minimum of two Network Interface Controllers (NICs). Depending on how you decide to install pfSense, you may also need a hard drive with ~1 GB of free space as well as a CD-ROM drive or bootable USB drive in order to install pfSense to the hard drive (or to run the pfSense Live CD directly), or a 512 MB (minimum) CompactFlash (CF) card to install an embedded image of pfSense. These requirements are extremely modest, but unless your data throughput requirements are fairly small, you’re likely going to want to use hardware offering a little better performance. Since a major contributor to throughput performance is the system’s CPU, let’s start there. pfSense’s published guidelines for CPU sizing recommend the following:

  • 10-20 Mbps – no less than 266 MHz CPU
  • 21-50 Mbps – no less than 500 MHz CPU
  • 51-200 Mbps – no less than 1.0 GHz CPU
  • 201-500 Mbps – server class hardware with PCI-X or PCI-e network adapters, or newer desktop hardware with PCI-e network adapters. No less than 2.0 GHz CPU
  • 501+ Mbps – server class hardware with PCI-X or PCI-e network adapters. No less than 3.0 GHz CPU

    Your choice of NICs will also have a significant impact on reliability and throughput performance. Low cost NICs, notwithstanding the potential long term reliability concerns, tend to rely much more on the system CPU to process segments and packets compared to their higher priced counterparts. Consequently, the better the NIC, the better the throughput performance you can expect from a given CPU. In short, don’t be too frugal when it comes to the NICs you use. Intel NICs are well supported under *BSD and always a good choice. If possible, use discrete NICs rather than the on-board ones featured on many motherboards.

    You should also ensure you have enough system memory. How much you’ll need depends largely on how you decide to install and operate pfSense. You can elect to run pfSense directly from a Live CD, for example, but doing so will require more RAM than installing it on a hard drive. Some of the add-on packages will increase RAM requirements significantly as well. The pfSense development team cautions, for example, that Snort and ntop are two packages that should not be installed on a system with less than 512 MB of RAM.

    Another factor to keep in mind when considering memory requirements is the number of active network connections. pfSense keeps track of active connections using a state table. The default state table size is 10,000 entries, each requiring ~1 KB of RAM or ~10 MB in total – likely more than adequate for handling most home networks. But, if you require a significantly larger state table, keep system memory requirements in mind.

      Compatibility

    pfSense is purportedly compatible with any hardware supported by the FreeBSD version a particular pfSense build is based upon. pfSense version 2.1 for example is based upon FreeBSD 8.3-RELEASE. It’s always a good idea, however, to check the hardware you’re planning to use against the information contained in the FreeBSD 8.3-RELEASE Hardware Notes and the hardware compatibility section of the Frequently Asked Questions for FreeBSD 7.x, 8.x and 9.x. The pfSense forums are another good resource, useful for gleaning the hardware compatibility experiences of others.

      My components

    If you’re anything like me, you’ve likely managed (through no fault of your own of course) to build up quite a cache of “spare parts” as a result of upgrading various computers around the home or office. I was able to dig up the following parts to build my pfSense box:

  • Intel DG43NB motherboard
  • Intel E7500 2.93 GHz Core2Duo CPU
  • (2) Intel Pro/1000 PT (Intel 82772GI) NIC
  • Mushkin DDR2 667 (PC2 5300) 2GB RAM
  • Western Digital WD360GD 36GB SATA hard drive
  • PC Power & Cooling Turbo-cool 475 power supply
  • Lian-Li PC-60USB B2 mid-tower case

    As you can see, based on pfSense’s minimum requirements and the hardware considerations discussed above, these parts were more than adequate for my project. This particular Intel motherboard turned out to be a good choice because it includes on-board graphics, removing the requirement to install a discrete graphics card in a system that will operate headless 99% of the time. I also used a CD-ROM drive, but only for the amount of time needed to install pfSense from the Live CD; after that it was no longer needed.

    Installation

    In addition to the relatively low hardware requirements, pfSense also provides a number of options for installation.

    First, you can simply run it directly from a Live CD or bootable USB drive. Any configuration changes you make can be saved on a floppy drive or USB flash drive. The downside to this approach, however, is that you won’t be able to install any of the add-on packages available to extend the capabilities of pfSense – and there are some really nice ones.

    Another option is to install an embedded image of pfSense on a CompactFlash (CF) card rather than perform a full install on a hard drive. CF cards can handle a limited number of writes, so the embedded version runs as read only, while the file system runs as read/write from system memory. You’ll want to choose an embedded image that is sized less than or equal to the size of the CF card you’re planning to use. The newer embedded versions of pfSense based on NanoBSD have the ability to support some packages.

    Finally, the pfSense Live CD includes an option to perform a full install to a hard drive. All add-on packages are fully supported using this method. Be aware though that the entire drive or slice will be overwritten. This is the install method I chose, primarily because pfSense was going to more or less take up permanent residency in my home network and I wanted the freedom to install and try any of the add-on packages.

    Performing a full installation of pfSense on a hard drive is straightforward. Having gone through the process a number of times though, I would recommend a couple of preliminary steps. First, make a note of the Media Access Control (“MAC”) address for each NIC you’re installing in the system as well as its physical location on the motherboard. If your memory is as bad as mine, this will save you from wondering later “damn, now which NIC did I assign as the LAN interface?…” Second, disconnect the NICs from any LAN and WAN components until you have the box up and running and configured to your requirements. Finally, if you have other hard drives in the system I recommend disconnecting them until the installation is complete so as to not accidentally install to the wrong drive.

    Download a copy of the pfSense installer and burn it to a CD or place it on a bootable USB drive. After booting the system using the disk, you’ll arrive at a screen listing the valid interfaces and a request to set up V-LANs (See Figure 1). If you don’t plan to use V-LANs in your network, or perhaps have no immediate need for them, you can decline to configure them now and elect instead to configure them later using pfSense’s “webConfigurator” (webGUI) interface. Following the V-LAN option you’re asked to assign each of your interfaces to the role of either “LAN,” “WAN,” or “OPT” (Optional). Make a note of which NIC you assigned to each interface. This will come in handy later when you physically connect them to the LAN, WAN, etc.

     Screenshot of NIC and V-LAN assignment in pfSense installation

    Figure 1

    After configuring V-LANs, if desired, and assigning NICs to interfaces, the installation continues, eventually arriving at the pfSense console menu. Note that pfSense initially configures the WAN interface to use DHCP and so you will not see an IP address assigned to that interface if it was left disconnected during installation or you use a static IP address. The LAN interface will be assigned the default address of 192.168.1.1. It’s also worth pointing out here that should you desire to forego a full installation to the hard drive and instead run pfSense from the LiveCD (not recommended), you essentially have only to reconfigure your LAN IP address, if desired, by selecting “Set interface(s) IP Address” (menu option 2), then point your browser to the LAN IP address you assigned and complete further setup and configuration using pfSense’s “webConfigurator” interface (See Figure 2).

     Screenshot of pfSense console menu

    Figure 2

    To proceed with installing pfSense to the hard drive, select “Install pfSense to a hard drive, etc.” (menu option 99). The first screen to appear after this selection allows you to change a number of console settings (video font, screen map, and keymap) before continuing. Next, you’re presented with a list of installation options. If you have only one hard drive connected to the system and no need for any custom options, select “Quick/Easy Install.” If you have more than one hard drive connected to the system, selecting this option will result in pfSense being installed to the first hard drive recognized by the system BIOS. Selecting “Custom Install” presents a choice of which hard drive to install to, along with a number of options related to drive formatting, geometry, partitioning, and bootblocks (See Figure 3).

     Screenshot of pfSense install menu

    Figure 3

    The final install screen offers a choice of custom kernel configurations. The processor in my system, for example, is an Intel dual core processor, so I chose the “Symmetric Multiprocessing Kernel” option. Note that if you plan to use an Intel processor supporting “Hyper-Threading,” you should be safe using this option. When the installation finishes you’re prompted to reboot the system.

    Configuration

    After pfSense is installed to the hard drive, it’s ready for further setup and configuration. I started by returning to the console menu and selecting “Set interface(s) IP address” (menu option 2) so that I could configure pfSense’s LAN interface IPv4 address to one that would fall within the subnet used within my network. This menu option also allows me to activate pfSense’s DHCP server and define a range of IPv4 addresses for the server to use. Once the IPv4 address and DHCP server were configured, I was asked if I wanted to revert to HTTP as the webConfigurator protocol (as opposed to using HTTPS), which I chose to decline for improved login security. After these steps were completed, the LAN IP address was confirmed and I was returned to the console menu. I connected to the LAN interface, fired up the web browser, and navigated to pfSense’s webGUI. The webGUI login is password protected – the default login is admin and the password is pfsense. Since this was my first time logging in to this installation of pfSense, I was greeted with the pfSense setup wizard to perform an initial configuration (See Figure 4).

    Screenshot of the pfSense setup wizard

    Figure 4

    The setup wizard starts by asking you to define the hostname for your pfSense box, the domain where it will reside, and primary and secondary DNS servers. You can use any hostname you’d like, but be aware of the following constraints: the hostname you choose must start with a letter, and after that contain only letters, numbers or a hyphen (e.g., “firewall” or “firewall-1”). The “Domain” field can be filled in with any fully qualified domain (e.g., “mysite.org”) or a name of your choice (e.g., “homenet”). The hostname and domain fields are combined to create the fully qualified domain name of your pfSense box (e.g., “firewall.mysite.org” or “firewall.homenet”). If your service provider provisions your service using DHCP, then the DNS fields will likely be filled in automatically when you connect to your provider. If you plan to use a static WAN IP address, or simply prefer to use alternative DNS providers, then you should provide at least a primary DNS address at this point.

    The next wizard screen is where a time server hostname and timezone are defined. I recommend using the default host 0.pfsense.pool.ntp.org, which causes a random server from a pool of known good NTP servers to be chosen automatically.

    Next, you’ll be taken to the WAN section of the setup wizard (See Figure 5). If your service provider provisions your service using DHCP, then you simply need to select “DHCP” from the drop-down list; otherwise choose the appropriate service type. The “MAC Address” field under “General configuration” can be used to enter a MAC address that will pose as the MAC address of your WAN interface NIC. This feature came in quite handy in my case. My cable service provider in essence “binds” the WAN IP address to the MAC address of the device connected to the cable modem when it provisions service. Since my pfSense box would eventually replace an existing firewall, I simply copied the existing firewall’s MAC address in order to avoid the downtime that would otherwise occur as I sat on the phone with the service provider explaining the reason for the MAC address change. The “Block RFC1918 Private Networks” and “Block bogon networks” sections are selected by default in order to block invalid traffic from entering your network. The remaining sections in this portion of the setup wizard are specific to the WAN service type chosen.

    Screenshot of pfSense setup wizard - WAN section

    Figure 5

    After the WAN section, you’ll encounter the final two sections of the setup wizard. These provide the opportunity to change, if desired, the LAN IP address as well as the default password for the admin user account. Note that this password also serves as the password for SSH access as well as the console menu (should you decide to password protect it).

    At the conclusion of the setup wizard, you’ll select “Reload” and after a few moments be returned to the webGUI. At this point basic connection options are configured enough to allow the pfSense box to be safely connected to the service provider and LAN. However, before bringing pfSense online in my network, I made several other optional changes to its configuration.

      Disable webConfigurator login autocomplete

    By default login credentials for the webConfigurator may be saved by the browser. Navigate to System->Advanced->Admin Access and select “Disable webConfigurator login autocomplete” to disable autocomplete on the login form so that browsers will not prompt to save credentials (Note that some browsers do not respect this option). When complete, select “Save.”

      Password protect the console menu

    While pfSense is managed almost entirely from its webGUI, it does allow some configuration management through its console menu (See Figure 2). By default, pfSense does not secure this menu, therefore, anyone who can physically connect a monitor to the pfsense machine will have root level shell access. To prevent this (or at least make it more difficult), navigate to System->Advanced->Admin Access and select “Password protect the console menu.” When complete, select “Save.” You’ll need to reboot the box for this change to take effect. Note that the user name for the console menu is always admin or root and the password will be “pfsense” by default, or the one you chose if you elected to change the default admin password when running the setup wizard. It’s also worth noting here that if you create a new user, this new user will only be allowed access to a command line prompt at the terminal, not the console menu itself, even if you add them to the system’s admins group (See System->User Manager).

      NAT Reflection mode for port forwards

    By default pfSense prevents hosts within the LAN from accessing your public IP addresses. This can be inconvenient at times, particularly when testing port forwarding from within the LAN. To change this, navigate to System->Advanced->Firewall / NAT and, depending on your requirements, select either “Enable (NAT + Proxy)” or “Enable (Pure NAT)” from among the options in the drop down list under “NAT Reflection mode for port forwards”. When complete, select “Save.” A reboot is not needed when selecting this option so you can use it on an as-needed basis if desired.

      Packages

    As mentioned, pfSense offers a fairly extensive package system allowing you to extend its capabilities. To find a list of packages that can be added, navigate to System->Packages->Available Packages. Two packages I particularly like are RRD Summary, which will give a total amount of traffic passed in/out during the current and previous month, and iperf, a tool for testing network throughput, loss, and jitter.

      Firewall

    Setting up NAT port forwarding and firewall rules in pfSense can be a bit daunting at first. Once you get the hang of it though you’ll realize just how flexible and powerful the system is. Options for configuring port forwarding and firewall rules can be found under Firewall->NAT and Firewall->Rules respectively. I recommend setting up any port forwarding rules you may have first. Then, for each port forwarding rule, you’ll need to set up an associated firewall rule. When complete, select “Save”, then “Apply changes”.

      DHCP

    Options for configuring the DHCP server on the LAN interface can be found under Services->DHCP server. If you’re deploying pfSense in a typical home network where the availability of IP addresses is not a concern, one option you may want to consider changing is the default lease time of 7200 seconds (two hours). In order to pare down the number of lease requests in my network, for example, I increased lease time to 604860 seconds (seven days). This is also the section where you can assign static IP addresses to hosts if desired. I typically assign static IP addresses to servers and network devices (managed switches, network printers, etc.), as well as to any hosts I intend to build long-term port forwarding rules for.

      UPnP

    If you use Microsoft’s Xbox Live service in conjunction with your Xbox 360, you know what a pain in the ass it can be at times to get it to work reliably through your home network gateway/firewall. A common solution is to forward the necessary ports to the device, but what if you have two Xbox 360s? If you want one or more Xbox 360s to have reliable access to/from Xbox Live, the only real solution is to use Universal Plug and Play (UPnP). Fortunately, pfSense’s UPnP service works remarkably well. To activate it, navigate to Services->UPnP & NAT PMP and select “Enable UPnP & NAT PMP,” and “Allow UPnP Port Mapping,” then ensure that the LAN interface is selected under “Interfaces (generally LAN)”. When complete, select “Change.” That’s it. Your Xbox 360s will discover pfSense’s UPnP server and the necessary port forwarding rules will be built automatically as needed. You can check which ports have been forwarded by navigating to Status->UPnP & NAT PMP.

      Wake on LAN

    Say I’m at the office and need to grab a file from a host on my home network. But what if that host is a laptop or desktop that isn’t normally powered on? With Wake on LAN implemented in the firewall, I can remotely instruct it to send the Wake on LAN “magic packet” to the host I need powered up. To set up Wake on LAN, navigate to Services->Wake on LAN and select the “+” icon. Select the LAN interface and enter the MAC address of the host you’d like to send magic packets to. When complete, select “Save.”

      System Logs

    I like having my logs arranged so that the newest entries appear first. To do that, navigate to Status->System logs->Settings and select “Show log entries in reverse order (newest entries on top).” When complete, select “Save.”

    Remote Access

    With my pfSense box configured, it was time to move on and set up remote access to it. pfSense’s webGUI uses HTTPS and port 443 by default, and accessing it remotely is simply a matter of navigating to your WAN address. Unfortunately, many ISPs block incoming port 443 traffic. You can choose an alternate incoming TCP port by navigating to System->Advanced->Admin Access and entering the port number in the “TCP port” field. When complete, select “Save.” You will also need to create a new firewall rule under Firewall->Rules that will allow a connection on the WAN interface to pass through to pfSense’s webGUI server on the port you specify. At a minimum, this rule should define the following parameters:

    Action: Pass
    Interface: WAN
    TCP/IP Version: IPv4
    Protocol: TCP
    Destination: WAN address
    Destination port range: your alternate webGUI port selection
    Description: web admin

    pfSense’s SSH server may also be enabled to allow remote access to the console menu via an SSH client. To enable the SSH server, navigate to System->Advanced and select “Enable Secure Shell.” For improved security, I recommend using an incoming port other than 22, and a key-based login instead of a password. To use a key-based login, select “Disable password login for Secure Shell (RSA/DSA key only)” and select “Save.” Then navigate to System->User Manager. Select the “e” icon next to the admin account, then select “Click to paste an authorized key” and paste your public key into the “Authorized keys” field. When complete, select “Save.” Note: your public SSH key is stored in /root/.ssh/authorized_keys. Should you need help generating a public/private key pair, please see my previous post. Don’t forget to create a new firewall rule under Firewall->Rules that will allow a connection on the WAN interface to pass through to pfSense’s SSH server should you decide to use an alternate SSH port.
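    The two WAN rules above (alternate webGUI port, alternate SSH port) are exactly the kind of thing worth re-checking in the config backup before exposing the box. As an added example (my own code, not from the post or pfSense), this Python script reads the filter rules out of a pfSense config.xml export and lists every rule that passes traffic arriving on WAN, flagging any whose destination or port is “any”. The element names used (filter/rule, type, interface, protocol, source, destination, network, port, descr) are assumed from the config.xml layout, and the sample document is constructed rather than exported from a real firewall.

```python
"""Audit the WAN pass rules in a pfSense config.xml backup (added example).

Lists every rule that passes traffic arriving on the WAN interface so the
alternate webGUI and SSH port rules can be checked against the running
config, and flags rules whose destination or port is "any". Element names
are assumed from the config.xml layout; the sample is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample: two minimal admin rules (webGUI on 8443, SSH on 2222),
# one forgotten wide-open test rule, and the default LAN rule for contrast.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol><source><any/></source>
      <destination><network>wanip</network><port>8443</port></destination>
      <descr><![CDATA[web admin]]></descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol><source><any/></source>
      <destination><network>wanip</network><port>2222</port></destination>
      <descr><![CDATA[ssh admin]]></descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source><destination><any/></destination>
      <descr><![CDATA[temporary test rule]]></descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source><destination><any/></destination>
      <descr><![CDATA[Default allow LAN to any rule]]></descr>
    </rule>
  </filter>
</pfsense>
"""


def _endpoint(elem: Optional[ET.Element]) -> Dict[str, str]:
    """Flatten a <source> or <destination> element to {'target', 'port'}.
    <any/> means any address; "WAN address" is stored as network=wanip."""
    if elem is None or elem.find("any") is not None:
        target = "any"
    else:
        target = elem.findtext("network") or elem.findtext("address") or "any"
    port = elem.findtext("port") if elem is not None else None
    return {"target": target, "port": port or "any"}


def wan_pass_rules(config_xml: str) -> List[Dict[str, str]]:
    """Return the pass rules bound to the WAN interface, in config order."""
    root = ET.fromstring(config_xml)
    rules = []
    for rule in root.iterfind("filter/rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        dst = _endpoint(rule.find("destination"))
        rules.append({
            "descr": rule.findtext("descr") or "",
            "protocol": rule.findtext("protocol") or "any",  # absent = any protocol
            "source": _endpoint(rule.find("source"))["target"],
            "destination": dst["target"],
            "port": dst["port"],
        })
    return rules


def is_over_broad(rule: Dict[str, str]) -> bool:
    """A WAN pass rule to any destination or any port admits far more than
    the single admin port the post recommends opening."""
    return rule["destination"] == "any" or rule["port"] == "any"


def audit(config_xml: str) -> List[str]:
    """One report line per WAN pass rule, prefixed OK or WARN."""
    report = []
    for r in wan_pass_rules(config_xml):
        flag = "WARN" if is_over_broad(r) else "OK  "
        report.append(f"{flag} {r['protocol']} {r['source']} -> "
                      f"{r['destination']}:{r['port']} ({r['descr']})")
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

    Point audit() at the XML from Diagnostics->Backup/Restore to run it against a real box; any WARN line on WAN deserves a second look before the cable is plugged in.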

    Conclusion

    This concludes the post on how to install and configure pfSense on your home network. pfSense isn’t hard to configure nor complicated to manage, and proves to be a nice open source package for implementing a robust and scalable perimeter firewall and router.

    References

    http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49


    30 Responses to “Install and Configure pfSense in Your Home Network”

    1. angeb Says:

      thank you
      for this article!
      but I’m a bit stuck because I do not manage to access the web interface
      have you any idea the top

    2. iceflatline Says:

      angeb, happy to try to help. What seems to be the problem?

    3. Luke Says:

      Hi there, can you help please? I have 3 NICs: 1 on board and 2 PCI cards, but when I run the installer it says there is only 1 valid interface. How do I get the 3 of them working?

    4. iceflatline Says:

      Luke, it sounds like pfSense may be lacking driver support for the two NICs it isn’t recognizing. pfSense 1.2.3 is based on FreeBSD v7.2. Therefore, its hardware compatibility list will be the same as FreeBSD’s.

      You should start by checking that list to verify your NICs are supported. If they are not, then you’ll have to install the driver, assuming one is available for FreeBSD. There are tutorials on the Internet on how to do that. You might also try installing the latest pfSense 2.0 “snapshot” build to see if that supports your NICs.

      If you find that your NICs are listed as supported, then I’m not quite sure how to advise you. They should work. You might try simply re-seating them.

      Good luck and please post again with if and how you resolved.

    5. Luke Says:

      Thanks for the reply. My NICs are both identical with Realtek chipsets (Tenda TEL9901G).

      According to the manufacturer website, it is FreeBSD friendly

    6. iceflatline Says:

      Luke, apologies for the delay. Here is the FreeBSD 7.2 hardware compatibility list, however your Realtek NICs don’t seem to be among those listed.

    7. sachin Says:

      Hi

      This is great work you have been doing, thanks a lot.

      I just want one bit of help with how to configure firewall rules. We maintain a small company and we want to block all unwanted sites, like porn and downloading. I have configured pfSense a little bit, but it is still not good: my office users use proxy addresses and open unwanted sites, so how can I stop this?

    8. iceflatline Says:

      sachin, I’m afraid I won’t be of help here. I suggest you post this question on the pfSense IRC channel. You can find it at #pfsense on irc.freenode.net.

    9. erkko Says:

      typo: The default state table size is 10,000 entries, each requiring ~1 KB of RAM or 10 GB in total

      You surely meant to say 10MB

    10. iceflatline Says:

      erkko, indeed. Thank you, correction made.

    11. eric Says:

      Anyone know how to configure the Lucent-Alcatel VoIP to pfSense as firewall?

      Thanks

    12. Neubie2 Says:

      Just installed 2.01 on an old machine sitting around (P3-900mhz-1Gb ram) and I am impressed how feature rich this program is. I am on a small home network here with 8 machines and I have the basics set up and functioning well. Just a bit in arms with all the rules/Nat/internet connections etc, and your how-to has helped tremendously. I still need to fit a few pieces of the puzzle together to gain optimum efficiency with the program, but that will be simply a time thing. Thanks for your insight here.

    13. iceflatline Says:

      Neubie2, thanks for posting your experience. For me, pfSense was very much an iterative experience. Getting the basics down I found was far more important than diving into the deep end on the first go. Once I felt more comfortable using it, I started experimenting with some of its more advanced features.

      Remember to save your config file once in awhile; that way, you can revert back if you experiment a little too much ;-)

    14. Dashpuppy Says:

      Thanks for this article, worked great..

      Thanks

      Dashpuppy

    15. iceflatline Says:

      Dashpuppy, awesome. Glad it worked for you.

    16. Vishal Gupta Says:

      Please bear with my long explanation, but this is important to explain the actual problem. Please also pardon my knowledge of pfSense as I am new to this.

      I have a single pfSense box with 3 Ethernet adapters. Before moving to the configuration for these, I want to let you know I have two Ethernet based Internet Leased Line connections; let’s call them ISP A and ISP B. The last interface is LAN, which is connected to a network switch.

      Typical network diagram

      ISP A —–>

      PFSense —-> Switch —- > Servers

      ISP B —–>

      ISP A (Initially Purchased)

      WAN IP:- 113.193.X.X /29

      Gateway IP :- 113.193.X.A

      and other 4 usable public IP in same subnet(So the gateway for those IP are also same).

      ISP B (Recently Purchased)

      WAN IP:- 115.115.X.X /30

      Gateway IP :- 115.115.X.B

      and 5 other usable public IPs in a different subnet (so the gateway for those IPs is different); for example, if 115.119.X.X2 is one of the IPs from that list then the gateway for this IP is 115.119.X.X1.

      Configuration for 3 Interfaces

      Interface : WAN

      Network Port : nfe0

      Type : Static

      IP Address : 113.193.X.X /29

      Gateway : 113.193.X.A

      Interface : LAN

      Network Port : vr0

      Type : Static

      IP Address : 192.168.1.1 /24

      Gateway : None

      Interface : RELWAN

      Network Port : rl0

      Type : Static

      IP Address : 115.115.X.X /30 (I am not sure of the subnet)

      Gateway : 115.115.X.B

      To use Public IP from ISP A i have done following steps

      a) Created Virtual IP using either ARP or IP Alias.

      b) Using Firewall: NAT: Port Forward >> i have created specific natting from one public IP to my internal Lan private IP for example :-

      WAN TCP/UDP * * 113.193.X.X1 53 (DNS) 192.168.1.5 53 (DNS)

      WAN TCP/UDP * * 113.193.X.X1 80 (HTTP) 192.168.1.5 80 (HTTP)

      WAN TCP * * 113.193.X.X2 80 (HTTP) 192.168.1.7 80 (HTTP)

      etc.,

      c) Current state for Firewall: NAT: Outbound is Manual and whatever default rule are defined for the WAN those are only present.

      d) If this section in relevant then for Firewall: Rules at WAN tab then following default rule has been generated.

      RFC 1918 networks * * * * * Block private networks

      Reserved/not assigned by IANA * * * * * *

      To use Public IP from ISP B i have done following steps

      a) Created Virtual IP using either ARP or IP Alias.

      b) Using Firewall: NAT: Port Forward >> i have created specific natting from one public IP to my internal Lan private IP for example :-

      RELWAN TCP/UDP * * 115.119.116.X.X1 80 (HTTP) 192.168.1.11 80 (HTTP)

      c) Current state for Firewall: NAT: Outbound is Manual and whatever default rule are defined for the RELWAN those are only present.

      d) If this section in relevant then for Firewall: Rules at RELWAN tab then following default rule has been generated.

      RFC 1918 networks * * * * *

      Reserved/not assigned by IANA * * * * * *

      Last thing before my actual query is to make you aware

      that to have multiple Wan setup i have done following steps

      a) Under System: Gateways at Groups Tab i have created new group as following

      MultipleGateway WANGW, RELWAN Tier 2,Tier 1 Multiple Gateway Test

      b) Then Under Firewall: Rules at LAN tab i have created a rule for internal traffic as follows

      LAN net * * * MultipleGateway none

      c) This setup works if unplug first ISP traffic start routing using ISP 2 and vice-versa.

      Now my main query and problem is that I am not able to use the public IP addresses allocated by ISP B. I have tried many small tweaks but was not successful in any of them. The notable differences between the two ISPs are:

      a) In case of ISP A there Public usable IP address are on same subnet so the gateway used for the WAN ip is same for the other public IP address.

      b) In case of ISP B there public usable IP address are on different subnet so the obvious the gateway IP for them is different from WAN gateway’s IP.

      Please let me know how to use ISP B public usable IP address, in future also i am going to rely for more IPs from ISP B only.

    17. iceflatline Says:

      Vishal, I believe you must build a route between ISP B’s /30 and the subnet they allocated to you for WAN connectivity. You could try setting up the route under System->Routes; although, I personally have not tried using pfSense for routing. The other option of course is to place an actual router on that circuit with the correct route configured. My advice is to consult with representatives from ISP B and see what they suggest. You could also post your question(s) in the pfSense forum or their IRC channel and see if further help can be offered.

    18. sreeraj Says:

      I have two ISPs’ static IPs configured in WAN and OPT. I want to forward internet traffic from WAN to the LAN 192.168.1.10 to 150 range and traffic from OPT to the LAN 192.168.1.151 to 250 range. Is it possible? Can you help me? I am stuck here.

    19. iceflatline Says:

      sreeraj, I would suggest you post your question(s) in the pfSense forum or their IRC channel.

    20. shawn Says:

      nice write up. thanks man!

    21. iceflatline Says:

      shawn, thanks!

    22. jj Says:

      Hi,

      Thanks for the tutorial! A couple of comments, as I follow along and experiment. You write: “By default, access to the webConfigurator is always permitted on port 80” Having tried to access the machine from outside, it seems that access is not enabled by having this set to port 80, as long as the LAN is locked down with no NAT rules. It takes a port forward under >Firewall>NAT to enable access. Also, you write: “By default, pfSense does not secure this menu, therefore, anyone who can physically connect a monitor to the pfsense machine will have root level shell access.” Actually, anyone on the LAN can connect via SSH if this is not password-protected; it doesn’t take physical access to the machine.

      Just a few additions (hopefully I’m not mistaken) to your helpful guide. Thanks.

    23. iceflatline Says:

      jj, thanks for commenting. Using v2.1 Beta I have quite the opposite experience. I’m always allowed access on port 80 unless I change the TCP listening port under System -> Advanced regardless of whether or not the WebGUI redirect or the anti lockout options are selected. Weird. Anyway, I’ve removed the offending paragraph to avoid confusion.

      Regarding SSH, the SSH server must be started in pfSense before LAN users can access a shell. When they attempt to get a shell they will need to provide a password by default. Whereas with respect to the console, unless the “Password protect the console menu” option under System -> Advanced is selected anyone with a monitor and a keyboard will have shell access and can simply su to root.

    24. YahayKa Says:

      hi!

      can you help…
      how can i access the web interface???

    25. iceflatline Says:

      YahayKa, point your browser to the IP address you configured for the LAN interface. If you elected to retain the HTTPS protocol when you set up the LAN interface then the URL would be https://your_LAN_IP_address.

    26. YahayKa Says:

      ok, should i used another computer to enter in in web interface???…

    27. YahayKa Says:

      ok, should i used another computer to enter in the web interface???…

    28. iceflatline Says:

      YahayKa, Correct. The computer should be on the same IP subnet as the LAN interface of the pfSense box.

    29. YahayKa Says:

      thank you…i try it (^^,)

    30. pfSense Setup: Part Two - pfsense Setup HQ Says:

      [...] Another useful guide on installing and configuring pfSense (from the iceflatline blog) [...]
