Wednesday, May 16, 2012

Setting up pfSense as main firewall and Untangle in bridge mode as UTM

Overview:
pfSense is one of the best, if not the best, open source firewalls out there today, and I've been using it since 2005. It's based on FreeBSD and uses OpenBSD's pf (packet filter). Not only is it lightweight (you can install it even on an old 486-based PC; in fact my first install was on a Pentium 266 MHz MMX with just 256MB of RAM and a 10GB HDD), it's also very easy to use.
Untangle is a Linux-based firewall/router and Unified Threat Management (UTM) appliance in one (a jack-of-all-trades box) and is also a new kid on the block. It's also very easy to use; the caveat is that it's heavy on resources (you need at least 2GB of RAM for decent performance), but it works best as a filtering device (anti-spam, web filter, anti-phishing and Layer 7 protocol control).
My network is setup such that pfSense is the main perimeter firewall facing the internet and Untangle as UTM as shown in the figure:
As you can see the network has several servers behind pfSense and Untangle e.g., FTP server, Web Server, Mail Server and File Server.
If you don't yet have the pfSense and Untangle ISOs, you can download them from the following sources:
 
Download pfSense (version 1.2.2 as of this writing) :
Download Untangle (version 6.1 as of this writing):
Burn the downloaded ISOs using your favorite burner.
 
Installing pfSense.
Installing pfSense is pretty much straightforward; all you need is a little understanding of disk slices, and don't be intimidated by its curses-based installer.
 
Set your BIOS to boot from CD-ROM and insert the bootable CD so that the PC boots into pfSense. You will need at least two network cards installed in the PC, one for the WAN interface and the other for the LAN interface.
Once the PC has booted pfSense, you will be presented with the FreeBSD bootloader screen listing 7 options; just wait for the default, option (1), to boot. Take a sheet of paper and write down the names of the valid interfaces; you will need them in a moment. Mine are em0 and em1. You will be asked if you want to configure VLANs; just select no if you don't want to set up VLANs.
“Do you want to set up VLAN’s now (y|n)?” Enter “n” to select No.
Then you are asked to
“Enter your LAN interface name”
Enter one from the notes I told you to make earlier, in this case ‘em0’. Next you’re asked to:
“Enter your WAN interface name”
Enter ‘em1’ then press the Return key.
Since we only have two interfaces, just hit the Return key when the system asks about the optional interface.
You will then be asked
“Do you want to proceed? y|n”
Make sure you enter ‘y’ here to proceed or else you have to repeat the whole process.
pfSense is now running from RAM and almost fully functional. If you wish, you may plug your LAN interface into a hub or switch and connect via the web interface; pfSense's LAN interface is assigned the IP 192.168.1.1 by default. Next we're going to install pfSense to the hard drive permanently instead of just running it from RAM.
Hard Drive Install
Select option (99) to install pfSense to the hard drive.
This is a curses-based install. The install works best if you use an entire hard disk. If there is any data on the disk, make sure you have copied it to another location. As a rule of thumb you can accept the default settings presented during the curses-based install.
Remember to remove the cdrom from the drive when you reboot.
Now we have rebooted and are presented with the “pfSense console setup” for a second time. At this point you can unplug your monitor cable and manage the firewall via a browser, or you could select option 8 and explore via a shell.
Make sure your computer's interface is in the 192.168.1.0/24 subnet, because pfSense's LAN interface is 192.168.1.1 by default.
The default username and password for the web GUI are 'admin' and 'pfsense'.
Now select System > Setup Wizard; the wizard will guide you through the initial configuration of pfSense.
Enter the following information:
Hostname: pfsense
Domain: local
Primary DNS: 208.67.222.222
Secondary DNS: 208.67.220.220
Notice that I used OpenDNS's server IP addresses as my primary and secondary DNS servers respectively; I highly recommend this instead of relying on your ISP's unpredictable DNS.
Click Next, enter your correct time zone, then click Next to configure the WAN interface.
I chose a static address for the WAN interface since I have my own public static IP address provided by my ISP; otherwise you have a dynamically assigned IP address, so just keep the default DHCP assignment and then click Next to configure the LAN interface.
For the LAN IP enter 192.168.1.1 with subnet mask /24, then click Next to change the default password.
To apply the changes you will be asked for your new username and password and asked to reload your browser.
For this tutorial we'll just use the default firewall rules created by pfSense; for more elaborate rules visit http://doc.pfsense.org for more information.
Installing Untangle:
Installing Untangle is a walk in the park thanks to its Graphical User Interface (GUI); just follow the on-screen instructions of the wizard. Remember though that we're going to use Untangle in bridge mode, so don't configure it as a router! When the installation is done you'll be asked to reboot; remove the Untangle CD when you do.
When the system is done rebooting it will automatically start a wizard to help you configure Untangle for use in your network; follow the steps in the wizard. Then download and install the following applications to extend the functionality of your Untangle box:
  • Web Filter
  • Anti SPAM
  • Anti Phishing
  • Virus Control
  • Protocol Control
For more information regarding Untangle just visit this URL -> http://wiki.untangle.com/index.php/Untangle_Server_User's_Guide
Network Configuration:
As you can see in the network diagram shown above, the Untangle box sits behind pfSense, which is our main firewall. Untangle must be in bridge mode (it will not perform any routing). The LAN interface of pfSense should be connected to Untangle's external (WAN) interface (a crossover cable works for this, or an extra switch if you have one), and Untangle's second interface is then bridged to its external interface, hence Untangle has only one IP address, in my case 192.168.1.9.
Now we're ready to connect clients behind Untangle to see if everything works. Configure Untangle's web filter to block porn sites, then try to browse to a porn site from behind Untangle. If you see the default stop-sign HTML page, you've configured everything and connected the cables correctly; if you only see a plain-text block message, swap the cable connections on the Untangle box.
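As an added example (not the article's or pfSense's own code), here is a Python check that audits a pfSense config.xml backup against the values entered in the setup wizard above and confirms that the Untangle bridge address from this Network Configuration section sits inside the pfSense LAN subnet. The element names (system/dnsserver, interfaces/wan/if, interfaces/lan/if, ipaddr, subnet) follow the layout of a pfSense config.xml backup; the XML below is a constructed sample.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a pfSense config.xml backup,
# filled with the wizard values above (OpenDNS, em0 = LAN 192.168.1.1/24, em1 = WAN).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>pfsense</hostname>
    <domain>local</domain>
    <dnsserver>208.67.222.222</dnsserver>
    <dnsserver>208.67.220.220</dnsserver>
  </system>
  <interfaces>
    <wan><if>em1</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
</pfsense>
"""
OPENDNS = {"208.67.222.222", "208.67.220.220"}
UNTANGLE_BRIDGE_IP = "192.168.1.9"  # the bridge address used in this write-up


def audit(config_xml: str, bridge_ip: str = UNTANGLE_BRIDGE_IP) -> list[str]:
    """Return findings that deviate from the baseline; [] means all checks passed."""
    root = ET.fromstring(config_xml)
    findings = []
    # DNS: only the two OpenDNS resolvers should be configured.
    dns = {e.text.strip() for e in root.findall("./system/dnsserver") if e.text}
    if not dns:
        findings.append("no DNS servers configured")
    elif not dns <= OPENDNS:
        findings.append(f"unexpected DNS servers: {sorted(dns - OPENDNS)}")
    # Interface assignment: WAN and LAN must both exist and be distinct NICs.
    wan_if = root.findtext("./interfaces/wan/if")
    lan_if = root.findtext("./interfaces/lan/if")
    if not wan_if or not lan_if:
        findings.append("WAN or LAN interface not assigned")
    elif wan_if == lan_if:
        findings.append(f"WAN and LAN share interface {wan_if}")
    # LAN addressing: the bridged Untangle box has one IP, which must be in the LAN subnet.
    lan_ip = root.findtext("./interfaces/lan/ipaddr")
    lan_bits = root.findtext("./interfaces/lan/subnet")
    try:
        lan_net = ipaddress.ip_network(f"{lan_ip}/{lan_bits}", strict=False)
    except ValueError:
        findings.append(f"invalid LAN address {lan_ip}/{lan_bits}")
        return findings
    if ipaddress.ip_address(bridge_ip) not in lan_net:
        findings.append(f"Untangle bridge {bridge_ip} is outside LAN {lan_net}")
    return findings
```

Run it against a backup exported from Diagnostics > Backup/Restore; an empty list means the box matches the layout described here.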
That's all there's to it!

Installing pfSense to Hard Disk

If you are satisfied and want to set up pfSense on your hard drive, run option 99 from the shell menu now. The configuration you made will be transferred to the hard drive by the installer.

(Basically you can run through the installer by just accepting all suggestions the installer is offering)
 
[Screenshot: pfSense main menu]


First you get some settings to localize your keyboard or change your console appearance. Change what you need or just go on by accepting the settings.


[Screenshot: pfSense initial installer screen]

Next pfSense will present you with a list of detected suitable install media.

Please make sure you are not accidentally overwriting data you still need. It's recommended to have a dedicated medium only for your install; any other constellation is not officially supported. Choose your medium and hit enter to continue.


[Screenshot: Installer, select a disk]


You should format the disk to prepare it for the installation. Beware: this will wipe your entire medium!

 
[Screenshot: Installer, format this disk]

At the next step pfSense will show you the detected drive geometry. You should leave this the way it was detected as long as you don't run into any trouble while installing with these settings. In case you get errors, try to alter your BIOS settings before manually entering values here; setting your drive from auto to LBA or CHS in the BIOS might already help to detect the right settings.


[Screenshot: Installer, select geometry]

Now you are at the point of no return: Only hit "Format xxX" if you are really sure there is no valuable data left at this media!
 
[Screenshot: Installer, about to format, proceed]


The media is now prepared to continue with partitioning. Just hit enter to move on.

[Screenshot: Installer, partition disk]


pfSense suggests using the complete space of your drive for the installation. You usually should just keep this setting and move on to the next step.



[Screenshot: Installer, edit partitions]


In case your partitioning is the same as before because this is a reinstall, confirm the changes.


[Screenshot: Installer, partition anyway]

You typically can confirm the following step. If you encounter problems with the bootloader after the installation is done rerun the installation and check "Packet mode" at this screen.


[Screenshot: Installer, install bootblocks]

Select the newly created partition as the target for your installation.

[Screenshot: Installer, select a partition for install]

Confirm this step. If you skipped the above settings, this is the point where your data on the medium will be overwritten.

[Screenshot: Installer, are you sure]

pfSense now suggests a layout for your subpartitions, which you usually should just keep.




[Screenshot: Installer, select subpartitions]

After accepting the above settings, pfSense starts transferring the system to the prepared medium.


[Screenshot: Installer, executing commands]
After a short time you will be asked to remove the CD and reboot the system to boot your new install.

[Screenshot: Installer, reboot]

The system is now going down for reboot, and your installation is finished.



[Screenshot: pfSense is now rebooting after installation]

Additional Information

For additional information on Installing pfSense, see the page Category:Installation.


1 comment:

  1. We are the world's leading publisher of Squid 'Native ACL' formatted blacklists, that allow for web filtering directly with Squid proxy. Of course we also offer alternative formats for the most widely used third party plugins, such as DansGuardian and Squidguard. And while our blacklists are subscription based, they are, as a result of our efforts, of a much higher degree of quality than the free alternatives.

    We hope to serve you,

    --
    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org