Overview:
pfSense is one of the best if not the best Open Source based firewall out there today and I've been using it since 2005. It's based on FreeBSD and uses OpenBSD's pf (packet filtering), not only that it's lighweight (you can install it even in an old 486 based PC, in fact my first install was using a Pentium 266 MHz MMX with just 256MB of RAM and a 10GB HDD) it's also very easy to use.
Untangle is a Linux based firewall/router and Unified Threat Management Machine (UTM) in one( a jack of all trade box) and is also a new kid on the block. It's also very easy to use caveat though is it's heavy on resources (you need at least 2GB of RAM for a decent performance) but it works best as a filtering device (anti SPAM, web filter, anti Phising and Layer 7 protocol control).
My network is setup such that pfSense is the main perimeter firewall facing the internet and Untangle as UTM as shown in the figure:
As you can see the network has several servers behind pfSense and Untangle e.g., FTP server, Web Server, Mail Server and File Server.
If you don't have yet the pfSense and Untangle iso's you can download it from the following sources:
Download pfSense (version 1.2.2 as of this writing) :
Download Untangle (version 6.1 as of this writing):
Burn the downloaded ISO's using your favorite burner.
Installing pfSense.
Installing pfSense is pretty much straight forward, all you need to have is a little understanding about slices, also don't be intimidated by its curses based install.
Set your bios to boot from cdrom and load your bootable CD so that we can boot into pfSense on your PC. You will need to have at least two network cards installed in the PC, one for the WAN interface and the other for the LAN interface.
Once the PC booted to pfSense, you will be presented with the FreeBSD bootloader screen, there are 7 options that are listed, just wait for the default option in this case Option (1) to boot up. Take a sheet of paper and write down the initials for the Valid interfaces, you will need them in a moment. Mine are em0 and em1. You will be asked if you want to configure your virtual LAN, just select no if you don't want to setup VLAN's
“Do you want to set up VLAN’s now (y|n)?” Enter “n” to select No.
Then you are asked to
“Enter your LAN interface name”
Enter one from the notes I’ve told you to create earlier, in this case ‘em0’, next you’re asked to:
“Enter your WAN interface name”
Enter ‘em1’ then press the Return key
Since we only have two interfaces just hit the Return key when the system asked about the optional interface.
You will then be asked
“Do you want to proceed? y|n”
Make sure you enter ‘y’ here to proceed or else you have to repeat the whole process.
pfSense is now running in RAM and almost fully functional. If you wish you may plug your LAN interface into a hub or switch and connect via the web interface. pfSense is by default assigned an ip of 192.168.1.1. Next we're going to install pfSense to the hard drive permanently instead of just running it on RAM.
Hard Drive Install
Select option (99) to install pfSense to the hard drive.
This is a curses based install. The install works best if you use an entire hard disk. If there is any data on the disk make sure that you have copied it to another location. Now you can as a rule of thumb accept the default settings that are presented during the curses based install.
Remember to remove the cdrom from the drive when you reboot.
Now we have rebooted and are presented with the “pfsense console setup” for a second time. At this moment you can unplug your monitor cable and manage this firewall via a browser or you could select option 8 and explore via a Shell.
Make sure your computers interface is in the 192.168.1.0 subnet, because 'pfSenses' LAN interface is by default 192.168.1.1.
The defualt username password for the web GUI is 'admin' 'pfsense'.
Now we are going to select System > Setup Wizard > The wizard will guide you through the initial configuration of pfSense.
Enter the following information:
Hostname: pfsense
Domain: local
Primary DNS: 208.67.222.222
Secondary DNS: 208.67.220.220
Notice that I used OpenDNS server's ip addresses as my Primary and Secondary DNS servers respectively and highly recommended instead of using your unpredictable ISP's DNS.
Click Next and enter your correct timeZone then click Next to configure the WAN interface.
I chose static address for the WAN interface since I've have my own Public Static IP address provided by my ISP otherwise it means you have dynamically assigned IP address so just use the default DHCP assigned and then click Next to configure the LAN interface.
For the LAN IP enter 192.168.1.1 and subnet mask /24. then click Next to change the default password.
To effect the changes you will be asked for your new username and password and will be asked to reload your browser.
For this tutorial we'll just use the default firewall rule created by pfSense, for more elaborate rules just visit http://doc.pfsense.org for more information.
Installing Untangle:
Installing Untangle is a walk in the park because of its Graphical User Interface (GUI), just follow the on screen instructions of the wizard, remember though that we're going to use Untangle in bridge mode! so don't configure it as Router! When the installation is done you'll be asked to reboot, remove the Untangle CD when you reboot.
When the system is done rebooting it will automatically start the wizard to help you configure Untangle for use in your network, follow the steps in the wizard. Download and install the following applications to extend the functionality of your Untangle box:
- Web Filter
- Anti SPAM
- Anti Phising
- Virus Control
- Protocol Control
For more information regarding Untangle just visit this URL -> http://wiki.untangle.com/index.php/Untangle_Server_User's_Guide
Network Configuration:
As you can see in the network diagram shown above, the Untangle box is behind pfSense which is our main firewall, Untangle must be in bridge mode (Untangle will not perform any routing function). The LAN interface of pfSense should be connected to Untangle's WAN (external) interface ( you can just use a cross-over cable for this or an extra switch if you have one) and the second interface of Untangle will then be bridged to its external interface hence Untangle will only have one ip address i.e. in my case 192.168.1.9.
Now we're ready to connect clients behind Untangle to see if everything works. Try to configure Untangle's web filter to block porn sites then try to surf a porn site from behind Untangle, if you see the default stop sign HTML page then it means you've configured and connected the cables correctly, if you just see a plain text block message then you have to interchange the cable connection of the Untangle box.
That's all there's to it!
Installing pfSense to Hard Disk
If you are satisfied and want to setup pfSense to your hard drive run option 99 from the shell menu now. The configuration you did will be transferred to the hard drive by the installer.(Basically you can run through the installer by just accepting all suggestions the installer is offering)
First you get some settings to localize your keyboard or change your console appearance. Change what you need or just go one by accepting the settings.
Next pfSense will present a list with detected suitable installmedias to you.
Please make sure you are not accidently overwriting data you still need. It's recommended to have a dedicated media only for your install. Any other constelations are not officially supported. Choose your media and hit enter to continue.
You should format the disk to prepare it for the installation. Beware this will whipe your entire media!
At the next step pfSense will show you the detected drive geometry. You should leave this the way it was detected as long as you don't run into any troubles
while installing with these settings. In case you get errors try to alter your bios settings befor manually entering values here. Setting your drive from auto to lba or chs in bioas already might help to detect the right settings.
Now you are at the point of no return: Only hit "Format xxX" if you are really sure there is no valuable data left at this media!
The media is now prepared to continue with partitioning. Just hit enter to move on.
pfSense suggests using the complete space of your drive for the installation. You usually should just keep this setting and move on to the next step.
In case your partitioning was the same like before as this is a reinstall confirm the changes.
You typically can confirm the following step. If you encounter problems with the bootloader after the installation is done rerun the installation and check "Packet mode" at this screen.
Select the just created partition as target for your installation.
Confirm this step. In case you skipped the above settings this is the point where your data on the media will be overwritten.
pfSense suggests a setting for your subpartitioning now which you usually should just keep.
After accepting the above settings pfSense is starting to transfer the system to the prepared media.
You will be asked after a short time to remove the CD and reboot the system to
boot your new install.
The system is now going down for reboot and your installation is finished
No comments:
Post a Comment