Mastering pfSense Second Edition
Manage, secure, and monitor your on-premise and cloud network with pfSense 2.4
David Zientara
BIRMINGHAM - MUMBAI

Copyright © 2018 Packt Publishing. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Shrilekha Inani
Content Development Editor: Priyanka Deshpande
Technical Editor: Mohit Hassija
Copy Editor: Safis Editing
Project Coordinator: Virginia Dias
Proofreader: Safis Editing
Indexer: Mariammal Chettiyar
Graphics: Tom Scaria
Production Coordinator: Shantanu Zagade

First published: August 2016
Second edition: May 2018
Production reference: 1040518

Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK
ISBN 978-1-78899-317-3
www.packtpub.com

To my mother, Isabel Zientara, and to the memory of my father, Francis, for their constant encouragement and support, and for always keeping me focused on what is important. To my siblings, who have always been there when needed.

Assessments

Chapter 1 – Revisiting pfSense Basics
- Demilitarized zone (DMZ)
- CPU: 500 MHz or greater; RAM: 512 MB; disk space: GB KB
- Checksums verify the integrity of a download: if the checksum computed over the downloaded image matches the value the project publishes, the download is complete and byte-for-byte identical to what was published. Note that this only detects tampering if the reference checksum was itself obtained from a trusted source (for example, over HTTPS from the project's own download page) rather than from the same mirror that served the image; a checksum alone says nothing about who produced the file.
- (a) ZFS (b) UFS (DOS is also an acceptable answer)
- At the console/shell and in the web GUI
- The following are all valid answers: Static; DHCP; PPTP; PPPoE; PPP; L2TP
- (a) Enabled (b) Disabled (c) Block Private Networks is enabled on the WAN interface because private (RFC 1918) addresses are, by definition, not routable on the public internet, so a packet carrying such a source address should never legitimately arrive on the WAN. On the LAN interface and other local interfaces, however, we generally want private addresses to work.
- Via the Setup Wizard and System | General Setup
- The following are all valid answers: Hostname, Domain, DNS Servers, Timezone, NTP Server, WAN Interface, LAN Interface, Password

Chapter 2 – Advanced pfSense Configuration
- (a) Transmission Control Protocol (TCP) (b) 67 and 68 (c) User Datagram Protocol (UDP) (d) 67 and 68
- M flag: 0; O flag: 1; L flag: 1; A flag:
- DNS Resolver (the default) and DNS Forwarder
- (a) UDP (b) 53
- It can be updated much more rapidly than traditional DNS, making it suitable for scenarios in which the IP address associated with a domain name changes frequently
- User Manager, Voucher, and RADIUS
- Global Positioning System (GPS) or Pulse Per Second (PPS)
- The structure into which management data is hierarchically organized in an SNMP-managed network (the Management Information Base, MIB)
- 161

Chapter 3 – VLANs
- 802.1Q
- 1, 4094
- Switch spoofing, double tagging
- It increases the number of possible VLANs (16,752,649 with a single level of nesting, with even more VLANs possible if there are multiple levels of nesting)
- Increased throughput, redundancy
- None (we have to create rules to allow access from VLANs to other networks ourselves)
- Trunk ports and VLAN ports
- PVID
- Static, Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP)

Chapter 4 – Using pfSense as a Firewall
- The principle of least privilege
- Block drops the traffic silently, while Reject sends a response back to the sender (a TCP RST for TCP, or an ICMP Port Unreachable message for UDP)
- We will be able to connect to Recode; the block rule has no effect because it was placed after the "Allow LAN to any" rule, and the first matching rule wins
- We will not be able to connect to Recode; the block rule matches the traffic to Recode before the "Allow LAN to any" rule is reached
- (a) We will not be able to connect to Recode; the new "default allow" rule is invoked after the block rule (b) We will be able to connect to Recode; the new "default allow" rule is invoked before the block rule (c) The default "Allow LAN to any" rules no longer have any effect on traffic flow because they are never reached; the floating "default allow" rule is invoked first
- IP, Network, Port, URL
- (a) Navigate to Firewall | Aliases, click on the IP tab, click on Add, and enter each IP address manually; (b) navigate to Diagnostics | DNS Lookup, perform a DNS lookup, and create an alias from it; (c) navigate to Firewall | Aliases, click on the Import button, and bulk import an IP alias

Chapter 5 – Network Address Translation
- Classless networks (CIDR), private networks (RFC 1918 networks), and IPv6 (any two would be acceptable)
- No; we do not need to alter the Outbound NAT settings, because outbound NAT rules were generated automatically for each of the non-WAN interfaces
- Two rules (one for IPsec and the other for all other traffic)
- 1:1 NAT
- The port-forwarded traffic will be blocked by the firewall
- We normally don't care what the source of the incoming traffic is
- (a) 7000; (b) 3389
- (a) Multihoming and route aggregation are both valid answers (b) DHCPv6

Chapter 6 – Traffic Shaping
- To ensure that network traffic conforms to certain predefined constraints
- (a) Priority queuing (PRIQ), class-based queuing (CBQ), and Hierarchical Fair Service Curve (HFSC) (b) Class-based queuing (c) Hierarchical Fair Service Curve
- No; we can only implement it with third-party packages such as Snort
- (a) The Multiple Lan/Wan configuration wizard; (b) the Dedicated Links wizard
- Explicit Congestion Notification
- The Floating Rules tab
- None; we have to manually enable each interface
- By navigating to Status | Queues and looking under the Length column

Chapter 7 – Virtual Private Networks
- Peer-to-peer and client-server
- (a) IPsec, L2TP, and OpenVPN (b) L2TP
- Authentication Header (AH), Encapsulating Security Payload (ESP), and Security Association (SA)
- (a) The connection will fail, because when the Key Exchange version is set to Auto and pfSense is the initiator, it uses IKEv2; since the other firewall is using IKEv1, there will be a mismatch (b) The connection will succeed, because pfSense as the initiator will again use IKEv2, and the protocols will match
- (a) 500; (b) 1194
- Challenge-Handshake Authentication Protocol (CHAP), MSCHAPv2, and Password Authentication Protocol (PAP)
- Elliptic-curve Diffie-Hellman (ECDH)
- Lightweight Directory Access Protocol (LDAP) and Remote Authentication Dial-In User Service (RADIUS)

Chapter 8 – Redundancy and High Availability
- Any three of these: random, round robin, weighted round robin, least connection, least traffic, least latency, IP hash, URL hash, SDN adaptive
- Client-side load balancing: easy to implement and effective. Server-side load balancing: better able to guarantee load balancing; transparent to the client; more secure; we can provide a message to the client when all servers are down
- Load balancing and failover
- The most likely cause is that I forgot to update the alias for the server pool to include the new server. Since the firewall rule that allows traffic to pass to the server pool uses this alias, it allows traffic to pass to every server except the new one
- (a) Yes; (b) no; (c) yes; (d) no
- No; we do not have to create a virtual IP for the PFSYNC interface, because we use it only to pass synchronization data between the firewalls; we don't want any redundancy on this interface
- The firewall rule will get overwritten when data is synchronized from the master firewall
- Because, if the advertising frequency is the same on two or more backup firewalls, then when the master goes down two or more backup firewalls will try to become master at the same time
- Use HAProxy and select Least Connections as the Balance option when configuring the backend
- Navigate to Status | CARP (failover) and click on the Enter Persistent CARP Maintenance Mode button

Chapter 9 – Multiple WANs
- Service-Level Agreement (SLA)
- Routing in which routing decisions are dictated by administrative policy
- (a) Load balancing (b) Failover
- Traffic between local interfaces will be routed through the original WAN interface and will never reach the gateway group; pfSense's default behavior is to route external traffic to the primary WAN interface
- You are configuring an OPT_WAN interface and the OPT_WAN's DNS server is not the same as the Monitor IP. We do not have to configure a static route for the primary WAN interface, because external traffic is routed to it by default, and we do not have to configure a static route if the OPT_WAN's DNS server is the same as the Monitor IP, because pfSense will add a static route for the Monitor IP
- One for each OPT_WAN interface (and one for each 1:1 NAT mapping, if we have any)
- Use Sticky Connections
- Acceptable answers: the load balancing gateway group isn't working properly; the web page is cached and therefore isn't refreshing when we reload it; the connections are weighted such that the secondary connection handles very little traffic; Use Sticky Connections or some other persistent connection option is enabled; other users are on the network and generating a share of the connections going to the nonprimary connections

Chapter 10 – Routing and Bridging
- Routing involves moving traffic between networks (internetwork traffic), whereas bridging involves connecting segments on the same network (intranetwork traffic)
- (a) Distance vector protocols (b) Link-state protocols
- Enable Static route filtering in System | Advanced (Firewall and NAT tab) or create firewall rules to deal with the static routes
- (a) routed (b) Quagga OSPF or FRR (FRRouting) (c) FRR
- Adding one or more gateways
- Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP)
- Looping
- The routing table found at Diagnostics | Routes

Chapter 11 – Extending pfSense with Packages
- The web GUI and the command line
- 3128
- (a) Access to the website will still be blocked, because installing Squid does not enable Squid by default (b) Access to the website will be possible, because the client's traffic now reaches the proxy rather than the blocked site directly (in transparent mode it is redirected to Squid by NAT before the firewall rules are evaluated), so the block rule never matches; Squid then fetches the page itself, and we have not added the site to Squid's blacklist
- pfBlockerNG
- HAProxy
- Packet sniffing mode, packet logging mode, and network intrusion prevention mode
- Ntopng, nmap, Zabbix, and Suricata would all be acceptable answers
- A Zabbix agent collects information from the local host and passes it on to the Zabbix server, whereas a Zabbix proxy collects information from multiple hosts and can offload the Zabbix server so that the workload is distributed

Chapter 12 – Diagnostics and Troubleshooting
- Documenting the problem and solution
- A DNS failure
- 802.11b and 802.11n
- Wired Equivalent Privacy (WEP)
- Status | Interfaces, or use the Dashboard
- pfTop
- tcpping
- (1) To show the path of packets and (2) to display the transit delays along each step

Another Book You May Enjoy

If you enjoyed this book, you may be interested in another book by Packt:

pfSense Cookbook, Matt Williamson, ISBN 978-1-84951-486-6
- Determine your deployment scenario, hardware/throughput/interface requirements, form-factor, and which platform version of pfSense is right for you
- Secure remote access using the SSH and/or HTTPS protocols
- Add, assign, and configure network interfaces
- Configure essential networking services (such as DHCP, DNS, Dynamic DNS)
- Create aliases, firewall rules, NAT port-forward rules, and rule schedules
- Enable external Remote Desktop Access to an internal machine, following a complete example of the core pfSense functionality
- Configure the PPTP, IPsec, L2TP, and/or OpenVPN services
- Create virtual IPs, a virtual LAN, 1:1 and outbound NAT rules, gateways, static routes, and bridged interfaces
- Configure traffic shaping and Quality of Service (QoS)
- Create multiple WAN interfaces in load-balanced or failover configurations
- Configure firewall redundancy with a CARP firewall failover
- Configure external logging with syslog
- Use a variety of built-in networking tools such as ping and traceroute
- Configuration backup/restoration and automatic configuration-file backup
- Update the pfSense firmware
- Monitor and view all sorts of system and feature statuses/logs using RRD graphs and status monitoring tools
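The Chapter 4 answers about the Recode block rule and the floating "default allow" rule all follow from one evaluation order. The model below is an added example, not code from the book or from pfSense itself; it encodes pf's rule semantics as pfSense applies them (floating rules are evaluated before interface-tab rules, interface-tab rules are always quick, a non-quick floating match is only honoured if no quick rule fires later, and the implicit default is block) and replays the four Recode scenarios. The LAN client 192.168.1.50, the Recode stand-in 203.0.113.10 and the rule descriptions are constructed for the example.

```python
"""Model of the firewall rule evaluation order behind the Chapter 4 answers.

Added example, not from the book or pfSense. Assumed semantics: floating rules
are evaluated first; a rule marked "quick" ends evaluation at its first match;
interface-tab rules are always quick; a non-quick match is remembered and the
last such match wins only if no quick rule fires; no match at all means block.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on, e.g. "lan"
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass", "block" (silent drop) or "reject"
    iface: str                   # "floating" or an interface tab such as "lan"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port
    quick: bool = False          # only consulted for floating rules
    descr: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(rules, pkt):
    """Return (action, deciding rule or None, descriptions of rules examined)."""
    floating = [r for r in rules if r.iface == "floating"]
    on_iface = [r for r in rules if r.iface == pkt.iface]
    examined = []
    last_match = None
    for rule in floating + on_iface:
        examined.append(rule.descr)
        if not rule.matches(pkt):
            continue
        if rule.quick or rule.iface != "floating":
            return rule.action, rule, examined   # quick: first match decides
        last_match = rule                        # non-quick: keep evaluating
    if last_match is not None:
        return last_match.action, last_match, examined
    return "block", None, examined               # implicit default deny


def sender_sees(action: str, proto: str) -> str:
    """What the client observes: Block is silent, Reject answers the sender."""
    if action == "pass":
        return "connection forwarded"
    if action == "block":
        return "silent drop (client times out)"
    return "TCP RST" if proto == "tcp" else "ICMP port unreachable"


# Constructed sample network: a LAN client and a stand-in for the Recode host.
RECODE = "203.0.113.10"
LAN_CLIENT = Packet("lan", "tcp", "192.168.1.50", RECODE, 443)

ALLOW_LAN = Rule("pass", "lan", descr="Default allow LAN to any")
BLOCK_RECODE = Rule("block", "lan", dst=RECODE + "/32", descr="Block Recode")
FLOAT_ALLOW = Rule("pass", "floating", descr="Floating default allow")
FLOAT_ALLOW_QUICK = Rule("pass", "floating", quick=True,
                         descr="Floating default allow (quick)")

SCENARIOS = {
    "block_after_allow": [ALLOW_LAN, BLOCK_RECODE],
    "block_before_allow": [BLOCK_RECODE, ALLOW_LAN],
    "floating_allow_not_quick": [FLOAT_ALLOW, BLOCK_RECODE, ALLOW_LAN],
    "floating_allow_quick": [FLOAT_ALLOW_QUICK, BLOCK_RECODE, ALLOW_LAN],
}


def recode_outcomes() -> dict:
    """Action taken on the LAN client's connection to Recode per scenario."""
    return {name: evaluate(rules, LAN_CLIENT)[0]
            for name, rules in SCENARIOS.items()}


def rules_examined(name: str) -> list:
    """Which rules were even looked at before the decision was made."""
    return evaluate(SCENARIOS[name], LAN_CLIENT)[2]


if __name__ == "__main__":
    for name, action in recode_outcomes().items():
        print(f"{name:26} -> {action:5} ({sender_sees(action, 'tcp')})")
    print("reached with quick floating allow:", rules_examined("floating_allow_quick"))
```

Running the block prints the four outcomes: pass, block, block, pass, matching answers 3, 4, 5(a) and 5(b). The examined-rules list for the quick floating case contains only the floating rule, which is answer 5(c): the LAN-tab rules are never consulted. Flipping quick on the floating rule is the whole difference between 5(a) and 5(b).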