Document information
Pages: 16
Size: 53.31 KB

Content:
pfSense: The Definitive Guide
The Definitive Guide to the pfSense Open Source Firewall and Router Distribution
Christopher M Buechler and Jim Pingle

Contents

Foreword  xix
Preface  xxi

1 Introduction  1
  1.1 Project Inception
  1.2 What does pfSense stand for/mean?
  1.3 Why FreeBSD?
  1.4 Common Deployments
  1.5 Versions
  1.6 Platforms
  1.7 Networking Concepts
  1.8 Interface Naming Terminology
  1.9 Finding Information and Getting Help

2 Hardware  17
  2.1 Hardware Compatibility  17
  2.2 Minimum Hardware Requirements  18
  2.3 Hardware Selection  19
  2.4 Hardware Sizing Guidance  20

3 Installing and Upgrading  25
  3.1 Downloading pfSense  25
  3.2 Full Installation  26
  3.3 Embedded Installation  31
  3.4 Alternate Installation Techniques  37
  3.5 Installation Troubleshooting  39
  3.6 Recovery Installation  44
  3.7 Upgrading an Existing Installation  45

4 Configuration  49
  4.1 Connecting to the WebGUI  49
  4.2 Setup Wizard  50
  4.3 Interface Configuration  58
  4.4 General Configuration Options  59
  4.5 Advanced Configuration Options  60
  4.6 Console Menu Basics  65
  4.7 Time Synchronization  69
  4.8 Troubleshooting  72
  4.9 pfSense's XML Configuration File  75
  4.10 What to do if you get locked out of the WebGUI  75
  4.11 Final Configuration Thoughts  79

5 Backup and Recovery  81
  5.1 Backup Strategies  81
  5.2 Making Backups in the WebGUI  82
  5.3 Using the AutoConfigBackup Package  82
  5.4 Alternate Remote Backup Techniques  85
  5.5 Restoring from Backups  86
  5.6 Backup Files and Directories with the Backup Package  89
  5.7 Caveats and Gotchas  90

6 Firewall  91
  6.1 Firewalling Fundamentals  91
  6.2 Introduction to the Firewall Rules screen  96
  6.3 Aliases  98
  6.4 Firewall Rule Best Practices  102
  6.5 Rule Methodology  105
  6.6 Configuring firewall rules  111
  6.7 Methods of Using Additional Public IPs  115
  6.8 Virtual IPs  119
  6.9 Time Based Rules  120
  6.10 Viewing the Firewall Logs  123
  6.11 Troubleshooting Firewall Rules  126

7 Network Address Translation  129
  7.1 Default NAT Configuration  129
  7.2 Port Forwards  130
  7.3 1:1 NAT  135
  7.4 Ordering of NAT and Firewall Processing  139
  7.5 NAT Reflection  143
  7.6 Outbound NAT  146
  7.7 Choosing a NAT Configuration  147
  7.8 NAT and Protocol Compatibility  147
  7.9 Troubleshooting  151

8 Routing  155
  8.1 Static Routes  155
  8.2 Routing Public IPs  157
  8.3 Routing Protocols  160
  8.4 Route Troubleshooting  161

9 Bridging  167
  9.1 Bridging and Layer 2 Loops  167
  9.2 Bridging and firewalling  167
  9.3 Bridging two internal networks  168
  9.4 Bridging OPT to WAN  169
  9.5 Bridging interoperability  169

10 Virtual LANs (VLANs)  175
  10.1 Requirements  175
  10.2 Terminology  176
  10.3 VLANs and Security  177
  10.4 pfSense Configuration  179
  10.5 Switch Configuration  183

11 Multiple WAN Connections  197
  11.1 Choosing your Internet Connectivity  197
  11.2 Multi-WAN Terminology and Concepts  198
  11.3 Multi-WAN Caveats and Considerations  200
  11.4 Interface and DNS Configuration  201
  11.5 Multi-WAN Special Cases  203
  11.6 Multi-WAN and NAT  204
  11.7 Load Balancing  205
  11.8 Failover  206
  11.9 Verifying Functionality  208
  11.10 Policy Routing, Load Balancing and Failover Strategies  210
  11.11 Multi-WAN on a Stick  212
  11.12 Troubleshooting  213

12 Virtual Private Networks  215
  12.1 Common deployments  215
  12.2 Choosing a VPN solution for your environment  217
  12.3 VPNs and Firewall Rules  220

13 IPsec  221
  13.1 IPsec Terminology  221
  13.2 Choosing configuration options  222
  13.3 IPsec and firewall rules  224
  13.4 Site to Site  224
  13.5 Mobile IPsec  232
  13.6 Testing IPsec Connectivity  251
  13.7 IPsec and NAT-T  251
  13.8 IPsec Troubleshooting  252
  13.9 Configuring Third Party IPsec Devices  260

14 PPTP VPN  265
  14.1 PPTP Security Warning  265
  14.2 PPTP and Firewall Rules  265
  14.3 PPTP and Multi-WAN  265
  14.4 PPTP Limitations  266
  14.5 PPTP Server Configuration  266
  14.6 PPTP Client Configuration  269
  14.7 Increasing the Simultaneous User Limit  289
  14.8 PPTP Redirection  290
  14.9 PPTP Troubleshooting  290
  14.10 PPTP Routing Tricks  291
  14.11 PPTP Logs  292

15 OpenVPN  293
  15.1 Basic Introduction to X.509 Public Key Infrastructure  293
  15.2 Generating OpenVPN Keys and Certificates  294
  15.3 OpenVPN Configuration Options  301
  15.4 Remote Access Configuration  305
  15.5 Site to Site Example Configuration  321
  15.6 Filtering and NAT with OpenVPN Connections  322
  15.7 OpenVPN and Multi-WAN  326
  15.8 OpenVPN and CARP  327
  15.9 Bridged OpenVPN Connections  328
  15.10 Custom configuration options  328
  15.11 Troubleshooting OpenVPN  329

16 Traffic Shaper  333
  16.1 Traffic Shaping Basics  333
  16.2 What the Traffic Shaper can do for you  334
  16.3 Hardware Limitations  335
  16.4 Limitations of the Traffic Shaper implementation in 1.2.x  335
  16.5 Configuring the Traffic Shaper With the Wizard  336
  16.6 Monitoring the Queues  340
  16.7 Advanced Customization  341
  16.8 Troubleshooting Shaper Issues  346

17 Server Load Balancing  349
  17.1 Explanation of Configuration Options  349
  17.2 Web Server Load Balancing Example Configuration  351
  17.3 Troubleshooting Server Load Balancing  357

18 Wireless  361
  18.1 Recommended Wireless Hardware  361
  18.2 Wireless WAN  362
  18.3 Bridging and wireless  365
  18.4 Using an External Access Point  366
  18.5 pfSense as an Access Point  368
  18.6 Additional protection for your wireless network  372
  18.7 Configuring a Secure Wireless Hotspot  374
  18.8 Troubleshooting Wireless Connections  375

19 Captive Portal  377
  19.1 Limitations  377
  19.2 Portal Configuration Without Authentication  377
  19.3 Portal Configuration Using Local Authentication  379
  19.4 Portal Configuration Using RADIUS Authentication  379
  19.5 Configuration Options  379
  19.6 Troubleshooting Captive Portal  382

20 Firewall Redundancy / High Availability  383
  20.1 CARP Overview  383
  20.2 pfsync Overview  384
  20.3 pfSense XML-RPC Sync Overview  384
  20.4 Example Redundant Configuration  384
  20.5 Multi-WAN with CARP  393
  20.6 Verifying Failover Functionality  397
  20.7 Providing Redundancy Without NAT  398
  20.8 Layer 2 Redundancy  401
  20.9 CARP with Bridging  403
  20.10 CARP Troubleshooting  403

21 Services  407
  21.1 DHCP Server  407
  21.2 DHCP Relay  412
  21.3 DNS Forwarder  412
  21.4 Dynamic DNS  414
  21.5 SNMP  416
  21.6 UPnP  418
  21.7 OpenNTPD  422
  21.8 Wake on LAN  422
  21.9 PPPoE Server  424

22 System Monitoring  425
  22.1 System Logs  425
  22.2 System Status  428
  22.3 Interface Status  430
  22.4 Service Status  430
  22.5 RRD Graphs  430
  22.6 Firewall States  433
  22.7 Traffic Graphs  434

23 Packages  435
  23.1 Introduction to Packages  435
  23.2 Installing Packages  436
  23.3 Reinstalling and Updating Packages  437
  23.4 Uninstalling Packages  438
  23.5 Developing Packages  438

24 Third Party Software and pfSense  439
  24.1 RADIUS Authentication with Windows Server  439
  24.2 Free Content Filtering with OpenDNS  444
  24.3 Syslog Server on Windows with Kiwi Syslog  453
  24.4 Using Software from FreeBSD's Ports System (Packages)  453

25 Packet Capturing  457
  25.1 Capture frame of reference  457
  25.2 Selecting the Proper Interface  457
  25.3 Limiting capture volume  459
  25.4 Packet Captures from the WebGUI  459
  25.5 Using tcpdump from the command line  460
  25.6 Using Wireshark with pfSense  470
  25.7 Plain Text Protocol Debugging with tcpflow  473
  25.8 Additional References  474

A Menu Guide  475

List of Figures

1.1 Subnet Mask Converter  11
1.2 Network/Node Calculator  12
1.3 Network/Node Calculator Example  13
3.1 Interface Assignment Screen  29
4.1 Setup Wizard Starting Screen  50
4.2 General Information Screen  51
4.3 NTP and Time Zone Setup Screen  51
4.4 WAN Configuration  52
4.5 General WAN Configuration  53
4.6 Static IP Settings  53
4.7 DHCP Hostname Setting  53
4.8 PPPoE Configuration  54
4.9 PPTP WAN Configuration  55
4.10 Built-in Ingress Filtering Options  55
4.11 LAN Configuration  56
4.12 Change Administrative Password  57
4.13 Reload pfSense WebGUI  57
4.14 Setting up a port 80 SSH Tunnel in PuTTY  78
5.1 WebGUI Backup  82
5.2 WebGUI Restore  87
5.3 Configuration History  87
6.1 Increased state table size to 50,000  92
6.2 Default WAN rules  96
6.3 Default LAN rules  96
6.4 Add LAN rule options  97
6.5 Example hosts alias  99
6.6 Example network alias  100
6.7 Example ports alias  100
6.8 Autocompletion of hosts alias  101
6.9 Autocompletion of ports alias  101
6.10 Example Rule Using Aliases  101
6.11 Hovering shows Hosts contents  102
6.12 Hovering shows Ports contents  102
6.13 Firewall Rule to Prevent Logging Broadcasts  104
6.14 Alias for management ports  106
6.15 Alias for management hosts  107
6.16 Alias list  108
6.17 Example restricted management LAN rules  108
6.18 Restricted management LAN rules — alternate example  109
6.19 Anti-lockout rule disabled  109
6.20 Testing name resolution for bogon updates  110
6.21 Multiple public IPs in use — single IP block  117
6.22 Multiple public IPs in use — two IP blocks  118
6.25 Schedule List after Adding  121
6.23 Adding a Time Range  122
6.24 Added Time Range  122
6.26 Choosing a Schedule for a Firewall Rule  123
6.27 Firewall Rule List with Schedule  123
6.28 Example Log Entries viewed from the WebGUI  124
7.1 Add Port Forward  131
7.2 Port Forward Example  132
7.3 Port Forward List  132
7.4 Port Forward Firewall Rule  133
7.5 Example redirect port forward  134
7.6 1:1 NAT Edit screen  135
7.7 1:1 NAT Entry  136
7.8 1:1 NAT Example — Single inside and outside IP  137
7.9 1:1 NAT entry for /30 CIDR range  138
7.10 Ordering of NAT and Firewall Processing  140
7.11 LAN to WAN Processing  141
7.12 WAN to LAN Processing  142
7.13 Firewall Rule for Port Forward to LAN Host  143
7.14 Enable NAT Reflection  144
7.15 Add DNS Forwarder Override  144
7.16 Add DNS Forwarder Override for example.com  145
7.17 DNS Forwarder Override for www.example.com  145
8.1 Static Route  155
8.2 Static route configuration  156
8.3 Asymmetric routing  156
8.4 WAN IP and gateway configuration  158
8.5 Routing OPT1 configuration  159
8.6 Outbound NAT configuration  159
8.7 OPT1 firewall rules  160
8.8 WAN firewall rules  160
8.9 Route Display  161
9.1 Firewall Rule to Allow DHCP  168
10.1 Interfaces: Assign  181
10.2 VLAN List  182
10.3 Edit VLAN  182
10.4 VLAN List  182
10.5 Interface list with VLANs  183
10.6 VLAN Group Setting  188
10.7 Enable 802.1Q VLANs  188
10.8 Confirm change to 802.1Q VLAN  189
10.9 Default 802.1Q configuration  189
10.10 Add new VLAN  190
10.11 Add VLAN 10  190
10.12 Add VLAN 20  191
10.13 Toggle VLAN membership  192
10.14 Configure VLAN 10 membership  192
10.15 Configure VLAN 20 membership  193
10.16 PVID Setting  193
10.17 Default PVID Configuration  193
10.18 VLAN 10 and 20 PVID Configuration  194
10.19 Remove VLAN membership  194
11.1 Example static route configuration for Multi-WAN DNS services  203
11.2 Unequal cost load balancing configuration  212
11.3 Multi-WAN on a stick  213
13.1 Enable IPsec  225
13.2 Site A VPN Tunnel Settings  226
13.3 Site A Phase 1 Settings  227
13.4 Site A Phase 2 Settings  227
13.5 Site A Keep Alive  228
13.6 Apply IPsec Settings  228
13.7 Site B VPN Tunnel Settings  229
13.8 Site B Keep Alive  229
13.9 Site to Site IPsec Where pfSense is not the Gateway  230
13.10 Site to Site IPsec  231
13.11 Site A — Static route to remote subnet  232
13.12 Site B — Static route to remote subnet  232
13.13 Enable Mobile IPsec Clients  233
13.14 Mobile Clients Phase 1  234
13.15 Mobile Clients Phase 2  235
13.16 Apply Mobile Tunnel Settings  235
13.17 IPsec Pre-shared Key "User" List  236
13.18 Adding an Identifier/Pre-Shared Key Pair  236
13.19 Applying Changes; PSK List  236
13.20 Shrew Soft VPN Access Manager — No Connections Yet  238
13.21 Client Setup: General Tab  239
13.22 Client Setup: Client Tab  240
13.23 Client Setup: Name Resolution Tab  241
13.24 Client Setup: Authentication, Local Identity  242
13.25 Client Setup: Authentication, Remote Identity  243
13.26 Client Setup: Authentication, Credentials  244
13.27 Client Setup: Phase 1  245
13.28 Client Setup: Phase 2  246
13.29 Client Setup: Policy  247
13.30 Client Setup: Policy, Add Topology  248
13.31 Client Setup: New Connection Name  249
13.32 Ready To Use Connection  249
13.33 Connected Tunnel  250
14.1 PPTP IP Addressing  266
14.2 PPTP VPN Firewall Rule  267
14.3 PPTP Users Tab  268
14.4 Adding a PPTP User  268
14.5 Applying PPTP Changes  269
14.6 List of PPTP Users  269
14.7 Network Connections  270
14.8 Network Tasks  270
14.9 Workplace Connection  271
14.10 Connect to VPN  272
14.11 Connection Name  273
14.12 Connection Host  274
14.13 Finishing the Connection  275
14.14 Connect Dialog  276
14.15 Connection Properties  277
14.16 Security Tab  278
14.17 Networking Tab  279
14.18 Remote Gateway Setting  280
14.19 Vista Network Connections  281
14.20 Setup A Connection  281
14.21 Connect to a Workplace  281
14.22 Connect using VPN  282
14.23 Connection Setup  282
14.24 Authentication Settings  283
14.25 Connection is Ready  283
14.26 Get Connection Properties  284
14.27 VPN Security Settings  284
14.28 VPN Networking Settings  285
14.29 VPN Gateway  286
14.30 Add network connection  287
14.31 Add PPTP VPN connection  287
14.32 Configure PPTP VPN connection  288
14.33 Advanced options  289
14.34 Connect to PPTP VPN  289
14.35 PPTP Logs  292
15.1 easy-rsa Backup  297
15.2 OpenVPN example remote access network  306
15.3 OpenVPN server WAN rule  307
15.4 Viscosity Preferences  310
15.5 Viscosity Add Connection  311
15.6 Viscosity Configuration: General  312
15.7 Viscosity Configuration: Certificates  313
15.8 Viscosity Configuration: Options  314
15.9 Viscosity Configuration: Networking  315
15.10 Viscosity connect  316
15.11 Viscosity menu  317
15.12 Viscosity details  318
15.13 Viscosity details: Traffic Statistics  319
15.14 Viscosity details: Logs  320
15.15 OpenVPN example site to site network  321
15.16 OpenVPN example site to site WAN firewall rule  322
15.17 Assign tun0 interface  323
15.18 Site to site with conflicting subnets  324
15.19 Site A 1:1 NAT configuration  325
15.20 Site B 1:1 NAT configuration  325
15.21 Example static route for OpenVPN Client on OPT WAN  327
16.1 Starting the Shaper Wizard  336
16.2 Shaper Configuration  337
16.3 Voice over IP  337
16.4 Penalty Box  338
16.5 Peer-to-Peer Networking  339
16.6 Network Games  339
16.7 Raise or Lower Other Applications  340
16.8 Basic WAN Queues  341
16.9 Traffic Shaper Queues List  342
16.10 Traffic Shaper Rules List  345
17.1 Server load balancing example network  352
17.2 Pool configuration  353
17.3 Virtual Server configuration  354
17.4 Alias for web servers  355
17.5 Adding firewall rule for web servers  356
17.6 Firewall rule for web servers  356
17.7 Virtual Server status  357
18.1 Interface assignment — wireless WAN  363
18.2 Wireless WAN Associated  364
18.3 No carrier on wireless WAN  365
18.4 Wireless Status  365
18.5 Rules to allow only IPsec from wireless  373
18.6 Rules to allow only OpenVPN from wireless  373
18.7 Rules to allow only PPTP from wireless  374
19.1 Captive Portal on multiple subnets  378
20.1 Example CARP network diagram  386
20.2 WAN CARP IP  387
20.3 LAN CARP IP  388
20.4 Virtual IP list  389
20.5 Outbound NAT Entry  390
20.6 Advanced Outbound NAT Configuration  391
20.7 pfsync Interface Configuration  391
20.8 Firewall rule on pfsync interface  392
20.9 Diagram of Multi-WAN CARP with DMZ  396
20.10 DHCP Failover Pool Status  397
20.11 Diagram of CARP with Routed IPs  400
20.12 Diagram of CARP with Redundant Switches  402
21.1 DHCP Daemon Service Status  411
21.2 DNS Override Example  414
21.3 UPnP status screen showing client PCs with forwarded ports  421
21.4 pfSense system as seen by Windows when browsing the Network  421
22.1 Example System Log Entries  426
22.2 System Status  428
22.3 Interface Status  429
22.4 Services Status  430
22.5 WAN Traffic Graph  431
22.6 Example States  433
22.7 Example WAN Graph  434
23.1 Package information retrieval failed  436
23.2 Package Listing  437
23.3 Post-Install Package Screen  437
23.4 Installed Package List  438
24.1 Add new RADIUS client  440
24.2 Add new RADIUS client — name and client address  441
24.3 Add new RADIUS client — Shared secret  442
24.4 Listing of the RADIUS Client  443
24.5 IAS Ports  444
24.6 Configuring OpenDNS on pfSense  445
24.7 Windows Server DNS Properties  445
24.8 Windows Server DNS Forwarders  446
24.9 Add a network  447
24.10 Adding a dynamic IP connection  448
24.11 Adding a static IP connection  449
24.12 Network successfully added  450
24.13 Content filtering level  451
24.14 Manage individual domains  451
24.15 DNS servers alias  452
24.16 LAN rules to restrict DNS  453
25.1 Capture reference  458
25.2 Wireshark Capture View  471
25.3 Wireshark RTP Analysis  472

List of Tables

1.1 RFC 1918 Private IP Address Space
1.2 CIDR Subnet Table
1.3 CIDR Route Summarization
2.1 Maximum Throughput by CPU  21
2.2 500,000 pps throughput at various frame sizes  21
2.3 Large State Table RAM Consumption  22
2.4 IPsec Throughput by Cipher — ALIX  23
2.5 IPsec Throughput by CPU  23
3.1 Kernel Choices  31
6.1 Egress traffic required  94
7.1 /30 CIDR mapping — matching final octet  138
7.2 /30 CIDR mapping — non-matching final octet  138
8.1 WAN IP Block  158
8.2 Inside IP Block  158
8.3 Route Table Flags and Meanings  163
10.1 Netgear GS108T VLAN Configuration  188
11.1 Dissecting the ping monitoring  200
11.2 Unequal cost load balancing  211
12.1 Features and Characteristics by VPN Type  220
13.1 IPsec Endpoint Settings  225
20.1 WAN IP Address Assignments  385
20.2 LAN IP Address Assignments  385
20.3 pfsync IP Address Assignments  386
20.4 WAN IP Addressing  394
20.5 WAN2 IP Addressing  394
20.6 LAN IP Address Assignments  394
20.7 DMZ IP Address Assignments  395
20.8 pfsync IP Address Assignments  395
25.1 Real Interface vs Friendly Names  459
25.2 Commonly used tcpdump flags  461
25.3 Example uses of tcpdump -s  462