PRO NET­WORK­ING

Con­trol your net­work k with pfSense

Maximum PC - - FRONT PAGE -

YOU’LL NEED THIS

PFSENSE Down­load it from www.pfsense.org. SERVER HARD­WARE

Any 64-bit ma­chine will do. MANY OF US TRUST OUR HOME NET­WORKS to sub-stan­dard hard­ware we rent from our ISPs. We’re not about to shoo that mo­dem out of your front door—you’ll still, most likely, need the right dig­i­tally signed hard­ware to get that broad­band bit­stream flow­ing—but the man­age­ment por­tion is prob­a­bly much bet­ter served by some­thing that re­ally knows what it’s do­ing. What bet­ter than pfSense? It’s pri­mar­ily a fire­wall, but ca­pa­ble of much more, from rout­ing to traf­fic man­age­ment; run your In­ter­net con­nec­tion through it, and it takes care of every­thing. Many busi­nesses rely on pfSense for their se­cu­rity but, if you’re will­ing to roll up your sleeves, you can down­load and run it for free.

In­tim­i­dat­ingly, pfSense is ac­tu­ally a FreeBSD dis­tro—a Unix-like architecture sim­i­lar to and, in many ways, com­pat­i­ble with Linux. But don’t let that worry you. Once pfSense is in­stalled, you can con­fig­ure and mon­i­tor every­thing through a sim­ple web-based in­ter­face. All you need is some server hard­ware run­ning a 64-bit pro­ces­sor (or an older ver­sion of pfSense that sup­ports 32-bit hard­ware), the soft­ware it­self, and some way of rout­ing Eth­er­net traf­fic through that ma­chine. A USB 3.0 Eth­er­net don­gle should set you back no more than around $20.– ALEX COX 1 THE RIGHT MEDIUM First of all, head over to www.pfsense.org. Wade through the cor­po­rate stuff—as so many of th­ese things are, pfSense is propped up by busi­ness im­ple­men­ta­tion and sup­port sales, but it’s still free soft­ware—and head to the “Down­load” link, top-right. You’re given a num­ber of choices, which cover the architecture of the ma­chine you’ll be in­stalling to, which in our case is AMD64, and the for­mat, or plat­form, you would like to use. Whether you choose the CD or USB in­stal­la­tion me­dia is up to you, but it’s worth bear­ing in mind that whichever one you use, pfSense in­stalls it­self to your hard drive, and you lose any­thing that’s there al­ready. 2 WRITE IT If you select the USB in­staller, you can use Ru­fus ( https:// ru­fus.akeo.ie) to write it to a stick; for the disc ISO, use ImgBurn or the tool of your choice. Be­cause the down­loads come in gzip for­mat, you do need to ex­tract them us­ing a tool such as 7-Zip ( www.7-zip.org) be­fore you can fill up your me­dia. The ma­chine you in­stall it on ob­vi­ously has to be able to boot from what­ever me­dia you choose, but other than that, there’s not an aw­ful lot that you need to con­sider. Around 1GB of RAM and a 1GHz pro­ces­sor is rec­om­mended, so your only real con­cern is putting de­cent Eth­er­net in­ter­faces on the in­put and out­put. Don’t cheap out on them, though, be­cause a poor in­ter­face could hit your over­all net­work through­put hard. 3 INI­TIAL IN­STAL­LA­TION Boot your hard­ware from your pfSense disc or USB stick. On the ini­tial menu [ Im­age A], select “Multi User” mode, then hit I to be­gin in­stal­la­tion when prompted. You can safely ig­nore the con­sole con­fig­u­ra­tion screen, un­less you’re us­ing an odd key­board; if so, use the ar­row keys to select it via the third op­tion down [ Im­age B], then choose “Ac­cept Th­ese Set­tings” to move on.

>> While there’s an op­tion to per­form a quick in­stall, the more gran­u­lar ac­tion of a cus­tom in­stall is what we’re after, so select that. Pick your tar­get hard drive, for­mat­ting it when prompted, and stick­ing to the de­fault geom­e­try. You’ll see an op­tion to par­ti­tion your drive, which would be handy if you were plan­ning to put other op­er­at­ing sys­tems on there—but you’re ab­so­lutely not, since your pfSense server will be run­ning 24/7/365, so don’t bother with this. In­stall the boot­block on your pri­mary drive (and your se­condary disk, if that’s where you’ve cho­sen to in­stall

pfSense), then stick with the de­fault sub­par­ti­tion con­fig­u­ra­tion [ Im­age C], which re­serves a slice of drive space for swap (handy on low-RAM de­vices), and gives the rest up to the OS. 4 KER­NEL PANIC You can now select one of two ker­nel op­tions, the ker­nel be­ing the main con­trol­ling layer of the op­er­at­ing sys­tem. One gives you ac­cess to pfSense lo­cally through a key­board and VGA mon­i­tor, as well as through its web browser in­ter­face. The other, the em­bed­ded ker­nel, does away with th­ese niceties in fa­vor of slightly more ef­fi­ciency. The only way you’ll be able to con­trol an em­bed­ded pfSense box is via its web in­ter­face and, if you want ac­cess to its BSD shell, by us­ing an SSH client such as Putty ( www.putty.org) on your desk­top ma­chine. If you’re un­sure of which you’ll use, select the for­mer. 5 CON­NECT­ING Re­move your in­stal­la­tion me­dia when prompted, and re­boot your pfSense box. If you’ve elected for the full ker­nel, you’ll now see a list of op­tions [ Im­age D], which in­cludes, just above, in­for­ma­tion on your IP ad­dresses—one for the WAN, or your In­ter­net con­nec­tion, and one, which you should note down, for your LAN. pfSense should sort th­ese au­to­mat­i­cally, but you may need to as­sign them man­u­ally be­fore you go any fur­ther; if you fum­ble on this step and select the wrong card for the wrong job, just switch your Eth­er­net ca­bles. We won’t tell any­one. Ini­tial setup is done through pfSense’s web in­ter­face so, for now, sim­ply plug a ma­chine di­rectly into its LAN port. Fire up a web browser, and head to the ad­dress you noted ear­lier—prob­a­bly 192.168.1.1—to be­gin con­fig­u­ra­tion. If you get an alert about an in­valid cer­tifi­cate, you need to by­pass it for now. 6 CON­FIG­UR­ING Log in with the de­fault user­name “ad­min” and pass­word “pfsense,” and the setup wizard be­gins. Sidestep the pleas to sign up for a gold sub­scrip­tion (you can do this later if you find you re­ally love pfSense), and head to a bit of gen­eral con­fig­u­ra­tion. Your host­name can be what­ever you like, and set the do­main, if you’re al­ready

us­ing one on your home net­work, to the same value. You can also set your pre­ferred net­work DNS servers here. Keep the bot­tom box checked if you would like pfSense to pull th­ese from your ISP, or fill in the boxes and uncheck the box if you would pre­fer to use, for ex­am­ple, Google’s su­per-fast pub­lic DNS servers, which are lo­cated at 8.8.8.8 and 8.8.4.4. Hit “Next” to select a time server for your net­work (although the de­fault is just fine), and set your time zone.

>> The next screen is, at first glance, quite in­tim­i­dat­ing, although it’s likely you won’t have to touch much of it, un­less your ISP is par­tic­u­larly harsh about its hard­ware re­stric­tions. You’ll likely be able to leave “DHCP” se­lected, scroll to the bot­tom, and move on. Leave the IP ad­dress as is, then set your ad­min pass­word. Hit “Reload,” and pfSense is all set up. 7 ADDING WI-FI If all has gone well, you don’t need to do any­thing else to pfSense to en­joy its ben­e­fits. It’s now work­ing as a fire­wall, traf­fic log­ger, and DHCP server, mean­ing it takes re­spon­si­bil­ity for hand­ing out IP ad­dresses to ma­chines on your lo­cal net­work, and bat­ting away traf­fic from sources that aren’t wel­come. The DHCP as­pect can cause prob­lems if you want to use Wi-Fi, be­cause your router will likely put up a fight and try to push its own DHCP agenda, so that’s the next step. Switch on your Wi-Fi router (though leave it free of net­work con­nec­tions for now), and head to its set­tings screen.

>> The process is go­ing to be dif­fer­ent for ev­ery router, but you need to switch off just about every­thing, from DHCP to fire­wall. When you’re sat­is­fied that you’ve prop­erly neutered the hard­ware, you can con­nect it to your pfSense box, plug­ging the LAN Eth­er­net ca­ble into one of its client ports—not the In­ter­net port, as you might pre­sume. Con­nect to it via Wi-Fi, and you should see that you’re on­line. 8 SEE IT ALL Open a browser and head back to the pfSense set­tings screen, via the same IP ad­dress we used ear­lier. The ini­tial dash­board [ Im­age E] is a good place to see what it’s cur­rently up to, but there’s not a huge amount on dis­play by de­fault, just a pro­file of your hard­ware and sys­tem re­sources, and in­for­ma­tion on its net­work con­nec­tions. Click the red plus icon at the top of the screen to add more. We rec­om­mend adding the likes of “Ser­vices sta­tus,” to see which ex­tra ser­vices are run­ning on top of

the fire­wall, and stop or restart them at will; “In­ter­face statis­tics” for an at-a-glance view of how much traf­fic has been mov­ing through your net­work; and “Fire­wall logs” to quickly see a wor­ry­ing pic­ture of just how many Chi­nese IP ad­dresses have at­tempted to sniff around your net­work. You can con­fig­ure each of th­ese mod­ules with the wrench icon, and drag their head­ers to re­order them on the page [ Im­age F]. 9 GET­TING IN Pri­mar­ily, while it per­forms a host of other net­work func­tions, pfSense is a fire­wall. As such, it blocks ac­cess to it­self from any ma­chine out­side of your lo­cal net­work, but we can use a rule, or ex­cep­tion, to ferry traf­fic to the right place. First, let’s build in a lit­tle se­cu­rity, and place pfSense on a dif­fer­ent port than the de­fault, to pre­vent it be­ing sniffed out by un­scrupu­lous net­work in­vaders.

>> Open “Sys­tem / Ad­vanced,” make sure the “HTTPS” ra­dio but­ton is se­lected, and en­ter some­thing along the lines of “8080” in the “TCP port” box near the top [ Im­age G]. Scroll down and select the boxes to dis­able DNS re­bind­ing checks and HTTP re­fer­rer en­force­ment, hit “Save,” and you’re au­to­mat­i­cally redi­rected to the pfSense ad­min pages via the new port—bear in mind that, from now on, you’ll have to ac­cess it via this port, ap­pend­ing “:8080,” for ex­am­ple, to the IP ad­dress. 10 OUT­SIDE AC­CESS With our stealthy port in place, we can head to “Fire­wall / Rules.” You’ll see a cou­ple of de­fault en­tries, both of which are de­signed to pre­vent WAN ac­cess from ad­dresses that re­ally shouldn’t be able to ac­cess your net­work any­way. “RFC 1918” refers to those IP ad­dresses that are re­served for in­ter­nal net­works only (10.x.x.x, 192.168.x.x, and so on), and unas­signed ad­dresses are also, log­i­cally, banned. In fact, ev­ery di­rect con­nec­tion to your net­work is cur­rently ver­boten un­til you ex­plic­itly say oth­er­wise. So, let’s do that: Click ei­ther of the “Add” but­tons, leave the de­fault ac­tion as “pass,” and set the desti­na­tion ad­dress to “WAN ad­dress” with the drop­down menu. Set the port range to be from 8080 to 8080— es­sen­tially telling the fire­wall to only ac­cept con­nec­tions from that par­tic­u­lar port—and you’re now able to con­nect to pfSense by typ­ing your WAN IP ad­dress, fol­lowed by a colon, and the ap­pro­pri­ate port num­ber, into any web browser. Check your dash­board page to find this ad­dress out; your ISP may oc­ca­sion­ally change it, but not of­ten. For a touch of ex­tra se­cu­rity, set up a new user with ad­min rights in “Sys­tem / User Man­ager” [ Im­age H], then delete the orig­i­nal ad­min ac­count to foil in­trud­ers tar­get­ing the most com­mon user­names.

Newspapers in English

Newspapers from Australia

© PressReader. All rights reserved.