31 Network Hardening – pfSense Intranet

Mathew J. Heath Van Horn, PhD and Jacob Christensen

This chapter walks the learner through the steps needed to add a pfSense server to an enterprise network.  Specifically, we are going to set up the lab, configure the pfSense server to act as our DHCP server, open all the firewall ports so you can see what is going on in the network, and then watch how the addition of each firewall rule affects our enterprise network.

Learning Objectives

  • Configure pfSense for first use in GNS3
  • Create various firewall rules to regulate IPv4 traffic
  • Use pfSense as the DHCP server
  • Use Wireshark to observe the effects of firewall rules

Prerequisites

Deliverables

  • Screenshot of GNS3 Working environment once everything works
  • Screenshot of the pfSense Dashboard
  • Screenshot of all inside devices being able to ping
  • Screenshot of the 3 rules for the DMZ

Resources

Contributors and Testers

  • Julian H. Romano, Cybersecurity Student, ERAU-Prescott
  • Dante Rocca, Cybersecurity Student, ERAU-Prescott
  • Jungsoo Noh, Cybersecurity Student, ERAU-Prescott

Phase I – Setting up the Lab

The following steps are to create a baseline environment for completing the lab.  It makes assumptions about learner knowledge from completing previous labs.

The completed network topology will look like this:

Figure 1 – Final network
  1. In VirtualBox, create clones of your pfSense firewall and your Ubuntu Linux Desktop

    NOTE: When importing new VMs into GNS3, ensure that Allow GNS3 to use any configured VirtualBox adapter is selected in their network settings!

  2. Start GNS3
    1. Import the devices
    2. On the pfSense Server, change the network settings to accommodate 4 adapters (Figure 2)
    3. Create a new project: LAB_16
  3. Build the following network:
    Figure 3 – GNS3 workspace
    1.  “Internet”: (NO BOX) – 192.168.122.0/24
      1. One switch – Ethernet switch
      2. Internet connectivity with host machine – NAT Cloud (ISP)
      3. One client machine – Guest/VM with browser (external pc)

        NOTE: While this example uses GNS3’s Chromium appliance, any device that has a browser installed will suffice.

    2. Management: (PURPLE BOX) – 99.99.99.0/24
      1. One switch – Ethernet switch
      2. One client machine – Guest/VM with browser (it admin)
    3. DMZ: (RED BOX) – 20.0.0.0/24
      1. One switch – Ethernet switch
      2. One client machine – Ubuntu Server (webserver)

        NOTE: Ensure that the Apache2 package is installed.

        > apt update

        > apt install apache2

        Since this lab isn’t focused on configuring a real webserver, we will simply use the default webpage that Apache provides out of the box. For now, simply verify that the daemon is running:

        Figure 4 – Apache2 daemon status

        If you are having issues with getting Ubuntu or Apache to work, you can “simulate” a webserver with a VPCS client. The idea is to have an end device in the DMZ that we can ping from other areas on the network.

    4. LAN: (BLUE BOX) – 10.0.0.0/24
      1. One switch – Ethernet switch
      2. Three client machines – VPCS
    5. pfSense Firewall connections:

      NOTE: This example uses the version 2.7.0 of pfSense Community Edition. You can either host this device as a VirtualBox VM or as a GNS3 appliance.

      1. Connect ethernet0 to the ISP switch (Internet)
      2. Connect ethernet1 to the Management switch
      3. Connect ethernet2 to the DMZ switch
      4. Connect ethernet3 to the LAN switch

Phase II – Configuring pfSense via CLI Console

Using VirtualBox instead of a physical box has its unique challenges.  Mostly VirtualBox tries to help us do what we are trying to do and that can cause us some conflicts.  We can work around these issues, but it may stress your cyber knowledge!

  1. In GNS3, start the pfSense server

    NOTE: There is a window of about 3 seconds in which you can change the boot options, but just let the timer count down and let it boot. The first start can take a few minutes.

    1. Once the VM finishes booting, you should see the CLI menu below
      Figure 5 – pfSense command line console
  2. As you can see, pfSense only recognizes two interfaces – em0 (WAN) and em1 (LAN) – as currently active
    1. Assign each of the pfSense interfaces on this device with a network

      NOTE: Use the table below as a configuration guide for this step.

      GNS3 Interface   pfSense Interface   pfSense Interface Name
      Ethernet0        em0                 WAN
      Ethernet1        em1                 LAN
      Ethernet2        em2                 OPT1
      Ethernet3        em3                 OPT2
    2. Select option 1  to Assign Interfaces (Figure 6)
      1. When prompted – Should VLANs be set up now [y|n]? – type

        n

      2. Enter the WAN interface name or ‘a’ for auto-detection

        em0

      3. Enter the LAN interface name…

        em1

      4. Similarly, use em2 for the Optional 1 (OPT1) and em3 for the Optional 2 (OPT2)
      5. Verify the settings and type y to proceed (Figure 7)
    3. You can see that all interfaces are now correctly assigned and active (Figure 8)
  3. Configure IP and DHCP settings
    1. Select option 2 to Set interface(s) IP address
    2. You will see a menu of the 4 interfaces with their current network settings (Figure 8)

      NOTE: We will walk you through the first two interfaces, and leave the rest for you to complete on your own. Use the table below to assist with configuration settings.

      Interface   pfSense Interface Name   IPv4 Address
      em0         WAN                      Dynamic – DHCP
      em1         LAN                      Static – 99.99.99.1/24
      em2         OPT1                     Static – 20.0.0.1/24
      em3         OPT2                     Static – 10.0.0.1/24
    3. Select interface 1 – WAN
      1. Configure IPv4 address WAN interface via DHCP? (y/n)

        y

      2. Configure IPv6 address WAN interface via DHCP6? (y/n)

        n

      3. Enter the new WAN IPv6 address
        Press Enter for none (we are not using IPv6)
      4. Do you want to revert to HTTP as the webConfigurator protocol? (y/n)

        n

      5. Press Enter to finish em0 configuration and proceed
    4. Select interface 2 – LAN
      1. Configure IPv4 address LAN interface via DHCP?

        n

      2. Enter the new LAN IPv4 address

        99.99.99.1/24

      3. Enter the new LAN IPv4 upstream gateway address
        Press Enter for none
      4. Configure IPv6 address LAN interface via DHCP6? (y/n)

        n

      5. Enter the new LAN IPv6 address
        Press Enter for none (we are not using IPv6)
      6. Do you want to enable the DHCP server on LAN? (y/n)

        y

      7. Enter the start address of the IPv4 client address range:

        99.99.99.5

      8. Enter the end address of the IPv4 client address range:

        99.99.99.100

      9. Do you want to revert to HTTP as the webConfigurator protocol?

        n

      10. You should get a message on how to access the Web Configurator and be instructed to press Enter to continue (Figure 10)
    5. Set up em2 (OPT1) and em3 (OPT2) in the same way as em1, using the IP address spaces we picked earlier (Figure 11)
  4. In GNS3, start the desktop in the Management LAN and check the current network settings
    1. Verify that DHCP works and that our management PC has an IP address in the range of 99.99.99.5 – 99.99.99.100
      Figure 12 – Client network settings verified

      NOTE: You can request a new IP address at any time with the following commands (some Linux distros may vary…)

      Release the currently assigned address on the interface named enp0s3.

      > dhclient -r -i enp0s3 -v

      Broadcast DHCP Discover packets to assign a new address.

      > dhclient -i enp0s3 -v

    2. Open Firefox and type the IP address you were given for webConfigurator (it should be https://99.99.99.1/)

      We haven’t set up any certificates yet, so you will get a big warning.  Just click Advanced… and go to the site anyway by accepting the risk and continuing. This will take you to the pfSense GUI Sign In page. If you had answered y when asked to revert to HTTP, you would not get any warning at all. That avoids the security message, but it is bad practice because everything you do can then be read by anyone monitoring your network traffic.

      Figure 13 – Caution page connecting to pfSense
  5. Return to the GNS3 workspace, start the other devices in the DMZ and LAN spaces, and verify they are receiving IP addresses

    NOTE: If a PC doesn’t get a DHCP IP, don’t worry about it, we’ll address it later using the GUI.

Phase III – Configuring pfSense via GUI Console

pfSense is not generally configured using the CLI menu. The GUI provides many more options and is easier to work with.  At this point, all of your devices should be getting IP addresses from the pfSense DHCP server.  If they aren’t getting a DHCP IP address, don’t worry, we’ll check them in the GUI.

  1. On the Management PC, return to the login page at https://99.99.99.1 (Figure 14)
    1. At the Sign In screen use the default creds to log in:
      Username: admin
      Password: pfsense
  2. Once logged in, on the top ribbon menu select Status–>Dashboard (Figure 15)

    NOTE: At the top, you will see a large warning about using the default username and password. Normally I would say change this, but I’ve had too many students ask me, “Dr. HVH?  What’s my password?” so please leave this alone for this exercise. On the right, you can see the interface settings we made earlier. I recommend that you click on these to get an idea of how the GUI and CLI commands line up but do not make any changes.

  3. At the top menu bar, select Interfaces–>Assignments (Figure 16)
    1. Click on WAN to bring up the configuration settings for just that interface (Figure 17)
      1. Review the various options to get familiar with the available options
      2. Make the following changes as necessary
        Description: ISP
        IPv4 Configuration Type: DHCP
        IPv6 Configuration Type: None
      3. Scroll to the bottom and press Save
      4. Now you will see a double-check prompt, so select Apply Changes (Figure 18)
    2. Return to the Interface Assignments page and make the following adjustments to the remaining adapters (Figure 19):
      1. LAN – change to “Management” and verify static IP assignment of 99.99.99.1/24
      2. OPT1 – change to “DMZ” and verify static IP assignment of 20.0.0.1/24
      3. OPT2 – change to “LAN” and verify static IP assignment of 10.0.0.1/24

        NOTE: Yes, we could have assigned LAN to em3 from the get-go.  However, by doing it this way, you gain experience in using the GUI.  You will encounter a few of these moments in these labs. The goal is to help you learn, not just read and click.

  4. Select Services –>DHCP Server to open the DHCP settings (Figure 20)
    1. View the details for the DHCP services on the Management interface
    2. Let’s pretend that we have reserved the IP addresses 99.99.99.101-99.99.99.110, so we will add a DHCP pool that hands out the remaining addresses
      1. Click on + Add Pool
      2. Pool Description –> “Management”
      3. Range –> 99.99.99.111 to 99.99.99.254
      4. Click on save
      5. Your settings should look like (Figure 21)
    3. Verify DHCP services for the ISP, DMZ, and LAN networks and change as necessary

      NOTE: Remember that all DHCP servers need to provide a gateway address to their clients too.

  5. Return to the Dashboard by selecting Status –>Dashboard

Phase IV – Open Everything Up

In a default two-interface LAN and WAN configuration, pfSense software utilizes default deny on the WAN and default allow on the LAN. Everything inbound from the Internet is denied, and everything out to the Internet from the LAN is permitted. All home-grade routers use this methodology, as do all similar open-source projects and most similar commercial offerings. It’s what most people expect out of the box, therefore it is the default configuration. That said, while it is a convenient way to start, it is not the recommended means of long-term operation. (Netgate pfSense documentation, https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html, last accessed 25 October 2023)

We are going to violate these settings for demonstration purposes.  Don’t worry, we’ll put them back.

  1. Navigate to the pfSense top ribbon and select Firewall–>Rules
  2. Click on the Management tab, observe the firewall rules and read the descriptions (Figure 22)
    1. Anti-Lockout Rule – keeps users from accidentally locking themselves out of the GUI interface
    2. Default allow LAN to any rule – Does not restrict any access for IPv4 hosts
    3. Default allow LAN IPv6 to any rule – Does not restrict any access for IPv6 hosts

      NOTE: We aren’t using IPv6, so you can delete the Default allow LAN IPV6 to any rule by pressing the trashcan button.

  3. Click on the DMZ tab to open the rules for the DMZ
  4. Click on Add (there are no rules so it doesn’t matter which one) to open the Edit Firewall Rule page (Figure 23)
    1. Make the following changes using the drop-down menus and textboxes:
      Action: Pass
      Interface: DMZ
      Address Family: IPv4
      Protocol: Any
      Source: DMZ net
      Destination: Any
      Description: Allow DMZ to any rule
    2. Save and apply changes
  5. Repeat the above steps for the LAN interface

    NOTE: We are going to leave the ISP interface completely blocked for now.

  6. Test the firewall settings
    1. From the Management PC, ping the simulated webserver and any of the LAN PCs

      NOTE: If you still can’t ping, you have done something wrong and will need to troubleshoot the problem. Did you remember to apply DHCP to all the end devices?

    2. From the webserver, ping a LAN PC and the Management PC
    3. From the Management PC, view the webpage hosted on the webserver (http://20.0.0.5:80)
      Figure 24 – Default Apache2 website

Phase V – Separate the DMZ from the LAN

The whole point of a DMZ is to have two separate infrastructures that can’t interact with each other directly; any data transfer between them has to be negotiated through a third party, in this case pfSense.  So we are going to set up traffic blocking between the DMZ and the LAN.

  1. On the pfSense top menu bar, select Firewall–>Rules–>DMZ
    1. Edit the existing rule with the following changes:
      Action: Block
      Interface: DMZ
      Address Family: IPv4
      Protocol: Any
      Source: DMZ net
      Destination: LAN net
      Description: Separating the LAN from the DMZ
    2. Click on Save and of course Apply Changes
  2. Now navigate to the web server console and try pinging the LAN PC again.  You should get a timeout error
    Figure 25 – Webserver pinging PC1
  3. Right-click on the connection on the webserver-pfSense link and start a Wireshark capture
    1. Try to ping the LAN PC again. Notice that there is no response from the pfSense server now
      Figure 26 – Failed communication from DMZ to LAN
    2. Navigate to one of the LAN PCs and try to ping the webserver.  It should be successful
      Figure 27 – Successful communication from LAN to DMZ

Phase VI – Access the Internet

Our web server needs access to the Internet.  So we are going to add a rule to allow this to occur.  Remember, we are going to use the ISP_Test_PC as our simulated Internet.  We are going to allow only the Web_Server to access the Internet through the Firewall.  We are going to introduce using Aliases in pfSense for this phase.

  1. Navigate to the Ubuntu_Desktop and use the browser to get access to the pfSense GUI
  2. Using the top ribbon menu select Firewall –>Aliases–>Ports
    1. Select Add and adjust the properties of the Alias as follows (Figure 28)
      Name: Internet_Ports
      Description: Access to the Internet
      Type: Port(s)
      Port(s) / Description:
        443 – https
        80 – http
        53 – dns
    2. Save and Apply Changes
  3. Using the top ribbon menu select Firewall –>Aliases–>IP
    1. Select Add and adjust the properties of the Alias as follows (Figure 29)
      Name: DMZ_Internet_Enabled_Hosts
      Description: Allows machines in DMZ to access the Internet
      Type: Host(s)
      Host(s) / Description:
        20.0.0.5-20.0.0.100 – DMZ network
    2. Save and Apply Changes
  4. Using the top ribbon menu select Firewall–>Rules–>DMZ
    1. Select Add and adjust the properties as follows (Figure 30)
      Action: Pass
      Interface: DMZ
      Address Family: IPv4
      Protocol: TCP/UDP
      Source: Single host or alias
      Source Address: DMZ_Internet_Enabled_Hosts
      Destination: Any
      Description: Allow DMZ Internet access
      Destination Port Range:
        From: (other), Custom: Internet_Ports
        To: (other), Custom: Internet_Ports
    2. Save and Apply Changes (Figure 31)

Phase VII – ICMP

If you were working ahead, you might have noticed that you can’t ping from the webserver to the ISP_Test_PC.  Remember that we only opened a few TCP/UDP ports; ping is a function of ICMP, which has no ports, so none of the existing rules match it. We need a separate rule to allow this.

  1. Navigate back to Firewall –> Rules–>DMZ
    1. Add another rule, below the others, with the following settings:
      Action: Pass
      Interface: DMZ
      Address Family: IPv4
      Protocol: ICMP
      ICMP Subtypes: Any
      Source: DMZ net
      Destination: Any
      Description: Allow for Pings
    2. Save and Apply Changes
  2. Verify that you now have three firewall rules in place for the DMZ network
    Figure 32 – DMZ firewall rules
  3. Test the communication of the network as it currently stands
    1. From the Webserver, ping the External PC (it should be successful)
    2. From PC1, ping the webserver (it should be successful)
    3. From the External PC, ping the Webserver…
      Figure 33 – External PC failed to see webserver

      Failure! Whether we try to ping or view the default Apache webpage, the external PC is unable to communicate with our DMZ. So how are people going to be able to reach our webserver?
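To see why each of the tests above turns out the way it does without clicking through the GUI, here is an added Python model (written for this chapter, not code from the chapter or from pfSense) of how pfSense evaluates interface-tab rules: top-down first match on the interface where a connection enters, replies following the state entry, and implicit default deny where no rule matches. The networks, aliases and rules are the lab’s own; the Anti-Lockout rule is left out, and 192.168.122.50 (External PC) and 10.0.0.10 (PC1) are constructed placeholder addresses.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Lab networks from Phase I, keyed by the interface names assigned in Phase III.
NETS = {
    "ISP": ip_network("192.168.122.0/24"),
    "Management": ip_network("99.99.99.0/24"),
    "DMZ": ip_network("20.0.0.0/24"),
    "LAN": ip_network("10.0.0.0/24"),
}
# Aliases created in Phase VI; the Host(s) alias is a range, stored as its endpoints.
PORT_ALIASES = {"Internet_Ports": {443, 80, 53}}
HOST_ALIASES = {"DMZ_Internet_Enabled_Hosts": (ip_address("20.0.0.5"), ip_address("20.0.0.100"))}

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    interface: str                   # rules tab = the interface a packet arrives on
    proto: str                       # "any", "tcp/udp" or "icmp"
    source: str                      # "<Interface> net" or a host alias name
    destination: str                 # "any" or "<Interface> net"
    dst_ports: Optional[str] = None  # port alias name, or None for any port
    description: str = ""

def _addr_matches(spec: str, addr: IPv4Address) -> bool:
    if spec == "any":
        return True
    if spec.endswith(" net"):
        return addr in NETS[spec[: -len(" net")]]
    lo, hi = HOST_ALIASES[spec]
    return lo <= addr <= hi

def _proto_matches(spec: str, proto: str) -> bool:
    return spec in ("any", proto) or (spec == "tcp/udp" and proto in ("tcp", "udp"))

def first_match(rules, iface, src, dst, proto, dport=None) -> Optional[Rule]:
    """Rules on an interface tab are read top to bottom; the first match decides."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r.interface != iface or not _proto_matches(r.proto, proto):
            continue
        if not _addr_matches(r.source, src) or not _addr_matches(r.destination, dst):
            continue
        if r.dst_ports and dport not in PORT_ALIASES[r.dst_ports]:
            continue
        return r
    return None

def session_allowed(rules, iface, src, dst, proto, dport=None) -> bool:
    """A new connection is filtered only where it enters pfSense; replies ride the state
    entry, so LAN -> DMZ pings succeed while DMZ -> LAN is blocked (Phase V). No matching
    rule at all is the implicit default deny seen on the empty ISP tab (Phase VII)."""
    r = first_match(rules, iface, src, dst, proto, dport)
    return r is not None and r.action == "pass"

# Rule set at the end of Phase VII (Anti-Lockout rule omitted; the ISP tab has no rules).
LAB_RULES = [
    Rule("pass", "Management", "any", "Management net", "any", description="Default allow LAN to any"),
    Rule("block", "DMZ", "any", "DMZ net", "LAN net", description="Separating the LAN from the DMZ"),
    Rule("pass", "DMZ", "tcp/udp", "DMZ_Internet_Enabled_Hosts", "any", "Internet_Ports",
         "Allow DMZ Internet access"),
    Rule("pass", "DMZ", "icmp", "DMZ net", "any", description="Allow for Pings"),
    Rule("pass", "LAN", "any", "LAN net", "any", description="Default allow LAN to any"),
]
```

One check worth running is `session_allowed(LAB_RULES, "DMZ", "20.0.0.5", "99.99.99.1", "tcp", 443)`, which returns True: Destination Any in the DMZ Internet rule also covers the Management network, so narrow the destination if the webserver should not reach the webConfigurator.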

End of Lab

Deliverables

Four screenshots are required to receive credit for completing this exercise:

  • Screenshot of the GNS3 workspace with all devices placed and labeled (Phase II)
  • Screenshot of the pfSense services dashboard after DHCP has been set up (Phase III)
  • Screenshot of the web server successfully pinging a LAN PC and the Management PC (Phase IV)
  • Screenshot of the 3 rules for the DMZ (Phase VII)

Homework

Assignment 1 – Scan the networks using Kali Linux and nmap

  • Import a Kali Linux VM into the GNS3 environment.  Use the same network settings as the other devices used in this chapter.
  • Attach a cable from the Kali machine to a switch and run nmap looking for active IP addresses and open ports. (type man nmap at the command prompt to read instructions about using nmap)
    • Screenshot of ISP switch
    • Screenshot of Management Switch
    • Screenshot of DMZ switch
    • Screenshot of LAN Switch

RECOMMENDED GRADING CRITERIA:

  • four screenshots
    • ISP has no open ports
    • Management has open ports
    • DMZ has open ports
    • LAN has open ports
List of Figures

Figure 2 – GNS3 pfSense template configuration
Figure 6 – List of pfSense interfaces ready to be assigned
Figure 7 – pfSense interfaces correctly assigned
Figure 8 – Updated pfSense CLI console
Figure 10 – em1 interface configured
Figure 11 – All pfSense interfaces configured
Figure 14 – pfSense webConfigurator login page
Figure 15 – pfSense main dashboard
Figure 16 – pfSense interface assignments
Figure 17 – em0 interface configuration
Figure 18 – Apply changes after saving
Figure 19 – Updated interface assignments
Figure 20 – DHCP server management screen
Figure 21 – Updated DHCP settings for Management LAN
Figure 22 – Default firewall rules on Management LAN
Figure 23 – Editing first firewall rule
Figure 28 – Internet port alias
Figure 29 – Internet enabled host alias
Figure 30 – DMZ rule configuration
Figure 31 – New DMZ firewall rule

License


Mastering Enterprise Networks Copyright © by Mathew J. Heath Van Horn, PhD and Jacob Christensen is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
