31 Network Hardening – pfSense Intranet

Mathew J. Heath Van Horn, PhD and Jacob Christensen

This chapter walks the learner through the steps needed to add a pfSense server to an enterprise network.  Specifically, we are going to set up the lab, configure the pfSense server to act as our DHCP server, open all the firewall ports so you can see what is going on in the network, and then watch how the addition of each firewall rule affects our enterprise network.

Learning Objectives

  • Configure pfSense for first use in GNS3
  • Create various firewall rules to regulate IPv4 traffic
  • Use pfSense as the DHCP server
  • Use Wireshark to observe the effects of firewall rules

Prerequisites

Deliverables

  • Screenshot of GNS3 Working environment once everything works
  • Screenshot of the pfSense Dashboard
  • Screenshot of all inside devices being able to ping
  • Screenshot of the 3 rules for the DMZ

Resources

Contributors and Testers

  • Julian H. Romano, Cybersecurity Student, ERAU-Prescott
  • Dante Rocca, Cybersecurity Student, ERAU-Prescott
  • Jungsoo Noh, Cybersecurity Student, ERAU-Prescott

Phase I – Setting up the Lab

The following steps are to create a baseline environment for completing the lab.  It makes assumptions about learner knowledge from completing previous labs.

The completed network topology will look like this:

gns3
Figure 1 – Final network
  1. In VirtualBox, create clones of your pfSense firewall and your Ubuntu Linux Desktop

    NOTE: When importing new VMs into GNS3, ensure that Allow GNS3 to use any configured VirtualBox adapter is selected in their network settings!

  2. Start GNS3
    1. Import the devices
    2. On the pfSense Server, change the network settings to accommodate 4 adapters (Figure 2)
    3. Create a new project: LAB_16
  3. Build the following network:
    gns3
    Figure 3 – GNS3 workspace
    1.  “Internet”: (NO BOX) – 192.168.122.0/24
      1. One switch – Ethernet switch
      2. Internet connectivity with host machine – NAT Cloud (ISP)
      3. One client machine – Guest/VM with browser (external pc)

        NOTE: While this example uses GNS3’s Chromium appliance, any device that has a browser installed will suffice.

    2. Management: (PURPLE BOX) – 99.99.99.0/24
      1. One switch – Ethernet switch
      2. One client machine – Guest/VM with browser (it admin)
    3. DMZ: (RED BOX) – 20.0.0.0/24
      1. One switch – Ethernet switch
      2. One client machine – Ubuntu Server (webserver)

        NOTE: Ensure that the Apache2 package is installed.

        > apt update

        > apt install apache2

        Since this lab isn’t focused on configuring a real webserver, we will simply use the default webpage that Apache provides out of the box. For now, simply verify that the daemon is running:

        terminal command execution
        Figure 4 – Apache2 daemon status

        If you are having issues with getting Ubuntu or Apache to work, you can “simulate” a webserver with a VPCS client. The idea is to have an end device in the DMZ that we can ping from other areas on the network.

    4. LAN: (BLUE BOX) – 10.0.0.0/24
      1. One switch – Ethernet switch
      2. Three client machines – VPCS
    5. pfSense Firewall connections:

      NOTE: This example uses the version 2.7.0 of pfSense Community Edition. You can either host this device as a VirtualBox VM or as a GNS3 appliance.

      1. Connect ethernet0 to the ISP switch (Internet)
      2. Connect ethernet1 to the Management switch
      3. Connect ethernet2 to the DMZ switch
      4. Connect ethernet3 to the LAN switch

Phase II – Configuring pfSense via CLI Console

Using VirtualBox instead of a physical box has its unique challenges.  Mostly VirtualBox tries to help us do what we are trying to do and that can cause us some conflicts.  We can work around these issues, but it may stress your cyber knowledge!

  1. In GNS3, start the pfSense server

    NOTE: There are like 3 seconds where you can change your boot options, but just let the timer click down and let it boot. The first time it starts can take a few minutes.

    1. Once the VM finishes booting, you should see the CLI menu below
      pfsense
      Figure 5 – pfSense command line console
  2. As you can see, pfSense only recognizes two interfaces – em0 (WAN) and em1 (LAN) – as currently active
    1. Assign each of the pfSense interfaces on this device with a network

      NOTE: Use the table below as a configuration guide for this step.

      GNS3 Interface pfSense Interface pfSense Interface Name
      Ethernet0 em0 WAN
      Ethernet1 em1 LAN
      Ethernet2 em2 OPT1
      Ethernet4 em3 OPT2
    2. Select option 1  to Assign Interfaces (Figure 6)
      1. When prompted – Should VLANs be set up now [y|n]? – type

        n

      2. Enter the WAN interface name or ‘a’ for auto-detection

        em0

      3. Enter the LAN interface name…

        em1

      4. Similarly, use em2 for the Optional 1 (OPT1) and em3 for the Optional 2 (OPT2)
      5. Verify the settings and type y to proceed (Figure 7)
    3. You can see that all interfaces are now correctly assigned and active (Figure 8)
  3. Configure IP and DHCP settings
    1. Select option 2 to Set interface(s) IP address
    2. You will see a menu of the 4 interfaces with their current network settings (Figure 8)

      NOTE: We will walk you through the first two interfaces, and leave the rest for you to complete on your own. Use the table below to assist with configuration settings.

      pfSense Interface pfSense Interface IPv4 Address
      em0 WAN Dynamic – DHCP
      em1 LAN Static – 20.2.2.1/24
      em2 OPT1 Static – 10.1.1.1/24
      em3 OPT2 Static – 212.10.10.1/24
    3. Select interface 1 – WAN
      1. Configure IPv4 address WAN interface via DHCP? (y/n)

        y

      2. Configure IPv6 address WAN interface via DHCP6? (y/n)

        n

      3. Enter the new WAN IPv6 address
        Press Enter for none (we are not using IPv6)
      4. Do you want to revert to HTTP as the webConfigurator protocol? (y/n)

        n

      5. Press Enter to finish em0 configuration and proceed
    4. Select interface 2 – LAN
      1. Configure IPv4 address LAN interface via DHCP?

        n

      2. Enter the new LAN IPv4 address

        99.99.99.1/24

      3. Enter the new LAN IPv4 upstream gateway address
        Press Enter for none
      4. Configure IPv6 address LAN interface via DHCP6? (y/n)

        n

      5. Enter the new WAN IPv6 address
        Press Enter for none (we are not using IPv6)
      6. Do you want to enable the DHCP server on LAN? (y/n)

        y

      7. Enter the start address of the IPv4 client address range:

        99.99.99.5

      8. Enter the end address of the IPv4 client address range:

        99.99.99.100

      9. Do you want to revert to HTTP as the webConfigurator protocol?

        n

      10. You should get a message on how to access the Web Configurator and be instructed to press Enter to continue (Figure 10)
    5. Setup em2 (OPT1), and em3 (OPT2) in a similar fashion as em1 using the IP address spaces we picked earlier (Figure 11)
  4. In GNS3, start the desktop in the Management LAN and check the current network settings
    1. Verify that DHCP works and that our management PC has an IP address in the range of 99.99.99.5 – 99.99.99.100
      terminal command execution
      Figure 12 – Client network settings verified

      NOTE: You can request a new IP address at any time with the following commands (some Linux distros may vary…)

      Release the currently assigned address on the interface named enp0s3.

      > dhclient -r -i enp0s3 -v

      Broadcast DHCP Discover packets to assign a new address.

      > dhclient -i enp0s3 -v

    2. Open Firefox and type the IP address you were given for webConfigurator (it should be https://99.99.99.1/)

      We haven’t set up any certificates yet, so you will get a big warning.  Just click Advanced… and go to the site anyway by accepting the risk and continuing. This will take you to the pfSense GUI interface to Sign In. Previously, when you were asked to revert to HTTP, if you said y, you will not get any warnings. Great choice to avoid a security message, but bad practice because everything you do can be read by others monitoring your network traffic.

      pfsense login
      Figure 13 – Caution page connecting to pfSense
  5. Return to the GNS3 workspace, start the other devices in the DMZ and LAN spaces, and verify they are receiving IP addresses

    NOTE: If a PC doesn’t get a DHCP IP, don’t worry about it, we’ll address it later using the GUI.

Phase III – Configuring pfSense via GUI Console

pfSense is not generally configured using the CLI menu. The GUI interface provides much more options and is easier to work with.  At this point, all of your devices should be getting IP addresses from the pfSense DHCP server.  If they aren’t getting a DHCP IP address, don’t worry, we’ll check them in the GUI.

  1. On the Management PC, return to the login page at https://99.99.99.1 (Figure 14)
    1. At the Sign In screen use the default creds to log in:
      Username: admin
      Password: pfsense
  2. Once logged in, on the top ribbon menu select Status–>Dashboard (Figure 15)

    NOTE: At the top, you will see a large warning about using the default username and password. Normally I would say change this, but I’ve had too many students ask me, “Dr. HVH?  What’s my password?” so please leave this alone for this exercise. On the right, you can see the interface settings we made earlier. I recommend that you click on these to get an idea of how the GUI and CLI commands line up but do not make any changes.

  3. At the top menu bar, select Interfaces–>Assignments (Figure 16)
    1. Click on WAN to bring up the configuration settings for just that interface (Figure 17)
      1. Review the various options to get familiar with the available options
      2. Make the following changes as necessary
        Option Value
        Description ISP
        IPv4 Configuration Type DHCP
        IPv6 Configuration Type None
      3. Scroll to the bottom and press Save
      4. Now you will see a double-check prompt, so select Apply Changes (Figure 18)
    2. Return to the Interface Assignments page and make the following adjustments to the remain adapters (Figure 19):
      1. LAN – change to “Management” and verify static IP assignment of 99.99.99.1/24
      2. OPT1 – change to “DMZ” and verify static IP assignment of 20.0.0.1/24
      3. OPT2 – change to “LAN” and verify static IP assignment of 10.0.0.1/24

        NOTE: Yes, we could have assigned LAN to em3 from the get-go.  However, by doing it this way, you gain experience in using the GUI.  You will encounter a few of these moments in these labs. The goal is to help you learn, not just read and click.

  4. Select Services –>DHCP Server to open the DHCP settings (Figure 20)
    1. View the details for the DHCP services on the Management interface
    2.  Let’s pretend that we have reserved the IP addresses 99.99.99.101-99.99.99.110 so we will add a DHCP pool to use the remaining IP address
      1. Click on + Add Pool
      2. Pool Description –> “Management”
      3. Range –> 99.99.99.111 to 99.99.99.254
      4. Click on save
      5. Your settings should look like (Figure 21)
    3. Verify DHCP services for the ISP, DMZ, and LAN networks and change as necessary

      NOTE: Remember that all DHCP servers need to provide a gateway address to their clients too.

  5. Return to the Dashboard by selecting Status –>Dashboard

Phase IV – Open Everything Up

In a default two-interface LAN and WAN configuration, pfSense software utilizes default deny on the WAN and default allow on the LAN. Everything inbound from the Internet is denied, and everything out to the Internet from the LAN is permitted. All home-grade routers use this methodology, as do all similar open-source projects and most similar commercial offerings. It’s what most people expect out of the box, therefore it is the default configuration. That said, while it is a convenient way to start, it is not the recommended means of long-term operation. – (Last accessed 25 October 2023 https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html )

We are going to violate these settings for demonstration purposes.  Don’t worry, we’ll put them back.

  1. Navigate to the pfSense top ribbon and select Firewall–>Rules
  2. Click on the Management tab, observe the firewall rules and read the descriptions (Figure 22)
    1. Anti-Lockout Rule – keeps users from accidentally locking themselves out of the GUI interface
    2. Default allow LAN to any rule – Does not restrict any access for IPv4 hosts
    3. Default allow LAN IPv6 to any rule – Does not restrict any access for IPv6 hosts

      NOTE: We aren’t using IPv6, so you can delete the Default allow LAN IPV6 to any rule by pressing the trashcan button.

  3. Click on the DMZ tab to open the rules for the DMZ
  4. Click on Add (there are no rules so it doesn’t matter which one) to open the Edit Firewall Rule page (Figure 23)
    1. Make the following changes using the drop-down menus and textboxes:
      Option Value
      Action Pass
      Interface DMZ
      Address Family IPv4
      Protocol Any
      Source DMZ net
      Destination Any
      Description Allow DMZ to any rule
    2. Save and apply changes
  5. Repeat the above steps for the LAN interface

    NOTE: We are going to leave the ISP interface completely blocked for now.

  6. Test the firewall settings
    1. From the Management PC, ping the simulated webserver and any of the LAN PCs

      NOTE: If you still can’t ping, you have done something wrong and will need to troubleshoot the problem. Did you remember to apply DHCP to all the end devices?

    2. From the webserver, ping a LAN PC and the Management PC
    3. From the Management PC, view the webpage hosted on the webserver (http://20.0.0.5:80)
      apache default page
      Figure 24 – Default Apache2 website

Phase V – Separate the DMZ from the LAN

The whole point of a DMZ is to have two separate infrastructures that can’t interact with each other directly, they have to negotiate data transfer through a 3rd party, in this case, pfSense.  So we are going to set up traffic blocking between the DMZ and the LAN.

  1. On the pfSense top menu bar, select Firewall–>Rules–>DMZ
    1. Edit the existing rule with the following changes:
      Option Value
      Action Block
      Interface DMZ
      Address Family IPv4
      Protocol Any
      Source DMZ net
      Destination LAN net
      Description Separating the LAN from the DMZ
    2. Click on Save and of course Apply Changes
  2. Now navigate to the web server console and try pinging the LAN PC again.  You should get a timeout error
    terminal command execution
    Figure 25 – Webserver pinging PC1
  3. Right-click on the connection on the webserver-pfSense link and start a Wireshark capture
    1. Try to ping the LAN PC again. Notice that there is no response from the pfSense server now
      wireshark
      Figure 26 – Failed communication from DMZ to LAN
    2. Navigate to one of the LAN PCs and try to ping the webserver.  It should be successful
      wireshark
      Figure 27 – Successful communication from LAN to DMZ

Phase VI – Access the Internet

Our web server needs access to the Internet.  So we are going to add a rule to allow this to occur.  Remember, we are going to use the ISP_Test_PC as our simulated Internet.  We are going to allow only the Web_Server to access the Internet through the Firewall.  We are going to introduce using Aliases in pfSense for this phase.

  1. Navigate to the Ubuntu_Desktop and use the browser to get access to the pfSense GUI
  2. Using the top ribbon menu select Firewall –>Aliases–>Ports
    1. Select Add and adjust the properties of the Alias as follows (Figure 28)
      Option Value
      Name Internet_Ports
      Description Access to the Internet
      Type Port(s)
      Port(s) Description
      443 https
      80 http
      53 dns
    2. Save and Apply Changes
  3. Using the top ribbon menu select Firewall –>Aliases–>IP
    1. Select Add and adjust the properties of the Alias as follows (Figure 29)
      Option Value
      Name DMZ_Internet_Enabled_Hosts
      Description Allows machines in DMZ to access the Internet
      Type Host(s)
      Host(s) Description
      20.0.0.5-20.0.0.100 DMZ network
    2. Save and Apply Changes
  4. Using the top ribbon menu select Firewall–>Rules–>DMZ
    1. Select Add and adjust the properties as follows (Figure 30)
      Option Value
      Action Pass
      Interface DMZ
      Address Family IPv4
      Protocol TCP/UDP
      Source Single host or alias
      Source Address DMZ_Internet_Enabled_Hosts
      Destination Any
      Description Allow DMZ Internet access
      Destination Port Range Value
      From (other)
      Custom Internet_Ports
      To (other)
      Custom Internet_Ports
    2. Save and Apply Changes (Figure 31)

Phase VII – ICMP

If you were working ahead, you might have noticed that you can’t ping from the webserver to the ISP_Test_IP.  Remember we opened some ports, but Ping is a function of ICMP that doesn’t use ports. We need a separate Alias to allow this.

  1. Navigate back to Firewall –> Rules–>DMZ
    1. Add another rule, below the others, with the following settings:
      Option Value
      Action Pass
      Interface DMZ
      Address Family IPv4
      Protocol ICMP
      ICMP Subtypes Any
      Source DMZ net
      Destination Any
      Description Allow for Pings
    2. Save and Apply Changes
  2. Verify that you now have three firewalls in place for the DMZ network
    pfsense login
    Figure 32 – DMZ firewall rules
  3. Test the communication of the network as it currently stands
    1. From the Webserver, ping the External PC (it should be successful)
    2. From PC1, ping the webserver (it should be successful)
    3. From the External PC, ping the Webserver…
      terminal command execution
      Figure 33 – External PC failed to see webserver

      Failure! Whether we try to ping or view the default Apache webpage, the external PC is unable to communicate with our DMZ. So how are people going to be able to reach our webserver?

End of Lab

Deliverables

Four screenshots are required to receive credit for completing this exercise:

  • Screenshot of the GNS3 workspace with all devices placed and labeled (Phase II)
  • Screenshot of the pfSense services dashboard after DHCP has been set up (Phase III)
  • Screenshot of the web server successfully pinging a LAN PC and the Management PC (Phase IV)
  • Screenshot of the 3 rules for the DMZ (Phase VII)

Homeworks

Assignment 1 – Scan the networks using Kali Linux and nmap

  • Import a Kali Linux VM into the GNS3 environment.  Use the same network settings as the other devices used in this chapter.
  • Attach a cable from the Kali machine to a switch and run nmap looking for active IP addresses and open ports. (type man nmap at the command prompt to read instructions about using nmap)
    • Screenshot of ISP switch
    • Screenshot of Management Switch
    • Screenshot of DMZ switch
    • Screenshot of LAN Switch

RECOMMENDED GRADING CRITERIA:

  • four screenshots
    • ISP has no open ports
    • Management has open ports
    • DMZ has open ports
    • LAN has open ports
List of Figures
gns3 configuration
Figure 2 – GNS3 pfSense template configuration
pfsense
Figure 6 – List of pfSense interfaces ready to be assigned
pfsense
Figure 7 – pfSense interfaces correctly assigned
pfsense
Figure 8 – Updated pfSense CLI console
pfsense
Figure 10 – em1 interface configured
pfsense
Figure 11 – All pfSense interfaces configured
pfsense login
Figure 14 – pfSense webConfigurator login page
pfsense login
Figure 15 – pfSense main dashboard
pfsense login
Figure 16 – pfSense interface assignments
pfsense login
Figure 17 – em0 interface configuration
pfsense login
Figure 18 – Apply changes after saving
pfsense login
Figure 19 – Updated interface assignments
pfsense login
Figure 20 – DHCP server management screen
pfsense login
Figure 21 – Updated DHCP settings for Management LAN
pfsense login
Figure 22 – Default firewall rules on Management LAN
pfsense login
Figure 23 – Editing first firewall rule
pfsense login
Figure 28 – Internet port alias
pfsense login
Figure 29 – Internet enabled host alias
pfsense login
Figure 30 – DMZ rule configuration
pfsense intranet
Figure 31 – New DMZ firewall rule

License

Icon for the Creative Commons Attribution 4.0 International License

Mastering Enterprise Networks Copyright © 2024 by Mathew J. Heath Van Horn is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book