Transcription of The pfSense Book - docs.netgate.com
1 The pfSense Book Copyright 2019 Electric Sheep Fencing LLC. Netgate Sep 30, 2019. CONTENTS. 1 Preface 2. Copyright Notice .. 2. Acknowledgements .. 2. Feedback .. 4. Typographic Conventions .. 4. Authors .. 6. 2 Foreword 7. 3 Introduction 8. What does pfSense stand for/mean? .. 8. Why FreeBSD? .. 8. Common Deployments .. 9. Interface Naming Terminology .. 10. Finding Information and Getting Help .. 11. Project Inception .. 12. 4 Networking Concepts 13. Understanding Public and Private IP Addresses .. 13. IP Subnetting Concepts .. 14. IP Address, Subnet and Gateway Configuration .. 14. Understanding CIDR Subnet Mask Notation .. 15. CIDR Summarization .. 16. Broadcast Domains .. 17. IPv6 .. 17. Brief introduction to OSI Model Layers.
2 30. 5 Hardware 31. Minimum Hardware Requirements .. 31. Hardware Selection .. 31. Hardware Sizing Guidance .. 32. Hardware Tuning and Troubleshooting .. 35. Hardware Compatibility .. 36. 6 Installing and Upgrading 38. Download Installation Media .. 38. Prepare Installation Media .. 40. Connect to the Console .. 46. Perform the Installation .. 49. Assign Interfaces .. 52. Alternate Installation Techniques .. 55. i Installation Troubleshooting .. 56. Upgrading an Existing Installation .. 58. Filesystem Tweaks .. 60. 7 Configuration 62. Setup Wizard .. 62. Interface Configuration .. 69. Managing Lists in the GUI .. 71. Quickly Navigate the GUI with Shortcuts .. 71. General Configuration Options .. 72. Advanced Configuration Options.
3 74. Console Menu Basics .. 96. Time Synchronization .. 102. Troubleshooting .. 105. pfSense XML Configuration File .. 108. What to do when locked out of the WebGUI .. 108. Connecting to the WebGUI .. 113. 8 Interface Types and Configuration 114. Interface Groups .. 114. Wireless .. 116. VLANs .. 116. QinQs .. 116. Bridges .. 116. OpenVPN .. 116. PPPs .. 117. GRE (Generic Routing Encapsulation) .. 120. GIF (Generic tunnel InterFace) .. 120. LAGG (Link Aggregation) .. 121. Interface Configuration .. 123. IPv4 WAN Types .. 125. IPv6 WAN Types .. 127. Physical and Virtual Interfaces .. 129. 9 User Management and Authentication 131. User Management .. 131. Authentication Servers .. 134. External Authentication Examples.
4 138. Troubleshooting .. 139. Support Throughout pfSense .. 141. 10 Certificate Management 142. Certificate Authority Management .. 142. Certificate Management .. 145. Certificate Revocation List Management .. 149. Basic Introduction to Public Key Infrastructure .. 152. 11 Backup and Recovery 153. Making Backups in the WebGUI .. 153. Using the AutoConfigBackup Package .. 153. Alternate Remote Backup Techniques .. 156. Restoring from Backups .. 157. Backup Files and Directories with the Backup Package .. 160. Caveats and Gotchas .. 161. Backup Strategies .. 162. ii 12 Firewall 163. Firewalling Fundamentals .. 163. Ingress Filtering .. 165. Egress Filtering .. 165. Introduction to the Firewall Rules screen .. 168. Aliases.
5 172. Firewall Rule Best Practices .. 177. Rule Methodology .. 180. Configuring firewall rules .. 186. Floating Rules .. 192. Methods of Using Additional Public IP Addresses .. 194. Virtual IP Addresses .. 197. Time Based Rules .. 199. Viewing the Firewall Logs .. 201. How Do I Block access to a Web Site? .. 205. Troubleshooting Firewall Rules .. 206. 13 Network Address Translation 209. Port Forwards .. 209. 1:1 NAT .. 215. Ordering of NAT and Firewall Processing .. 218. NAT Reflection .. 220. Outbound NAT .. 223. Choosing a NAT Configuration .. 226. NAT and Protocol Compatibility .. 227. IPv6 Network Prefix Translation (NPt) .. 230. Troubleshooting .. 232. Default NAT Configuration .. 236. 14 Routing 237. Gateways.
6 237. Gateway Settings .. 238. Gateway Groups .. 241. Static Routes .. 241. Routing Public IP Addresses .. 245. Routing Protocols .. 248. Route Troubleshooting .. 250. 15 Bridging 254. Creating a Bridge .. 254. Advanced Bridge Options .. 254. Bridging and Interfaces .. 257. Bridging and firewalling .. 259. Bridging Two Internal Networks .. 260. Bridging interoperability .. 261. Types of Bridges .. 262. Bridging and Layer 2 Loops .. 263. 16 Virtual LANs (VLANs) 264. Terminology .. 264. VLANs and Security .. 265. pfSense VLAN Configuration .. 266. Switch VLAN Configuration .. 270. pfSense QinQ Configuration .. 280. Requirements .. 282. iii 17 Multiple WAN Connections 284. Multi-WAN Terminology and Concepts .. 284. Policy Routing, Load Balancing and Failover Strategies.
7 286. Multi-WAN Caveats and Considerations .. 287. Summary of Multi-WAN Requirements .. 289. Load Balancing and Failover with Gateway Groups .. 289. Interface and DNS Configuration .. 291. Multi-WAN and NAT .. 292. Policy Routing Configuration .. 293. Verifying Functionality .. 295. Troubleshooting .. 297. Multi-WAN on a Stick .. 298. Multi-WAN for IPv6 .. 298. Multi-Link PPPoE (MLPPP) .. 300. Choosing Internet Connectivity .. 301. 18 Virtual Private Networks 303. Choosing a VPN solution .. 303. VPNs and Firewall Rules .. 305. VPNs and IPv6 .. 306. PPTP Warning .. 307. Common deployments .. 307. 19 IPsec 310. IPsec and IPv6 .. 310. Choosing configuration options .. 310. IPsec and firewall rules .. 319. Site-to-Site.
8 319. Mobile IPsec .. 328. Testing IPsec Connectivity .. 364. IPsec Troubleshooting .. 365. Configuring Third Party IPsec Devices .. 373. IPsec Terminology .. 377. 20 OpenVPN 378. OpenVPN and IPv6 .. 378. OpenVPN Configuration Options .. 378. Using the OpenVPN Server Wizard for Remote Access .. 389. Configuring Users .. 395. OpenVPN Client Installation .. 396. Site-to-Site Example (Shared Key) .. 409. Site-to-Site Example Configuration (SSL/TLS) .. 411. Checking the Status of OpenVPN Clients and Servers .. 415. Permitting traffic to the OpenVPN server .. 416. Allowing traffic over OpenVPN Tunnels .. 417. OpenVPN clients and Internet Access .. 417. Assigning OpenVPN Interfaces .. 418. NAT with OpenVPN Connections.
9 419. OpenVPN and Multi-WAN .. 422. OpenVPN and CARP .. 424. Bridged OpenVPN Connections .. 425. Custom configuration options .. 426. Sharing a Port with OpenVPN and a Web Server .. 427. Controlling Client Parameters via RADIUS .. 427. iv Troubleshooting OpenVPN .. 428. OpenVPN and Certificates .. 432. 21 L2TP VPN 433. L2TP and Firewall Rules .. 433. L2TP and Multi-WAN .. 433. L2TP Server Configuration .. 433. L2TP with IPsec .. 435. L2TP Troubleshooting .. 438. L2TP Logs .. 439. L2TP Security Warning .. 440. 22 Traffic Shaper 441. What the Traffic Shaper can do for a Network .. 441. Hardware Limitations .. 442. ALTQ Scheduler Types .. 442. Configuring the ALTQ Traffic Shaper With the Wizard .. 445. Monitoring the Queues.
10 453. Advanced Customization .. 454. Limiters .. 458. Traffic Shaping and VPNs .. 462. Troubleshooting Shaper Issues .. 463. Traffic Shaping Types .. 464. Traffic Shaping Basics .. 464. 23 Server Load Balancing 466. Server Load Balancing Configuration Options .. 466. Web Server Load Balancing Example Configuration .. 470. Troubleshooting Server Load Balancing .. 476. 24 Wireless 478. Recommended Wireless Hardware .. 478. Working with Virtual Access Point Wireless Interfaces .. 481. Wireless WAN .. 482. Bridging and wireless .. 485. Using an External Access Point .. 487. pfSense as an Access Point .. 488. Additional protection for a wireless network .. 494. Configuring a Secure Wireless Hotspot .. 495. Troubleshooting Wireless Connections.
