Monday, April 22, 2013

Configuring pfSense (part deux)


It’s been a few days and I’m sure that billions of you have been waiting for the next thrilling installment of earning S+ CEUs theater, er, I mean configuring pfSense in a virtual machine on Xubuntu. When we last left off, the VM wasn’t really configured to do much of anything. Fortunately, my pfSense VM decided to deny access to the web configurator, so I get to start over and share all the fun clicks and whatnot with the Internet. I attribute the lack of access to the VM’s disk image sitting on a bad section of the host machine’s hard drive. Who would have thought that a laptop proudly sporting a “Designed for Microsoft® Windows® XP” sticker would have a failing hard drive?
Moving along at near breakneck pace, I reset pfSense to factory defaults via the menu that I accessed over SSH. This led to the dilemma that I was unable to configure the now headless VM. A few commands in the host machine’s terminal would kill the appliance. First, ps -A | grep VBox showed the processes that were running the VM. From there, I could either kill each process by its PID or be lazy and just use pkill VBox to kill them all. Laziness won out, and another ps -A | grep VBox showed that the processes were gone. Having killed the headless server, I restarted it via the GUI (laziness again, versus learning the correct command line verbiage to do it from there).
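The pkill VBox shortcut above matches every process whose name contains "VBox", so on a host with more than one VM it also kills the other machines, the VirtualBox GUI and the VBoxSVC service. The following is an added example (not code from the original post or from VirtualBox) that scopes the selection to one VM by name; the ps listing in it is constructed for the example and follows the column layout of ps -A -o pid,comm,args. The gentler alternative to killing host-side processes, VBoxManage controlvm <name> acpipowerbutton, is noted in the code.

```python
"""Select only the VirtualBox processes that belong to one named VM.

Added example, not from the original post. `pkill VBox` matches every process
whose name contains "VBox", so it also kills other running VMs, the VirtualBox
GUI and the VBoxSVC service. Matching on the VM name in the process arguments
limits the shutdown to the one appliance. The ps listing below is constructed
for this example; its columns follow `ps -A -o pid,comm,args`.
"""
import os
import re
import signal
import subprocess

# Constructed sample output; the UUIDs are placeholders, not real VM ids.
SAMPLE_PS = """\
  PID COMMAND       COMMAND
 2101 VBoxSVC       /usr/lib/virtualbox/VBoxSVC --auto-shutdown
 2233 VBoxHeadless  /usr/lib/virtualbox/VBoxHeadless --comment pfSense --startvm 00000000-0000-0000-0000-000000000001
 2410 VBoxHeadless  /usr/lib/virtualbox/VBoxHeadless --comment kali --startvm 00000000-0000-0000-0000-000000000002
 2512 VirtualBox    /usr/lib/virtualbox/VirtualBox
 2600 grep          grep VBox
"""


def vm_pids(ps_output: str, vm_name: str) -> list:
    """Return the PIDs of VirtualBox processes whose arguments name this VM."""
    # Match the VM name as a whole word so "pf" does not select "pfSense".
    name_re = re.compile(r"(?<![\w-])" + re.escape(vm_name) + r"(?![\w-])")
    pids = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, comm, args = parts
        # Only VirtualBox binaries (VBoxHeadless, VBoxSVC, ...) are candidates;
        # the grep process that mentions VBox in its arguments is not.
        if comm.startswith("VBox") and name_re.search(args):
            pids.append(int(pid))
    return sorted(pids)


def stop_vm(vm_name: str, dry_run: bool = True) -> list:
    """Terminate the processes of one VM on the live system.

    With dry_run=True only the PIDs are returned. A cleaner shutdown is
    `VBoxManage controlvm <name> acpipowerbutton` (or `poweroff`), which asks
    the guest to halt instead of killing its host-side processes.
    """
    ps = subprocess.run(["ps", "-A", "-o", "pid,comm,args"],
                        capture_output=True, text=True, check=True)
    pids = vm_pids(ps.stdout, vm_name)
    if not dry_run:
        for pid in pids:
            os.kill(pid, signal.SIGTERM)
    return pids


if __name__ == "__main__":
    print("pfSense processes in the sample listing:", vm_pids(SAMPLE_PS, "pfSense"))
```

Run it as-is to see the selection against the sample listing; stop_vm("pfSense", dry_run=False) applies it to the real process table.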
The now-restarted server was back to square one, asking me about configuring VLANs and which interfaces were to serve as WAN and LAN. For my setup, em1 was WAN and em0 was LAN, and I’m not configuring any VLANs at this point. The WAN connection retrieved its address via DHCP from my other laptop, which was sharing its Internet connection. The LAN connection auto-configured to the 192.168.1.0 subnet, took address 192.168.1.1, enabled its own DHCP server and gave the host machine an IP address from its pool.
I wanted to change the default addressing scheme on the LAN interface, so I selected option 2 - Set interface(s) IP address. It then prompts for which interface (WAN or LAN), the IPv4 address, the subnet mask in classless inter-domain routing (CIDR) notation, whether the DHCP server is to be enabled on this interface, the starting and ending addresses of the DHCP pool, and whether the webConfigurator is to use HTTP or HTTPS. In this case, I wanted to keep a class C network, and for security one should use HTTPS rather than unsecured HTTP. After entering the desired info, pfSense reconfigured the interface as I requested. The host machine hadn’t released its IP address because its lease wasn’t anywhere close to expiring, so a quick unplug and replug of the ethernet cable yielded a new IP address on the correct network.
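The console option asks for the address, prefix length, DHCP pool and HTTP/HTTPS choice in sequence and only complains after the answers are typed. As an added example (not pfSense code and not from the original post), here is a small check of the same answers with Python’s ipaddress module, so that a pool outside the subnet or one that swallows the interface’s own address is caught before the appliance is reconfigured. The addresses in the usage block are made up for the example.

```python
"""Sanity-check a LAN interface assignment before entering it on the console.

Added example, not code from pfSense or the original post. It models the
answers console option 2 collects: interface address, CIDR prefix, DHCP pool
start and end, and whether the webConfigurator uses HTTPS.
"""
import ipaddress


def check_lan_config(addr: str, prefix: int, pool_start: str, pool_end: str,
                     https: bool = True) -> list:
    """Return a list of problems; an empty list means the answers are consistent."""
    problems = []
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    # The interface must get a usable host address, not the network/broadcast one.
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("interface address is the network or broadcast address")

    # The DHCP pool has to live inside the subnet the interface serves.
    if start not in net or end not in net:
        problems.append("DHCP pool is not inside the interface subnet")
    if start > end:
        problems.append("DHCP pool start is after pool end")

    # Leasing the gateway's own address to a client breaks routing for everyone.
    if start <= iface.ip <= end:
        problems.append("DHCP pool includes the interface's own address")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("DHCP pool includes the network or broadcast address")

    if not https:
        problems.append("webConfigurator over plain HTTP sends the admin password in clear text")
    return problems


def pool_size(pool_start: str, pool_end: str) -> int:
    """Number of leases the pool can hand out."""
    return int(ipaddress.ip_address(pool_end)) - int(ipaddress.ip_address(pool_start)) + 1


if __name__ == "__main__":
    # Constructed values for a /24 ("class C") LAN; replace with your own.
    for name, cfg in {
        "good": ("192.168.50.1", 24, "192.168.50.100", "192.168.50.199", True),
        "wrong subnet": ("192.168.50.1", 24, "192.168.1.100", "192.168.1.199", True),
        "pool covers gateway": ("10.0.0.1", 24, "10.0.0.1", "10.0.0.50", False),
    }.items():
        print(name, "->", check_lan_config(*cfg) or "ok",
              f"({pool_size(cfg[2], cfg[3])} leases)")
```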
Upon entering the IP address into the web browser on the host machine, it noted that the site’s security certificate isn’t trusted by the machine. Having duly noted this, I chose to accept the risk that I could be the victim of an attacker nestled inside my newly minted network. Having braved ahead, I was greeted by the login screen. Using the default username and password, admin/pfsense, I logged on and began the initial config wizard (initial config part 2, if you will). Options in this second initial config include hostname, domain, DNS servers, time server info, WAN-specific configuration, LAN config, and admin password change (probably a good idea to do that if you are actually going to be exposing this thing to the Internet, even if you are configuring it to only allow logins from the LAN connection). After it applies the desired config, it prompts you to reload the page, which lands you on the dashboard. This is where the real fun and configuration begins. On the main menu under System/Packages, there is a plethora of services available, from Asterisk to Zabbix, to be somewhat specific. Looking through the list of services, a proxy server may be a good place to start.
One option for such a service is squid coupled with squidGuard. The first time I installed and configured these services, I had a problem with squid not loading properly. Googling for a solution revealed that it is somewhat recommended to install squidGuard first, as it may attempt to overwrite squid with some older files. Having completed the installation of both packages, configuration can begin under Services/Proxy server and Services/Proxy filter.
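The browser warning is about a self-signed certificate that no CA vouches for, so the risk of clicking through is that anyone on the LAN could present their own certificate for the same address. The usual answer for an appliance like this is to record the certificate’s fingerprint once over a path you trust (the VM console, for instance) and compare it on later connections. The following is an added example, not code from pfSense or the original post; the host, port and expected fingerprint in the usage block are placeholders to replace with your own.

```python
"""Pin the webConfigurator's self-signed certificate by SHA-256 fingerprint.

Added example, not part of the original post or of pfSense. The TLS
connection is made without CA verification only so the certificate can be
retrieved; the trust decision is the fingerprint comparison, not the CA check.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """Return the colon-separated, upper-case SHA-256 fingerprint browsers show."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate in DER form without trusting it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # we verify by fingerprint instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the presented fingerprint with the pinned one in constant time."""
    wanted = expected.upper().replace(" ", "")
    return hmac.compare_digest(fingerprint_sha256(der_cert), wanted)


def check_pin(host: str, port: int, expected: str) -> bool:
    """True if the live certificate matches the fingerprint recorded earlier."""
    return fingerprint_matches(fetch_peer_cert(host, port), expected)


if __name__ == "__main__":
    # Placeholders: use your LAN address and the fingerprint read off the console.
    HOST, PORT = "192.0.2.1", 443
    EXPECTED = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:" \
               "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
    try:
        ok = check_pin(HOST, PORT, EXPECTED)
        print("certificate matches pin" if ok else "FINGERPRINT MISMATCH, do not log in")
    except OSError as exc:
        print("could not connect:", exc)
```

On first use, print fingerprint_sha256(fetch_peer_cert(host)) and compare it by eye with what the appliance itself reports; after that the script answers the browser’s question without a CA.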
Looking under the general tab of the proxy server shows such options as which interface to bind to, which port to use and whether local LAN users will be allowed on the interface. Also on this page is the option to enable logging and how frequently to rotate the logs. In this case, I enabled logging and set the logs to rotate weekly.
Skipping the remote cache tab (as I’m not using this feature), I next configure the local cache. The default settings in cache general settings are fine for my application here, so I leave those as is. The hard disk cache settings, however, need some adjustment. 100MB of disk space for cache is hardly anything, especially if I have more than one user. I increase this to 2000MB and adjust the default maximum object size from 4KB to 4000KB (roughly 4MB). The default memory settings are also a bit on the small side, so I increase them as well. Memory cache size goes from 8MB to 200MB and maximum object size in RAM goes from 32KB to 512KB.
The ACLs tab can be left as is, or specific subnets, IPs or hosts may be blocked or whitelisted if so desired. Specific ports outside of the default list (21, 70, 80, 210, 280, 443, 488, 563, 591, 631, 777, 901, 1025-65535) may also be allowed. The defaults here suit my application just fine. On the traffic management tab, I configure the throttle options for binary and CD images, as these aren’t high priority (and if they are, I can simply disable throttling).
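To make the ACLs tab concrete, here is an added example (not code from the squid package, pfSense or the original post) that parses the default port list exactly as it is written above, takes an allowed-subnet list and a blocked-host list, and decides whether one request gets through. It follows squid’s usual ordering of refusing unsafe ports before considering the source; the client addresses in the usage block are constructed samples.

```python
"""Model the proxy ACL decisions: safe ports, allowed subnets, blocked hosts.

Added example, not from the original post or from squid. The port list
string is the default shown on pfSense's ACLs tab; the evaluation order
(unsafe port first, then blocked host, then source subnet) mirrors the
common squid layout of `deny !Safe_ports` before `allow localnet`.
"""
import ipaddress

DEFAULT_SAFE_PORTS = "21, 70, 80, 210, 280, 443, 488, 563, 591, 631, 777, 901, 1025-65535"


def parse_ports(spec: str) -> list:
    """Turn '21, 80, 1025-65535' into a list of (low, high) inclusive ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (int(p) for p in item.split("-", 1))
        else:
            low = high = int(item)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ranges.append((low, high))
    return ranges


def port_allowed(port: int, ranges: list) -> bool:
    return any(low <= port <= high for low, high in ranges)


def source_allowed(ip: str, allowed_nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_nets)


def decide(client_ip: str, dest_port: int, allowed_nets: list, safe_ports: list,
           blocked_hosts: tuple = ()) -> tuple:
    """Return ('allow' | 'deny', reason) for one proxied request."""
    if not port_allowed(dest_port, safe_ports):
        return ("deny", f"port {dest_port} is not in the safe-port list")
    if ipaddress.ip_address(client_ip) in {ipaddress.ip_address(h) for h in blocked_hosts}:
        return ("deny", f"{client_ip} is on the blocked host list")
    if not source_allowed(client_ip, allowed_nets):
        return ("deny", f"{client_ip} is outside the allowed subnets")
    return ("allow", "source in allowed subnet and port is safe")


if __name__ == "__main__":
    # Constructed LAN and clients for the demonstration.
    lan = [ipaddress.ip_network("192.168.50.0/24")]
    ports = parse_ports(DEFAULT_SAFE_PORTS)
    for ip, port in [("192.168.50.20", 443), ("192.168.50.20", 22),
                     ("192.168.50.66", 80), ("10.9.9.9", 80), ("192.168.50.20", 8080)]:
        print(ip, port, "->", decide(ip, port, lan, ports, blocked_hosts=("192.168.50.66",)))
```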

Next time on the exciting adventures of pfSense setup, configuring squidGuard! (Probably)
