© 2013 Rubicon Communications, LP

m1n1wall with pfSense Certified 2.1
Quick Start Guide

Contents

Introduction
Plugging everything in
Initial Configuration
  Logging into the web interface
  Setup Wizard
    Hostname
    Domain
    DNS Servers
    Time Zone and Server
    WAN Configuration
    Configure LAN Interface
    Setting the password
  Introduction to the web interface
Backing up and restoring
What else can I do?
Support
  Other Support Options
    Forum
    Mailing Lists
    IRC
Using the serial console
  Windows using PuTTY
  Windows using Hyperterminal
Additional Documentation

Introduction

Thank you for your purchase of the Netgate m1n1wall with pfSense Certified 2.1. The ALIX hardware platform in combination with the popular open source pfSense software provides a powerful, cost-effective solution for your network security needs.

This Quick Start Guide will help you get up and running with a basic configuration on your m1n1wall.

Plugging everything in

Now you have a fully assembled system and are ready to plug it in and get started with the configuration. The following image shows the location of the WAN and LAN ports.

If you are replacing an existing firewall on a production network, you will want to go through the initial configuration with the device not plugged into your production network. You can plug a laptop or desktop PC into the LAN port to perform the initial configuration. For new networks, you can start by plugging the LAN into your switch.

Note: The ALIX Ethernet ports are auto MDI/MDI-X, meaning you can use either a straight-through or crossover CAT5 cable regardless of the type of device you are connecting it to.

To get started, plug the LAN port into the network or system where you will perform the initial configuration, and then plug in the power.

Initial Configuration

After powering on your ALIX, it will boot up and be ready for the initial configuration after approximately two minutes. The initial boot takes longer if your WAN interface is not plugged into something where it can receive a DHCP address, as it must wait for that to time out. Once the system is booted, the system(s) plugged into the LAN port should receive a 192.168.1.X IP address from the firewall's DHCP server.

Logging into the web interface

Browse to https://192.168.1.1 to access the web interface. You will be prompted for a username and password; the default username is admin and the default password is pfsense.

Setup Wizard

After logging in, the setup wizard will run. This will walk you through a few steps to get up and running with a basic configuration. At the first screen, click Next. The subsequent screen allows you to configure the hostname, domain and DNS servers to be used.

Hostname

For hostname, choose a name for the host. This does not affect functionality.

Domain

If you have an existing DNS domain in use inside your network (such as a Microsoft Active Directory domain), use that domain here. This is the domain suffix assigned to DHCP clients, which you will want to match your internal network. For networks without any internal DNS domains, you can fill in anything you want here.

DNS Servers

The DNS server fields can be left blank if you have a WAN connection using DHCP, PPTP or PPPoE and the ISP automatically assigns DNS servers. When using a static IP on WAN, you must enter DNS server IPs here for name resolution to function. You can specify DNS servers here even if your ISP assigns different ones. Either enter the IPs provided by your ISP, or consider using a service like OpenDNS (www.opendns.com), whose free service will allow you to add content filtering and phishing protection, amongst other benefits, to your pfSense install. Using Google's public DNS servers (8.8.8.8, 8.8.4.4) is another popular choice.

Click Next after filling in the fields as appropriate.

Time Zone and Server

The next screen allows you to configure the time (NTP) server used to synchronize your firewall's clock, and also to specify its time zone. The default NTP server points you to ntp.org's NTP server pool. If you have an internal time server, you should specify it here instead. You also want to select a city in your time zone so that your log timestamps are in local time (unless you have a policy to timestamp all logs in GMT).

Click Next.

WAN Configuration

This page is where your Internet connection is configured. You will need information from your ISP to configure this screen appropriately. A few notes to assist you:

- MAC address: if replacing an existing firewall, you may want to enter the old firewall's WAN MAC address here, if you can easily tell what that is. This commonly avoids issues involved in switching out firewalls, such as stale ARP caches, ISPs locking to a single MAC address, etc. If you can't enter the MAC of your current firewall here, it probably isn't a big deal; power cycle your router or modem and your new MAC will usually be able to get online. For some ISPs, you have to call when switching devices, or go through an activation process of some sort.

- Static IP configurations: the subnet mask is configured in CIDR format, which is usually provided by the ISP in addition to the 255.x.x.x subnet mask. The subnet mask table (printed at the end of the Configure LAN Interface section) shows the most common subnet masks and their CIDR equivalents.

- Block private networks and bogons: these two options will block private, unassigned, and reserved IP subnets for traffic initiated on your WAN connection (i.e. coming in from the Internet). These IP ranges should never be seen on the Internet, and both options should be enabled on systems that are directly connected to the Internet. If your WAN resides on a private network, you may not want to use these options.
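The following Python script is an added example and is not part of the Netgate guide or of the pfSense software. It models the two WAN options described above so you can see what they would do to a given source address, and in particular why enabling "Block private networks" on a WAN that sits behind another NAT router (or on carrier-grade NAT space) drops traffic from the upstream gateway itself. The private ranges (RFC 1918 plus 127.0.0.0/8), the short bogon list, the log line format and all function names are the example's own assumptions, not the lists or formats pfSense actually uses; the real bogon table is much larger and is updated over time.

```python
import ipaddress

# Assumption (not from the guide): what "Block private networks" treats as
# private, modelled here as the RFC 1918 ranges plus loopback.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed, deliberately short subset of unassigned/reserved ("bogon")
# space for this example; the real bogon list is larger and changes over time.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16", "192.0.0.0/24",
    "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4")]


def wan_verdict(src, block_private=True, block_bogons=True):
    """Return 'drop:private', 'drop:bogon' or 'pass' for a packet arriving on
    WAN from source address `src`, with the two options set as given."""
    ip = ipaddress.ip_address(src)
    if block_private and any(ip in net for net in PRIVATE_NETS):
        return "drop:private"
    if block_bogons and any(ip in net for net in BOGON_NETS):
        return "drop:bogon"
    return "pass"


def wan_subnet_conflict(wan_address, block_private=True, block_bogons=True):
    """Check the guide's caveat before applying the options: if WAN itself
    sits on a private or reserved subnet (behind an ISP router, or on CGNAT
    space), the upstream gateway's own traffic would be dropped.
    `wan_address` is the WAN interface address in CIDR form, e.g.
    '192.168.0.5/24'; the first usable host of that subnet stands in for
    the upstream gateway."""
    net = ipaddress.ip_interface(wan_address).network
    probe = next(net.hosts())
    return wan_verdict(str(probe), block_private, block_bogons)


def summarize_wan_sources(lines, block_private=True, block_bogons=True):
    """Count verdicts over log-like lines containing 'src=<ip>' (a constructed
    format for this example, not the pfSense filter log format)."""
    counts = {"drop:private": 0, "drop:bogon": 0, "pass": 0}
    for line in lines:
        src = line.split("src=", 1)[1].split()[0]
        counts[wan_verdict(src, block_private, block_bogons)] += 1
    return counts


# Constructed sample of inbound connection attempts seen on WAN.
SAMPLE_LINES = [
    "2013-01-01T00:00:01 src=8.8.8.8 proto=tcp dport=443",
    "2013-01-01T00:00:02 src=10.1.2.3 proto=tcp dport=22",
    "2013-01-01T00:00:03 src=198.51.100.7 proto=udp dport=53",
    "2013-01-01T00:00:04 src=169.254.10.10 proto=tcp dport=80",
    "2013-01-01T00:00:05 src=1.1.1.1 proto=tcp dport=443",
]

if __name__ == "__main__":
    print(summarize_wan_sources(SAMPLE_LINES))
    # WAN behind a home router: the gateway is private, so the option bites.
    print("WAN 192.168.0.5/24, block private on: ",
          wan_subnet_conflict("192.168.0.5/24"))
    print("WAN 192.168.0.5/24, block private off:",
          wan_subnet_conflict("192.168.0.5/24", block_private=False))
```

Run it as a script to see the summary and the two WAN-behind-a-router verdicts; `wan_subnet_conflict` is the check to run on your intended WAN address before ticking either box, and any answer other than `pass` means the option would cut you off from your own upstream gateway.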

Configure LAN Interface

Here you configure the IP and subnet mask to be used on your LAN. If you don't ever plan to connect your network to any other network via VPN, the 192.168.1.x default is fine.

If you want to be able to connect into your network using VPN from remote locations, you should choose a private IP address range much more obscure than the very common 192.168.1.0/24. Space within the 172.16.0.0/12 RFC 1918 private address block seems to be the least frequently used, so choose something between 172.16.x.x and 172.31.x.x for the least likelihood of VPN connectivity difficulties. If your LAN is 192.168.1.x and you are at a wireless hotspot using 192.168.1.x (very common), you won't be able to communicate across the VPN: 192.168.1.x is the local network, not your network over the VPN.

Subnet mask to CIDR table (referenced from the WAN Configuration notes above):

Subnet Mask        CIDR
255.255.255.252    30
255.255.255.248    29
255.255.255.240    28
255.255.255.224    27
255.255.255.192    26
255.255.255.128    25
255.255.255.0      24
255.255.254.0      23
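As an added example (not from the guide or from pfSense), the Python below does the two calculations this section and the WAN static IP note leave to the reader: it converts between dotted subnet masks and CIDR prefix lengths, rejecting masks that no prefix length can describe, and it tests a candidate LAN range against the network at the far end of a VPN for the overlap problem described above. It goes slightly beyond the table by handling any prefix length, not just the eight listed. Function names and the sample networks are the example's own.

```python
import ipaddress


def mask_to_prefix(mask):
    """Convert a dotted subnet mask (255.255.255.0) to its CIDR prefix (24).
    Non-contiguous masks such as 255.0.255.0 are rejected rather than silently
    truncated, because no prefix length describes them."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix


def is_valid_mask(mask):
    """True if `mask` is a well-formed, contiguous dotted subnet mask."""
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:  # also covers AddressValueError for malformed input
        return False


def prefix_to_mask(prefix):
    """Inverse of mask_to_prefix: 24 -> '255.255.255.0'."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length {prefix} out of range")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def cidr_table(prefixes=range(30, 22, -1)):
    """Rebuild the guide's table of common masks as (mask, prefix) pairs."""
    return [(prefix_to_mask(p), p) for p in prefixes]


def vpn_overlap(local_lan, remote_lan):
    """True when the LAN behind the firewall and the network at the far end of
    a VPN (a hotspot, a branch office) overlap; routing then cannot tell the
    two apart, which is the failure the guide describes for 192.168.1.0/24.
    strict=False lets a host address such as 172.29.4.5/24 stand for its net."""
    local = ipaddress.ip_network(local_lan, strict=False)
    remote = ipaddress.ip_network(remote_lan, strict=False)
    return local.overlaps(remote)


def in_recommended_private_space(lan):
    """True if `lan` lies inside 172.16.0.0/12, the block the guide suggests
    for LANs that will be reached over VPN."""
    net = ipaddress.ip_network(lan, strict=False)
    return net.subnet_of(ipaddress.ip_network("172.16.0.0/12"))


if __name__ == "__main__":
    for mask, prefix in cidr_table():
        print(f"{mask:<18}/{prefix}")
    # constructed scenario from the guide: the same subnet at both VPN ends
    print("192.168.1.0/24 vs hotspot 192.168.1.0/24:",
          vpn_overlap("192.168.1.0/24", "192.168.1.0/24"))
    print("172.29.4.0/24  vs hotspot 192.168.1.0/24:",
          vpn_overlap("172.29.4.0/24", "192.168.1.0/24"))
```

Running it as a script reprints the table and shows the overlap check answering True for the default LAN against a default-addressed hotspot and False for a LAN moved into 172.16.0.0/12.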

Setting the password

Enter the admin password for your firewall here, and again to confirm. You should choose a strong password, with a combination of letters, numbers and symbols. Should you forget your password, you can reset it using a serial console on your m1n1wall.

After entering your password and confirming it, click Next. Then click Reload to apply your changes.

Introduction to the web interface

You are now at the front page of the pfSense web interface. This screen provides an overview of your system resource utilization. The menu on the left side of the screen groups the various configuration, status and diagnostics screens. There are also additional themes available to change the layout of the web interface, under System -> General Setup, if you prefer a different look and feel.

Note: The default theme does not function on an iPhone, iPad, or iPod Touch, but when browsing from one of these devices it will automatically switch to a different, plainer theme that is functional. Yes, you can configure your m1n1wall from your iOS devices. The default theme does function properly in the Android browser, but is difficult to navigate due to the screen size, so it also will switch to the plainer theme.

The default firewall rules can be viewed under Firewall -> Rules. If you need to forward ports, you will configure them under Firewall -> NAT. More information on port forwarding can be found here:

http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

You can view your real-time traffic throughput under Status -> Traffic Graph. For longer-term statistics, browse to Status -> RRD Graphs. Logs can be viewed under Diagnostics -> System logs.

Backing up and restoring

At this point your basic two-interface LAN and WAN configuration is complete. Before proceeding with additional configuration, you will want to get a backup of your configuration. To do so, browse to Diagnostics -> Backup/Restore in the web interface. Click the Download Configuration button, and a copy of your configuration will be downloaded. You can restore this configuration at the same screen, by choosing your backup file under Restore configuration.

If you purchased support with your m1n1wall, you also have access to the AutoConfigBackup service. This will encrypt your configuration and upload it to our servers every time you make a configuration change. Just don't lose your encryption key: it's impossible for us to read anything in your backup, and it cannot be restored without the key. You can find more information here:

http://doc.pfsense.org/index.php/AutoConfigBackup

What else can I do?

The pfSense software provides a wide array of functionality beyond the simple configuration documented here. See the Additional Documentation section to find information on this functionality and more. A few of the most commonly used possibilities follow.

- IPv6: support for native IPv6 connectivity on the LAN and several variations of IPv6 connectivity on the WAN is available.

- Captive portal: allows you to present a splash page to all users upon connecting to your network, optionally with authentication. This is commonly used with wireless hot spots, or as an additional layer of protection for wireless networks, with authentication against a local user database or an external RADIUS server such as Microsoft Active Directory.

- VPN: three types of VPNs are supported: IPsec, OpenVPN and PPTP. You can use these options to connect roaming users for remote access, or for site-to-site connectivity to connect multiple locations.

- Multi-WAN: multiple Internet connections with failover and load balancing are supported. In combination with a VLAN-capable switch, you can connect numerous Internet connections over a single physical interface on the firewall.

- Dynamic DNS: if your public IP is dynamic, you may want to sign up with a dynamic DNS provider (many options are free) and use the Dynamic DNS client to keep your hostname updated. This is especially helpful if you want to access services like VPN remotely.

- Wireless: with a wireless kit available from Netgate, your m1n1wall can act as a wireless access point, or be used in ad-hoc networks. It can also connect to a wireless access point as a client, for example using your neighbor's wireless as a second WAN (with permission, of course), amongst many other possible deployments.

Support

Newly-purchased eligible firewall products come with one year of Netgate's Premium Support. If you are eligible for this, you should have received a welcome letter with your login credentials to http://support.netgate.com. This service entitles you to access to our dedicated support portal for subscribers of Netgate's Premium Support, free updates to new releases of pfSense Certified 2.1, and much more.

Other Support Options

There is a large community of pfSense users who volunteer their time to help others. You may find all the help you need through the community, though generally not as promptly as with commercial support, and with no assurance of a response or a resolution.

Forum

There is a very active forum at http://forum.pfsense.org.

Mailing Lists

Mailing lists are also available, with information at http://www.pfsense.org/mailinglists.

IRC

The official IRC channel is ##pfsense on FreeNode.

Using the serial console

With the pre-assigned interfaces on the m1n1wall, you do not need to use the serial console to set up the device. You may want to access the console menu at times, for instance if you need to reset your admin password. A null modem cable is required. Most network professionals should already have one; they come with many switches, routers and other network equipment (with Cisco being one notable exception). They can be found for purchase at many electronics stores, and considerably cheaper online.

Plug one end of the null modem cable into the serial port on the m1n1wall, and the other into a serial port on a computer with a terminal emulator. USB to serial adapters should work well for systems that don't have a serial port.

Currently, as of version 2.0.3p2, the m1n1wall ships with the serial port speed set to 38400 so that the speed of the BIOS and the speed of the console match. In previous versions, the serial speed had been set to 115200 (2.0.3p1) and 9600 (before 2.0.3p1). If you are unable to get a working console using a serial speed of 38400, try the other listed serial speed settings. If your unit shipped with a speed other than 38400 and a firmware update to the newest Netgate firmware for the m1n1wall was performed, the serial speed will be 38400 after the upgrade.

Windows using PuTTY

PuTTY is a free option for Windows that includes serial console support.

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Select Connection type Serial, type in the COM port, and enter 38400 for the speed.

Windows using Hyperterminal

Hyperterminal is another free option for Windows.

http://www.hilgraeve.com/hyperterminal.html

Configure it as shown in the following screenshot.

Additional Documentation

This guide illustrates the basics for getting up and running with your m1n1wall. There is much more that can be accomplished with the pfSense software. The best source of information is the book pfSense: The Definitive Guide, available from Amazon, Barnes & Noble, and other booksellers. If you purchased support, contact us and we will provide the latest work-in-progress copy electronically. The book was written for pfSense 1.2.3, but the fundamentals and much of the GUI instructions still apply. There will be an updated book in the near future, available from the same retailers.

There is also a growing amount of information freely available on the pfSense documentation site at http://doc.pfsense.org.