- Last Updated: 07/31/2019
Note: for this lab you will need the pfsense_guest.img, fios.img, fios.xml, google.img, and google.xml files. Make sure to install these files using the methods described on the wiki if they are not already located on the server: https://neatrack.globalweb.net/documents/26
Now that you know the basic uses and function of firewalls in networking, it's time to apply your knowledge. In this lab you will create a firewall that separates the "internet" (which in this case will be a vm) and your internal network, including vlans 60, 70, and any others created from other labs.
For this lab we will be using a vm to simulate the firewall. This vm will be running PFSense, a free to use firewall that works out of a web interface. PFSense is based on FreeBSD which, along with NetBSD and OpenBSD, comes from BSD, a unix-like distribution. There are other options (the other common one being OpenBSD) that we will not use today due to either complexity or other reasons. Feel free to look them up on your own.
As said, we will be running the firewall in a vm. The end goal is to have the firewall block ping requests to "google", a vm with the same ip address that Google uses in real life.
But firewalls have multiple uses; they don't just filter packets. Right now, we are using the dhcp vm to hand out ip addresses to every machine connected to the system. We can consolidate that function inside the firewall. We will also use our firewall as a NAT (network address translation) device: it will hide all of the local networks behind the firewall behind a single ip address, which is the only address the "internet" will see.
It is easier to visualize:
Set up Google and FIOS
We need to start the fios and google machines before we continue. They operate on vlans 990 and 991; add these to your switch with the following:
trainswitch(config)#vlan 990
trainswitch(config-vlan)#name fwlab
***This is just one of the configs, make sure to add the other one.
You also need to add the vlans in /etc/network/interfaces. Edit that file with your favorite text editor and add the following.
auto vlan990
iface vlan990 inet manual
    vlan-raw-device eth0

auto vmbr990
iface vmbr990 inet manual
    bridge_ports vlan990
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off
    bridge_fd 9
    up /sbin/ifconfig $IFACE up || /bin/true
***This is just one of the configs, make sure to add the other one
Before we continue, there are two VMs that you need to start. Go ahead and start FIOS and Google with the following commands. Make sure you aren't connected to the internet before continuing.
virsh start fios
virsh start google
If you get the error "missing target information for device /data/google.img" when starting the google vm, find the line
<disk type='file' device='disk'>
in google.xml and add this directly below it:
<target dev='vda' bus='virtio'/>
These machines are already premade and simulate an internet connection to a remote site. Later, this will allow you to test your firewall by pinging 22.214.171.124, which, in real life, is one of Google's DNS servers. FIOS will simulate an ISP that gives dhcp to your firewall; the address it hands out will be a public ip address under 126.96.36.199/24. Make sure both of these machines stay running for the duration of the lab.
Preparing the vlans
Before we go through and set up the firewall, we need to make sure the vlans we need are defined. The firewall will operate on three vlans: 60, 70, and 990. Add these vlans to the switch config. They should look something like so:
Enter configuration commands, one per line. End with CNTL/Z.
trainswitch(config)#vlan 60
trainswitch(config-vlan)#name fwlan1
We also need to add these vlans to the /etc/network/interfaces file of the host machine. Use the text editor of your choice and add one of the following for each of the vlans, changing the numbers for each:
auto vlan751
iface vlan751 inet manual
    vlan-raw-device eth0

auto vmbr751
iface vmbr751 inet manual
    bridge_ports vlan751
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off
    bridge_fd 9
    up /sbin/ifconfig $IFACE up || /bin/true
***This config, as written, won't help you: vlan 751 is not one of the lab's vlans. Change the numbers (751 in every line) to the vlan you need, once per vlan.
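The two /etc/network/interfaces stanzas above (for vlan 990/991 and for vlans 60/70) differ only in the vlan number, so the whole set can be generated instead of typed by hand. The following script is an added example, not part of the lab page: vlan_stanza prints the vlan plus bridge pair for one numeric vlan id (rejecting non-numeric or out-of-range ids so a typo cannot produce a half-written config), and gen_all emits one stanza per id given on the command line. It assumes the host's uplink is eth0, as in the lab text, and that the bridge keyword is bridge_stp.

```shell
#!/bin/sh
# Added example: generate /etc/network/interfaces stanzas for the lab's vlans.
# Assumes the physical uplink is eth0 (override with UPLINK=... in the environment).

UPLINK="${UPLINK:-eth0}"

# Print the tagged-interface + bridge stanza for one vlan id.
# Returns 1 (and prints nothing) when the id is not a number in 1-4094.
vlan_stanza() {
    vid="$1"
    case "$vid" in
        ''|*[!0-9]*) echo "vlan_stanza: vlan id '$vid' is not numeric" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "vlan_stanza: vlan id $vid is outside 1-4094" >&2
        return 1
    fi
    cat <<EOF
auto vlan$vid
iface vlan$vid inet manual
    vlan-raw-device $UPLINK

auto vmbr$vid
iface vmbr$vid inet manual
    bridge_ports vlan$vid
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off
    bridge_fd 9
    up /sbin/ifconfig \$IFACE up || /bin/true

EOF
}

# Emit a stanza for every vlan id given; stop at the first bad id so the
# caller never appends a partial set to the real config file.
gen_all() {
    for vid in "$@"; do
        vlan_stanza "$vid" || return 1
    done
}

# Usage on the host (review the output before appending it):
#   sh gen_vlans.sh 60 70 990 991 >> /etc/network/interfaces
if [ "${1:-}" ]; then
    gen_all "$@"
fi
```

Run it with the four vlan ids the lab uses and append the output to /etc/network/interfaces; the bridge names it produces (vmbr60, vmbr70, vmbr990, vmbr991) are the ones referenced in the pfsense.xml interface definitions later in the lab.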
Creating the firewall
We have given you a file called pfsense_guest.img. Create a copy of this file with a different name, and a copy of guest.xml with the same base name. We will be using pfsense as our name in these examples. Edit pfsense.xml and change the following:
- Change the name
- Change the source img file
The firewall needs to have access to both its WAN and LAN networks. Its WAN network will be vmbr990 for the purposes of this lab, even though a real internet uplink would not arrive on a vlan. It actually has two LAN networks it will manage: 60 and 70. Add an interface for all three. An example of one interface is below:
<interface type='bridge'>
  <source bridge='vmbr80'/>
  <model type='virtio'/>
</interface>
After you do this, define, boot, and console into the vm.
Firewall Install Guide
When you first console into the firewall, you will be greeted by an option to configure vlans. Say yes and press enter through the first prompt.
- Note: if this prompt doesn't appear for you and a list of numbered commands appears instead, type 1 and press enter.
A prompt like so will appear:
VLAN Capable interfaces:

vtnet0   52:54:00:76:2c:88   (up)
vtnet1   52:54:00:54:4e:21   (up)
vtnet2   52:54:00:f1:06:5a   (up)

Enter the parent interface name for the new VLAN (or nothing if finished):

If the names of the interfaces are not known, auto-detection can
be used instead. To use auto-detection, please disconnect all
interfaces before pressing 'a' to begin the process.

Enter the WAN interface name or 'a' for auto-detection
(vtnet0 vtnet1 vtnet2 or a):
At the top we see each interface with its MAC address; the same names, vtnet0, vtnet1, and vtnet2, are offered again at the bottom. Each is a virtual NIC attached to one of the bridges you added to pfsense.xml. One is the WAN interface that faces the internet, while the other two are your internal vlan60 and vlan70 networks.
To correctly match up the interfaces, we need to open another window in the base server and run the following command:
virsh dumpxml pfsense | less
This will list all the interfaces with their respective MAC addresses and the bridge each one is attached to. Match the MAC addresses shown on the firewall console to the ones in the dumpxml output. Assign WAN to the interface attached to vlan990 (vmbr990), and so on. You should then assign the vlan60 interface as your LAN and the other(s) as OPTs.
Firewall Console Configuration
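Matching MAC addresses by eye between the console prompt and the dumpxml output is where most mis-assignments happen, so here is an added example (not part of the lab page) that does the lookup in a small POSIX shell script. map_macs reads libvirt domain XML on stdin and prints one "MAC bridge" pair per interface, role_for_bridge applies the lab's assignment (vmbr990 is WAN, vmbr60 is LAN, vmbr70 is OPT1), and assignment_plan combines them into the table you type into the pfSense prompt. The embedded SAMPLE_XML is constructed for the example: it uses the three MACs shown in the lab's console prompt, but which bridge each MAC sits on is an assumption, and it also shows the three interface elements the pfsense.xml step asks you to add. The parser assumes libvirt's single-quoted attribute style, which is what virsh dumpxml emits.

```shell
#!/bin/sh
# Added example: map the MACs virsh dumpxml reports to bridges and pfSense roles.

# Constructed sample of `virsh dumpxml pfsense` output; the MAC-to-bridge
# pairing is assumed for the example.
SAMPLE_XML="<domain type='kvm'>
  <name>pfsense</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:76:2c:88'/>
      <source bridge='vmbr990'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:54:4e:21'/>
      <source bridge='vmbr60'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:f1:06:5a'/>
      <source bridge='vmbr70'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>"

# Read domain XML on stdin, print "MAC bridge" for every bridge interface.
# Splits each line on the single-quote character, so $2 is the attribute value.
map_macs() {
    awk -F"'" '
        /<interface type=/ { mac = ""; br = "" }
        /<mac address=/    { mac = $2 }
        /<source bridge=/  { br = $2 }
        /<\/interface>/    { if (mac != "" && br != "") print mac, br }
    '
}

# Lab assignment of bridge to pfSense role.
role_for_bridge() {
    case "$1" in
        vmbr990) echo WAN ;;
        vmbr60)  echo LAN ;;
        vmbr70)  echo OPT1 ;;
        *)       echo UNKNOWN ;;
    esac
}

# Print the bridge for one MAC, reading domain XML on stdin.
bridge_for_mac() {
    map_macs | awk -v want="$1" '$1 == want { print $2 }'
}

# Print "MAC bridge role" lines, reading domain XML on stdin.
assignment_plan() {
    map_macs | while read -r mac br; do
        echo "$mac $br $(role_for_bridge "$br")"
    done
}

# Real use on the host:  virsh dumpxml pfsense | sh macmap.sh
if [ ! -t 0 ]; then
    assignment_plan
else
    printf '%s\n' "$SAMPLE_XML" | assignment_plan
fi
```

Compare the printed MAC of the WAN line with the vtnetN line on the firewall console, and you have the name to type at the "Enter the WAN interface name" prompt; an UNKNOWN role means the VM has an interface on a bridge the lab does not expect, which is worth fixing in pfsense.xml before going further.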
Once the firewall is configured, you will see a menu like so:
*** Welcome to pfSense 2.3.2-RELEASE (amd64 nanobsd) on pfSense ***

 WAN (wan)       -> vtnet0     -> v4/DHCP4: 188.8.131.52/24
 LAN (lan)       -> vtnet1     -> v4: 192.168.1.1/24
 OPT1 (opt1)     -> vtnet2     ->

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Enable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option:
Note: if at any time you need to escape from an option from this point onward, do ctrl-c followed by ctrl-d to get back to that menu.
This is the console menu for PFSense. Towards the top, the interfaces are listed with the vtnet names matched earlier and their current ip addresses. We need to change these addresses. If done correctly, our network should look like so:
Change the WAN IPv4 address to dhcp, so it is assigned by the internet vm. Change your LAN network IPv4 ip to 172.30.60.1/24 and your OPT1 IPv4 ip to 172.30.70.1/24. Don't add an IPv6 address. ONLY enable the DHCP server on the LAN, NOT on OPT1. Update the web interface urls to their respective ip addresses. All of this is done under option 2 in the menu.
Finally, go into option 3 of the menu and reset the password to its default, which is "pfsense". You'll use this to log in to the web interface.
To check your progress, at this point, attempt to ping fios from the firewall by using #7. If you can't ping the ip you gave to fios, try rebooting both machines. If you still can't ping the ip, try going back and making sure all your ips are configured properly.
But why can't you ping the firewall from fios? If you can go one way you should be able to go back the other way, right?
By default, the firewall drops any inbound packet that no rule explicitly allows, so the ping packets fios sends toward the WAN are dropped. We will fix this later in the web interface.
For this part, you need a computer with a web browser (Chrome or Firefox recommended) and an ethernet port. That computer must not be connected to anything besides the server (including WiFi). Make sure your machine is connected to vlan 60 or 70 with an appropriate IP address. You can change this in the switch if need be. Select a port and give it:
switchport access vlan 60
If this doesn't work, you can always give your machine a static ip address on the 60 network (you can look up how to do this for your operating system) and plug in anyway.
Navigate to the address you gave the firewall in a web browser and log in. The default username is admin and the password is pfsense.
Continue through the install wizard. Make the hostname anything of your choosing and leave the domain alone. Select the correct time zone and continue. Uncheck "block private networks from entering via WAN" and uncheck "block bogon networks". We need to allow this traffic through so that pings can pass back and forth between the vlans and the internet. Set the admin password to that of your system. Continue to the web config.
To make sure that it is configured correctly, take a machine on the 60 or 70 vlan and ping google. Your packets should go through. If they don't, check that the boxes blocking private ips at the firewall were unchecked.
Enable DHCP in web client
We should already have given vlan 60 a dhcp server when we initially configured the firewall from the console. If it isn't enabled, repeat this step for both the 60 and 70 networks.
To enable the dhcp server, navigate to Services -> DHCP Server in the web interface.
Make sure you are doing this for the OPT1 interface (select its tab) and check the "Enable DHCP server" box for it. Make sure the subnet and subnet mask are correct (172.30.70.1, 255.255.255.0) and change the range to hand out addresses from 172.30.70.100 to 172.30.70.200. Save the settings and apply the changes to the server. If you turn on dhcp on your host machine and plug into vlan 70 now, you should get an ip from the firewall.
Try to ping firewall.ext. You will get no response.
This firewall, by default, acts as a DNS resolver. What we want to do is create a hostname we can use to reach the firewall. Enter the settings for the DNS Resolver under the Services tab. Navigate to host overrides and add an override like so:
Now, if you ping firewall.ext, you should get an immediate response, like so:
PING firewall.ext (172.30.60.1) 56(84) bytes of data.
64 bytes from pfSense.localdomain (172.30.60.1): icmp_seq=1 ttl=64 time=0.469 ms
If you get no response, make sure you used a host override and not a domain override and are using the DNS Resolver, not Forwarder.
Now for some testing of the main function of the firewall: the rules. Make sure you can still ping the internet (the google vm) before continuing.
Navigate to Firewall > Rules in the web GUI. Under the Floating tab, create the following rule to block traffic to the internet:
If the rule is finished correctly, you should not be able to ping the internet. If you can still ping the internet, make sure the rule is quick, all interfaces are selected, and all protocols are selected.
Once you are sure you can't ping the internet, disable the rule and apply your work to the firewall. Congrats! You have completed the Firewall Lab! Show your teacher your computer for grading.