Installing and Configuring pfSense

Justin Mangaoang
9 min read · Oct 5, 2023


Firewalls act as the first line of defense in the network. They serve as the boundary between the big bad internet and one’s internal network. Therefore, understanding and configuring firewalls is essential in cybersecurity.

I will be using an open source firewall called pfSense for my lab.

These are the specifications of the pfSense virtual machine that I will use:

1 GB RAM

1 processor

20 GB HD

4 network adapters — NAT, Host-only, VMnet2, VMnet3 and VMnet4

Power on the VM. Select Accept > Install > Auto (ZFS) > Install > Stripe.

Press space to select the only option on the screen.

Select Yes and then reboot once done.

After the reboot, you will be greeted with the following screen.

We will now assign the interfaces. These interfaces will correspond to the VMnet network adapters that we set in VMware.

Choose 1 > N.

Enter em0, em1, em2, em3 and em4 respectively > Y.

We will be routed to the main screen. Afterwards, we will need to set the interface IP addresses for em1, em3 and em4. My home network already uses the 192.168.0.0/16 RFC1918 range, so I decided to use the 172.16.0.0/16 RFC1918 range instead. We will skip em2 since it will serve as our mirror/span port and therefore does not need an IP address assigned to it.

Press 2 to set IP address for the LAN > n > 172.16.1.1 > 24 > press ENTER for none.

Enter N > press ENTER for none > Y > 172.16.1.10 > 172.16.1.254 > N.

Take note of the IP address showing on the next screen. We will use this to access the web GUI later.

Once routed to the main screen, select 2 again and then press 4 to choose the OPT2/em3 interface. We will skip assigning an IP address to the span port which is OPT1/em2.

Select N > 172.16.2.1 > 24 > press ENTER for none.

Select N > press ENTER for none > Y > 172.16.2.10 > 172.16.2.254 > N.

Once routed to the main screen, select 2 again and then press 5 to choose the OPT3/em4 interface.

Select N > 172.16.3.1 > 24 > press ENTER for none.

Select N > press ENTER for none > Y > 172.16.3.10 > 172.16.3.254 > N.

Access the pfSense web GUI (172.16.1.1) using your host computer’s browser. The browser will show a certificate warning when you open the IP address, because pfSense serves the GUI with a self-signed certificate by default. Select Advanced > Accept the Risk and Continue.

Log in with the default credentials (admin / pfsense).

Click next and next.

On the next screen, we will use Google’s DNS (Primary DNS: 8.8.8.8, Secondary DNS: 8.8.4.4) > Next.

Select your preferred timezone > Next.

On the configure WAN interface screen, scroll down and uncheck the last two options and select Next.

We will not change anything on the next screen so just select Next.

Enter your desired admin password > Next.

Select Reload and finish.

We will make a minor change by changing the default theme. Go to System > General Setup > under webConfigurator, change theme to pfSense-dark. Scroll down and click save.

Select Interfaces > Assignments. This will display the current interface assignments, which correspond to the assignments that we set on the command line interface while setting up pfSense.

We will be changing the names of these interfaces to something we can easily remember. However, we will not be renaming WAN.

Click Interfaces from the menu > LAN > change description to SOC.

Click save below and select apply changes.

Click Interfaces from the menu > OPT1 > make sure to put a check on “enable interface” > change description to SPANPORT. Click save below and select apply changes.

Click Interfaces from the menu > OPT2 > change description to VICTIM_NETWORK. Click save below and select apply changes.

Click Interfaces from the menu > OPT3 > change description to KALI. Click save below and select apply changes.

If we go back to Assignments, we can see that all the interfaces have been renamed. The names of these interfaces will also be reflected in the CLI of pfSense.

Now that we have renamed all the interfaces, we will now set up the span port. The span port will mirror the traffic coming from the VICTIM_NETWORK and send it to Security Onion (SOC/em1) for monitoring.

From the same screen (Interface Assignments), click Bridges > add.

Select VICTIM_NETWORK > name it “Mirror port for Security Onion” > click display advanced > go to Span Port and select SPANPORT.

Scroll down and click save.

We are almost done setting up pfSense. We will just add a firewall rule for the KALI interface. Select Firewall > Rules.

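We will not make any changes on WAN, SPANPORT and VICTIM_NETWORK. If there are no explicit rules listed on the firewall rules screen of a particular interface, then all inbound traffic from the internet to that interface is always blocked. pfSense applies the rules on each tab to traffic entering through that interface, and anything that matches no rule is dropped by the default deny.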

This is especially important in the VICTIM_NETWORK interface because we do not want anyone from the internet to access our metasploitable2 VM (our intentionally vulnerable machine).

We will also not make any changes to the SOC interface. As opposed to the default deny rule for the WAN, SPANPORT and VICTIM_NETWORK interfaces, the second and third rules are the default allow rules configured for the LAN (SOC) interface. This means all traffic (inbound and outbound) is permitted.

We will also be creating a default allow rule for the KALI interface. As you can see there are two add buttons on the screen. The first one (arrow pointing up) will put the newly created rule at the top of the table while the other one (arrow pointing down) will put it at the bottom of the table. Since there are no existing rules for this interface, you can choose either button but for the purposes of this write-up I will be using the add button with the arrow pointing up.

Configure the rule as per the screenshots below. Under Protocol, select “Any.” Under Description, type in “Default any/any rule for KALI.”

Click save below and select apply changes.
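To see what this rule set permits, the following added example (not part of the original write-up and not pfSense code) models the per-interface rule tables described above. The host addresses, the flow list and the source of the SOC allow rule are assumptions made for illustration.

```python
import ipaddress

# Simplified model (assumption): rules on an interface tab are checked against
# traffic ENTERING that interface, first match wins, no match means block.
# Replies pass by state; automatic rules (anti-lockout, DHCP) are left out.
NETS = {  # interface subnets from this write-up
    "SOC": ipaddress.ip_network("172.16.1.0/24"),
    "VICTIM_NETWORK": ipaddress.ip_network("172.16.2.0/24"),
    "KALI": ipaddress.ip_network("172.16.3.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")
# (action, source, destination) per interface, in table order.
RULES = {
    "WAN": [],
    "SPANPORT": [],
    "VICTIM_NETWORK": [],
    "SOC": [("pass", NETS["SOC"], ANY)],  # default allow; source assumed SOC net
    "KALI": [("pass", ANY, ANY)],         # "Default any/any rule for KALI"
}

def ingress_interface(src):
    """Interface a new connection from src arrives on (WAN if not a lab subnet)."""
    addr = ipaddress.ip_address(src)
    return next((n for n, net in NETS.items() if addr in net), "WAN")

def decide(src, dst):
    """Return (ingress interface, 'pass' or 'block') for a new connection."""
    iface = ingress_interface(src)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in RULES[iface]:
        if s in src_net and d in dst_net:
            return iface, action
    return iface, "block"  # implicit default deny

# Constructed flows; host addresses are placeholders inside each subnet.
FLOWS = [
    ("wan side -> victim", "203.0.113.5", "172.16.2.10"),
    ("kali -> victim", "172.16.3.10", "172.16.2.10"),
    ("kali -> soc", "172.16.3.10", "172.16.1.3"),
    ("victim -> outside", "172.16.2.10", "8.8.8.8"),
    ("soc -> victim", "172.16.1.3", "172.16.2.10"),
]

def report(flows=FLOWS):
    return {label: decide(src, dst) for label, src, dst in flows}

if __name__ == "__main__":
    for label, verdict in report().items():
        print(f"{label:20} {verdict}")
```

In this model the any/any rule lets KALI reach the SOC subnet and anything behind WAN as well as VICTIM_NETWORK, while hosts on VICTIM_NETWORK cannot open connections of their own. Narrow the KALI rule's destination if the attack box should only reach the victim network.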

We are almost done with the configuration of pfSense. We will be using pfSense’s DHCP server to reserve IP addresses for our other VMs. This will allow us to bind a specific IP address to the corresponding MAC address that our VMs use. By doing this, we can make sure that our VMs will always have the same IP address upon boot up. However, this IP address must be outside of the DHCP scope we set earlier. Take the screenshot below:

The screenshot is from the initial SOC interface setup. The IPv4 client address range we set is from 172.16.1.10 to 172.16.1.254. Aside from the IP address 172.16.1.1 which is already reserved for pfSense, we can use any of the IP addresses from 172.16.1.2 to 172.16.1.9 when assigning it to any machine connected to the SOC network. However, we have already assigned 172.16.1.2 to the Host Only interface so only the IP addresses from 172.16.1.3 to 172.16.1.9 are technically available.

It does not make sense to create the static DHCP mappings now since the other VMs are not yet set up, so we will do the mapping later as we build the other VMs.
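When the time comes to add reservations, a check like the following can confirm that each one falls outside the pool. This is an added example, not part of the original write-up; the scopes come from the values entered above, and the MAC addresses in any call are constructed placeholders.

```python
import ipaddress

# Values taken from this write-up: interface address, prefix length and DHCP
# pool per interface. Keys are the interface descriptions set earlier.
SCOPES = {
    "SOC": ("172.16.1.1", 24, "172.16.1.10", "172.16.1.254"),
    "VICTIM_NETWORK": ("172.16.2.1", 24, "172.16.2.10", "172.16.2.254"),
    "KALI": ("172.16.3.1", 24, "172.16.3.10", "172.16.3.254"),
}
# Addresses already used outside the pool (the Host-only adapter on SOC).
IN_USE = {"SOC": {"172.16.1.2"}}

def free_static_addresses(iface):
    """Usable addresses outside the pool that are not the gateway or in use."""
    gw, prefix, lo, hi = SCOPES[iface]
    net = ipaddress.ip_network(f"{gw}/{prefix}", strict=False)
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    taken = {ipaddress.ip_address(a) for a in IN_USE.get(iface, set())}
    taken.add(ipaddress.ip_address(gw))
    return [str(h) for h in net.hosts() if not lo <= h <= hi and h not in taken]

def check_mappings(iface, mappings):
    """Return a list of problems for proposed (mac, ip) static mappings."""
    free = set(free_static_addresses(iface))
    problems, seen_ip, seen_mac = [], set(), set()
    for mac, ip in mappings:
        mac = mac.lower()
        if ip not in free:
            problems.append(f"{ip}: not a free address outside the {iface} pool")
        if ip in seen_ip:
            problems.append(f"{ip}: assigned to more than one MAC")
        if mac in seen_mac:
            problems.append(f"{mac}: mapped more than once")
        seen_ip.add(ip)
        seen_mac.add(mac)
    return problems

if __name__ == "__main__":
    print(free_static_addresses("SOC"))
    # Constructed MAC addresses, for illustration only.
    print(check_mappings("SOC", [("00:0c:29:aa:bb:01", "172.16.1.5"),
                                 ("00:0c:29:aa:bb:02", "172.16.1.50")]))
```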

Before I forget, make sure to take a snapshot of the pfSense machine. This will serve as our baseline for pfSense. In case we mess things up while experimenting or fiddling around with pfSense, we can just revert to our fresh install snapshot.

Intro: Building a Cybersecurity Home Lab

Next: Installing Security Onion
