Today’s post will be about setting up the DMZ (de-militarized zone). DMZ is a place where some traffic is allowed to pass and the rest is denied. The DMZ is the middle man when it comes to the LAN. To make this work you will need to have three NiC’s.
Configuring the DMZ
- Open the web GUI by using your local IP address. We will navigate to the tab named Interfaces and click on OPT1 or DMZ. If you do not see OPT1 or DMZ you will want to click on assign and then on the OPT1 or DMZ to enter the setup.
- Now enable the port and start filling out the following details.
Enable: Enable Interface
IP Address: 192.168.100.x or 192.168.200.x (shouldn’t be the same as your current subnet)
Block Private Networks: unchecked
Block bogon networks: unchecked
- Then click on Save and Apply Changes
Once completed you will have a DMZ configured. The DMZ allows access from the WAN and LAN interfaces, but it will not send traffic to the LAN. The DMZ is used as a guest network, Edge Exchange server, FTP server, and many more. Adding an access point and a switch to the DMZ interface is recommended.
What is pfSense? pfSense is an open source network firewall/router software distribution which is based on the FreeBSD operating system. pfSense software is used to make dedicated firewall/router for a network and it is considered for its reliability, and offers many features which mostly found in commercial firewalls. pfSense can be included with many third party free software packages for additional functionality.
The popular firewalls in industry today are: Cisco ASA, Watchguard, Juniper, Sonicwall, Netgear, and so many more. We can use the pfSense software free of cost and it doesn’t have any licenses. It has rich web interface which allows you to configure all of our network components. pfSense has diagnostic tools to help with troubleshooting network issues.
This post will guide you through the basic instructions on how to install and configure pfSense version 2.2.2 and a few recommendations.
You can also install this as an edge firmware between ESXi boxes. pfSense recommends that you use this document when setting it up.
ac12veur2 or ac12vus
wle200nx or Access Point
All of the above on Ebay as a combined package!
pfSense 2.2.2 ISO
CPU: AMD 1Ghz+
Storage: 16GB SD card or m-SATA SSD
NICs: 2 Gigabit Ethernet
pfSense 2.2.2 ISO
- Use your favorite internet browser and navigate to pfSense Download. Here you will want to click on the current release which is 2.2.2 Install.
- Which Image do I need? I recommend using a 64-bit AMD processor in the above recommendations and the reason for this is, because pfSense offers only one 64-bit ISO. AMD processors are a lot cheaper than Intel processors at the time of this post.
- Pick the Computer Architecture: AMD64 (64-bit)
Platform: Live CD with Installer or Live CD with Installer (on USB Memstick)
Note* You can always change the ISO into a bootable image by using Microsoft’s Windows 7 USB DVD Download Tool. I have written a post about this here.
- Select the mirror link that is near you. With average speed internet it will take about 2-5 minutes. This will download the ISO file and allow us to move to the next step.
- Place the USB/CD/SSD into the device and boot the device. If everything was done correctly you will see the pfSense loading like any other OS install.
- As the pfSense starts booting, a prompt is displayed with 8 options, and a countdown timer. At this step you will want to pick option 1. If the timer goes out before you choose an option it will automatically choose option 1 for you.
- Next, it will ask you if you need to recover or do an installer. This screen also has a timer and will pick installer for you. So you want to press “I” at this time.
- The next screen talks about the environment of the software. I haven’t needed to change any of this. Hit Enter on “Accept these Settings” for the next step.
- You can use the “Quick/Easy Install”, but if you are like me you like to see how everything works. I will be clicking on “Custom Install”.
- Next, pick the disk. You should only have one, because I do not see any reason to have multiple disk for a firewall.
- The next step talks about formatting the disk selected in the last step. It does this to make sure that you want to delete it. Maybe you have an old config that you didn’t backup. This is the time to hit enter on “Format this Disk”.
- One of my favorite parts of the install. “If you don’t understand what any of this means, just select “Use this Geometry” to continue.
- It asked you to format, but it hasn’t done it yet. It will ask you one more time to make sure it is ok to format this drive. I do think the developers of pfSense have some humor. Hit enter on the “Format ada0”.
- Now it is time to partition the disk. This is step is for people who are making a firmware/router out of an old PC and they want to keep the OS on it. Since we are not doing that we are going to click on “Skip this Step”
- Now it is time for bootblock. What is bootblock? Bootblock is a secure way to encrypt the machine code needed for the pfSense software. Click “Accept and Install Bootblocks”.
- Select a partition to install the pfSense OS. Since we only have one partition we will choose that.
- Once again it will warn us that everything here will be erased. Click “OK”
- The Subpartitions screen will follow. Just pick “Accept and Create”.
- Now after 13 steps it is time to install the pfSense OS.
- Install Kernel screen will come after. I just use the “Standard Kernel”, because it is the standard.
- After the Kernel install it will be time to reboot the system. Choose “Reboot”.
- We are now more than half way done. After the rebooting is finished the interface config will appear.
- The next steps will make or break the install process. As it is reloading it will tell you the default Username and Password.
- Make sure you know the names of the interfaces. This is the time to write it down.
The two interfaces:
em0 and le0 We will make em0 the WAN and le0 the LAN.
- It is now asking “Do you want to set up VLANs now?” We have no VLANs at this time so enter “n” and hit enter.
- Now enter the name of your WAN interface. Stated on step 23 we will be adding em0.
- Now enter the name of your LAN interface. Stated on step 23 we will be adding le0.
- Do you want to proceed? Type “y” and enter.
- After you have configured the WAN and LAN interface it will bring you the pfSense menu. This has 16 options and you can play around with them later.
- Now we have only enabled the WAN and LAN. Now it is time to setup the IP information. Pick option “2” and hit enter.
- Configure IPv4 address WAN interface via DHCP? If you do not know the static IP this should say “Y”, but I know the static IP and for this post we will be using “N”.
- Now we enter the IPv4 address: If you did DHCP you will not see this. I am going to enter a random one in “192.168.50.1” and hit enter.
- What is the subnet for the address you entered? So I am using a 24 bit subnet. Enter your subnet in “24” and hit enter.
- You do the same thing for the LAN. The only change is that it will ask you for IPv6, but you can say “n” if you do not want to deal with this now.
- When you get near the end it will ask you: “Do you want to revert to HTTP as the webConfigurator protocol?” This will change the HTTPS into HTTP. It’s less secure, but leaving it only has HTTPS is fine. Enter “n” and enter.
- You have configured the start of the pfSense software. You will want to write down the information about how you can access the GUI part of the setup.
- Enter in the Username and Password and click on Login.
- You should now see the following page. This is the wizard and it will guide you with a basic configuration setup.
- The General Information screen will ask you the following:
Hostname: pfSense – It will give you a warning because of the capital letter.
Primary DNS Server: 126.96.36.199
Secondary DNS Server: 188.8.131.52
Now click Next
- Choose the timezone and click Next.
- WAN Configure screen. This screen is for more info on the WAN interface. Enter what you need.
- We configured the LAN inside the pfSense software. Verify the information and click Next.
- Do what the next image shows.Click “Reload“
- Now it has reloaded and you can click “Click here to continue on to pfSense webConfigurator.”
- Once clicked on the link it will require you to login again. Login and the first page you see will be the GUI Dashboard.
I will be writing more post about the pfSense router in the coming days. Make sure you follow and like the post if it was helpful.