These are my pfSense notes. They are not comprehensive, because tutorials have been done for this by better people; I am just going to answer the things that stump me.

Setup

Hardware

  • Lenovo Low profile PC with i3 (Gen4/Quad Core) and a single 1000MB onboard NIC, 8GB RAM, 120GB Kingston SSD
  • Intel 4 port 1000MB low profile Network Card
  • OpenReach PPPoE DSL/VDSL modem

Installation

I saw that the installer noticed the virtualization technologies were disabled. I don't think it needs them, but it does no harm to turn them on.

  • Partitioning

    • Choose Auto (ZFS) : Guided Root-on-ZFS
  • ZFS Configuration - Configure Options
    • Partition Scheme: GPT (BIOS+UEFI)
    • This creates an EFISYS partition on GPT hard disk (on my UEFI)
    • I had to turn on legacy booting (CSM) in my PC's BIOS to get this to work. Probably because the PC is old.
  • Pool Type/Disks
    • 1 disk striped (No Redundancy) as I can easily swap the SSD and restore config quickly.
    • Companies should always run a mirror as they cannot afford any downtime. If you can't, then use 2 SSDs and mirror them.
    • ZFS Partitioning | pfSense Documentation
  • When you start the installation
  • Complete
    • Click Reboot
    • Shell is for advanced users
  • pfSense will now load to the console (WebConfigurator)


At the Console (WebConfigurator)

  • Assign Interfaces
    • No VLANs
    • WAN, Autodetect, Plug the WAN (PPPoE modem) cable into the onboard network socket, Press enter
    • LAN, Autodetect, Plug the LAN cable into the top socket (port 0) on the intel low profile NIC, press enter
    • Add no more
    • Accept settings
  • Set Interface(s) IP address
    • Set LAN
    • IPv4 = 10.0.0.1
    • Subnet: 24 (255.255.255.0)
    • No LAN IPv6 (enable at a later date)
    • Enable DHCP on LAN
    • Client address range = 10.0.0.100 --> 10.0.0.199
    • Do you want to revert to HTTP as the webConfigurator protocol?
      • Currently the web-server is using HTTPS and this is asking if you want to downgrade to HTTP
      • Select No

Setup Wizard via GUI (WebGUI)

  • If the password does not work just after you set it using the setup wizard (common issue) then the solution is easy.
  • Log in to the pfSense GUI
  • Follow the pfSense Setup Wizard
    • Step 1 - Netgate® Global Support is available 24/7
      • Just click next.
    • Step 2 - General Information
      • Hostname: pfsense
      • Domain: mydomain.com
        gives: pfsense.mydomain.com
      • Primary DNS Server: 9.9.9.9
      • Secondary DNS Server: n/a
      • Override DNS: leave ticked
    • Step 3 - Time Server Information
      • Time server hostname: 2.pfsense.pool.ntp.org (default)
      • Timezone: GB (or what ever you require)
    • Step 4 – Configure WAN Interface
      • Fill in details as required
      • DNS Server Override: Unticked
      • Block RFC1918 Private Networks: leave ticked
      • Block bogon networks: leave ticked
    • Step 5 – Configure LAN interface
      • LAN IP Address: 10.0.0.1
      • Subnet Mask: 24
    • Step 6 – Set Admin WebGUI Password
      • Make sure you use a complex one as shortly your router will be online
    • Step 7 – Reload configuration
      • Click ‘Reload’
    • Step 8 - Reload in progress
      • Just wait
    • Step 9 – Wizard Complete
      • Check for updates (optional)
      • Click Finish

Advanced/Further settings via GUI (WebGUI)

  • Hostname and Domain
    • System --> General Setup --> Hostname: pfsense (already done in wizard)
    • System --> General Setup --> Domain: mydomain.com (already done in wizard)
  • Custom WAN DNS Servers (Secure)
    • System --> General Setup --> DNS Servers: (DNS Server: 9.9.9.9 / DNS Hostname: dns.quad9.net) (Primary DNS) (partly already done in wizard)
    • System --> General Setup --> DNS Servers: (DNS Server: 149.112.112.112 / DNS Hostname: dns.quad9.net) (Secondary DNS) (optional)
    • System --> General Setup --> DNS Server Settings --> DNS Server Override: unticked (already done in wizard??)
    • Services --> DNS Resolver --> General Settings --> DNSSEC: unticked
      • Quad9 does all of this upstream so we don't need to.
    • Services --> DNS Resolver --> General Settings --> DNS Query Forwarding --> Enable Forwarding Mode: ticked
      • DNS Resolver uses unbound and the old way of doing things was with DNS Forwarder powered by dnsmasq which could only forward DNS requests.
      • Controls whether unbound uses resolver mode (unchecked) or forwarding mode (checked). See DNS Resolver Mode for an explanation of the modes.
    • Services --> DNS Resolver --> General Settings --> DNS Query Forwarding --> Use SSL/TLS for outgoing DNS Queries to Forwarding Servers: ticked
    • Turn off DNSSEC as it is not required because Quad9 does all of this
    • Quad9 Recommended Settings - Recommended: Malware Blocking, DNSSEC Validation (this is the most typical configuration)
    • Configuring Quad9 on pfSense - Linux Included
    • I need to put DNS Resolver into forwarder mode to utilise Quad9 blocking capabilities.
    • Configuring DNS over TLS | pfSense Documentation
    • DNS Over TLS On pfSense 2.4.5 | Lawrence Systems
      • Covers a little on PF Blocker
      • Mentions DoH and related issues with blocking it.
  • Custom LAN DNS Servers
    • Services --> DHCP Server --> LAN --> Servers --> DNS Servers: 10.0.0.1
      • This makes sure the DNS servers given out over DHCP are not those configured in General Setup but the one(s) we specify.
  • Disable IPv6
    • System --> Advanced --> Networking --> Allow IPv6: unticked
    • System --> Advanced --> Networking --> Prefer IPv4 over IPv6: ticked
    • Interfaces --> WAN (pppoe0) --> General Configuration --> IPv6 Configuration Type: None
    • Interfaces --> LAN (igb0) --> General Configuration --> IPv6 Configuration Type: None (already done in wizard)
    • This is done because I want to make sure I control all of my traffic and I don't fully understand IPv6.
  • Set DHCP Pool
    • Services --> DHCP Server --> LAN --> General Options --> Range: 10.0.0.100 – 10.0.0.199 (already done in wizard)
    • It did not seem to get setup correctly in the GUI, however pfSense was respecting this range. So perhaps a small GUI bug fixed by just re-saving the range here.
  • Automatic Hostnames
    • Services --> DNS Resolver --> General Settings --> DHCP Registration: Ticked
      • Note that this will cause the Resolver to reload and flush its resolution cache whenever a DHCP lease is issued.
    • Services --> DNS Resolver --> General Settings --> Static DHCP: ticked
  • Manual Hostnames
  • pfBlocker-NG
    • Install
      • System --> Package Manager --> Available Packages --> Search: pfBlockerNG 3  (3.1.0_4 at time of writing) --> Install
    • Wizard (can be re-run)
      • Firewall --> pfBlockerNG
      • Step 1 (pfBlockerNG Components)
        • Click next
      • Step 2 (pfBlockerNG IP Component Configuration)
        • Select Inbound Firewall Interface: WAN
        • Select Outbound Firewall Interface: LAN
      • Step 3 (pfBlockerNG DNSBL Component Configuration)
        • VIP Address: 10.10.10.1
        • Port: 8081
        • SSL Port: 8443
        • IPv6 DNSBL: unticked (Lawrence does not mention this so leave as is)
        • DNSBL Whitelist: ticked
      • Step 4 (pfBlockerNG Finalize)
        • Click Finish
        • pfBlockerNG has been successfully configured and updated. This installation will now block IPs based on some recommended Feed source providers. It will also block most ADverts based on Feed sources including EasyList/EasyPrivacy. Some additional Feed source providers include some malicious domain blocking.
    • Advanced Setup from Lawrence Systems
    • Force reload of settings
      • Firewall --> pfBlockerNG --> Update -->  Select 'Force' option: Reload
      • Firewall --> pfBlockerNG --> Update -->  Select 'Reload' option: All
      • Click 'Run' for the changes to apply
      • When the updates are downloaded for the lists, this makes sure they are applied (otherwise a bit pointless)
      • This is a one time manual update
    • Firewall Rule handling
      • Firewall --> pfBlockerNG --> IP --> IP Interface/Rules Configuration --> Floating Rules: ticked
        • Apply rules not specific to any interface
        • All rules appear in one place
        • Appear in the Floating tab instead of separate WAN/LAN/LAN2 tabs
          • Firewall --> Rules
        • Firewall --> pfBlockerNG --> IP --> IP Interface/Rules Configuration --> Kill States: ticked
          • If an IP appears in a blocklist which you have live connections to, drop them
      • Force reload of settings for the floating rules to appear in floating tab instead of WAN and LAN tabs in the firewall rules
        • Firewall --> Rules
    • MaxMind GeoIP Initial Setup
      • Firewall --> pfBlockerNG --> IP --> MaxMind GeoIP configuration
      • Register and get a license key
        • GeoLite2 Sign Up | MaxMind
        • Account --> Manage License Keys --> Generate new license key
          • License key description: pfSense
          • Old versions of our GeoIP Update program use a different license key format. Will this key be used for GeoIP Update?: Yes
          • Select "Generate a license key and config file for use with geoipupdate version 3.1.1 or newer."
          • Click Confirm
          • Store the Key somewhere safe
      • Enter the settings
        • MaxMind License Key: xxxxx
        • MaxMind Localized Language: Your language
        • Check to disable MaxMind CSV updates: unticked
        • Click 'Save IP Settings'
      • All settings usually require a reload to apply them, so do this now.
      • Blocking outbound and Inbound are different
      • pfBlockerNG MaxMind Registration required to continue to use the GeoIP functionality! | Lawrence Systems
    • Maxmind GeoIP Configuration
      • GeoIP
        • Firewall --> pfBlockerNG --> IP --> GeoIP
        • By default all lists are disabled. You need to edit each list as required and then save
        • Action: Deny Inbound (stops spammers coming in)
      • Apply Block Rules to Inbound and Outbound IPv4 traffic
        • Firewall --> pfBlockerNG --> IP --> IPv4 --> [PRI1] --> Action: Deny Both
        • Do for each group
      • View/Delete Block Lists
        • They are in different locations for the different type of list
        • Firewall --> pfBlockerNG --> IP --> IPv4 --> [PRI1] --> Edit
        • Firewall --> pfBlockerNG --> DNSBL --> DNSBL Groups [Name] --> Trash Can
      • Add a Block List Feed (IPv4/IPv6/DNSBL)
        • Firewall --> pfBlockerNG --> Feeds
        • Click on a desired list
        • Changes the state to ON
        • Save Settings
        • (Optional) Firewall --> pfBlockerNG --> IP --> IPv4
          • Enable the relevant group and click save
          • Might already be on
          • NB: The added list will be assigned to its relevant group
        • A file poll is required because we need to fetch the newly specified file
          • Firewall --> pfBlockerNG --> Update --> Select 'Force' option: Reload
          • Click 'Run' for the changes to apply
  • DNS Hijacking
    Clients can make their own direct connections to external DNS servers, so block them on TCP/UDP ports 53 and 853 to ensure the clients only query the pfSense DNS Resolver. We also have to block DNS requests sent over HTTPS (DoH), which is harder to do.
    • DNS/DoT
      • Blocking External Client DNS Queries | pfSense Documentation
        • Block DNS Queries (Port 53)
          • Do not add the pass rule
          • Do for both IPv4 and IPv6
          • Name: Deny DNS
        • Allow Local DNS Queries (Port 53)
          • Do for both IPv4 and IPv6
          • Name: Allow Local DNS
        • Block DNS Over TLS (Port 853)
          • Do for both IPv4 and IPv6
          • Name: Deny DoT
          • Do not add the pass rule.
    • Redirecting Client DNS Requests | pfSense Documentation
      • Instead of dropping all of the DNS requests we can re-route them through our secure DNS chain.
      • This has the benefit that you can see all of the requests.
      • Redirecting DoT (853) requests would have issues with the certificates not matching up. So this only worked for standard DNS (port 53)
      • You need one rule for Ipv4 (127.0.0.1) and one for IPv6 (::1)
      • This option might be better for some IoT devices by not hard blocking DNS requests but just sending to my router. IoT might not resend a DNS request, however do you want these sorts of devices sending dodgy DNS requests.
      • This will grab all traffic on port 53/853.
    • DoH Blocking
      • Firewall --> pfBlockerNG --> DNSBL --> DNSBL SafeSearch --> DNS over HTTPS/TLS Blocking --> DoH/DoT Blocking: Enable
        • Select all domains
      • Canary Domain (FireFox Only)
        • This is not needed if using pfBlockerNG
        • Add as per the document above
          Services --> DNS Resolver --> General Settings --> Custom options
          server:
          local-zone: "use-application-dns.net" always_nxdomain
        • This canary domain is in pfBlockerNG
      • Chrome does not have a canary domain as it works on a different model
      • Add a Custom DoH DNSBL Block List into pfBlockerNG
        • Firewall --> pfBlockerNG --> DNSBL --> Add
        • Info 
          • Name: DoH_Block
          • Description: Custom DoH Block List
        • DNSBL Source Definitions
        • Settings
          • Action: Unbound
          • Update Frequency: Once a day
          • Weekly (day of Week): Monday
          • Auto-Sort Header field: Enable auto-sort
          • Group Order: Default
          • Logging / Blocking Mode: DNSBL WebServer/VIP
          • TOP1M Whitelist: unticked
        • Advanced Tuneables
          • Leave as is
        • DNSBL Custom_List
          • Leave as is
        • Move to the top of the list and save
          • Firewall --> pfBlockerNG --> DNSBL --> DNSBL Groups
  • Enable Auto Config Backup (Free service)
    • Auto Configuration Backup automatically encrypts configuration backup content using the Encryption Password below and then securely uploads the encrypted backup over HTTPS to Netgate servers.
    • Get your 'Device key' and store it somewhere safe
      • Services --> Auto Configuration Backup --> Backup Now --> Device key
    • Services --> Auto Configuration Backup --> Settings
      • Enable automatic configuration backups: ticked
      • Backup Frequency: Automatically backup on every configuration change
      • Encryption Password: Make this very complex and then back it up somewhere safe
      • Hint/Identifier: Something human readable and unique
      • Manual backups to keep: 20
    • Run a backup now
      • Services --> Auto Configuration Backup --> Backup Now --> Backup
    • [pfSense] Making automatic backups with AutoConfigBackup – Provya
    • This stores the last 100 configs at Netgate, hashed by your encryption key
    • This only backs up the basic configurations, not the extended information of pfSense.
  • Enable SSH
    • System --> Advanced --> Admin Access --> Secure Shell --> Enable Secure Shell: Ticked
    • Username: root
    • Password: same as your admin password
    • Protocol: SFTP over SSH
    • Granting Users Access to SSH | pfSense Documentation
    • It should be noted that this will not be available on the WAN unless you set up firewall rules (I am guessing)
  • pfSense Dark Theme
    • System --> General Setup --> WebConfigurator --> Theme: pfsense-dark
  • Port Forwarding
  • Allow Ping (optional, but useful)
  • Allow IGMP (optional)
  • NAT Reflection (Globally)
  • Manual Config Backup
    • Diagnostics --> Backup & Restore --> Backup & Restore
      • Backup area: All
      • Skip packages: unticked
      • Skip RRD data: ticked
      • Include extra data: unticked (no good for long term config backups)
      • Backup SSH keys: ticked
      • Encryption: optional
    • Click on 'Download configuration as XML'
    • Save the file somewhere safe
    • Backup and Recovery — Making Backups in the GUI | pfSense Documentation
    • You can back up all required aspects of pfSense with this feature
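The backup above is also a convenient way to check that the DNS, DHCP and SSH settings chosen in these notes are still in place. This is an added example, not pfSense's own tooling: it audits a constructed config.xml-style backup (element names are assumed from the pfSense config layout, trimmed to what is checked) against the values used on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml backup. Element
# names are an assumption about the pfSense config layout, not copied from
# a real backup. The <dnssec> element is left in on purpose to show drift.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>pfsense</hostname>
    <domain>mydomain.com</domain>
    <dnsserver>9.9.9.9</dnsserver>
    <dnsserver>149.112.112.112</dnsserver>
    <ssh><enable>enabled</enable></ssh>
  </system>
  <unbound>
    <enable></enable>
    <forwarding></forwarding>
    <forward_tls_upstream></forward_tls_upstream>
    <dnssec></dnssec>
    <regdhcp></regdhcp>
  </unbound>
  <dhcpd>
    <lan>
      <enable></enable>
      <range><from>10.0.0.100</from><to>10.0.0.199</to></range>
      <dnsserver>10.0.0.1</dnsserver>
    </lan>
  </dhcpd>
</pfsense>
"""

QUAD9 = {"9.9.9.9", "149.112.112.112"}


def present(node, tag):
    """pfSense stores many tick boxes as an empty element that exists when ticked."""
    return node is not None and node.find(tag) is not None


def audit(xml_text):
    """Compare a backup with the settings from these notes.
    Returns {check name: (ok, detail)}."""
    root = ET.fromstring(xml_text)
    system = root.find("system")
    unbound = root.find("unbound")
    lan = root.find("dhcpd/lan")
    wan_dns = [e.text for e in system.findall("dnsserver")] if system is not None else []
    lan_dns = [e.text for e in lan.findall("dnsserver")] if lan is not None else []
    rng = lan.find("range") if lan is not None else None
    pool = (rng.findtext("from"), rng.findtext("to")) if rng is not None else None
    return {
        "wan_dns_is_quad9": (bool(wan_dns) and set(wan_dns) <= QUAD9, wan_dns),
        "resolver_forwarding_mode": (present(unbound, "forwarding"), "DNS Query Forwarding ticked"),
        "resolver_dot_upstream": (present(unbound, "forward_tls_upstream"), "Use SSL/TLS for outgoing queries"),
        "resolver_dnssec_off": (not present(unbound, "dnssec"), "DNSSEC left to Quad9 upstream"),
        "dhcp_hands_out_pfsense_dns": (lan_dns == ["10.0.0.1"], lan_dns),
        "dhcp_pool": (pool == ("10.0.0.100", "10.0.0.199"), pool),
        "ssh_enabled": (system is not None and system.findtext("ssh/enable") == "enabled", "Secure Shell"),
    }


def failures(xml_text):
    """Names of the checks that do not match the notes, sorted."""
    return sorted(name for name, (ok, _) in audit(xml_text).items() if not ok)


if __name__ == "__main__":
    for name, (ok, detail) in audit(SAMPLE_CONFIG).items():
        print(f"{'OK ' if ok else 'BAD'} {name}: {detail}")
```

Run it against a real exported XML by passing the file contents to `failures()`; an empty list means the backup matches the settings on this page.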
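To confirm that the DNS hijacking rules from the section above actually catch a LAN client that talks to an outside resolver directly, a small probe run from a LAN machine helps. This is an added example and not part of the notes or of pfSense: it builds a raw DNS query, sends it to 9.9.9.9 on port 53, and classifies the result using the DNSBL VIP (10.10.10.1) from the pfBlockerNG wizard. It assumes you probe a hostname that is on one of your DNSBL feeds (the placeholder name below must be replaced).

```python
import socket
import struct

# Values from the notes, plus a placeholder name that must be on a DNSBL feed.
EXTERNAL_DNS = "9.9.9.9"
DNSBL_VIP = "10.10.10.1"
BLOCKED_NAME = "replace-with-a-dnsbl-listed-hostname.invalid"  # placeholder


def build_query(name, txid=0x1234):
    """Minimal DNS A query in wire format with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just after a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data):
    """Return (rcode, [IPv4 addresses]) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4    # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def classify(addrs, timed_out):
    """Map what the client saw to the behaviours the notes describe."""
    if timed_out:
        return "blocked"       # 'Deny DNS' rule dropped the query
    if DNSBL_VIP in addrs:
        return "redirected"    # answered by pfSense's resolver, so the redirect rule works
    return "leaked"            # the external resolver answered: no block, no redirect


def probe(name=BLOCKED_NAME, server=EXTERNAL_DNS, timeout=3.0):
    """Ask an outside resolver directly, as a misbehaving client would, and classify."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return classify([], True)
    finally:
        sock.close()
    _, addrs = parse_a_records(data)
    return classify(addrs, False)


if __name__ == "__main__":
    print(probe())
```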

To Sort

  • https://docs.netgate.com/pfsense/en/latest/recipes/index.html - a very useful page
  • port forwarding / Firewall rules / add rules from openwrt
  • TCP Dump
  • OpenVPN / vpn
  • VMware Tools?
  • VLANs
  • Disable IPv6 or NAT or block etc..
    • Block IPv6 because I don't understand it and I want to control all traffic. IPv6 NAT + add these to OpenWRT notes
  • Statistics / Reporting
  • Syslog (add notes to OpenWRT that this is a good thing)
  • NAT Loopback / NAT Reflection – update my OpenWRT notes
    • Network Loopback (prevent RFC error  so external traffic is)
    • NAT Reflection (preferred) / Hostfile entry --> both will re-direct external traffic locally (host option will have issues with IP address etc.. + add to OpenWRT doc if not already + add term NAT Reflection to OpenWRT notes as correct
    • https://quantumwarp.com/kb/articles/34-web-server/963-cwp-full-setup-in-virtualbox-on-windows-behind-a-nat
    • Eg OpenWRT --> Network --> Firewall --> Port Forwards --> CWP (All Ports / LAN Only) --> Advanced Settings --> NAT Loopback (if the DNS resolution points to the public IP then forward to 10.0.41)
    • I think if a hostname is set in hostnames local routing happens
      OpenWRT --> Network --> Hostnames --> add (if in the list, resolve to the IP in this list)
    • Look at OpenWRT --> Network --> DHCP and DNS -->
      • Local server (Names matching this domain are never forwarded and are resolved from DHCP or hosts files only)
      • Local domain (Local domain suffix appended to DHCP names and hosts file entries)
    • In PC BIOS: make sure power on after power off.
    • DHCP Scope / Address assignment
    • Set 10.0.0. – lats?
    • Block external ping + OpenWRT notes
    • Firewall rules from openwrt
    • Password – do last
    • #document notes – one page for specific product brief + long (* only for single page/products)
    • Don’t have any network cables plugged in
    • Set some shit from console – separate section
    • Have I got some pictures from a VM for pfsense
    • DNS hijacking, firewall zones, OpenWRT rules, RFC NAT loopback, ad blocking. pfSense has no firewall rules
  • do your own certificate authority
