PfSense FW-7551 Quick Start Guide 7-18-14

Date post: 27-Dec-2015
Upload: dionisionieto

pfSense® FW-7551 with pfSense® Version 2.1.X Basic Installation Guide

Table of Contents

Introduction
Product includes
Key features
Specifications
Plugging everything in
Initial Configuration
Logging into the web interface
Setup Wizard
Hostname
Domain
DNS Servers
Time Zone and Server
WAN Configuration
Configure LAN Interface
Setting the password
Introduction to the web interface
Backing up and restoring
What else can I do?
Console Access by Serial Interface
Null Modem Cable
Serial Terminal Emulation Client
Accessing the Console
Configuring Serial Terminal Emulator
Additional Support
pfSense University

Introduction

Thank you for your purchase of the pfSense FW-7551 with pfSense® 2.1.x. The Lanner hardware platform in combination with the popular open source pfSense software provides a powerful, cost-effective solution for your network security needs. This Quick Start Guide will help you get up and running with a basic configuration on your FW-7551.

Product includes

Figure 1

1 pfSense preloaded with pfSense 2.1

Figure 2

12VDC auto-switching power supply

Null modem cable to connect to the serial console (not pictured)

Ethernet cable to connect to modem and computer (not pictured)

Key features

Intel Dual-core Atom C2000 SoC CPU (codenamed "Rangeley")

Compact desktop design

4 built-in GbE LAN ports

Supports Intel QuickAssist crypto acceleration

Supports up to 8 GB ECC DDR3 Memory

Intel i210AT LAN controller

1 x system cooling fan

Specifications

CPU                    2-core Intel® Atom™ processor C2000 series (Rangeley)
BIOS                   AMI BIOS 16 Mb
Memory Technology      Dual-channel DDR3 1333/1600 MHz (ECC)
Memory Capacity        8 GB
Memory Socket          1 x 240-pin DIMM
IDE storage            1 x CF card Type II
SATA storage           1 x 2.5” HDD/SSD kit (Optional)
Ethernet controller    2 x Intel i210AT, 1 x Marvell 88E1543
Ethernet               4 GbE RJ-45
Fan cooling            1 smart fan
Console                1 x RJ45 Serial
USB 2.0                2 x Type A
Processor cooling      CPU heatsink with fan duct
Operating temperature  0ºC to 40ºC

Plugging everything in

Figure 3 shows the location of the Reset button, power input, power button, serial console, USB, 4 x GbE ports.

Figure 3

If you are replacing an existing firewall on a production network, you will want to go through the initial configuration with the device not plugged into your production network. You can plug a laptop or desktop PC into the LAN port to perform the initial configuration. For new networks, you can start by plugging the LAN into your switch.

Note: The Lanner Ethernet ports are auto MDI/MDI-X, meaning you can use either a straight through or crossover CAT5/6 cable regardless of the type of device you are connecting it to.

To get started, plug the LAN port into the network or system where you will perform the initial configuration, and then plug in the power.

Initial Configuration

After powering on your Lanner, it will boot up and be ready for the initial configuration after approximately two minutes. The initial boot takes longer if your WAN interface is not plugged into something where it can receive a DHCP address, as it must wait for that to time out. Once the system is booted, you should receive a 192.168.1.X IP address on the system(s) plugged into the LAN port from the DHCP server.

Logging into the web interface

Browse to https://192.168.1.1 to access the web interface. In some instances, the browser will respond with a message indicating a problem with an untrusted certificate. This is normal since the pfSense WebGUI uses a self-signed certificate. Figure 4 is a typical example from Google Chrome. If this or a similar message is encountered, it is safe to proceed.

Figure 4

You will be prompted for a username and password. The default username is admin and the default password is pfsense.

Figure 5

Setup Wizard

After logging in, the setup wizard will run. This will walk you through a few steps to get up and running with a basic configuration. At the first screen, click Next. The subsequent screen allows you to configure the hostname, domain and DNS servers to be used.

Figure 6

Hostname

For hostname, choose a name for the host. This does not affect functionality.

Domain

If you have an existing DNS domain in use inside your network (such as a Microsoft Active Directory domain), use that domain here. This is the domain suffix assigned to DHCP clients, which you will want to match your internal network. For networks without any internal DNS domains, you can fill in anything you want here.

DNS Servers

The DNS server fields can be left blank if you have a WAN connection using DHCP, PPTP or PPPoE types of Internet connections and the ISP automatically assigns DNS servers. When using a static IP on WAN, you must enter DNS server IPs here for name resolution to function. You can specify DNS servers here even if your ISP assigns different ones. Either enter the IP addresses provided by your ISP, or consider using a service like OpenDNS (www.opendns.com) whose service will allow you to add content filtering and phishing protection amongst other benefits to your pfSense install. Using Google’s public DNS servers (8.8.8.8, 8.8.4.4) is another popular choice.

Figure 7

Click Next after filling in the appropriate fields.

Time Zone and Server

The next screen allows you to configure the time (NTP) server to be used to synchronize your firewall’s time, and also specify its time zone. The default NTP server points to ntp.org’s NTP server pool. If you have an internal time server, you should specify it here instead. You also want to select a city in your time zone so your log timestamps are in local time (unless you have a policy to timestamp all logs in GMT).

Figure 8

Click Next.

WAN Configuration

This page is where your Internet connection is configured. You will need information from your ISP to configure this screen appropriately. A few notes to assist you:

MAC address – if replacing an existing firewall, you may want to enter the old firewall’s WAN MAC address here, if you can easily tell what that is. This commonly avoids issues involved in switching out firewalls, such as ARP caches, ISPs locking to single MAC addresses, etc. If you can’t enter the MAC of your current firewall here, it probably isn’t a big deal – power cycle your router or modem and your new MAC will usually be able to get online. For some ISPs, you have to call when switching devices, or go through an activation process of some sort.

Static IP configurations – the subnet mask is configured in CIDR format, which is usually provided by the ISP in addition to the 255.x.x.x subnet mask. The following table shows the most common subnet masks and their CIDR equivalent.

Subnet Mask        CIDR
255.255.255.252    30
255.255.255.248    29
255.255.255.240    28
255.255.255.224    27
255.255.255.192    26
255.255.255.128    25
255.255.255.0      24
255.255.254.0      23

Block private networks and bogons – these two options will block private, unassigned, and reserved IP subnets for traffic initiated on your WAN connection (i.e. coming in from the Internet). These IP ranges should never be seen on the Internet, and these should both be enabled on systems that are directly connected to the Internet. If your WAN resides on a private network, you may not want to use these options.

Configure LAN Interface

Here you configure the IP and subnet mask to be used on your LAN. If you don’t ever plan to connect your network to any other network via VPN, the 192.168.1.x default is fine. If you want to be able to connect into your network using VPN from remote locations, you should choose a private IP address range much more obscure than the very common 192.168.1.0/24. Space within the 172.16.0.0/12 RFC1918 private address block seems to be the least frequently used, so choose something between 172.16.x.x and 172.31.x.x for least likelihood of having VPN connectivity difficulties. If your LAN is 192.168.1.x and you are at a wireless hotspot using 192.168.1.x (very common), you won’t be able to communicate across the VPN – 192.168.1.x is the local network, not your network over VPN.

Figure 9
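The LAN addressing advice above can be checked before the value is typed into the wizard. The following is an added example, not part of the original guide: it converts a LAN address and mask to CIDR form and reports whether the range would collide with networks a roaming VPN user is likely to be sitting on. The list of remote networks is a constructed sample and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: address plans often handed out by home routers and
# hotspots. Illustrative only; extend it with the networks your users visit.
COMMON_REMOTE_LANS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "10.1.10.0/24",
]

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lan_network(ip, mask):
    """Network for a LAN address; mask is dotted (255.255.255.0) or CIDR (24)."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def review_lan(ip, mask, remote_lans=COMMON_REMOTE_LANS):
    """Summarise a proposed LAN: CIDR form, RFC 1918 membership, VPN clashes."""
    lan = lan_network(ip, mask)
    # Any overlap means a remote client cannot tell "its" local network
    # apart from the network behind the VPN.
    clashes = [r for r in remote_lans if lan.overlaps(ipaddress.ip_network(r))]
    return {
        "network": str(lan),
        "rfc1918": any(lan.subnet_of(block) for block in RFC1918),
        "conflicts": clashes,
    }


if __name__ == "__main__":
    for ip, mask in [("192.168.1.1", "255.255.255.0"),  # wizard default
                     ("10.0.0.1", "255.0.0.0"),          # overly broad range
                     ("172.21.44.1", 24)]:               # inside 172.16.0.0/12
        print(review_lan(ip, mask))
```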

Setting the password

Enter the admin password for your firewall and again to confirm. You should choose a strong password, with a combination of letters, numbers and symbols. Should you forget your password, you can reset it using a serial console on your FW-7551.

Figure 10

After entering your password and confirming it, click Next. Then click Reload to apply your changes.

Introduction to the web interface

You are now at the front page of the pfSense web interface. This screen provides an overview of your system resource utilization. The menu on the left side of the screen groups the various configuration, status and diagnostics screens. There are also additional themes available to change the layout of the web interface, under System -> General Setup if you prefer a different look and feel.

Note: The default theme does not function on an iPhone, iPad, or iPod Touch, but when browsing from one of these devices it will automatically switch to a different, plainer theme that is functional. Yes, you can configure your FW-7551 from your iOS devices. The default theme does function properly in the Android browser, but is difficult to navigate due to the screen size, so it also will switch to the plainer theme.

The default firewall rules can be viewed under Firewall -> Rules. If you need to forward ports, you will configure them under Firewall -> NAT. More information on port forwarding can be found here: http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

You can view your real time traffic throughput under Status -> Traffic Graph. For many longer term statistics, browse to Status -> RRD Graphs. Logs can be viewed under Diagnostics -> System logs.

Backing up and restoring

At this point your basic two interface LAN and WAN configuration is complete. Before proceeding with additional configuration, you will want to get a backup of your configuration. To do so, browse to Diagnostics -> Backup/Restore in the web interface. Click the Download Configuration button, and a copy of your configuration will be downloaded. You can restore this configuration at the same screen, by choosing your backup file under “Restore configuration”.
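The downloaded backup also makes it possible to confirm the wizard choices offline. The following is an added example, not part of the original guide or of pfSense: it reads a backup and reports whether the WebGUI is set to HTTPS and whether the two WAN block options match the guidance in the WAN Configuration section. It assumes the backup is pfSense's config.xml, with system/webgui/protocol and empty blockpriv and blockbogons elements under interfaces/wan marking enabled options; the sample XML and interface names are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a configuration backup, trimmed to the elements
# this check reads. A real backup holds far more, including secrets.
SAMPLE_BACKUP = """
<pfsense>
  <system>
    <webgui><protocol>https</protocol></webgui>
  </system>
  <interfaces>
    <wan><if>igb0</if><ipaddr>dhcp</ipaddr><blockpriv/><blockbogons/></wan>
    <lan><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
</pfsense>
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WAN_OPTIONS = (("blockpriv", "Block private networks"),
               ("blockbogons", "Block bogon networks"))


def audit_backup(xml_text):
    """Return a list of findings; an empty list means nothing to review."""
    root = ET.fromstring(xml_text)
    findings = []

    proto = root.findtext("system/webgui/protocol", default="")
    if proto != "https":
        findings.append(f"WebGUI protocol is {proto or 'unset'}, expected https")

    wan = root.find("interfaces/wan")
    if wan is None:
        return findings + ["no WAN interface found in backup"]

    ipaddr = wan.findtext("ipaddr", default="")
    try:
        addr = ipaddress.ip_address(ipaddr)
        wan_private = any(addr in net for net in RFC1918)
    except ValueError:
        wan_private = None  # dhcp, pppoe, ...: address is not in the file

    for tag, label in WAN_OPTIONS:
        enabled = wan.find(tag) is not None  # assumption: presence = enabled
        if not enabled and wan_private is not True:
            findings.append(f"WAN: {label} is off")
        elif enabled and wan_private is True:
            findings.append(
                f"WAN: {label} is on but WAN address {ipaddr} is private")
    return findings


if __name__ == "__main__":
    for line in audit_backup(SAMPLE_BACKUP) or ["no findings"]:
        print(line)
```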

What else can I do?

The pfSense software provides a wide array of functionality beyond the simple configuration documented here. See the Additional Documentation section to find information on this functionality and more. A few of the most commonly used possibilities follow.

IPv6 – support for native IPv6 connectivity on the LAN and several variations of IPv6 connectivity on the WAN is available.

Captive portal – allows you to present a splash page to all users upon connecting to your network, optionally with authentication. This is commonly used with wireless hot spots, or as an additional layer of protection for wireless networks with authentication against a local user database, or external RADIUS server such as Microsoft Active Directory.

VPN – three types of VPNs are supported, IPsec, OpenVPN and PPTP. You can use these options to connect roaming users for remote access, or site to site connectivity to connect multiple locations.

Multi-WAN – multiple Internet connections with failover and load balancing are supported. In combination with a VLAN capable switch, you can connect numerous Internet connections over a single physical interface on the firewall.

Dynamic DNS – if your public IP is dynamic, you may want to sign up with a dynamic DNS provider (many options are free) and use the Dynamic DNS client to keep your hostname updated. This is especially helpful if you want to access services like VPN remotely.

Wireless – Your FW-7551 can be used in Ad-hoc networks or use your neighbor’s wireless as a second WAN (with permission, of course), amongst many other possible deployments.

Console Access by Serial Interface

There are times you may want to access the console through the FW-7551 serial interface. Perhaps you have accidentally locked yourself out of the GUI console or you may want to assign a new password. To do so, a null modem cable and a serial terminal emulation program are required.

Null Modem Cable

A null modem cable is a 9 pin D-Shell connector serial cable where the transmit pin on one end is connected to the receive pin on the other. You can make your own or purchase them inexpensively. A null modem cable pinout is represented in Figure 11. USB to serial adapters can be used on systems that don’t have a standard 9-pin DB-9 serial port.

Figure 11

Serial Terminal Emulation Client

A serial terminal emulation program is required to access the FW-7551 console through the serial interface. Microsoft Windows no longer includes HyperTerminal in Versions 7 and up. PuTTY is free and can be downloaded from:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Accessing the Console

Connect one end of the null modem cable to the serial port on the FW-7551 and the other to a serial port on the computer with a terminal emulation program installed. USB to serial adapters should work for systems that don’t have a standard 9 pin serial port.

Configuring Serial Terminal Emulator

PuTTY must be configured to communicate with the FW-7551. In order to do so, you must first know what COM Port your computer has assigned to your serial port. Even if you assigned your serial port to COM1 in the BIOS, Windows may remap it to a different COM Port. To determine this, you must open Windows Device Manager and view the COM port assignment.

Figure 12

Open PuTTY and locate the Session display as shown in Figure 13. Set the COM Port to that which is displayed in Windows Device Manager and the Speed to 115200.

Figure 13

Match the COM Port with what was reported in Windows Device Manager. We will use COM3 for this example. The FW-7551 serial port speed is 115200 bits per second. The speed of the BIOS and the speed of the console must match, so change the speed in PuTTY to 115200 bps.

Figure 14

Select Serial as shown in Figure 14 and configure the COM Port and Serial Speed as displayed. Select Open, press the Enter key, and the following will be displayed.

Figure 15

Additional Support

Newly-purchased eligible firewall products come with one year of support provided by Electric Sheep Fencing, the company behind the pfSense project. If eligible for support, you will have received a ‘Welcome to Support’ booklet with a coupon code that entitles you to a 100% discount on the first year of support. You may also purchase a 2nd year of support through the portal. The support provided by Electric Sheep Fencing covers any questions or problems you may experience with pfSense or the hardware appliance purchased from Netgate.

Configuration Review and Configuration Assistance

Support does not cover more complex tasks such as CARP configuration for redundancy on multiple firewalls or circuits, network design, and conversion from other firewalls to pfSense. These items are offered as professional services and can be purchased and scheduled accordingly.

Please see https://www.pfsense.org/our-services/professional-services.html for more details.

pfSense University

pfSense University offers courses for increasing your knowledge of pfSense products and services. Whether you need to maintain or improve the security skills of your staff or offer highly specialized support and improve your customer satisfaction; pfSense University has got you covered. Check us out at https://www.pfsense.org/university/

Other Support Options

https://www.pfsense.org/get-support/#community-support

Additional Documentation

This guide illustrates the basics for getting up and running with your FW-7551. There is much more that can be accomplished with pfSense software. The best source of information is the book pfSense 2.1: The Definitive Guide available to Gold pfSense subscribers at https://portal.pfsense.org

There is also community documentation freely available on the pfSense site at https://doc.pfsense.org
