This is a follow-up to the part 1 pfSense article that I wrote a while back. In this article I will focus on packages that can be installed on pfSense, as well as on configuring Snort, an IDS/IPS that integrates well with the pfSense firewall.

In order to see which packages are available for installation, start by heading over to System–>Packages.

packages-1

On the package manager window head over to the “Available Packages” tab. In here you will have a list of system packages that you can download and install for pfSense.

packages-2

The first package that I recommend getting is a system enhancement and it is called “widescreen”. If you have a widescreen monitor and are using a resolution that has an aspect ratio of 16:9 or 16:10 then this is a must. This package will give you a better experience while navigating pfSense.

widescreen-1

The next package that you should grab is called “arpwatch”. This package monitors ARP requests on your local area network and keeps a list of MAC address to IP address pairings. This is useful if you want to see which hosts are connected to your LAN. It is also a great tool for spotting intruders on your network.

arpwatch-1

Configuring arpwatch takes a matter of seconds: once you have installed the package, head over to Services–>arpwatch and select your LAN interface as the listening interface, since we want to monitor the ARP packets being sent on the local area network.

arpwatch-2

Once you have configured arpwatch, it will take a couple of minutes for it to populate its entry table. You can view the entry table by clicking on the reports tab.

arpwatch-3

From the screenshot above you can see that we have an IP address to MAC address mapping, and it also gives you the hostname of each computer on your local area network. You can tell that I am using addresses from the 192.168.x.x class C private network and that I removed the last 6 hex digits of the MAC addresses since those are unique to my devices.
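As an added example (not code from this article or from the arpwatch package), here is a small Python script that does what arpwatch does with its pairing table: it keeps an IP-to-MAC table from observed ARP traffic and reports the same kinds of events arpwatch reports, a new station, a changed MAC address for a known IP, and a flip-flop back to an earlier MAC. The ARP observations, IP addresses and MAC addresses are constructed sample data.

```python
"""Added example (not the article's or arpwatch's own code): a minimal
arpwatch-style tracker. It keeps an IP-to-MAC table from observed ARP
traffic and reports the same kinds of events arpwatch reports: "new station",
"changed ethernet address" and "flip flop". All observations below are
constructed sample data."""


class ArpTracker:
    """Tracks which MAC address last answered for each IP address."""

    def __init__(self):
        self.table = {}      # ip -> MAC currently associated with it
        self.previous = {}   # ip -> MAC it had before the last change

    def observe(self, ip, mac):
        """Record one ARP observation; return an event string or None."""
        mac = mac.lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return f"new station {ip} {mac}"
        if known == mac:
            return None                     # same pairing as before, nothing to report
        # The IP is now claimed by a different MAC. If it is the MAC we saw
        # before the last change, arpwatch calls this a "flip flop".
        if self.previous.get(ip) == mac:
            event = f"flip flop {ip} {mac} (was {known})"
        else:
            event = f"changed ethernet address {ip} {mac} (was {known})"
        self.previous[ip] = known
        self.table[ip] = mac
        return event


# Constructed observations: (timestamp, sender IP, sender MAC) from ARP replies
# on the LAN. 192.168.1.1 plays the gateway.
SAMPLE_ARP = [
    (1, "192.168.1.1", "00:11:22:33:44:55"),
    (2, "192.168.1.10", "aa:bb:cc:dd:ee:01"),
    (3, "192.168.1.11", "aa:bb:cc:dd:ee:02"),
    (4, "192.168.1.10", "AA:BB:CC:DD:EE:01"),  # same pairing, different case
    (5, "192.168.1.1", "de:ad:be:ef:00:01"),   # someone else answers for the gateway IP
    (6, "192.168.1.1", "00:11:22:33:44:55"),   # the real gateway answers again
    (7, "192.168.1.50", "aa:bb:cc:dd:ee:99"),  # a device not seen before
]


def run(observations):
    """Feed observations through a tracker; return (tracker, [(ts, event), ...])."""
    tracker = ArpTracker()
    events = []
    for ts, ip, mac in observations:
        event = tracker.observe(ip, mac)
        if event:
            events.append((ts, event))
    return tracker, events


if __name__ == "__main__":
    _, events = run(SAMPLE_ARP)
    for ts, event in events:
        print(f"t={ts}: {event}")
```

The gateway entry changing its MAC and then flipping back is the kind of entry worth a closer look in the reports tab: a second station answering for your gateway's IP address is what ARP spoofing looks like from the firewall's side, and it is also what you would see from a misconfigured duplicate address.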

Moving onto other packages, I also recommend getting “bandwidthd”. This is a very useful tool that allows you to view the traffic usage of the clients in your local network. You will be able to tell which clients have consumed the most bandwidth over a certain period of time, all formatted into one nice chart.

bandwidthd-1

Once you have the package installed, you can view the settings by going over to Services–>BandwidthD. Here you want to enable bandwidthd and select the interface that it will bind to. If you are monitoring the usage of clients on your local area network then you should select the LAN interface. The other thing to specify here is the subnet that you want to report on. This is normally the private IP range(s) that you are using on your LAN; in my case I am using the 192.168.x.x class C private network for my internal addressing.

bandwidthd-2

Once it is configured and up and running, you can view the reports from bandwidthD by clicking on the “access bandwidthD” tab. A daily traffic report will look like the following:

bandwidthd-3

Here you can see which IP addresses have consumed the most bandwidth and what type of traffic it was. This is useful for finding bandwidth hogs on your LAN so that you can take appropriate action.

Now that we have some of the basic packages installed and configured, we can get started on Snort. Snort is an intrusion detection system / intrusion prevention system (IDS/IPS) that monitors traffic on your WAN (internet) interface and, in blocking mode, proactively blocks anything that looks questionable based on predefined rules. Start by installing Snort from the list of packages.

snort-1

Once you have snort installed, head over to Services–>Snort–>Global Settings.

snort-2

At the top you have three choices for which Snort rules to use. I highly recommend paying for the Snort VRT premium rules, as these get updated at least twice a week. The basic (free) account only gets rules that are older than 30 days, which means you would essentially be running an IDS/IPS with outdated rules and might be leaving yourself vulnerable. The Snort community rules are a subset of the Snort VRT rules and are therefore not needed if you are already subscribed to the premium rules. The last rule set is Emerging Threats, which contains current rules and is geared towards more advanced users. The recommended rules for everyone are the Snort VRT premium rules. You can click on the links provided and they will guide you through getting a premium account. Once you have created a premium account you will receive an Oinkmaster code, which you paste into the (blacked-out) configuration box shown above.

Once you have configured your rules, head over and modify the update interval and start time. I set mine to 6 hours rather than 12 hours, so that in a given day it will check 4 times for updates to the rules that I signed up for. The other thing that I modified here was checking the “settings will not be removed during deinstall” box. I also modified the directory size limit and gave it 1 GB, as I had enough space.

In the updates tab you can manually update the Snort rules that you are subscribed to and also view the logs to see when the last update occurred.

snort-3

The next three tabs, Alerts, Blocked, and Whitelists, list the IP addresses that have generated alerts, have been blocked, or have been whitelisted. For now those tabs will be empty since Snort is not enabled yet. Hit the “Update Rules” button once on the Updates tab, then head back over to the Snort Interfaces tab.

In the “Snort Interfaces” tab you want to hit the “+” button to add an interface that snort will monitor.

snort-4

You should be presented with a new window where you can configure the listening interface.

snort-5

Under the “WAN Settings” tab, select the Enable check box. You must then select the interface that Snort will bind to; you will most likely want the WAN interface, that is, the outward-facing port that uplinks you to the internet. I also checked the options to have Snort send alerts to the main system log and to automatically block offenders that generate Snort alerts. This means that I am running in blocking mode rather than passive mode, since hosts get blocked automatically as soon as they generate an alert. It is not necessary to block offenders automatically, but I do it since I want to block anything that’s suspicious and whitelist it afterwards if it is something that I trust. This does require you to check the “Blocked” tab a couple of times a day to see which hosts are listed there so that you can whitelist the ones you trust. The IP address that you block should be the src (source) address: when a packet arrives from the outside, the destination address is your own public IP address, and you should not block your own address.

Under the “Detection Performance Settings” you might want to modify the “search method” based on the hardware that pfSense is running on. Look at the descriptions to pick an option that matches your machine’s performance. The rest of the options here should be left at their default values. Hit save when done and return to the Snort Interfaces tab. Here you should see the interface that you just added listed. The next step is to modify this interface by hitting the “e” (edit) button next to it.

snort-6

Head over to the “WAN Preprocessors” tab and modify the following options here:

snort-7

Make sure that everything in the general preprocessor settings section is checked except for Sensitive Data detection, which will cause a lot of alerts. Since I have Snort set to block automatically on alerts, that option would block a lot of different sites. I tend to review the list of blocked hosts every hour or so and whitelist the things that I trust. You will eventually get to a point where your everyday traffic works fine and only untrustworthy things get blocked. It usually takes about two weeks to build up a good whitelist.
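The blocking rule described under “WAN Settings” above (block the source, never your own public address) and the whitelist tuning described here can be put together in a few lines. The following is an added example and not code from this article or from the pfSense Snort package: it parses Snort “fast” alert lines, picks the remote party as the offender (the source for inbound traffic; for an alert on our own outbound traffic it goes one step beyond the text and picks the destination, so that the WAN address is never blocked), and skips anything covered by the whitelist. The alert lines, rule SIDs and messages, WAN address and whitelist entries are all constructed sample data.

```python
"""Added example, not code from the article or from the pfSense Snort package.
It applies the article's blocking rule to Snort "fast" alert lines: block the
remote party (the source of inbound traffic), never the firewall's own WAN
address, and skip anything on the whitelist. The alert lines, SIDs, rule
messages, WAN address and whitelist are all constructed sample data."""

import ipaddress
import re

# Constructed alerts in Snort's fast-alert format. 198.51.100.10 plays our WAN address.
SAMPLE_ALERTS = """\
06/01-12:00:01.123456  [**] [1:1000001:1] CONSTRUCTED ssh probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:4444 -> 198.51.100.10:22
06/01-12:00:02.223456  [**] [1:1000002:1] CONSTRUCTED policy noise [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.9:443 -> 198.51.100.10:51515
06/01-12:00:03.323456  [**] [1:1000003:1] CONSTRUCTED outbound anomaly [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.10:53511 -> 192.0.2.77:53
06/01-12:00:04.423456  [**] [1:1000001:1] CONSTRUCTED ssh probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.45:4445 -> 198.51.100.10:23
"""

# Hypothetical whitelist: one trusted web host and the /24 of our upstream resolver.
WHITELIST = ["203.0.113.9/32", "192.0.2.0/24"]

ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse_alerts(text):
    """Extract sid, message, protocol, source and destination from each alert line."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]


def decide_blocks(alerts, wan_ip, whitelist):
    """Return (set of IPs to block, list of (ip, sid, reason) that were skipped)."""
    wan = ipaddress.ip_address(wan_ip)
    allowed = [ipaddress.ip_network(n) for n in whitelist]
    blocked, skipped = set(), []
    for a in alerts:
        src = ipaddress.ip_address(a["src"])
        dst = ipaddress.ip_address(a["dst"])
        # The offender is whichever side is not us: the source for inbound
        # traffic, the destination for an alert on our own outbound traffic.
        offender = dst if src == wan else src
        if offender == wan:
            skipped.append((str(offender), a["sid"], "own WAN address"))
        elif any(offender in net for net in allowed):
            skipped.append((str(offender), a["sid"], "whitelisted"))
        else:
            blocked.add(str(offender))
    return blocked, skipped


if __name__ == "__main__":
    to_block, skipped = decide_blocks(parse_alerts(SAMPLE_ALERTS), "198.51.100.10", WHITELIST)
    print("block:", sorted(to_block))          # ['203.0.113.45']
    for ip, sid, reason in skipped:
        print(f"skip {ip} (sid {sid}): {reason}")
```

Keeping the skipped list alongside the block list is the part that makes the daily review described above manageable: the reason column tells you at a glance whether an address stayed unblocked because of a whitelist entry you made on purpose or because it was your own address.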

The other thing that I modified here is the portscan detection settings, so that Snort detects port scans run against my public IP address.
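To show what the portscan detection setting is looking for, here is an added example (not the article's or Snort's own code) of the basic technique Snort's portscan preprocessor uses: count how many distinct destination ports a single source touches on the WAN address within a sliding time window and flag the source once it crosses a threshold. The window length, threshold and connection attempts are constructed sample values; Snort's own sensitivity levels use their own tuned numbers.

```python
"""Added example, not the article's or Snort's own code: a simple portscan
detector of the kind Snort's portscan preprocessor implements. It flags a
source that touches at least PORT_THRESHOLD distinct destination ports on our
WAN address within a WINDOW_S second window. The connection attempts below are
constructed sample data."""

from collections import defaultdict, deque

WINDOW_S = 60          # sliding window length in seconds (assumed value)
PORT_THRESHOLD = 10    # distinct ports within the window that count as a scan (assumed)

# Constructed connection attempts: (timestamp, source IP, destination IP, destination port).
_WAN = "198.51.100.10"
_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443]
SAMPLE_CONNECTIONS = (
    # a fast scan: ten ports in ten seconds
    [(100 + i, "203.0.113.45", _WAN, p) for i, p in enumerate(_PORTS[:10])]
    # a slow scan: one port every 15 s, so never more than 5 ports per 60 s window
    + [(200 + 15 * i, "203.0.113.200", _WAN, p) for i, p in enumerate(_PORTS)]
    # ordinary client: repeated HTTPS plus one HTTP connection
    + [(300 + i, "192.0.2.5", _WAN, 443) for i in range(5)]
    + [(310, "192.0.2.5", _WAN, 80)]
)


def detect_portscans(connections, window_s=WINDOW_S, port_threshold=PORT_THRESHOLD):
    """Return {source_ip: (timestamp, distinct_ports)} for each source that crossed
    the threshold, recorded at the moment it first did so."""
    recent = defaultdict(deque)   # source -> (timestamp, port) pairs, oldest first
    flagged = {}
    for ts, src, _dst, dport in sorted(connections, key=lambda c: c[0]):
        window = recent[src]
        window.append((ts, dport))
        while ts - window[0][0] > window_s:   # drop attempts older than the window
            window.popleft()
        distinct = {port for _, port in window}
        if len(distinct) >= port_threshold and src not in flagged:
            flagged[src] = (ts, len(distinct))
    return flagged


if __name__ == "__main__":
    for src, (ts, n) in detect_portscans(SAMPLE_CONNECTIONS).items():
        print(f"portscan from {src}: {n} distinct ports by t={ts}")   # 203.0.113.45 only
```

With the 60 second window only the fast scanner is flagged; the slow scanner never has more than five ports in view at once and the ordinary client never gets past two. Widening the window (for example to 600 seconds) catches the slow scanner too, which is the trade-off behind the preprocessor's sensitivity levels: a longer memory catches slower scans at the cost of more state and more false positives from busy legitimate hosts.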

snort-8

The last thing that we must modify is under the “WAN Categories” tab, where we choose a detection policy as well as which rules to use.

snort-9

Here you check the “use IPS policy” box and select an IPS policy. You might want to select Connectivity, as this has few or no false positives. If you are the type of person who has time to go through the blocked and alerts lists daily, then I recommend the Balanced policy. The Balanced policy will require tuning on your end, as you will notice that a lot of things get blocked if you are running in blocking mode like I am. Hit save at the bottom when done and head over to the Snort Interfaces window.

Here, hit the red X icon to start Snort.

snort-10

Started:

snort-11

You might want to look at the Alerts tab in a couple of minutes to see which hosts are throwing alerts. Similarly, if you are running in blocking mode like I am then you will have hosts listed in your Blocked tab as well. The Whitelist tab holds the list of hosts that you have whitelisted. Thank you for reading this article and I hope to see you here next time.

6 Responses to “pfSense: Installation and Configuration Part 2”

  1. I was wondering if you can point me in the right direction. You mentioned in the OpenVPN for pfSense article the following: “Under the CAs tab you might already have a CA created if you followed one of my previous articles, as we needed to create one in order to sign an internal certificate to be used for securing the pfSense web interface.” I could not find it anywhere. I also wanted to create a CA to secure the web interface and don’t know how to do it. Thanks.

    • Jose,

      In order to secure the Web interface you need to create a CA (certificate authority) by going to System–>Cert Manager–>CAs (tab). Once you have a CA created then you can issue certificates to secure the web interface. When you create a CA make sure that in the “method” field you select “Create an Internal Certificate Authority”. You should do 2048 bits or higher for the key length and SHA 512 for the digest. Fill out the rest of the information under distinguished name.

      Once you have the CA created head over to the Certificates tab in the same area and create a certificate. For the method you want to select “Create an internal certificate”. The “certificate authority” field should reflect the name of the CA that you created earlier. The key length should be 2048 or higher and the digest SHA 512. The “certificate type” field should be set to “server certificate”. Fill out the rest of the information in the “Distinguished Name” area.

      Head over to System–>Advanced–>Admin Access Tab and change the protocol to HTTPS. Under the “SSL Certificate” select the name of the certificate that we created above. Hit save when you are done and that will secure the web interface. You should then be able to access your pfsense box using “https://YOURGATEWAYIPADDRESS”. Let me know if you have any other questions.

      Regards,

      Glenn

      • Thanks for your quick reply, I really appreciate it. I will try it and let you know if I have any questions. Thanks again!

  2. Well, thank you for this tutorial, it really helps.
    I have a problem with my pfSense: the rules that I set do not work.
    For example: I have 2 areas, a “prod” area and a “dev” area, and I have to see the prod area from the dev area through port 80. Even when I allow all interfaces through any port I can’t get my goal.
    What should I do?
    Thanks for the help.

    • Are you creating the rules on both sides? For a simple test head over to firewall–>Prod and create a rule.
      Action=Pass, Interface=Prod, Version=IPv4, Protocol=TCP/UDP, Source = Single Host or Alias(type in the IP address of a client in prod), Destination = Single Host or Alias(type in the IP address of a client in dev)

      After creating the rule make sure that you put it at the top of the list. Head over to Firewall–>Dev and create a rule. Do the same as above, except that your source address should be the “destination address” that you used in the previous rule, and the destination address should be the “source address” that you used in the previous rule.

  3. I am actually running pfSense on ESXi. I was wondering if or when you are going to write a tutorial on this, as I am experiencing a little trouble. I have a 4-port NIC and was also going about having 4 different VPNs load balanced.
