The pfSense Book

Preface
Copyright Notice
Acknowledgements
Feedback
Typographic Conventions
Authors
Foreword
Introduction
What does pfSense stand for/mean?
Why FreeBSD?
Common Deployments
Interface Naming Terminology
Finding Information and Getting Help
Project Inception
Networking Concepts
Understanding Public and Private IP Addresses
IP Subnetting Concepts
IP Address, Subnet and Gateway Configuration
Understanding CIDR Subnet Mask Notation
CIDR Summarization
Broadcast Domains
IPv6
Brief introduction to OSI Model Layers
Hardware
Minimum Hardware Requirements
Hardware Selection
Hardware Sizing Guidance
Hardware Tuning and Troubleshooting
Hardware Compatibility
Installing and Upgrading
Download Installation Media
Prepare Installation Media
Connect to the Console
Perform the Installation
Assign Interfaces
Alternate Installation Techniques
Installation Troubleshooting
Upgrading an Existing Installation
Filesystem Tweaks
Configuration
Setup Wizard
Interface Configuration
Managing Lists in the GUI
Quickly Navigate the GUI with Shortcuts
General Configuration Options
Advanced Configuration Options
Console Menu Basics
Time Synchronization
Troubleshooting
pfSense XML Configuration File
What to do when locked out of the WebGUI
Connecting to the WebGUI
Interface Types and Configuration
Interface Groups
Wireless
VLANs
QinQs
Bridges
OpenVPN
PPPs
GRE (Generic Routing Encapsulation)
GIF (Generic tunnel InterFace)
LAGG (Link Aggregation)
Interface Configuration
IPv4 WAN Types
IPv6 WAN Types
Physical and Virtual Interfaces
User Management and Authentication
User Management
Authentication Servers
External Authentication Examples
Troubleshooting
Support Throughout pfSense
Certificate Management
Certificate Authority Management
Certificate Management
Certificate Revocation List Management
Basic Introduction to X.509 Public Key Infrastructure
Backup and Recovery
Making Backups in the WebGUI
Using the AutoConfigBackup Package
Alternate Remote Backup Techniques
Restoring from Backups
Backup Files and Directories with the Backup Package
Caveats and Gotchas
Backup Strategies
Firewall
Firewalling Fundamentals
Ingress Filtering
Egress Filtering
Introduction to the Firewall Rules screen
Aliases
Firewall Rule Best Practices
Rule Methodology
Configuring firewall rules
Floating Rules
Methods of Using Additional Public IP Addresses
Virtual IP Addresses
Time Based Rules
Viewing the Firewall Logs
How Do I Block access to a Web Site?
Troubleshooting Firewall Rules
Network Address Translation
Port Forwards
1:1 NAT
Ordering of NAT and Firewall Processing
NAT Reflection
Outbound NAT
Choosing a NAT Configuration
NAT and Protocol Compatibility
IPv6 Network Prefix Translation (NPt)
Troubleshooting
Default NAT Configuration
Routing
Gateways
Gateway Settings
Gateway Groups
Static Routes
Routing Public IP Addresses
Routing Protocols
Route Troubleshooting
Bridging
Creating a Bridge
Advanced Bridge Options
Bridging and Interfaces
Bridging and firewalling
Bridging Two Internal Networks
Bridging interoperability
Types of Bridges
Bridging and Layer 2 Loops
Virtual LANs (VLANs)
Terminology
VLANs and Security
pfSense VLAN Configuration
Switch VLAN Configuration
pfSense QinQ Configuration
Requirements
Multiple WAN Connections
Multi-WAN Terminology and Concepts
Policy Routing, Load Balancing and Failover Strategies
Multi-WAN Caveats and Considerations
Summary of Multi-WAN Requirements
Load Balancing and Failover with Gateway Groups
Interface and DNS Configuration
Multi-WAN and NAT
Policy Routing Configuration
Verifying Functionality
Troubleshooting
Multi-WAN on a Stick
Multi-WAN for IPv6
Multi-Link PPPoE (MLPPP)
Choosing Internet Connectivity
Virtual Private Networks
Choosing a VPN solution
VPNs and Firewall Rules
VPNs and IPv6
PPTP Warning
Common deployments
IPsec
IPsec and IPv6
Choosing configuration options
IPsec and firewall rules
Site-to-Site
Mobile IPsec
Testing IPsec Connectivity
IPsec Troubleshooting
Configuring Third Party IPsec Devices
IPsec Terminology
OpenVPN
OpenVPN and IPv6
OpenVPN Configuration Options
Using the OpenVPN Server Wizard for Remote Access
Configuring Users
OpenVPN Client Installation
Site-to-Site Example (Shared Key)
Site-to-Site Example Configuration (SSL/TLS)
Checking the Status of OpenVPN Clients and Servers
Permitting traffic to the OpenVPN server
Allowing traffic over OpenVPN Tunnels
OpenVPN clients and Internet Access
Assigning OpenVPN Interfaces
NAT with OpenVPN Connections
OpenVPN and Multi-WAN
OpenVPN and CARP
Bridged OpenVPN Connections
Custom configuration options
Sharing a Port with OpenVPN and a Web Server
Controlling Client Parameters via RADIUS
Troubleshooting OpenVPN
OpenVPN and Certificates
L2TP VPN
L2TP and Firewall Rules
L2TP and Multi-WAN
L2TP Server Configuration
L2TP with IPsec
L2TP Troubleshooting
L2TP Logs
L2TP Security Warning
Traffic Shaper
What the Traffic Shaper can do for a Network
Hardware Limitations
ALTQ Scheduler Types
Configuring the ALTQ Traffic Shaper With the Wizard
Monitoring the Queues
Advanced Customization
Limiters
Traffic Shaping and VPNs
Troubleshooting Shaper Issues
Traffic Shaping Types
Traffic Shaping Basics
Server Load Balancing
Server Load Balancing Configuration Options
Web Server Load Balancing Example Configuration
Troubleshooting Server Load Balancing
Wireless
Recommended Wireless Hardware
Working with Virtual Access Point Wireless Interfaces
Wireless WAN
Bridging and wireless
Using an External Access Point
pfSense as an Access Point
Additional protection for a wireless network
Configuring a Secure Wireless Hotspot
Troubleshooting Wireless Connections
Captive Portal
Captive Portal Zones
Common Captive Portal Scenarios
Zone Configuration Options
MAC Address Control
Allowed IP Address
Allowed Hostnames
Vouchers
File Manager
Viewing Authenticated Captive Portal Users
Troubleshooting Captive Portal
Limitations
High Availability
pfsync Overview
pfSense XML-RPC Config Sync Overview
Example Redundant Configuration
Multi-WAN with HA
Verifying Failover Functionality
Providing Redundancy Without NAT
Layer 2 Redundancy
High Availability with Bridging
Using IP Aliases to Reduce Heartbeat Traffic
Interface
High Availability Troubleshooting
CARP Overview
Services
IPv4 DHCP Server
IPv6 DHCP Server and Router Advertisements
DHCP & DHCPv6 Relay
DNS Resolver
DNS Forwarder
Dynamic DNS
SNMP
UPnP & NAT-PMP
NTPD
Wake on LAN
PPPoE Server
IGMP Proxy
System Monitoring
System Logs
Remote Logging with Syslog
Dashboard
Interface Status
Service Status
Monitoring Graphs
Firewall States
Traffic Graphs
System Activity (Top)
pfInfo
S.M.A.R.T. Hard Disk Status
SMTP and Growl Notifications
Viewing the Contents of Tables
Testing DNS
Testing a TCP Port
Packages
Installing Packages
Reinstalling and Updating Packages
Uninstalling Packages
Developing Packages
A Brief Introduction to Web Proxies and Reporting: Squid, SquidGuard, and Lightsquid
Introduction to Packages
Third Party Software and pfSense
RADIUS Authentication with Windows Server
Syslog Server on Windows with Kiwi Syslog
Using Software from FreeBSD’s Ports System (Packages)
Configure BIND as an RFC 2136 Dynamic DNS Server
Packet Capturing
Selecting the Proper Interface
Limiting capture volume
Packet Captures from the WebGUI
Using tcpdump from the command line
Using Wireshark with pfSense
Additional References
Capture frame of reference
Menu Guide
System
Interfaces
Firewall
Services
VPN
Status
Diagnostics