Install a pfSense Firewall in Oracle Cloud Infrastructure: Difference between revisions

No edit summary
Line 1: Line 1:
# Install a pfSense Firewall in Oracle Cloud Infrastructure
= Introduction =
= Introduction =


{{note|pfSense is not officially supported on Oracle Cloud Infrastructure by Netgate or Oracle. Contact the pfSense support team before trying this tutorial.
{{note|pfSense is not officially supported on Oracle Cloud Infrastructure by Netgate or Oracle. Contact the pfSense support team before trying this tutorial.
}}
}}


pfSense is a firewall that can be used for production or testing purposes where you can simulate the Oracle Cloud Infrastructure (OCI) native firewall services. This pfSense firewall set up can be used inside a hub and spoke VCN routing scenario.
pfSense is a firewall that can be used for production or testing purposes where you can simulate the Oracle Cloud Infrastructure (OCI) native firewall services. This pfSense firewall set up can be used inside a hub and spoke VCN routing scenario.
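Review bot: The added first line, `# Install a pfSense Firewall in Oracle Cloud Infrastructure`, uses Markdown heading syntax, but in wikitext a leading `#` starts a numbered list item, and the rendered revision shows it as list item 1 rather than as a title. Drop the line (the page title already carries it) or write it in the same heading markup as `= Introduction =`.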
Line 21: Line 22:
- Before we start setting up the pfSense firewall inside OCI it is important to have another instance that can connect to the new pfSense firewall using its web browser to perform management on the pfSense firewall. In this tutorial, we have created a Windows instance to do this. Make sure you have something similar.
- Before we start setting up the pfSense firewall inside OCI it is important to have another instance that can connect to the new pfSense firewall using its web browser to perform management on the pfSense firewall. In this tutorial, we have created a Windows instance to do this. Make sure you have something similar.


= Task 1: Download the pfSense Image =  
= Task 1 Download the pfSense Image =  


- Download the pfSense image from the Netgate website. Ensure to download the `memstick-serial` version. The filename of the image that we are using is `pfSense-CE-memstick-serial-2.7.2-RELEASE-amd64.img.gz`. For more information, see [[https://sgpfiles.netgate.com/mirror/downloads Netgate]].
- Download the pfSense image from the Netgate website. Ensure to download the `memstick-serial` version. The filename of the image that we are using is `pfSense-CE-memstick-serial-2.7.2-RELEASE-amd64.img.gz`. For more information, see [[https://sgpfiles.netgate.com/mirror/downloads Netgate]].
Line 28: Line 29:


1. The image will be in the `.gz` format.
1. The image will be in the `.gz` format.
<br>
2. If you are using OS X, right-click on the compressed file and click '''Open with'''.
2. If you are using OS X, right-click on the compressed file and click '''Open with'''.
<br>
3. Select '''Archive Utility (default)''' to uncompress the image.
3. Select '''Archive Utility (default)''' to uncompress the image.


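Review bot: Use wikitext `#` list items for these steps instead of literal `1.`, `2.`, `3.` lines separated by `<br>`. Wikitext does not treat `1.` as list markup, so any step pair without a `<br>` runs together on one line (the rendered revision still has `1. When the pfSense image is fully uploaded the progress status will be Finished. 2. Click Close.`), and the `<br>` has to be repeated in every list on the page.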
Line 37: Line 40:
[[File:cfb7d8789ef6a753c2e393d0b35ff9bb.png|800px]]
[[File:cfb7d8789ef6a753c2e393d0b35ff9bb.png|800px]]


= Task 2: Create an OCI Object Storage Bucket =
= Task 2 - Create an OCI Object Storage Bucket =


In this task, we will create an OCI Object Storage bucket that will use to upload the pfSense image and used to create a custom image.
In this task, we will create an OCI Object Storage bucket that will use to upload the pfSense image and used to create a custom image.
Line 44: Line 47:


1. Click the hamburger menu (≡) from the upper left corner.
1. Click the hamburger menu (≡) from the upper left corner.
<br>
2. Click '''Storage'''.
2. Click '''Storage'''.
<br>
3. Click '''Buckets'''.
3. Click '''Buckets'''.


Line 54: Line 59:


1. Enter a '''Bucket name'''.
1. Enter a '''Bucket name'''.
<br>
2. Select '''Standard''' storage tier as '''Default Storage Tier'''.
2. Select '''Standard''' storage tier as '''Default Storage Tier'''.
<br>
3. Click '''Create'''.
3. Click '''Create'''.


Line 63: Line 70:
[[File:d85e73fe9d7a2fbc9cad040ce82cb1d4.png|800px]]
[[File:d85e73fe9d7a2fbc9cad040ce82cb1d4.png|800px]]


= Task 3: Upload the pfSense Image to the Storage Bucket =
= Task 3 - Upload the pfSense Image to the Storage Bucket =


- Upload the image that we have downloaded in Task 1.
- Upload the image that we have downloaded in Task 1.


1. Scroll down.
1. Scroll down.
<br>
2. Click '''Upload'''.
2. Click '''Upload'''.


Line 75: Line 83:


1. Enter '''Object Name Prefix'''.
1. Enter '''Object Name Prefix'''.
<br>
2. Select '''Standard''' as the '''Storage Tier'''.
2. Select '''Standard''' as the '''Storage Tier'''.
<br>
3. Click '''select files''' and select the pfSense image.
3. Click '''select files''' and select the pfSense image.
<br>
4. When you have selected the pfSense image you will see it in the following section.
4. When you have selected the pfSense image you will see it in the following section.
<br>
5. Click '''Upload'''.
5. Click '''Upload'''.


Line 91: Line 103:
[[File:5d8b7405a40cf0291fd81f2352881bcb.png|800px]]
[[File:5d8b7405a40cf0291fd81f2352881bcb.png|800px]]


= Task 4: Create a Custom Image =
= Task 4 Create a Custom Image =


We have uploaded the pfSense image. Now, we need to create a custom OCI image from this uploaded image. This custom OCI image will be used to create the pfSense firewall instance.
We have uploaded the pfSense image. Now, we need to create a custom OCI image from this uploaded image. This custom OCI image will be used to create the pfSense firewall instance.
Line 98: Line 110:


1. Click the hamburger menu (≡) from the upper left corner.
1. Click the hamburger menu (≡) from the upper left corner.
<br>
2. Click '''Compute'''.
2. Click '''Compute'''.
<br>
3. Click '''Custom Image'''.
3. Click '''Custom Image'''.


Line 110: Line 124:


1. Enter a '''name'''.
1. Enter a '''name'''.
<br>
2. Select '''Generic Linux''' as '''Operating system'''.
2. Select '''Generic Linux''' as '''Operating system'''.
<br>
3. Select '''Import from an Object Storage bucket'''.
3. Select '''Import from an Object Storage bucket'''.
<br>
4. Select the storage bucket where you uploaded the image.
4. Select the storage bucket where you uploaded the image.
<br>
5. In '''Object name''', select the pfSense image.
5. In '''Object name''', select the pfSense image.
<br>
6. Select '''VMDK''' as '''Image type'''.
6. Select '''VMDK''' as '''Image type'''.
<br>
7. Scroll down.
7. Scroll down.


Line 124: Line 144:


1. Notice that the status is '''IMPORTING'''.
1. Notice that the status is '''IMPORTING'''.
<br>
2. Scroll down.
2. Scroll down.


Line 129: Line 150:


1. Notice the state is '''In progress'''.
1. Notice the state is '''In progress'''.
<br>
2. Monitor the progress.
2. Monitor the progress.


Line 134: Line 156:


1. After a few minutes, status is '''AVAILABLE''' the state will change to '''Succeeded'''.
1. After a few minutes, status is '''AVAILABLE''' the state will change to '''Succeeded'''.
<br>
2. The '''% Complete''' will be '''100%'''.
2. The '''% Complete''' will be '''100%'''.


[[File:3fdc8da3e9086b02f51c987a5607a179.png|800px]]
[[File:3fdc8da3e9086b02f51c987a5607a179.png|800px]]


= Task 5: Create an Instance with the Custom pfSense Image =
= Task 5 - Create an Instance with the Custom pfSense Image =


- Create an instance.
- Create an instance.


1. Click the hamburger menu (≡) from the upper left corner.
1. Click the hamburger menu (≡) from the upper left corner.
<br>
2. Click '''Compute'''.
2. Click '''Compute'''.
<br>
3. Click '''Instances'''.
3. Click '''Instances'''.


Line 153: Line 178:


1. Enter the instance '''Name'''.
1. Enter the instance '''Name'''.
<br>
2. Scroll down.
2. Scroll down.


Line 162: Line 188:


1. Select '''My images'''.
1. Select '''My images'''.
<br>
2. Select '''Custom images'''.
2. Select '''Custom images'''.
<br>
3. Scroll down.
3. Scroll down.


Line 168: Line 196:


1. Select the custom image created in Task 4.
1. Select the custom image created in Task 4.
<br>
2. Click '''Select image'''.
2. Click '''Select image'''.


Line 173: Line 202:


1. Notice that the pfSense image is selected.
1. Notice that the pfSense image is selected.
<br>
2. Scroll down.
2. Scroll down.


Line 178: Line 208:


1. In '''Primary network''', select '''Select existing Virtual cloud network'''.
1. In '''Primary network''', select '''Select existing Virtual cloud network'''.
<br>
2. Select the '''VCN''' that you want to attach to the pfSense instance.
2. Select the '''VCN''' that you want to attach to the pfSense instance.
<br>
3. In '''Subnet''', select an '''Select existing subnet'''.
3. In '''Subnet''', select an '''Select existing subnet'''.
<br>
4. Select the '''Subnet''' that you want to attach to the pfSense instance.
4. Select the '''Subnet''' that you want to attach to the pfSense instance.
<br>
5. Scroll down.
5. Scroll down.


Line 186: Line 220:


1. Select '''Manually assign private IPv4 address'''.
1. Select '''Manually assign private IPv4 address'''.
<br>
2. Enter an '''IPv4 address'''.
2. Enter an '''IPv4 address'''.
<br>
3. Scroll down.
3. Scroll down.


Line 192: Line 228:


1. Select '''No SSH Keys'''.
1. Select '''No SSH Keys'''.
<br>
2. Scroll down.
2. Scroll down.


Line 212: Line 249:
[[File:f6acd8267ac8b00ea865faeed934db7c.png|800px]]
[[File:f6acd8267ac8b00ea865faeed934db7c.png|800px]]


= Task 6: Install pfSense on the Instance =
= Task 6 - Install pfSense on the Instance =


We need to do the initial installation and set up of the pfSense firewall. We already have the running instance.
We need to do the initial installation and set up of the pfSense firewall. We already have the running instance.
Line 219: Line 256:


1. Scroll down.
1. Scroll down.
<br>
2. Click '''Console connection'''.
2. Click '''Console connection'''.
<br>
3. Click '''Launch Cloud Shell connection'''.
3. Click '''Launch Cloud Shell connection'''.


Line 237: Line 276:


1. Select '''Install pfSense'''.
1. Select '''Install pfSense'''.
<br>
2. Select '''OK''' and press '''ENTER'''.
2. Select '''OK''' and press '''ENTER'''.


Line 242: Line 282:


1. Select '''Manual Disk Setup (experts)'''.
1. Select '''Manual Disk Setup (experts)'''.
<br>
2. Select '''OK''' and press '''ENTER'''.
2. Select '''OK''' and press '''ENTER'''.


Line 247: Line 288:


1. Select '''da0 - 47 GB MBR'''.
1. Select '''da0 - 47 GB MBR'''.
<br>
2. Select '''Create''' and press '''ENTER'''.
2. Select '''Create''' and press '''ENTER'''.


Line 252: Line 294:


1. In '''Type''', enter '''freebsd'''.
1. In '''Type''', enter '''freebsd'''.
<br>
2. In '''Size''', enter '''46 GB'''.
2. In '''Size''', enter '''46 GB'''.
<br>
3. Enter '''Mountpoint'''.
3. Enter '''Mountpoint'''.
<br>
4. Select '''OK''' and press '''ENTER'''.
4. Select '''OK''' and press '''ENTER'''.


Line 259: Line 304:


1. In '''da0s4''', select '''46 GB BSD'''.
1. In '''da0s4''', select '''46 GB BSD'''.
<br>
2. Select '''Create''' and press '''ENTER'''.
2. Select '''Create''' and press '''ENTER'''.


Line 264: Line 310:


1. In '''Type''', enter '''freebsd-ufs'''.
1. In '''Type''', enter '''freebsd-ufs'''.
<br>
2. In '''Size''', enter '''40 GB'''.
2. In '''Size''', enter '''40 GB'''.
<br>
3. In '''Mountpoint''', enter '''/'''.
3. In '''Mountpoint''', enter '''/'''.
<br>
4. Select '''OK''' and press '''ENTER'''.
4. Select '''OK''' and press '''ENTER'''.


Line 271: Line 320:


1. Notice that the mountpoint is created for `/`.
1. Notice that the mountpoint is created for `/`.
<br>
2. In '''da0s4''', enter '''46 GB BSD'''.
2. In '''da0s4''', enter '''46 GB BSD'''.
<br>
3. Select '''Create''' and press '''ENTER'''.
3. Select '''Create''' and press '''ENTER'''.


Line 277: Line 328:


1. In '''Type''', enter '''freebsd-swap'''.
1. In '''Type''', enter '''freebsd-swap'''.
<br>
2. In '''Size''', enter '''5770 MB'''.
2. In '''Size''', enter '''5770 MB'''.
<br>
3. Enter '''Mountpoint'''.
3. Enter '''Mountpoint'''.
<br>
4. Select '''OK''' and press '''ENTER'''.
4. Select '''OK''' and press '''ENTER'''.


Line 284: Line 338:


1. Notice that the mountpoint is created for swap.
1. Notice that the mountpoint is created for swap.
<br>
2. Select '''Finish''' and press '''ENTER'''
2. Select '''Finish''' and press '''ENTER'''


Line 327: Line 382:


1. Verify the WAN interface name.
1. Verify the WAN interface name.
<br>
2. For '''Do you want to proceed''', enter '''y''' and press '''ENTER'''.
2. For '''Do you want to proceed''', enter '''y''' and press '''ENTER'''.


Line 340: Line 396:


1. You will see that the IP address will be configured using DHCP.
1. You will see that the IP address will be configured using DHCP.
<br>
2. Note the pfSense menu to do some additional basic configuration.
2. Note the pfSense menu to do some additional basic configuration.


[[File:8a6d29053288f769ca23c79bf62ae9db.png|800px]]
[[File:8a6d29053288f769ca23c79bf62ae9db.png|800px]]


= Task 7: Connect to the pfSense Web Graphic User Interface (GUI) and Complete the Initial Set up =
= Task 7 - Connect to the pfSense Web Graphic User Interface (GUI) and Complete the Initial Set up =


The installation is finished, now we need to connect to the web interface of the pfSense firewall. But before this, we need to open some ports on the security list of the VCN.
The installation is finished, now we need to connect to the web interface of the pfSense firewall. But before this, we need to open some ports on the security list of the VCN.
Line 351: Line 408:


1. Click the hamburger menu (≡) from the upper left corner.
1. Click the hamburger menu (≡) from the upper left corner.
<br>
2. Click '''Virtual Cloud Networks''' or navigate to '''Networking''' and '''Virtual Cloud Networks'''.
2. Click '''Virtual Cloud Networks''' or navigate to '''Networking''' and '''Virtual Cloud Networks'''.


Line 360: Line 418:


1. Scroll down.
1. Scroll down.
<br>
2. Click '''Security Lists'''.
2. Click '''Security Lists'''.
<br>
3. Click the '''Default Security List for HUB-VCN'''.
3. Click the '''Default Security List for HUB-VCN'''.


Line 370: Line 430:


1. In '''Source Type''', enter '''CIDR'''.
1. In '''Source Type''', enter '''CIDR'''.
<br>
2. In '''Source CIDR''', for this tutorial, enter `172.16.0.128/25`. This is the subnet which has the Windows instance, that we will be using to connect to the pfSense firewall using the browser.
2. In '''Source CIDR''', for this tutorial, enter `172.16.0.128/25`. This is the subnet which has the Windows instance, that we will be using to connect to the pfSense firewall using the browser.
<br>
3. In '''IP Protocol''', enter '''TCP'''.
3. In '''IP Protocol''', enter '''TCP'''.
<br>
4. In '''Destination Port Range''', enter `80,443`.
4. In '''Destination Port Range''', enter `80,443`.
<br>
5. Click '''Add Ingress Rules''' .
5. Click '''Add Ingress Rules''' .


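Review bot: Step 4 opens both `80` and `443`, and the rule is added to the Default Security List for HUB-VCN, so it applies to every subnet that uses that list, not only to the pfSense instance. The later step connects to the firewall over HTTPS, so the text should either limit the range to `443` or say why HTTP is needed, and it should mention that a security list dedicated to the firewall's subnet keeps the rule from reaching other instances.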
Line 382: Line 446:


1. Navigate to the '''Compute''' and '''Instances'''.
1. Navigate to the '''Compute''' and '''Instances'''.
<br>
2. Make a note of your pfSense firewall IP address.
2. Make a note of your pfSense firewall IP address.


Line 387: Line 452:


1. In your Windows instance, open a browser and navigate to the pfSense firewall IP using HTTPS.
1. In your Windows instance, open a browser and navigate to the pfSense firewall IP using HTTPS.
<br>
2. Click '''Advanced'''.
2. Click '''Advanced'''.


Line 396: Line 462:


1. Enter default username as `admin`.
1. Enter default username as `admin`.
<br>
2. Enter default password as `pfsense`.
2. Enter default password as `pfsense`.
<br>
3. Click '''Sign In'''.
3. Click '''Sign In'''.


Line 410: Line 478:


1. Enter a hostname.
1. Enter a hostname.
<br>
2. Enter a domain name or keep domain name default.
2. Enter a domain name or keep domain name default.
<br>
3. Scroll down.
3. Scroll down.


Line 427: Line 497:


1. In '''Configure WAN interface''', select '''DHCP'''.
1. In '''Configure WAN interface''', select '''DHCP'''.
<br>
2. Scroll down.
2. Scroll down.


Line 432: Line 503:


1. Keep all the IP address settings default.
1. Keep all the IP address settings default.
<br>
2. Scroll down.
2. Scroll down.


Line 445: Line 517:


1. Enter a new admin password.
1. Enter a new admin password.
<br>
2. Enter a admin password again.
2. Enter a admin password again.
<br>
3. Click '''Next'''.
3. Click '''Next'''.


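Review bot: Step 2 reads "Enter a admin password again", which is ungrammatical and does not say which password is meant; "Enter the new admin password again" matches step 1. Since the earlier sign-in step documents the default `admin` / `pfsense` credentials, it is also worth stating here that this is the point where the default password stops being valid.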
Line 485: Line 559:


1. Notice that the pfSense firewall is installed and the dashboard is visible.
1. Notice that the pfSense firewall is installed and the dashboard is visible.
<br>
2. Notice that the support information is not available. This is because the pfSense firewall is installed on a private subnet and this private subnet is not able to reach the internet by default.
2. Notice that the support information is not available. This is because the pfSense firewall is installed on a private subnet and this private subnet is not able to reach the internet by default.


Line 492: Line 567:


1. Click the hamburger menu (≡) from the upper left corner.
1. Click the hamburger menu (≡) from the upper left corner.
<br>
2. Click '''Virtual Cloud Networks''' or navigate to '''Networking''' and '''Virtual Cloud Networks'''.
2. Click '''Virtual Cloud Networks''' or navigate to '''Networking''' and '''Virtual Cloud Networks'''.


Line 501: Line 577:


1. Click '''Route Tables'''.
1. Click '''Route Tables'''.
<br>
2. Click '''Default Route Table for HUB-VCN'''.
2. Click '''Default Route Table for HUB-VCN'''.


Line 506: Line 583:


1. Notice that the default route table has a route in there that will route all the traffic towards the internet gateway. This is not usable for us as we need to route the traffic for the private subnet towards the NAT gateway.
1. Notice that the default route table has a route in there that will route all the traffic towards the internet gateway. This is not usable for us as we need to route the traffic for the private subnet towards the NAT gateway.
<br>
2. Click '''HUB-VCN''' to go back one page from '''Route Table Details''' page.
2. Click '''HUB-VCN''' to go back one page from '''Route Table Details''' page.


Line 515: Line 593:


1. Enter a name.
1. Enter a name.
<br>
2. In '''Target Type''', enter '''NAT Gateway'''.
2. In '''Target Type''', enter '''NAT Gateway'''.
<br>
3. In '''Destination CIDR Block''', enter `0.0.0.0/0`.
3. In '''Destination CIDR Block''', enter `0.0.0.0/0`.
<br>
4. Scroll down.
4. Scroll down.


Line 522: Line 603:


1. Select the '''NAT Gateway''' that you already have available in the VCN. If you do not have a NAT gateway, click '''Cancel''' and create a NAT gateway.
1. Select the '''NAT Gateway''' that you already have available in the VCN. If you do not have a NAT gateway, click '''Cancel''' and create a NAT gateway.
<br>
2. Click '''Create'''.
2. Click '''Create'''.


Line 527: Line 609:


1. Notice that the static route towards the NAT gateway is now created.
1. Notice that the static route towards the NAT gateway is now created.
<br>
2. Click '''HUB-VCN''' to go back one page from '''Route Table Details''' page.
2. Click '''HUB-VCN''' to go back one page from '''Route Table Details''' page.


Line 538: Line 621:


1. Click '''Subnets'''.
1. Click '''Subnets'''.
<br>
2. Click '''Private subnet''', the subnet to where the pfSense instance is currently attached.
2. Click '''Private subnet''', the subnet to where the pfSense instance is currently attached.


Line 547: Line 631:


1. Select the route table you just created.
1. Select the route table you just created.
<br>
2. Click '''Save Changes'''.
2. Click '''Save Changes'''.


Line 558: Line 643:


1. Refresh the page.
1. Refresh the page.
<br>
2. Scroll down.
2. Scroll down.


Line 571: Line 657:


- Notice that the '''Netgate Services and Support''' section will change.
- Notice that the '''Netgate Services and Support''' section will change.
- The response time of the dashboard page will also be quicker.
- The response time of the dashboard page will also be quicker.


Line 594: Line 681:
[[File:335255883f0a0bbee0ed469eaaf3e292.png|800px]]
[[File:335255883f0a0bbee0ed469eaaf3e292.png|800px]]


= Task 8: Verify the Connectivity with Ping =
= Task 8 - Verify the Connectivity with Ping =


- Verifying the connectivity using ping (ICMP) is a good starting point for testing.
- Verifying the connectivity using ping (ICMP) is a good starting point for testing.


1. In the Windows instance, open the '''Command Prompt''' and try to ping the pfSense firewall IP address.
1. In the Windows instance, open the '''Command Prompt''' and try to ping the pfSense firewall IP address.
<br>
2. Notice that the ping results are showing a '''100% packet loss'''.
2. Notice that the ping results are showing a '''100% packet loss'''.


Line 606: Line 694:


- Open Internet Control Message Protocol (ICMP) on the default security list that is attached to the VCN.
- Open Internet Control Message Protocol (ICMP) on the default security list that is attached to the VCN.
- Open ICMP on the pfSense firewall.
- Open ICMP on the pfSense firewall.


Line 611: Line 700:


1. Click the hamburger menu (≡) from the upper left corner.
1. Click the hamburger menu (≡) from the upper left corner.
<br>
2. Click '''Virtual Cloud Networks''' or navigate to '''Networking''' and '''Virtual Cloud Networks'''.
2. Click '''Virtual Cloud Networks''' or navigate to '''Networking''' and '''Virtual Cloud Networks'''.


Line 620: Line 710:


1. Scroll down.
1. Scroll down.
<br>
2. Click '''Security Lists'''.
2. Click '''Security Lists'''.
<br>
3. Click '''Default Security List for HUB-VCN'''.
3. Click '''Default Security List for HUB-VCN'''.


Line 630: Line 722:


1. In '''Source Type''', enter '''CIDR'''.
1. In '''Source Type''', enter '''CIDR'''.
<br>
2. In '''Source CIDR''', enter `0.0.0.0/0`.
2. In '''Source CIDR''', enter `0.0.0.0/0`.
<br>
3. In '''IP Protocol''', enter '''ICMP'''.
3. In '''IP Protocol''', enter '''ICMP'''.
<br>
4. Click '''Add Ingress Rules'''.
4. Click '''Add Ingress Rules'''.


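Review bot: Step 2 sets the Source CIDR to `0.0.0.0/0` for the ICMP rule, which is wider than the `172.16.0.128/25` source used for the TCP rule on the same security list. The ping test is run from the Windows instance, so the same subnet would be enough as the source here; if any source is really intended, the text should say why.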
Line 647: Line 742:


1. '''Action:''' Select '''Pass'''.
1. '''Action:''' Select '''Pass'''.
<br>
2. '''Protocol:''' Select '''ICMP'''.
2. '''Protocol:''' Select '''ICMP'''.
<br>
3. '''ICMP Subtypes:''' Select '''Any'''.
3. '''ICMP Subtypes:''' Select '''Any'''.
<br>
4. Scroll down.
4. Scroll down.


Line 654: Line 752:


1. '''Source:''' Select '''Any'''.
1. '''Source:''' Select '''Any'''.
<br>
2. '''Destination:''' Select '''Any'''.
2. '''Destination:''' Select '''Any'''.
<br>
3. Click '''Save'''.
3. Click '''Save'''.


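Review bot: Steps 1 and 2 set both Source and Destination to Any, and the preceding steps select Any for ICMP Subtypes, so the pfSense rule passes every ICMP type from every address. For the ping test that follows, a source limited to the management subnet and the echo request subtype would be sufficient; either narrow the values or state that the rule is for testing only and should be tightened afterwards.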
Line 660: Line 760:


1. Notice that the new ICMP rule is in place.
1. Notice that the new ICMP rule is in place.
<br>
2. Click '''Apply Changes''' to commit the changes.
2. Click '''Apply Changes''' to commit the changes.


Line 669: Line 770:


1. In the Windows instance, open the '''Command Prompt''' and try to ping the pfSense firewall IP address.
1. In the Windows instance, open the '''Command Prompt''' and try to ping the pfSense firewall IP address.
<br>
2. Notice that the ping results are showing a '''0% packet loss'''.
2. Notice that the ping results are showing a '''0% packet loss'''.


Line 676: Line 778:


1. Click '''Diagnostics'''.
1. Click '''Diagnostics'''.
<br>
2. Click '''Ping'''.
2. Click '''Ping'''.


Line 681: Line 784:


1. In '''Hostname''', enter `8.8.8.8`.
1. In '''Hostname''', enter `8.8.8.8`.
<br>
2. Click '''Ping'''.
2. Click '''Ping'''.



Revision as of 17:21, 7 June 2024

Install a pfSense Firewall in Oracle Cloud Infrastructure

Introduction

Note

pfSense is not officially supported on Oracle Cloud Infrastructure by Netgate or Oracle. Contact the pfSense support team before trying this tutorial.

pfSense is a firewall that can be used for production or testing purposes, where you can simulate the Oracle Cloud Infrastructure (OCI) native firewall services. This pfSense firewall setup can be used inside a hub-and-spoke VCN routing scenario.

The following image illustrates what the environment will look like when you are finished with the deployment and configuration.

93b14b8cfbcb2cefb7886e68b44d5898.png

Objectives

- Set up a pfSense firewall inside OCI. We will make adjustments to routing and security lists so that the pfSense firewall can be managed properly and we will do some ICMP tests to verify connectivity.

Prerequisites

- Before we start setting up the pfSense firewall inside OCI, it is important to have another instance that can connect to the new pfSense firewall with a web browser to manage it. In this tutorial, we have created a Windows instance to do this. Make sure you have something similar.

Task 1 - Download the pfSense Image

- Download the pfSense image from the Netgate website. Make sure to download the `memstick-serial` version. The filename of the image that we are using is `pfSense-CE-memstick-serial-2.7.2-RELEASE-amd64.img.gz`. For more information, see Netgate (https://sgpfiles.netgate.com/mirror/downloads).

1. The image will be in the `.gz` format.
2. If you are using OS X, right-click on the compressed file and click Open with.
3. Select Archive Utility (default) to uncompress the image.

- Notice that the image filename is `pfSense-CE-memstick-serial-2.7.2-RELEASE-amd64.img`.

Task 2 - Create an OCI Object Storage Bucket

In this task, we will create an OCI Object Storage bucket that we will use to upload the pfSense image and then to create a custom image.

- Create a storage bucket.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Storage.
3. Click Buckets.

- Click Create Bucket.

1. Enter a Bucket name.
2. Select Standard storage tier as Default Storage Tier.
3. Click Create.

- Notice that the storage bucket is created.

Task 3 - Upload the pfSense Image to the Storage Bucket

- Upload the image that we have downloaded in Task 1.

1. Scroll down.
2. Click Upload.

- In the Upload Objects screen, enter the following information.

1. Enter Object Name Prefix.
2. Select Standard as the Storage Tier.
3. Click select files and select the pfSense image.
4. When you have selected the pfSense image you will see it in the following section.
5. Click Upload.

- While the pfSense image is uploading into the storage bucket, you can monitor the progress.

1. When the pfSense image is fully uploaded the progress status will be Finished.
2. Click Close.

Task 4 - Create a Custom Image

We have uploaded the pfSense image. Now, we need to create a custom OCI image from this uploaded image. This custom OCI image will be used to create the pfSense firewall instance.

- Create a custom image.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Compute.
3. Click Custom Image.

- Click Import Image.

- In the Import image section, enter the following information.

1. Enter a name.
2. Select Generic Linux as Operating system.
3. Select Import from an Object Storage bucket.
4. Select the storage bucket where you uploaded the image.
5. In Object name, select the pfSense image.
6. Select VMDK as Image type.
7. Scroll down.

- Keep other fields default and click Import Image.

1. Notice that the status is IMPORTING.
2. Scroll down.

1. Notice the state is In progress.
2. Monitor the progress.

1. After a few minutes, the status is AVAILABLE and the state will change to Succeeded.
2. The % Complete will be 100%.

Task 5 - Create an Instance with the Custom pfSense Image

- Create an instance.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Compute.
3. Click Instances.

- Click Create instance.

1. Enter the instance Name.
2. Scroll down.

- Click Change Image.

1. Select My images.
2. Select Custom images.
3. Scroll down.

1. Select the custom image created in Task 4.
2. Click Select image.

1. Notice that the pfSense image is selected.
2. Scroll down.

1. In Primary network, select Select existing Virtual cloud network.
2. Select the VCN that you want to attach to the pfSense instance.
3. In Subnet, select Select existing subnet.
4. Select the Subnet that you want to attach to the pfSense instance.
5. Scroll down.

1. Select Manually assign private IPv4 address.
2. Enter an IPv4 address.
3. Scroll down.

1. Select No SSH Keys.
2. Scroll down.

- Click Create.

- Notice the status is PROVISIONING.

- After a few minutes, the status will change to RUNNING.

- The following image illustrates the visual representation of what you have created.

F6acd8267ac8b00ea865faeed934db7c.png

Task 6 - Install pfSense on the Instance

We need to do the initial installation and setup of the pfSense firewall. We already have the running instance.

- To install the pfSense firewall software, we need to create a console connection.

1. Scroll down.
2. Click Console connection.
3. Click Launch Cloud Shell connection.

- Notice that the Cloud Shell window will open.

- A few startup messages will show up. Press ENTER.

- Read the copyright messages and select Accept and then press ENTER.

1. Select Install pfSense.
2. Select OK and press ENTER.

1. Select Manual Disk Setup (experts).
2. Select OK and press ENTER.

1. Select da0 - 47 GB MBR.
2. Select Create and press ENTER.

1. In Type, enter freebsd.
2. In Size, enter 46 GB.
3. Enter Mountpoint.
4. Select OK and press ENTER.

1. In da0s4, select 46 GB BSD.
2. Select Create and press ENTER.

1. In Type, enter freebsd-ufs.
2. In Size, enter 40 GB.
3. In Mountpoint, enter /.
4. Select OK and press ENTER.

1. Notice that the mountpoint is created for `/`.
2. In da0s4, select 46 GB BSD.
3. Select Create and press ENTER.

1. In Type, enter freebsd-swap.
2. In Size, enter 5770 MB.
3. Enter Mountpoint.
4. Select OK and press ENTER.

1. Notice that the mountpoint is created for swap.
2. Select Finish and press ENTER.

- Select Commit and press ENTER.

- The installation will start by Initializing the setup.

- The installation will do a quick Checksum verification.

- The installation will do an Archive Extraction.

- You will get the message "Could not locate an existing `config.xml` file!" because this is a new installation.

- Select Reboot and press ENTER.

- After the first reboot you will get a few configuration options to configure the WAN interface.

- For Should VLANS be set up, enter n and press ENTER.

- For Enter the WAN interface name or 'a' for auto-detection (vtnet0 or a), enter `vtnet0`.

698e263a34848e20813264998770e2b0.png

- In this set up, we are creating a firewall with only one interface, so we will not configure the LAN interface. For Enter the LAN interface name or 'a' for auto-detection, press ENTER to skip this interface set up.

C700d5ba99f70e7f3c5c1516cb4af385.png

1. Verify the WAN interface name.
2. For Do you want to proceed, enter y and press ENTER.

2a2603931613405ae5b2d9fca27d48d8.png

- Notice the messages that appear while the configuration is being completed.

97cb92fde1b7bd25dc308989d0f5458b.png

- The pfSense OS will do a full boot.

5c8fc540389730ccf69d442e684fdf5e.png

1. You will see that the IP address will be configured using DHCP.
2. Note the pfSense menu to do some additional basic configuration.

8a6d29053288f769ca23c79bf62ae9db.png

Task 7 - Connect to the pfSense Web Graphic User Interface (GUI) and Complete the Initial Set up

The installation is finished. Now we need to connect to the web interface of the pfSense firewall, but before we can do that, we need to open some ports on the security list of the VCN.

- Add ingress rule.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Virtual Cloud Networks or navigate to Networking and Virtual Cloud Networks.

382a8caedf3cdb3cedcf5d343a1f1a4d.png

- Select the VCN to which your pfSense firewall is attached.

Bd02860caef6720b5bd451a221aa241e.png

1. Scroll down.
2. Click Security Lists.
3. Click the Default Security List for HUB-VCN.

C72da3e94dc023f2ce9205a3e99e9d70.png

- Click Add Ingress Rules to create the ingress rule.

326ac8041cd82f794353595a44da15cd.png

1. In Source Type, enter CIDR.
2. In Source CIDR, for this tutorial, enter `172.16.0.128/25`. This is the subnet that contains the Windows instance we will use to connect to the pfSense firewall with the browser.
3. In IP Protocol, enter TCP.
4. In Destination Port Range, enter `80,443`.
5. Click Add Ingress Rules.

A1339dd96861808e67f4b54a2c4953ca.png

- Notice that the Security Rule is added to allow the TCP/`80` and TCP/`443` ports on the security list that is attached to VCN. This will allow you to set up an HTTP and HTTPS connection from the Windows instance to this new pfSense firewall instance.

6be157ddcb3f517cc3b0791ef9829e94.png

1. Navigate to Compute and Instances.
2. Make a note of your pfSense firewall IP address.

28b4f616fcdd6d881d886e0b96d19448.png

1. In your Windows instance, open a browser and navigate to the pfSense firewall IP using HTTPS.
2. Click Advanced.

76bcf1e35d4282b15c2d2afa926ed91a.png

- Click Continue.

10ad4159aaffacc027033f78509f5016.png

1. Enter default username as `admin`.
2. Enter default password as `pfsense`.
3. Click Sign In.

097722693ac3b73d126bac70d00c2e84.png

- Click Next.

F419ef020b6cb218379f275bf318112b.png

- Click Next.

B77392b01de1006e3266fa9d7688a2ef.png

1. Enter a hostname.
2. Enter a domain name or keep domain name default.
3. Scroll down.

1fdd21cb8071a3fc3a54d97414c92ba8.png

- Click Next.

8a674ab9e934bc9bc588084b0876d24e.png

- Click Next.

88a9500a771a04038b014437e24176c4.png

Note

If you are familiar with networking, this may look a bit odd, because we specified a static IPv4 address during the instance creation. In this particular case, Oracle reserves the static IP in its DHCP server and assigns this address to the pfSense firewall. The pfSense firewall will therefore always get the same IP address: from the OCI perspective this is a static IP, and from the pfSense perspective it is a DHCP address.


1. In Configure WAN interface, select DHCP.
2. Scroll down.

F69f72ba451a33eab682f34a4c44e6c7.png

1. Keep all the IP address settings default.
2. Scroll down.

1f4b2103a0f9241b8c97a98c99936c33.png

- Scroll down.

5be462242d453f77985da1ba1809528f.png

- Click Next.

8b6ad4097b1e321af3fe0d7bb974a312.png

1. Enter a new admin password.
2. Enter the admin password again.
3. Click Next.

5935dbf18ec28a0b69fd9592adc2fb4e.png

- Click Reload.

A59b1b6b8071ab962ce3a322649ff8a3.png

- Notice that the pfSense firewall configuration is reloaded.

3c8a65935c122a5ece6e8289ecdbdc03.png

- Scroll down.

A770c2454734a3e284c1d4f6aea42a3e.png

- Click Finish.

C69ff0d7b7bdd309ead48149f3391121.png

- Scroll down.

A79cfea4c9125e3543d25078b383ba9e.png

- Click Accept.

6a4aca2278c3fc913c2354bb1ca534ef.png

- Click Close.

84c68e8aef774def49c6d56897234fd3.png

- The following image illustrates a visual representation of what you have created. Notice that we will use the Windows stepping stone to connect to the pfSense firewall.

Ee8213698f66635d76e66c88ceb96c04.png

- If the pfSense firewall is not able to reach the internet, the dashboard page will take a bit longer to load. This can be fixed by allowing the pfSense firewall to reach the internet through the OCI NAT gateway.

1. Notice that the pfSense firewall is installed and the dashboard is visible.
2. Notice that the support information is not available. This is because the pfSense firewall is installed on a private subnet and this private subnet is not able to reach the internet by default.

3fbb271c84dee9216fc18b07b28a3cb0.png

- Let us route the internet traffic towards the NAT gateway. Make sure you have a NAT gateway present in the VCN.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Virtual Cloud Networks or navigate to Networking and Virtual Cloud Networks.

18ceb173b49ffbdf6b939ebfc05f2989.png

- Select the VCN to which your pfSense firewall is attached and in which the NAT gateway is present.

C0a7538d897965e16fc0ca6402b23ff0.png

1. Click Route Tables.
2. Click Default Route Table for HUB-VCN.

3e020f5880bd480549b9d6cf0d04fe89.png

1. Notice that the default route table contains a route that sends all traffic towards the internet gateway. This is not usable for us, as we need to route the traffic for the private subnet towards the NAT gateway.
2. Click HUB-VCN to go back one page from Route Table Details page.

74c4ed474630d1ca52a39c67d63039e8.png

- To route the traffic towards the NAT gateway for a specific subnet we need to create a new route table and attach that route table to the private subnet. Click Create Route Table.

91258b4310c50ba3cd39302452da9032.png

1. Enter a name.
2. In Target Type, enter NAT Gateway.
3. In Destination CIDR Block, enter `0.0.0.0/0`.
4. Scroll down.

F1b0a39b731ef60dc51baf651251886d.png

1. Select the NAT Gateway that you already have available in the VCN. If you do not have a NAT gateway, click Cancel and create a NAT gateway.
2. Click Create.

E68152748342aa139eb7a5045f2713ef.png

1. Notice that the static route towards the NAT gateway is now created.
2. Click HUB-VCN to go back one page from Route Table Details page.

65396f0a516c7a98fa9a45ff9df93457.png

- Notice that you have created a new route table.

B85590da4c737e92299f7a9c391dc88b.png

- Now, it is time to bind that route table to the subnet.

1. Click Subnets.
2. Click Private subnet, the subnet to which the pfSense instance is currently attached.

Ae0aea5b596d6ef5baf0a35c371e8816.png

- Click Edit.

B962fd28006c652ff87bb2b64041145a.png

1. Select the route table you just created.
2. Click Save Changes.

F65947c2c5e3146530f92cb64d96ea46.png

- Notice that the route table has been changed for the private subnet.

7bafa510b043ecd4f141cc599122c8dd.png

- Go back to the Windows instance.

1. Refresh the page.
2. Scroll down.

E32865d1c394d1c8a1c162b7dcac1f01.png

- Click Accept.

1f7bd4cef6ae59272f0e74518680c209.png

- Click Close.

354446069d65f648528cb84074148d03.png

- Notice that the Netgate Services and Support section will change.

- The response time of the dashboard page will also be quicker.

768db7350efa713977f4ba1c523eb7c8.png

- Use the pfSense web management interface.

1. Click Firewall.
2. Click Rules.

2e128c98d2e202498f640a180d024fac.png

- Notice the default rules of the pfSense firewall.

1a4ece95b0c87335ef26a86361afde39.png

- The following image illustrates a visual representation of what you have created.

- Notice that the NAT gateway will be used so that the pfSense firewall can communicate with the internet.

- Notice that we have also opened ports TCP/`80` and TCP/`443` on the default security list.

335255883f0a0bbee0ed469eaaf3e292.png

Task 8 - Verify the Connectivity with Ping

- Verifying the connectivity using ping (ICMP) is a good starting point for testing.

1. In the Windows instance, open the Command Prompt and try to ping the pfSense firewall IP address.
2. Notice that the ping results are showing a 100% packet loss.

E7e4709e641f5e6c86bdaf226356b90b.png

- To solve this, we need to:

- Open Internet Control Message Protocol (ICMP) on the default security list that is attached to the VCN.

- Open ICMP on the pfSense firewall.

- Let us first start with the default security list.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Virtual Cloud Networks or navigate to Networking and Virtual Cloud Networks.

Bfbf9ebc41a70f2ae52213091e40cb3d.png

- Select the VCN to which your pfSense firewall is attached and which has the NAT gateway.

D6315b3654dd2b6dbe4e136691ccac21.png

1. Scroll down.
2. Click Security Lists.
3. Click Default Security List for HUB-VCN.

9544779687129ea524ed4d85320c4b81.png

- Click Add Ingress Rules to create the ingress rule.

A4c088f501942467d43f57a1f19fbddf.png

1. In Source Type, enter CIDR.
2. In Source CIDR, enter `0.0.0.0/0`.
3. In IP Protocol, enter ICMP.
4. Click Add Ingress Rules.

781040ff9b9bec94580b5eb148351bbc.png

- Notice the ICMP rules we have just added.

Cc6c159a12691eb43f9a3ac3709792ac.png

- In the pfSense firewall management interface, click Firewall, Rules and Add to add a new rule.

48bdb8b198b789d87bc981366834658e.png

- Enter the following information.

1. Action: Select Pass.
2. Protocol: Select ICMP.
3. ICMP Subtypes: Select Any.
4. Scroll down.

Ce75db189e4a619f1273cbb054494a4e.png

1. Source: Select Any.
2. Destination: Select Any.
3. Click Save.

2dd9a7994184a4186792720e2cb52517.png

1. Notice that the new ICMP rule is in place.
2. Click Apply Changes to commit the changes.

C4cafae349270240779367109df7d21a.png

- Notice that the changes have been applied successfully.

945efea2f8497fece21fbf1db989be9c.png

1. In the Windows instance, open the Command Prompt and try to ping the pfSense firewall IP address.
2. Notice that the ping results are showing a 0% packet loss.

Ba5905fab3167067d913d9ba261039ea.png

- Another ping test that we can do is from the pfSense firewall towards the internet.

1. Click Diagnostics.
2. Click Ping.

0bf3a8cd21799313693e09cfcc106d2f.png

1. In Hostname, enter `8.8.8.8`.
2. Click Ping.

6bb5027545215f95a9e85add28de413c.png

- Notice that the ping results are showing a 0% packet loss.

B51067574524d9f87d04c4c8717f8360.png

- The following image illustrates a visual representation of what you have created. Notice we have also opened ICMP on the default security list.

A3bd4b61a66c61bbf201306bf950a9eb.png
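The ingress rules added in Task 7 and Task 8 (TCP/`80` and TCP/`443` from `172.16.0.128/25`, then ICMP from `0.0.0.0/0`) can be checked against the intended management scope with a short script. This is an added example, not part of the original tutorial: the rule layout follows OCI's `IngressSecurityRule` fields, the sample rules are constructed from the values entered above, the ICMP rule is assumed to be stored without a type restriction, and `audit_ingress` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample: the ingress rules this tutorial adds to the default
# security list, laid out like OCI IngressSecurityRule objects.
TUTORIAL_RULES = [
    {"source": "172.16.0.128/25", "protocol": "6",
     "tcpOptions": {"destinationPortRange": {"min": 80, "max": 80}}},
    {"source": "172.16.0.128/25", "protocol": "6",
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
    {"source": "0.0.0.0/0", "protocol": "1"},  # ICMP with no icmpOptions (assumed)
]

# IANA protocol numbers as OCI stores them (strings), plus "all".
PROTOCOL_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP", "all": "ALL"}


def audit_ingress(rules, trusted_cidrs):
    """Return (rule_index, protocol, source, finding) tuples for broad rules."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for i, rule in enumerate(rules):
        src = ipaddress.ip_network(rule["source"])
        proto = PROTOCOL_NAMES.get(rule["protocol"], rule["protocol"])
        in_trusted = any(
            src.version == t.version and src.subnet_of(t) for t in trusted
        )
        if src.prefixlen == 0:
            findings.append((i, proto, str(src), "source is any address"))
        elif not in_trusted:
            findings.append((i, proto, str(src), "source outside trusted ranges"))
        # A rule without tcpOptions/udpOptions/icmpOptions matches every
        # port or ICMP type of that protocol.
        if proto == "ICMP" and not rule.get("icmpOptions"):
            findings.append((i, proto, str(src), "all ICMP types allowed"))
        if proto in ("TCP", "UDP") and not rule.get(proto.lower() + "Options"):
            findings.append((i, proto, str(src), "all ports allowed"))
        if proto == "ALL":
            findings.append((i, proto, str(src), "all protocols allowed"))
    return findings


if __name__ == "__main__":
    # The Windows management subnet from Task 7 is the only trusted source.
    for finding in audit_ingress(TUTORIAL_RULES, ["172.16.0.128/25"]):
        print(finding)
```

With the tutorial's values, only the ICMP rule is reported; the two TCP rules pass because their source is the management subnet and each is limited to a single port.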