Install a pfSense Firewall in Oracle Cloud Infrastructure: Difference between revisions

From Iwan
Jump to: navigation, search
Line 796: Line 796:


[[File:a3bd4b61a66c61bbf201306bf950a9eb.png|800px]]
[[File:a3bd4b61a66c61bbf201306bf950a9eb.png|800px]]
= Conclusion =
In this tutorial, we explained all the necessary steps that you required to set up a pfSense firewall inside OCI. We made adjustments to routing and security lists so that the pfSense firewall can be managed properly and we also did some ICMP tests to verify connectivity. This pfSense firewall setup can be used inside a Hub and Spoke VCN Routing scenario.


[[Category:Oracle Cloud]]
[[Category:Oracle Cloud]]

Revision as of 23:19, 13 June 2024

  1. Install a pfSense Firewall in Oracle Cloud Infrastructure

Introduction

Note

pfSense is not officially supported on Oracle Cloud Infrastructure by Netgate or Oracle. Contact the pfSense support team before trying this tutorial.

pfSense is a firewall that can be used for production or testing purposes where you can simulate the Oracle Cloud Infrastructure (OCI) native firewall services. This pfSense firewall set up can be used inside a hub and spoke VCN routing scenario.

A7b7f599c0c1f48e71d51d651a7c92f5.png

The following image illustrates how the environment will look like when you are finished with the deployment and configuration.

93b14b8cfbcb2cefb7886e68b44d5898.png

Objectives

- Set up a pfSense firewall inside OCI. We will make adjustments to routing and security lists so that the pfSense firewall can be managed properly and we will do some ICMP tests to verify connectivity.

Prerequisites

- Before we start setting up the pfSense firewall inside OCI it is important to have another instance that can connect to the new pfSense firewall using its web browser to perform management on the pfSense firewall. In this tutorial, we have created a Windows instance to do this. Make sure you have something similar.

Task 1 - Download the pfSense Image

- Download the pfSense image from the Netgate website. Ensure to download the `memstick-serial` version. The filename of the image that we are using is `pfSense-CE-memstick-serial-2.7.2-RELEASE-amd64.img.gz`. For more information, see [Netgate].

8d91014eab37afdb40aa85b2407047b0.png

1. The image will be in the `.gz` format.
2. If you are using OS X, right-click on the compressed file and click Open with.
3. Select Archive Utility (default) to uncompress the image.

Cbbe970a460cd6263209c5b9c6ae8767.png

- Notice that the image filename is `pfSense-CE-memstick-serial-2.7.2-RELEASE-amd64.img`.

Cfb7d8789ef6a753c2e393d0b35ff9bb.png

Task 2 - Create an OCI Object Storage Bucket

In this task, we will create an OCI Object Storage bucket that will use to upload the pfSense image and used to create a custom image.

- Create a storage bucket.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Storage.
3. Click Buckets.

F118979872a985d0c9d8bc0ed9eabb5e.png

- Click Create Bucket.

40f0afb9351013395954cfee410c2055.png

1. Enter a Bucket name.
2. Select Standard storage tier as Default Storage Tier.
3. Click Create.

7de262744dda3a2d81d0d9fb3c6c9af2.png

- Notice that the storage bucket is created.

D85e73fe9d7a2fbc9cad040ce82cb1d4.png

Task 3 - Upload the pfSense Image to the Storage Bucket

- Upload the image that we have downloaded in Task 1.

1. Scroll down.
2. Click Upload.

E944c8ac7cbd7a1d4dfdea94336091da.png

- In the Upload Objects screen, enter the following information.

1. Enter Object Name Prefix.
2. Select Standard as the Storage Tier.
3. Click select files and select the pfSense image.
4. When you have selected the pfSense image you will see it in the following section.
5. Click Upload.

4508c607d21d7a3f8cc9a2509c397ce5.png

- While the pfSense image is uploading into the storage bucket, you can monitor the progress.

080c55fb28f66904ad81023f2559407e.png

1. When the pfSense image is fully uploaded the progress status will be Finished. 2. Click Close.

5d8b7405a40cf0291fd81f2352881bcb.png

Task 4 - Create a Custom Image

We have uploaded the pfSense image. Now, we need to create a custom OCI image from this uploaded image. This custom OCI image will be used to create the pfSense firewall instance.

- Create a custom image.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Compute.
3. Click Custom Image.

Cba98847178721693e0f7e9ebcf855ca.png

- Click Import Image.

3e77a321dcef59feb29e74222249725e.png

- In the Import image section, enter the following information.

1. Enter a name.
2. Select Generic Linux as Operating system.
3. Select Import from an Object Storage bucket.
4. Select the storage bucket where you uploaded the image.
5. In Object name, select the pfSense image.
6. Select VMDK as Image type.
7. Scroll down.

Cecb9a114524ba7d59bb680bdae266f6.png

- Keep other fields default and click Import Image.

2f1041658989f2fa60199627da73769d.png

1. Notice that the status is IMPORTING.
2. Scroll down.

899a616dc7b555120def008b8e17429a.png

1. Notice the state is In progress.
2. Monitor the progress.

71518a3e807eafd2295df268e8af3e1f.png

1. After a few minutes, status is AVAILABLE the state will change to Succeeded.
2. The % Complete will be 100%.

3fdc8da3e9086b02f51c987a5607a179.png

Task 5 - Create an Instance with the Custom pfSense Image

- Create an instance.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Compute.
3. Click Instances.

4f209acd014c01bdee15dbb5e56e3355.png

1. Click Create instance.

2e04982bc5600364b7e728a1b9e0da72.png

1. Enter the instance Name.
2. Scroll down.

Cef7fbbd9501836fc77c2495360eb0ab.png

- Click Change Image.

31220e180998e13ef7676248d22fd775.png

1. Select My images.
2. Select Custom images.
3. Scroll down.

24538bdaa4778e80009df20991cc294d.png

1. Select the custom image created in Task 4.
2. Click Select image.

040541d1bb796a8b900c3e1b26abb199.png

1. Notice that the pfSense image is selected.
2. Scroll down.

B4a7355e78ecedb842ffa4aa6dc01e91.png

1. In Primary network, select Select existing Virtual cloud network.
2. Select the VCN that you want to attach to the pfSense instance.
3. In Subnet, select an Select existing subnet.
4. Select the Subnet that you want to attach to the pfSense instance.
5. Scroll down.

F3986710d306f79ac8e85e7766b8f424.png

1. Select Manually assign private IPv4 address.
2. Enter an IPv4 address.
3. Scroll down.

9fb93d31764a1058e18e39fb02e7f45b.png

1. Select No SSH Keys.
2. Scroll down.

5dc3d8afb4ab990808bc07600b03c68a.png

- Click Create.

89425dd0f854ef31652d36153d7c3a06.png

- Notice the status is PROVISIONING.

5fd8498efba69fe00e790ce105f4ff01.png

- After a few minutes, the status will change to RUNNING.

A293ffc6b961a18a76c67860208089dd.png

- The following image illustrates the visual representation of what you have created.

F6acd8267ac8b00ea865faeed934db7c.png

Task 6 - Install pfSense on the Instance

We need to do the initial installation and set up of the pfSense firewall. We already have the running instance.

- To install the pfSense firewall software, we need to create a console connection.

1. Scroll down.
2. Click Console connection.
3. Click Launch Cloud Shell connection.

Fd9aacd5a3b0a077373b98c5ad2fba87.png

- Notice that the Cloud Shell window will open.

71e91e26f2f82c76bcf9a2ad2d459b48.png

- A few startup messages will show up. Press ENTER.

2fd782a6880234a0198ac7fe6a07da28.png

- Read the copyright messages and select Accept and then press ENTER.

2521bb6c16fa4c37880bc65e089392c9.png

1. Select Install pfSense.
2. Select OK and press ENTER.

Fe381ab3d9fae94a0d245b6242f1e4d4.png

1. Select Manual Disk Setup (experts).
2. Select OK and press ENTER.

8fd67234bd1616f7c63d417dbd9fbe93.png

1. Select da0 - 47 GB MBR.
2. Select Create and press ENTER.

61ec1c5100728b6a164085a7c042f6c5.png

1. In Type, enter freebsd.
2. In Size, enter 46 GB.
3. Enter Mountpoint.
4. Select OK and press ENTER.

C48149bf8f648470570cfcf606275f14.png

1. In da0s4, select 46 GB BSD.
2. Select Create and press ENTER.

Beb14bfc3554f018885bcecc932921bf.png

1. In Type, enter freebsd-ufs.
2. In Size, enter 40 GB.
3. In Mountpoint, enter /.
4. Select OK and press ENTER.

02607cc9e1d086e0cd0d1d1a43cab51d.png

1. Notice that the mountpoint is created for `/`.
2. In da0s4, enter 46 GB BSD.
3. Select Create and press ENTER.

Bbb169cef90cab1a7af9c2292cc57876.png

1. In Type, enter freebsd-swap.
2. In Size, enter 5770 MB.
3. Enter Mountpoint.
4. Select OK and press ENTER.

E0bad343e94feac2c5ef1754344b65f3.png

1. Notice that the mountpoint is created for swap.
2. Select Finish and press ENTER

A914f40ded09c496db1fff88c31feb99.png

- Select Commit and press ENTER.

949d03402c59a0810ab43c32ec8ef740.png

- The installation will start Initializing the set up.

C751769adb65d7d3aae163d7d8afae2e.png

The installation will do a quick Checksum verification.

244c423b81dbc67911da0437b7c05608.png

The installation will do an Archive Extraction.

Dffe649a041f36287807e619c04419c4.png

- You will get a message Could not locate an existing `config.xml` file! as this is a new installation.

06af60f1bd96b276ada73f8665a975b8.png

- Select Reboot and press ENTER.

23a3c432d7a5f4c365c973476c63a6a8.png

- After the first reboot you will get a few configuration options to configure the WAN interface.

- For Should VLANS be set up, enter n and press ENTER.

Ae6625dea9917a7f8fb0754ab263db5c.png

- For Enter the WAN interface name or 'a' for auto-detection (vtnet0 or a), enter `vtnet0`.

698e263a34848e20813264998770e2b0.png

- In this set up, we are creating a firewall with only one interface, so we will not configure the LAN interface, therefore, for Enter the LAN interface name or 'a' for auto-detection, press ENTER to skip this interface set up.

C700d5ba99f70e7f3c5c1516cb4af385.png

1. Verify the WAN interface name.
2. For Do you want to proceed, enter y and press ENTER.

2a2603931613405ae5b2d9fca27d48d8.png

- Notice some messages and the configuration will be done.

97cb92fde1b7bd25dc308989d0f5458b.png

- The pfSense OS will do a full boot.

5c8fc540389730ccf69d442e684fdf5e.png

1. You will see that the IP address will be configured using DHCP.
2. Note the pfSense menu to do some additional basic configuration.

8a6d29053288f769ca23c79bf62ae9db.png

Task 7 - Connect to the pfSense Web Graphic User Interface -GUI- and Complete the Initial Set up

The installation is finished, now we need to connect to the web interface of the pfSense firewall. But before this, we need to open some ports on the security list of the VCN.

- Add ingress rule.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Virtual Cloud Networks or navigate to Networking and Virtual Cloud Networks.

382a8caedf3cdb3cedcf5d343a1f1a4d.png

- Select the VCN to which your pfSense firewall is attached.

Bd02860caef6720b5bd451a221aa241e.png

1. Scroll down.
2. Click Security Lists.
3. Click the Default Security List for HUB-VCN.

C72da3e94dc023f2ce9205a3e99e9d70.png

- Click Add Ingress Rules to create the ingress rule.

326ac8041cd82f794353595a44da15cd.png

1. In Source Type, enter CIDR.
2. In Source CIDR, for this tutorial, enter `172.16.0.128/25`. This is the subnet which has the Windows instance, that we will be using to connect to the pfSense firewall using the browser.
3. In IP Protocol, enter TCP.
4. In Destination Port Range, enter `80,443`.
5. Click Add Ingress Rules .

A1339dd96861808e67f4b54a2c4953ca.png

- Notice that the Security Rule is added to allow the TCP/`80` and TCP/`443` ports on the security list that is attached to VCN. This will allow you to set up an HTTP and HTTPS connection from the Windows instance to this new pfSense firewall instance.

6be157ddcb3f517cc3b0791ef9829e94.png

1. Navigate to the Compute and Instances.
2. Make a note of your pfSense firewall IP address.

28b4f616fcdd6d881d886e0b96d19448.png

1. In your Windows instance, open a browser and navigate to the pfSense firewall IP using HTTPS.
2. Click Advanced.

76bcf1e35d4282b15c2d2afa926ed91a.png

- Click Continue.

10ad4159aaffacc027033f78509f5016.png

1. Enter default username as `admin`.
2. Enter default password as `pfsense`.
3. Click Sign In.

097722693ac3b73d126bac70d00c2e84.png

- Click Next.

F419ef020b6cb218379f275bf318112b.png

- Click Next.

B77392b01de1006e3266fa9d7688a2ef.png

1. Enter a hostname.
2. Enter a domain name or keep domain name default.
3. Scroll down.

1fdd21cb8071a3fc3a54d97414c92ba8.png

- Click Next.

8a674ab9e934bc9bc588084b0876d24e.png

- Click Next.

88a9500a771a04038b014437e24176c4.png

Note

If you are into networks this may look a bit weird as we have specified to use a static IPv4 address during the instance creation. The way how it works in this particular case is that Oracle will reserve the static IP in its DHCP server, and will assign this address to the pfSense firewall. So the pfSense firewall will always get the same IP address, but from the OCI perspective, this will be a static IP, and from the pfSense perspective this will be a DHCP address.


1. In Configure WAN interface, select DHCP.
2. Scroll down.

F69f72ba451a33eab682f34a4c44e6c7.png

1. Keep all the IP address settings default.
2. Scroll down.

1f4b2103a0f9241b8c97a98c99936c33.png

- Scroll down.

5be462242d453f77985da1ba1809528f.png

- Click Next.

8b6ad4097b1e321af3fe0d7bb974a312.png

1. Enter a new admin password.
2. Enter a admin password again.
3. Click Next.

5935dbf18ec28a0b69fd9592adc2fb4e.png

- Click Reload.

A59b1b6b8071ab962ce3a322649ff8a3.png

- Notice that the pfSense firewall configuration is reloaded.

3c8a65935c122a5ece6e8289ecdbdc03.png

- Scroll down.

A770c2454734a3e284c1d4f6aea42a3e.png

- Click Finish.

C69ff0d7b7bdd309ead48149f3391121.png

- Scroll down.

A79cfea4c9125e3543d25078b383ba9e.png

- Click Accept.

6a4aca2278c3fc913c2354bb1ca534ef.png

- Click Close.

84c68e8aef774def49c6d56897234fd3.png

- The following image illustrates a visual representation of what you have created. Notice that we will use the Windows stepping stone to connect to the pfSense firewall.

Ee8213698f66635d76e66c88ceb96c04.png

- If the pfSense firewall is not able to reach the internet, the dashboard page will take a bit longer to load. But this can be fixed by allowing the pfSense firewall to the internet by using the OCI NAT gateway.

1. Notice that the pfSense firewall is installed and the dashboard is visible.
2. Notice that the support information is not available. This is because the pfSense firewall is installed on a private subnet and this private subnet is not able to reach the internet by default.

3fbb271c84dee9216fc18b07b28a3cb0.png

- Let us route the internet traffic towards the NAT gateway. Make sure you have a NAT gateway present in the VCN.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Virtual Cloud Networks or navigate to Networking and Virtual Cloud Networks.

18ceb173b49ffbdf6b939ebfc05f2989.png

- Select the VCN where your pfSense firewall is attached to and the NAT gateway is present.

C0a7538d897965e16fc0ca6402b23ff0.png

1. Click Route Tables.
2. Click Default Route Table for HUB-VCN.

3e020f5880bd480549b9d6cf0d04fe89.png

1. Notice that the default route table has a route in there that will route all the traffic towards the internet gateway. This is not usable for us as we need to route the traffic for the private subnet towards the NAT gateway.
2. Click HUB-VCN to go back one page from Route Table Details page.

74c4ed474630d1ca52a39c67d63039e8.png

- To route the traffic towards the NAT gateway for a specific subnet we need to create a new route table and attach that route table to the private subnet. Click Create Route Table.

91258b4310c50ba3cd39302452da9032.png

1. Enter a name.
2. In Target Type, enter NAT Gateway.
3. In Destination CIDR Block, enter `0.0.0.0/0`.
4. Scroll down.

F1b0a39b731ef60dc51baf651251886d.png

1. Select the NAT Gateway that you already have available in the VCN. If you do not have a NAT gateway, click Cancel and create a NAT gateway.
2. Click Create.

E68152748342aa139eb7a5045f2713ef.png

1. Notice that the static route towards the NAT gateway is now created.
2. Click HUB-VCN to go back one page from Route Table Details page.

65396f0a516c7a98fa9a45ff9df93457.png

- Notice that you have created a new route table.

B85590da4c737e92299f7a9c391dc88b.png

- Now, it is time to bind that route table to the subnet.

1. Click Subnets.
2. Click Private subnet, the subnet to where the pfSense instance is currently attached.

Ae0aea5b596d6ef5baf0a35c371e8816.png

- Click Edit.

B962fd28006c652ff87bb2b64041145a.png

1. Select the route table you just created.
2. Click Save Changes.

F65947c2c5e3146530f92cb64d96ea46.png

- Notice that the route table has been changed for the private subnet.

7bafa510b043ecd4f141cc599122c8dd.png

- Go back to the Windows instance.

1. Refresh the page.
2. Scroll down.

E32865d1c394d1c8a1c162b7dcac1f01.png

- Click Accept.

1f7bd4cef6ae59272f0e74518680c209.png

- Click Close.

354446069d65f648528cb84074148d03.png

- Notice that the Netgate Services and Support section will change.

- The response time of the dashboard page will also be quicker.

768db7350efa713977f4ba1c523eb7c8.png

- Use the pfSense web management interface.

1. Click Firewall. 2. Click Rules.

2e128c98d2e202498f640a180d024fac.png

- Notice the default rules of the pfSense firewall.

1a4ece95b0c87335ef26a86361afde39.png

- The following image illustrates a visual representation of what you have created.

- Notice that the NAT gateway will be used so that the pfSense firewall can communicate with the internet.

- Notice we have also opened ports TCP/`80` and TCP/`443` on the default security list.

335255883f0a0bbee0ed469eaaf3e292.png

Task 8 - Verify the Connectivity with Ping

- Verifying the connectivity using ping (ICMP) is a good starting point for testing.

1. In the Windows instance, open the Command Prompt and try to ping the pfSense firewall IP address.
2. Notice that the ping results are showing a 100% packet loss.

E7e4709e641f5e6c86bdaf226356b90b.png

- To solve this, we need to:

- Open Internet Control Message Protocol (ICMP) on the default security list that is attached to the VCN.

- Open ICMP on the pfSense firewall.

- Let us first start with the default security list.

1. Click the hamburger menu (≡) from the upper left corner.
2. Click Virtual Cloud Networks or navigate to Networking and Virtual Cloud Networks.

Bfbf9ebc41a70f2ae52213091e40cb3d.png

- Select the VCN, where your pfSense firewall is attached and has the NAT gateway.

D6315b3654dd2b6dbe4e136691ccac21.png

1. Scroll down.
2. Click Security Lists.
3. Click Default Security List for HUB-VCN.

9544779687129ea524ed4d85320c4b81.png

- Click Add Ingress Rules to create the ingress rule.

A4c088f501942467d43f57a1f19fbddf.png

1. In Source Type, enter CIDR.
2. In Source CIDR, enter `0.0.0.0/0`.
3. In IP Protocol, enter ICMP.
4. Click Add Ingress Rules.

781040ff9b9bec94580b5eb148351bbc.png

- Notice the ICMP rules we have just added.

Cc6c159a12691eb43f9a3ac3709792ac.png

- In the pfSense firewall management interface, click Firewall, Rules and Add to add a new rule.

48bdb8b198b789d87bc981366834658e.png

- Enter the following information.

1. Action: Select Pass.
2. Protocol: Select ICMP.
3. ICMP Subtypes: Select Any.
4. Scroll down.

Ce75db189e4a619f1273cbb054494a4e.png

1. Source: Select Any.
2. Destination: Select Any.
3. Click Save.

2dd9a7994184a4186792720e2cb52517.png

1. Notice that the new ICMP rule is in place.
2. Click Apply Changes to commit the changes.

C4cafae349270240779367109df7d21a.png

- Notice that the changes have been applied successfully.

945efea2f8497fece21fbf1db989be9c.png

1. In the Windows instance, open the Command Prompt and try to ping the pfSense firewall IP address.
2. Notice that the ping results are showing a 0% packet loss.

Ba5905fab3167067d913d9ba261039ea.png

- Another ping test that we can do is from the pfSense firewall towards the internet.

1. Click Diagnostics.
2. Click Ping.

0bf3a8cd21799313693e09cfcc106d2f.png

1. In Hostname, enter `8.8.8.8`.
2. Click Ping.

6bb5027545215f95a9e85add28de413c.png

- Notice that the ping results are showing a 0% packet loss.

B51067574524d9f87d04c4c8717f8360.png

- The following image illustrates a visual representation of what you have created. Notice we have also opened ICMP on the default security list.

A3bd4b61a66c61bbf201306bf950a9eb.png

Conclusion

In this tutorial, we explained all the necessary steps that you required to set up a pfSense firewall inside OCI. We made adjustments to routing and security lists so that the pfSense firewall can be managed properly and we also did some ICMP tests to verify connectivity. This pfSense firewall setup can be used inside a Hub and Spoke VCN Routing scenario.