Wednesday, December 30, 2020

Multi-Factor Authentication for the PfSense WebGUI

 Multi-Factor Authentication for the PfSense WebGUI

1. Download the "freeradius3" package

 2. Navigate to the FreeRADIUS option listed under the "Services" tab

3. Go to the "Interfaces" tab and click the green "Add" button

4. Put "Authentication" in description and hit save

5. Click "Add" again

6. Change Port to 1813

7. Change interface Type to Accounting"

8. Put "Accounting" in the description and hit save

9. Go to the "NAS/Clients" tab and click "Add"

10. Under General Configuration put "" as the Client IP address

11. Put "RadServer" (or whatever you want) in in the "Client Shared Secret"

12. Put a shared secret (keep up with shared secret)

13. Save

14. Navigate to "User Manager" under the "System" tab on the top bar of the pfSense menu

15. Go to "Authentication Servers" and click "Add"

16. Under Server Settings enter descriptive name

17. Change type to "RADIUS"

18. Under RADIUS Server Settings put "" as the "Hostname or IP address"

19. Change the "RADIUS NAS IP Attribute" to LAN

20. Enter same shared secret from step 12

21. Hit save

22. Navigate back to the "FreeRADIUS" package under the "Services" tab

23. Under the "users" tab click "Add"

24. Create a username and password and click save

25. Test by going to "Authentication" listed under the "Diagnostics" tab on the top menu of the pfSense

26. Change Authentication Server to "RadServer" (or whatever you named the server) and enter your credentials

27. Click "Test"

28. If successful it will say "User authenticated successfully"

29. Navigate back to "User Manager" under the "System" tab and click on "Authentication Servers"

30. Click the edit button on your "RADIUS" type server

31. Under the "RADIUS server settings" change the Protocol to "PAP" and click "Save"

32. Navigate to the "FreeRADIUS" package under "Services" and click on the "Settings" tab

33. Scroll down to the "Mobile-One-Time-Password Configuration" area and check the box beside "Mobile-One-Time- and click "Save"

34. Click on the "Users" tab and click to edit previously created     user

35. Scroll down to the "One-Time Password Configuration" area

36. Check box beside "One-Time Password"

37. Change "OTP Auth Method" to "Google-Authenticator"

38. Click blue "Generate OTP Secret" (copy this secret somewhere easily accessible as it will be used by the user to set up his Google Authentication on his mobile device)

39. Enter a pin ***MUST BE NUMBERS ONLY***

40. Under the "General Configuration" area remove password (password area must be blank)

41. Click "Save"

42. On the clients phone, download the  Google Authenticator app

43. Click the add button (a "+" sign on the Apple app)

44. Click "Manual entry" 

45. Enter the username from step 24 

46. Enter the OTP Secret from step 38

47. Hit save

48. Credentials are the Username from step 24, and the password is the PIN from step 39 plus the code given on the Google Authenticator app. So if you entered a PIN of "1234" on step 39 and Google Authenticator had a code of "123 4567" your password would be "12341234567"

49. Go to System / User Manager / User and click Add

50. The Username must be the exact same as one of the users you created on the FreeRADIUS service (that was step 23).

51. Create a password (I recommend a VERY long and difficult password, as pfSense will recognize this password as well as your OTP with Google Authenticator as a fail-safe in case your FreeRADIUS quits working). 

52. Add to the "admins" group and click Save. 

53. Go to Settings and change the Authentication Server to your FreeRADIUS server and hit Save.

54. Go back to the FreeRADIUS service and click to edit the user you are using for the WebGUI multi-factor authentication.

55. Scroll down to the "Advanced Configuration" area near the bottom of the page, and enter Class := "admins" into the Additional RADIUS Attributes (REPLY-ITEM) box. Click Save.

56. Test your login to make sure it works with the PIN+OTP from Google Authenticator (ie if you entered a PIN of "1234" on step 39 and Google Authenticator had a OTP code of "123 4567" your password would be "12341234567").

Monday, December 14, 2020

Suricata Startup Instructions

 This is a guide to the basic startup for Suricata on the pfSense. There are many in-depth settings that can be configured to best fit your individual needs, but for this guide I will only be going over the basics needed to start using Suricata. I wouldn’t recommend installing this on any system lower than an SG-3100 as it can be very memory intensive. 

Install Suricata package under “Package Manager”.
Navigate to Suricata under the “Services” tab and click on “Global Settings”.
Check the box for “Install ETOpen Emerging Threats rules” under the “Please Choose The Type Of Rules You Wish To Download” section.
Check the boxes for “Install Snort GPLv2 Community rules” and “Hide Deprecated Rules Categories” under the same section as step 3.
While in the same section, check the box for “Use a custom URL for ETOpen downloads” and on a separate window navigate to the following site:
Copy and paste the following link from the site into the box for “ETOpen Custom Rule Download URL” on the pfSense (be aware that this link may change if Suricata is updated to a different version in the future, so always get the link from site and not this document):
Under the “General Settings” section towards the bottom of the page it is recommended that the time for “Remove Blocked Hosts Interval” be set to 1 hour.
Click the “Save” button at the bottom of the page.
Click on the “Updates” tab and then click “Update” under the “UPDATE YOUR RULE SET” section.
Once updated, navigate to the “Global Settings” tab and change the “Update Interval” to once a day under the “Rules Update Settings” section and click “Save” at the bottom of the page.
Navigate to the “Interfaces” tab and click “Add”.
Under “General Settings” change the “Interface” and “Description” to LAN and click “Save” at the bottom of the page.
Click on the “LAN Categories” tab and click “Select All” under the “Select the rulesets (Categories) Suricata will load at startup” section, then click “Save” at the bottom of the page.
Click on the “Interfaces” tab and click on the blue “play” type button on the interface to start Suricata on this interface.
Click the edit button on that interface and make sure the “Block Offenders” box isn’t checked under the “Alert and Block Settings”.

 I suggest monitoring the feed on the “Alerts” tab for at least a week to check for false positives before implementing it with blocking enabled. If a false positive is found click the red “x” to the right of the alert to force disable the rule and remove it from the current ruleset.

Monday, November 30, 2020

Squid Installation Step By Step For HTTP sites

Just a quick walkthrough on installing SquidGuard and getting it up and running.

1. Install squid and SquidGuard packages from package manager
2. After installation, go to Squid Proxy Server under services
3. Go to the Local Cache and scroll down to the Squid Hard Disk Cache Size area and click the orange "Clear Disk Cache NOW" option
4. Go back to the General tab and scroll down to the Transparent HTTP Proxy area and check the box for Transparent HTTP Proxy "Enable transparent mode to forward all requests for destination port 80 to the proxy server."
5. Scroll to the bottom of the page and save
6. Go to SquidGuard Proxy Filter under services
7. Scroll down to Blacklist options and check box to enable Blacklist
8. Add into Blacklist URL
9. Save
10. Scroll up and go to the Blacklist tab
11. Click the green Download option and wait for download to complete
12. Go to Common ACL tab
13. Click on Target Rules List + sign
14. Scroll down and change Default access [all] to "allow"
15. Deny Porn and Spyware categories (and any other categories you wish to block)
16. Scroll down and save
17. Go back to General settings tab and hit green "Apply" button
18. Go back to Squid Proxy Server under Services tab
19. Check box to enable Squid Proxy and save
20. Go back to Squidguard Proxy Filter
21. Check box to enable and save
22. White box should say "STARTED"

Monday, November 23, 2020

pfBlockerNG: Internet Goes Out After Reboot

While using pfBlockerNG (including the "devel" version) on the SG-3100 and SG-1100 we ran into a problem where all internet traffic would stop after a power loss or a reboot. The only way to get traffic to flow again would be to get into the firewall and disable pfBlocker. The fix ended up being very simple, though, surprisingly we could not find it listed or mentioned anywhere on the Internet. There are just a few settings that I found needed to be changed:

1. Increase Firewall Maximum Table Entries on the System / Advanced / Firewall & NAT page from 400,000 to 600,000 (could be higher but 600,000 has worked very well for me).

2. Enable De-Duplication, CIDR Aggregation and Suppression pfBlockerNG options on the Firewall / pfBlockerNG / IP page.

After changing those settings I haven't been able to recreate the problem at all, even after adding multiple memory intensive packages to the firewall.

Monday, November 16, 2020

Netgate Or Not Netgate

 Personally,  we do use a lot of Netgate gear.  Is it the best thing out there?  Probably not.  But,  the pfsense updates are tested on Netgate gear,  and that does make it more valuable to our customers.  I have not had any complaints or of using Netgate gear,  but I have also put in many pfSense boxes that was something else without issue.  I just think the updates being tested on Netgate gear before you see the update is pretty important. 

Sunday, November 8, 2020

PBR (Policy Based Routing) And PFSense

Another post from sister blog on June 2, 2020.

I went to a customer site today (June 2nd) where they had a Toshiba IP phone system that would not route but to only one destination (the default gateway). But the need was to have certain traffic go out one internet connection (smtp) and the voice traffic out the other. So, I put a Netgate SG-1100 in to do the PBR and it worked great. Doing PBR on PFSense was easy and made sense for this customer. And yes, it's setup with only the LAN port. It's all they needed.

Thursday, October 29, 2020

PFSense: 1:1 NAT Configuration

Vendor documentation is really key to helping admins setup and configure, well, really anything.  You can say that about firewall vendors, network vendors, server vendors, etc.  One thing I always admired about Cisco was their documentation on how to configure different things.  I still believe they are one of the best at documentation.

PFSense has some decent documentation, but not always the most clear documentation.  1:1 NAT'ing is one of those things to me.  So I have outlined what you need to do for a 1:1 NAT'ing when you need access to an internal device from the Internet. 
Now first, I hate when people go into these long paragraphs of how things are supposed to work.  I just want the answer I'm looking for.  But, one thing needs to be clarified here.  1:1 NAT and Port Forwarding are two different things.  Port forwarding uses the IP address of the firewall interface to get to your internal traffic, via different ports you configure.  1:1 NAT uses an IP address on the same network as your WAN interface, but not the interface of the firewall itself.  Clear?
Ok, so in most firewalls, you generally need a couple of things to make getting to an internal device from the Internet happen.
1.  A NAT rule.
2.  A firewall rule.
In Palo Alto, Cisco, Check Point, SonicWall, etc, that's all you need.  However, in PFSense, there is one more thing you have to do to make this work.  Its called a virtual IP (under Firewall --> Virtual IP).  What you do with a virtual IP address is that you are telling the firewall that it needs to handle requests for an internal device you are trying to NAT to.  If you don't, the firewall wont respond to ARP requests made on the WAN side.  If you do add the virtual IP address that you want to use for the WAN IP address you want for your web server, etc, then it will respond to the ARP request and NAT your traffic through.  I verified this with a packet capture, so you can be sure you do need this.
So for a PFSense 1:1 NAT, you need the following:
1.  A NAT rule.
2.  A firewall rule.
AND 3. A virtual IP address that is the same as your WAN side NAT that you configured in #1.  (The subnet mask will be the same as your WAN interface subnet mask.)
Note that you can use this for port forwarding also. 

Wednesday, October 28, 2020

Pfsense: DHCP And What It Won't Do

From our sister blog . We will be moving those pfSense blog posts from there to good blog for ease of finding. 

I always like to talk about what a firewall will do. But sometimes I have to talk about what a firewall won't do. Today, it's PFSense's day to get this kind of talk.

I have a lot of customers that run DHCP on the firewall. Right, wrong, or indifferent doesn't matter for this conversation. What does matter is that Pfsense will do DHCP for any directly connected network. What it won't do is DHCP for a non directly connected network. Is that a need for some people? Yes. Is that the firewalls job to do? It doesn't matter if that's what the customer wants. I personally wouldn't do it there, but in reality, it doesn't really matter. If the firewall goes down, you have bigger problems than DHCP.
So why doesn't PFSense do DHCP for non connected networks? I don't know the answer. What I do know is that other vendors, like Palo Alto and Sonicwall will do DHCP for non directly connected networks. It's not the end of the world, but just something to note.

Saturday, October 24, 2020

How To Do A Password Reset For A pfSense Box

I thought we would start off with how to do a password reset in pfSense.  I have come across this several times when either taking over a firewall or I just plain forgot it.  Either way, you need a console cable to get into CLI to do this.  Below is how it looked.  Its pretty simple, you select "3", then "y", then you are done.  

FreeBSD/arm (FW.localdomain) (ttyu0)

Netgate SG-3100 - Serial: XXXXXXXX - Netgate Device ID: 

*** Welcome to pfSense 2.4.5-RELEASE-p1 (arm) on FW ***

 WAN (wan)       -> mvneta2    -> v4/DHCP4:
 LAN (lan)       -> mvneta1    -> v4:
 OPT1 (opt1)     -> mvneta0    -> 

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 3

The webConfigurator admin password and privileges will be reset to the default (which is "pfsense").
Do you want to proceed [y|n]? y

The password for the webConfigurator has been reset and
the default username has been set to "admin".

Remember to set the password to something else than
the default as soon as you have logged into the webConfigurator.

Press ENTER to continue.

Friday, October 23, 2020

pfSense Blog Startup

 I'd like to introduce to you our new blog on the pfSense firewall, or anything related to pfSense.  The blog will be written by White Rhino Security engineers for the benefit of the general public, in the hopes that it will help with configurations, etc.  As we have not had a dedicated site for one single firewall at this point in time, we thought we would try this out and see how it goes.  Some of the content may be "article like", while others may be direct and to the point on how to configure a certain technology.  It will depend on who is writing the blog post at that particular time.  We hope you find this helpful in some way.

White Rhino Security is a security managed services provider for anyone in the United States.