Monday, July 18, 2016

pfSense Secure Interface Access, Part 2

In this second part of the series, I am going to address secure LAN access to your pfSense firewall. The structure of the first part is also used here, although it is not required to be enabled (with the caveat that it lets you undo a bad rule if you accidentally lock yourself out). Even though I have a separate administrative network to access my pfSense firewall, I am going to describe how you tighten security from a single LAN interface (it may actually be more important in this case). There is also the side benefit of being able to lock down access to external equipment to a limited number of your systems when your WAN IP address is on an ACL for that equipment.

Initially we will need to work with the DHCP server functionality, some planning, and the "Reserved" IP addresses possible with pfSense. Mark Furneaux covers the DHCP server of pfSense in a video I haven't linked (yet), but I'll show how to do the steps I am referring to here. The 2.3 release of pfSense makes setting a reserved address extremely easy.

First, we're going to look at the configuration of the DHCP Server, which you can do by selecting 'DHCP Server' from the 'Services' menu. Again, ignore that I have an 'ADMIN' and 'DMZ' interface. The subnet of your LAN interface will be shown ( would be common), along with the range of IP addresses on that interface (the subnet is also common, meaning 254 available IP addresses, with the firewall using one of them for that interface).

We want to have the DHCP server enabled for the LAN interface, and 'Deny Unknown Clients' unchecked at this point. You will either need to know how to determine the MAC address of your systems and devices, or get them on the network one at a time. It will be helpful to start up an Excel spreadsheet (or Google Sheets) to be organized. I set a small DHCP pool in a range of about 20 to 30 addresses, then start arranging blocks above that range of IP addresses for the "reservations".

For this example (with the address range example above) we will set a DHCP pool range 'From' 'To' (30 available IP addresses). I've obscured the address ranges I use, but you can see where the entries go. Here is a screenshot:

Now we are going to pull up the 'DHCP Leases' screen under the 'Status' menu. You will need to determine which systems have a 'dynamic' address, and the IP address that you want to assign to each of them (outside the DHCP pool, on the same subnet, and not already in use by another mapping; pfSense will check all of that when you try to apply the static mapping). That is where your spreadsheet will come into play for organization. You are going to set one column for the IP addresses, one column for the systems, and a column for the MAC address.

I'm extremely organized, and provide a range of ten to twenty addresses for each person (depending how many Internet-enabled devices they have) in the household. A device or system that has both a wired and a wireless connection (like some Roku models or a laptop) gets a separate entry for each. Click on the left-most '+' ('Add Static Mapping', without the blue background) under the 'Actions' column for the system we are going to add for the first "reserved" address.

Come up with a descriptive hostname for the system, and describe it appropriately. Remember to use your spreadsheet to be organized. Apply the settings after you have filled out at least the needed entries:

I recommend setting all the devices and systems (except for your network infrastructure that has addresses statically assigned) on your network this way. Put the "IoT" devices on your DMZ network, as described in my earlier article "Internet of Things, Isolated Networks". Then you are going to check 'Deny Unknown Clients' in the DHCP Server section (for all the network interfaces you have), and tell household members not to give out the wireless password to their friends.
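As a pre-flight check before ticking 'Deny Unknown Clients', here is an added example (my own code, not from the original post or from pfSense) that applies the same tests pfSense runs on a static mapping to a constructed reservation spreadsheet, and lists dynamic leases that still have no mapping. The subnet, firewall address, pool and MAC/IP values are assumed sample data.

```python
import csv
import io
import ipaddress
import re
# Constructed sample data (not from the original post): assumed LAN subnet and
# firewall address, the DHCP pool, the reservation spreadsheet and three rows
# from the 'DHCP Leases' page as (mac, ip, lease type).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_IP = ipaddress.ip_address("192.168.1.1")
POOL = (ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("192.168.1.39"))
RESERVATIONS_CSV = """ip,system,mac
192.168.1.100,alice-laptop-wired,00:11:22:33:44:55
192.168.1.101,alice-laptop-wifi,00:11:22:33:44:56
192.168.1.120,bob-roku,aa:bb:cc:dd:ee:01
192.168.1.20,bad-inside-pool,aa:bb:cc:dd:ee:02
192.168.2.5,bad-wrong-subnet,aa:bb:cc:dd:ee:03
192.168.1.100,bad-duplicate-ip,aa:bb:cc:dd:ee:04
"""
LEASES = [("00:11:22:33:44:55", "192.168.1.100", "static"),
          ("aa:bb:cc:dd:ee:01", "192.168.1.120", "static"),
          ("de:ad:be:ef:00:01", "192.168.1.23", "dynamic")]  # no mapping yet
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
UNUSABLE = (LAN_NET.network_address, LAN_NET.broadcast_address, FIREWALL_IP)


def validate_reservations(csv_text):
    """Return {system: reason} for rows pfSense would reject as a static mapping."""
    problems, seen_ips, seen_macs = {}, set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip, mac = ipaddress.ip_address(row["ip"]), row["mac"].lower()
        if not MAC_RE.match(mac):
            problems[row["system"]] = "malformed MAC address"
        elif ip not in LAN_NET or ip in UNUSABLE:
            problems[row["system"]] = "not a usable host address on the LAN subnet"
        elif POOL[0] <= ip <= POOL[1]:
            problems[row["system"]] = "inside the dynamic DHCP pool"
        elif ip in seen_ips or mac in seen_macs:
            problems[row["system"]] = "duplicate IP or MAC address"
        seen_ips.add(ip)
        seen_macs.add(mac)
    return problems


def unmapped_clients(leases, csv_text):
    """MACs holding a dynamic lease but no reservation: they drop off the network
    once 'Deny Unknown Clients' is checked, so add their static mappings first."""
    mapped = {r["mac"].lower() for r in csv.DictReader(io.StringIO(csv_text))}
    return sorted(mac for mac, _ip, kind in leases
                  if kind == "dynamic" and mac.lower() not in mapped)
```

Run the two functions against your own exported spreadsheet and lease list; an empty result from both means every device on the LAN already has a valid reservation.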

Of course you would have followed my "Guest Wireless Access Point Security" entry earlier this year to set up a DMZ network. Yes, there will be devices that household members will need to add from time to time, and you might also need to set up a block of IP addresses for statically mapping those friends' devices that haven't followed your rules.

Once you have your spreadsheet completed, with which systems you want to be able to access your pfSense firewall, we are going to create an alias (internally I just have a single entry, with all of the IP addresses I allow) for those systems:

Then we will create the rule(s) for allowing these systems to access the firewall interface. The second rule is not needed; it is just an implicit block I have set up for all other systems on the LAN. Note that I am not showing the "Anti-Lockout Rule" (which we will disable later) at the top of the list:

To disable the "Anti-Lockout Rule", one way is to select 'Advanced' from the 'System' menu, or just click on the blue gear to the far right of that specific rule. Scroll down to this portion and check the box. If you accidentally lock yourself out on the LAN interface entirely (and don't have a similar set of rules set up on your equivalent of my "ADMIN" network), then access the firewall from the WAN side and re-enable the "Anti-Lockout Rule".

If there are any steps that I need to explain better, or you feel I should add something, please comment below. The next blog entries will be the remainder of the Mark Furneaux series on pfSense, without many comments. Stay tuned for further pfSense configurations!
