pfSense Virtual Firewall


What if you could manage routing, DNS, DHCP, NAT, IPsec VPN and SSL VPN, deploy IDS/IPS, firewall your networks, configure forward and reverse proxies, authenticate users with RADIUS or mobile OTP, integrate AD/LDAP user accounts and manage SSL certificates, all from a single platform and dashboard? pfSense brings this broad set of network services together in one package.

pfSense, an open source firewall built on FreeBSD, is a strong combination of networking and security features. With 14 years of continuous development and deployment in production networks, pfSense has become a Swiss Army knife for routing, security and other network services (DNS, DHCP, packet capture, VPN services and more). The “more” part comes from how easily other well-known open source tools can be added to the pfSense platform as packages. pfSense is available in hardware, software and cloud deployment models. The company behind its development and maintenance is Netgate, which provides hardware and official support. Let’s take a look at some of the pfSense features that support a full-featured, secure and flexible network.

pfSense as a virtual device

The software-based pfSense solution is easy to deploy and configure, cost-effective, open source, and well suited to small and medium-sized offices or home networks; deployed on more powerful hardware, it can of course handle much more. pfSense can be deployed on VMware Workstation, ESXi, Microsoft Hyper-V, Proxmox and most other virtualization platforms. pfSense maintains extensive wiki documentation and forums, which I found very useful for installation, configuration and troubleshooting. The ISO file for installing pfSense can be downloaded from here.

When creating the virtual machine in VMware, select FreeBSD 64-bit as the guest operating system; the underlying host must of course also support 64-bit guests. Hardware resources can be as low as 512 MB RAM, 1x vCPU and a 20 GB hard drive, but I use 1 GB RAM, a 30 GB hard drive and 2x vCPU to manage my small lab environment. I also run another pfSense virtual appliance on the Amazon cloud, which provides VPN, firewall and NAT capabilities for my single test EC2 instance.


The advantages of pfSense virtual appliances:

  • Free and cost-effective
  • CPU, RAM and HDD can be increased as demand grows
  • Minimal resource footprint, maximum utilization
  • Add more network interfaces as needed
  • Can be deployed on cloud platforms

Some great built-in features:

  • Routing – Static routing support is built in. Packages such as FRR, Quagga_OSPF and OpenBGPD can be added to enable dynamic routing protocols such as BGP, OSPF and OSPFv6.
  • Firewall – A stateful firewall with interface-based rules. The interface is easy to use for managing inbound and outbound traffic, and rules can be annotated and grouped into sections to keep the rule set organized and manageable.
  • NAT – NAT rules are created in the NAT section, which supports port forwarding and one-to-one NAT. Each time a port-forward NAT rule is created, the matching firewall rule is created or updated automatically. This is one of the genuinely useful features: a NAT rule without the corresponding firewall rule leaves the forwarded traffic blocked.
  • Multi-WAN HA – Multi-WAN high availability can be configured by creating a gateway group and assigning a priority to each gateway.
  • VPN – pfSense offers 5 different VPN options: standard IPsec for site-to-site or client-to-site VPN, OpenVPN (a well-known SSL VPN), L2TP VPN, Apple IPsec VPN, and AWS VPC VPN (applies to Amazon AMI images).
  • DHCP server and relay – With the built-in DHCP server and relay, each interface/network can be configured to assign IP addresses from a range to end devices.
  • Traffic shaping – Traffic shaping can be applied per interface.
  • Load balancing – Pools, virtual servers and monitors can be created to load-balance back-end servers.
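As an added example (not pfSense's own code) of the NAT/firewall-rule pairing described above: a Python check that parses a pfSense-style config.xml and reports port forwards with no matching pass rule, plus pass rules whose forward is gone. The element names and the sample config are assumptions modelled on the config.xml layout, not taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not a real export). Element names follow the
# config.xml layout as assumed here: forwards under <nat><rule>, rules under <filter><rule>.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <target>192.168.1.10</target><local-port>443</local-port>
      <destination><port>443</port></destination>
      <associated-rule-id>nat_https</associated-rule-id></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <target>192.168.1.20</target><local-port>22</local-port>
      <destination><port>2222</port></destination></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><address>192.168.1.10</address><port>443</port></destination>
      <associated-rule-id>nat_https</associated-rule-id></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><address>192.168.1.30</address><port>3389</port></destination></rule>
  </filter>
</pfsense>"""


def _text(node, path):
    # Stripped text of a child element, or '' when the element is absent.
    child = node.find(path)
    return child.text.strip() if child is not None and child.text else ""


def audit(config_xml):
    """Return (forwards_without_pass, passes_without_forward); each entry is
    (interface, protocol, internal_ip, internal_port)."""
    root = ET.fromstring(config_xml)
    # A port forward is keyed by its redirect target IP and target port.
    forwards = {
        (_text(r, "interface"), _text(r, "protocol"),
         _text(r, "target"), _text(r, "local-port"))
        for r in root.iterfind("nat/rule")
    }
    # Only pass rules with a concrete destination address can match a forward.
    passes = {
        (_text(r, "interface"), _text(r, "protocol"),
         _text(r, "destination/address"), _text(r, "destination/port"))
        for r in root.iterfind("filter/rule")
        if _text(r, "type") == "pass" and _text(r, "destination/address")
    }
    # Forwards without a pass rule mean dropped traffic (the point above);
    # pass rules without a forward are stale leftovers worth removing.
    return forwards - passes, passes - forwards


if __name__ == "__main__":
    missing, stale = audit(SAMPLE_CONFIG)
    print("forwards without a pass rule:", sorted(missing))
    print("pass rules without a forward:", sorted(stale))
```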

Other powerful packages

  • Forward and reverse proxy (Squid) – Squid is a well-known Linux-based forward and reverse proxy that has been in use for more than a decade. The proxy can control Internet traffic from internal users or, in reverse mode, redirect requests to internal servers.
  • SSL certificate management (ACME) – The Automated Certificate Management Environment package is a great tool for obtaining free Let's Encrypt SSL certificates.
  • Bandwidth monitoring (Bandwidth) – This service tracks network bandwidth usage and builds useful per-IP-address graphs of bandwidth utilization.
  • DNS (BIND) – Another well-known open source DNS server; pfSense exposes all BIND settings through the graphical user interface. If you have all the information at hand, a complete DNS server can be set up in minutes.
  • Snort IDS/IPS – A powerful open source intrusion detection and prevention system that monitors and analyzes traffic in real time; content searching and protocol analysis are among Snort’s other useful features. It is deployed as an additional package on pfSense.
  • Suricata IPS
  • FreeRADIUS authentication
  • Port scan/security audit (NMAP)

This is not all: there are many more packages that can be integrated into a pfSense installation to extend its functionality.

Some use cases where pfSense can be deployed:

  • Small office/home networks with a handful of PCs and Wi-Fi
  • Amazon cloud VPC VPN
  • Lab environments
  • Medium-sized companies
  • Large enterprises (with professional support and dedicated hardware appliances)

If you have trouble deploying pfSense as a virtual appliance, feel free to leave a comment on the forum; you may get answers from people who have already tested it.

 


F5 Online Virtual Lab


The F5 lab consists of 2 F5 virtual appliances, both available for configuration. It also includes 3 small web servers for testing load balancer configurations. On this page you can find useful information about the lab equipment, links, useful tutorials and troubleshooting information.

F5 BigIP settings

  1. The devices are installed and licensed
  2. IP address (configured on the F5 management interface) – 192.168.80.2 on F5-1
  3. The management IP on F5-2 is 192.168.80.3 and the universal IP is 192.168.80.5 (this IP is not pre-configured)
  4. Internal IPs on the F5s can be found in the diagram
  5. The device FQDNs have been created on the lab DNS server (details below)
  6. For virtual IPs on the F5, use IPs from the range shown in the lab diagram (link shared on this page)
  7. F5 device interface and VLAN information – interface 1.1 is the INSIDE interface, 1.2 is OUTSIDE; you can use any VLAN number, but leave it untagged.

LAN server settings:

  1. Services running on the LAN servers – SSH, HTTP, HTTPS, FTP, TFTP
  2. A website is already installed and running on all 3 servers and is accessible via TCP ports 80 and 443.
  3. The servers are on an isolated network and cannot be reached until the F5’s internal IP settings are complete.
  4. The IP addresses of the web servers can be found in the network diagram below.
  5. Web server 1 is blue, web server 2 is black, and web server 3 is purple (URLs in the FQDN section below).
  6. The different colours make it easy to see the LTM’s load balancing in action.
  7. Other services can be deployed on the web servers if needed; please let us know.

Test F5 VIP configuration from the Internet

The IP address 10.1.2.200 (from the VIP pool/range) is NATed and reachable from the Internet via ports 80 and 443:

For the above link to work, nodes, pools and the HTTP(S) VIP (10.1.2.200) need to be configured on the F5 device.

Available modules:

  • LTM
  • GTM
  • AFM
  • ASM
  • Version 13.x

Download Network Diagram

Laboratory information and instructions:

If you have already booked your server time, log in to the lab console below with the credentials emailed to you during booking. To book a new time, click here.

Online Lab Console

  1. Log in with the emailed user/password via the link above
  2. A second-step verification code will be emailed
  3. The device list will show the available connections – Windows PC, F5 BigIP-1, F5-BigIP-2
  4. Connect from the listed connections to the Windows 7 PC with labuser / Labroot12!@
  5. F5 device login – GUI – Administrator / Administrator
  6. F5 device login – CLI – admin / the admin user must first be granted CLI access through the GUI
  7. The lab is destroyed automatically 10 minutes after the session ends

Device FQDN (all available from Windows 7 Lab PC):

  1. F5-BigIP-1:f5bigip1.testclue.local
  2. F5-BigIP-2:f5bigip2.testclue.local
  3. Web server 1: webserver1.testclue.local
  4. Web server 2: webserver2.testclue.local
  5. Web server 3: webserver3.testclue.local
  6. The network map provides the device’s IP address
  7. DNS Server – win2k12.testclue.local

Useful links (for small-scale lab deployments):

Discuss F5 configuration in this forum:

Discussion Forum

Questions during the lab session

Use the red “Technical Support” button in the upper right corner of the page to open a ticket and contact the support team.

 

Deploying Cisco Practice Lab


The Cisco online lab consists of 17 virtual appliances, including NX-OS switches, ASA firewalls, Cisco routers and switches. It also includes two small servers for testing end-to-end configurations and topologies. On this page you can find useful information about the lab equipment, links, useful tutorials and troubleshooting information. The network is based on VIRL and runs on a machine with 8 vCPUs, 21 GB RAM and 200 GB of HDD storage.

Cisco Online Lab Setup

  • Up to 17 nodes are available in different configurations (see the device list section below)
  • You can use an existing topology or design your own exercise
  • Once configured, the devices can be accessed via SSH (e.g. PuTTY)
  • Use the browser-based console session to configure the devices
  • The ready-made topology is shown on this page and can also be downloaded

LAN server:

  • Two Ubuntu servers are also provided in the topology
  • These Ubuntu machines can be used for end-to-end testing of the network
  • Find a server’s IP address by running the “ifconfig” command from its console

Device List:

  • 6x Cisco IOSv router
  • 4x Cisco IOSvL2 switch
  • 2x Cisco ASA firewall
  • 2x NX-OS device
  • 2x Ubuntu application test server
  • 1x Windows 7 PC for configuration

Internal network: DATA network 10.1.1.0/24

Download Network Diagram

Laboratory information and instructions:

If you have already booked your server time, log in to the lab console below with the credentials emailed to you during booking. To book a new time, click here.

Online laboratory console

  1. Log in with the emailed user/password via the link above
  2. A second-step verification code will be emailed
  3. List of devices available for connection – Windows PC, Cisco devices
  4. Connect from the listed connections to the Windows 7 PC with labuser / Labroot12!@
  5. Cisco device login – Cisco / Cisco
  6. The lab is destroyed automatically 10 minutes after the session ends
  7. All lab devices are accessible via the browser-based console/CLI access
  8. To enable SSH access to a device from the Internet, add a default route to 192.168.80.1 on that device

Device IP addressing and SSH port (available after adding the default route from the CLI console):

Public IP       SSH Port   Cisco Device IP   Device Type
77.93.215.14    2001       192.168.80.221    (not listed)
77.93.215.14    2002       192.168.80.222    LXC
77.93.215.14    2003       192.168.80.223    ASA 1
77.93.215.14    2004       192.168.80.224    ASA 2
77.93.215.14    2005       192.168.80.225    CSR
77.93.215.14    2006       192.168.80.226    Router 1
77.93.215.14    2007       192.168.80.227    Router 2
77.93.215.14    2008       192.168.80.228    Router 3
77.93.215.14    2009       192.168.80.229    Router 4
77.93.215.14    2010       192.168.80.230    Router 5
77.93.215.14    2011       192.168.80.231    Router 6
77.93.215.14    2012       192.168.80.232    Switch 1
77.93.215.14    2013       192.168.80.233    Switch 2
77.93.215.14    2014       192.168.80.234    Switch 3
77.93.215.14    2015       192.168.80.235    Switch 4
77.93.215.14    2016       192.168.80.236    NX-OS 1
77.93.215.14    2017       192.168.80.237    NX-OS 2
No              NA         192.168.80.238    Ubuntu 1
No              NA         192.168.80.239    Ubuntu 2

Useful links:

Cisco ASA Firewall Configuration Guides

Cisco ASA Firewall Configuration using CLI 8.2

Cisco NX-OS Configuration Guide

For troubleshooting and technical discussions, use this forum:

Discussion Forum

Questions during the lab session

Having problems during the lab session? Email support@testclue.com and we will respond within 10 minutes. Frequently asked questions can also be discussed and answered on the forum. Loss of connectivity to devices or to the lab portal, topology changes, etc. can be sent directly to master@testclue.com

Building VMware Practice Lab


The VMware lab setup tutorial helps you build a small lab environment of three ESXi hosts. One of the three hosts will host vCenter and therefore needs more resources than the other two: at least 12 GB of RAM (10 GB for vCenter, 2 GB for other virtual machines) and 6 vCPUs. Each ESXi host has four network interfaces, namely management, storage, vMotion and data (see the downloadable diagram below), and each ESXi host can connect to network-based storage targets (iSCSI and NFS shares). This VMware lab setup can be rented on test hardware; please click here to book a session.

ESXi host settings (see the useful links section for more explanation):

  • On each ESXi host, vmnic0 is used for management, vmnic1 for storage, vmnic2 for vMotion, and vmnic3 for the data network.
  • The ESXi hosts are up and running.
  • First connect to the Windows Management PC (login – labuser / Labroot12!@)
  • Connect to each ESXi host from the PC through a browser (FQDNs provided on this page) (login – root / Labroot12!@)
  • The IP addresses of the network interfaces can be found in the downloadable diagram.

vCenter installer:

  • Download vCenter here (60-day free trial; the evaluation version can no longer be downloaded once the 60 days expire)
  • The download must be done on the Windows Management PC
  • Download the ISO image, mount it as a CD, and find the folder named vcsa-ui-installer
  • Start installer.exe from the win32 folder to begin the installation
  • Follow the guided step-by-step installer; the ESXi host can serve as the NTP source, or use any NTP source of your choice
  • The required IP addresses can be found in the diagram
  • The setup runs in two stages and needs correct information at each step; otherwise it fails, and the installation takes a while
  • The DNS server IP to use is 192.168.100.5
  • Use thin disk provisioning so the appliance does not reserve all available disk space

Storage connection:

  • iSCSI and NFS share targets are located on the server 10.1.2.5
  • Add the target via the HBA connection (in the storage configuration of ESXi or vCenter)
  • Each ESXi host needs a VMkernel (VMK) interface (as shown in the figure on this page) with a 10.1.2.x IP address, uplinked to vmnic2, to reach the storage

Guest VM settings:

  • Install 1 VM on each ESXi host
  • IP addresses can be found in the diagram
  • The ISO image for the guest VM, along with other useful software, can be downloaded from here
  • The image to use is turnkey-wordpress-14.2-jessie-amd64.iso
  • Allocate 256 MB of RAM and 1x vCPU to this VM
  • After a successful installation, the website home page will be reachable from the Windows Management PC

Download Network Diagram

Laboratory information and instructions:

If you have already booked your server time, log in to the lab console below with the credentials emailed to you during booking. To book a new time, click here.

Online laboratory console

  1. Log in with the emailed user/password via the link above
  2. A second-step verification code will be emailed
  3. The device list will show the connections – Windows, ESXi, vCenter
  4. Connect from the listed connections to the Windows 7 PC with labuser / Labroot12!@
  5. ESXi login details – root / Labroot12!@
  6. vCenter login – root, administrator@testclue.local / Labroot12!@
  7. Use root or administrator as the user and Labroot12!@ as the password for any other VMware device you deploy
  8. The lab is destroyed automatically 10 minutes after the session ends

Device FQDN (all available from Windows 7 Lab PC):

ESXI-1 – https://ESXI-1.testclue.local

ESXI-2 – https://ESXI-2.testclue.local

ESXI-3 – https://ESXI-3.testclue.local

vCenter – https://vcsa.testclue.local

The network map provides the virtual machine’s IP address

DNS server – win2k12.testclue.local (192.168.100.5)

Useful links:

https://docs.vmware.com/en/VMware-vSphere/index.html

For troubleshooting and technical discussions, use this forum:

Discussion Forum

Questions during the lab session

Having problems during the lab session? Email support@testclue.com and we will respond within 10 minutes. Frequently asked questions can also be discussed and answered on the forum. Loss of connectivity to devices or to the lab portal, topology changes, etc. can be sent directly to support@testclue.com