Let's talk about the open-source firewall pfSense. Why pfSense firewalls? It's built on a very solid FreeBSD platform, currently on FreeBSD 10.1. It runs on standard white-box hardware. It's very configurable and customizable, and you manage it completely from a web interface. You also have full command-line access; nothing is hidden, you have access to everything in there. It has enterprise features such as VPN, CARP failover, QoS and third-party plug-in support. There's an entire framework so people can write third-party plug-ins and add-ons for the system. Commercial support is available, so if you're working in corporate IT or purchasing and you want something that's fully supported with contracts and incident support, that is available from pfSense.

The install is really simple. There are two versions. I'm going to be covering the full version of pfSense, but there's also a nano version, so if you want to run this just off a thumb drive, there's a special install for thumb drives as well that doesn't write the log files persistently to the thumb drive. It's nice for building a small home system. Like I said, this is the full version right here. Really straightforward on the install.
I've got it in VirtualBox to run through this real quick. By default when you start it up, if it finds a previous pfSense install it can recover it, so if you break a pfSense box you can actually use this as a recovery system as well. The default configurations are perfectly fine; change the video format or keymap if you need to. There are a lot of different country codes; anything that's supported in FreeBSD 10.1 should all be in here. I highly recommend the quick and easy install; you can customize everything once you get in there. But if you do want to do a custom install, there are options for everything from RAID to custom partition configurations that you can set up in there. It also has the rescue config.xml option, so you can push in an XML config from a previous install while you're doing the install, let's say if you had one that had a hard drive crash and you just want to rescue it.

Run through the easy install here; it's a lot of Next and Yes. You get a little bar going across telling you when it's done; it doesn't take long to install. At the end you get the choice of a standard kernel or an embedded kernel with no VGA console or keyboard access. You can lock these down so there is no VGA console at all and everything goes through the serial port, like an embedded box for example.
We're just going to use a standard VGA kernel. Once done, you reboot. It reminds you upon reboot that the default username and password are admin and pfsense. Then once booted you see the IP addresses assigned on the WAN and the LAN. I didn't go through all this, but it's kind of neat: if you didn't have them assigned or didn't have the networks plugged in and you wanted to set them, you can set them from the console interface here. When you go to set each one, as you plug them in it assumes that is the one you want to use, so it makes it easy to find the right one if you have four or five different NICs in the system for advanced configurations. You can also, from here, reset the web password if you forget it, or just reset the whole system to factory defaults.

Then we go to the web interface; standard right here, log in with admin and pfsense. Run through the wizard to get all the configuration started. The first thing it asks is whether you want to support the project with a pfSense Gold subscription. This gives you access to the full manual and a few more features; you can also start going with the incident support options and things like that from here. Set the hostname and domain. By default it's going to have a time server in there; just choose your time zone to match your location. Then it wants to know how you want to set up the WAN interface. Now, if you have multiple static IPs, you only set the first static IP in here, so when you're building this out with static addressing it's sometimes a little confusing, because you don't set all your IP addresses up at the beginning. You just set the first IP address up, and later you add the rest of them as aliases. It also supports PPPoE if you're using, for example, a DSL or cable modem that needs a PPPoE login; that's an option on here. Set your LAN IP address and subnet. Change the password. Reload the config and you're in. The first thing you're presented with is the dashboard.
The dashboard is customizable. You can go through here and add different widgets to the dashboard, things you want to see when you first log in, which even include SMART status, service status, system information, wake on LAN and traffic graphs. Once you've added these you just click Save Settings and it becomes permanent. Then you can actually drag these around and rearrange them if you want.

All the defaults under admin access are fine right out of the box. By default you can have up to two people logged in at once to the web configurator. It defaults to HTTPS with a self-signed certificate that it generates. By default it has the web GUI redirect: when you type in the LAN IP address it starts on port 80 and then redirects you to the SSL port. You can also play with some of the advanced settings, firewall optimization options and all the other advanced details, but like I said, out of the box it works perfectly fine. One thing I do change when I set these up is NAT reflection; the NAT reflection option is right in here. The pure NAT option allows NAT reflection, so you can take a website on a web server that's internal, and when you're inside the same network you can still get there. We use ownCloud at my office and this makes it nice, because I put the full URL for ownCloud in there: whether my laptop is inside or outside the office, I don't have to change anything, because with NAT reflection it sees the reflection option and just redirects it internally. There are options to push notifications via Growl.
It's another option, so you can integrate this with other monitoring systems you have around your network. SMTP notifications: you can set up an email server and port so it can notify you by email of any issues.

Users menu. By default you have an admin in here. You can disable admin and create a new one to keep it more secure and locked down. Once you've created another administrator, it'll allow you to log in as that new admin and disable the original admin. Each user is defined here and you have fine-grained control over their group memberships, for which you can build groups. You have effective privileges, so you can give them access only to the parts of the system you want, and it's got a really simple menu: just go through and choose the different areas where you want them to have access. There's also the option, when you're adding these, to allow access to all pages but deny write access, so you can have another person who can go through and see everything in the system but has write access denied, so they can only look. You can also generate internal keys and certificates for each user, and what this allows you to do is pull in these certificates, for example, if you use the OpenVPN server. With OpenVPN you can give each user their own certificate, so you have all the factors of authentication: they need the username, the password and the certificate in order to get in. I'm going to cover that later. The local database is the default out-of-the-box setup.
There are options for LDAP and RADIUS servers, so if you have an enterprise system you want to integrate the access rights into, that's absolutely possible. Here's where you create the groups. You can create a group of just people who can see the web GUI, just people who can see this, or a group of admins from here, and then it's easier to apply the groups without having to go through the fine-grained parts of the permissions.

Loading updates: when I started this system it was 2.2.1, and 2.2.2 became available. It's really simple. It says "update available" on the dashboard, and you go to the auto update. There's an option here to perform a full backup prior to upgrade; definitely click that if you've got plenty of space on the hard drive. It's not that big, it only takes up a couple of gigs. It runs through the update and does it all in place. While it's loading the update, which generally doesn't take very long if you have a faster machine, the firewall keeps routing traffic because everything's pushed into memory, but it will not let you go through and start modifying or configuring things while it's pushing the update. So it minimizes the amount of downtime; the only downtime really is while it's rebooting, but it keeps your system up and running and routing traffic. This is what it shows on the VGA console side, so you can watch it as it runs through the update, spelling out everything that it's done. It doesn't do it silently, so you can even watch as it installs all the packages that are on here. Upon reboot the system is available, but the add-ons are not immediately available, so it takes a few minutes while it reloads these add-ons. It's doing that because sometimes when you go from version to version some of the add-ons may or may not be supported as the new version comes out, and it just will not load those ones. After a few minutes it's all done, and here's the option to restore the full backup. So the full backup is only 1.2.
You could delete or download it, or just roll back and restore, and you're not just restoring settings, you're rolling back the entire system. It'll collect these in here, and once you're done and you feel the system's fine with the new version, you can always delete these to free up space.

With backup/restore you can download the full configuration. By default it does not want to add the RRD data, which is all the data logs; that's fine, because it would add quite a bit to the config.xml. You can encrypt this file if you want and add a password to it. You can also tell it to back up the system but not back up package information, as in the third-party add-ons. Whenever I do a backup I generally do a full backup, because if I only want to restore one specific piece of the system, it gives you fine-grained restore control. For example, if you had downloaded the configuration and somehow messed up the firewall rules and you go, man, I only want to restore that, no problem: just use the firewall rules area. You can grab the XML file, pull just the firewall rules out of it using this, and restore those, no reboot required; it just instantly applies the settings. There's also, at the bottom, an option just to reinstall the packages if you have any problems with the third-party add-ons; it'll just run through and rerun their setups. There is also a config history; the default count is 30, or five, as it says, on NanoBSD. You can then update the count if you have quite a bit of space.
It tells you how much space all the backups are using. For each one of these it's got a history that gives you an idea of what you did as you installed things. You can also pick any two of them and do a diff, and it diffs the two config XML files so you can see what changes were made. At the bottom here you can see that a firewall rule was changed from 192.168.1.22 over to 192.168.9, so you can actually go through here and look, and because it's all XML it's fairly human-readable to figure out what was changed if you want to look at the differences. Once you choose any one of those backups, you just hit Confirm and it applies all the settings from that restore.

Firewall and NAT. Here is the NAT port forward system, and we're just going to start here because it's got an option to create linked rules on the firewall side. For any rule, by default the rule is going to be enabled, but you can disable the rule. You can also choose the interface, protocol and source: any source by default, or you can say specific IP addresses, so you can have this rule be very restricted so that only certain networks or certain areas can come through this port. Then you have the different addresses. I have the WAN address, which was set up, and then I added two alias addresses. You get to name them; I called them second and third WAN address. You can really call these whatever you want, so if you have multiple IP addresses you can give each one of them a name to make it easier for you when you're setting up the firewall rule, so you can say which IP address this NAT rule needs to listen on. Then you set the destination port range. Just out of habit,
I type the port number, as I find it faster than scrolling through, but you can choose any of the predefined services, SMTP, web and so on. If it's not defined, it'll simply say "other". You'll see how it automatically changes that later. The redirect target IP is the internal IP address where you want this port 80 to land, and then there's the redirect target port. Now when you have a port range, all you need to do on the redirect target port is put the first port and it'll figure out the rest. So if the port range was 80 to 100, you still only put 80 under the redirect target port and it'll fill in the blanks for the other one; you don't have to add that in there. Or if you were doing a different port range for the redirect target port, with the external range from 80 to 100 and you wanted it to start at 100, it'll go from 100 to 120 on the redirect target port. Then you have a description: "my internal web server". NAT reflection, if it's turned on, which we did in the beginning: use system defaults, perfectly fine, or you can say specifically for this rule don't use NAT reflection. Also "add associated filter rule": that's important, leave this on; this will automatically create an entry in the firewall table to allow that traffic to pass on that IP address. Once you're done adding any of the firewall configurations, Apply Changes comes up, and that runs through and reloads the ruleset, which actually applies the settings. So you can have all these in there, and until you apply the changes they're not actually pushed into being active in the services. Also, you can see the linked rule in there where you've got the two little lines on there; the linked rule part here is going to show you that there's a rule on the firewall side associated with it. Once the firewall has been reloaded it actually has a page that monitors the filter reloads. I imagine if you had a slow system it would take a long time; on any faster system, by the time you even click that, all the firewall rules have reloaded.
I imagine also, if you had a very long list of firewall rules, it may take a little longer to load. Now if you want to take a look at these rules again, there's also a system in here by which it figures out which admin changed it, so you can see at the bottom here it says "created by admin" on this date, "updated by admin" on this date. For each user it puts that user and what IP address they logged in from, so it gives you tracking: if you created the rules and a rule got changed later and you want to know who changed it, the system documents under each rule that person's username, IP address and the time and date they changed or updated any of the rules. And you can see up here at the top that it's changed over to HTTP instead of just putting 80 in there.

Now, on the firewall rules themselves: here is "my internal web server 80"; this is the linked rule that was created, and you can see that it's grayed out under source, advanced, single host or alias. The reason it does this is because anything you change on the NAT rule is actually going to be reflected in here, so you don't want to break the two. You can choose not to create the automatic rule, which would be more complicated, because you'd have two separate rules you'd have to manage; if you want to change things you'd then have to create the information on the firewall rule. This saves you the trouble of the two-step process. Also, when you're looking at the firewall rules, the option to view the NAT rule is right here, letting you go right back to where you started, so from either side you can get back to the linked rule. There are a lot of advanced features under the firewall system, which even include source OS: it uses nmap-style fingerprinting, which allows you to see the OS of the incoming connection and then create a firewall rule based on that. Big list on here.
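As an added illustration (not pfSense's own code) of two things just described, the config-history diff between two backups and the per-rule "created by" / "updated by" stamps with username, IP address and time, this Python script compares the firewall rule section of two pfSense-style config.xml snapshots and reports which fields changed and who last touched each rule. The element names follow pfSense's config.xml layout but are an assumption here, and all addresses, usernames and timestamps are constructed sample data.

```python
# Added example, not pfSense's own code. Simplified model of what the config
# history "diff" and the per-rule created/updated stamps give you: parse the
# <filter><rule> section of two config.xml snapshots and report changes.
# Element names follow pfSense's config.xml layout (assumption); all values are
# constructed sample data.
import xml.etree.ElementTree as ET

# Constructed snapshot: the linked rule as first created by admin from 192.168.1.5.
OLD_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <tracker>1600000001</tracker>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.1.22</address><port>80</port></destination>
      <descr>NAT my internal web server</descr>
      <created><time>1600000001</time><username>admin@192.168.1.5</username></created>
    </rule>
  </filter>
</pfsense>
"""

# Constructed snapshot: the same rule after admin (from 192.168.1.7) moved the target.
NEW_CONFIG = OLD_CONFIG.replace(
    "<address>192.168.1.22</address>", "<address>192.168.1.9</address>"
).replace(
    "</created>",
    "</created>\n      <updated><time>1600003600</time>"
    "<username>admin@192.168.1.7</username></updated>",
)


def flatten(elem, prefix=""):
    """Flatten an element subtree into {'destination.address': '192.168.1.22', ...}."""
    out = {}
    for child in elem:
        key = prefix + child.tag
        if len(child):                      # container element: recurse
            out.update(flatten(child, key + "."))
        else:                               # leaf (an empty <any/> becomes "")
            out[key] = (child.text or "").strip()
    return out


def load_rules(xml_text):
    """Return {tracker: flattened rule dict} for every <filter><rule>."""
    root = ET.fromstring(xml_text)
    return {r.findtext("tracker"): flatten(r) for r in root.findall("./filter/rule")}


def diff_rules(old_xml, new_xml):
    """Field-level diff of the two rule sets: {tracker: {field: (old, new)}}.

    A field missing on one side shows up as None, so a rule that was added or
    deleted outright appears with all of its fields listed.
    """
    old, new = load_rules(old_xml), load_rules(new_xml)
    changes = {}
    for tracker in sorted(set(old) | set(new)):
        a, b = old.get(tracker, {}), new.get(tracker, {})
        delta = {k: (a.get(k), b.get(k))
                 for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
        if delta:
            changes[tracker] = delta
    return changes


def last_editor(rule):
    """(username@ip, unix time) of the last change: <updated> if present, else <created>."""
    for stamp in ("updated", "created"):
        user = rule.get(stamp + ".username")
        if user:
            return user, int(rule[stamp + ".time"])
    return None


if __name__ == "__main__":
    for tracker, delta in diff_rules(OLD_CONFIG, NEW_CONFIG).items():
        who, when = last_editor(load_rules(NEW_CONFIG)[tracker])
        print(f"rule {tracker}: last changed by {who} at {when}")
        for field, (before, after) in delta.items():
            print(f"  {field}: {before!r} -> {after!r}")
```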
Like I said, I believe it's all based off the same one that you find in nmap. It's as accurate as OS detection is, which is reasonably accurate. It's kind of a novel feature, being able to create a firewall rule based on that. You also have a lot of other advanced options: state entries, packet matching and marking, lots of really detailed things you can get into here if you have something very specific, maximum new connections per host per second for TCP, so you can really get into some fine-grained control on one single rule, or you can leave it all at default.

Here, under virtual IP addresses, is where I added the second and third WAN address. It's really simple to add these: simply type in the address, whether it's a single address or a network, and which interface those addresses are tied to, because you can tie them to the WAN or the LAN, and start adding multiple addresses. Away you go.

The traffic shaping is really extensive on this and really, really nice. It gives you a lot of rules for traffic shaping. You can create all the rules by hand, and that would be difficult; I really recommend using the wizard. The wizard's very thorough, and once you've created it with the wizard, it's no problem to go back in and edit all the details under the rule sets. There are a couple of different wizards: one for multiple LAN/WAN, one for dedicated links. When you set this up the wizard will guide you through the pfSense traffic shaping. Be aware that the custom bandwidth should not exceed 30% of the interface link bandwidth; keep this in mind during the wizard. I have one LAN and one WAN and I'm going to explain some of this next. You choose on the WAN side what the upload and download speeds for the circuit are. We have an 11 meg 50 here, so we put in 11 and 50, and what this does is let the system understand how much bandwidth could potentially be available on the WAN. Then from here it's going to ask me percentages, so I can say I want to allow only a percentage of the bandwidth. Well, it needs to know what the
total bandwidth is so it can control the percentage of it against the bandwidth. So when you're doing this you can get very fine-grained. If you're using VoIP in your office, and we are, for example, you put in your upstream SIP server and prioritize all the voice-over-IP traffic. This is great, so you can completely keep your phones isolated if you have a lot of traffic on your network, because of course phones are really important; you can't have your traffic jittering on the phones. You put this in and it's going to absolutely prioritize that traffic over the other traffic and keep the voice system rolling. This is great because even BitTorrent traffic can be shaped in here, all the P2P traffic. You can control the bandwidth for a catch-all, because BitTorrent traffic can be a little hard to identify if it's some of the more obscure ones. You can say only allow a percentage, or kilobytes per second, or bytes, for the whole downstream, so you can allocate a specific amount of bandwidth with a catch-all. You can also go through each one of these and say only manage BitTorrent traffic; you can do it for all of them: eDonkey, FastTrack, Gnutella, there's a big list of them in here as options. You can also raise the priority of gaming traffic higher than most traffic. This is kind of fun in a home network, so you can take, say, the PlayStation, Steam, Wii consoles, Xbox, and prioritize that traffic over other traffic, so you could actually keep your torrents running and keep your games running at the same time. It actually has a long list of games in here as well, Battlefield and whatnot. This will also raise the priority of other protocols, for example pcAnywhere, VNC, Apple Remote Desktop, AIM, FaceTime, ICQ. You can re-prioritize Google Hangouts, which is nice because if you're doing a lot of Hangouts you want to have the system prioritize that so there are no problems there.
You can set that to a higher priority. If you're using Remote Desktop you can prioritize that so that any remote desktop connections don't get affected by traffic on your network. You can also prioritize VPN traffic across your network, either PPTP or IPsec. You can also do iTunes, MP3s, web priority, email if you have a mail server and you want to make sure it gets more bandwidth. You can do that with some of the downloaders too; the Steam downloader and the Battle.net downloader are supported. It also has CrashPlan and Apple mobile sync. A lot of options in here. Once the traffic shaper wizard is done, hit Finish. It'll apply all of your rules, and then from here you can go through and start going into all the detail for, like, the games I had chosen, or any of the other options in here, and drill down to a lot of detail. You can also just remove the shaper or all the others, so it is completely customizable; even though you used the wizard, anything in here can be gone back to and edited.

If you want to do something really simple, you can go to the limiter. I created a rule called "test limit in" and one called "test limit out".
I actually set them both the same, to limit the bandwidth to 512. Now, whenever you create a traffic limit in the limiter, it doesn't do anything to the firewall unless you apply it to a firewall rule. You can apply it to a blanket rule like all in / all out for one specific LAN, or you can apply it to something like just port 80 traffic, so you could actually limit it if you have a web server internally: you can force a limit on the bandwidth that the web server is allowed to use, or any other service. You do this under Advanced, in/out pipes. So I've got test limit in and test limit out both set to 512, and then from here I set it to the LAN, and stars all the way across means all traffic, so I applied this to the LAN rule in general. Also, you see the little "A" next to this rule, and this little "A" lets you know that there's an advanced setting on this rule, so that way you know which rules have advanced settings. Here were the traffic speeds before the rule: 56, 11 and a half. After the rule: 0.5, 1.5, 2. So it instantly applied the rule to it, no problem.

DHCP server. The DHCP service can be standard; you set your standard ranges. You can also add multiple pools, so you can say I need from this range to this range and from this range to this range, so you can build different pool areas in there. You can also deny unknown clients, so it will only give out addresses to the people you have predefined in the registrations with their MAC addresses. You have all the other options: static ARP, time format changes.
There are a lot of little options in here. You also have TFTP server, NTP servers and network booting. We use network booting in my office and this is nice. You can specify what TFTP server you want and some of the network booting options in there, and which file; pxelinux here was the one we're using. So you can list all of these little details right in here to get it set up. This is nice; a lot of DHCP servers do not have this feature. You have to drop to the command line on some of the other firewalls I've seen and manually add them in, which is kind of a pain in the butt. Once done, you can see all the DHCP leases on the log page. Then there's a plus next to any one of those leases that allows it to become a static lease; that's simple. From there it'll let you fill out all the different details. It'll also let you copy your MAC address; this shows up in a few spots in pfSense where you can just hit Copy MAC Address and it copies the MAC address of your system. Then you have the client identifier, the IP address you want to assign, netboot filename, root path. It'll actually even let you, on a per-client basis, push different DNS servers or WINS servers or even a gateway to each thing it finds on the network. And all the other rules for specifying TFTP servers and NTP servers still apply, so you could actually set up network boot and specify multiple servers by adding static entries.

Captive portal: a really neat feature built right into the system. So we're going to start here. This has a wizard as well that makes it really easy to do; it's not too hard to do manually, but the wizard makes it simple and then you customize later. We're just going to create one called "zone one", description "You shall not pass", and what this is going to do is run through the captive portal settings and set it up on your LAN interface. If you have multiple LAN interfaces, for example if you have a business and you have a restaurant, you want to create a secondary LAN where you have the captive portal
applied, so you can have people who have to log in or get a password from you and don't just get free internet access. This is an option where this would be used, or in a hotel, or any other environment where you want to delegate it out. We've actually put this in schools and set up systems so the kids have to have a password in order to get on the internet. They can get on the network for local access but have to get through the captive portal to actually get out to the internet. For each one of these you can choose how many concurrent connections per client, idle timeout, hard timeout, so you can say exactly 30 minutes after they log in they're forced to log out, which will bring up the login page; an after-authentication redirect URL; and a blocked MAC address URL, so you can customize this. By default it automatically supports redirect, so if they're not logged into the captive portal and they try to go to google.com, it'll redirect them to the captive portal. They enter a username and password and then it redirects them back to wherever they were heading, which in that case would be Google. It's got an option for automatic pass-through of MAC addresses under certain conditions. You can also create, without going into the firewall QoS system, a per-user bandwidth restriction, so for any of the users that log into the captive portal you can set their bandwidth options. The other things are: you can use, by default, the local user manager, or vouchers for the login, and we'll cover vouchers in a minute, or you can federate the access through RADIUS. You can force it to HTTPS using the self-signed certificate, or you can import other certificates in here. Portal page contents: you can customize how the portal page looks; the default will work.
It's just a generic username and password form that comes up, but you can copy and paste this form here and integrate it into your own custom form, upload it and have a completely customized landing page with your company logo or however you want to put it on there with the information. This is what the default pfSense captive portal looks like: just username and password. Once it's done, for each person who's authenticated you can see their username, session start, last activity seen and MAC address. From here you can actually just go and edit and add their MAC addresses, for example, to put them on a permanent list. At the school, for example, all the teachers' MAC addresses are automatically in here; the teachers never see the captive portal, but all the students do. And this is just the entry for it: you can force-block a MAC address or force-pass a MAC address, and you can bypass the bandwidth restrictions by leaving it at zero for no bandwidth restriction, or set per-user bandwidth restrictions on this.

The voucher system is really neat. Let's say you have a coffee shop, for example, and you wanted to give out a custom code to each of your customers that would allow them access through the firewall for a set amount of time. You can control how long each ticket would last for, let's say an hour, and then you create these ticket numbers; each one you give out, they have one hour of access, and when their one hour of access is up it brings them back to the captive portal page and it needs a new voucher number. The default character set is set down here, so you have all the default characters used to generate the voucher, and you can choose a custom character set to make it easier. It already has a couple of things avoided: zero, as you see, is not in here, and O is not in here, so you don't have people confused when they type it. It does have an option to set up an external voucher database and sync port.
So this could probably be integrated, it does say, for example, into a point-of-sale system, or some other way with some scripting. When you want to create the vouchers: I just created one, I called the comment "a thousand tickets", roll number one, I set it to 60 minutes per ticket, and I want a thousand tickets. Once you create it, you see the voucher rolls right here: a thousand tickets, minutes per ticket, and then you have a little "i" for information here, and what that does is let you download this as a CSV file. Here are all the ticket numbers, all incremented out, and there are a thousand of them here. You could, for example, have these behind the counter and just give them out to people, but each one of these represents a 60-minute block of time that people would have, and once the tickets are expired, they're expired. You can just go back into the system and recreate several of these sheets, as many as you want.

Also at the end of the captive portal zone there's a file manager. What the file manager allows you to do, since obviously you need more than just the web interface and the clients don't have external access, is upload the files that you need so they come through when you customize it. You can see it gives you briefly how to do it and set up the image sources to customize the graphics on the captive portal page.

Dynamic DNS. Lots of services are supported for dynamic DNS, so if you're doing this from home and you've got a rotating IP address, there are a lot of them in here and you can add as many of these as you want, one for each entry on here.
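As an added example (not pfSense's own voucher implementation, which works differently internally), here is a small Python model of the voucher roll described above: a roll of one-time codes drawn from a character set that skips look-alike characters such as 0 and O, a CSV sheet like the one downloaded from the info icon, and a redeem check that starts the clock at first use and expires the ticket once its minutes are up. The character set, code length and the fake clock are assumptions for this illustration.

```python
# Added example, not pfSense's own voucher code: a simplified model of a
# captive portal voucher roll. Codes avoid look-alike characters (no 0/O/o or
# 1/l/I/i), each code's clock starts at first use, and it stops working once
# its minutes are up. Character set and code length are assumptions.
import csv
import io
import secrets
import time

# Assumed character set: digits and letters minus 0, O, o, 1, l, I and i.
CHARSET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz"


class VoucherRoll:
    """One roll: `count` unique codes, each worth `minutes` from first use."""

    def __init__(self, roll_number, minutes, count, code_length=10, clock=time.time):
        self.roll_number = roll_number
        self.minutes = minutes
        self.clock = clock              # injectable so expiry can be tested
        self.codes = {}                 # code -> unix time of first use, or None
        while len(self.codes) < count:  # dict keys guarantee no duplicate codes
            code = "".join(secrets.choice(CHARSET) for _ in range(code_length))
            self.codes.setdefault(code, None)

    def to_csv(self):
        """The sheet you would keep behind the counter: roll, ticket #, minutes, code."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["roll", "ticket", "minutes", "code"])
        for ticket, code in enumerate(self.codes, start=1):
            writer.writerow([self.roll_number, ticket, self.minutes, code])
        return buf.getvalue()

    def redeem(self, code):
        """Return (allowed, reason). First use starts the ticket's clock;
        reconnecting within the window is allowed; afterwards it is expired."""
        if code not in self.codes:
            return False, "unknown voucher"
        now = self.clock()
        started = self.codes[code]
        if started is None:
            self.codes[code] = now
            return True, "activated"
        if now - started < self.minutes * 60:
            return True, "still valid"
        return False, "expired"

    def active(self):
        """Codes whose window is currently open (what a status page would list)."""
        now = self.clock()
        return [c for c, t in self.codes.items()
                if t is not None and now - t < self.minutes * 60]


if __name__ == "__main__":
    roll = VoucherRoll(roll_number=1, minutes=60, count=1000)
    print("\n".join(roll.to_csv().splitlines()[:3]))   # header plus first two tickets
```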
You choose the interface to monitor, choose from all the different providers such as ZoneEdit or SelfHost, and you can add them in there to get your dynamic DNS working.

Here are some of the packages that I have installed on here that I'll show: ntop, the OpenVPN client export utility, Snort, iftop and darkstat. These are all really slick and really easy to install from the package manager. The way you put a package in: you go to System, go to Packages. Here are all the packages; you can just scroll through here, and if you want any of them installed you just click the plus and they install really quickly. They're all checked and installed and pulled through pfSense, so they're not being pulled from third-party websites; pfSense validates each one of these packages. Click Confirm to install the package; that runs through, downloads, configures and sets it up, and anything that needs dependencies, it just puts them all in. There's really nothing you need to do to get these to work. Once the packages are installed you'll see the list of them right here. Now, if any of the packages have an update, the system updater does not update them; you have to look at the installed packages and click on the package name itself, and it has an option to update to the latest version of that package.

I have Snort installed in this. By default I set it up on the WAN, of course. It's real straightforward to run through the setup on here. Snort is a great utility for keeping an eye on things, intrusion detection, and it easily supports, just with a checkbox, blocking offenders. I have it set up so it automatically blocks any unusual attacks that come in through here. It has rule set updates: if you have a purchased version of the Snort rules you can set up your username and password and download those. I'm just using the Snort GPL community rules and the Emerging Threats rules. It automatically updates.
I have it set to update every 12 hours. Real straightforward, real simple, very automated system, plus it has lots of customization in here. Here's a quick look at the alerts for the different ones that are coming through and the attacks that are coming through: scans. You can see the type of protocol, attacks; you can see the general description of the attack. You can click the "i" to resolve the address; it tells you when the attack came through, the priority. You can download all the log files; you can set it to auto-refresh, show filtering options. And here's the block list I have set up, so automatically when these IP addresses come in and scan, I have them blocked by default for an hour, and for each one of them, when you click on the little blue icon, it does a resolve. Oh, this is actually kind of interesting: this company scans me a lot, and it turns out that if you go to shodan.io, Shodan is a scanner to find open webcams and open systems that have the default passwords. So it actually just goes out on the internet scanning them and creates an index of them that you can go through. It's kind of a neat service I found by watching them scan my system so much, looking for open ports.

ntop: ntop is nice. It shows up under the Diagnostics menu once you do the install, and you can set the ntop admin password. This is something that they don't have in the description: if you don't set the password, it doesn't work. So you do have to go in here and set the password, not just go right to ntop. Choose the interfaces you want; I chose my LAN, LAN2 and WAN, and then it gives you all the traffic information for them. So it breaks down IP addresses inside your domain; you can sort it by data, sort by TCP, ICMP. Most all the ntop features; the only downside is, under pfSense, somewhere a few versions ago they broke the RRD graphs that were real fancy in ntop, which is unfortunate. But this all works; just the graphing doesn't work in here quite like it should; there's some type of font issue. There's a lot of talk in the forums about fixing it; no one's really got around to fixing it. It will break down so you can look at top talkers by hour. Great when you're trying to trace out where the noise is coming from on your network, if you have a larger network and you're trying to figure out who's pulling too much bandwidth. So it breaks down in kilobits, for example here, by hour for each segment.

iftop: this is a command-line option. So you can install it, SSH into your system, drop to your shell, and you can use iftop to watch the top talkers from the command line, the same iftop that's available for FreeBSD; it just drops it onto the command line through the package installer. So you can see the different IP addresses, where they're talking to, and in real time watch this update. For example, I kicked off a speed test on Comcast and you can see it's pulling right here, you know, 38 megs, 46, 46 megs, 42, with 11 total, so it actually can give you these real-time statistics, so you can watch what's going on on your network and once again go back to doing some tracing on there.

darkstat does the same thing, but it does it right through the web interface. Choose what you want it to watch: LAN, LAN2 and WAN. Access darkstat and these graphs will roll and move in real time, and it's kind of nice, so you can just watch your bandwidth usage go up and down. You can see each IP address and sort to figure out how much bandwidth each one's using: sort by in, out, total; look at the MAC address and IP address of that bandwidth. And then for each one it lets you click on it, and you can see the total type of services that were used, grouped by protocol, UDP, TCP, with totals next to each one of them. And it works for the external IP addresses, so you can see how much SSL traffic, for example, went to this IP, which is actually our RingCentral for our phones.

VPN support: I love the VPN support that's built into pfSense. The OpenVPN is great. So it does cover IPsec, L2TP, PPTP. It does give you a warning if you go to PPTP that it's been compromised and is no longer secure. By default it wants to use your local user database, but it does support LDAP and RADIUS for VPN authentication. You can add your own CAs or you can do self-signed, and I created my own certificates. You do these in the beginning in the cert manager, where you can just create your own certificates for the system. Run through the wizard here and select WAN, UDP; I called it "test vpn". The wizard is very handy anywhere on the system where it's available: it'll set all those default settings to make everything work, and the default settings are secure, and you can easily, without breaking anything after you've set it up with the wizard, go back and change these. So this ran through the wizard here to set this up. This is one of the pages: you set your tunnel network, whether or not you want to force all client traffic through the tunnel, local network, concurrent connections (so if you want unlimited, or you say, you know, this server only has so much bandwidth, I don't want more than five people logging in at a time), compression preferences, type of service, inter-client communication if you want even the VPN people to be able to see each other, and allow duplicate connections. Probably not needed; there are not really too many scenarios I can think of where you do, because it'll kill the old one when it sees the client's gone and create a new session for them. So you don't really want them.
They'll be able to log in twice. You can push different default domains, DNS servers, NTP servers over the network, so when you're assigning the IP address via the VPN it gives you all these custom options. These are checked by default and I highly recommend them: firewall rule, "Add a rule to permit connections to the VPN server process from clients anywhere on the Internet," and also add an OpenVPN rule to allow traffic from connected clients to pass through the VPN tunnel. If you don't do it in the wizard and you forget to do this, you end up like me, pulling your hair out, going "I thought I knew what I was doing," but then I didn't realize I forgot to create a firewall rule, so I could connect with VPN but it wasn't routing traffic. And you can see from the system here it's all set up: you've got Disabled: no; UDP. You can set up multiple VPNs on here, so you can actually set up different VPNs per different WAN interface on here, for example, as another option; you would just run through the wizard again and it would add another one.

Client export. Now this is one of the packages that I showed on the system. I was confused when I first set it up because I was looking for it in the menus; it's not in the menus, it adds a tab directly to the OpenVPN page. This is one of my favorite plugins for pfSense because it makes life so much easier when we deploy these clients. What this will do is create a client export, and for example I put mine and my wife's name in here, and really easy, I can download a Windows XP 32 or 64, or Windows 7 on up (Vista, 7, Windows 8; I've not tried it with Windows 10, but as I understand it works), you have an x86 and x64 version, and it downloads the entire packaged installer with the security certificates, because as we showed on the user side you can create a certificate per user.
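To make the OpenVPN points above checkable rather than something you remember after pulling your hair out, here is an added example (my code, not pfSense's) that audits the OpenVPN-related parts of a pfSense `config.xml` backup: PPTP left enabled, "allow duplicate connections" turned on, certificate-only versus certificate plus username/password, which authentication backend is in use, and whether both firewall rules the wizard offers exist (a pass rule on the WAN to the server port, and a pass rule on the `openvpn` interface). The element names (`openvpn-server`, `mode`, `authmode`, `duplicate_cn`, `local_port`, `filter/rule`, `pptpd`) are as I recall them from config exports and are assumptions to verify against a real backup; in pfSense's config a boolean option is on when its element is present. The XML is constructed for this example.

```python
"""Added example: audit OpenVPN settings in a pfSense config.xml backup.
Not pfSense code. Element names are assumptions from memory; SAMPLE_CONFIG is constructed."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """\
<pfsense>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <mode>server_tls_user</mode>
      <authmode>Local Database</authmode>
      <protocol>UDP</protocol>
      <interface>wan</interface>
      <local_port>1194</local_port>
      <description>test vpn</description>
      <tunnel_network>10.0.8.0/24</tunnel_network>
      <local_network>192.168.1.0/24</local_network>
      <maxclients>5</maxclients>
      <duplicate_cn></duplicate_cn>
      <dns_server1>192.168.1.1</dns_server1>
    </openvpn-server>
  </openvpn>
  <pptpd>
    <mode>server</mode>
  </pptpd>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>udp</protocol>
      <source><any></any></source>
      <destination><any></any><port>1194</port></destination>
      <descr>OpenVPN test vpn wizard</descr>
    </rule>
  </filter>
</pfsense>
"""


def _text(node, path, default=""):
    """Text of the first child at 'path', or default when it is absent."""
    child = node.find(path)
    return (child.text or "").strip() if child is not None else default


def audit_openvpn(xml_text):
    """Return a list of (code, message) findings; an empty list means nothing to flag."""
    root = ET.fromstring(xml_text)
    findings = []

    pptp_mode = _text(root, "pptpd/mode", "off")
    if pptp_mode and pptp_mode != "off":
        findings.append(("PPTP_ENABLED", "PPTP server is enabled; PPTP is broken and should be disabled"))

    rules = root.findall("filter/rule")

    def has_pass_rule(iface, port=None):
        # A pass rule on the interface, optionally to a specific destination port.
        for r in rules:
            if _text(r, "type") != "pass" or _text(r, "interface") != iface:
                continue
            if port is None or _text(r, "destination/port") == port:
                return True
        return False

    for srv in root.findall("openvpn/openvpn-server"):
        name = _text(srv, "description") or f"vpnid {_text(srv, 'vpnid')}"
        mode = _text(srv, "mode")
        if mode == "server_tls":
            findings.append(("CERT_ONLY", f"{name}: certificate-only auth; revocation is the only way to cut a user off"))
        elif mode == "server_user":
            findings.append(("PASSWORD_ONLY", f"{name}: username/password only, no per-user certificate"))
        if srv.find("duplicate_cn") is not None:
            findings.append(("DUPLICATE_CN", f"{name}: duplicate connections allowed; one cert usable from several machines at once"))
        if mode in ("server_user", "server_tls_user") and _text(srv, "authmode") == "Local Database":
            findings.append(("LOCAL_AUTH", f"{name}: users come from the local database, not LDAP/RADIUS (informational)"))
        iface, port = _text(srv, "interface"), _text(srv, "local_port")
        if not has_pass_rule(iface, port):
            findings.append(("NO_WAN_RULE", f"{name}: no pass rule on {iface} to port {port}; clients cannot reach the server"))
        if not has_pass_rule("openvpn"):
            findings.append(("NO_TUNNEL_RULE", f"{name}: no pass rule on the openvpn interface; clients connect but nothing is routed"))
    return findings


def finding_codes(xml_text):
    """Sorted finding codes, convenient for scripting and tests."""
    return sorted(code for code, _ in audit_openvpn(xml_text))


if __name__ == "__main__":
    for code, msg in audit_openvpn(SAMPLE_CONFIG):
        print(f"{code:15} {msg}")
```

Run against the constructed config it reports the missing `openvpn`-interface rule (the "connects but doesn't route" symptom), the duplicate-connection setting, the enabled PPTP server, and, informationally, that users are local rather than LDAP/RADIUS; the certificate-plus-password mode itself is not flagged.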
This actually creates the entire bundle with it in there. So when you run the install, it's a single executable that you're going to run on a Windows machine that does everything for you. It's going to set it up, it's going to put the gateway in, it's going to put the VPN's keys in, and it will put the user's keys in, so you don't have to go through and figure out how to get all these things on there and set up. So it literally takes your setup; you copy this to a thumb drive, you put it on the client's laptop, and you have them completely connected to the VPN, generally in under five minutes. The installer is really just a standard Windows installer using the OpenVPN software. Straightforward, next, next and yes, and it puts all the certificates in and you're done; they can log in. It does still ask them for their username and password, without the option to save, which I really like. There is a way, if you change the settings in OpenVPN, to say they only need a certificate, and then you could control the users by certificate revocation. That's another option too, if you just wanted them to connect without having to use a password. I prefer the combination of certificate and username/password, so that way if you disabled an employee, for example, they wouldn't be able to log in with someone else's, because they wouldn't have that person's matching certificate installed on their system. Extra layer of security when you're talking about people getting access to your internal network. Once it's done, on the status page you can see that they're logged in; you can force them to log out; bytes received. And here are the firewall rules for OpenVPN. The default rule it created was: they can see everything, and we called it the OpenVPN test. It tells you at the end of the description that this firewall rule was created with the wizard, but then you can go in here and start all the controls. So let's say you have a remote contractor and you only want him to have access to one single IP address: you could filter that right through here. You could go through and do all the fine-grained rules and controls just like you can on any of the other firewall sides.

Diagnostics pages: there are a lot of different diagnostics options in here, so you do not have to go to the command line. You can sit here in the web interface and take a look at everything, which is really nice. You can take a look at the ARP tables, the NDP tables for IPv6; this is a completely IPv6-compatible system. Testing user authentication: I like this, this is a nice system. If someone says "my username/password is not working," you don't want to open up another window to even log in and try it, and this will authenticate, whether it's a local database or external databases such as RADIUS or LDAP. Put the username and password in here, hit Test, and it'll give you what the response is from the system for it. Execute command: you can actually just push something right to the command line, download a file, upload a file, or execute special PHP code on the system. "This function is unsupported, use at your own risk," as it says, yes, because you can break the system with it. But if you wanted to just have some command that you wanted to push to reset something, you could put this in here.
Diagnostics DNS lookup: if you want to know how the system sees it with the DNS servers you have listed, type it in. It also allows you to create an alias. The firewall system, I didn't get into detail with it, but it does have an alias system in it, so you could create aliases to add to the firewall rules without having to type it in every time. Ping and traceroute are supported in here as well. It does have a file editor, so you could go load and browse through anything you want here, find a file and edit it without having to go to the command line. Factory reset: you just want to blow the system away and restore it to factory fresh, just go here to Factory Defaults and hit yes. pftop, which you can run from the command line, but it'll actually run through in this and update in real time: number of states, sort by bytes, view speed, so all your general options; you can do these and change them so you can go through and start tracing things out. Show States shows all the different connections and the state that they're in. This is nice too because it gives you the option to reset all the states, so you can just push and reset all connections on there; so if you wanted to create a traffic rule and apply it and then you just want to clear all the states and watch them rebuild, it gives you that option. Diagnostics packet capture: you can capture the WAN, LAN or any of the other interfaces; set a specific protocol, a specific host, a specific port, a specific packet length, count, level of detail and lookups. This is nice because what it does is you can create a large pcap file, then download it and use another external packet analyzer to really try to trace out some of the traffic on your network, because you were looking for something or wanting to see something. It does save it to the hard drive.
You don't want to leave it on too long because obviously you could fill up the disk. But it's nice because it gives you some fine-grained tracing options right in the firewall; of course, because all traffic is passing through it, it can grab it. It gives you all that level of detail that you're looking for when you're trying to trace something out. At the bottom it'll give you the brief of the packets captured and information you can scroll through, and there's the download button where you can download it and import it into whatever packet capture analyzing tool you have. Diagnostics SMART monitoring tools: it will give you health, SMART, or all information for each of the devices if you're running this on a standard hard drive; view the SMART test errors, or abort some of the tests if you've set up a long test on it, and it tells you whether or not it's passed, and you can break down all the detail inside of there. System status: lots of different statuses for all the interfaces, gateways, filters, DHCP leases. You see all the running services; I do like that for each of them you can start and stop the service from here, or you can go to the services pages or even the log entry pages on there. So if you look at a service and it's not running or has an error, you can jump right to its configuration page or you can jump right to its log page and start doing diagnostics on there, or start and stop the service as needed. System logs: you can go through all the details for any of the logs for any of the systems on there: firewall, system status, OpenVPN logs. The firewall logs are really cool.
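For anyone who wants to work with those firewall logs outside the web interface, here is an added example (my code, not pfSense's) that parses the raw `filterlog` lines pfSense writes, picks out the blocked inbound connections to a given host and port, and builds the pf rule the "Easy Rule: pass" action would add for one of them, as well as the table entry "add to blacklist" would create. The field order assumed is the IPv4 filterlog layout as I remember it for pfSense 2.2 (rule number, sub-rule, anchor, tracker id, interface, reason, action, direction, IP version, tos, ecn, ttl, id, offset, flags, protocol id, protocol name, length, source, destination, then per-protocol fields); check the positions against your own log before relying on them. The table name `EasyRuleBlockHosts` is likewise an assumption, and the log lines are constructed for this example.

```python
"""Added example: parse pfSense filterlog lines and build easy-rule equivalents.
Not pfSense code. Field layout and the EasyRuleBlockHosts table name are assumptions;
SAMPLE_LOG is constructed."""
import re

SAMPLE_LOG = """\
Mar 14 10:02:11 fw filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,63,54321,0,DF,6,tcp,60,203.0.113.50,198.51.100.2,51510,443,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar 14 10:02:12 fw filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,117,2222,0,none,17,udp,78,198.51.100.77,198.51.100.2,5060,5060,58
Mar 14 10:02:15 fw filterlog: 70,,,1425000012,igb1,match,pass,out,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.20,203.0.113.80,40001,443,0,S,99,,65535,,mss;sackOK
Mar 14 10:02:16 fw filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,63,54322,0,DF,6,tcp,60,203.0.113.50,198.51.100.2,51511,443,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
"""

# Assumed filterlog field order (IPv4). Verify against a real log before trusting positions.
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "interface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
PORTS = {"tcp": ["sport", "dport", "datalen", "tcp_flags"], "udp": ["sport", "dport", "datalen"]}


def parse_filterlog(line):
    """Return a dict for one IPv4 filterlog line, or None for anything else."""
    m = re.search(r"filterlog(?:\[\d+\])?:\s*(.*)$", line)
    if not m:
        return None
    fields = m.group(1).split(",")
    rec = dict(zip(COMMON, fields))
    if rec.get("ipver") != "4" or len(fields) < len(COMMON) + len(IPV4):
        return None  # IPv6 lines carry a different header; not handled here
    rec.update(zip(IPV4, fields[len(COMMON):]))
    rest = fields[len(COMMON) + len(IPV4):]
    rec.update(zip(PORTS.get(rec["proto"], []), rest))
    rec["time"] = line[:15]  # syslog timestamp prefix
    return rec


def blocked_to(lines, dst, dport=None):
    """Blocked inbound entries to a destination address (and optionally a port)."""
    out = []
    for ln in lines.splitlines():
        rec = parse_filterlog(ln)
        if (rec and rec["action"] == "block" and rec["direction"] == "in"
                and rec["dst"] == dst and (dport is None or rec.get("dport") == str(dport))):
            out.append(rec)
    return out


def easy_rule_pass(rec):
    """pf rule equivalent to 'Easy Rule: pass this traffic' for the logged entry."""
    port = f" port {rec['dport']}" if rec.get("dport") else ""
    return (f"pass in quick on {rec['interface']} proto {rec['proto']} from {rec['src']} "
            f"to {rec['dst']}{port} keep state label \"Easy Rule: Passed from Firewall Log View\"")


def easy_rule_block(rec, table="EasyRuleBlockHosts"):
    """Table entry 'Easy Rule: add to blacklist' would create for the source (table name assumed)."""
    return f"pfctl -t {table} -T add {rec['src']}"


if __name__ == "__main__":
    for rec in blocked_to(SAMPLE_LOG, "198.51.100.2", 443):
        print(rec["time"], rec["src"], "->", rec["dst"], rec["dport"])
        print("  ", easy_rule_pass(rec))
```

The pass rule is deliberately as narrow as the log entry (one source, one destination, one port); the point of the easy rule is to open exactly what you saw blocked, not the whole port to the world.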
You've got a couple of options in here that are nice. So as you're watching the traffic, you can have more detailed log entries created under each rule; you can tell it to do verbose logging on a specific rule. There's also Easy Rule: add to blacklist, and Easy Rule: pass this traffic. So let's say you're trying to troubleshoot a connection that someone's trying to make externally into your system, and for some reason it's just not coming through; go through the rules, look for the IP address and go, "Whoops, I forgot to open up traffic for that." You can actually just hit that rule and it will start allowing traffic to pass, just like that. If you're not sure which rule you just clicked on and accidentally created the easy rule, it will go through here and tell you "Easy Rule: passed from firewall log view," so it actually names that it came from the easy rule creation. The interfaces: if you have DHCP you just need to release and renew; it tells you the status is up, the MAC, the IP address on there, some little details: packets in and out, collisions, errors. Same thing once on the LAN. You have your standard RRD graphs built in here, so you can take a look at things like processor usage, and they're all standard RRD graphs, broken down for, you know, eight hours, one day, one week and so on and so forth, 30 days, one year. Same here with the traffic: look at the WAN, LAN or multiple OPT interfaces. Inverse has some of the details broken out down here. You can look at the overall bandwidth, for example, using this to figure out how much bandwidth the network has used over time. You can also look at it from a packet standpoint instead of a traffic standpoint, to see how many packets have gone through. You can also do custom, so I can say show me only LAN traffic, style inverse, and then choose a date range by which I want to know, so I can actually grab and create the graph based on the data and the logs in the system, and look at a specific time period on a specific network. Back to the DHCP leases: it shows them all, which ones are active and online, which ones are offline.

Pre-built hardware: where to buy these. So if you're looking for a solid system for pfSense, they do sell them on there; each one of these systems includes support. So you can buy some of these firewalls; they've got the wattage and recommendations based on network traffic for which one you'd want. The basic unit is this vk t 40 e at 449. It comes with 8 gigs; you have some other details; each one, like I said, comes with warranty and support. If you wanted to build the systems yourself, it is built using standard white-box hardware, or you can buy these Netgate boxes. These Netgate boxes are the same boxes that pfSense themselves use, so you can get these systems here and load your own, and they are a lot less expensive. Of course you're not getting the support contract with them, but honestly, I've never needed it; it's a well-documented system. And it's nice if you want to save a few dollars and just build it yourself, and if you do need support you can always pay for it separately. Or you can get Intel Atom boards, for example; they are really popular to build these on. There is bandwidth information, but this has no problem, as I understand, routing over a 100-megabit circuit with a standard Atom D2500 board, including running some of the services. The big bandwidth or processor hogs on pfSense come when you have a lot of VPN; that's when you start needing horsepower to handle all the encryption. And thank you very much. If you have any questions, I'm Tom Lawrence and my contact organization is below.