Basic configuration of the pfSense v.2.4.4-p2 operating system in SIM-Cloud

Important

After installing the virtual pfSense OS we recommend that you carry out its basic configuration. This will configure the network interfaces, security settings and other factors that will contribute to correct and trouble-free operation of the OS.

  1. Preliminary actions

    To accurately identify the internal and external network interfaces of the created pfSense instance, look up their MAC addresses on the SIM-Cloud side.
  2. Define the WAN (external) and LAN (internal) interfaces

After the initial launch of pfSense v.2.4.4-p2, go to its console (INSTANCE CONSOLE). Note the correspondence of the interfaces and their MAC addresses.
Next, answer this series of questions:
  • VLANs will not be used
Should VLANs be set up now[y|n]? n
  • Using the MAC addresses noted earlier, check which interface is in fact the external one (it should correspond to the network 172.16.0.0/20) and specify it:
Enter the WAN interface name or 'a' for auto-detection
(vtnet0 vtnet1 or a): vtnet0
  • The remaining interface can be defined as local:
Enter the LAN interface name or 'a' for auto-detection
NOTE: this enables full Firewalling/NAT mode.
(vtnet1 a or nothing if finished): vtnet1
  • Now a window displays the final details. If everything is correct, save the settings:
WAN  -> vtnet0
LAN  -> vtnet1

Do you want to proceed [y|n]? y
  3. Setting up IP addresses on the interfaces
After applying the settings from the previous step, a welcome message appears that displays the current interface settings: their IP addresses and how they were obtained.
For the current example this is:
*** Welcome to pfSense 2.4.4-RELEASE-p2 (amd64) on pfsense ***

 WAN (wan)       -> vtnet0       -> v4/DHCP4: 172.16.0.3/20
 LAN (lan)       -> vtnet1       -> v4: 192.168.1.1/24
Here, for the WAN interface the settings are received via the DHCP protocol and match the IP address displayed in the instance configuration information.
For the LAN interface a default IP address is automatically set up, and this needs to be changed.
  • To set the IP address for the interface, use option no. 2 (Set interface(s) IP address):
Enter an option: 2

Available interfaces:

1 - WAN (vtnet0 - dhcp, dhcp6)
2 - LAN (vtnet1 - static)
  • Enter the number of the LAN interface:
Enter the number of the interface you wish to configure: 2
  • Enter the local address shown on the dashboard and the subnet mask:
Enter the new LAN IPv4 address. Press <enter> for none:
> 192.168.1.4

Subnet masks are entered as bit counts (as in CIDR notation) in pfSense.
e.g. 255.255.255.0 = 24
     255.255.0.0   = 16
     255.0.0.0     = 8

Enter the new LAN IPv4 subnet bit count (1 to 31):
> 24
  • In the next two steps simply press ‘Enter’:
For a WAN, enter the new LAN IPv4 upstream gateway address.
For a LAN, press <enter> for none:
>

Enter the new LAN IPv6 address. Press <enter> for none:
>
  • Answer ‘No’ in the following two steps:
Do you want to enable the DHCP server on LAN? (y/n) n
Disabling IPv4 DHCPD...Disabling IPv6 DHCPD...

Do you want to revert to HTTP as the webConfigurator protocol? (y/n) n
  • After you press ‘Enter’, the welcome message shows that the LAN interface now has the required IP address:
*** Welcome to pfSense 2.4.4-RELEASE-p2 (amd64) on pfsense ***

 WAN (wan)       -> vtnet0       -> v4/DHCP4: 172.16.0.3/20
 LAN (lan)       -> vtnet1       -> v4: 192.168.1.4/24
  4. Configuring accessibility to the pfSense web interface

To be able to configure the pfSense provider router from the internet, perform the following sequence of actions.

  • Attach a floating IP to the interface with an address from network 172.16.0.0/20. To do this, refer to the floating IP article in our documentation: https://docs.sim-cloud.net/ru/develop/about/network/floating-ip.html
  • By default, access to pfSense is permitted only via a LAN interface. To enable access via WAN and via the INSTANCE CONSOLE, temporarily disable the firewall in pfSense. For this, use option no. 8 (Shell) to access a command line interface from which the firewall can be disabled:
Enter an option: 8

[2.4.4-RELEASE][root@pfSense.localdomain]/root: pfctl -d
pf disabled

Now you can access the pfSense web interface using the floating IP and entering the following URL into the browser: “https://floating IP/”, e.g. https://156.67.54.256/.

Warning

The router is in an unprotected state during this step, so the actions from the following step must be completed as quickly as possible.

  5. Final configuration of pfSense via web interface
  • Change of password for user ‘admin’

    Go to the ‘Users’ tab in the ‘System > User Manager’ section.
    Click the button ‘Edit user’ (with pencil icon) for the ‘admin’ user. A window opens with the properties for this user.
    In the ‘Password’ field, enter the new password, confirm it and save changes by clicking the ‘Save’ button at the bottom.
  • Giving access to the pfSense web interface from the defined IP

    To do this, open the ‘WAN’ tab in the ‘Firewall > Rules’ menu and add a rule according to the table:

    Parameter                Value                  Comment
    Action                   Pass
    Interface                WAN
    Address Family           IPv4
    Protocol                 TCP
    Source                   Single host or alias   Specify the IP address from which access to the pfSense web interface is required
    Destination              WAN address
    Destination Port Range   HTTPS                  Allow access by HTTPS only

    Save the rule by clicking ‘Save’ and apply it by clicking ‘Apply changes’.
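
A check for the pfSense shell (option no. 8) once the WAN rule has been applied: it confirms that pf is enabled again after the earlier pfctl -d and that the HTTPS rule on the WAN interface is not open to any source. This is an added example, not part of the original guide; the function names, the sample pfctl output and the address 203.0.113.10 are constructed, and the parsing assumes the usual text format of pfctl -s info and pfctl -sr.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm the router is protected again.
# Live use from the pfSense shell: audit "$(pfctl -s info)" "$(pfctl -sr)" vtnet0

# Succeeds if the `pfctl -s info` text on stdin reports pf as enabled.
pf_enabled() { grep -q '^Status: Enabled'; }

# Prints the source of each inbound pass rule on interface $1 whose
# destination port is HTTPS, reading `pfctl -sr` text on stdin.
wan_https_sources() {
    awk -v ifc="$1" '
    $1 == "pass" && $2 == "in" {
        onif = 0; dst = 0; https = 0; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "label") break               # ignore free-text rule labels
            if ($i == "on" && $(i+1) == ifc) onif = 1
            if ($i == "from") src = $(i+1)
            if ($i == "to") dst = 1                # only look at the destination port
            if (dst && $i == "port" && ($(i+2) == "https" || $(i+2) == "443")) https = 1
        }
        if (onif && https) print src
    }'
}

# audit INFO RULES IFACE: prints a verdict; returns non-zero while still exposed.
audit() {
    printf '%s\n' "$1" | pf_enabled || { echo "FAIL: pf is disabled"; return 1; }
    srcs=$(printf '%s\n' "$2" | wan_https_sources "$3")
    [ -n "$srcs" ] || { echo "FAIL: no HTTPS pass rule on $3"; return 1; }
    for s in $srcs; do
        [ "$s" != "any" ] || { echo "FAIL: HTTPS on $3 is open to any source"; return 1; }
    done
    echo "OK: pf enabled, HTTPS on $3 limited to:" $srcs
}

# Constructed sample output (203.0.113.10 is a documentation address).
INFO_OFF='Status: Disabled for 0 days 00:03:12          Debug: Urgent'
INFO_ON='Status: Enabled for 0 days 00:00:41           Debug: Urgent'
RULES_OK='block drop in log inet all label "Default deny rule IPv4"
pass in quick on vtnet0 inet proto tcp from 203.0.113.10 to 172.16.0.3 port = https flags S/SA keep state label "USER_RULE: from admin"'
RULES_ANY='pass in quick on vtnet0 inet proto tcp from any to 172.16.0.3 port = https flags S/SA keep state'

audit "$INFO_ON" "$RULES_OK" vtnet0
audit "$INFO_OFF" "$RULES_OK" vtnet0 || true
audit "$INFO_ON" "$RULES_ANY" vtnet0 || true
```

If the check reports that pf is disabled, pfctl -e from the same shell enables it again.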

  6. Permitted address pairs

    It now remains to specify the permitted address pair for the LAN interface from the side of SIM-Cloud.
    This is necessary to allow network traffic to pass from the local network via pfSense.
    This process is described in detail in our article.