Mastering pfSense,
David Zientara
- 450 pages
- English
About This Book
Install and configure a pfSense router/firewall, and become a pfSense expert in the process.
Key Features
- You can always do more to secure your software, so extend and customize your pfSense firewall
- Build a high-availability security system that is fault-tolerant and capable of blocking potential threats
- Put the principles of better security into practice by implementing examples provided in the text
Book Description
pfSense has the same reliability and stability as even the most popular commercial firewall offerings on the market, but, like the very best open-source software, it doesn't limit you.
You're in control: you can exploit and customize pfSense around your security needs.
Mastering pfSense, Second Edition covers features that have long been part of pfSense, such as captive portal, VLANs, traffic shaping, VPNs, load balancing, Common Address Redundancy Protocol (CARP), multi-WAN, and routing. It also covers features added with the release of 2.4, such as support for ZFS partitions and OpenVPN 2.4. This book takes into account the fact that, in order to support increased cryptographic loads, pfSense version 2.5 will require a CPU that supports AES-NI.
The second edition of this book places more emphasis on the practical side of using pfSense than the previous edition, and, as a result, more examples are provided that show, step by step, how to implement many features.
What you will learn
- Configure pfSense services such as DHCP, Dynamic DNS, captive portal, DNS, NTP and SNMP
- Set up a managed switch to work with VLANs
- Use pfSense to allow, block and deny traffic, and to implement Network Address Translation (NAT)
- Make use of the traffic shaper to lower and raise the priority of certain types of traffic
- Set up and connect to a VPN tunnel with pfSense
- Incorporate redundancy and high availability by utilizing load balancing and the Common Address Redundancy Protocol (CARP)
- Explore diagnostic tools in pfSense to solve network problems
Who this book is for
This book is for those with at least an intermediate understanding of networking. Prior knowledge of pfSense would be helpful but is not required.
Those who have the resources to set up a pfSense firewall, either in a real or virtual environment, will especially benefit, as they will be able to follow along with the examples in the book.
Virtual Private Networks
- VPN fundamentals
- Configuring a VPN tunnel in pfSense (IPsec, L2TP, and OpenVPN)
- Troubleshooting VPNs
Technical requirements
VPN fundamentals
- Client-server: In this scenario, a VPN tunnel is used to connect one or more mobile clients to the local networks. The encryption provided by the VPN guarantees that data privacy is maintained. This is probably the deployment scenario you are most likely to use when configuring a VPN with pfSense.
- Peer-to-peer: In this scenario, a VPN tunnel is created between two networks; for example, the main corporate office and a satellite office location. The general idea is that setting up a VPN is cheaper than a leased line between the two locations. Instead of having a router on one end and a mobile client on the other end, there is a router on each end of the tunnel. We will demonstrate an example of peer-to-peer by showing how to configure a site-to-site VPN with IPsec.
- Hidden network: This is a less common deployment scenario, but it is nonetheless worth mentioning. In some cases, data may be too sensitive to place on the main corporate network, and this data may reside on a subnet that is physically disconnected from the rest of the network. If this is the case, a VPN provides a means of connecting to this subnet.
IPsec
- Authentication Header (AH): This header is 32 bits long and provides authentication and connectionless data integrity.
- Encapsulating Security Payload (ESP): This part of the IPsec protocol suite provides authentication, encryption, and data integrity. It also exists in authentication-only and encryption-only modes, which provide either authentication or encryption, but not both. ESP encrypts at least the payload (transport mode) and, in some cases, the entire packet (tunnel mode).
- Security Association (SA): The Security Association is the set of security attributes (for example, encryption algorithm, encryption key, and other parameters) that are used in a connection.
- Transport mode: In this mode, the payload of the IPsec packet is encrypted, but not the IP header. This mode does not support NAT traversal, so it is not a good choice if you are configuring an IPsec connection that must traverse more than one router.
- Tunnel mode: In this mode, the entire packet is encrypted. This mode supports NAT traversal.
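As an added example (not code from the book), the following Python builds ESP packets in the authentication-only mode described above (NULL encryption per RFC 2410 with HMAC-SHA-256-128 as the integrity algorithm) in both transport and tunnel mode, so the difference in what each mode encapsulates and integrity-protects is visible. The sample segment, addresses, SPIs and key are constructed, and the minimal IPv4 header builder is a hypothetical helper.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
IPPROTO_IPIP = 4   # next-header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 16       # HMAC-SHA-256-128: the HMAC-SHA256 tag truncated to 128 bits

def ipv4_header(src, dst, proto, payload_len):
    """Hypothetical helper: minimal 20-byte IPv4 header with the checksum left zero."""
    src_b, dst_b = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)

def esp_encapsulate(spi, seq, data, next_header, key):
    """ESP (RFC 4303) in authentication-only mode: NULL encryption plus an HMAC ICV.
    Transport mode: data is the transport segment, next_header its protocol number.
    Tunnel mode: data is the whole inner IP packet and next_header is 4 (IP-in-IP)."""
    pad_len = (-(len(data) + 2)) % 4           # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + data + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]   # covers header, payload and trailer
    return body + icv

def esp_decapsulate(packet, key):
    """Verify the ICV, then strip the ESP header and trailer; raises ValueError on tampering."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]

def tamper_detected(packet, key, offset):
    """Flip one bit at the given offset and report whether the receiver rejects the packet."""
    mutated = bytearray(packet)
    mutated[offset] ^= 0x01
    try:
        esp_decapsulate(bytes(mutated), key)
        return False
    except ValueError:
        return True

# Constructed sample (not from the book): a TCP segment from 10.0.1.5 to 192.168.2.10 on port 443
KEY = b"constructed-sample-integrity-key"
SEGMENT = struct.pack("!HH", 40000, 443) + b"\x00" * 16 + b"GET / HTTP/1.1\r\n"
INNER = ipv4_header("10.0.1.5", "192.168.2.10", IPPROTO_TCP, len(SEGMENT)) + SEGMENT
# Transport mode carries only the segment; tunnel mode carries the whole inner packet under the ICV
TRANSPORT = esp_encapsulate(0x1000, 1, SEGMENT, IPPROTO_TCP, KEY)
TUNNEL = esp_encapsulate(0x2000, 1, INNER, IPPROTO_IPIP, KEY)
```

Because the encryption is NULL, nothing here is hidden: the example shows integrity coverage only, and in tunnel mode the inner addresses (packet offset 24 is the inner destination) are covered by the ICV while in transport mode they sit in the unprotected outer header. A real deployment pairs ESP with an encryption algorithm so that tunnel mode also conceals the inner header.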