A firewall is usually a sort of black box where only the admins have access. This is what is possible to obtain also during the process to configure pfSense router access. By default the pfSense is configured with the firewall enabled and with the inbound connections blocked and allows for outbound connections. In this article as a follow up from the previous one of the pfSense setup and as part of the series dedicated to pfSense router on VMware, the purpose is to show the very initial steps granting access to the web console, enable the HTTPS and finally install the open vm tools on the pfSense virtual machine for enhanced performance and management.
By far the steps on this guide want to provide a quick overview and show the flexibility to configure pfSense router in a VMware virtual environment. In addition, this article refers to the first configuration steps for the firewall. In particular allowing or blocking access to the pfSense machine itself. Although the principles for creating such rules are very similar to the other ones for applications, VLANs, protocol and services, the idea is to focus on the access to the router first and then dedicate an article to create firewall rules for common applications in a homelab.
Configure pfSense HTTPS for secure access
One of the first and easy things to do to configure pfSense access to the Web Console even more secure is to enable the HTTPS through an SSL certificate. This certificate can be self-created, imported or act as a intermediate certification authority. If public CA are desired, then Let’s Encrypt is a fantastic choice.
From the System > Advanced > Admin Access the main setting for the Web Interface access. By default set on HTTP this can be changed with HTTPS. At this point a SSL certificate needs to be provided. The quickest and easiest way is to let pfSense to create a self signed certificate. this can be accomplished from System > Certificate Manager > CAs. The rest of the options can be set as by default.
In order to make the SSL configuration effective a reboot is required. This will configure pfSense firewall daemon to run again at the start. This can be easily disabled temporarily by executing from the shell “pfctl -d” command. This is shown the previous article.
pfSense virtual router custom access rules
Just after the first pfSense install, some default rules might prevent access to the pfSense as the firewall daemon or service starts at the boot time. Whilst this is great from a security perspective and makes things a lot easier to enforce security, it might take a longer process at the beginning to gather access. This is because by default (and as a best practice) connections from private networks, loop-back addresses and bogon networks are automatically blocked. So if the WAN network falls into any of these categories all the packets are automatically blocked. By default each one of the pfSense network interfaces is automatically configured as a such. This configuration is available under Firewall > Rules > WAN. A good idea is to disable or edit at least the one for private IP addresses.
Creating custom firewall rules is a very simple process. Based on the configured network interface cards, pfSense will automatically create a section for individual rules. The principle is when multiple rules are in a list for a specific interface, the rule that match the criteria wins. So in a chain of 10 rules, starting from the top, the packets will be compared with each rule until they find the proper one, maybe on position 7. If no rule matches the criteria for the network packet then that packet is dropped. This way represents a very flexible management of the network traffic. The “Floating” tab is a special one as rules on this one have precedence over the other tabs and are processed first. So it is a sort of overlay configuration. If no matching rule is found in the floating tab, the rules on the other pertinent tabs for that packet are processed. Again if nothing matches the packet will be dropped. In addition, it is also possible to group the rules in different section using colored line separators.
To allow access to the pfSense Web Console it is necessary to open access either to HTTP/HTTPS depending on which one has been chosen in the previous article on the series. So the rule will look to something like:
- Action = Pass
- Interface = WAN
- Address Family = IPv4
- Protocol = TCP
- Source = Any (this means from any address. Of course a better idea is to restrict this to specific netowrk and even addresses)
The rest of the rule settings will look something like:
- Source = WAN net
- Destination = This firewall (just the pfSense machine. no routing to other networks)
- Destination Port Range = HTTPS (443) From and To
- Description = Highly recommended as it appears in the rule list and also in the logs for troubleshooting
Once ready hit on Save and amend changes.
Similarly another rule to add is the one allowing the PING. This is available in the Protocol > ICMP. As ICMP Subtype it is also possible to choose which responses are allowed / blocked. At the beginning and just for troubleshooting may be handy to leave this set to “any”. For the other Fields for destination the same principles apply. In this case with this rule it is possible to ping the firewall only and not any other network the firewall is attached to.
As soon as the rules are created, these start populating the chain. All the rules are processed from the top. The first rule that matches the packets, is then executed. If none, the packet will be dropped. The sample below shows access to the firewall from the WAN interface on the HTTPS only and for PING responses. As soon as new rules are added, modified or deleted, the Apply Changes button appears to quickly reload the firewall rules. A very quick way to test the changes!
Finally to test the firewall rules are fit for purpose it is a good idea to reboot the pfSense virtual machine. By default on the next boot the pfSense firewall daemon is running blocking access to everything but HTTPS to the Web Console and PING requests through the WAN interface. To restart the pfSense router from the Web GUI is in Diagnostics > Reboot.
Easy Open-VM-Tools install on pfSense
Now that admin access to the console is working as expected and using the Web GUI, it’s time to visit the Package Manager and install the Open VM tools. Such tools improve the pfSense Virtual Machine performance and management from the VMware VCSA console. From System > Package Manager > Available Packages and simply searching for “open” shows the current stable Open-VM-Tools package from the pfSense Community. Next is to press Install.
A further confirmation is required before installing the package.
pfSense will download from the internet the Open-VM-Tools package and pertinent dependencies. In addition, it will also automatically install everything. The process only takes a few moments plus it provides a log for the package installation. Configure pfSense packages couldn’t be any easier!
Now taking a quick look back at the VMware VCSA console it already shows the VMware Tools version running. Plus from the VMware console it also allows to gracefully shutdown and restart the pfSense virtual machine.