How to Configure PfSense with an Open Source Firewall (pfBlockerNG)

 

Prerequisites

In this example we are going to install and configure PfSense in virtual environment. Hypervisor I am going to use is "Virtual Box". Basically you need two virtual machines.

• Virtual machine 1 - PfSense
• Memory 1G
• Virtual Disk 5G
• Two Interface Cards
• Virtual machine 2 - Host VM

PfSense virtual PC should have two interface card. One for WAN network. Other one is for LAN. You have to download PfSense ISO image from PfSense official site.

When you create Virtual Machine for PfSense, You have to select Type as BSD and Version as FreeBDS 64-bit version.

Once you completed with Virtual Machine creation, go to settings of the virtual machine and go to Network. Change the network configurations as follow.

Network Diagram 

This is the network digram of our setup. IP details can be different according to your router IP.

PfSense Installation

Power-up the virtual machine and follow these steps.

• Press "Enter"

• Select Install pfSense and Press OK

• Select default Keymap

• Select Auto (UFS) and Press OK

• Once the installation finished, remove the ISO image and reboot the VM

• After reboot, you will get below interface

PfSense Interface Configurations

• Select Assign Interface

• Type "n" and Press Enter

• Enter WAN Interface name

• Enter LAN Interface name

• Enter y to confirm the changers

• Assign IP address for WAN interface. Select Option 2 and Press Enter

• Select WAN interface and Press Enter

• Disable DHCP on WAN interface

• Enter Static IP address for WAN interface

• Enter subnet Mask

• Enter default gateway for WAN

• Disable DHCP6 on WAN interface

• Keep blank for IPv6 address

• Configure web interface protocol HTTP

• Assign IP address for LAN interface. Select Option 2 and Press Enter

• Select LAN Interface

• Enter static IP address for LAN interface

• Enter subnet mask

• Keep LAN default gateway empty

• Keep IPv6 address empty and Press Enter

• Enable DHCP for IPv4 address

• Enter starting address as 192.168.2.100. End address as 192.168.2.200

• Press Enter to continue

Now go to your second VM settings -> network. Under “Adapter 1” attached network interface to “internal Network”. Then select Name from drop down as “em1” 

Now power up your second VM and check whether you have received proper IP address from PfSense DNCP service.

Now access PfSense web interface with LAN IP or PfSense. (http://192.168.2.5). User: admin. Password: pfsense.

Configure "pfBlockerNG"

Install required packages

Install “pfBlockerNG” from PfSense package manager. Go to System->Package Manager->Available Packages. Search the package and install.

General settings

Go to Firewall -> pfBlockNG->General. Set below highlighted options and save.

• In General Settings section, fill the following fields:
• Enable pfBlockerNG: Checked
• Keep Settings: Checked
• Cron Settings: Select Every hour, select 0 as minute, hour and Daily/Weekly
• De-Duplication: Checked
• Suppression: Not checked
• Global Logging: Not checked
• MaxMind Localized Language: Select English
• In Interface/Rules Configuration section, fill the following fields:
• Inbound Firewall Rules: Select WAN and Block
• Outbound Firewall Rules: Select LAN and Reject
• If you have more than one internal interface, press CTRL or CMD (for Mac users) and click on interfaces
• OpenVPN Interface: checked
• IPSec Interface: checked
• Floating Rules: checked
• Rule Order: Select | pfB_Block/Reject | All other Rules | (original format)
• Auto Rule Suffix: Select Null (no suffix)
• Kill States: Not checked
• Click on the Save button once all field are filling

Configure DNS Blocking (DNSBL)

Go to Firewall->pfBlockNG->DNSBL->DNSBL. Select below highlighted options and save.

• In DNSBL section, fill the following fields:
• Enable DNSBL: Checked
• Enable TLD: Not checked
• DNSBL Virtual IP: Enter an IP address is not in our internal networks,
• like 10.66.66.66
• DNSBL Listening Port: Enter 8081
• DNSBL SSL Listening Port: Enter 8443
• DNSBL Listening Interface: Select LAN or another internal interface
• DNSBL Firewall Rule: Checked
• If you have several internal interfaces, press CTRL or CMD (for Mac users) and click on interface
• In DNSBL IP Firewall Rule Settings section, fill the following fields:
• List Action: Select Deny Both
• Enable Logging: Select Enable
• In Advanced Inbound Firewall Rule Settings, I don't change anything
• In Advanced Outbound Firewall Rule Settings, I don't change anything
• In Alexa Whitelist, I don't change anything
• In Custom Domain Whitelist (this list contains custom domains that you need to allow access),
• I recommend using + button in Alert tab to add custom domains to the whitelist. In fact, pfBlockerNG package uses DNS resolution to find CNAME associated to the domain you want to whitelist
• To begin, enter the following whitelist domains:

.twitter.com

.play.google.com

.drive.google.com

.accounts.google.com

.www.google.com

.github.com

.outlook.live.com

.edge-live.outlook.office.com # CNAME for (outlook.live.com)

.outlook.ha-live.office365.com # CNAME for (outlook.live.com)

.outlook.ha.office365.com # CNAME for (outlook.live.com)

.outlook.ms-acdc.office.com # CNAME for (outlook.live.com)

.amazonaws.com

.login.live.com

.mail.google.com

.googlemail.l.google.com # CNAME for (mail.google.com)

.sites.google.com

.www3.l.google.com # CNAME for (sites.google.com)

.docs.google.com

.plus.google.com

evintl-ocsp.verisign.com

evsecure-ocsp.verisign.com

.digicert.com

• In TLD Exclusion List, I don't change anything
• In TLD Blacklist, I don't change anything
• In TLD Whitelist, I don't change anything
• Click on the Save button once all field are filling

DNSBL feeds contain list of URLs that contain adds, malicious software, etc. Please, note that the following list is not a complete and comprehensive list. To configure DNSBL feeds,

Go to Firewall->pfBlockNG->DNSBL>DNSBL Feeds and click on Add button

• Click on + Add button
• In DNSBL Feeds section, fill the following fields:
• DNS GROUP Name: DNSBlockListGroup
• Description: DNS Block list
• DNSBL: Select Auto and ON, enter the full URL and give a name associated to the particular URL
• Download Feed URLs from GIT repo. (Download)
• List Action: Select Unbound
• Update Frequency: Select Once a day
• Weekly (Day of Week): Select Monday
• Enable Alexa Whitelist: Not checked
• In Custom Block List section, I don't change anything
• Click on the Save button once all field are filling

To configure DNSBL Easy List

Go to Firewall-> pfBlockNG -> DNSBL-> DNSBL EasyList

• In DNSBL - EasyList section, fill the following fields:
• DNS GROUP Name: EasyList
• Description: DNSBL Easy list
• EasyList Feeds:
• Select ON, EasyList w/o Elements, name it EasyListWOElements
• Clicl on + Add button
• Select ON, EasyPrivacy, enter EasyListWOElements
• In DNSBL - EasyList Settings section, fill the following fields:
• Categories: Press CTRL or CMD (for Mac users) + click to select following categories:
• EASYLIST Adservers
• EASYLIST Adservers Popup
• EASYLIST Adult Adservers
• EASYLIST Adult Adservers Popup
• EASYPRIVACY Tracking Servers
• EASYPRIVACY Tracking International
• List Action: Select Unbound
• Update Frequency: Select Once a day
• Weekly (Day of Week): Select Monday
• Enable Alexa Whitelist: Not checked
• Click on the Save button once all field are filling

Verification

Check the "dnsbl" service running properly.

Follow below steps to fetch the feed from feed urls and update local database.

Check DNS Blocking (DNSBL)

To verify the DNS blocking, from your second VM, type following command. 

$ nslookup ads.google.com

If the configurations are working fine, you should get reply from PfSense like this.