Articles taggués ‘PFsense’

Tutorial: Using VMWare ESXi and PFsense as a network firewall/router

12/05/2016 Comments off

vmware esxi

Using VMWare ESXi and PFsense as a network firewall/router

In most networks, you will have dedicated hardware to function as your “edge” (firewall/router). This is typically for the best, but there are always cases where you can’t put out that dedicated hardware. Sometimes it’s for cost reasons and sometimes it’s for complexity. In my particular case, I was installing an ESXi server in a datacenter and only had 2 amps of power to work with, of which my server took up ~1.8amps at peak load. So cost came into play and we simply couldn’t afford to put in dedicated hardware that could push enough bits. In such cases, it is possible the setup ESXi on the network edge, in a reasonably secure fashion, with PFSense acting as a firewall.

vmware_vsphereThe most important requirement to this project is that your VMWare ESXi server has at least two network ports on it. One will be the WAN port, one will be the LAN port. Also throughout this tutorial I will use PFSense as my firewall/router OS of choice, however it is just an example that can be easily swapped out with any other virtualized firewall product. Some options include Palo Alto Networks, Fortinet, and even generic *NIX operating systems with the right forwarding/firewall setup.

Section 1 – VMWare Setup

Step 1 – Install & Connect to ESXi

  • You should already have ESXi setup and connected via the VSphere client on Windows.
  • It’s recommended that you static the IP address of the VMWare Management interface, if you’ve not done so already.
  • Go to Configuration > Networking
  • Rename the vSwitch interface you’re using to “LAN”
Step 2 – Add new interface
You want “Virtual Machine” type
Step 3 – Select NIC
You want to select your unused NIC (assuming you only have two)
Step 4 – Name it
This is your “WAN” interface
Step 5 – Confirm you’ve got two networks
You’ll notice that we’ve got two vSwitches now. The “LAN” switch has the Management network and is connected currently. The “WAN” switch has nothing, and the adapter is disconnected.

Section 2 – Virtual Machine Setup

Step 1 – New VM 2015-08-25-18_29_17-New-VM
Step 2 – Typical Setup 2015-08-25-18_29_31-Create-New-Virtual-Machine
Step 3 – Name your VM 2015-08-25-18_29_39-Create-New-Virtual-Machine
Step 4 – Select Datastore 2015-08-25-18_29_46-Create-New-Virtual-Machine
Step 5 – OS Type
If you’re using PFSense, select “Other” and “FreeBSD 64bit”
Step 6 – Two NICs
Unlike most VMs with 1 NIC, add 2 NICs to this VM.
Make sure one adapter is on “WAN” network and one adapter is on “LAN” network.
Step 7 – Allocated HD
PFSense doesn’t need much space, but it should be allocated a 2:1 for swap (e.g. 4096 MB swap file for 2048 MB of RAM), plus some extra space for packages and logs may be useful.
Step 8 – Edit before completion 2015-08-25-18_30_46-Create-New-Virtual-Machine
Step 9 – Final settings
As this is my firewall, I want to make sure it is plenty fast. So I opted for 4 cores and 2 GB RAM. Also attach the CD drive to PFSense installer (be it datastore ISO or real USB/Optical drive).
Step 8 – Verify Network
Hop back to Configuration > Networking and you should see something like this. Note: various VMs are all attached to the LAN vSwitch, however only PFsense VM is attached to both WAN & LAN (just like a real firewall).
Step 9 – VM Startup
Go to Configuration > VM Startup/Shutdown
Click Properties
Step 10 – Set PFSense to first boot order
You may have other VMs that you want to auto-start, but as this is your firewall, it should be the first to start.

Section 3 – PFSense

Step 1 – Install PFSense
Once you’ve installed PFSense, it will automatically configure its local interface to
Step 2 (Optional) – Change local network
You can reconfigure the local network either via web interface (at the aforementioned IP: or command line
Step 3 – Configure WAN
Again, this can be configured either via the web, or command line.
Step 4 – Plug in WAN cable 2015-08-19-13.59.53
Step 5 – Test
If you’ve got the ports configured properly (i.e. WAN hardware is WAN in VMWare and WAN in PFSense), you should be able to connect to the internet.

There are two big questions after building a setup like this, the first is security. Since PFSense is the host to provide an interface on the WAN, it should be the only method of ingress into your network. With no VMware management interface on the WAN, there should be no way for an outside party to access ESXi directly. I’ve used this setup successfully (and safely) before, as have others. However, you always need to balance your particular security concerns with the cost of dedicated devices.

The second question is remote management/maintenance/failure. Managing ESXi remotely is easy, if you setup a VPN on your PFSense VM. Without that (or similar) you will not be able to remotely manage the box (by design). But what happens if there is a failure either in the VMWare hardware or the PFSense virtual machine? That’s the big failing point of this setup – you’re down. If, for whatever reason, PFsense dies – your network is offline and you cannot remotely manage it. If this hardware is installed in a dateacenter, you’d need to either get in there yourself or remote hands reboot. Something to keep in mind when balancing the cost issue. OF course, if it’s local (say you use this at home), then it’s not such a big deal.
IMG_07121I will note that this is the setup I use in my home network, which doubles as my homelab. Having a VM for a firewall gives me a lot of flexibility, like adding an entirely separate vSwitched network for experimental VMs. I can also swap out the firewall VM for another one with next to no downtime. It also allows me to skip one more piece of hardware at home which would add to my otherwise hefty powerbill.


Punching holes into firewalls

28/01/2014 Comments off

5b3f38bb3b78c6acd6bbfe3dfb33a470-pearlsquareFirewalls are heavily used to secure private networks (home or corporate). Usually, they are used to protect the network from:

  • intrusions from outsiders
  • misuse from insiders

In a TCP/IP environment, the typical corporate firewall configuration is to block everything (both incoming and outgoing), and give access to the internet only through a HTTP proxy. The proxy usually has filtering capabilities (censors URLs and file types), and access to the proxy often requires credentials (login/password). This gives greater contol to the network administrator over what and who is going in and out of the network.

Still, this should not considered a ultimate weapon, and network administrators should not rely on the firewalls only.

Encapsulation is the basis of networking. For example, HTTP is encapsulated by TCP, TCP is encapsulated by IP, and IP is often encapsulated in PPP or Ethernet.
Encapsulating protocols in an unsual way is often reffered as tunnelling.

As soon as you let a single protocol out, tunelling allows to let anything go through this protocol, and thus through the firewall.

This paper demonstrates how to encapsulate any TCP-based protocol (SMTP, POP3, NNTP, telnet…) into HTTP, thus bypassing the firewall protection/censorship (depending on your point of view)

A word of warning:

In many countries and corporate environments, bypassing a firewall is forbidden and exposes you to sanctions, redundancy, legal proceedings and – in some countries – death penalty.
You are warned.

Nevertheless, in some countries this kind of firewall/proxy bypassing is the only way to ensure free speech (such as China or United Arab Emirates where the government severly censors the internet and where firewall bypassing is a national sport.)

Now you known what you’re doing, let’s move on.

The problem

Say you want to fetch your mail from your ISP mail server. You usually simply connect to port 110 on the POP server of your ISP.



Trouble: there is a Big Bad firewall which blocks everything.


Well… it does not exactly block everything: it lets HTTP out through a proxy.
Let’s encapsulate our POP3 connection into HTTP.

The tools

We need:

  • A computer on the internet which has unrestricted access to the internet, such as a home ADSL computer.
  • GNU HTTP Tunnel ( It encapsulates TCP into HTTP requests.
  • SSH is a secure shell ( It provides secure (and compressed) channels between two hosts using SSL. Besides providing a shell (like telnet), it also provides file copy (scp) and TCP port forwarding (tunnelling). We will use the port forwarding feature.


Why not use GNU HTTP Tunnel alone ?

In principle, only HTTP Tunnel is necessary. But this is not desirable:

  • the tunnel is public: anyone can use your tunnel. Your could be held liable for what anybody has done with your tunnel.
  • the tunnel is cleartext: anyone can spy on your connection. Your passwords (SMTP, POP3, telnet…) are transmitted in clear text.
  • the tunnel is not protected: anyone can alter the datastream.
  • you have to run a new instance of the HTTP Tunnel client and the server for each new tunnel you want to set up.

This is where ssh come in. ssh provides:

  • authentication (only authorised users can use the tunnel)
  • privacy (no one can spy on what’s going through the tunnel)
  • integrity (no one can tamper data going through the tunnel)
  • easy tunnel set-up (you can create a new tunnel with a single ssh command on the client side).

These tools are available on Unix/Linux and Windows environments.


The whole chain

Let’s see how this works. Here is the full chain:


Technically speaking, once this chain is established, connecting to OfficeComputer:800 is identical to connecting to pop3server:110.
The mail client will not see the difference.

  • On the office computer:
    • TCP data sent to port 800 is encrypted by ssh, which forwards data to port 900.
    • ssh stream sent to port 900 is chunked in individual HTTP requests by the HTTP Tunnel client and sent to the home computer through the proxy.
  • On the home computer:
    • the HTTP Tunnel server receives HTTP requests, decapsulates and re-assembles the ssh stream and forwards it to port 22 (to the ssh server).
    • the ssh server decrypts the datastream and forwards it to the pop3server on port 110.

As TCP is a bi-directionnaly datastream, once established, the TCP connection can pass data back and forth through the HTTP proxy.

Lire la suite…