If you follow this guide you will be able to set up the open source (free) firewall pfSense. You will be able to have a separate WiFi LAN subnet with access to the internet that cannot access the internal, separate LAN.
This guide is intended for users who are from the Linksys, Netgear, D-link etc. firewall/router background. No experience is needed with FreeBSD or Linux to install and run pfSense. When you are finished, management of pfSense will be from a web interface just like any of the SOHO firewall/router appliances. The pf in pfSense stands for 'Packet Filter'.
pfSense is a very powerful and stable project with advanced features. pfSense users have reported that it performs well with hundreds of computers operating behind the firewall. pfSense has all the features of the SOHO (small office home office) units and much more. You can have multiple network subnets separated from each other using firewall rules. Example: have one protected/unprotected wireless access point for friends and neighbors to access your internet connection. Split the cost of your internet connection with your neighbor and prevent them from accessing your private LAN. If you are an experienced FreeBSD, Linux or Unix user you may wish to add applications from the FreeBSD repository at FreeBSD.org.
While running additional applications on a firewall can increase your exposure to potential risk of being hacked, it can still be extremely useful to add a few apps to pfSense. Once you get pfSense installed you can find a list of authorized ports under the System Packages tab. These can be installed with one click. The FreeBSD.org packages are added by the user via the shell the way it has been done for years.
This guide is divided into three sections.
Download, ISO preparation and interface selection.
Here is the link to the pfSense download area: http://www.pfsense.com/index.php?id=22 Near the top of the page there is a link 'LiveCD'. This will take you to a mirror near you. The CD we will install from is a Live CD. A Live CD will allow you to test your hardware and pfSense without actually installing onto the hard drive. You will need to change your BIOS to boot from the CD-ROM drive and then boot from the CD that we create from the .iso image. This CD is also an installer CD; more on this later. (An unofficial USB key installer is available via the forums.)
The .iso image for this guide will be pfSense-1.2-RC3-LiveCD-Installer.iso.gz. You will first need to decompress this file using gzip to get to the ISO. Then create the bootable CD. A good program to use is 'cdrecord' via the Linux command line.
sudo cdrecord -v speed=20 dev=/dev/sr0 pfSense-1.2-RC3-LiveCD-Installer.iso
If your burner is a DVD drive and supports DAO and not TAO, use the following command:
cdrecord -v -dao speed=8 dev=/dev/dvdwriter -multi pfSense-1.2-RC3-LiveCD-Installer.iso
If you use Linux your device 'dev' may vary. There is also a good utility for Windows for creating ISOs called Deep Burner. Here is the link: http://www.deepburner.com/?r=download Deep Burner is free.
Now that you have set your BIOS to boot from the CD-ROM drive and you have created your bootable CD, we can boot into pfSense on your PC. You will need to have at least two network cards installed in the PC; I recommend 3. The third is necessary for the WiFi subnet. One for the WAN (your ISP), one for your private LAN and one for your WiFi internet-access-only subnet.
Check the FreeBSD hardware compatibility list first to make sure your hardware is supported.
Now we boot into pfSense. As the bootloader comes up to the FreeBSD screen, 7 options are listed; you can wait for the default option (1) to boot up. Take a sheet of paper and write down the names listed under 'Valid interfaces'; you will need them in a moment. Mine are fxp0, fxp1, and fxp2. The next choice you will be asked to make is
“Do you want to set up VLAN's now [y|n]?” select no or 'n'.
Then you are asked to
“Enter your LAN interface name”,
enter one from the sheet of notes you just created. I enter 'fxp1'. Next I am asked to
“Enter your WAN interface name”
I enter 'fxp2'. The next option
“Enter the Optional 1 interface name”,
here I enter my last 'fxp0'.
Then we see
“The interfaces will be assigned as follows:”
LAN -> fxp1
WAN -> fxp2
OPT1 -> fxp0
Do you want to proceed [y|n]? (make sure you enter 'y' here).
pfSense is now running in RAM and almost fully functional. If you wish you may plug your LAN interface into a hub or switch and connect via the web interface. pfSense is by default assigned an IP address of 192.168.1.1. Open your browser and check it out, or proceed to the Hard Drive install. To run from RAM you can skip to the Web Interface Configuration section of this guide.
Hard Drive Install.
We will now transition to the console where we will begin the Hard Drive installation. This section is “pfsense console setup”. We select 99) Install pfSense to a hard drive/memory drive, etc.
This is a curses-based install. The install works best if you use an entire hard disk. If there is any data on the disk make sure that you have copied it to another location. As a rule of thumb, you can accept the default settings that are presented during the curses-based install.
Pictures of this process are available for download here.
Remember to remove the cdrom from the drive when you reboot.
Now we have rebooted and are presented with the “pfsense console setup” for a second time. At this moment you can unplug your monitor cable and manage this firewall via a browser or you could select option 8 and explore via a Shell.
Make sure your computer's interface is in the 192.168.1.0 subnet, because pfSense's LAN interface is by default 192.168.1.1.
The default username and password for the web GUI are 'admin' and 'pfsense'.
Now we are going to select System > Setup Wizard.
At this point you can switch to the Wink tutorial. This will walk you through the rest of the configuration. Click on the link for the Initial Install. This is a Shockwave animation; open it in your browser to view.
Setting up your Wi-Fi for the Opt1-Wi-Fi Interface
Run a Cat 5 cable from the Opt1-Wifi interface that we set up in the Wink Graphical Tutorial to the access point you plan to have on its own subnet. This subnet is separated from your LAN via firewall rules. This AP will connect directly to the internet and have no access to your LAN. Many of the SOHO firewall/routers have a default IP address of 192.168.0.1 or 192.168.1.1. Change this to a different IP address so it will work on this install and not have the same IP address as your new pfSense box. I selected 192.168.2.5. Then disable the DHCP server on this appliance so your pfSense box can hand out the addresses. This way, when you are looking under Diagnostics -> ARP tables, you can easily see who is on your connection. Enable the DHCP server under the Services -> DHCP server tab: click on the Opt 1 interface and, at the top, check the box to enable the DHCP server. You will need to set the range of the DHCP server; this will regulate how many IP addresses you will give out.
This Wink Graphical Tutorial shows how to create the firewall rule to allow open wifi traffic from the 192.168.2.1 subnet out to the internet but not access the 192.168.1.1 subnet.
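As an added example (not part of the original guide or of pfSense itself), the Python sketch below models how the two OPT1 rules described above are evaluated: pfSense checks an interface's rules from the top row down, the first match decides, and anything unmatched is blocked. The subnet masks, the 192.168.2.1 OPT1 address and the sample flows are assumptions built from the guide's 192.168.1.x and 192.168.2.x addresses.

```python
import ipaddress

# Assumed addressing based on the guide: LAN is 192.168.1.0/24 (pfSense at
# 192.168.1.1) and the OPT1 Wi-Fi subnet is 192.168.2.0/24 (pfSense at .1).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WIFI_NET = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules on the OPT1 tab as (action, source, destination), top row first.
CORRECT = [
    ("block", WIFI_NET, LAN_NET),  # must sit above the pass rule
    ("pass", WIFI_NET, ANY),       # everything else may leave to the internet
]
MISORDERED = list(reversed(CORRECT))  # same two rules, pass rule on top


def evaluate(rules, src, dst):
    """First-match evaluation of one new connection arriving on OPT1."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if src in rule_src and dst in rule_dst:
            return action
    return "block"  # no rule matched: implicit default deny


# Constructed sample flows: (source, destination, description).
FLOWS = [
    ("192.168.2.50", "203.0.113.10", "Wi-Fi client to internet host"),
    ("192.168.2.50", "192.168.1.20", "Wi-Fi client to LAN host"),
    ("192.168.2.50", "192.168.1.1", "Wi-Fi client to pfSense LAN address"),
    ("192.168.2.50", "192.168.2.1", "Wi-Fi client to pfSense OPT1 address"),
    ("10.9.9.9", "203.0.113.10", "source outside the Wi-Fi subnet"),
]


def audit(rules):
    """Map each sample flow description to the action the rule set gives."""
    return {label: evaluate(rules, s, d) for s, d, label in FLOWS}


if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("misordered", MISORDERED)):
        print(name)
        for label, action in audit(rules).items():
            print(f"  {action:5}  {label}")
```

With the pass rule on top, the block rule is never reached and the LAN is exposed to the Wi-Fi subnet. Even the correct order passes traffic to the firewall's own OPT1 address, so the web GUI stays reachable from the Wi-Fi side unless a block rule for it is placed above the pass rule.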
You can use the same process outlined above on your LAN for a second, encrypted access point with an IP address on the same LAN subnet. This wireless network connection is for your use only, not your neighbors'. Disable the DHCP server on the second access point and let pfSense handle that function.
You can regulate access by using the built-in captive portal capability found under Services -> Captive Portal. An equally effective way for an encrypted network is to only give your network key passphrase to select people.
If you encounter difficulty you can post questions related to pfSense on the forums here:
Install with one click
and much much more.
pfSense will also allow you to add packages from the standard FreeBSD repository. Any unofficial packages are not supported by pfSense.
You can skip this tutorial if you are planning on adding an external Access Point as outlined above. This tutorial is for those who want an internal wifi interface.
If you found this tutorial helpful the above link contains other helpful tutorials on this wiki.
This link contains a similar tutorial for FreeNAS, a Network Attached Storage cousin of pfSense. Check it out: http://computerpro.bz/os/content/howto-guides-1