my cheat sheet on pfsense
1 pfsense
These are just some very basic notes on my pfsense setup. The keys are not real, for obvious reasons.
1.1 Protectli
I am running on a Protectli VP2420 - 4x 2.5G Port Intel ® Celeron J6412 server.
| Hardware | Option |
|---|---|
| CPU | Intel Celeron J6412 |
| Memory | Crucial DDR4-3200 SO-DIMM 16 GB |
| Storage (M.2 SATA SSD) | 240 GB Protectli M.2 SSD |
| Storage (2.5" SSD) | Samsung (no additional storage) |
| WiFi Module | No WiFi Module |
| 4G LTE Modem | No 4G LTE External Modem |
| BIOS | coreboot |
2 Check certificate with openssl
You can use openssl to display and verify the details of keys, certificates, CSRs and so on. A .req file is a certificate signing request, so it is read with openssl req rather than openssl x509 (which only loads certificates); the -verify flag additionally checks the CSR's self-signature, which is where the "verify OK" line below comes from.
openssl req -in kr_management_cert.req -text -noout -verify
results in:
    verify OK
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: CN=kriksis.home.arpa, C=CA, ST=Ontario, L=Toronto, O=Thunder Consulting
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (4096 bit)
                    Modulus:
                        [modulus hex omitted]
                    Exponent: 65537 (0x10001)
            Attributes:
            Requested Extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Server
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
                Netscape Comment:
                    OpenSSL Generated Server Certificate
                X509v3 Subject Key Identifier:
                    4E:F6:32:DE:53:3B:C6:90:72:F7:8A:C2:24:04:1A:B8:DC:42:1A:0D
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
                X509v3 Subject Alternative Name:
                    DNS:kriksis.home.arpa
        Signature Algorithm: sha256WithRSAEncryption
             [signature hex omitted]
With this CSR, we upload it to a CA to have it signed. The CA signs the CSR, which turns it into an actual certificate, and returns that to you. The top will be much the same, but the bottom will have additional data: the signature of the CA.
2.1 CA that can sign your CSR
You could try an external CA, such as letsencrypt.org, or you can let the pfsense firewall also run a local CA and have it sign the CSR.
2.1.1 pfsense local CA
First you have to tell pfsense to be a CA. Select that under System/Certificate Manager/CA.
I created a CA certificate and called it Internal pfsense CA.
2.1.2 pfsense Certificates
Once you have a local CA, you can create certificates that are then signed by the local CA, under System/Certificate Manager/Certificates.
Make a new certificate (Add/Sign +) with the following options:
- Method: Create an internal Certificate
- Certificate Authority: Internal pfsense CA, created earlier (you could use letsencrypt or the like, but then the method should have been Create a Certificate Signing Request first, followed by getting letsencrypt to sign it, thus converting it to a certificate, then finally Import an existing certificate)
- For mgt, I choose RSA 4096, with sha256 digest
- Common Name: I used the FQDN for my pfsense; filled in the remaining fields
- Certificate Type: Server Certificate is what you want so that the pfsense webgui can be accessed using https rather than http
- Alternative Names: make this match the FQDN from above
Once you have this certificate you need to tell pfsense to use it rather than the default webgui certificate.
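As an added example (not code from this cheat sheet or from pfSense), the script below replays with plain openssl what sections 2 and 2.1.2 describe the GUI doing: it creates a local CA, a management key and CSR whose Alternative Name is the FQDN, signs the CSR with the CA, and then checks the properties the pfsense steps rely on (CSR self-signature OK, subject unchanged, issuer is the CA, certificate chains to the CA, SAN matches the FQDN). The scratch directory WORK is an assumption; the FQDN, subject fields and CA name are the ones used on this page.

```shell
#!/bin/sh
# Added example, not code from the page or from pfSense: replays the CSR -> CA -> certificate
# flow that the Certificate Manager performs, with openssl, then checks what section 2 says
# you should see. Assumed: a scratch dir WORK; the FQDN and CA name are taken from the page.
set -e
WORK=${WORK:-$(mktemp -d)}
FQDN=kriksis.home.arpa
CA_NAME="Internal pfsense CA"

# 1. The local CA (System/Certificate Manager/CA): a self-signed CA certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$CA_NAME" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. The management key and CSR, with Alternative Names matching the FQDN (section 2.1.2).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -addext "subjectAltName=DNS:$FQDN" \
    -subj "/CN=$FQDN/C=CA/ST=Ontario/L=Toronto/O=Thunder Consulting" \
    -keyout "$WORK/mgt.key" -out "$WORK/mgt.req" 2>/dev/null
}
# A CSR is signed by the requester's own key; 'openssl req -verify' checks that signature,
# which is where the "verify OK" line in the page's output comes from.
csr_verify_ok() { openssl req -in "$WORK/mgt.req" -noout -verify 2>&1 | grep -q 'verify OK'; }

# 3. The CA signs the CSR, producing the certificate. The SAN is passed in explicitly because
#    'x509 -req' does not carry the CSR's requested extensions over by itself.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$FQDN" >"$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/mgt.req" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" -out "$WORK/mgt.crt" 2>/dev/null
}

# "The top will be much the same": the subject survives signing unchanged.
subjects_match() {
  [ "$(openssl req -in "$WORK/mgt.req" -noout -subject)" = \
    "$(openssl x509 -in "$WORK/mgt.crt" -noout -subject)" ]
}
# "The bottom will have additional data": the issuer is now the CA, and the CA's signature
# lets the certificate chain to ca.crt.
issuer_is_ca() { openssl x509 -in "$WORK/mgt.crt" -noout -issuer | grep -q "$CA_NAME"; }
chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/mgt.crt" >/dev/null 2>&1; }
# What Alternative Hostnames (section 2.1.3) must be set to match.
cert_san_has_fqdn() { openssl x509 -in "$WORK/mgt.crt" -noout -text | grep -q "DNS:$FQDN"; }

run_flow() {
  make_ca && make_csr && csr_verify_ok && sign_csr &&
    subjects_match && issuer_is_ca && chains_to_ca && cert_san_has_fqdn
}
```

Run `run_flow` and then compare `openssl req -in "$WORK/mgt.req" -text -noout` with `openssl x509 -in "$WORK/mgt.crt" -text -noout` to see the Issuer and signature that the CA added.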
2.1.3 telling pfsense to use the certificate
Once the above is done, configure System/Advanced/Admin Access/webConfigurator:
- SSL/TLS Certificate: the mgt certificate created above
- Alternative Hostnames: make it match the FQDN in the mgt certificate
2.2 Secure Shell
For SSHd Key Only (under System/Advanced/Admin Access/Secure Shell/SSHd Key Only):
When set to Public Key Only, SSH access requires authorized keys and these keys must be configured for each user that has been granted secure shell access. If set to Require Both Password and Public Key, the SSH daemon requires both authorized keys and valid passwords to gain access. The default Password or Public Key setting allows either a valid password or a valid authorized key to login.
- SSH port: override to something less obvious than 22
3 Diagnostics
3.1 CommandLine
3.1.1 speedtest
You can use the command-line prompt to run speedtests directly from the pfsense router. You will have to install the package first, using the commands
pkg search speedtest
pkg install py311-speedtest-cli-2.1.3
speedtest -h
speedtest --list
speedtest --server
(pkg names the package as name-version, so the version found by pkg search is joined with a hyphen.) speedtest --list output will look something like this:
Retrieving speedtest.net configuration...
46148) Rogers (Brampton, ON, Canada) [2.95 km]
46144) Rogers (Etobicoke, ON, Canada) [21.65 km]
52346) Bell Mobility (York, ON, Canada) [22.75 km]
17568) Bell Canada (North York, ON, Canada) [25.51 km]
46811) Rogers (North York, ON, Canada) [25.51 km]
13238) Frontier Networks Inc (Toronto, ON, Canada) [27.85 km]
23748) Fibernetics (Toronto, ON, Canada) [27.85 km]
46810) Rogers (Markham, ON, Canada) [33.92 km]
46699) Netcrawler.ca Internet (Markham, ON, Canada) [33.92 km]
46431) Rogers (Scarborough, ON, Canada) [40.00 km]
The numbers in the first column are used in the --server parameter, so for example if you want to run the speedtest to Frontier Networks in Toronto, you would run
speedtest --server 13238
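An added helper, not part of the original notes, that picks the --server id out of speedtest --list output by name or by distance instead of reading the list by eye. SPEEDTEST_LIST is a constructed sample in the same format as the output above; the function names are my own.

```shell
#!/bin/sh
# Added helper (not from the page): pick a `speedtest --server` id from `speedtest --list`
# output. SPEEDTEST_LIST is a constructed sample in the same format as the page's output;
# in real use replace it with the live output: SPEEDTEST_LIST=$(speedtest --list)
SPEEDTEST_LIST='Retrieving speedtest.net configuration...
46148) Rogers (Brampton, ON, Canada) [2.95 km]
46144) Rogers (Etobicoke, ON, Canada) [21.65 km]
17568) Bell Canada (North York, ON, Canada) [25.51 km]
13238) Frontier Networks Inc (Toronto, ON, Canada) [27.85 km]
23748) Fibernetics (Toronto, ON, Canada) [27.85 km]'

# Only lines shaped "<id>) <name> [<distance> km]" are server entries; the banner is skipped.
server_lines() {
  printf '%s\n' "$SPEEDTEST_LIST" | grep -E '^[0-9]+\) .* \[[0-9.]+ km\]$'
}

# Id of the single server whose line contains PATTERN (a fixed string).
# Fails if nothing matches or the match is ambiguous (e.g. "Rogers" lists several sites),
# so a script never silently tests against the wrong server.
speedtest_server_id() {
  matches=$(server_lines | grep -F -- "$1" || true)
  count=$(printf '%s\n' "$matches" | grep -c '^[0-9]' || true)
  if [ "$count" -ne 1 ]; then
    echo "speedtest_server_id: $count servers match '$1'" >&2
    return 1
  fi
  printf '%s\n' "$matches" | sed 's/^\([0-9]*\)).*/\1/'
}

# Id of the geographically closest server (smallest "[x km]" value).
speedtest_nearest_id() {
  server_lines | sed 's/^\([0-9]*\)) .* \[\([0-9.]*\) km\]$/\2 \1/' |
    sort -n | head -n 1 | cut -d' ' -f2
}

# Usage: speedtest --server "$(speedtest_server_id 'Frontier Networks')"
```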
Interesting fact: IP addresses are typically written for humans as a quadruple of 8-bit values in decimal form, so
4 pfsense 3rd party packages
These are installed on a pfsense firewall from the pfsense repository.
- System/Package Manager/Installed Packages to see what is installed
- System/Package Manager/Available Packages to list packages in the repository
- System/Package Manager/Available Packages/+Install to install one