Installing Webmin On Pfsense
This video explains the installation procedure of Squid on Webmin. Squid is the most popular proxy server for UNIX/ Linux system and Webmin is a web-based sy. In addition to the packages available in the pfSense package system, thousands of additional FreeBSD packages are available. If strong security is desired for a pfSense firewall then do not install additional FreeBSD packages, or ensure to properly maintain these packages by always keeping them up to date. SOLVED PBX Behind Pfsense Takes Long Time. To do with PFSense & Webmin. Computer and couldn't connect to Webmin on a new install from my PiaF.
The Internet is a scary place these days. Almost daily, a new zero day, security breach, or ransomware occurs leaving many people wondering if it is possible to secure their systems.
Many organizations spends hundreds of thousands, if not millions, of dollars trying to install the latest and greatest security solutions to protect their infrastructure and data. Home user’s though are at a monetary disadvantage. Investing even a hundred dollars into a dedicated firewall is often beyond the scope of most home networks.
Thankfully, there are dedicated projects in the open source community that are making great strides in the home user security solutions arena. Projects like IPfire, Snort, Squid, and pfSense all provide enterprise level security at commodity prices!
PfSense is a FreeBSD based open source firewall solution. The distribution is free to install on one’s own equipment or the company behind pfSense, NetGate, sells pre-configured firewall appliances.
The required hardware for pfSense is very minimal and typically an older home tower can easily be re-purposed into a dedicated pfSense Firewall. For those looking to build or purchase a more capable system to run more of pfSense’s advanced features, there are some suggested hardware minimums:
Hardware Minimums
- 500 mhz CPU
- 1 GB of RAM
- 4GB of storage
- 2 network interface cards
Suggested Hardware
- 1GHz CPU
- 1 GB of RAM
- 4GB of storage
- 2 or more PCI-e network interface cards.
Serious Home User Hardware Suggestions (and Enterprises)
In the event that a home user would like to enable many of the extra features and functions of pfSense such as Snort, Anti-Virus scanning, DNS blacklisting, web content filtering, etc the recommended hardware becomes a little more involved.
To support the extra software packages on the pfSense firewall, it is recommended that the following hardware be provided to pfSense:
- Modern multi-core CPU running at least 2.0 GHz
- 4GB+ of RAM
- 10GB+ of HD space
- 2 or more Intel PCI-e network interface cards
Installation of pfSense 2.4.4
In this section, we will see the installation of pfSense 2.4.4 (latest version at the time of writing this article).
The Lab Setup
pfSense is often frustrating for users new to firewalls. The default behavior for many firewalls is to block everything, good or bad. This is great from a security standpoint but not from a usability standpoint. Before starting into the installation, it is important to conceptualize the end goal before beginning the configurations.
Downloading pfSense
Regardless of which hardware is chosen, installing pfSense to the hardware is a straightforward process but does require the user to pay close attention to which network interface ports will be used for which purpose (LAN, WAN, Wireless, etc).
Part of the installation process will involve prompting the user to begin configuring LAN and WAN interfaces. The author suggests only plugging in the WAN interface until pfSense has been configured and then proceed to finish the installation by plugging in the LAN interface.
The first step is to obtain the pfSense software from https://www.pfsense.org/download/. There are a couple of different options available depending on the device and installation method but this guide will utilize the ‘AMD64 CD (ISO) Installer’.
Using the drop down menu’s on the link provided earlier, select an appropriate mirror to download the file.
Once the installer has been downloaded, it can either be burned to a CD or it can be copied to a USB drive with the ‘dd’ tool included in most Linux distributions.
The next process is to write the ISO to a USB drive to boot the installer. To accomplish this, use the ‘dd’ tool within Linux. First, the disk name needs to be located with ‘lsblk’ though.
Find Device Name in Linux
With the name of the USB drive determined as ‘/dev/sdc’, the pfSense ISO can be written to the drive with the ‘dd’ tool.
Important: The above command requires root privileges so utilize ‘sudo’ or login as the root user to run the command. Also this command will REMOVE EVERYTHING on the USB drive. Be sure to backup needed data.
Installation of pfSense
Once ‘dd’ has finished writing to the USB drive or the CD has been burnt, place the media into the computer that will be setup as the pfSense firewall. Boot that computer to that media and the following screen will be presented.
At this screen, either allow the timer to run out or select 1
to proceed booting into the installer environment. Once the installer finishes booting, the system will prompt for any changes desired in the keyboard layout. If everything shows in a native language, simply click on ‘Accept these Settings’.
pfSense Configure Console
The next screen will provide the user with the option of a ‘Quick/Easy Install’ or more advanced install options. For the purposes of this guide, it is suggested to simply use the ‘Quick/Easy Install’ option.
The next screen will simply confirm that the user desires to use the ‘Quick/Easy Install’ method which won’t ask as many questions during the installation.
The first question that is likely to be presented will ask about which kernel to install. Again, it is suggested that the ‘Standard Kernel’ be installed for most users.
pfSense Standard Kernel
When the installer has finished this stage, it will prompt for a reboot. Be sure to remove the installation media as well so the machine doesn’t boot back into the installer.
pfSense Configuration
After the reboot, and the removal of the CD/USB media, pfSense will reboot into the newly installed operating system. By default, pfSense will pick an interface to set-up as the WAN interface with DHCP and leave the LAN interface unconfigured.
pfSense Interface Configuration
While pfSense does have a web based graphical configuration system, it is only running on the LAN side of the firewall but at the moment, the LAN side will be unconfigured. The first thing to do would be to set an IP address on the LAN interface.
To do this follow these steps:
- Take note of which interface name is the WAN interface (em0 above).
- Enter ‘1’ and press the ‘Enter’ key.
- Type ‘n’ and press the ‘Enter’ key when asked about VLANs.
- Type in the interface name recorded in step one when prompted for the WAN interface or change to the proper interface now. Again this example, ‘em0’ is the WAN interface as it will be the interface facing the Internet.
- The next prompt will ask for the LAN interface, again type the proper interface name and hit the ‘Enter’ key. In this install, ‘em1’ is the LAN interface.
- pfSense will continue to ask for more interfaces if they are available but if all interfaces have been assigned, simply hit the ‘Enter’ key again.
- pfSense will now prompt to ensure that the interfaces are assigned properly.
Pfsense Install Guide
- If the interfaces are correct, type ‘y’ and hit the ‘Enter’ key.
The next step will be to assign the interfaces the proper IP configuration. After pfSense returns to the main screen, type ‘2’ and hit the ‘Enter’ key. (Be sure to keep track of the interface names assigned to the WAN and LAN interfaces).
*NOTE* For this install the WAN interface can use DHCP without any problems but there may be instances where a static address would be required. The process for configuring a static interface on the WAN would be the same as the LAN interface that is about to be configured.
Type ‘2’ again when prompted for which interface to set IP information. Again 2 is the LAN interface in this walk through.
pfSense Available Interfaces
When prompted, type the IPv4 address desired for this interface and hit the ‘Enter’ key. This address should not be in use anywhere else on the network and will likely become the default gateway for the hosts that will be plugged into this interface.
The next prompt will ask for the subnet mask in what is known as prefix mask format. For this example network a simple /24 or 255.255.255.0 will be used. Hit the ‘Enter’ key when done.
pfSense Network Subnet Mask
The next question will ask about an ‘Upstream IPv4 Gateway’. Since the LAN interface is currently be configured, simply hit the ‘Enter’ key.
The next prompt will ask to configure IPv6 on the LAN interface. This guide is simply using IPv4 but should the environment require IPv6, it can be configured now. Otherwise, simply hitting the ‘Enter’ key will continue.
pfSense IPv6 Address
The next question will ask about starting the DHCP server on the LAN interface. Most home users will need to enable this feature. Again this may need to be adjusted depending on the environment.
This guide assumes that the user will want the firewall to provide DHCP services and will allocate 51 addresses for other computers to obtain an IP address from the pfSense device.
The next question will ask to revert pfSense’s web tool to the HTTP protocol. It is strongly encouraged NOT to do this as the HTTPS protocol will provide some level of security to prevent disclosure of the admin password for the web configuration tool.
pfSense HTTP Protocol
Once the user hits ‘Enter’, pfSense will save the interface changes and start the DHCP services on the LAN interface.
Notice that pfSense will provide the web address to access the web configuration tool via a computer plugged in on the LAN side of the firewall device. This concludes the basic configuration steps to make the firewall device ready for more configurations and rules.
The web interface is accessed through a web browser by navigating to the LAN interface’s IP address.
pfSense Login Interface
The default information for pfSense at the time of this writing is as follows:
After a successful login through the web interface for the first time, pfSense will run through an initial setup to reset the admin password.
The first prompt is for a registration to pfSense Gold Subscription which has benefits such as automatic configuration backup, access to the pfSense training materials, and periodic virtual meetings with pfSense developers. Purchasing of a Gold subscription isn’t required and the step can be skipped if desired.
The following step will prompt the user for more configuration information for the firewall such as hostname, domain name (if applicable), and DNS servers.
pfSense General Information
The next prompt will be to configured Network Time Protocol, NTP. The default options can be left unless different time servers are desired.
After setting up NTP, the pfSense installation wizard will prompt the user to configure the WAN interface. pfSense supports multiple methods for configuring the WAN interface.
The default for most home users is to use DHCP. DHCP from the user’s internet service provider is the most common method for obtaining the necessary IP configuration.
pfSense WAN Configuration
The next step will prompt for configuration of the LAN interface. If the user is connected to the web interface, the LAN interface has likely already been configured.
However, if the LAN interface needs to be changed, this step would allow for changes to be made. Make sure to remember what the LAN IP address is set to as this is how the
administrator will access the web interface!
As with all things in the security world, default passwords represent an extreme security risk. The next page will prompt the administrator to change the default password for the ‘admin’ user to the pfSense web interface.
pfSense Admin Setup
The final step involves restarting pfSense with the new configurations. Simply click the ‘Reload’ button.
After pfSense reloads, it will present the user with a final screen before logging into the full web interface. Simply click the second ‘Click Here’ to log into the full web interface.
pfSense Wizard Completed
At last pfSense is up and ready to have rules configured!
Now that pfSense is up and running, the administrator will need to go through and create rules to allow the appropriate traffic through the firewall. It should be noted that pfSense has a default allow all rule. For security sake, this should be changed but this is again an administrator’s decision.
Read Also : Install and Configure pfBlockerNg for DNS Black Listing in pfSense Firewall
Thank you for reading through this TecMint article on pfSense installation! Stay tuned for future articles on configuring some of the more advanced options available in pfSense.
A proxy server can prevent employees from visiting certain sites, help reduce the load on your network by caching pages for clients, and make use of SSL to secure connections between clients and servers. Many smaller companies assume they don't have the time or the money to put into setting up a proxy server. Thanks to Webmin, that is not the case.
With the Webmin administration portal, you can easily set up a Squid proxy server and manage that proxy with the user friendly web-based administration tool. I will walk you through the steps of setting up a Squid proxy server through the Webmin tool. I will demonstrate this on a Ubuntu 12.10 platform and do everything through the web-based GUI (no command-line necessary). Because Squid is designed to run on UNIX-like systems (there was a Windows port for a brief period, but it was abandoned), you need to have Webmin running on a UNIX-based system. Once you have Webmin up and running, you are very close to having Squid installed.
Installing Squid
In order to be able to enable the Squid module, Squid needs to be installed; fortunately, Webmin is smart enough to handle this task for you. After you log in to Webmin as an administrator, you can have Webmin install Squid and then enable the module for you. Here's how:
- Log in to Webmin as your administrative user.
- Scroll down until you see in the left navigation, the Unused Modules section.
- Expand Unused Modules and scroll down until you see the entry for Squid.
- Click the Squid proxy server entry.
- In this new window (Figure A) click the Click Here link to have Webmin run the install. You can watch the progress of the installation fly by in the same screen.
Click the image to enlarge.
When the installation completes, refresh the view of your Webmin portal and then expand the Servers section. You should now see a listing for Squid Proxy Server (Figure B). Click the Squid Proxy Server, and you're ready to start setting it up.Figure BInstalling Webmin On Linux Mint
Click the image to enlarge.
Setting up Squid
The first thing you will see is the error 'Your Squid cache directory /var/spool/squid3 has not been initialized. This must be done before Squid can be run.' In order to initialize this, click the Initialize Cache button (with either an existing user, or you can create a new user/group 'proxy'). At this point you will see the 'Stopping Squid' warning. Once the system has been initialized, you will be prompted with the Return To Squid Index link. If you continue seeing this error, here's what you need to do:
- Open a terminal window.
- Open the file /etc/squid3/squid.conf.
- Search for the line #cache_dir ufs /var/spool/squid3 100 16 256 (around line 2245).
- Remove the '#' character.
- Save the file.
- Go back to Webmin and click the Initialize Cache button again.
Your plan for using the proxy will dictate how you configure it. Regardless of how you use it, you will want to define the ports used by the proxy first. By default, Squid uses 3128. You can stick with the default, or if you need to go with a non-standard port, here's how to change it:
- From the Webmin Squid page, click Ports And Networking.
- In the Ports And Networking page (Figure C), configure the port.
- Once you have the port set, click Save.
Installing Webmin On Ubuntu
Click the image to enlarge.
By default, Squid will listen to requests coming from all addresses. You can set this on a per-address or per-hostname basis by entering the IP address or hostname under the Hostname/IP Address column in the table.
Let's say you want to block Facebook using Squid. You must first create a new Access Control List (ACL), which you can do by following these steps:
- From the module index, click Access Control.
- Below the listing, select Webserver Hostname from the drop-down and click Create New ACL.
- In the Create ACL window (Figure D) enter a name for the ACL (Like Facebook) and then enter the domain (facebook.com). (You could even create a single ACL for a group of related domains.)
- In the Failure Redirect, enter the page you would like this to be redirected to.
- Click Save.
Click the image to enlarge.
Now you have to create a Proxy Restriction. Here's how:
- Click the Proxy Restriction tab in the ACL window.
- Click Add Proxy Restriction.
- Select Deny.
- Select the new ACL from the list on the left (Figure E).
- Click Save.
- In the restrictions listing, you can move the restriction up or down (using the arrows) according to your needs. Also, you can allow an ACL by selecting Allow instead of Deny.
Click the image to enlarge.
Back at the module index, click Apply Changes to restart Squid with the newly created restrictions.
You should now have a proxy set up to block all access to Facebook (I'm not advocating this practice, just using it as an example). You can apply this same idea to nearly anything you'd like to block. And remember, Squid can be used for a lot more than blocking domains.
Next Big Thing Newsletter
Be in the know about smart cities, AI, Internet of Things, VR, autonomous driving, drones, robotics, and more of the coolest tech innovations. Delivered Wednesdays and Fridays
Sign up today Sign up today