Hello,

I no longer use pfSense, but I still have quite a few notes here and there. I am going to try to centralize everything here in case I need it one day, or in case it can be of use to someone.

Relevant articles

Miscellaneous

Backup

scp ${machine}:/cf/conf/config.xml ${backupdir}/${machine}-config-${DATE_BKP}.xml
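An added example, not part of the original notes, that wraps the scp one-liner above with the checks a config.xml backup deserves: the file is parsed to confirm it really is a pfSense configuration (a truncated or interrupted transfer fails here instead of at restore time), its permissions are tightened because it carries password hashes, IPsec pre-shared keys and private keys, a SHA-256 digest is recorded, and older copies are pruned. It assumes the same ssh access as the one-liner; the host name, the backup directory and the sample config.xml contents (including its version number and the placeholder secrets) are constructed.

```python
"""Fetch, verify, lock down and rotate pfSense config.xml backups (added example)."""
import hashlib
import os
import re
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

# Elements that show why a saved config.xml must not be world-readable.
SECRET_TAGS = {"bcrypt-hash", "pre-shared-key", "prv", "password"}


def fetch_config(machine: str, backupdir: Path) -> Path:
    """Same transfer as the scp one-liner above; the DATE_BKP stamp is generated here (UTC)."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
    dest = backupdir / f"{machine}-config-{stamp}.xml"
    subprocess.run(["scp", f"{machine}:/cf/conf/config.xml", str(dest)], check=True)
    return dest


def verify_config(path: Path) -> dict:
    """Reject anything that is not a parseable pfSense config, then hash it and restrict access."""
    root = ET.parse(path).getroot()  # raises ParseError on truncated or garbled XML
    if root.tag != "pfsense":
        raise ValueError(f"{path.name}: root element is <{root.tag}>, expected <pfsense>")
    secrets = sum(1 for el in root.iter() if el.tag in SECRET_TAGS)
    os.chmod(path, 0o600)  # hashes, PSKs and private keys live in this file
    return {
        "hostname": root.findtext("system/hostname"),
        "version": root.findtext("version"),
        "secret_elements": secrets,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def prune_backups(backupdir: Path, machine: str, keep: int) -> list:
    """Delete all but the newest `keep` backups of one firewall; the date stamp makes names sort by age."""
    pattern = re.compile(rf"^{re.escape(machine)}-config-\d{{8}}-\d{{6}}\.xml$")
    files = sorted(p for p in backupdir.iterdir() if pattern.match(p.name))
    doomed = files[:max(len(files) - keep, 0)]
    for p in doomed:
        p.unlink()
    return [p.name for p in doomed]


# Constructed sample config (not a real firewall's file); hash and PSK are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <version>21.7</version>
  <system>
    <hostname>fw01</hostname>
    <user>
      <name>admin</name>
      <bcrypt-hash>$2b$10$PLACEHOLDER-NOT-A-REAL-HASH</bcrypt-hash>
    </user>
  </system>
  <ipsec><phase1><pre-shared-key>PLACEHOLDER-PSK</pre-shared-key></phase1></ipsec>
</pfsense>
"""


def run_demo(machine: str = "fw01", keep: int = 2) -> dict:
    """Offline stand-in for fetch_config: writes three dated copies plus one bogus file, verifies, prunes."""
    backupdir = Path(tempfile.mkdtemp())
    names = [f"{machine}-config-2024010{d}-000000.xml" for d in (1, 2, 3)]
    for name in names:
        (backupdir / name).write_text(SAMPLE_CONFIG)
    bogus = backupdir / "bogus.xml"
    bogus.write_text("<html><body>not a firewall config</body></html>")
    try:
        verify_config(bogus)
        rejected = False
    except ValueError:
        rejected = True
    report = verify_config(backupdir / names[-1])
    removed = prune_backups(backupdir, machine, keep)
    remaining = sorted(p.name for p in backupdir.iterdir())
    return {"report": report, "bogus_rejected": rejected, "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(run_demo())
```

In a real run, replace `run_demo` with `verify_config(fetch_config(machine, backupdir))` followed by `prune_backups`; keeping the digest alongside the file lets a later restore be checked against what was actually pulled.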

Zabbix template

My Zabbix template for pfSense: https://git.spartan.noxinmortus.fr/noxinmortus/zabbix-templates

Configure a gateway outside the interface subnet from the CLI

OVH networking setup:

  1. Add a failover IP in OVH console (y.y.y.y)
  2. Create a virtual mac in OVH console for failover IP

VMware setup

  1. Edit the VM guest NIC settings
  2. On the network adapter in VMware, set the MAC address to manual and give it the virtual MAC assigned in the OVH networking setup

pfSense setup

  1. The failover IP from step 1 is the NIC IP (y.y.y.y). The gateway is the primary OVH server IP with 254 as the last octet (x.x.x.254). The subnet mask is /32. pfSense will complain about this during the command-line network setup; just set it up in the GUI later.
  2. The following lines can be run from the shell (option 8 in the pfSense console menu) the first time you set up pfSense. They are needed to make the default gateway work, because it is not on the same subnet.
  3. Replace vmx0 with whatever interface you have:
     route add -host x.x.x.254 -iface vmx0
     route add default x.x.x.254
     You are now using a gateway outside your interface subnet.

Ansible

Collection: https://github.com/chris-cyliu/ansible-pfsense.git

Playbook example:

---
- hosts: pfsense
  collections:
    - pfsensible.core
  vars:
    ansible_python_interpreter: /usr/local/bin/python3.8
  pre_tasks:
    - name: "Install packages"
      package:
        name:
          - pfSense-pkg-sudo
          - pfSense-pkg-Open-VM-Tools
          - pfSense-pkg-arping
          - pfSense-pkg-iperf
          - pfSense-pkg-Shellcmd
          - pfSense-pkg-zabbix-agent54
  tasks:
    - name: timezone and language
      pfsense_setup:
        timezone: 'Etc/UTC'
        language: 'en_US'
        loginshowhost: 'true'
        dnsallowoverride: 'true'
        webguifixedmenu: 'true'
        webguihostnamemenu: 'fqdn'

    - name: Add alias
      pfsense_alias:
        name: '{{ item.name }}'
        address: '{{ item.address }}'
        detail: '{{ item.detail }}'
        type: '{{ item.type }}'
      with_items:
        - { name: 'PORTS_APT', address: '80 443 11371', detail: 'HTTP || HTTPS || HKP/GPG', type: 'port' }
        - { name: 'PORTS_HTTP_HTTPS', address: '80 443', detail: 'HTTP || HTTPS', type: 'port' }
        - { name: 'PORTS_ZBX', address: '10050 10051', detail: 'ZBX AGENT || ZBX PROXY', type: 'port' }
        - { name: 'PORTS_EMAIL_INCOMING', address: '110 995 143 993', detail: 'POP3 || POP3S || IMAP || IMAPS', type: 'port' }
        - { name: 'PORTS_SMTP_OUTGOING', address: '25 465 587', detail: 'SMTP || SMTP Auth || SMTPS secured', type: 'port' }

    - name: "Allow some IP to this firewall"
      pfsense_rule:
        name: 'Allow from {{ item.source }} for {{ item.port }}'
        action: pass
        interface: IF_WAN
        ipprotocol: inet
        protocol: tcp
        source: '{{ item.source }}'
        # The destination value was lost when these notes were extracted; '(self)' (this firewall)
        # is an assumption that matches the task name. Check the pfsense_rule docs of your
        # pfsensible.core version for the accepted spelling.
        destination: '(self)'
        destination_port: '{{ item.port }}'
        state: present
      with_items:
        - { source: 'IP_1', port: 'PORTS_ZBX' }
        - { source: 'IP_2', port: 'PORTS_EMAIL_INCOMING' }
        - { source: 'IP_3', port: 'PORTS_SMTP_OUTGOING' }
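An added example, not from the original notes or from pfsensible.core: a pre-flight lint of the alias and rule items in the playbook above. The pfsense_alias and pfsense_rule tasks are applied one item at a time, so a typo in an alias reference or a malformed port list fails halfway through, leaving the firewall with some rules applied and others not; this check runs before the playbook and catches those mistakes offline. The alias and rule items are copied from the playbook (so the lint reports the IP_1..IP_3 placeholders as unresolved, which is the expected finding until they are replaced); the BAD alias in the usage note is constructed.

```python
"""Pre-flight lint for the alias and rule items of the playbook above (added example)."""
import ipaddress

# The with_items entries from the playbook above, as Python literals.
ALIASES = [
    {"name": "PORTS_APT", "address": "80 443 11371", "detail": "HTTP || HTTPS || HKP/GPG", "type": "port"},
    {"name": "PORTS_HTTP_HTTPS", "address": "80 443", "detail": "HTTP || HTTPS", "type": "port"},
    {"name": "PORTS_ZBX", "address": "10050 10051", "detail": "ZBX AGENT || ZBX PROXY", "type": "port"},
    {"name": "PORTS_EMAIL_INCOMING", "address": "110 995 143 993", "detail": "POP3 || POP3S || IMAP || IMAPS", "type": "port"},
    {"name": "PORTS_SMTP_OUTGOING", "address": "25 465 587", "detail": "SMTP || SMTP Auth || SMTPS secured", "type": "port"},
]
RULES = [
    {"source": "IP_1", "port": "PORTS_ZBX"},
    {"source": "IP_2", "port": "PORTS_EMAIL_INCOMING"},
    {"source": "IP_3", "port": "PORTS_SMTP_OUTGOING"},
]


def valid_port_spec(spec: str) -> bool:
    """Accept a single port or a lo:hi range, both within 1..65535 and in order."""
    lo, _, hi = spec.partition(":")
    try:
        nums = [int(lo)] + ([int(hi)] if hi else [])
    except ValueError:
        return False
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)


def is_address(value: str) -> bool:
    """True for an IP or CIDR; alias names and placeholders such as IP_1 are not."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def lint(aliases: list, rules: list) -> list:
    """Return human-readable problems; an empty list means the items are consistent."""
    problems, names, port_aliases = [], set(), set()
    for a in aliases:
        if a["name"] in names:
            problems.append(f"alias {a['name']}: defined more than once")
        names.add(a["name"])
        if a["type"] != "port":
            continue
        port_aliases.add(a["name"])
        ports = a["address"].split()
        details = [d.strip() for d in a["detail"].split("||")]  # pfSense separates detail entries with ||
        if len(details) != len(ports):
            problems.append(f"alias {a['name']}: {len(ports)} ports but {len(details)} detail entries")
        problems.extend(f"alias {a['name']}: '{p}' is not a valid port or range"
                        for p in ports if not valid_port_spec(p))
    for r in rules:
        src, port = r["source"], r["port"]
        if src != "any" and src not in names and not is_address(src):
            problems.append(f"rule {src}->{port}: source is neither a defined alias nor an IP/CIDR")
        if port not in port_aliases and not valid_port_spec(port):
            problems.append(f"rule {src}->{port}: destination_port is neither a port alias nor a port")
    return problems


if __name__ == "__main__":
    for line in lint(ALIASES, RULES) or ["no problems found"]:
        print(line)
```

Running it as-is reports three unresolved sources (IP_1, IP_2, IP_3); adding a constructed alias such as `{"name": "BAD", "address": "80 70000", "detail": "HTTP", "type": "port"}` reports both the detail-count mismatch and the out-of-range port.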