This shows you the differences between two versions of the page.
sred:milestone_2 [2023/11/10 15:01] horia.stoenescu
sred:milestone_2 [2025/01/14 17:56] (current) horia.stoenescu
Line 6: | Line 6: | ||
{{:sred:milestone2_fig1.png?700|}} | {{:sred:milestone2_fig1.png?700|}} | ||
- | 1. Download the iso.gz file: https://www.pfsense.org/download/ (latest version tested ''2.7'') | + | 1. Download the iso.gz file: https://www.pfsense.org/download/ (latest version tested ''2.6'') |
2. Copy downloaded archive to eve-ng instance using scp | 2. Copy downloaded archive to eve-ng instance using scp | ||
- | 3. Go through the steps from eve-ng website: https://www.eve-ng.net/index.php/3380-2/ (use as folder name ''pfsense-2.7.0''). Make sure to power off the instance and save the snapshot as a new base image in path ''/opt/unetlab/addons/qemu'' | + | 3. Go through the steps from eve-ng website: https://www.eve-ng.net/index.php/3380-2/ (use as folder name ''pfsense-2.7.0''). Make sure to power off the node instance (after installation is completed) and save the snapshot as a new base image in path ''/opt/unetlab/addons/qemu'' |
4. Power on the instance again, set the ip addresses for ''vtnet0'' (WAN, using DHCP) and ''vtnet1'' (LAN, choose default subnet 192.168.1.0/24). | 4. Power on the instance again, set the ip addresses for ''vtnet0'' (WAN, using DHCP) and ''vtnet1'' (LAN, choose default subnet 192.168.1.0/24). | ||
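Review bot: step 1 and step 3 now disagree on the pfSense version. Step 1 was changed to say the latest version tested is ''2.6'', but step 3 still tells the student to use ''pfsense-2.7.0'' as the folder name for the base image in ''/opt/unetlab/addons/qemu''. Either revert step 1 to ''2.7'' or change the folder name to match ''2.6'', otherwise the saved base image is named after a release that was not installed.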
Line 16: | Line 16: | ||
5. Create a new Linux node (like done previously here: https://ocw.cs.pub.ro/courses/sred/setup_lab_remote#virtual_machine_access) and connect it to e1 from pfsense. | 5. Create a new Linux node (like done previously here: https://ocw.cs.pub.ro/courses/sred/setup_lab_remote#virtual_machine_access) and connect it to e1 from pfsense. | ||
- | 5. Look over the commands from console menu: https://docs.netgate.com/pfsense/en/latest/config/console-menu.html. Go to shell and find the ip address for interface vtnet0 (it should be in subnet 10.6.0.0/16). | + | 6. Look over the commands from console menu: https://docs.netgate.com/pfsense/en/latest/config/console-menu.html. Go to shell and find the ip address for interface vtnet0 (it should be in subnet configured for Cloud1 - remember step 6 from here: https://ocw.cs.pub.ro/courses/sred/setup_lab_openstack). |
- | 6. Try to access the webGUI interface using browser. Does it? Why not? (hint: https://advanxer.com/2019/12/pfsense-enabling-administration-via-the-wan-interface/) | + | 7. Change the mac address to a custom one, from cli: |
+ | <code> | ||
+ | # select shell (8 key) | ||
+ | # change mac address based on your eve_ng instance ip | ||
+ | ifconfig vtnet0 link 50:00:00:$SECOND_BYTE:$THIRD_BYTE:$FORTH_BYTE | ||
+ | # example: for 10.6.0.10, use mac address 50:00:00:06:00:10 | ||
+ | </code> | ||
+ | Then, run again ''dhclient vtnet0'' and get the new ip address assigned. | ||
- | 7. At last, login using default credentials (https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html) and go through the setup part (do not forget to save the new password!). | + | 8. Try to access the webGUI interface using browser. Does it? Why not? (hint: https://advanxer.com/2019/12/pfsense-enabling-administration-via-the-wan-interface/). |
+ | |||
+ | 9. At last, login using default credentials (https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html) and go through the setup part (do not forget to save the new password!). | ||
+ | |||
+ | 10. Go to Interfaces > WAN > MAC Address, add also there the mac address from above, then Save and apply changes. This way your mac will be permanently saved. | ||
+ | |||
+ | 11. Add a new rule to permit traffic to WAN interface from your ip address (check eve-ng pnet0). Revert steps done previously, on step 6 (hint: use again shell and same binary). | ||
+ | |||
+ | 12. Start Linux machine and make sure it receives a private ip from range ''192.168.1.0/24''. | ||
+ | |||
+ | 13. At last, add a new NAT rule to have Internet access for that internal computer. | ||
+ | |||
+ | ======= Week 4 ======= | ||
+ | |||
+ | 1. Anti-lockout rule : enable ssh on LAN gateway ip and test connection from client inside LAN. | ||
+ | |||
+ | 2. Change settings to permit access using public key (hint: authorized key for admin user). | ||
+ | |||
+ | 3. Do not permit ping to firewall machine (ip 192.168.1.1) from the internal network (drop icmp echo requests). | ||
+ | |||
+ | 4. Block access to ''facebook.com''. The rest of urls should be permitted (check sites like ''digi24.ro'' or ''x.com''). **Hint**: dns resolver | ||
+ | |||
+ | 5. Create a custom DNS entry in firewall for apache2 service from server (created on milestone 1). Use as subdomain: ''web'' and as domain: ''sred.com''. | ||
+ | |||
+ | 6. Check from the client in LAN that it can access the webserver using: ''web.sred.com'' | ||
+ | |||
+ | 7. Do the same steps from above for ftp service and test in cli the access: ''ftp ftp.sred.com 21'' | ||
+ | |||
+ | 8. Start an additional apache2 service on server (port 81) and block access from network 192.168.1.1 to it. Test using url: ''http://web.sred.com:81'' | ||
- | 8. Add a new rule to permit traffic to WAN interface from your tunnel ip address (check GlobalProtect). Revert steps done previously, on step 6 (hint: use again shell and same binary). | ||
- | 9. Start Linux machine and make sure it receives a private ip from ''192.168.1.0/24''. | ||
- | 10. At last, add a new NAT rule to have Internet access from that computer. |
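Review bot: the cross-reference in new step 11 ("Revert steps done previously, on step 6") is stale after the renumbering: step 6 is now the step that looks up the ''vtnet0'' address, while the temporary change that makes the webGUI reachable from WAN (the hint link) moved to step 8, so the revert should point there; since that change is what exposes administration on the WAN side, it is also worth stating what the student should verify after reverting it. In the ''<code>'' block of step 7, ''$FORTH_BYTE'' should read ''$FOURTH_BYTE'', and the example "for 10.6.0.10, use mac address 50:00:00:06:00:10" copies decimal octets into two-hex-digit MAC fields without saying so; an eve-ng address with an octet of 100 or more does not fit that pattern, so spell out the convention (or tell the student to convert each octet to hex). In Week 4 step 8, "block access from network 192.168.1.1" names the firewall's LAN host address rather than a network; the LAN range used in step 12 is ''192.168.1.0/24'', so write the network explicitly.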