Newbie migrating from PFSense to NS

Yeah, I think I can edit my notes and throw something together. Most of it is pretty specific to my application, but I will try to generalize it and clean it up as best I can.

PFSense Migration guide

First thing you will need to do is get into your PFSense and document EVERYTHING you want to keep/replicate on NS.

  • LAN subnet(s)

  • Guest subnet(s)

  • Special interfaces like tunnels or VLANs

  • WAN IP(s) if static and/or PPPoE credentials

  • Firewall rules in any direction between network subnets

  • Port forwarding rules

  • VPN details/credentials

  • Local network services such as DHCP/DNS IP reservations and domain names

  • Note any aliases that have been defined for port ranges or hosts

Once you are confident you have all your needed info documented in Word or some other format that is available offline, you can start.

IF USING HARDWARE I STRONGLY SUGGEST USING A NEW HARD DRIVE! SET THE PFSENSE DRIVE ASIDE SO YOU CAN USE IT IF THINGS DO NOT WORK OUT.

NethServer install

Configure time zone

Hard drive config may require you to delete the content on it by selecting "I will configure", then removing all the partitions listed, and then clicking the link telling the installer to "create them automatically".

Networking

My server has only 2 physical interfaces. I statically set both interfaces to private /24 networks that I do not use and connected my laptop to the port I intend to be external (red). Be sure to set both network interfaces to AUTOSTART and, on the general tab, "automatically connect to this network when available".

Begin Install

I only set up the root user

Post Install

Statically assign an IP from one of the private networks you set up on the interfaces to a laptop connected via ethernet to the WAN port.

Try to connect to the IP for the firewall in a web browser, for example https://192.168.1.1:9090/. If this fails change the static IP on the laptop to the other /24 and try to reach the server on that IP, for example https://192.168.2.1:9090/.

It is important to connect to the port that I wanted to be the WAN port, because the LAN port in my setup uses tagged VLANs and configuring the router through the port you intend to set up for VLANs didn't seem straightforward.

Once you are able to connect to the web interface, log in with the root user and the password created at setup.

Go to System - Network and configure your VLANs/subnets for the LAN port.

Below Network you will find DHCP. Set up the DHCP server for your VLANs and all your address reservations.

At this point I could disconnect the laptop and plug the WAN cable back into my ISP fiber network terminal and continue setup from my desktop PC connecting through the VLAN interface.

Back at the System - Networking area, set up PPPoE using your ISP-provided credentials and tell it to use the WAN ethernet port. At this point PPPoE will not work, because you have to tell it to connect via a tagged VLAN, in my case VLAN 201.

Open the terminal into the firewall and issue the following commands:

db networks setprop eth? role ''

db networks set eth?.201 vlan role pppoe

db networks settype ppp0 xdsl

db networks setprop ppp0 linux_plugin /usr/lib64/pppd/2.4.5/rp-pppoe.so

db networks setprop ppp0 role red user ISPUSERNAME Password ISPPASSWORD

signal-event interface-update

*where eth? is replaced with the name of your WAN adapter, mine is enp2s0

The PPPoE connection should be up now.

Go to Software Center, install the packages Basic Firewall and OpenVPN, then update the system.

Head over to Applications - Firewall - Objects and get any port ranges or subnet aliases entered.
Go to Port Forward right below Objects and input all your port forwarding settings.

At this point the firewall should be passing traffic in both directions.

Go to System - DNS and add all your custom DNS entries.

While you are on the subject of DNS, you may subscribe to a dynamic DNS provider and would like to use that.
Open terminal and enter the commands below:

yum install http://mirror.de-labrusse.fr/NethServer/7/x86_64/nethserver-stephdl-1.1.7-1.ns7.sdl.noarch.rpm

yum install nethserver-ddclient --enablerepo=stephdl

Go to Applications – Dynamic DNS to setup your account.

I set up NTP at this point.
Go to System – Dashboard and click on the date and time to gain access to NTP upstream server settings.

Now that I have accurate system time, I set up OpenVPN.
Applications – VPN – OVPN tunnels – Tunnel clients – Add client tunnel

My tunnel uses certificate authentication and the one “gotcha” I found was NethServer expects 3 certs in the certificate box in a particular order. The order I found works is client certificate followed by client key followed by the CA certificate.

The final step was setting up SNMP for my network monitoring application. I found out the only good way to set this up is to install the old server manager.
Head back to Software Center and install the old server manager.
Once it is installed, point your browser to your firewall's IP at port 980 using HTTPS.

On the left side bar scroll down to SNMP and fill out the requested info.

FIN

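The PPPoE-over-tagged-VLAN sequence from the post above, wrapped as an added example script (this is not code from the post or from the NethServer project): it validates the interface name and VLAN ID, reads the ISP password from a mode-0600 file instead of the command line, prints the exact `db networks` / `signal-event` commands as a dry run, and reads the resulting records back after applying. The `db` and `signal-event` commands and the pppd plugin path are the ones the post uses; `db networks show` for the read-back and the `/sys/class/net` existence check are assumptions about the target box.

```shell
#!/bin/sh
# Added example, not NethServer project code: the PPPoE-on-tagged-VLAN
# sequence from the post, with input checks and a dry-run mode.
# Assumes NethServer 7's `db networks ...` and `signal-event` commands as
# used in the post; `db networks show` for the read-back is an assumption.

PLUGIN=/usr/lib64/pppd/2.4.5/rp-pppoe.so   # pppd plugin path from the post

# 802.1Q VLAN IDs run 1-4094; 0 and 4095 are reserved.
valid_vlan_id() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Linux interface names: at most 15 characters, no whitespace or slash.
valid_iface_name() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Single-quote a value for the generated command line (' becomes '\'').
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print, in the post's order, the commands that move the red role from the
# physical port to ppp0 over VLAN $2. $4 is a file (mode 0600) holding the
# ISP password, so the secret is not typed on this script's command line.
pppoe_vlan_commands() {  # iface vlan_id isp_user password_file
    iface=$1 vlan=$2 user=$3 passfile=$4
    valid_iface_name "$iface" || { echo "bad interface name: $iface" >&2; return 1; }
    valid_vlan_id "$vlan"     || { echo "bad VLAN id: $vlan" >&2; return 1; }
    [ -r "$passfile" ]        || { echo "cannot read $passfile" >&2; return 1; }
    pass=$(head -n 1 "$passfile")
    [ -n "$pass" ]            || { echo "empty password in $passfile" >&2; return 1; }
    cat <<EOF
db networks setprop $iface role ''
db networks set $iface.$vlan vlan role pppoe
db networks settype ppp0 xdsl
db networks setprop ppp0 linux_plugin $PLUGIN
db networks setprop ppp0 role red user $(sq "$user") Password $(sq "$pass")
signal-event interface-update
EOF
}

# Apply the commands, then read the two records back for a sanity check.
apply_pppoe_vlan() {  # iface vlan_id isp_user password_file
    [ -d "/sys/class/net/$1" ] || { echo "no such interface: $1" >&2; return 1; }
    cmds=$(pppoe_vlan_commands "$@") || return 1
    printf '%s\n' "$cmds" | sh -e || return 1
    db networks show ppp0
    db networks show "$1.$2"
}

# Usage: sh pppoe-vlan.sh enp2s0 201 ISPUSERNAME /root/isp.pass
if [ $# -ge 4 ]; then
    apply_pppoe_vlan "$@"
fi
```

Source the file and call `pppoe_vlan_commands enp2s0 201 ISPUSERNAME /root/isp.pass` to review the commands before running the script with the same arguments to apply them. The password still appears as an argument of the `db ... setprop` line while that command runs and is stored in the networks db afterwards, so keep the password file and any saved dry-run output away from unprivileged users.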
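The certificate-ordering "gotcha" from the OpenVPN step, as an added example (not NethServer's code and not from the post): assemble the bundle in the order the post reports working (client certificate, then client key, then CA certificate) and, before pasting it into the tunnel client form, confirm the key actually matches the certificate and the certificate verifies against the CA. It assumes the `openssl` CLI is installed and the client key is unencrypted; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not NethServer project code.
# Build the three-block PEM bundle in the order the post reports working
# for the OVPN tunnel client (client cert, client key, CA cert) and check
# that the pieces belong together first. Assumes the openssl CLI and an
# unencrypted client key; all file names are placeholders.

# Print the first PEM block of the given type (e.g. CERTIFICATE) from a file.
pem_block() {  # pem_block TYPE file
    awk -v t="$1" '
        $0 == "-----BEGIN " t "-----" { p = 1 }
        p { print }
        $0 == "-----END " t "-----"   { exit }' "$2"
}

# The key header differs by format: "PRIVATE KEY" (PKCS#8) or the legacy
# "RSA PRIVATE KEY" / "EC PRIVATE KEY". Print whichever the file uses.
key_type() {
    sed -n 's/^-----BEGIN \(.*PRIVATE KEY\)-----$/\1/p' "$1" | head -n 1
}

# List the BEGIN headers of a bundle, in order, one per line.
bundle_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Fail unless the key's public half equals the cert's public key and the
# cert verifies against the CA. Catches the classic paste mistakes: the
# wrong key for the cert, or a CA that did not actually sign it.
# "-passin pass:" makes openssl fail fast on an encrypted key instead of
# waiting for a passphrase.
check_material() {  # client.crt client.key ca.crt
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass:) || return 1
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "private key does not match $1" >&2; return 1; }
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
        { echo "$1 does not verify against $3" >&2; return 1; }
}

# Emit the bundle on stdout: client cert, client key, CA cert.
build_bundle() {  # client.crt client.key ca.crt > bundle.pem
    kt=$(key_type "$2")
    case $kt in
        '')         echo "no private key found in $2" >&2; return 1 ;;
        ENCRYPTED*) echo "$2 is encrypted; decrypt it first" >&2; return 1 ;;
    esac
    check_material "$1" "$2" "$3" || return 1
    pem_block CERTIFICATE "$1"
    pem_block "$kt" "$2"
    pem_block CERTIFICATE "$3"
}

# Usage: sh ovpn-bundle.sh client.crt client.key ca.crt > bundle.pem
if [ $# -eq 3 ]; then
    build_bundle "$@"
fi
```

The public-key comparison works for RSA and EC keys alike because both `openssl x509 -pubkey` and `openssl pkey -pubout` emit the same SubjectPublicKeyInfo encoding; `bundle_order` is there so you can eyeball the block sequence of a bundle someone else prepared.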

Thank you for reporting the bug on PPPoE @G_B!

The fix is now under work: https://github.com/NethServer/dev/issues/6500

The issue is ready for testing, would you give it a try @G_B?

To test it:

yum --enablerepo=nethserver-testing update nethserver-firewall-base\*
signal-event interface-update

Thank you for the quick turn around on this, I will test when I get home from work today.


Patch looks like it works, I don’t have 2 lines with ‘/usr/lib64/pppd/2.4.5/rp-pppoe.so’ in my ifcfg-ppp0 anymore.


Hi Greg,

Thanks for this looks great.

Just out of curiosity, is there a way to expand the number of zones (Red, Green, Blue & Orange) and add another one, like Yellow?
The reason I am asking is that my firewall has 6 networks (ZONES) on it.

If there is a way, or you know of a way, to add more zones, that would be great.

Thanks

Which is the role of this “yellow” zone?

Not that I know of, but I believe you can have multiple subnets in each security zone. If your network has several subnets that are considered to be safe you should be able to add them all to the green zone.

Hi,

The "Yellow" one is a new one I want/would like to create, if that is possible.
The real question was: can more zones be created than just the 4 standard ones?

@gpapaiko

Hi

Sure, more Zones than 4 can be created.

Your question is more like: "Can a new type of Zone be created?"

Is there any "real" need for this? I don't see any reasonable use case for this. Any real need can be covered by one of the existing zone types.

Or is the question more of the case like in gender discussions: "I feel like a squid, I need a toilet suitable for squids"? (I don't have anything against gender, but one can take a discussion ad absurdum.)

If there is only one with that problem, it's a personal problem, not a human one.

I'm using this example as the discussion seems focused on the colors of the rainbow :slight_smile:

But if you really NEED a new zone for details so far unmentioned, you might need to buy a more expensive router / firewall (Cisco/Sophos/whatever?).

My 2 cents
Andy

Again: why a zone? Why not an interface and/or subnet?
The zone concept is quite a bit bigger than the single interface and/or subnet. You can have multiple green ports and/or subnets, multiple Blue zones and/or subnets, and so on, creating proper rules for differentiating, if necessary, the subnets that are part of the same zone.

Green is the place you can/should trust (and no wireless device should be here, by common sense).
Blue is the place you can trust a little less, because it could be composed only of devices that might not be under your control.
Orange is the place where devices under your control will be connected and accessed by devices, persons and so on which you cannot control.
Red is all the rest. The evil, wild, fierce internet.

IMVHO, a PBX should be in Orange, even email and application/web servers. But it is considered typical to have the PBX in a Green segment, among the phones, in a different subnet than computers (mostly because of the particularities of DHCP/provisioning/TFTP settings).

It's far easier to put everything in the same zone (IP phones, switches, APs, servers, computers, wireless tiles, IoT cr4p, connected devices, smart TVs), but this means giving up any kind of structure and control. So "firewall" and "zones" become useless.


Hi All,

Thanks for your comments.
@Andy_Wismer if I had enough MONEY I might consider a Sophos/Cyberoam/Watchguard firewall, but I like to support open source as much as I can; I would rather spend the money on upgrading my hardware.

I am looking at Nethserver or Opnsense to replace my current Pfsense firewall and to see which one has the features and function I need. These are all virtual machines.

So yes, I will be making the switch away from pfsense, but at the moment I am evaluating which one I go to.
In my current setup pfsense has 8 NICs (2*4 port NIC cards); this was a physical box, but recently, when it crashed about 3 weeks ago, I rebuilt it as a VM on my ESXi server.

But I was just curious to know if it was easy to create a new ZONE.

I have the RED, GREEN and BLUE set up, all with a single interface, the way I need them to be.
RED, GREEN and BLUE are attached to their own virtual switches (VS) and each VS has two NICs associated with it for redundancy.

The ORANGE zone (DMZ) has 3 interfaces and thereby 3 subnets, each attached to a VS with NO NICs associated with it. Hence each VM on the orange zone is isolated from the other VMs depending on which subnet they are linked to.

At the moment I am rebuilding all my aliases and firewall rules on Nethserver to see what it can do and how it reports on what is passed/rejected/blocked, intrusion detection, etc.


I have tried OPNsense, but that seems to fail on some of the rules, not processing the firewall rules correctly.

The reason I wanted to know if it was simple to create a new zone, say yellow, was to keep the email and web server separated, but this is a nice to have; no big deal if it can't be done.

@gpapaiko

Hi

A new Zone, e.g. for Mail, and an additional one for Web is not a problem.

You just have to allocate one of the existing ZONE types to your two new ZONES


Btw.:
I use a separate OPNsense box for all of my clients.

This seems to be a client-side preference here (separate box as firewall/gw), but it's OK with me.
OPNsense does all I need, even in difficult situations

It does have advantages too: if you need to do maintenance on any server (Nethserver, Proxmox) you still have Internet to research / solve the problems.

I am an advocate of open source, all my clients have a NethServer as AD.
Sure some use Windows, but only as clients - or as “application servers” under NethServer’s AD!

But give a plausible reason for a somewhat unusual request, and I’m the most reasonable to talk to! :slight_smile:

-> Even if I had the money / won Euro-Billions (They’re still at Euro-Millions!), I would prefer - in most cases - open source. That’s not a bad strategy in the last 35 years for me, and if it’s not broken, why fix it?

My 2 cents
Andy

PS:
Watchguard is just an overpriced Linux with less options, IMHO

I would not touch it, even if given one free

Had to use one years back, even then (and now): no way!

In the docs you can find some notes about zones, firewall policies and where to create a firewall zone object:

If I understand you correctly, you are looking to keep two different subnets (email servers and web servers) in the same zone (orange) from talking? I have not tried this, but I would think that adding a pair of reject or drop rules into the firewall, one for each direction (email > webserver, webserver > email), would prevent this communication.

hi

@Andy_Wismer, thanks. As to WatchGuard, I agree with you on those comments. In the past I was given a couple of them with 16 ports. One thing I did find with them was that it was easy to replace the OS: I added a 2.5" drive, installed pfsense, and got the LCD to display stats. They worked great, but the downside was their power supplies just would not operate for a long time; they burned out after about 12-18 months, hence I assume faulty PSUs.

Greg, you are right, that is what I am trying to do, and setting up a VPN zone as well that will have specific rules.

As I mentioned, I am still evaluating my options between Nethserver and OPNsense.
So at the moment I am setting up Nethserver with the firewall rules; OPNsense is done. Then it is just adjusting the DHCP server and the router (to send all traffic to a firewall red interface; later they will be on a separate VLAN) to whichever I want to test.

@dnutan thanks for the links to the doc I will go through those as well.

Thanks for all your comments.


If you test the firewalling between subnets in the same zone, I would be curious to hear how it works/if it works.