"BACHKHOA-NPOWER" - International Network Expert Training System

Project for completion of the course "CompTIA Security+ Certification"

Topic: A study of the pfSense firewall

Supervising lecturer:
Student:
Class:

April 2011

Table of contents

I. Introduction to the pfSense firewall
II. Installing and configuring pfSense
   1. Installing pfSense
   2. Configuring the network cards of the pfSense machine
   3. Setting the LAN IP address and enabling DHCP for the internal LAN
   4. Configuring pfSense through the web interface (WebGUI)
   5. Installing packages
   6. Backup and recovery
III. Some basic applications and services of pfSense
   1. Features of the pfSense firewall
      1.1 pfSense aliases
      1.2 NAT
      1.3 Firewall rules
      1.4 Firewall schedules
      1.5 Traffic shaper
      1.6 Virtual IPs
   2. Some pfSense services
      2.1 Captive portal
      2.2 DHCP server
      2.3 Load balancer
   3. VPN on pfSense
      3.1 PPTP VPN
      3.2 OpenVPN site to site
IV. Deploying a front-end/back-end network model
V. Remarks

I. Introduction to the pfSense firewall

To protect an internal network there are many options, such as a Cisco router or a Microsoft firewall such as ISA. Those components, however, are relatively expensive. For users who do not want to spend much money but still want a firewall protecting the internal network (the intranet) where it meets the Internet, pfSense is a relatively economical and effective solution.

pfSense is a free application with strong routing and firewall functions; it lets you extend your network without compromising its security. Since it began in 2004, when m0n0wall was just taking its first steps (m0n0wall being a security project focused on embedded systems), pfSense has passed one million downloads and is used to protect networks of every size, from home networks to the large networks of companies.
The application has a very active developer community, and many features are added in each release to further improve its security, stability and flexibility. pfSense includes many features that you would find on commercial firewall or router appliances, such as a web-based GUI that makes management easy. While this free software has many impressive features for a free firewall/router, it also has some limitations.

pfSense supports filtering by source and destination address, by source or destination port, and by IP address. It also supports policy routing and can operate in bridge or transparent mode, which lets you simply place pfSense between network devices without any additional configuration. pfSense provides network address translation (NAT) and port forwarding, but it still has some limitations with the Point-to-Point Tunneling Protocol (PPTP), Generic Routing Encapsulation (GRE) and Session Initiation Protocol (SIP) when NAT is used.

pfSense is based on FreeBSD and on FreeBSD's Common Address Redundancy Protocol (CARP), which provides redundancy by letting administrators group two or more firewalls into an automatic failover group. Because it supports multiple wide area network (WAN) connections, it can load-balance between them. It has one limitation here, however: traffic can only be distributed between two WAN connections, and you cannot

[Diagram: Internet - WAN - LAN - switch]

II. Installing and configuring pfSense

1. Installing pfSense

On the machine that will run pfSense, put the pfSense LiveCD Installer disc into the CD/DVD drive and boot from it. At the "Welcome to FreeBSD!" screen, choose 99 to start installing pfSense onto the computer. Choose "Accept these settings" to accept the installation settings.
Choose Quick/Easy Install or Custom Install to install to the hard disk.

2. Configuring the network cards of the pfSense machine

At "Enter an option:", choose 1 to start setting up the interfaces. When asked "Do you want to setup VLANs now", choose N. Use the MAC addresses to tell the internal and external cards apart. Enter le0 for the LAN interface and le1 for the WAN interface; if the machine has two WAN cards, also enter le2 for the WAN2 interface. When asked to "Enter the Optional ..." interface, leave it blank and press Enter, then choose Y to apply the interface setup.

[Screenshot: console banner "Welcome to pfSense 1.2.3-RELEASE-pfSense" showing the interface assignments after setup]

3. Setting the LAN IP address and enabling DHCP for the internal LAN

To set the IP address of the LAN card, choose 2. Enter the IP address you want, then at "Enter the new LAN subnet bit count" enter 24 and press Enter. Choose Y to enable the DHCP server that hands out IP addresses to the client machines (the internal network), and enter the IP range to allocate to clients (the start and end of the range are shown in the figure).

4. Configuring pfSense through the web interface (WebGUI)

On a client machine, open a browser, enter pfSense's internal IP address, and log in with the default username and password: admin / pfsense.

[Screenshot: browser authentication prompt "The server requests a username and password"]

The setup wizard then asks for the time, date and time zone, and for the hostname. Choose the time zone for pfSense > Next.

[Screenshot: setup wizard WAN page, "On this screen we will configure the Wide Area Network information." Fields: Selected Type; MAC Address, which can be used to modify (spoof) the MAC address of the WAN interface (may be required with some cable connections), entered as xx:xx:xx:xx:xx:xx or left blank; MTU, where a value entered here enables MSS clamping of TCP connections to that value minus 40 (the TCP/IP header size).]
[Screenshot, WAN page continued: if the MTU field is left blank, an MTU of 1492 bytes for PPPoE and 1500 bytes for all other connection types is assumed. IP Address; Gateway: 192.168.1.1]

In the WAN screen you can choose between several connection types: Static, Dynamic Host Configuration Protocol (DHCP), Point-to-Point Protocol and PPPoE. Choose the connection type that matches what your ISP has configured.

[Screenshot: setup wizard LAN page, "On this screen we will configure the Local Area Network information." LAN IP address (type dhcp if this interface uses DHCP to obtain its IP address); Subnet Mask; Next]

Configuring the LAN is very simple. If you already did it before installing, you only need to set the IP address.

Reset the admin password used to access pfSense.

[Screenshot: "A reload is now in progress. Please wait. The system will automatically try to access in 120 seconds. You can click on the icon above to access the site more quickly."]

[Screenshot: the web-based pfSense configuration interface]

5. Installing packages

Users who need functions beyond what the pfSense installer provides can add packages from a selection of software. Packages are installed with the Package Manager, found under the System menu. The Package Manager lists every available package together with a brief description of its function. To install a package, click the "Add" icon on the right side of the page.

[Screenshot: System: Package Manager, Available packages / Install Package]

After installation completes, the new package appears under "Installed packages" in the Package Manager. To remove a package, click the "Remove" icon on the right side of the page; this launches the package installer, which shows the progress of the removal.
6. Backup and recovery

To back up or restore the pfSense configuration, go to Diagnostics > Backup/restore.

[Screenshot: Diagnostics: Backup/restore, with "Download configuration" (optionally without package information) and "Restore configuration"]

Backing up and restoring the pfSense configuration is fairly easy. You only need to choose the configuration area to back up or restore: Aliases, NAT, traffic shaper, PPTP server, system, and so on.

III. Some basic applications and services of pfSense

1. Features of the pfSense firewall

1.1 pfSense aliases

[Screenshot: Firewall: Aliases, a list of named hosts and networks]

Aliases can save you a large amount of time if you use them correctly. A short alias name stands for a host, a port or a network and can be used when creating rules in pfSense. Using aliases lets you keep many entries in a single place, which means you do not need to create many rules for a group of machines or ports, and editing the rules becomes easier.

1.2 NAT

pfSense provides network address translation (NAT) and port forwarding, though it still has some limitations with PPTP, GRE and SIP when NAT is used. Under Firewall you can also use port forwarding for services or configure static 1:1 NAT for specific hosts. The default NAT setting for outbound connections is automatic/dynamic, but you can switch it to manual if needed.

1.3 Firewall rules

This is where the firewall's rules (filtering policies) are kept. To reach the rules in pfSense, go to Firewall > Rules.
By default pfSense allows all traffic in and out of the system; you must create rules to control the network behind the firewall.

[Screenshot: Firewall: Rules, with columns Proto, Source, Port, Destination, Port, Gateway, Schedule, Description; the rule editor offers "Single host or alias" for source and destination, an invert-match option, and a destination port range]

Example: create a rule that blocks web access on port 80 for the LAN machines, where MayLan is the name of an alias. After creating the rule, click Save and then Apply Changes.

1.4 Firewall schedules

Firewall rules can be scheduled so that they are only active at certain times of the day, on specific dates, or on certain days of the week.

[Screenshot: Firewall: Schedules, with columns Name, Time Range, Description; "Schedules act as placeholders for time ranges to be used in firewall rules."]

To create a new schedule, go to Firewall > Schedules and click +. Example: create a schedule named GioLamViec for December, from Monday to Saturday, from 8:00 to 17:00. After setting the range, click Add Time; the Configured Ranges list below shows the schedule details you just set. Finally click Save.

1.5 Traffic shaper

The traffic shaper helps you monitor and manage network bandwidth more easily and effectively. Traffic shaping is a way of optimizing the Internet connection: it maximizes throughput while keeping latency to a minimum. When it is in use, ACK packets are given priority on the upload path, which lets downloads continue at full speed.

To configure the traffic shaper to manage bandwidth, open the pfSense web interface and choose Firewall > Traffic Shaper. The wizard opens with the warning "Going any further will wipe your existing shaper config!!"
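Sections 1.1, 1.3 and 1.4 above describe three mechanisms that interact: an alias expands to its member hosts or ports, the rules on a tab are evaluated top to bottom with the first match deciding, and a rule carrying a schedule is ignored while that schedule is inactive. The following Python model, an added example written for this document and not pfSense code, puts the block rule from 1.3 (port 80 for the MayLan alias) under the GioLamViec schedule from 1.4, places it above the default "LAN -> any" pass rule, and evaluates sample connections against it. The alias members, the destination address and the timestamps are constructed values; the model covers the LAN tab only and treats a connection that no rule matches as blocked, which is pfSense's implicit default deny.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed aliases, as defined under Firewall > Aliases. MayLan groups the
# LAN hosts that the port-80 block rule applies to; WebPorts is a port alias.
ALIASES = {
    "MayLan": ["192.168.1.10", "192.168.1.11", "192.168.1.32/29"],
    "WebPorts": ["80", "443"],
}

# Constructed schedule matching the text: GioLamViec, Monday to Saturday,
# 08:00 to 17:00 (datetime.weekday(): Monday = 0 ... Sunday = 6).
SCHEDULES = {
    "GioLamViec": {"days": {0, 1, 2, 3, 4, 5}, "start": time(8, 0), "end": time(17, 0)},
}


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    proto: str = "any"              # "tcp", "udp" or "any"
    src: str = "any"                # host, network, alias name or "any"
    dst: str = "any"
    dport: str = "any"              # port, "lo-hi" range, alias name or "any"
    schedule: Optional[str] = None  # a scheduled rule is skipped while inactive
    description: str = ""


def expand_hosts(spec):
    """Resolve a host/network/alias spec to networks; None means 'any'."""
    if spec == "any":
        return None
    return [ip_network(m, strict=False) for m in ALIASES.get(spec, [spec])]


def expand_ports(spec):
    """Resolve a port, range or port alias to a set of ints; None means 'any'."""
    if spec == "any":
        return None
    ports = set()
    for m in ALIASES.get(spec, [spec]):
        if "-" in m:
            lo, hi = m.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(m))
    return ports


def schedule_active(name, now):
    """Rules without a schedule are always active; otherwise check day and time."""
    if name is None:
        return True
    s = SCHEDULES[name]
    return now.weekday() in s["days"] and s["start"] <= now.time() < s["end"]


def rule_matches(rule, proto, src, dst, dport, now):
    if not schedule_active(rule.schedule, now):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    for spec, addr in ((rule.src, src), (rule.dst, dst)):
        nets = expand_hosts(spec)
        if nets is not None and not any(ip_address(addr) in n for n in nets):
            return False
    ports = expand_ports(rule.dport)
    return ports is None or dport in ports


def evaluate(rules, proto, src, dst, dport, when):
    """First matching rule wins, as on a pfSense rules tab; nothing matching is
    blocked (the implicit default deny). `when` is a datetime or an ISO 8601
    string such as "2011-12-07T10:00"."""
    now = datetime.fromisoformat(when) if isinstance(when, str) else when
    for rule in rules:
        if rule_matches(rule, proto, src, dst, dport, now):
            return rule.action, rule.description
    return "block", "implicit default deny"


# LAN tab: the block rule from section 1.3, scheduled with GioLamViec, placed
# above the "Default LAN -> any" pass rule that pfSense creates for the LAN.
LAN_RULES = [
    Rule("block", "tcp", "MayLan", "any", "80", "GioLamViec", "Block web (port 80) for MayLan"),
    Rule("pass", description="Default LAN -> any"),
]

if __name__ == "__main__":
    # Wednesday 7 December 2011, 10:00 is inside the schedule, so port 80 is blocked
    print(evaluate(LAN_RULES, "tcp", "192.168.1.10", "203.0.113.5", 80, "2011-12-07T10:00"))
```

The same host reaching port 443, any host outside the alias, or the alias host on a Sunday all fall through to the default pass rule, which is exactly the behaviour to check after clicking Apply Changes: a scheduled block rule that is inactive is not "off", it is simply absent, and whatever rule sits below it decides.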
"If you do not wish to continue, please click the pfSense logo at the top to return to the webconfigurator. This wizard will guide you through setting up the pfSense traffic shaper." Choose Next.

[Screenshot: wizard page with Inside (LAN; "This is usually the LAN interface. Inside interface for shaping your download speeds"), Download ("The download speed of your WAN link in kbits/second"), Outside (WAN; "This is usually the WAN interface. Outside interface for shaping your upload speeds") and Upload ("The upload speed of your WAN link"); a note advises PPPoE users to enter a somewhat lower speed]

Choose LAN as Inside and enter the download speed of the line; choose WAN as Outside and enter the upload speed of the line. Choose Next.

[Screenshot: "Prioritize Voice over IP traffic", which raises the priority of VoIP traffic above all other traffic; Provider (choose Generic if your provider is not listed); Address (optional; if set, the provider field is overridden and you just give the IP address of the VoIP adapter to prioritize; a firewall alias can also be used here); Bandwidth (total bandwidth guarantee for the VoIP phones)]

Support for Voice over IP > Next.

[Screenshot: "Penalty Box": Penalize IP or Alias lowers the priority of traffic from that IP or alias; Address (the IP address of the computer(s) to penalize; a firewall alias can also be used); Bandwidth up (the upload limit in Kbits/second); Bandwidth down (the download limit in Kbits/second)]

Choose Next.

[Screenshot: "Peer to Peer networking": "Lower priority of Peer-to-Peer traffic" lowers the priority of P2P traffic below all other traffic; check the items you would like to prioritize lower than normal traffic; p2pCatchall: when enabled, all uncategorized traffic is fed to the p2p queue; Bandwidth up (the upload limit in Kbits/second)]
[Screenshot continued: Bandwidth down (the download limit in Kbits/second); Enable/Disable specific P2P protocols: Aimster (Aimster and other P2P using the Aimster protocol and ports), BitTorrent (BitTorrent and other P2P using the Torrent protocol and ports), BuddyShare (BuddyShare and other P2P using the BuddyShare protocol and ports), CuteMX (CuteMX and other P2P using the CuteMX protocol and ports), ...]

Support for peer-to-peer networks such as BitTorrent, CuteMX and iMesh.

[Screenshot: "Prioritize network gaming traffic", which raises the priority of gaming traffic above most traffic; BattleNET: virtually every game from Blizzard publishing should match this, including the Starcraft, Diablo and Warcraft series; Guild Wars also uses this port]

Support for gaming networks such as BattleNET and Xbox 360, and for some online games.

[Screenshot: "Raise or lower other Applications": "Other networking protocols" helps raise or lower the priority of other protocols above or below most traffic; Microsoft Remote Desktop Protocol, VNC (Virtual Network Computing), Apple Remote Desktop, ...]

Manage the bandwidth of other applications such as remote services, VPN, messengers, web, mail and miscellaneous traffic.

"After pressing Finish the system will load the new profile. Please note that this may take a moment. Also note that the traffic shaper is stateful, meaning that only new connections will be shaped. If this is an issue please reset the state table after loading the profile."

1.6 Virtual IPs

A Virtual IP (VIP) lets pfSense use an IP address that is not one of its primary interface addresses. There are several kinds of VIP, each with its own characteristics. Virtual IPs are used so that pfSense can forward traffic correctly for things like NAT port forwards, outbound NAT and 1:1 NAT. They also enable features such as failover, and they can let services on the router bind to different IP addresses.
CARP
- Can be used by the firewall itself to run services, or forwarded.
- Generates layer 2 traffic for the VIP.
- Can be used for clustering (a master firewall and a standby firewall for failover).
- The VIPs must be in the same IP subnet as the real interface.
- Answers ICMP ping if the firewall rules allow it.

Proxy ARP
- Cannot be used by the firewall itself, but can be forwarded.
- Generates layer 2 traffic for the VIP.
- The VIPs can be in a different subnet from the real interface's IP.
- Does not answer ICMP ping.

Other
- Can be used if the provider routes your VIPs to you anyway, without any layer 2 announcement.
- Cannot be used by the firewall itself, but can be forwarded.
- The VIPs can be in a different subnet from the interface's IP.
- Does not answer ICMP ping.

2. Some pfSense services

2.1 Captive portal

The captive portal is a flexible feature of the kind found only on large commercial firewalls. It redirects the user's browser to a predefined web page, which lets us manage the users. It is more convenient than login methods such as WPA and WPA2 because the user interacts directly with a web page (HTTP or HTTPS) rather than with the awkward login dialog of WPA/WPA2 authentication. The captive portal feature is under Services > Captive portal.

[Screenshot: Services: Captive portal, with tabs Captive portal, Pass-through MAC, Allowed IP address, Users, File Manager]

- Captive portal: fine-tune the functions of the captive portal.
- Pass-through MAC: MAC addresses that are let through without authentication.
- Allowed IP address: IP addresses configured here are not authenticated.
- Users: create local users for the "local user" authentication type.
- File Manager: upload the captive portal's own page to pfSense.

The options under the Captive portal tab are as follows; tick Enable captive portal if you want to use the captive portal.
- Enable captive portal: turns the captive portal on.
- Maximum concurrent connections: limits the number of connections per IP/user/MAC.
- Idle timeout: if an IP has not accessed the network for the given time, its IP/user/MAC session is disconnected.
- Hard timeout: limits the total connection time of each IP/user/MAC session.
- Logout popup window: shows a popup notice to the IP/user/MAC.
- Redirect URL: the URL the user is sent to after logging in.

[Screenshot: MAC filtering and authentication options]

- MAC filtering: tick this if pfSense sits in front of a router. pfSense tracks connections by MAC address by default, and data passing through a router has its MAC address changed, so at a timeout all users would lose their connection.
- Authentication: choose the authentication type. pfSense supports three:
  - No authentication: pfSense redirects the user to the set page without authenticating.
  - Local user manager: pfSense lets you create users to authenticate against.
  - RADIUS authentication: authenticate with a RADIUS server (you must specify the RADIUS server's IP address, port, and so on).

[Screenshot: authentication settings and the "Portal page contents" upload field]

Create an index.htm page with the following content. The form posts the username and password back to the portal; $PORTAL_ACTION$ and $PORTAL_REDIRURL$ are placeholders that pfSense fills in when it serves the page, and the auth_pass and redirurl fields are the standard fields of the pfSense portal form.

    <form method="post" action="$PORTAL_ACTION$">
      <input name="auth_user" type="text">
      <input name="auth_pass" type="password">
      <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
      <input name="accept" type="submit" value="Continue">
    </form>

Then click Browse under "Portal page contents", upload this file, and click Save to store it.

[Screenshot: Services: Captive portal: Users, with Username, Password, Full name and Expiration date (if the account should expire on a certain date, enter it as mm/dd/yyyy); Save]

2.2 DHCP server

The DHCP server supplies the TCP/IP configuration for the network by handing out IP addresses to clients when they join the network.

[Screenshot: Services: DHCP server, "Enable DHCP server on LAN interface", with the address range and static mappings (Hostname, Description)]

2.3 Load balancer

pfSense's load balancing has the following characteristics.

Advantages
- Free.
- Can be extended with additional features through add-on packages.
- Easy to install and configure.

Limitations
- An extra modem must be added if one is not already available.
- No vendor support, unlike other load balancing appliances.
- Still no URL filtering feature such as commercial appliances offer.
- The user needs basic networking knowledge to configure it.

To configure load balancing, go to Services > Load Balancer.

[Screenshot: Load Balancer: Pool, with columns Name, Type, Servers/Gateways, Port, Monitor, Description]

Click + to add a pool and configure it as follows:
- Name: LoadBalancer
- Type: Gateway
- Behavior: Load Balancing
- Monitor IP: choose the monitor IP of a gateway interface together with the matching Interface name, then click Add to pool.
Click Save and then Apply Changes.

[Screenshot: rule editor Gateway field, "Leave as 'default' to use the system routing table, or choose a gateway to utilize policy based routing."]

Switch to the LAN tab of Firewall > Rules and click + to add a rule:
- Action: Pass
- Protocol: any
- Gateway: LoadBalancer
Click Save and Apply the rule.

To check the result, go to Status > Load Balancer.

[Screenshot: Status: Load Balancer: Pool, both links Online]

[Screenshot: Status: Load Balancer: Pool, one link Offline]
3. VPN on pfSense

A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or remote users to a LAN at a central office. Instead of a real, costly dedicated connection such as a leased line, a VPN creates virtual links routed over the Internet between an organization's private network and the remote site or user.

3.1 PPTP VPN

To use this feature, go to VPN > PPTP.

[Screenshot: VPN: PPTP, with Enable PPTP server, Server address, Remote address range and "Use a RADIUS server for authentication"]

- Choose Enable PPTP server to turn on the VPN.
- Server address: the address that clients connect to.
- Remote address range: the range of IP addresses given to VPN clients when they connect.
- RADIUS: authenticate through RADIUS.

Click Save and switch to the Users tab to create VPN accounts.

[Screenshot: VPN: PPTP: Users, with columns Username and IP address]

After creating the user, go to Firewall > Rules and create rules that allow VPN clients to access the network.

[Screenshot: Firewall: Rules, PPTP VPN tab]

On the VPN client, in Network Connections choose "Create a new connection" to open the New Connection Wizard.
[Screenshot: New Connection Wizard, network connection type]

Choose "Connect to the network at my workplace" > Next. Choose "Virtual Private Network connection" > Next. Enter a name for the VPN connection > Next. Enter the IP address of the VPN server > Next. Enter the username and password and click Connect.

3.2 OpenVPN site to site

[Diagram: pfSense 1 with its LAN - Internet - pfSense 2 with its LAN, joined by an OpenVPN site-to-site tunnel]

To create the shared key for pfSense, go to Diagnostics > Command and, under "Execute Shell command", run

    openvpn --genkey --secret /dev/stdout

and click Execute. The output is an OpenVPN static key.

[Screenshot: Diagnostics: Execute command, showing the generated "OpenVPN Static key V1" block]

To create the site-to-site connection, go to VPN > OpenVPN. On the Server tab, click +.

[Screenshot: OpenVPN: Server: Edit, with Disable this tunnel, Protocol, Dynamic IP, Local port, Address pool, Remote network, Cryptography, Authentication method, Shared key and LZO compression]

- Protocol: the protocol used for the VPN.
- Dynamic IP: allow clients to connect with a dynamic IP address assigned by a DHCP server.
- Local port: the port the OpenVPN server listens on; the default is port 1194.
- Address pool: the addresses pfSense will give to clients.
- Remote network: declare the network that pfSense will connect to.
- Cryptography: choose the encryption method.
- Authentication method: Shared Key.
- Shared key: enter pfSense's shared key.
- LZO compression: compress packets during transfer using LZO.

Click Save.

[Screenshot: OpenVPN: Server list, with columns Disabled, Protocol, Address pool, Description]

Create a rule on WAN that allows the OpenVPN connection.

[Screenshot: Firewall: Rules, WAN tab, with a pass rule for the OpenVPN port]

On pfSense 2, go to VPN > OpenVPN, choose the Client tab and click +.

[Screenshot: OpenVPN: Client: Edit, with Disable this tunnel, Protocol, Server address, Server port, Interface IP, Remote network, Cryptography, Authentication method, Shared key and LZO compression]

- Protocol: the protocol the server uses for the VPN.
- Server address: the address of the OpenVPN server.
- Server port: the connection port configured for the VPN on pfSense 1.
- Interface IP: the IP address the server assigns to the client.
- Remote network: the internal IP range of pfSense 1.

Choose the encryption method, enter pfSense 1's shared key, and click Save.

[Screenshot: OpenVPN: Client list, with columns Disabled, Server, Protocol, Description]

IV. Deploying a front-end/back-end network model

The front-end/back-end model helps the system resist hackers, keeps the data on the local network safe, and makes the traffic in the LAN easy to manage. The model gives high security, but the investment cost is quite high.

[Diagram: pfSense 1 (front end) with two WAN links, pfSense 2 (back end) behind it]
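Before the deployment walkthrough, one check worth automating for the site-to-site OpenVPN setup in section 3.2: the shared-key step copies the output of `openvpn --genkey --secret` from pfSense 1 into the Shared key field of both firewalls, and a key that was truncated or altered while being pasted is a common reason such a tunnel fails to authenticate. The Python helper below, an added example for this document and not pfSense or OpenVPN code, formats a key in the "OpenVPN Static key V1" file layout that the command produces (comment lines, a BEGIN/END marker pair and 256 bytes as 16 lines of 32 hex digits), parses that layout back, rejects a key with the wrong length or non-hex content, and compares the two sides by fingerprint so that the secret itself need not be displayed. The key bytes used here are a constructed sample pattern, not a real key.

```python
import hashlib

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256      # a static key is 2048 bits
HEX_PER_LINE = 32    # the file carries 16 lines of 32 hex digits


def format_static_key(key: bytes) -> str:
    """Render raw key bytes in the layout written by `openvpn --genkey --secret`."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"static key must be {KEY_BYTES} bytes, got {len(key)}")
    hexkey = key.hex()
    body = "\n".join(hexkey[i:i + HEX_PER_LINE] for i in range(0, len(hexkey), HEX_PER_LINE))
    return f"#\n# 2048 bit OpenVPN static key\n#\n{BEGIN}\n{body}\n{END}\n"


def parse_static_key(text: str) -> bytes:
    """Extract the key bytes from a pasted static key file, validating the layout."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]   # drop comments
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END OpenVPN Static key V1 markers")
    hexkey = "".join(lines[1:-1])
    try:
        key = bytes.fromhex(hexkey)
    except ValueError:
        raise ValueError("key body contains non-hex characters") from None
    if len(key) != KEY_BYTES:
        raise ValueError(f"key body is {len(key)} bytes, expected {KEY_BYTES}")
    return key


def is_valid_static_key(text: str) -> bool:
    """True when the pasted text is a complete, well-formed static key."""
    try:
        parse_static_key(text)
        return True
    except ValueError:
        return False


def key_fingerprint(text: str) -> str:
    """Short SHA-256 fingerprint of a parsed key, for comparing the two pfSense
    boxes without showing the secret itself."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()[:16]


def keys_match(text_a: str, text_b: str) -> bool:
    """True when both sides hold exactly the same static key."""
    return parse_static_key(text_a) == parse_static_key(text_b)


# Constructed sample key: a fixed 256-byte pattern, never a real key.
SAMPLE_KEY = bytes(range(256))
SAMPLE_TEXT = format_static_key(SAMPLE_KEY)

if __name__ == "__main__":
    print(SAMPLE_TEXT)
    print("fingerprint:", key_fingerprint(SAMPLE_TEXT))
```

Run `key_fingerprint` on the text pasted into each firewall's Shared key field and compare the two short values; if they differ, or if `is_valid_static_key` reports a malformed key, the tunnel would never authenticate and the key should be copied again in full.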
[Diagram continued: a web server and the XP clients on the 172.16.1.x network behind pfSense 2]

Requirements of the front-end/back-end model:
- Configure the Load Balancer service for WAN1 and WAN2.
- Publish the web server.
- Allow the XP machine out to the Internet.

Configuration

On pfSense 1, go to Services > Load Balancer and click + to start configuring the Load Balancer service.

[Screenshot: Load Balancer: Pool: Edit, Name LoadBalancer]

- Name: LoadBalancer
- Type: Gateway
- Behavior: Load Balancing
- Monitor IP and Interface Name must be chosen to match each other, for example WAN2's gateway with WAN2; then click Add to pool.
Click Save.

Go to Status > Load Balancer to see the state of the service.

[Screenshot: Status: Load Balancer: Pool, with columns Name, Type, Gateways, Status; both gateways Online]

Publishing the web server

On pfSense 1, go to Firewall > NAT: Port Forward and click + to add a NAT rule.

[Screenshot: Firewall: NAT: Port Forward: Edit, with Interface, External address, Protocol, External port range, NAT IP, Local port, Description and "Auto-add a firewall rule to permit traffic through this NAT rule"]

- External address: choose Interface address; if you also want to reach the website from inside the LAN, choose any.
- Protocol: TCP
- External port range: HTTP
- NAT IP: the address of the web server.
Tick "Auto-add a firewall rule to permit traffic through this NAT rule" > Save.

[Screenshot: Firewall: NAT: Port Forward, with columns If, Proto, Ext. port range, NAT IP, Int. port range, Description]

[Screenshot: Firefox on a client showing "Welcome to my Website", and an Administrator command prompt]

Allowing machine XP2 out to the Internet

On pfSense 1, go to Firewall > Aliases and click + to add an alias.

[Screenshot: Firewall: Aliases: Edit, with Name, Description and Type Host(s)]
Create a new alias named Pfsense2. Then create a rule that lets pfSense 2 out to the Internet:

[Screenshot: Firewall: Rules: Edit]

- Action: Pass
- Interface: LAN
- Protocol: any
- Source: Single host or alias > PfSense2
- Destination: any
- Gateway: default

[Screenshot: Firewall: Rules, LAN tab with the new rule]

On pfSense 2, create a rule that allows the machines in its LAN to browse the web:

[Screenshot: Firewall: Rules: Edit]

- Action: Pass
- Interface: LAN
- Protocol: TCP
- Source: LAN subnet
- Destination: any
- Destination port range: HTTP

Click Save and test.

[Screenshot: the Google Vietnam home page loaded on a LAN client]

V. Remarks

To protect an internal network there are many options, such as a Cisco router or a Microsoft firewall such as ISA, but those components are relatively expensive. For users who do not want to spend much but still want a firewall protecting the internal network (the intranet) where it meets the outside network (the Internet), pfSense is the most economical and effective solution. Another important point is that the hardware needed to install and use pfSense is not demanding, unlike much of today's new software: a P3 machine with 128 MB of RAM and a 1 GB hard disk is enough to build a pfSense firewall protecting the internal network.
pfSense is an application with strong routing and firewall functions that lets you extend your network without compromising its security. The software is compact, easy to configure through its web interface, and, notably, able to install additional packages to extend its features. The pfSense firewall can meet the needs of a small business network; it is easy to manage and offers many features like those in commercial products. Even so, some features used in large enterprises are still limited, so I do not recommend using it in large environments. With the application's active developer community, however, the project should resolve such issues as new features are added. You can certainly add pfSense to the list of firewall/router solutions that are still developing and are low-cost or free.

