Each Axcient Continuity Cloud node is provisioned with a virtual firewall to handle internet traffic for your restored virtual machines and provide secure access to your servers.
In this article, you will learn how to:
- Access your assigned pfSense virtual firewall.
- Configure the LAN interface of the firewall.
- Set up the DHCP server.
- Set up the access rules or NAT translations required to support your restored environment.
- Configure OpenVPN for remote user access.
- Set up remote user accounts.
ACCESS THE VIRTUAL FIREWALL
Use the information provided by Axcient to gain access to the pfSense virtual firewall running on your assigned Continuity Cloud (CC) Node.
Hyper-V/VirtualBox Continuity Cloud Nodes
1. To access the console of your pfSense virtual firewall, first log in to your CC Node using RDP, then open a web browser and go to the WAN Alias IP address of your virtual firewall.
(It will look similar to the example shown below.) https://10.x.x.x:37038
This is a locally accessible private IP address. There is also a shortcut on the desktop of the CC Node.
2. Now, enter admin for the Username. The default Username is always admin.
3. Next, for the Password credential, enter the CCNode password you used to remote into the CCNode.
Please note that both the Username and Password credentials are case sensitive.
4. After both the Username and the Password credentials are entered, click Sign In.
VMware Continuity Cloud Nodes
1. To access the console of your pfSense virtual firewall, open a web browser and go to the link provided by Axcient. It will look similar to the link below. This is a publicly accessible IP address, so you can access this URL from any computer with an internet connection. https://CCNodeName.cc.sc.efscloud.net:37038
2. Next, enter the credentials you received from Axcient for your virtual firewall and click Login. Please note that the username and password are case sensitive.
CONFIGURE THE LAN INTERFACE
Configure the LAN interface of the pfSense virtual firewall with the proper IP address and subnet mask required for the virtual machines you are restoring. This IP address will serve as the default gateway for all virtual machines you restore to the Continuity Cloud node.
1. From the menu, click on Interfaces and then select LAN from the drop-down list:
2. In the Static IP Configuration section of the page, enter the IP address for the virtual firewall:
This IP address will become the default gateway IP for virtual machines on your LAN.
In the example shown above, the VM used to be on the network 192.168.1.0/24 (netmask 255.255.255.0) with the default gateway having an IP of 192.168.1.1.
3. Make sure that the IP Upstream gateway is set to None.
IMPORTANT: Do not check the Block private networks and loopback addresses option. This would block traffic from the WAN-DMZ. Leave this box unchecked.
Click Save when you’re finished.
CONFIGURE THE DHCP SERVER
Next, enable and configure the DHCP server (or leave it disabled within your environment.)
1. In the menu at the top of the page, choose Services > DHCP Server.
2. Click the LAN tab.
• If you do not want the firewall to act as a DHCP server, uncheck the Enable option.
• If you need a DHCP server on the LAN network, click the Enable box and then enter the Range of IPs the DHCP server should use in its pool.
Note: Typically, you can leave the DNS servers entry blank, and Axcient's DNS infrastructure will automatically be used.
3. Click the Save button.
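Before entering the LAN address and DHCP range in the GUI, it is worth checking the plan on paper: the gateway must sit inside the subnet, the pool must lie inside the subnet, and the pool must not contain the gateway or any server that keeps a fixed address. The following script is an added example (not Axcient's or pfSense's code) that performs those checks with Python's standard ipaddress module; the network and gateway come from the article's example, while the static host list and pool bounds are assumed values.

```python
import ipaddress

# Values from the article's scenario: the restored VMs lived on 192.168.1.0/24
# with a default gateway of 192.168.1.1 (which becomes the pfSense LAN address).
LAN_NET = "192.168.1.0/24"
GATEWAY = "192.168.1.1"
# Assumed: restored servers that keep fixed addresses, and the planned DHCP pool.
STATIC_HOSTS = ["192.168.1.10", "192.168.1.20"]
POOL_START, POOL_END = "192.168.1.100", "192.168.1.199"


def check_lan_plan(lan_net, gateway, pool_start, pool_end, static_hosts):
    """Return a list of problems with the LAN/DHCP plan; an empty list means OK."""
    problems = []
    net = ipaddress.ip_network(lan_net, strict=True)
    gw = ipaddress.ip_address(gateway)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    hosts = [ipaddress.ip_address(h) for h in static_hosts]

    # The firewall's LAN address must be a usable host address in the subnet.
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address")

    for h in hosts:
        if h not in net:
            problems.append(f"static host {h} is not inside {net}")

    # The DHCP range must be ordered, inside the subnet, and must not hand out
    # the gateway or any statically assigned server address.
    if start > end:
        problems.append("DHCP pool start is after pool end")
    if start not in net or end not in net:
        problems.append("DHCP pool is not contained in the LAN subnet")
    if start <= gw <= end:
        problems.append(f"DHCP pool contains the gateway {gw}")
    for h in hosts:
        if start <= h <= end:
            problems.append(f"DHCP pool overlaps static host {h}")
    return problems


if __name__ == "__main__":
    issues = check_lan_plan(LAN_NET, GATEWAY, POOL_START, POOL_END, STATIC_HOSTS)
    print("plan OK" if not issues else "\n".join(issues))
```

Run it with the values you intend to type into the Interfaces > LAN and Services > DHCP Server pages; every reported line corresponds to a field that would otherwise leave restored machines without a working gateway or with an address conflict.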
CONFIGURE FIREWALL RULES & NAT
Now, configure any required firewall rules to allow external access to services running on your restored virtual machines.
Set outbound traffic
By default, all outbound traffic is allowed.
1. To disable all outbound traffic, browse to the Firewall menu and select Rules.
2. Click the LAN tab.
3. Find the rule(s) from the Source LAN net to any destination.
4. Click the green check mark on the left to disable the rule:
5. Finally, remember to click the Save button.
Next, set up any ports to be forwarded from your assigned public IPs to internal IPs.
1. Click on Firewall in the main menu and select NAT.
2. Under the Port Forward tab, click the Add icon to add a new rule.
Normally, you should leave the Interface set to WAN and Protocol set to TCP:
3. For Destination, choose the proper IP address that corresponds to your desired public IP.
Note: The WAN address entry (shown) is your primary public IP.
If you have additional public IP addresses assigned, they will be present at the bottom of the drop-down list.
In this example, we have selected the third WAN IP.
4. Using the two Destination port range drop-down lists, select the service or port you want to forward. You can also manually enter a range of ports. In this example, we are forwarding remote desktop:
5. For the Redirect target IP and Redirect target port, enter the virtual LAN IP address of the server that should receive the forwarded traffic.
Note: The Redirect target port is normally the same as the destination port. (In this example, remote desktop):
6. Typically, NAT reflection should be enabled with the Use system default setting.
This allows servers in your internal LAN to connect to forwarded ports using your assigned public IPs. (This is sometimes called NAT loopback.) Note that this may not work in all scenarios.
7. The Filter rule association setting determines whether to automatically add a firewall rule allowing port-forwarded traffic. Select Add associated filter rule.
8. After configuring the port forward rule, click Save. Then click Apply Changes.
Repeat this for all ports that you want to forward. Note: You can also set up 1:1 NAT if desired. Normally you do not need to customize Outbound NAT.
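When several forwards are created one after another it is easy to map the same public IP and port twice, or to point a rule at an address outside the LAN subnet. The script below is an added example (not Axcient's or pfSense's code) that validates a list of planned forwards and renders each one as the pf "rdr" line it corresponds to, so the plan can be reviewed before clicking through the GUI. The public addresses, LAN targets and the "em0" interface name are assumptions; the rendered pf syntax is an approximation of what pfSense generates, intended for review rather than for pasting into the firewall.

```python
import ipaddress
from collections import Counter

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # LAN subnet from the article

# Constructed plan: one entry per Port Forward rule. 203.0.113.10 is a
# documentation address standing in for an assigned public IP; the LAN
# targets are assumed. "source" mirrors the rule's Source setting.
FORWARDS = [
    {"wan_ip": "203.0.113.10", "proto": "tcp", "dst_port": 3389,
     "target_ip": "192.168.1.10", "target_port": 3389, "source": "any"},
    {"wan_ip": "203.0.113.10", "proto": "tcp", "dst_port": 443,
     "target_ip": "192.168.1.20", "target_port": 443, "source": "any"},
]


def validate_forwards(forwards, lan_net):
    """Return a list of problems with the port-forward plan (empty = OK)."""
    problems = []
    # The same public IP/protocol/port can only be redirected once.
    seen = Counter((f["wan_ip"], f["proto"], f["dst_port"]) for f in forwards)
    for (wan_ip, proto, port), n in seen.items():
        if n > 1:
            problems.append(f"{wan_ip} {proto}/{port} is forwarded {n} times")
    for f in forwards:
        if ipaddress.ip_address(f["target_ip"]) not in lan_net:
            problems.append(f"target {f['target_ip']} is not inside {lan_net}")
        # Remote Desktop exposed to the whole internet is a common source of
        # brute-force traffic; the rule's Source field can limit who may reach it.
        if f["dst_port"] == 3389 and f["source"] == "any":
            problems.append(
                f"RDP forward on {f['wan_ip']}:3389 accepts any source; "
                "restrict Source to known client addresses")
    return problems


def to_pf_rdr(f, wan_if="em0"):
    """Render the pf 'rdr' line equivalent to one GUI port-forward rule."""
    return (f"rdr on {wan_if} proto {f['proto']} from {f['source']} "
            f"to {f['wan_ip']} port {f['dst_port']} "
            f"-> {f['target_ip']} port {f['target_port']}")


if __name__ == "__main__":
    for f in FORWARDS:
        print(to_pf_rdr(f))
    for p in validate_forwards(FORWARDS, LAN_NET):
        print("WARNING:", p)
```

The Source restriction flagged for the RDP rule is set under the rule's Source section in the Port Forward editor; when the associated filter rule is created automatically, it inherits the same source, so the limit applies to both the NAT and the pass rule.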
CONFIGURE THE OPENVPN SERVER
Configuring an OpenVPN Server allows remote users to access resources on the LAN side of the virtual firewall.
1. To access the OpenVPN configuration, go to the VPN drop-down menu on the main navigation bar and select OpenVPN.
2. Any configured OpenVPN servers will be displayed. If none are present (as in the screenshot below), click on the Wizards tab on top to begin configuring a new server.
3. The OpenVPN Remote Access Server Setup Wizard will launch.
Under the Type of Server menu, select Local User Access and then click Next.
Add a new certificate authority (CA)
1. Enter your information in the form to generate a new certificate authority (CA).
- Ensure the Key length is set to 4096 bit.
- All fields are required.
2. After all fields are complete, click Add new CA.
Add a new server certificate
1. Enter your information in the form to generate a new server certificate.
• Ensure the Key length is set to 4096 bit.
• All fields are required.
2. After all of the fields are complete, click Create new Certificate.
Configure General OpenVPN Server information
1. Set Interface to WAN.
2. Set Protocol to TCP.
3. Make sure the Local Port is set to 1194.
4. Enter a Description for the OpenVPN server.
Configure the Cryptographic Settings for OpenVPN connections
Use the settings as shown in the following screenshot:
1. Check the box by TLS Authentication to enable it.
2. Check the box by Generate TLS Key to enable it.
3. No TLS Shared Key is required. You may leave this field blank.
4. DH Parameters Length should be set to 4096 bit.
5. Set Encryption Algorithm to AES-256-CBC (256-bit).
6. For Auth Digest Algorithm, select SHA1 (160-bit).
7. Select No Hardware Crypto Acceleration for Hardware Crypto.
Configure Tunnel Settings
Use the settings as shown in the following screenshot:
Notes:
• Set Tunnel Network to the unique private network used for communication between the remote hosts and this OpenVPN server.
• Set Local Network to the LAN subnet of your pfSense firewall. This is the network that will be accessible to your remote hosts that connect to the OpenVPN server.
• Ensure that Concurrent Connections is set high enough to accommodate the number of expected remote hosts.
All remaining fields should be left at their defaults, as shown below:
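The tunnel network has to be unique: it must not overlap the Local Network being published to clients, and ideally not the networks the remote users themselves sit behind, or routes become ambiguous on the client. It also has to be large enough for the Concurrent Connections value. The script below is an added example (not Axcient's or pfSense's code) that checks these tunnel settings; the LAN subnet comes from the article, while the tunnel network, the connection count and the list of remote-side networks are assumptions chosen for illustration.

```python
import ipaddress

LOCAL_NET = "192.168.1.0/24"   # Local Network: the pfSense LAN from the article
TUNNEL_NET = "10.8.0.0/24"     # Tunnel Network: assumed value
CONCURRENT = 50                # Concurrent Connections: assumed value
# Constructed list of networks remote users commonly sit behind at home.
REMOTE_SIDE_NETS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def check_tunnel_plan(tunnel_net, local_net, concurrent, remote_nets=()):
    """Return a list of problems with the OpenVPN tunnel settings (empty = OK)."""
    problems = []
    tun = ipaddress.ip_network(tunnel_net, strict=True)
    lan = ipaddress.ip_network(local_net, strict=True)

    if not tun.is_private:
        problems.append(f"tunnel network {tun} is not a private-use range")
    if tun.overlaps(lan):
        problems.append(f"tunnel network {tun} overlaps local network {lan}")

    # With the Subnet topology, the network and broadcast addresses are unusable
    # and the server takes one address, so clients get num_addresses - 3.
    capacity = tun.num_addresses - 3
    if capacity < concurrent:
        problems.append(
            f"tunnel network {tun} provides {capacity} client addresses, "
            f"fewer than the {concurrent} concurrent connections configured")

    for r in remote_nets:
        rn = ipaddress.ip_network(r, strict=True)
        if rn.overlaps(tun):
            problems.append(f"tunnel network {tun} overlaps remote-side network {rn}")
        if rn.overlaps(lan):
            problems.append(
                f"local network {lan} overlaps remote-side network {rn}; "
                "the pushed LAN route will conflict with that user's local route")
    return problems


if __name__ == "__main__":
    issues = check_tunnel_plan(TUNNEL_NET, LOCAL_NET, CONCURRENT, REMOTE_SIDE_NETS)
    print("tunnel plan OK" if not issues else "\n".join(issues))
```

Run as-is the example reports that 192.168.1.0/24 is both the restored LAN and a very common home subnet; that is not something the firewall can fix, but knowing it in advance explains why a particular remote user cannot reach the LAN while everyone else can.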
Configure Client Settings
1. Enable Dynamic IP by checking the box.
2. Enable Address Pool by checking the box.
3. Set Topology to Subnet – One IP address per client in a common subnet.
4. Set DNS Default Domain to the domain name you want appended to the connection for remote hosts.
5. Set DNS Server 1 to the IP address of the remote DNS server you want remote hosts to use for name resolution.
6. Enable NetBIOS over TCP/IP to allow for propagation of NetBIOS traffic over the VPN connection.
After all Client Setting fields are configured, click Next.
7. On the Firewall Rule Configuration screen:
a) Check the Traffic from clients to server checkbox.
b) Check the Traffic from clients through VPN checkbox.
c) Then click Next.
These settings open all traffic to and from remote hosts connected over the VPN connection.
Next, click Finish on the completion screen.
8. Finally, verify these two settings:
a. OpenVPN server has Server mode set to Remote Access (SSL/TLS + User Auth).
b. Local Database is selected as Backend for authentication.
SET UP REMOTE USER ACCOUNTS
1. To set up user accounts for remote users, hover over System in the navigation bar on the main screen and select User Manager.
2. On the Users tab, select the Add button in the bottom right corner.
3. Set the Username and Password for the new user. Enter a full name for reference, if needed.
4. Then click Save. The new user account will now be listed on the Users tab of the User Manager.
Download a fully-configured OpenVPN client software installer
The following steps, performed on the newly created user accounts, give users access to the OpenVPN client download page.
1. To download a fully configured OpenVPN Client software installer, once a new user is created, scroll down to the Effective Privileges section of the User Configuration page.
2. In the User Privileges section, under Assigned Privileges, scroll down to
WebCfg – OpenVPN: Client Export Utility
and highlight that privilege by clicking on it.
3. Once highlighted, scroll to the bottom of the page and click Save.
Back on the User Privileges editing screen, the newly effective privilege for the user should look like this:
Create User Certificates
An internal User Certificate is required for each user to access the OpenVPN client.
1. In the User edit screen, scroll down and click Add in the User Certificate section.
2. In the certificate creation section, be sure that the selected Method is Create an Internal Certificate
3. Scroll down to the Common Name field and enter a unique name for the certificate.
This could be any name that is currently not being used by other services.
4. After the Common Name has been entered, scroll to the bottom of the page and click Save.
After the new internal certificate has been created for the user, the User Certificates section of the user edit screen should look like the image below:
Access the OpenVPN Client Export Utility
To access the OpenVPN client export utility of pfSense, log in with the newly created user account.
After you log in, the client export utility page will be available:
To download the client, scroll to the lower section of the page. There you’ll see the different versions of the OpenVPN client currently available in pfSense.
NOTE: This installer will fully install and configure the client software to a remote host. Users will only need to enter their username and password after installation.
If you want to tie your virtual LAN to your actual LAN through an IPSec site-to-site VPN tunnel, please see the detailed instructions at: http://doc.pfsense.org/index.php/VPN_Capability_IPsec