Each eFolder Continuity Cloud node is provisioned with a virtual firewall to handle internet traffic for your restored virtual machines and provide secure access to your servers.
In this article, you will learn how to:
- Access your assigned pfSense virtual firewall.
- Configure the LAN interface of the firewall.
- Set up the DHCP server.
- Set up the access rules or NAT translations your restored environment requires.
- Configure OpenVPN for remote user access.
- Set up remote user accounts.
ACCESS THE VIRTUAL FIREWALL
Use the information provided by eFolder to gain access to the pfSense virtual firewall running on your assigned Continuity Cloud (CC) Node.
Hyper-V/VirtualBox Continuity Cloud Nodes
1. To access the console of your pfSense virtual firewall, first log in to your CC Node using RDP, then open a web browser and go to the WAN Alias IP address of your virtual firewall.
(It will look similar to the example shown below.) https://10.x.x.x:37038
This is a locally accessible private IP address. There is also a shortcut on the desktop of the CC Node.
2. Next, enter the credentials you received from eFolder for your virtual firewall and click Login. Please note that the username and password are case sensitive.
VMware Continuity Cloud Nodes
1. To access the console of your pfSense virtual firewall, open a web browser and go to the link provided by eFolder. It will look similar to the link below. This is a publicly accessible IP address, so you can access this URL from any computer with an internet connection. https://CCNodeName.cc.sc.efscloud.net:37038
2. Next, enter the credentials you received from eFolder for your virtual firewall and click Login. Please note that the username and password are case sensitive.
CONFIGURE THE LAN INTERFACE
Configure the LAN interface of the pfSense virtual firewall with the proper IP address and subnet mask required for the virtual machines you are restoring. This IP address will serve as the default gateway for all virtual machines you restore to the Continuity Cloud node.
1. From the menu, click on Interfaces and then select LAN from the drop-down list:
2. In the Static IP Configuration section of the page, enter the IP address for the virtual firewall:
This IP address will become the default gateway IP for virtual machines on your LAN.
In the example shown above, the VM used to be on the network 192.168.1.0/24 (netmask 255.255.255.0) with the default gateway having an IP of 192.168.1.1.
3. Make sure that the IP Upstream gateway is set to None.
IMPORTANT: Do not check the Block private networks and loopback addresses option. This would block traffic from the WAN-DMZ. Leave this box unchecked.
Click Save when you’re finished.
CONFIGURE THE DHCP SERVER
Next, enable and configure the DHCP server (or leave it disabled if your environment does not need one).
1. In the menu at the top of the page, choose Services> DHCP Server.
2. Click the LAN tab.
• If you do not want the firewall to act as a DHCP server, uncheck the Enable option.
• If you need a DHCP server on the LAN network, click the Enable box and then enter the Range of IPs the DHCP server should use in its pool.
Note: Typically, you can leave the DNS servers entry blank, and eFolder’s DNS infrastructure will automatically be used.
3. Click the Save button.
CONFIGURE FIREWALL RULES & NAT
Now, configure required firewall rules to allow external access to services running on your restored virtual machines.
Set outbound traffic
By default, all outbound traffic is allowed.
1. To disable all outbound traffic, browse to the Firewall menu and select Rules.
2. Click the LAN tab.
3. Find the rule(s) from the Source LAN net to any destination.
4. Click the green check mark on the left to disable the rule:
5. Finally, remember to click the Save button.
Port forwarding
Next, set up any ports to be forwarded from your assigned public IPs to internal IPs.
1. Click on Firewall in the main menu and select NAT.
2. Under the Port Forward tab, click the Add icon to add a new rule.
Normally, you should leave the Interface set to WAN and Protocol set to TCP:
3. For Destination, choose the proper IP address that corresponds to your desired public IP.
Note: The WAN address entry (shown) is your primary public IP.
If you have additional public IP addresses assigned, they will be present at the bottom of the drop-down list.
In this example, we have selected the WAN IP as our Destination:
4. Using the two Destination port range drop-down lists, select the port (or named service) at which the forwarded range starts and ends. You can also enter a range of port numbers manually. In this example, we are forwarding remote desktop:
5. For the Redirect target IP and Redirect target port, enter the virtual LAN IP address of the server that should receive the forwarded traffic.
Note: The Redirect target port is normally the same as the destination port. (In this example, remote desktop):
6. Typically, NAT reflection should be enabled with the Use system default setting.
This allows servers in your internal LAN to connect to forwarded ports using your assigned public IPs. (This is sometimes called NAT loopback.) Note that this may not work in all scenarios.
7. The Filter rule association setting determines whether to automatically add a firewall rule allowing port-forwarded traffic. Select Add associated filter rule.
8. After configuring the port forward rule, click Save. Then click Apply Changes.
Repeat this for all ports that you want to forward. Note: You can also set up 1:1 NAT if desired. Normally you do not need to customize Outbound NAT.
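Before entering a longer list of port forwards in the GUI, it helps to check the plan once for the two mistakes that silently break a forward: a redirect target that is not on the virtual LAN behind the firewall, and two entries claiming the same public IP, protocol and port (pfSense evaluates port forwards top to bottom, so only the first would ever match). The following Python script is an added example and is not part of the original article or of pfSense; the `PortForward` field names, the LAN subnet and the sample rules are this example's own constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed values: the LAN subnet and gateway configured on the pfSense LAN
# interface (the same 192.168.1.0/24 example the article uses).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LAN_GATEWAY = ipaddress.ip_address("192.168.1.1")


@dataclass(frozen=True)
class PortForward:
    """One planned port-forward entry. Field names are this example's, not pfSense's."""
    wan_ip: str          # "Destination" as picked in the drop-down ("WAN address" or an extra public IP)
    proto: str           # "tcp" or "udp"
    dst_from: int        # Destination port range: from
    dst_to: int          # Destination port range: to
    target_ip: str       # Redirect target IP (LAN address of the restored VM)
    target_port: int     # Redirect target port
    description: str = ""


def check_rule(rule: PortForward) -> List[str]:
    """Problems with a single rule; an empty list means the rule looks sane."""
    problems = []
    if rule.proto.lower() not in ("tcp", "udp"):
        problems.append(f"{rule.description}: protocol must be TCP or UDP")
    if not (1 <= rule.dst_from <= rule.dst_to <= 65535):
        problems.append(f"{rule.description}: bad destination port range {rule.dst_from}-{rule.dst_to}")
    if not (1 <= rule.target_port <= 65535):
        problems.append(f"{rule.description}: bad redirect target port {rule.target_port}")
    target = ipaddress.ip_address(rule.target_ip)
    if target not in LAN_NET:
        # Traffic is redirected onto the LAN; a target outside it is unreachable.
        problems.append(f"{rule.description}: redirect target {target} is not inside the LAN subnet {LAN_NET}")
    elif target == LAN_GATEWAY:
        problems.append(f"{rule.description}: redirect target is the firewall's own LAN address, not a restored VM")
    return problems


def check_conflicts(rules: List[PortForward]) -> List[str]:
    """Flag rules that claim the same public IP, protocol and (part of a) port range.
    pfSense matches port forwards top to bottom, so the later rule would never fire."""
    problems = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_listener = a.wan_ip == b.wan_ip and a.proto.lower() == b.proto.lower()
            overlap = a.dst_from <= b.dst_to and b.dst_from <= a.dst_to
            if same_listener and overlap:
                lo, hi = max(a.dst_from, b.dst_from), min(a.dst_to, b.dst_to)
                problems.append(f"'{a.description}' and '{b.description}' both claim {a.wan_ip} {a.proto} ports {lo}-{hi}")
    return problems


def validate(rules: List[PortForward]) -> List[str]:
    """All per-rule problems followed by all cross-rule conflicts."""
    problems = []
    for rule in rules:
        problems.extend(check_rule(rule))
    problems.extend(check_conflicts(rules))
    return problems


# Constructed sample plan: two good rules, one that is shadowed by the first,
# and one whose target is not on the virtual LAN at all.
SAMPLE_RULES = [
    PortForward("WAN address", "tcp", 3389, 3389, "192.168.1.10", 3389, "RDP to DC01"),
    PortForward("WAN address", "tcp", 443, 443, "192.168.1.20", 443, "HTTPS to WEB01"),
    PortForward("WAN address", "tcp", 3389, 3389, "192.168.1.30", 3389, "RDP to FS01"),
    PortForward("WAN address", "tcp", 25, 25, "10.0.0.5", 25, "SMTP to old host"),
]

if __name__ == "__main__":
    for line in validate(SAMPLE_RULES) or ["no problems found"]:
        print(line)
```

Run it with your own rule list in place of `SAMPLE_RULES`; anything it prints is worth fixing before the rules go into the GUI, and an empty result means the entries at least do not contradict each other or the LAN configuration.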
CONFIGURE THE OPENVPN SERVER
Configuring an OpenVPN Server allows remote users to access resources on the LAN side of the virtual firewall.
1. To access the OpenVPN configuration, go to the VPN drop-down menu on the main navigation bar and select OpenVPN.
2. Any configured OpenVPN servers will be displayed. If none are present (as in the screenshot below), click on the Wizards tab on top to begin configuring a new server.
3. The OpenVPN Remote Access Server Setup Wizard will launch.
Under the Type of Server menu, select Local User Access and then click Next.
Add a new certificate authority (CA)
1. Enter your information in the form to generate a new certificate authority (CA).
Ensure the Key length is set to 4096 bit.
All fields are required.
2. After all fields are complete, click Add new CA.
Add a new server certificate
1. Enter your information in the form to generate a new server certificate.
• Ensure the Key length is set to 4096 bit.
• All fields are required.
2. After all of the fields are complete, click Create new Certificate.
Configure General OpenVPN Server information
1. Set Interface to WAN.
2. Set Protocol to TCP.
3. Make sure the Local Port is set to 1194.
4. Enter a Description for the OpenVPN server.
Configure the Cryptographic Settings for OpenVPN connections
Use the settings as shown in the following screenshot:
1. Check the box by TLS Authentication to enable it.
2. Check the box by Generate TLS Key to enable it.
3. No TLS Shared Key is required. You may leave this field blank.
4. DH Parameters Length should be set to 4096 bit.
5. Set Encryption Algorithm to AES-256-CBC (256-bit).
6. For Auth Digest Algorithm, select SHA1 (160-bit).
7. Select No Hardware Crypto Acceleration for Hardware Crypto.
Configure Tunnel Settings
Use the settings as shown in the following screenshot:
Notes:
• Set Tunnel Network to a unique private network used for communication between the remote hosts and this OpenVPN server.
• Set Local Network to the LAN subnet of your pfSense firewall. This is the network that remote hosts connecting to the OpenVPN server will be able to reach.
• Ensure that Concurrent Connections is set high enough to accommodate the number of expected remote hosts.
All remaining fields should be left at their defaults, as shown below:
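The Tunnel Network, Local Network and Concurrent Connections fields interact: the tunnel range must not overlap the LAN (or the networks remote users connect from), and with the Subnet topology chosen later in the wizard a /24 tunnel holds at most 253 client addresses. The following Python function is an added example, not part of the original article or of pfSense; the list of "common home router" ranges and the capacity arithmetic are this example's own assumptions.

```python
import ipaddress
from typing import List

# Private ranges that home and small-office routers commonly hand out by default.
# A tunnel network inside one of these collides with the LAN a remote user sits on.
# (This list is an assumption of the example, not an eFolder or pfSense rule.)
COMMON_HOME_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]


def check_tunnel_settings(tunnel_network: str, local_network: str,
                          concurrent_connections: int) -> List[str]:
    """Sanity checks for the wizard's Tunnel Network, Local Network and
    Concurrent Connections fields, assuming the Subnet topology (one address
    per client). Returns a list of problems; empty means the values fit."""
    tunnel = ipaddress.ip_network(tunnel_network, strict=True)
    local = ipaddress.ip_network(local_network, strict=True)
    problems = []
    if not tunnel.is_private:
        problems.append(f"tunnel network {tunnel} is not a private range")
    if tunnel.overlaps(local):
        # Routes for the LAN and the tunnel would collide on both ends.
        problems.append(f"tunnel network {tunnel} overlaps the local (LAN) network {local}")
    for net in COMMON_HOME_NETS:
        if tunnel.overlaps(net):
            problems.append(f"tunnel network {tunnel} overlaps {net}, a range many remote users' routers use")
            break
    # Subnet topology: network and broadcast addresses are unusable and the
    # server takes one address, so a /24 leaves 253 for clients.
    usable = tunnel.num_addresses - 3
    if concurrent_connections > usable:
        problems.append(f"concurrent connections {concurrent_connections} exceed the {usable} "
                        f"client addresses a {tunnel} tunnel can hold")
    return problems


if __name__ == "__main__":
    # Constructed values: a 10.8.0.0/24 tunnel in front of the article's 192.168.1.0/24 LAN.
    for line in check_tunnel_settings("10.8.0.0/24", "192.168.1.0/24", 50) or ["tunnel settings fit"]:
        print(line)
```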
Configure Client Settings
1. Enable Dynamic IP by checking the box.
2. Enable Address Pool by checking the box.
3. Set Topology to Subnet – One IP address per client in a common subnet.
4. Set DNS Default Domain to the domain name you want appended to the connection for remote hosts.
5. Set DNS Server 1 to the IP address of the remote DNS server you want remote hosts to use for name resolution.
6. Enable NetBIOS over TCP/IP to allow for propagation of NetBIOS traffic over the VPN connection.
After all Client Setting fields are configured, click Next.
7. On the Firewall Rule Configuration screen:
a) Check the Traffic from clients to server checkbox.
b) Check the Traffic clients through VPN checkbox.
c) Then click Next.
These settings open all traffic to and from remote hosts connected over the VPN connection.
Next, click Finish on the completion screen.
8. Finally, verify these two settings:
a. OpenVPN server has Server mode set to Remote Access (SSL/TLS + User Auth).
b. Local Database is selected as Backend for authentication.
SET UP REMOTE USER ACCOUNTS
1. Hover over System in the navigation bar and select User Manager:
2. On the Users tab, select the Add button in the bottom right corner.
3. Set the Username and Password for the new user. Enter a Full name for reference, if needed.
4. Next, check the Certificate box marked Click to create a user certificate.
Configure the following settings:
a) Enter a Descriptive name.
b) In the drop-down menu for Certificate authority, select the Certificate Authority created during the previous "Add a new certificate authority (CA)" step.
c) Set Key length at 4096.
d) Set Lifetime at 3650.
5. Finally, click Save. This will create a user with a corresponding user certificate, allowing the firewall to properly create export packages with the appropriate configuration.
The new user account will now be listed under the Users tab of the User Manager.
DOWNLOAD A CONFIGURED OPEN VPN INSTALLER
1. To download a fully configured OpenVPN Client software installer, browse to the OpenVPN Server manager and click the Client Export tab.
NOTE: This installer will fully install and configure the client software to a remote host. Users will only need to enter their username and password after installation.
2. Under the Client Install Packages section, select the appropriate x86 or x64 client software installer that you want to distribute to your remote users.
IPSEC VPN
If you want to tie your virtual LAN to your actual LAN through an IPSec site-to-site VPN tunnel, please see the detailed instructions at: http://doc.pfsense.org/index.php/VPN_Capability_IPsec
USE STATIC IP ADDRESSES
You can set up pfSense to allow servers with static IP’s access to the internet.
1. Identify the MAC address of the VM you’ll be assigning a static IP address to.
2. Log in to pfSense.
3. Click on the Services tab then select DHCP Server.
4. Once the DHCP server screen comes up, click the LAN tab in the upper left.
5. Make note of the DHCP range. (Usually between 192.168.1.100 and .199.)
IPs that are to be statically assigned to servers must not fall within the DHCP range.
6. Scroll down to DHCP Static Mappings for this Interface.
7. Click Add to add a static IP entry.
8. In the MAC Address field, (a) enter the MAC address of the computer that will receive the static IP address, then (b) enter the IP address assigned to that computer in the IP address section.
9. Click Save.
10. Test the server with the static IP assigned to it. At this point, you should have internet access.
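A static mapping only works if the MAC address is well formed, the address sits inside the LAN subnet, it is not the firewall's own address, and it stays outside the DHCP pool; duplicate MACs or addresses are also easy to create by hand. The following Python checker is an added example, not part of the original article or of pfSense, and the MAC addresses, pool boundaries and mappings it uses are constructed sample values.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Six hex pairs separated by ':' or '-' (Hyper-V displays MACs with dashes).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so dash and colon spellings compare equal."""
    return mac.strip().lower().replace("-", ":")


def check_static_mappings(lan_cidr: str, gateway: str, pool_start: str, pool_end: str,
                          mappings: List[Tuple[str, str]]) -> List[str]:
    """mappings is a list of (MAC, IP) pairs as they would be entered under
    'DHCP Static Mappings for this Interface'. Returns a list of problems."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    gw = ipaddress.ip_address(gateway)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    seen_macs: Dict[str, str] = {}
    seen_ips: Dict[str, str] = {}
    for raw_mac, raw_ip in mappings:
        if not MAC_RE.match(raw_mac.strip()):
            problems.append(f"{raw_mac}: not a valid MAC address")
            continue
        mac = normalize_mac(raw_mac)
        ip = ipaddress.ip_address(raw_ip)
        if ip not in lan:
            problems.append(f"{mac} -> {ip}: not inside the LAN subnet {lan}")
        elif ip == gw:
            problems.append(f"{mac} -> {ip}: that is the firewall's own LAN address")
        elif lo <= ip <= hi:
            # The article's rule: static addresses must not fall within the DHCP range.
            problems.append(f"{mac} -> {ip}: falls inside the DHCP pool {lo}-{hi}")
        if mac in seen_macs:
            problems.append(f"{mac}: already mapped to {seen_macs[mac]}")
        if str(ip) in seen_ips:
            problems.append(f"{ip}: already mapped to {seen_ips[str(ip)]}")
        seen_macs.setdefault(mac, str(ip))
        seen_ips.setdefault(str(ip), mac)
    return problems


# Constructed sample entries against the article's 192.168.1.0/24 LAN with a
# .100-.199 pool: one good mapping and four typical mistakes.
SAMPLE_MAPPINGS = [
    ("00-15-5D-01-02-03", "192.168.1.10"),   # fine
    ("00:15:5d:01:02:04", "192.168.1.150"),  # inside the DHCP pool
    ("00:15:5D:01:02:03", "192.168.1.11"),   # same MAC as the first entry, other spelling
    ("00:15:5d:01:02:05", "192.168.1.1"),    # the firewall's gateway address
    ("not-a-mac", "192.168.1.12"),           # malformed MAC
]

if __name__ == "__main__":
    found = check_static_mappings("192.168.1.0/24", "192.168.1.1",
                                  "192.168.1.100", "192.168.1.199", SAMPLE_MAPPINGS)
    for line in found or ["all mappings look fine"]:
        print(line)
```

Substitute the LAN, gateway and pool values you noted in steps 4 and 5 and your own (MAC, IP) list; an empty result means every entry is safe to add in step 8.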
Still need help? Submit questions to support@efolder.net