Protectli Vault

Proctectli Vault is a great option for both network security and privacy, I personally think everyone should own a physical firewall as it hardens your Wi-Fi and in my case, made my network much faster. I run ProtonVPN with secure core and my download still reach more than 300 MB/s. An important thing to notice is that you VPN configuration should not do any blocking by itself if you want to use a custom DNS as it will overwrite the custom DNS. Now, I assume that you are here because you have a Protectli Vault ready to set up. 

Flashing pfSense

First and foremost we must get a USB drive and download a copy of pfSense:

          • First go to https://atxfiles.netgate.com/mirror/downloads/
          • Make sure to pick “pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz”.
          • Download the “.gz” file and decompress it (if you can’t decompress it use 7-zip).
          • Now we need to get balenaEtcher from https://etcher.balena.io.
          • Open balenaEtcher and select “Flash from file” then select the .img file.
          • Then select the target USB drive.
          • Then execute the process by clicking “Flash”.
          • Wait until it’s done and then remove the USB drive.

Initial Setup

The first things you need to do is to get a Keyboard, HDMI cable, a USB-C cable and a power brick. Plug the Protectli Vault into any screen via HDMI, then plug the keyboard into the Protectli Vault. When thats done you can now plug the Protectli Vault into power. The firewall will beep as it boots. (Note I had a problem when I tried to set it up that I couldn’t boot into pfSense, if this happens change the port where your USB drive is plugged into and try again).

          • Stick the USB drive into the front of the Protectli Vault.
          • Press the start button, it will give you feedback.
          • Keep spamming F11 as it starts up.

You should now be at the installation screen. Press Enter to begin the installation process. Use all default installation options, you may have to press the Enter key several times. During the default “ZFS Configuration” screen, you will need pick the device’s drive, it will look something like “SSD” or “ada”. Use the arrow keys to go up or down to pick the correct drive and press the space bar to select it. Press Enter to continue and select “Yes” to confirm. Pick “No” if asked to open a shell and then “Reboot” when complete. Shutdown the device and remove all the devices from your vault, namely USB drive, keyboard and screen.

Next we’re going to login to our Protectli Vault with our pfSense login. 

Activate Ports On pfSense

Navigate to Interfaces > Assignments and add any pending ports, then click on Save.

Next, go to Interfaces > OPT1 and select Enable interface. Change the IPv4 Configuration Type to Static IPv4 and enter an IPv4 Address of 192.168.2.1. Change /32 to /24, then click Save and Apply Changes.

Proceed to Firewall > Rules and click on OPT1. Click on Add (up arrow) and change the Protocol to Any. Press Display Advanced and change the Gateway to Wan_DHCP…. Click Save and Apply Changes.

Navigate to Services > DHCP Server. Click on OPT1 and enable Enable DHCP Server on the OPT1 interface. Enter the range as From: 192.168.2.10 To: 192.168.2.250. Click Save and Apply Changes.

Now, go to Interfaces > OPT2 and select Enable interface. Set the IPv4 Configuration Type to Static IPv4 and enter an IPv4 Address of 192.168.3.1. Change /32 to /24, click Save and Apply Changes.

Proceed to Firewall > Rules and click OPT2. Click on Add (up arrow) and change the Protocol to Any. Press Display Advanced and set the Gateway to Wan_DHCP…. Click Save and Apply Changes.

Go back to Services > DHCP Server. Click on OPT2 and enable Enable DHCP Server on the OPT2 interface. Enter the range as From: 192.168.3.10 To: 192.168.3.250. Click Save and Apply Changes.

Next, go to Interfaces > OPT3 and select Enable interface. Change the IPv4 Configuration Type to Static IPv4 and enter an IPv4 Address of 192.168.4.1. Change /32 to /24, click Save, then Apply Changes.

Navigate to Firewall > Rules and click on OPT2. Click on Add (up arrow) and change the Protocol to Any. Press Display Advanced and change the Gateway to Wan_DHCP…. Click Save and Apply Changes.

Go to Services > DHCP Server. Click on OPT2 and enable Enable DHCP Server on the OPT2 interface. Enter the range as From: 192.168.4.10 To: 192.168.4.250. Click Save and Apply Changes.

Proceed to Interfaces > OPT4 and select Enable interface. Set the IPv4 Configuration Type to Static IPv4 and enter an IPv4 Address of 192.168.5.1. Change /32 to /24, click Save, then Apply Changes.

Next, navigate to Firewall > Rules and click OPT2. Click on Add (up arrow) and set the Protocol to Any. Press Display Advanced and change the Gateway to Wan_DHCP…. Click Save and Apply Changes.

Finally, go to Services > DHCP Server. Click on OPT2 and enable Enable DHCP Server on the OPT2 interface. Enter the range as From: 192.168.5.10 To: 192.168.5.250. Click Save and Apply Changes.

Configure pfSense

Go to System > Package Manager > Available Packages.

Search for WireGuard, click Install next to it, and then confirm the installation. Wait for the installation process to finish.

Next, navigate to VPN > WireGuard and click the +Add Tunnel button. Set the Description to ProtonTunnel and the Listen Port to 51820.

Copy the PrivateKey data from the Proton file you downloaded and paste it into the Interface Keys field. Click on the Public Key field to generate the public key automatically. Press Save Tunnel, then select Peers from the top menu.

Click the +Add Peer button. Set the Tunnel to your previously created ProtonTunnel. Apply a Description of ProtonPeer. Disable the Dynamic Endpoint option.

Enter the endpoint address and port from your downloaded file. Set the Keep Alive value to 25. Copy the PublicKey data from the Proton file and paste it into the Public Key field. Set Allowed IPs to 0.0.0.0 and change 128 to 0.24. Click Save Peer, then click Settings in the upper menu.

Enable WireGuard and click Save, then Apply Changes. Go to Status in the upper menu and verify that the connection shows as green Up.

Select Interfaces and then Assignments. Click Add next to tun_wg0 at the bottom, then click Save. Select the new option, like OPT5. Enable the Interface and provide a Description of ProtonInterface.

Change the IPv4 Configuration Type to Static IPv4 and enter 10.2.0.2 in the IPv4 Address field, then click Save and Apply Changes.

Navigate to System > Routing and click Add. Set the Interface to ProtonInterface, change the name to ProtonGateway, and set the Gateway to 10.2.0.1. Disable Gateway Monitoring Action and select Kill states using this gateway….

Click on Display Advanced and check Use non-local gateway. Click Save and Apply Changes.

Now, go to Interfaces > ProtonInterface, change the IPv4 Upstream Gateway to ProtonGateway, enable Block private networks and loopback addresses, and enable Block Bogon Networks. Click Save and then Apply Changes.

Navigate to System > Advanced > Miscellaneous. Set State Killing on Gateway Failure to Kill states for all gateways…, and enable the option to Skip rules when gateway is down. Click Save.

To apply the VPN to LAN, go to Firewall > NAT > Outbound. Choose Manual Outbound NAT rule generation, then click Save and Apply Changes.

Select the checkbox for all entries that have ProtonInterface as the interface to delete them.

Next, click the pencil icon next to the entry labeled similarly to Auto created rule LAN to WAN with the IP address 192.168.1.0/24. Change the interface to ProtonInterface and click Save.

Then, click the pencil icon next to the entry labeled similarly to Auto created rule for ISAKMP – LAN to WAN with the same IP address 192.168.1.0/24. Update the interface to ProtonInterface and click Save, followed by Apply Changes.

Now, navigate to Firewall > Rules > LAN.

Click the pencil icon (edit) next to the Default allow LAN to any rule. Choose the Display Advanced option located at the bottom. Change the gateway to ProtonGateway and click Save.

Lastly, click the disable icon next to the Default allow LAN IPv6 to any rule.
Click Apply Changes

Adding a VPN On pfSense

Navigate to Firewall > Rules > OPT1.
 
Click the pencil icon to edit the settings. If necessary, click the Display Advanced button. Change the Gateway to ProtonGateway, then click Save and Apply Changes.
 
Next, go to Firewall > NAT > Outbound. Click the pencil icon (edit) next to the entry labeled similarly to Auto created rule – OPT1 to WAN. Change the Interface option from WAN to ProtonInterface. Set the Address Family to IPv4, then click Save.
 
Click the pencil icon (edit) next to the entry labeled similarly to Auto created rule for ISAKMP – OPT1 to WAN with the Source IP address of your target port. Change the Interface option from WAN to ProtonInterface. Click Save and then Apply Changes.
 
You can replicate these steps on all ports so if you got 4 ports OPT1 would be replaced with OPT2 and if you have 6 then OPT3 and OPT4.
 

DNS Configuration Instructions

Navigate to System > General Setup.
Add 45.90.28.0 as the first DNS server. (Replace the IP with your own).
Input nextdns.io as the first DNS hostname.
Select ProtonGateway.
Click on “Add DNS Server.”
Add 45.90.30.0 as the second DNS server. (replace the IP with your own).
Input nextdns.io as the second DNS hostname.
Select ProtonGateway.
Disable DNS server override.
Change DNS Resolution Behavior to “Use local DNS (127.0.0.1), ignore remote DNS,” and click on Save.
Navigate to Services > DNS Resolver.
In Outgoing Network Interfaces, select ProtonInterface.
Enable “Strict Outgoing Network Interface Binding”, “DNSSEC”, “DNS Query Forwarding”, “Use SSL/TLS for outgoing DNS Queries to Forwarding Servers.”
Click on “Save” and Apply Changes.
 

And done!

After you have done your setup on pfSense, you are now done and ready to setup your slate router as an access point. If you don’t have a Slate router you can proceed to one of the other articles.

Return To Home

Nullvoided.com