Justinaquino: Convert FUND001 Lab1 to wiki training lab

2026-04-23T06:52:40Z

Convert FUND001 Lab1 to wiki training lab

New page

__NOTOC__
<div style="background:#e8f5e9; border:1px solid #a5d6a7; border-radius:4px; padding:12px 16px; margin-bottom:20px;">
'''Hands-On Lab: Phase 1, Day 2''' — Lab Environment Introduction, Initial Configuration, Backup and Restore. Based on Netgate FUND001-LIVE-Lab1-Intro.
</div>

== Learning Objectives ==
By the end of this lab, you will be able to:
* Navigate the virtual lab environment and understand its topology
* Complete the pfSense setup wizard
* Verify basic connectivity through the firewall
* Create manual configuration backups
* Enable and configure AutoConfigBackup
* Restore a previous configuration from web interface and console

== Lab Environment Overview ==
This lab uses a simulated corporate network with headquarters (HQ) and one branch office.

'''Network Topology:'''
* '''4 firewalls''' — fw1-HQ, fw2-HQ (HA pair), fw1-branch, lab-internet-router
* '''2 desktops''' — HQ-client, Branch-client
* '''2 servers''' — server1, server2 (DMZ)
* '''1 simulated Internet host''' — RemoteHost
* '''8 total networks''' — WAN, LAN, DMZ, sync, remote access, branch LAN, etc.

'''Lab access:'''
In the Netgate original lab, desktops are accessed via NoVNC at http://100.64.0.100/remote. In Comfac's virtual lab, you will access your student sandbox through the NoVNC portal.

== IP Addressing Scheme ==
'''Public/"Internet" IPs (RFC 5737 documentation ranges):'''
{| class="wikitable"
! Subnet !! Assignment
|-
| 192.0.2.0/24 || HQ WAN
|-
| 198.51.100.0/24 || HQ WAN2
|-
| 203.0.113.0/24 || Branch WAN
|-
| 100.64.0.0/24 || Remote Internet (CGNAT range)
|}

'''Private Internal IPs (RFC 1918):'''
{| class="wikitable"
! Subnet !! Assignment
|-
| 172.17.1.0/24 || HQ LAN
|-
| 172.17.2.0/24 || HQ DMZ
|-
| 172.17.3.0/24 || HQ Sync (HA)
|-
| 172.17.4.0/24 || HQ Remote Access OpenVPN
|-
| 172.17.5.0/24 || HQ Remote Access IPsec
|-
| 172.17.6.0/24 || OpenVPN Site-to-Site tunnel
|-
| 172.18.1.0/24 || Branch LAN
|}

'''Why use obscure subnets?''' Using 172.17.x.x instead of common 192.168.1.x minimizes VPN conflicts when remote users connect from home networks.

== Firewall VM Details ==
'''Default credentials for all firewalls:'''
* Username: '''admin'''
* Password: '''netgate'''

=== fw1-HQ (Primary HQ Firewall) ===
{| class="wikitable"
! Interface !! Assignment !! Initial IP !! HA IP (later)
|-
| vtnet0 || WAN || 192.0.2.2 || no change
|-
| vtnet1 || LAN || 172.17.1.1 || 172.17.1.2
|-
| vtnet2 || DMZ || 172.17.2.1 || 172.17.2.2
|-
| vtnet3 || WAN2 || 198.51.100.2 || no change
|-
| vtnet4 || Sync || 172.17.3.2 || no change
|}

=== fw2-HQ (Secondary HQ Firewall) ===
Initially inactive; configured in Advanced/HA lab later.
* WAN: 192.0.2.3
* LAN: 172.17.1.3
* DMZ: 172.17.2.3
* WAN2: 198.51.100.3
* Sync: 172.17.3.3

=== fw1-branch (Branch Office Firewall) ===
* WAN: 203.0.113.10
* LAN: 172.18.1.1

=== lab-internet-router (Simulated ISP) ===
Represents 4 ISP routers + Internet. Pre-configured; no lab changes needed.
* HQ-WAN1: 192.0.2.1
* HQ-WAN2: 198.51.100.1
* Branch-WAN: 203.0.113.1
* Remote Internet: 100.64.0.1

== Client & Server VMs ==
'''HQ-client (Xubuntu Linux desktop):'''
* IP: 172.17.1.100
* Credentials: training / password
* Purpose: Primary management workstation

'''Branch-client (Xubuntu Linux desktop):'''
* IP: 172.18.1.100
* Credentials: training / password

'''Internet host / RemoteHost (Xubuntu):'''
* IP: 100.64.0.50
* Credentials: training / password
* Purpose: Simulated external client + web server for testing

'''server1 & server2 (FreeBSD):'''
* server1: 172.17.2.10
* server2: 172.17.2.20
* Credentials: training / password (root: password)
* Pre-configured with nginx/PHP and BIND DNS

== Exercise 1: Initial Setup Wizard ==
'''Prerequisites:''' Your student environment should have fw1-HQ and HQ-client running.

'''Steps:'''
# From HQ-client, open browser and navigate to https://172.17.1.1
# Accept the self-signed certificate warning
# Log in with admin / netgate
# The setup wizard will launch automatically

'''Wizard configuration:'''
# '''General Information''' — Leave defaults (hostname: fw1-hq.example.com, DNS: lab-internet-router)
# '''Time Information''' — Leave NTP server as 0.pfsense.pool.ntp.org; set timezone as needed (e.g., Asia/Manila)
# '''WAN Configuration''' — Verify static IP: 192.0.2.2/24, gateway 192.0.2.1
#* '''Important:''' Leave "Block bogon networks" and "Block private networks" unchecked (these are documentation IPs, not real public IPs)
# '''LAN Configuration''' — Verify 172.17.1.1/24
# '''Admin Password''' — Change to a secure password (or leave default for lab)
# '''Reload''' — Click Reload to apply settings

'''Verification:'''
* HQ-client should be able to browse the real Internet through NAT
* Try browsing to any external website to confirm

== Exercise 2: Manual Configuration Backup ==
# Browse to Diagnostics -> Backup & Restore
# Click Download configuration as XML
# Save the config.xml file to HQ-client
# '''What this contains:''' Entire system configuration — interfaces, rules, NAT, users, certificates, etc.

== Exercise 3: Config History ==
# Stay on Diagnostics -> Backup & Restore
# Click the Config History tab
# You should see at least one revision (from the setup wizard)
# Click the diff icon to compare two revisions
# This shows exactly what changed between configurations

== Exercise 4: AutoConfigBackup (ACB) ==
AutoConfigBackup is Netgate's encrypted cloud backup service. Every configuration change is automatically backed up offsite.

'''Preparation (lab-specific step):'''
# Go to Diagnostics -> Command Prompt
# Run: rm /etc/ssh/ssh_host_* && /etc/rc.restart_sshd
# This regenerates SSH keys for ACB compatibility in the lab environment
#* ''Note: Not needed in production environments''

'''Enable ACB:'''
# Go to Services -> AutoConfigBackup
# Check Enable ACB
# Enter an encryption password (remember this!)
# Optional: Add a plain-text identifier to help Netgate support locate your backups
# Click Save

'''Verify backup:'''
# Click the Backup Now tab -> Backup
# Go to Restore tab — your backup should appear in the list
# Note your Device ID — save it securely with your encryption password

'''Important:''' If you lose the encryption password, backups are unrecoverable. If you lose the Device ID, Netgate support can help locate it using your identifier.

== Exercise 5: Configuration Restore ==
'''Scenario:''' You misconfigured something and need to roll back.

'''Method A — Web Interface (if you can still reach it):'''
# Diagnostics -> Backup & Restore -> Config History
# Find the revision before your mistake
# Click Restore

'''Method B — AutoConfigBackup (longer history):'''
# Services -> AutoConfigBackup -> Restore tab
# Select a previous backup
# Click Restore

'''Method C — Console (emergency, no web access):'''
# Access console via SSH or physical access
# Choose option 15: "Restore recent configuration"
# Choose option 1 to view recent configs
# Choose option 2 to restore a specific revision
# Enter the revision number
# Confirm with Y
# Reboot (option 5) to ensure clean application

== Troubleshooting ==
{| class="wikitable"
! Problem !! Solution
|-
| Can't reach https://172.17.1.1 || Check HQ-client IP (should be DHCP 172.17.1.x); verify cable/VLAN
|-
| Wizard doesn't start || Already completed; go to System -> Setup Wizard to re-run
|-
| No Internet from HQ-client || Verify WAN IP/gateway; check lab-internet-router is running
|-
| ACB won't enable || Run SSH key regeneration command first
|-
| Restore fails || Ensure restoring to equal or newer version; check encryption password
|}

== Verification Checklist ==
Before finishing this lab, confirm:
* [ ] Setup wizard completed successfully
* [ ] HQ-client can browse Internet
* [ ] Manual config backup downloaded
* [ ] Config History shows revisions
* [ ] AutoConfigBackup enabled and backup completed
* [ ] Device ID recorded
* [ ] Successfully restored a previous configuration (optional practice)

== Key Takeaways ==
* The lab simulates a real multi-site corporate network
* Using RFC 5737 documentation IPs prevents accidentally affecting real networks
* Always backup before making changes
* AutoConfigBackup provides 100 revisions of encrypted offsite backups
* Console restore (option 15) is your emergency recovery method

== Next Module ==
* [[Training: Interfaces and Firewall Rules]] — Phase 1, Day 3
* [[Training Lab 2: Firewall Rules and Aliases]] — Hands-on lab

----
''Source: Netgate FUND001-LIVE-Lab1-Intro.pdf''
''Comfac Virtual Lab Adaptation: VMs provisioned via Ansible; NoVNC access through student portal''

Training Lab 1: Introduction and Backup Restore - Revision history

Justinaquino: Convert FUND001 Lab1 to wiki training lab