Training Lab 1: Introduction and Backup Restore
Hands-On Lab: Phase 1, Day 2 — Lab Environment Introduction, Initial Configuration, Backup and Restore. Based on Netgate FUND001-LIVE-Lab1-Intro.
Learning Objectives
By the end of this lab, you will be able to:
- Navigate the virtual lab environment and understand its topology
- Complete the pfSense setup wizard
- Verify basic connectivity through the firewall
- Create manual configuration backups
- Enable and configure AutoConfigBackup
- Restore a previous configuration from web interface and console
Lab Environment Overview
This lab uses a simulated corporate network with headquarters (HQ) and one branch office.
Network Topology:
- 4 firewalls — fw1-HQ, fw2-HQ (HA pair), fw1-branch, lab-internet-router
- 2 desktops — HQ-client, Branch-client
- 2 servers — server1, server2 (DMZ)
- 1 simulated Internet host — RemoteHost
- 8 total networks — WAN, LAN, DMZ, sync, remote access, branch LAN, etc.
Lab access: In Netgate's original lab, desktops are accessed via NoVNC at http://100.64.0.100/remote. In Comfac's virtual lab, you will access your student sandbox through the NoVNC portal.
IP Addressing Scheme
Public/"Internet" IPs (RFC 5737 documentation ranges):
| Subnet | Assignment |
|---|---|
| 192.0.2.0/24 | HQ WAN |
| 198.51.100.0/24 | HQ WAN2 |
| 203.0.113.0/24 | Branch WAN |
| 100.64.0.0/24 | Remote Internet (CGNAT range) |
Private Internal IPs (RFC 1918):
| Subnet | Assignment |
|---|---|
| 172.17.1.0/24 | HQ LAN |
| 172.17.2.0/24 | HQ DMZ |
| 172.17.3.0/24 | HQ Sync (HA) |
| 172.17.4.0/24 | HQ Remote Access OpenVPN |
| 172.17.5.0/24 | HQ Remote Access IPsec |
| 172.17.6.0/24 | OpenVPN Site-to-Site tunnel |
| 172.18.1.0/24 | Branch LAN |
Why use less common subnets? Using 172.17.x.x instead of the very common 192.168.1.x minimizes address conflicts when remote VPN users connect from home networks that already use 192.168.1.0/24.
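The following is an added example, not part of the Netgate lab. It validates the addressing plan from the two tables above: each subnet is classified by the RFC range it belongs to, the plan is checked for overlapping subnets, and a remote user's home network is tested against the internal subnets, which is the VPN-conflict problem the 172.17.x.x choice avoids (when a home LAN overlaps an internal subnet, the client's local route usually wins and that subnet is unreachable through the tunnel). The two "home" networks at the end are constructed test inputs.

```python
"""Validate the lab addressing plan.

Added example, not part of the Netgate lab. It classifies each subnet from the
tables above by RFC range, checks that no two lab subnets overlap, and shows
why 172.17.x.x was chosen: a VPN user's home network must not overlap an
internal subnet. The "home" networks at the bottom are constructed inputs.
"""
import ipaddress
from itertools import combinations

RFC5737 = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Subnets taken from the lab's addressing tables.
EXTERNAL = {
    "HQ WAN": "192.0.2.0/24",
    "HQ WAN2": "198.51.100.0/24",
    "Branch WAN": "203.0.113.0/24",
    "Remote Internet": "100.64.0.0/24",
}
INTERNAL = {
    "HQ LAN": "172.17.1.0/24",
    "HQ DMZ": "172.17.2.0/24",
    "HQ Sync": "172.17.3.0/24",
    "HQ Remote Access OpenVPN": "172.17.4.0/24",
    "HQ Remote Access IPsec": "172.17.5.0/24",
    "OpenVPN Site-to-Site": "172.17.6.0/24",
    "Branch LAN": "172.18.1.0/24",
}


def classify(cidr):
    """Name the reserved range a subnet falls in; 'public' means real routable
    space, which has no place in a lab plan."""
    net = ipaddress.ip_network(cidr)
    if any(net.subnet_of(doc) for doc in RFC5737):
        return "RFC 5737 documentation"
    if net.subnet_of(RFC6598):
        return "RFC 6598 shared address space (CGNAT)"
    if any(net.subnet_of(priv) for priv in RFC1918):
        return "RFC 1918 private"
    return "public"


def overlapping_pairs(subnets):
    """Return name pairs whose subnets overlap; a sound plan returns none."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b]))


def vpn_conflicts(home_cidr, internal=INTERNAL):
    """Internal subnets a remote user on home_cidr would collide with, because
    their home LAN already claims the same addresses."""
    home = ipaddress.ip_network(home_cidr)
    return sorted(name for name, cidr in internal.items() if home.overlaps(ipaddress.ip_network(cidr)))


if __name__ == "__main__":
    plan = {**EXTERNAL, **INTERNAL}
    for name, cidr in plan.items():
        print(f"{name:26} {cidr:18} {classify(cidr)}")
    print("overlaps within plan:", overlapping_pairs(plan))
    # Constructed home networks for two remote users.
    for home in ("192.168.1.0/24", "172.17.1.0/24"):
        print(f"conflicts for a user on {home}: {vpn_conflicts(home)}")
```

Running it shows the four "Internet" subnets landing in RFC 5737 or RFC 6598 space, the seven internal subnets in RFC 1918 space, no overlaps inside the plan, no conflicts for a typical 192.168.1.0/24 home user, and a conflict with HQ LAN for a home user who happens to use 172.17.1.0/24.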
Firewall VM Details
Default credentials for all firewalls:
- Username: admin
- Password: netgate
fw1-HQ (Primary HQ Firewall)
| Interface | Assignment | Initial IP | HA IP (later) |
|---|---|---|---|
| vtnet0 | WAN | 192.0.2.2 | no change |
| vtnet1 | LAN | 172.17.1.1 | 172.17.1.2 |
| vtnet2 | DMZ | 172.17.2.1 | 172.17.2.2 |
| vtnet3 | WAN2 | 198.51.100.2 | no change |
| vtnet4 | Sync | 172.17.3.2 | no change |
fw2-HQ (Secondary HQ Firewall)
Initially inactive; configured in Advanced/HA lab later.
- WAN: 192.0.2.3
- LAN: 172.17.1.3
- DMZ: 172.17.2.3
- WAN2: 198.51.100.3
- Sync: 172.17.3.3
fw1-branch (Branch Office Firewall)
- WAN: 203.0.113.10
- LAN: 172.18.1.1
lab-internet-router (Simulated ISP)
Represents 4 ISP routers + Internet. Pre-configured; no lab changes needed.
- HQ-WAN1: 192.0.2.1
- HQ-WAN2: 198.51.100.1
- Branch-WAN: 203.0.113.1
- Remote Internet: 100.64.0.1
Client & Server VMs
HQ-client (Xubuntu Linux desktop):
- IP: 172.17.1.100
- Credentials: training / password
- Purpose: Primary management workstation
Branch-client (Xubuntu Linux desktop):
- IP: 172.18.1.100
- Credentials: training / password
Internet host / RemoteHost (Xubuntu):
- IP: 100.64.0.50
- Credentials: training / password
- Purpose: Simulated external client + web server for testing
server1 & server2 (FreeBSD):
- server1: 172.17.2.10
- server2: 172.17.2.20
- Credentials: training / password (root: password)
- Pre-configured with nginx/PHP and BIND DNS
Exercise 1: Initial Setup Wizard
Prerequisites: Your student environment should have fw1-HQ and HQ-client running.
Steps:
- From HQ-client, open a browser and navigate to https://172.17.1.1
- Accept the self-signed certificate warning
- Log in with admin / netgate
- The setup wizard will launch automatically
Wizard configuration:
- General Information — Leave defaults (hostname: fw1-hq.example.com, DNS: lab-internet-router)
- Time Information — Leave NTP server as 0.pfsense.pool.ntp.org; set timezone as needed (e.g., Asia/Manila)
- WAN Configuration — Verify static IP: 192.0.2.2/24, gateway 192.0.2.1
- Important: Leave "Block bogon networks" and "Block private networks" unchecked (these are documentation IPs, not real public IPs)
- LAN Configuration — Verify 172.17.1.1/24
- Admin Password — Change to a secure password (or leave default for lab)
- Reload — Click Reload to apply settings
Verification:
- HQ-client should be able to browse the real Internet through NAT
- Try browsing to any external website to confirm
Exercise 2: Manual Configuration Backup
- Browse to Diagnostics -> Backup & Restore
- Click Download configuration as XML
- Save the config.xml file to HQ-client
- What this contains: Entire system configuration — interfaces, rules, NAT, users, certificates, etc.
Exercise 3: Config History
- Stay on Diagnostics -> Backup & Restore
- Click the Config History tab
- You should see at least one revision (from the setup wizard)
- Click the diff icon to compare two revisions
- This shows exactly what changed between configurations
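The script below is an added example for Exercises 2 and 3; it is not Netgate lab material or pfSense code. It parses two constructed, trimmed-down revisions of config.xml to make two points: the downloaded backup carries password hashes and private keys (so the file on HQ-client needs the same protection as the firewall itself; the Backup page can encrypt the download with a password), and a structural diff of two revisions answers the same question as the Config History diff icon. Element names follow the pfSense layout but every value is made up, and the list of secret-bearing tag names is an assumption to adjust for your version.

```python
"""Inspect and diff pfSense config.xml backups.

Added example for Exercises 2 and 3; not Netgate lab material or pfSense code.
Two constructed revisions of a trimmed-down config.xml are embedded below.
Element names follow the pfSense layout (system/user/bcrypt-hash, filter/rule,
cert/prv) but every value is made up, and SENSITIVE_TAGS is an assumed list.
"""
import xml.etree.ElementTree as ET

# Constructed revision 1: the state right after the setup wizard.
REV1 = """<?xml version="1.0"?>
<pfsense>
  <version>22.7</version>
  <system>
    <hostname>fw1-hq</hostname>
    <domain>example.com</domain>
    <timezone>Etc/UTC</timezone>
    <user>
      <name>admin</name>
      <bcrypt-hash>$2y$10$constructedhashvalue</bcrypt-hash>
    </user>
  </system>
  <filter>
    <rule>
      <descr>Default allow LAN to any rule</descr>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
    </rule>
  </filter>
  <cert>
    <refid>constructedrefid01</refid>
    <descr>webConfigurator default</descr>
    <crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t</crt>
    <prv>LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0t</prv>
  </cert>
</pfsense>
"""

# Constructed revision 2: timezone changed and a second rule added.
REV2 = REV1.replace("Etc/UTC", "Asia/Manila").replace(
    "  </filter>",
    "    <rule>\n"
    "      <descr>Temporary test rule</descr>\n"
    "      <interface>wan</interface>\n"
    "      <source><any/></source>\n"
    "      <destination><any/></destination>\n"
    "    </rule>\n"
    "  </filter>",
)

# Tag names that hold secret material in a backup (assumed list).
SENSITIVE_TAGS = {"bcrypt-hash", "md5-hash", "password", "prv", "pre-shared-key", "psk", "secret"}


def flatten(xml_text):
    """Map every leaf element to its text, keyed by an indexed path such as
    pfsense/filter[1]/rule[2]/descr[1]. Indexing every element keeps repeated
    siblings (rules, users, certs) distinct so the diff is stable."""
    root = ET.fromstring(xml_text)
    flat = {}

    def walk(elem, prefix):
        children = list(elem)
        if not children:
            flat[prefix] = (elem.text or "").strip()
            return
        seen = {}
        for child in children:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{prefix}/{child.tag}[{seen[child.tag]}]")

    walk(root, root.tag)
    return flat


def sensitive_paths(flat):
    """Leaf paths whose tag name suggests a secret: what leaks if an
    unencrypted config.xml is left lying on a workstation."""
    return sorted(p for p in flat if p.rsplit("/", 1)[-1].split("[")[0] in SENSITIVE_TAGS)


def diff_configs(old_xml, new_xml):
    """Report added, removed and changed leaf paths between two revisions,
    the same question the Config History diff answers in the web interface."""
    old, new = flatten(old_xml), flatten(new_xml)
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
    }


if __name__ == "__main__":
    print("Secret-bearing elements in the backup:")
    for path in sensitive_paths(flatten(REV1)):
        print("  ", path)
    for kind, paths in diff_configs(REV1, REV2).items():
        print(f"{kind}:")
        for path in paths:
            print("  ", path)
```

Against a real config.xml downloaded in Exercise 2, replace REV1 and REV2 with the file contents of two saved revisions; the diff output lists exactly which rule, user or certificate entries were added, removed or edited, which is what you want to confirm before restoring a revision in Exercise 5.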
Exercise 4: AutoConfigBackup (ACB)
AutoConfigBackup is Netgate's encrypted cloud backup service. Every configuration change is automatically backed up offsite.
Preparation (lab-specific step):
- Go to Diagnostics -> Command Prompt
- Run: rm /etc/ssh/ssh_host_* && /etc/rc.restart_sshd
- This regenerates SSH keys for ACB compatibility in the lab environment
- Note: Not needed in production environments
Enable ACB:
- Go to Services -> AutoConfigBackup
- Check Enable ACB
- Enter an encryption password (remember this!)
- Optional: Add a plain-text identifier to help Netgate support locate your backups
- Click Save
Verify backup:
- Click the Backup Now tab -> Backup
- Go to Restore tab — your backup should appear in the list
- Note your Device ID — save it securely with your encryption password
Important: If you lose the encryption password, backups are unrecoverable. If you lose the Device ID, Netgate support can help locate it using your identifier.
Exercise 5: Configuration Restore
Scenario: You misconfigured something and need to roll back.
Method A — Web Interface (if you can still reach it):
- Diagnostics -> Backup & Restore -> Config History
- Find the revision before your mistake
- Click Restore
Method B — AutoConfigBackup (longer history):
- Services -> AutoConfigBackup -> Restore tab
- Select a previous backup
- Click Restore
Method C — Console (emergency, no web access):
- Access console via SSH or physical access
- Choose option 15: "Restore recent configuration"
- Choose option 1 to view recent configs
- Choose option 2 to restore a specific revision
- Enter the revision number
- Confirm with Y
- Reboot (option 5) to ensure clean application
Troubleshooting
| Problem | Solution |
|---|---|
| Can't reach https://172.17.1.1 | Check HQ-client IP (should be DHCP 172.17.1.x); verify cable/VLAN |
| Wizard doesn't start | Already completed; go to System -> Setup Wizard to re-run |
| No Internet from HQ-client | Verify WAN IP/gateway; check lab-internet-router is running |
| ACB won't enable | Run SSH key regeneration command first |
| Restore fails | Ensure the backup is being restored onto the same or a newer pfSense version; check the encryption password |
Verification Checklist
Before finishing this lab, confirm:
- [ ] Setup wizard completed successfully
- [ ] HQ-client can browse Internet
- [ ] Manual config backup downloaded
- [ ] Config History shows revisions
- [ ] AutoConfigBackup enabled and backup completed
- [ ] Device ID recorded
- [ ] Successfully restored a previous configuration (optional practice)
Key Takeaways
- The lab simulates a real multi-site corporate network
- Using RFC 5737 documentation IPs prevents accidentally affecting real networks
- Always back up before making changes
- AutoConfigBackup provides 100 revisions of encrypted offsite backups
- Console restore (option 15) is your emergency recovery method
Next Module
- Training: Interfaces and Firewall Rules — Phase 1, Day 3
- Training Lab 2: Firewall Rules and Aliases — Hands-on lab
Source: Netgate FUND001-LIVE-Lab1-Intro.pdf
Comfac Virtual Lab Adaptation: VMs provisioned via Ansible; NoVNC access through the student portal