Thread: PFSense
View Single Post
Old 04-01-11, 09:58 PM   #1
Registered User
Join Date: Jan 2006
Posts: 6,726
Default PFSense

I've been wanting to upgrade my firewall for some time now and have thought about a few different options. I really wanted something a little bit beefer than a typical SOHO router and at the same time configurable, flexible, and has a nice UI. Things that I've considered are a Cisco ASA, untangle, pfsense, LinksysRVS4000 or a newer SOHO device with more features. I've played with a few of those and decided upon PFSense.

What I was seeking that I couldn't do before is better blacklisting of IPs, traffic logging, wan failover. PFsense can provide all of these after adding a few packages.

Installation of this box is relatively simple, you just need a pc with 2 network cards in it. There are a few versions of the software as you can use it on either a disk or diskless system. It is possible to load PFSense onto a thumb drive and have it run in memory and only write changes when needed. Since I'm using an old Althon X2 system I grabbed the pfSense-2.0-RC1-amd64 iso. The requirements for a typical setup only require a 1GHZ cpu at most so this rig is way overkill. If I had an old P4 system I could have used that instead. If you're interested in seeing what you might need check out the sizing list:

The first thing I would have to suggest after you install it is let it do the update. Since this is a RC build there are going to be lots of updates yet. When you are on the first page you'll see a link saying updates are available. In order to use the auto update you'll have to check a box to allow unsigned images since the images are not signed in beta. This is located under System > Firmware > updater settings. After that's out of the way then you can move on to other things.

One of the best features of PFSense would be the packages. There are several options to add more functionality to your firewall depending upon your needs. I've loaded Country Block, vnstat2, and widescreen.

Country Block:

Does exactly what it says on the label. What it does for you is give you an easy way to check which countries you want to block, and it has a listing of all of the IP ranges assigned to that country. They even include a Top spammers list to make it easier to block the worst offenders.

I really like this option as I've seen plenty of port scans all originating from China on my old router. Most of the scanning was on blocked ports but before I had no way to even block more than 1 subnet for a specific rule. Now I can block entire countries from being able to find open ports on my firewall. By default it just blocks inbound attempt but you can also block outbound traffic. This could prove to be very useful if you get a virus on a machine and it tries to phone home.

There are a few quirks with using this package however. Everytime you make a change it will stop the service, so you will need to enable it again. It doesn't auto start upon reboot and when you do a firmware update it loses the settings. You could manually backup the file on your system so you don't have to set it up again. It will take a bit of time to figure out which countries you'll want to allow. You can either do it by adding a whitelist entry to just a particular IP, or uncheck the country. One thing I might do in the future is try to get a better breakdown for the US as I can't turn that setting on, but I read that US is right up there with China with the amount of spam it produces.


What this package does for me is give really nice summaries of wan and lan usage on a daily, weekly, and monthly timeframe. I tried using bandwithd, and ntop but neither one worked right. If you want a realtime traffic graph PFSense provides this with RRD graph, so this is nice to have for totals.


This package is pretty simple, it's just there to allow the web interface to resize to fit a widescreen resolution.

Other Packages:

I can think of a few things that other people might use include: Squid, Free Radius, TFTP. By default PFSense already has support for VPNs using IPsec L2TP, OpenVPN and PPTP. I already have squid running on another box and would highly suggest using it if you were to setup a server. It's a web proxy that you can use to speed up your internet access. It will cache web pages and host them locally for your client to download. The difference is noticable using a decent connection and it can take a slow connection like a phone and make it seem incredibly faster.

Configuration for your PAT or NAT rules is quite simple. Here is a screenshot of the page:

You simply put in a starting port, the IP you want it forwarded to, and the internal port. If you want a single port just put in the starting port, if you want multiple then include an ending port. For the target port you just put in the lowest port number and PFSense will setup the range. By default this will also make a firewall rule. For those who are not familar with this type of setup I will explain it a bit.

There are the firewall rules which simply state allow or deny traffic to pass on a specific port on an interface. Then there are NAT rules which say take any traffic from a specific port and pass it to another computer on a specific port. On most SOHO routers when you create a rule it opens the port on the interface and passes the traffic to another comptuer. With PFSense it seperates these so you have the ability to make rules to block traffic on specific ports while still allowing other traffic to pass. For instance you can make a NAT entry to allow web traffic on port 80. On a SOHO router every computer on the internet would then be able to access your web server because all attempts would be passed through. With PFSense I only need a single NAT entry to allow the traffic to be forwarded, but now I can make rules to allow certain IP addresses to connect to it.

Once you setup the NAT entry you will see the associated rule under Firewall > Rules. There you can change who gets access, create another rule to block certain IPs from accessing it, and also turn on logging on a per rule basis. What I could do is setup a lower priority block all rule and enable logging on it. This will log any attempt made to that port that is not authorized. Then I create a higher priority allow rule with logging disabled so I don't fill up my log entries.

By default only the last 50 entries are stored. I have turned this up some and am working on finding a good syslog server to store the logs on. Right now I'm trying splunk but it seems kind of confusing. My other option I might try is Kiwi. Unfortunately logging is something that is kind of difficult to do effectively. It can be hard to sort through all of the logs. If you goto status > system logs you can see logs for the system, firewall, DHCP, and VPNs. What is really handy with the firewall logs is that if you're troubleshooting a blocked connection, there is a 1 click rule function. If you find the blocked attempt you can click on it and PFSense will generate a rule to allow that traffic for you. You can also do this in the opposite manor by creating a block rule for traffic that is passing which shouldn't.

One more thing that might be useful to some is the captive portal. It allows you to use a walled garden approach on your network. Any attempt to get to the internet will redirect the person to a login page. They will have to authenicate before they will be allowed to use your internet connection. This could be useful for setting up a wireless access point that only has internet access. Then when a friend wants to borrow your wireless you don't have to mess with configuring wifi. Just have them connect to your AP and login with a password.

A few random comments... You can enable SSH to your server if you'd like to get to the command line. Knowing a bit of linux will have it's advantage here as you can accidently lock yourself out if you do something wrong. By default there is an anti-lockout rule to allow traffic to pass on 22, 80, and 443 from the lan interface to the server. All inbound WAN traffic is blocked. While trying to create DHCP reservations I checked the box for static ARP. This only allows computers with an entry in the table to connect to the server. I didn't have any computers in the list yet so when I clicked save it locked out all computers from accessing the firewall. I had to goto the console of the server and get on the terminal (shell). From there I did cd /conf to get into the config directory. Then I used vi config.xml to open up the configuration file and remove the line that said <static arp/> Once I saved that change I rebooted the server and was allowed access again. After doing that I would definitely suggest anyone make a backup config file in the config directory in case you really mess something up where you can't restore a config from the web interface. To do this just log into the shell and change to the config directory. "cd /conf" Then run "cp config.xml config.xml.backup" This will make a copy of your config. If you need to restore the backup just do a "cp config.xml.backup config.xml" and that will copy from the backup file over the config. Then reboot the server and it should work again. This will at least save you a bit of hassle over completely resetting the firewall to factory defaults and having to reconfigure the IP addresses so you can get back into the web interface to restore a config.

Also what was a little different for me was when you create a DHCP reservation it needs to be outside of your IP range. On my old router it had to be within the range.

Overall it seems like it will be a nice solution. Honestly once it's setup there shouldn't be much need to login to the firewall and it should provide a little better protection for your network by allowing you to filter traffic more precisely. I haven't gotten a chance to test the load balancing as I don't have a wireless NIC or a usb wireless device. When I get one I'm going to try to set it up so that if the main connection goes down I can use a 3G connection from a phone as failover. I configured the server in a couple of hours and it was so simple it seems like I need to do more. Everything is pretty straight forward and the layout is clean and simple. There is a lot of information about what the box is doing you can look at, and it's really easy to see who's generating traffic.
Bman212121 is offline   Reply With Quote