pfSense

Posted on Fri 23 December 2016 in pfSense

pfSense. Not a clue. No idea. Kinda have an idea. Let's build one!

What is pfSense?

It's a firewall, it's a router. It's open source and pretty easy to get on with.

Why pfSense?

I've toyed with the idea of making my own combo router. Never had the hardware. I've set up a VM with a few different distros, never really got further than the initial config.

At work a few months back I was faced with a pfSense (and an angry customer). The thing was pretty easy to work around. Without any background knowledge specific to pfSense I got the job done.

Less than a few months ago I started hosting a website, from home. I was slightly nervous about doing so, fully understanding the risks (and how the internet works) but decided to anyway. (don't do it)

It got to me. Everything at home's sitting on the edge of the internet screaming HELLO?

I found an Intel Pro 1000 MT quad on ebay for £30. I have an old PC. Done.

pfSense is pretty easy to install. I tried, several times, for several hours, from CD, because I'm old school. It didn't work. USB had it done in 5 mins. I also had to fiddle the BIOS a little but once I was booted off USB it was "quick install" easy.

Build

As soon as you get the console open you'll most likely need to configure your interfaces, WAN and LAN. Forget the OPT interfaces for now.

Once you have your LAN all set and you're logged in to the GUI - sky's the limit!

DMZ

I needed a DMZ. Somewhere to throw my external devices away from my laptop, SAN, PC, Alexa .. everything. A DMZ allows traffic to the WAN but not to the LAN; however, the LAN can talk to the DMZ. Rules do this.

        WAN <---> DMZ <--- LAN
     -> WAN <---> DMZ <---> WAN ---> LAN --

If the DMZ wants to communicate with the LAN it has to go "out" via the WAN port and back in, thus being treated as external traffic that is sent through the firewall.

I decided to set up two DMZs. One physical, that I can plug into, one within the virtual environment. Just cuz.

vDMZ

My hypervisor has two NICs in it. One for LAN, one for DMZ. I created a vSwitch for the DMZ. Used a x-over cable to go to a port on the pfSense. I can create a VM and throw it on either network. That's handy.

DMZ

I have an 8 port gigabit switch that supports VLANs. On the switch I split the ports 4/4. LAN/DMZ. V1 - default for LAN. V200 for DMZ. Using another port on the pfSense I created another DMZ (these are the OPT interfaces) with a new IP address range. Second DMZ done.

So port 1 is the "access port" for 2-4 and port 8 is the "access port" for 5-7. I quote access port as it's not an access port, it's just a LAN node. But in my head it makes it easier to understand. Ports 1 and 8 are providing DHCP and access to the pfSense. Other ports are on the adjoining network. This also means should I need to extend a network, I just need to drop an L2 switch in on the right side.

DHCP

This is very simple. Tick the enable box, set an IP range. Done. You'll want to do this on each interface.

Firewall Rules

With the LAN you'll want to allow everything. Any internal networks should be able to communicate. VLANs or interfaces should separate LAN clients. On the DMZ(s) you'll want to set hard reject rules to any internal networks. Set an allow all rule but make sure it's at the bottom of the list, because rules are matched top to bottom and the first match wins. Deny, Deny, Allow.
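To see why the allow-all has to sit at the bottom, here is an added example (not from the post, and not pfSense code) that models first-match rule evaluation over a DMZ ruleset and flags rules that can never fire. The address ranges for LAN, DMZ and vDMZ are constructed, as the post does not give its own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumed; the post does not give its real ranges).
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.200.0/24")   # the VLAN 200 DMZ
VDMZ = ipaddress.ip_network("192.168.201.0/24")  # the hypervisor's vSwitch DMZ
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str  # "block" (stands for pfSense block or reject) or "pass"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def evaluate(rules, src_ip, dst_ip):
    """First-match, as on a pfSense interface rules tab: the first rule whose
    source and destination cover the packet decides; later rules are never read.
    A packet matching no rule falls to the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule already
    covers every source and destination they cover (allow-all at the top)."""
    dead = []
    for j, later in enumerate(rules):
        if any(e.src.supernet_of(later.src) and e.dst.supernet_of(later.dst)
               for e in rules[:j]):
            dead.append(j)
    return dead

# The DMZ ruleset the post describes: deny to each internal network, allow-all last.
DMZ_RULES_GOOD = [Rule("block", DMZ, LAN), Rule("block", DMZ, VDMZ), Rule("pass", DMZ, ANY)]
# The same three rules with the allow-all moved to the top.
DMZ_RULES_BAD = [Rule("pass", DMZ, ANY), Rule("block", DMZ, LAN), Rule("block", DMZ, VDMZ)]

def check(rules):
    """Decisions for three constructed flows from one DMZ host."""
    host = "192.168.200.10"
    return {"to_lan": evaluate(rules, host, "192.168.1.20"),
            "to_vdmz": evaluate(rules, host, "192.168.201.5"),
            "to_internet": evaluate(rules, host, "203.0.113.7")}

if __name__ == "__main__":
    print("good:", check(DMZ_RULES_GOOD), "dead rules:", shadowed(DMZ_RULES_GOOD))
    print("bad: ", check(DMZ_RULES_BAD), "dead rules:", shadowed(DMZ_RULES_BAD))
```

With the allow-all on top, both reject rules are reported as dead and DMZ hosts reach the LAN; the same three rules in the post's order block the internal networks and still let the DMZ out.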

NAT and Port Forwarding

This took me a bit to get my head around. Set up an Alias. Assign the Alias to a port. Create a port forward that uses the Alias. That'll auto-create the matching firewall rule.

I found if I didn't set up the Alias the port forward wouldn't work. No idea why.

WIFI

My brand new Archer C3200, which was damned expensive and was supposed to run DD-WRT (hence now using pfSense), is now running as an access point on its own LAN. The pfSense interface facing the C3200 has a static IP, and the C3200 is static too. pfSense is giving out a .2 range to the C3200, which in turn is giving out DHCP on .3.

Bad: A £180 router is running as a lowly access point.

Good: Said lowly AP is now able to move around the house providing AC3200 N to all of the house, the garden and most of next door.

Wireless NICs aren't widely supported on BSD. I'm not sure AC or N are either.


Troubles I had:

I broke my modem. The Superhub won't go into modem mode. A new one is on the way. As a result, the WAN port is an extension of the Superhub's 0.1 range. Not ideal. Port forwarding has to be set on both routers: the Superhub's pointing at the pfSense, and pfSense is pointing at the correct IP.

I did something initially that made me have to format and restart. Actually I've re-installed and set it up so many times I don't need a reference anymore.

Everything's now back up and running as it was before, just behind a firewall, VLAN'd off where it needs to be, and I sleep a little better at night.

pfSense, rocks!