Secure Your Network With pfSense

by Ostatic Staff - Sep. 11, 2012

One of my first experiences with network security was building firewalls for small offices and Internet cafés. Our boss at the time was adamant that we use open source, and directed us to OpenBSD and “pf”, their packet filtering firewall. It was a good call. OpenBSD proved to be rock solid, and pf was easy to configure and easy to maintain. Fast-forward a little over a decade and I’ve just finished installing a new pf-based firewall, this time as an entire FreeBSD distribution called pfSense.

According to their website:

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

That’s a good high level summary, but the project’s list of common use cases illustrates pfSense’s flexibility:

  • Perimeter Firewall
  • LAN or WAN Router
  • LAN Router
  • WAN Router
  • Wireless Access Point
  • Special Purpose Appliances
  • VPN Appliance
  • Sniffer Appliance
  • DHCP Server Appliance
  • DNS Server Appliance
  • Voice over IP (VoIP) Appliance

I recently set up my home network with pfSense as a perimeter firewall, a VPN concentrator, and a router. Our setup is fairly simple: the firewall has three network interfaces, one for the public IP address, one for our home wireless network, and one for my home office network. Installing and configuring pfSense was fairly easy, with one small gotcha.

The hardware requirements for pfSense are understandably very low. FreeBSD is a low-overhead system to begin with, and most commercial firewall and router hardware is actually just low-power computer equipment. It doesn’t take much to route packets, but the throughput you need to push through the box determines the CPU speed you need. The pfSense website has a chart with their recommendations based on desired network throughput.

  • 10–20 Mbps - No less than 266 MHz CPU
  • 21–50 Mbps - No less than 500 MHz CPU
  • 51–200 Mbps - No less than 1.0 GHz CPU
  • 201–500 Mbps - server class hardware with PCI-X or PCI-e network adapters, or newer desktop hardware with PCI-e network adapters.
    • No less than 2.0 GHz CPU.
  • 501+ Mbps - server class hardware with PCI-X or PCI-e network adapters.
    • No less than 3.0 GHz CPU.

My network throughput needs were fairly low, and I had an old Dell not being used, so I chose a 2.66 Intel Core Duo (not the Core 2 Duo) with 4GB RAM and two hard drives. So far I have seen no performance degradation on our Internet connection, and in fact, it may have sped it up some. It feels faster at least.

pfSense installation is fairly painless. I was able to build a software RAID mirror on the two drives without issue, and after booting was given a command line wizard that walked me through the initial configuration of the firewall. Here is where the gotcha comes in. As I stated above, I had three network cards, but the wizard seemed intent on my having only two. It assigned one to the WAN, one to the LAN, and the third it named OPT, for optional. The wizard set up the WAN and LAN interfaces with basic firewall rules and NAT, which allowed my servers to access the Internet, but it left the configuration of the OPT interface blank. Since my server runs headless and I had no access to a browser on that interface, I needed to swap the cables to get to the pfSense management interface.
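A check a practitioner could run against a saved configuration to catch this lockout before swapping cables, as an added example that is not from the article or the pfSense project; the XML is a constructed sample modelled on pfSense's config.xml layout, and its element names and addresses are assumptions:

```python
# Added example: audit a pfSense configuration for enabled interfaces that
# carry no firewall rules at all, which is the state the article's OPT
# interface was left in (pf denies what no rule allows, so the web GUI is
# unreachable from such an interface). SAMPLE_CONFIG is a constructed
# fragment modelled on pfSense's config.xml layout; the element names and
# addresses are assumptions, not a real configuration.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable/><if>em0</if><ipaddr>dhcp</ipaddr><descr>WAN</descr></wan>
    <lan><enable/><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable/><if>em2</if><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><descr>Default allow LAN to any</descr></rule>
    <rule><type>block</type><interface>wan</interface><descr>Block private networks</descr></rule>
  </filter>
</pfsense>
"""


def interface_rule_counts(config_xml):
    """Map each enabled interface name to the number of filter rules bound to it."""
    root = ET.fromstring(config_xml)
    counts = {
        iface.tag: 0
        for iface in root.find("interfaces")
        if iface.find("enable") is not None
    }
    for rule in root.iter("rule"):
        # A rule may be bound to several interfaces, comma separated.
        for name in (rule.findtext("interface") or "").split(","):
            name = name.strip()
            if name in counts:
                counts[name] += 1
    return counts


def interfaces_without_rules(config_xml):
    """Enabled interfaces with zero rules: traffic from them is dropped by default."""
    return [name for name, n in interface_rule_counts(config_xml).items() if n == 0]


if __name__ == "__main__":
    for name in interfaces_without_rules(SAMPLE_CONFIG):
        print(f"{name}: enabled but has no firewall rules; GUI unreachable from it")
```

Run it against a backup exported from the GUI before cabling a headless box, and add a pass rule (or the anti-lockout rule) on any interface it lists that you intend to manage from.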

If you are familiar with networking, the management interface is fairly straightforward. I do recommend using the “pfsense” theme, found under General Setup -> Theme at the bottom of the page. I found the drop-down menus in the default theme sometimes did not behave as expected.

pfSense supports many enterprise-grade features as well, most notably high availability using OpenBSD’s CARP. CARP stands for Common Address Redundancy Protocol, and it automates the failover process. Coupled with pfsync, which synchronizes the pf state table between the two machines so that established connections survive a failover, pfSense provides a highly available firewall solution.

So far I’m very happy with pfSense. Soon I’ll be building the HA setup in a more complex environment. If you have deployed pfSense in your organization, I’d love to hear about it in the comments.