Whether you’re running a small home network or working in an enterprise environment, it’s easy to find fault with consumer-grade routers and enterprise routers/firewalls alike. On the consumer side you may be dealing with insecure routers with limited functionality. On the enterprise side you may end up struggling against rising licensing costs or features locked behind licensing tiers. Using Pfsense solves these problems and gives you a fully featured firewall/router at no cost beyond the hardware you run it on.
In this post, I provide an introduction to Pfsense and explain how to get the most out of it.
- Benefits of using Pfsense
- Setting up Pfsense
- Explaining firewall rules
- Explaining NAT rules
Benefits of using Pfsense
- Free and Open Source
- Stateful firewall
- High Availability
- Multi-Wan Capability
- VPN (OpenVPN, IPsec, PPTP, etc)
- Extensive monitoring graphs
- Plugin system (easily deploy Snort, ntop, and many other applications)
- For the full list of features, see here: https://www.pfsense.org/about-pfsense/features.html
Setting up Pfsense
The requirements for Pfsense are very low. It should work on most old hardware that you have lying around and would like to repurpose. However, these days I tend to run Pfsense within a Virtual Machine as it allows me to scale easily and take snapshots before making any major changes.
For the purposes of this article, I’m using Proxmox to deploy a new Pfsense Virtual Machine. You can grab hold of the latest ISO from here: https://www.pfsense.org/download/
Once you’ve booted from the ISO, you can either choose to boot the image as a live CD or jump straight to the installation when prompted by pressing I:
I usually accept the default settings and then opt for a Quick/Easy Install which will automatically partition your hard drive and install Pfsense:
Once the installation has finished and the system has been rebooted, you will be asked if you’d like to configure any VLANs. You’ll also be asked to select which interface to use for your WAN and which to use for your LAN. Choose whichever is relevant in your setup, but bear in mind you can change this later if required.
After you have completed this step, you will be presented with the following screen:
You can now browse to the LAN IP of your Pfsense firewall, where you’ll be asked to go through the initial configuration. This is all fairly straightforward stuff, so go ahead and configure the relevant information for your environment.
Once you’ve completed the initial configuration, you’ll have a working Pfsense firewall. Depending on your Internet connection, you may have configured a PPPoE connection, utilised DHCP or set a static IP address, but you should be able to use your Pfsense firewall as a router to browse the Internet.
Explaining firewall rules
By default, Pfsense allows all IPv4 and IPv6 traffic outbound and blocks everything inbound. You can see this by going to Firewall → Rules and selecting the LAN tab:
Likewise, if you click on the WAN tab, you’ll note that there are currently no allow rules in place, thus blocking all traffic inbound to your network.
If you’d like to restrict outbound traffic to a handful of services for security (e.g. http/https/dns/ftp), then you could configure a Ports group under the Firewall → Aliases section like so:
Now you’re ready to create a new rule under the LAN tab with this alias by clicking Add and doing the following:
Don’t forget to remove (or disable) the default allow-all rules: rules are evaluated top to bottom and the first match wins, so a default allow-all rule left above your new rule would still pass everything. Once you’ve done this, your outbound rules should look similar to the following:
Explaining NAT rules
By default, outbound NAT is configured for your local networks, but if you’re running services internally (e.g. a web server) then you will probably want to set up port forwarding. To do this, navigate to Firewall → NAT and select the Port Forward tab, then click the Add button. In the example shown below we’re adding a Port Forward rule that redirects traffic arriving on port 80 at your WAN interface to one of your internal hosts instead. An internal host is any server or client computer within the LAN subnet.
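To show what the GUI is doing underneath, here is an added example (not from the original post, and not the ruleset Pfsense itself generates) written by hand in FreeBSD pf.conf syntax. It covers both the outbound restriction from the firewall rules section above and the port forward from this section. The interface names, the LAN subnet and the web server address are assumptions for illustration:

```pf
# Added example: a hand-written pf.conf in FreeBSD pf syntax, approximating what
# the pfSense GUI generates for the rules described above. Interface names, the
# LAN subnet and the web server address are assumptions for illustration only.
ext_if = "vtnet0"                 # WAN interface (assumed name)
int_if = "vtnet1"                 # LAN interface (assumed name)
lan_net = "192.168.1.0/24"        # assumed LAN subnet
web_srv = "192.168.1.10"          # assumed internal web server

# Equivalent of the "Ports" alias: http, https and the ftp control channel
allowed_tcp = "{ 80, 443, 21 }"

set skip on lo0
scrub in all

# Outbound NAT for the LAN, as Pfsense configures by default
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Port forward: TCP/80 arriving at the WAN address is rewritten to the web server
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default policy: block (and log) everything that no later rule passes
block log all

# LAN tab: allow only DNS and the TCP ports in the alias out of the LAN.
# "quick" makes these first-match rules, matching the GUI's top-down ordering;
# with the default allow-all rule left above them, they would never be reached.
pass in quick on $int_if inet proto { tcp, udp } from $lan_net to any port 53 keep state
pass in quick on $int_if inet proto tcp from $lan_net to any port $allowed_tcp flags S/SA keep state

# WAN tab: the filter rule that accompanies the port forward. The destination is
# the internal address, because translation (rdr) happens before filtering.
pass in quick on $ext_if inet proto tcp from any to $web_srv port 80 flags S/SA keep state

# Let state-tracked traffic leave via the WAN
pass out quick on $ext_if keep state
```

A few points worth knowing when you compare this with a live system: the GUI offers to create the matching WAN filter rule automatically when you add a port forward, and it also generates rules you never see in the tabs (anti-lockout, DHCP and similar), so `pfctl -sr` and `pfctl -sn` from Diagnostics → Command Prompt will show more than the four rules above. This example only handles IPv4 (`inet`), whereas the default LAN rules also pass IPv6. Finally, restricting outbound traffic to the ftp control port alone breaks passive FTP data connections, which need a helper proxy or a wider port range.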
Great! You’re all set up and good to go 🙂
We’ve barely scratched the surface of what Pfsense is capable of, but its slick web interface is a powerful front end to PF, running on FreeBSD, and lets you leverage the advanced features it provides without having to remember complex syntax and command-line parameters. In addition, Pfsense offers a rich community forum for advice along with a ton of plugins to fulfil pretty much any need you may have going forward.