Whether you’re running a small home network or working in an enterprise environment, it’s easy to find fault with consumer grade routers and enterprise routers/firewalls alike. On the consumer side of things you may be dealing with insecure routers with limited functionality. On the enterprise side of things, you may end up struggling against increasing licensing costs or limited functionality licensing. Utilizing Pfsense will solve these problems and provide you with a fully featured firewall/router with no additional cost over the price of the hardware you put it on.
In this post, I provide an introduction to Pfsense and explain how to get the most out of it.
Objectives
- Benefits of using Pfsense
- Setting up Pfsense
- Explaining firewall rules
- Explaining NAT rules
Benefits of using Pfsense
- Free and Open Source
- Stateful firewall
- NAT
- High Availability
- Multi-Wan Capability
- VPN (OpenVPN, IPsec, PPTP, etc)
- Extensive monitoring graphs
- Plugin system (easily deploy Snort, ntop, and many other applications)
- For full list of features, see here: https://www.pfsense.org/about-pfsense/features.html
Setting up Pfsense
The requirements for Pfsense are very low. It should work on most old hardware that you have lying around and would like to repurpose. However, these days I tend to run Pfsense within a Virtual Machine as it allows me to scale easily and take snapshots before making any major changes.
For the purposes of this article, I’m using Proxmox to deploy a new Pfsense Virtual Machine. You can grab hold of the latest ISO from here: https://www.pfsense.org/download/
Once you’ve booted from the ISO, you can either choose to boot the image as a live CD or jump straight to the installation when prompted by pressing I:
I usually accept the default settings and then opt for a Quick/Easy Install which will automatically partition your hard drive and install Pfsense:
After you have completed this step, you will be presented with the following screen:
Once you’ve completed the initial configuration, you’ll have a working Pfsense firewall. Depending on your Internet connection, you may have configured a PPPoE connection, utilised DHCP or set a static IP address, but you should be able to use your Pfsense firewall as a router to browse the Internet.
Explaining firewall rules
By default, Pfsense allows all IPv4 and IPv6 traffic outbound and blocks everything inbound. You can see this by clicking on Firewall → Rules and clicking on the LAN tab:
If you’d like to restrict outbound traffic to a handful of services for security (e.g. http/https/dns/ftp), then you could configure a Ports group under the Firewall → Aliases section like so:
Explaining NAT rules
By default, outbound NAT is configured for your local networks, but if you’re running services internally (e.g. web server) then you will probably want to set up port forwarding. To do this, navigate to Firewall → NAT and select the Port Forward tab. Then click the Add button. In the example shown below we’re adding a Port Forward rule to redirect any traffic on port 80 destined for your WAN interface to be sent to one of your internal hosts instead. An internal host is regarded as any server or client computer within the LAN subnet.
Closing Thoughts
We’ve barely touched the surface of what Pfsense is capable of doing, but the slick interface provides a powerful interface to PF, running on FreeBSD, and allows you to leverage the advanced features it provides without having to remember complex syntax and command line parameters. In addition to this, Pfsense offers a rich community forum to use for advice along with a ton of plugins to install to fulfill pretty much any need you may have going forward.
Resources
- Pfsense forum: https://forum.pfsense.org/index.php
- Some basic getting started guides: https://www.pfsense.org/getting-started/
- Professional Pfsense services: https://www.pfsense.org/our-services/
- Pfsense training: https://www.pfsense.org/university/
- Downloads area: https://www.pfsense.org/download/
