
First Impressions of pfSense Open Source Firewall

By Bill • May 24th, 2008 • Category: Lead Story, News, Security

At my new place of employment we had some firewall/network problems over the last couple of weeks. Eventually I figured out that the firewall was rebooting at random intervals during the day. Hint: Turn on email notifications. So I started scouring the market for an inexpensive firewall that could share two WAN connections without screwing up the SSL sessions. One of the first firewalls I found was pfSense. A while back I had been interested in trying m0n0wall, but pfSense made more sense for me since it has several features I want to investigate: multiple WAN connections, IDS, and packet capture.

Setup

My plan was to use pfSense on my home network. I have an existing PC with two network adapters that is running VMServer. The plan was simple: replace my Netgear firewall with pfSense. Here is how I set up the network. For those of you not familiar with the underlying operating system of pfSense (BSD), le0 and le1 are the designations for the network adapters. On the Linux side they are known as eth0 and eth1. Under VMServer they are known as Ethernet 1 and Ethernet 2.

  1. le0 is connected to Ethernet 1. VMServer calls this network /dev/vmnet0 and it is bridged to the motherboard network adapter (eth0). This will be my LAN network. It uses a private network address (e.g. 192.168.x.x) and will be a DHCP server for this network in the final configuration. Until I finished setup and testing, DHCP was turned off.
  2. le1 is connected to Ethernet 2. VMServer calls this network /dev/vmnet2 and it is bridged to a network adapter card (eth1) I installed. This will be my WAN network. In my case I will be using the static IP address assigned to me by my ISP in pfSense. One of my problems was that I was not sure what IP address to use for the VMServer side. In my testing I concluded that VMServer provides a “true” bridged network. I decided to use a private network address (192.168.x.x) on a different sub-network for eth1. I am pretty sure that this address is inaccessible from the outside world but I am going to lock it down anyway.

Before I started configuring pfSense I printed a copy of my Netgear configuration. While I was at it, I did a copy and paste routine to create a Netgear configuration document for my records. This document might save you a lot of time some day when your network has a really major problem. Once I had settled on a configuration the installation and configuration of pfSense was pretty easy.

  1. I moved my WAN cable from the Netgear firewall to the WAN network adapter on my VMServer PC and booted pfSense. During my initial pfSense setup, I used my static IP address for the WAN adapter and an unused static IP address in my existing network for the LAN adapter.
  2. Next I logged into the pfSense console via a web browser and confirmed that the LAN and WAN were working properly. Using my Netgear configuration document I completed setting up pfSense (i.e. port forwarding).
  3. At this point the firewall is fully functioning but no one is using it. So I logged into my Netgear firewall and turned off the DHCP server. I went back to the pfSense console and turned on its DHCP server. The pfSense firewall is now ready and able to accept new connections. It has new network addresses for the gateway and the DNS servers but my computers will not connect to the Internet until they start using these new addresses.
  4. To configure the computers that use DHCP for their network configuration, I went to each PC and forced them to renew the IP information. There are several ways to do this including rebooting. I used: ipconfig /renew
  5. To configure the computers that use static IP addresses, I manually re-configured the gateway and DNS server addresses on the network adapter.
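The cutover in steps 3 to 5 only works once every host has picked up the new gateway and DNS addresses, and a machine that still holds its old Netgear lease silently loses Internet access. The following POSIX shell script is an added example (not from the original post) that parses "ip route show" and resolv.conf style text from a Linux host and reports whether the host is already using the new pfSense addresses; the 192.168.0.x addresses in it are constructed placeholders.

```shell
#!/bin/sh
# Post-cutover check: does this host use the new pfSense gateway and DNS?
# Added example; the addresses below are constructed, not from the post.

# Print the default gateway found in "ip route show" output read from stdin.
default_gateway() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# Print the first nameserver found in resolv.conf text read from stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# check_cutover ROUTES RESOLV EXPECTED_GW EXPECTED_DNS
# Returns 0 when the host already points at the new firewall, 1 when it
# still carries the old gateway or DNS (lease not renewed / static host
# not reconfigured yet). Mismatches are reported on stderr.
check_cutover() {
    routes="$1"; resolv="$2"; want_gw="$3"; want_dns="$4"
    gw=$(printf '%s\n' "$routes" | default_gateway)
    ns=$(printf '%s\n' "$resolv" | first_nameserver)
    status=0
    if [ "$gw" != "$want_gw" ]; then
        echo "gateway is '$gw', expected $want_gw (renew the DHCP lease?)" >&2
        status=1
    fi
    if [ "$ns" != "$want_dns" ]; then
        echo "DNS is '$ns', expected $want_dns" >&2
        status=1
    fi
    return $status
}

# Constructed sample: a host that still holds its old Netgear lease
# (old gateway 192.168.0.1; pfSense got the unused 192.168.0.2 on the same LAN).
STALE_ROUTES="default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.50"
STALE_RESOLV="nameserver 192.168.0.1"

# Constructed sample: the same host after its lease was renewed.
FRESH_ROUTES="default via 192.168.0.2 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.50"
FRESH_RESOLV="nameserver 192.168.0.2"

# Live use on a Linux host (pass the real pfSense LAN address twice if the
# pfSense DNS forwarder is handed out by DHCP):
#   check_cutover "$(ip route show)" "$(cat /etc/resolv.conf)" 192.168.0.2 192.168.0.2
```

Windows hosts renewed with ipconfig /renew expose the same information through ipconfig /all, but in a different layout that this parser does not handle.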

Performance

The network performance of pfSense was about what I expected. My WAN is the bottleneck so I was pretty sure I would not see a difference. An area of concern was the CPU requirements. I am running Groundwork Open Source in the other virtual machine and GW by itself wanted a more powerful computer than the 2.5 MHz CPU and 1 GB of memory I provided. I was pleasantly surprised to find that the RRD graphs were displayed quickly. This confirmed my suspicion that pfSense has pretty small hardware requirements and that my minimal system was adequate.

Security Philosophy

I have been running the firewall for about a week now and it has been stable and problem free. In today’s world a port-blocking firewall like pfSense addresses a fairly limited scope of network threats. Even though I have a fairly comprehensive security plan that includes robustness and redundancy, it is merely adequate at keeping pace with today’s rapidly evolving threats. For me the greatest advantage of a firewall like pfSense is its ability to monitor the traffic and probe your defenses via IDS.


Bill is the small business strategist for W. E. Huber Consulting LLC. He is particularly interested in evangelizing strategies and tactics that make small businesses and nonprofits more agile in this rapidly changing marketplace.

One Response »

  1. [...] Recently I installed the pfSense firewall and now I have started to check out some of the packages that make pfSense such an interesting firewall platform. Without going into too much detail, here are my impressions of several packages. [...]
