Building a home firewall router with pfSense

Most people buy a wireless router like this Linksys and move on. Of course you can hack that Linksys, but sometimes you either want to play or have an old computer you can put back into service as a router/firewall/NAT box.

Let’s take a look at pfSense, a FreeBSD-based project for our firewall, and learn how to set it up.


pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system that allows further expansion without adding bloat and potential security vulnerabilities to the base distribution. pfSense includes most of the features found in expensive commercial firewalls, and more in many cases.

Several years ago I was heavily into running FreeBSD as a desktop and server. I found an old 233 MHz Packard Bell computer that someone in my neighborhood was throwing away. I put an Adaptec SCSI card into it, an old 250MB SCSI hard drive from a defunct Macintosh and loaded FreeBSD. I turned this machine into my Firewall/Router. It ran flawlessly for several years.

A power outage killed the power supply in the box. Being a Packard Bell it had a power supply that I could not replace. The hard drive booted on another PC but the FreeBSD kernel was not configured to run on the AMD chip-based computers I had sitting around.

Even though I had documented my firewall settings I could not get a spare box already running FreeBSD to work. After Googling for answers I came across M0n0wall and pfSense.

M0n0wall is meant for embedded devices and runs on an older version of FreeBSD. pfSense is meant for regular PCs, though it will also work on embedded devices; it requires more horsepower to run.

Before we get to the nitty gritty, I am assuming you have an old PC with PCI slots, and a working CD-ROM. You will also need two network cards.

The first step is to download a pfSense ISO image and verify it against the checksum published with the download (md5 or shasum on the Mac) before trusting it. Next we need to burn a copy to a CD.

On your Mac open a terminal window and type this command:

hdiutil burn image.iso

Below is how this looked on my Mac:

G5 11:40 AM ~>hdiutil burn ~/Downloads/pfSense-1.2-LiveCD-Installer.iso
Preparing data for burn
Opening session
Opening track
Writing track
……………………………………
Closing track
………………………………..
Closing session
……………………………..
Finishing burn
Verifying burn…
Verifying
………………………………………
Burn completed successfully
……………………………………..
hdiutil: burn: completed

Make certain the BIOS in your PC is set to boot from CD. When set correctly your PC will boot from the disc and load the system into RAM.

Once that is loaded you will have the option to write everything to a hard drive or even a CompactFlash memory card. More on that later.

When you write the system to a hard drive you will be prompted to partition and format the disk. The defaults are fine, except that you will want to delete the swap partition and install only a root file system. We are going to end up with an “embedded” system, in which /var and /tmp (and therefore the logs) live in memory-based file systems, so there is no need for swap on the card.

This is a good tutorial on installing pfSense with screen shots.

Ditch that hard drive!

Once pfSense was working with a hard drive I decided that running this system off a CompactFlash card would be pretty interesting. It would eliminate one source of weakness in any system, the hard drive, and reduce the power needed to run the box.

This IDE to Compact Flash adapter is going to set you back around $7 shipped.

I had a 1GB SanDisk Ultra II CF card that worked perfectly. An old 512MB Viking CF card would not work. Once you plug this adapter into the motherboard the system sees it as a regular hard drive. One GB is more than enough. My system takes up a whopping 118MB of the 1GB card.

In my dmesg I was seeing something about ACPI being disabled. It didn’t seem to cause any problems, but adding this:

hint.acpi.0.disabled="1"

to /boot/device.hints made the message go away. (Do this while the file system is still writable; once the box is in embedded mode the root is read-only and you have to run /etc/rc.conf_mount_rw before editing.)

Switching to “Embedded”

Edit /etc/platform and change pfSense to embedded, then reboot the computer. Once you are in embedded mode the root file system is mounted read-only, and with /var and /tmp in memory your logs are written to RAM rather than to the card. The goal here is to avoid writes to the CF card, which could, in theory, wear it out over time. Two consequences to keep in mind: logs and other state held in memory are lost on reboot, and any file you need to edit requires /etc/rc.conf_mount_rw first (and /etc/rc.conf_mount_ro when you are done).

My new, improved firewall is a 333MHz Intel processor with 256MB of RAM, an Intel 82559 Pro/100 Ethernet card (fxp0) for the WAN and an Intel(R) PRO/1000 card (em0) for the LAN. My Kill A Watt meter reports that the box takes 26 watts of power to run. That translates to four cents a day, $1.30 a month or $15.65 a year to power this computer running 24×365.

This setup is running in my basement. If I had this running in another part of the house I would use an embedded device like this unit from Netgate. They are low power and quiet.

With pfSense you have many tools at hand to configure and control your network. It’s easy to open ports for BitTorrent or configure a captive portal, for example.

Upgrading pfSense

This is my step-by-step method of upgrading the system. Back up the settings (Diagnostics -> Backup/Restore in the web interface) before you upgrade the system!

1. Run /etc/rc.conf_mount_rw (the root file system is read-only in embedded mode, so this is required before any edit).

2. Edit /etc/platform and replace “embedded” with “pfSense”.

3. Reboot the firewall.

4. Upgrade via the web interface or via the shell and its URL download option. The last time I used the shell option; the web interface option has also worked in the past.

5. Let the system reboot itself after the upgrade.

6. Check whether you need to restore your backed-up settings.

7. Edit /etc/platform and replace “pfSense” with “embedded” (run /etc/rc.conf_mount_rw first if the file system is read-only).

8. Reboot the firewall for the embedded changes to take effect.
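The platform toggle and the configuration backup from the steps above, as an added example that is not part of the original post or of pfSense itself. It wraps those steps in functions that take the file paths as arguments, so the sequence can be rehearsed on copies before it is run against the real /etc/platform; the paths /etc/platform, /cf/conf/config.xml and /etc/rc.conf_mount_rw in the usage comment are assumed pfSense 1.2 locations.

```shell
#!/bin/sh
# Added example, not from the original post or the pfSense project.
# Assumed pfSense 1.2 paths: /etc/platform, /cf/conf/config.xml,
# /etc/rc.conf_mount_rw. All functions take paths as arguments so the
# procedure can be exercised on throwaway copies.

# set_platform <platform-file> <embedded|pfSense>
# Rewrites the platform marker and reads it back: on a read-only embedded
# root a write that was not preceded by rc.conf_mount_rw silently fails.
set_platform() {
    file="$1"; want="$2"
    case "$want" in
        embedded|pfSense) ;;
        *) echo "set_platform: unknown platform '$want'" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "set_platform: $file not found" >&2; return 1; }
    printf '%s\n' "$want" > "$file" || return 1
    [ "$(cat "$file")" = "$want" ]
}

# backup_config <config.xml> <backup-dir>
# Copies the configuration to a timestamped file and prints the backup path.
backup_config() {
    src="$1"; dir="$2"
    [ -f "$src" ] || { echo "backup_config: $src not found" >&2; return 1; }
    dest="$dir/config-$(date +%Y%m%d-%H%M%S).xml"
    cp "$src" "$dest" || return 1
    echo "$dest"
}

# prepare_for_upgrade <mount-rw-cmd> <platform-file> <config.xml> <backup-dir>
# Steps 1 and 2: remount read-write, back up, switch to the full platform.
# Nothing is changed unless the backup succeeded. Reboot afterwards, then
# upgrade from the web interface or the shell.
prepare_for_upgrade() {
    "$1" || return 1
    backup_config "$3" "$4" > /dev/null || return 1
    set_platform "$2" pfSense
}

# finish_upgrade <mount-rw-cmd> <platform-file>
# Step 7: once the upgraded system is back and settings are restored,
# switch back to embedded. Reboot once more for it to take effect.
finish_upgrade() {
    "$1" || return 1
    set_platform "$2" embedded
}

# On the firewall itself (assumed paths):
#   prepare_for_upgrade /etc/rc.conf_mount_rw /etc/platform /cf/conf/config.xml /root && reboot
#   ... upgrade, let it reboot, restore settings if needed ...
#   finish_upgrade /etc/rc.conf_mount_rw /etc/platform && reboot
```

The read-back in set_platform is the check worth keeping: a box that is still read-only because step 1 was skipped will otherwise reboot straight back into embedded mode and the upgrade will fail later for a less obvious reason.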

Enabling iChat video in pfSense

See Static Port

“By default, pfSense rewrites the source port on all outgoing packets. Many OSes do a poor job of source port randomization, if they do it at all. This makes IP spoofing easier, and makes it possible to fingerprint hosts behind your firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities.

But, this breaks some applications. There are built in rules when Advanced Outbound NAT is disabled that don’t do this for UDP 500 (IKE for VPN traffic) and 5060 (SIP) because these types of traffic will almost always be broken by rewriting the source port. Though a small minority of VoIP systems are actually broken by not rewriting the source port, in which cases you will not want to use static port.

You may use other protocols, like some games amongst other things, that do not work properly when the source port gets rewritten. To disable this functionality, you need to use the static port option. Click Firewall -> NAT, and the Outbound tab. Click “Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))” and click Save. You will then see a rule at the bottom of the page labeled “Auto created rule for LAN”. Click the “e” button to the right of that rule to edit it. Check the “static port” box on that page, and click Save. Apply changes and this behavior will be disabled.”
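A way to confirm that the GUI change quoted above actually reached the kernel, as an added example that is not part of the original post or of the pfSense project. pf picks the first matching nat rule, so the check looks at the first outbound rule for the LAN subnet in `pfctl -sn` output and reports whether it carries `static-port`. The two sample rules are constructed to look like pf's listing for a LAN of 192.168.1.0/24 behind WAN interface fxp0; they are not captured from a real box.

```shell
#!/bin/sh
# Added example, not from the original post or the pfSense project.
# Verifies that "static port" took effect by inspecting the live NAT
# ruleset rather than trusting the GUI. Sample rules below are constructed.

# Default pfSense outbound rule: source port rewritten into 1024:65535.
SAMPLE_REWRITE='nat on fxp0 inet from 192.168.1.0/24 to any -> (fxp0) port 1024:65535'
# Same rule with "static port" checked: the original source port is kept.
SAMPLE_STATIC='nat on fxp0 inet from 192.168.1.0/24 to any -> (fxp0) static-port'

# lan_has_static_port <lan-subnet>    (reads a NAT ruleset on stdin)
# Returns 0 only if the first nat rule for that subnet has static-port;
# pf evaluates nat rules first-match, so later rules do not count.
lan_has_static_port() {
    awk -v lan="$1" '
        $1 == "nat" && index($0, "from " lan " ") && !found {
            found = 1
            if (index($0, "static-port")) ok = 1
        }
        END { if (found && ok) exit 0; exit 1 }
    '
}

# On the firewall (LAN subnet assumed to be 192.168.1.0/24):
#   pfctl -sn | lan_has_static_port 192.168.1.0/24 && echo "static port active"
```

Running this before and after enabling the option shows the trade-off the quoted text describes in pf's own terms: the `port 1024:65535` form is the source-port rewrite, the `static-port` form is the one iChat, some games and most SIP/IKE traffic need.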
