(3.4.12 – This post has been amended to reflect changes in pfSense version 2.0.1 — iceflatline)
Awhile back I had the opportunity to deploy pfSense for a work-related project. Impressed with its features, performance and usability, I incorporated it into my own home network. This post will describe the basics of how to install and configure pfSense version 2.0.1 (x32) in a home network and offer some recommendations based on my experiences using it.
pfSense (i.e., “making sense of packet filtering”) is a customized version of FreeBSD tailored specifically for use as a perimeter firewall and router, and managed almost entirely from a web-based GUI. In addition to being a firewall and routing platform, pfSense includes a long list of other features, as well as a package system allowing its capabilities to be expanded even further. pfSense is free and open source and its source code is released under the BSD license.
- Minimum requirements
The minimum hardware requirements for pfSense include a 100 MHz CPU, 128 MB of system RAM, and a minimum of two Network Interface Controllers (NIC). Depending on how you decide to install pfSense, you may also need a hard drive with ~1 GB of free space as well as a CD-ROM drive or bootable USB drive in order to install pfSense to the hard drive (or to run the pfSense Live CD directly), or a 512 MB (minimum) Compact Flash (CF) card to install an embedded image of pfSense. These requirements are extremely modest, but unless your data throughput requirements are fairly small, you’re likely going to want to use hardware offering a little better performance. Since a major contributor to throughput performance is the system’s CPU, let’s start there. pfSense published guidelines for CPU sizing recommends the following:
Your choice of NICs will also have a significant impact on reliability and throughput performance. Low cost NICs, notwithstanding the potential long term reliability concerns, tend to rely much more on the system CPU to process segments and packets compared to their higher priced counterparts. Consequently, the better the NIC, the better the throughput performance you can expect from of a given CPU. In short, don’t be too frugal when it comes to the NICs you use. Intel NICs are well supported under *BSD and always a good choice. If possible use discreet NICs rather than the on-board ones featured on many motherboards.
You should also ensure you have enough system memory. How much you’ll need depends largely on how you decide to install and operate pfSense. You can elect to run pfSense directly from a Live CD, for example; but doing so will require more RAM than installing it on a hard drive. Some of the add-on packages will increase RAM requirements significantly as well. Snort and ntop, for example, are two packages that should not be installed on a system with less than 512 MB RAM cautions the pfSense development team.
Another factor to keep in mind when considering memory requirements is the number of active network connections. pfSense keeps track of active connections using a state table. The default state table size is 10,000 entries, each requiring ~1 KB of RAM or ~10 MB in total – likely more than adequate for handling most home networks. But, if you require a significantly larger state table, keep system memory requirements in mind.
pfSense is purportedly compatible with any hardware supported by the FreeBSD version a particular pfSense build is based upon. pfSense version 2.0.1 for example is based upon FreeBSD 8.1-RELEASE. It’s always a good idea, however, to check the hardware you’re planning to use against the information contained in the FreeBSD 8.1-RELEASE Hardware Notes and the hardware compatibility section of the Frequently Asked Questions for FreeBSD 7.x, 8.x and 9.x. The pfSense forums are another good resource, useful for gleaning the hardware compatibility experiences of others.
- My components
If you’re anything like me, you’ve likely managed (through no fault of your own of course) to build up quite a cache of “spare parts” as a result of upgrading various computers around the home or office. I was able to dig up the following parts to build my pfSense box:
As you can see, based on pfSense’s minimum requirements and the hardware considerations discussed above, these parts were more than adequate for my project. This particular Intel motherboard turned out to be a good choice because it includes on-board graphics, removing the requirement to install a discreet graphics card to a system that will operate headless 99% of the time. I also used a CD ROM drive, but only for the amount of time needed to install pfSense from the Live CD, after that it was no longer be needed.
In addition to the relatively low hardware requirements, pfSense also provides a number of options for installation.
First, you can simply run it directly from a Live CD or bootable USB drive. Any configuration changes you make can be saved on a floppy drive or USB flash drive. The downside to this approach, however, is that you won’t be able to install any of the add-on packages available to extend the capabilities of pfSense – and there are some really nice ones.
Another option is to install an embedded image of pfSense on a CompactFlash (CF) card rather than perform a full install on a hard drive. CF cards can handle a limited number of writes, so the embedded version runs as read only, while the file system runs as read/write from system memory. You’ll want to chose an embedded image that is sized less than or equal to the size of the CF card your planning to use. The newer embedded versions of pfSense based on NanoBSD have the ability to support some packages.
Finally, the pfSense Live CD includes an option to perform a full install to a hard drive. All add-on packages are fully supported using this method. Be aware though that the entire drive or slice will be overwritten. This is the install method I chose, primarily because pfSense was going to more or less take up permanent residency in my home network and I wanted the freedom to install and try any of the add-on packages.
Performing a full installation of pfSense on a hard drive is a straight forward. Having gone through the process a number of times though I would recommend a couple of preliminary steps. First, make a note of the Media Access Control (“MAC”) address for each NIC you’re installing in the system as well as its physical location in the motherboard. If your memory is as bad as mine, this will save you from wondering later “damn, now which NIC did I assign as the LAN interface?…” Second, disconnect the NICs from any LAN and WAN components until you have the box up and running and configured to your requirements. Finally, if you have other hard drives in the system I recommend disconnecting them until the installation is complete so as to not accidentally install to the wrong drive.
Download a copy of the pfSense installer and burn it to a CD or place it on a bootable USB drive. After booting the system using the disk, you’ll arrive at a screen listing the valid interfaces and a request to setup V-LANs (See Figure 1). If don’t plan to use V-LANs in your network, or perhaps have no immediate need for them, you can decline to configure them now and elect instead to configure them later using pfSense’s “webConfigurator” (webGUI) interface. Following the V-LAN option you’re asked to assign each of your interfaces to the role of either “LAN,” “WAN,” or “OPT” (Optional). Make a note as to which NIC you assigned to each interface. This will come in handy later when you physically connect them to the LAN, WAN, etc.
After configuring V-LANs, if desired, and assigning NICs to interfaces, the installation continues, eventually arriving at the pfSense console menu. Note that pfSense initially configures the WAN interface to use DHCP and so you will not see an IP address assigned to that interface if it was left disconnected during installation or you use a static IP address. The LAN interface will be assigned the default address of 192.168.1.1. It’s also worth pointing out here that should you desire to forego a full installation to the hard drive and instead run pfSense from the LiveCD (not recommended), you essentially have only to reconfigure your LAN IP address, if desired, by selecting “Set interface(s) IP Address” (menu option 2), then point your browser to the LAN IP address you assigned and complete further setup and configuration using pfSense’s “webConfigurator” interface (See Figure 2).
To proceed with installing pfSense to the hard drive, select “Install pfSense to a hard drive, etc.” (menu option 99). The first screen to appear after this selection allows you to change a number of console settings (video font, screen map, and keymap) before continuing. Next, you’re presented with a list of installation options. If you have only one hard drive connected to the system and no need for any custom options, select “Quick/Easy Install.” If you have more than one hard drive connected to the system, selecting this option will result in pfSense being installed to the first hard drive recognized by the system BIOS. Selecting “Custom Install” presents a choice of which hard drive to install to, along with a number of options related to drive formatting, geometry, partitioning, and bootblocks (See Figure 3).
The final install screen offers a choice of custom kernel configurations. The processor in my system, for example, is an Intel dual core processor, so I chose the “Symmetric Multiprocessing Kernel” option. Note that if you plan to use an Intel processor supporting “Hyper-Threading,” you should be safe using this option. When the installation finishes you’re prompted to reboot the system.
After pfSense is installed to the hard drive, it’s ready for further setup and configuration. I started by returning to the console menu and selecting “Set interface(s) IP address” (menu option 2) so that I could configure pfSense’s LAN interface IP address to one that would fall within the subnet used within my network. This menu option also allowed me to activate pfSense’s DHCP server and define a range of IP addresses the server could use. Once the LAN IP address and DHCP server was configured, I was asked if I wanted to revert to HTTP as the webConfigurator protocol (as opposed to using to using HTTPS), which I chose to decline for improved login security. After these steps were completed, the LAN IP address was confirmed and I was returned to the console menu. I connected to the LAN interface, fired up the web browser, and navigated to pfSense’s webGUI. The webGUI login is password protected – the default login is admin and the password is pfsense. Since this was my first time logging in to this installation of pfSense, I was greeted with the pfSense status dashboard (See Figure 4).
To perform an initial configuration I decided to use PfSense’s built in setup wizard, which can be accessed by navigating to System -> Setup Wizard. The setup wizard starts by asking you to define the hostname for your pfSense box, the domain where it will reside, and primary and secondary DNS servers. You can use any hostname you’d like but be aware of the following constraints: the hostname you chose must start with a letter, and after that contain only letters, numbers or a hyphen (e.g., “firewall” or “firewall-1″). The “Domain” field can be filled in with any fully qualified domain (e.g., “mysite.org”) or a name of your choice (e.g., “homenet”). The hostname and domain fields are combined to create the fully qualified domain name of your pfSense box (e.g., “firewall.mysite.org” or “firewall.homenet”). If your service provider provisions your service using DHCP, then the DNS fields will be likely be filled in automatically when you connect to your provider. If you plan to use a static WAN IP address, or simply prefer to use alternative DNS providers, then you should provide at least a primary DNS address at this point.
The next wizard screen is where a time server hostname and timezone are defined. Unless you have a specific reason to do otherwise, I recommend using the default host 0.pfsense.pool.ntp.org, which will automatically chose a random server from a pool of known good NTP servers.
Next, you’ll be taken to the WAN section of the setup wizard (See Figure 5). If your service provider provisions your service using DHCP, then you simply need to select “DHCP” from drop-down list, otherwise chose the appropriate service type. The “MAC Address” field under “General configuration” can be used to enter a MAC address that will pose as the MAC address of your WAN interface NIC. This feature came in quite handy in my case. My cable service provider in essence “binds” the WAN IP address to the MAC address of the device connected to the cable modem when it provisions service. Since my pfSense box would eventually replace an existing firewall, I simply copied the existing firewall’s MAC address in order to avoid the downtime that would otherwise occur as I sat on the phone with the service provider explaining the reason for the MAC address change. The “Block RFC1918 Private Networks” and “Block bogon networks” sections are selected by default in order to block invalid traffic from entering your network. The remaining sections in this portion of the setup wizard are specific to WAN service type chosen.
After the WAN section, you’ll encounter the final two sections of the setup wizard. These provide the opportunity to change, if desired, the LAN IP address as well as the default password for the admin user account. Note that this password also serves as the password for SSH access as well as the console menu (should you decide to password protect it).
At the conclusion of the setup wizard, you’ll select “Reload” and after a few moments be returned to the webGUI. At this point basic connection options are configured enough to allow the pfSense box to be safely connected to the service provider and LAN. However, before bringing pfSense online in my network, I made several other optional changes to its configuration.
- Disable webConfigurator login autocomplete
By default login credentials for the webConfigurator may be saved by the browser. Navigate to System -> Advanced and select “Disable webConfigurator login autocomplete” this Check this box to disable autocomplete on the login form so that browsers will not prompt to save credentials (Note that some browsers do not respect this option).
- Password protect the console menu
While pfSense is managed almost entirely from its webGUI, it does allow some configuration management through its console menu (See Figure 2). By default, pfSense does not secure this menu, therefore, anyone who can physically connect a monitor to the pfsense machine will have root level shell access. To prevent this (or at least make it more difficult), navigate to System -> Advanced and select “Password protect the console menu.” You’ll need to reboot the box for this change to take effect. Note that the user name for the console menu is always admin or root and the password will be “pfsense” by default, or the one you chose if you elected to change the default admin password when running the setup wizard. It’s also worth noting here that if you create a new user, this new user will only be allowed access to a command line prompt at the terminal, not the console menu itself, even if you add them to the system’s admins group (see System -> User Manager).
- NAT reflection
By default pfSense prevents hosts within the LAN from accessing your public IP addresses. This can be inconvenient at times, particular when testing port forwarding from within the LAN. To change this, navigate to System -> Advanced -> Firewall and NAT and unselect “Disable NAT Reflection.” Note the NAT reflection only works on ports you have built forwarding rules for, nor will it work for large port ranges (greater than ~500 ports). A reboot is not needed when selecting this option so you can use it on an as-needed basis if desired.
As mentioned, pfSense offers a fairly extensive package system allowing you to extend its capabilities. To find a list of packages that can be added, navigate to System -> Packages. Two packages I particularly like are RRD Summary, which will give a total amount of traffic passed in/out during the current and previous month (See Figure 6), and iperf, a tool for testing network throughput, loss, and jitter.
Setting up NAT port forwarding and firewall rules in pfSense can be a bit daunting at first. Once you get the hang of it though you’ll realize just how flexible and powerful the system is. Options for configuring port forwarding and firewall rules can be found under Firewall -> NAT and Firewall -> Rules respectively. I recommend setting up any port forwarding rules you may have first. Then, for each port forwarding rule, you’ll need to set up an associated firewall rule.
Options for configuring the DHCP server on the LAN interface can be found under Services -> DHCP server. If you’re deploying pfSense in a typical home network where the availability of IP addresses is not a concern, one option you may want to consider changing is the default lease time of 7200 seconds (two hours). In order to pare down the number of lease requests in my network, for example, I increased lease time to 604860 seconds (seven days). This is also the section where you can assign static IP addresses to hosts if desired. I typically assign static IP addresses to servers and network devices (managed switches, network printers, etc.), as well as to any hosts I intend to build long-term port forwarding rules for.
If you use Microsoft’s Xbox Live service in conjunction with your Xbox 360, you know what a pain in the ass it can be at times to get it to work reliability through your home network gateway/firewall. A common solution is to forward the necessary ports to the device, but what if you have two Xbox 360s? If you want one or more Xbox 360s to have reliable access to/from Xbox Live, the only real solution is to use Universal Plug and Play (UPnP). Fortunately, pfSense’s UPnP service works remarkable well. To activate it, navigate to Services -> UPnP & NAT PMP and select “Enable UPnP & NAT PMP,” and “Allow UPnP Port Mapping” then make sure the LAN interface is selected. That’s it. Your Xbox 360’s will discover pfSense’s UPnP server and the necessary port forwarding rules will be built automatically as needed. You can check which ports have been forwarded by navigating to Status -> UPnP & NAT PMP.
- Wake on LAN
Say I’m at the office and need to grab a file from a host on my home network. But what if that host is a laptop or desktop that isn’t normally powered on? With Wake on Lan implemented in the firewall, I can remotely instruct it to send the Wake on LAN “magic packet” to the host I need powered up. To setup Wake on LAN, navigate to Services -> Wake on LAN and enter the MAC addresses for the host or hosts you’d like to send magic packets to.
- System Logs
I like having my logs arranged so that the newest entries appear first. To do that, navigate to Status -> System logs -> Settings and select “Show log entries in reverse order (newest entries on top).”
With my pfSense box configured, it was time to move on and setup remote access to it. pfSense’s webGUI uses https and port 443 by default, and accessing it remotely is simply a matter of navigating to your WAN address. Unfortunately, many ISPs block incoming port 443 traffic. You can chose an alternate incoming TCP port by navigating to System -> Advanced -> Admin Access. You will also need to create a new firewall rule under Firewall -> Rules that will allow a connection on the WAN interface to pass through to pfSense’s webGUI server (lighttpd) on the port you specify. At a minimum, this rule should define following parameters:
Destination: WAN address
Destination port range: your alternate webGUI port selection
Description: web admin
pfSense’s SSH server may also be enabled to allow remote access to the console menu via an SSH client. To enable the SSH server, navigate to System -> Advanced and select “Enable Secure Shell.” For security reasons, I recommend using an incoming port other than 22, and a key-based login instead of a password. To use a key-based login, select “Disable Password login for Secure Shell (RSA key only)” and then navigate to System -> User Manager. Select the “e” icon next to the admin account, then “Click to paste an authorized key” and paste your public key into the “Authorized keys” field. When complete, select “Save.” Note: your public ssh key is stored in /root/.ssh/authorized_keys. Should you need help generating a public/private key pair, please see my previous post. Don’t forget to create a new firewall rule under Firewall -> Rules that will allow a connection on the WAN interface to pass through to pfSense’s SSH server should you decide to use an alternate ssh incoming port.
This concludes the post on how to install and configure pfSense on your home network. pfSense isn’t hard to configure nor complicated to manage, and proves to be a nice open source package for implementing a robust and scalable perimeter firewall and router.