Tag: pfsense

  • pfsense in the Enterprise

    I know I haven’t been updating my blog like I usually do, but in my defense, I have been pretty busy. Lately it seems that even though I would like to go home on time, I don’t or can’t because of another pressing issue or a deadline at work. Additionally, I have added a few projects to my to-do list. One of them involves building a fully functional, failover-capable firewall solution that can handle more traffic than I personally can provide content for. The solution I am speaking of is pfSense. I have mentioned the BSD-based firewall solution before, but that was only my home firewall. The CD-ROM based version of the distribution works perfectly on even some of the oldest (I’m using that term loosely) hardware and still provides enough throughput for the biggest cable download speeds you can buy.

    At work, as a project, I am (with one of my colleagues) building two firewalls that act as one, just like an active/passive failover cluster. Currently I am running release 1.2 RC3, which was released just a few days ago. So far the solution has been stellar, to say the least. The developers and the community behind pfSense are really awesome, and the capabilities that the “FREE” firewall solution has in its back pocket beat the crap out of a Cisco PIX 515 or ASA 5510. Sure, you can do most of the things that pfSense does with a PIX or ASA from Cisco, but it’ll cost you extra. Now with the Snort package available from pfSense, as well as Squid and a BGP package, pfSense is starting to grow some muscles. I will say that Cisco has the VPN department OWNED, but hopefully the features that they offer will be developed for OpenVPN in the near future. Now on to the build.

    Here is a simplified diagram of the design that I have built successfully:

    [Image: pfSense network diagram]

    The design is a no-brainer: managed switches inside and outside, two firewalls with a CARP sync connection between them, and 3 VLANs internal to the network that are in no way, shape, or form able to talk to each other, unless of course someone does a little VLAN hopping. I’m not going to worry about that at this point, however.

    The true beauty behind using pfSense for this solution is the simplicity of the installation and configuration needed to get it up to a production level. Once you figure out how the different facets of NAT can help you achieve your goal, the configuration is very straightforward. If you want your entire segment to send out traffic as a single IP (NAT overload), you put it in the Outbound NAT table; if you want to provide services on specific ports, you add them to the Port Forward table; and if you want a single IP address on the inside to have its own dedicated outside IP, add it to the 1:1 NAT table. Very simple stuff. When you add things to the Port Forward NAT table, it can auto-add a matching firewall rule for you as well; I usually let it do this and then adjust the rule’s configuration accordingly.

    CARP (the failover/sync mechanism) for pfSense is quite easy to configure as well. There is a very nice tutorial on http://www.pfsense.com that shows you how to accomplish this. Basically, on the primary firewall you put in the IP of the other firewall, tell it which interface to sync through and what to sync, and voila, you are done.
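    To make the design’s VLAN isolation, the three NAT tables, and the CARP/pfsync plumbing concrete, here is an added example (not from this post and not the pfSense project’s own code) of a hand-written pf.conf that approximates what the pfSense 1.2 web GUI generates underneath for a layout like the one above. It uses the older pf syntax of the FreeBSD 6 era that pfSense 1.2 runs on, where translation rules come before filter rules. The interface names (em0/em1/em2, vlan10–vlan30), the 203.0.113.0/24 WAN block (a documentation range), the 10.0.x.0/24 VLAN subnets, and the two server addresses are all assumed placeholders.

```pf
# Added example pf.conf for an active/passive pfSense pair with three isolated
# VLANs. All interface names and addresses below are assumed placeholders.

ext_if  = "em0"      # WAN, toward the outside managed switch
int_if  = "em1"      # LAN trunk, toward the inside managed switch
sync_if = "em2"      # dedicated crossover link between the two firewalls

# The three isolated VLANs ride the LAN trunk as tagged sub-interfaces
vlan10 = "vlan10"    # 10.0.10.0/24 - web tier
vlan20 = "vlan20"    # 10.0.20.0/24 - mail tier
vlan30 = "vlan30"    # 10.0.30.0/24 - management
internal = "{ vlan10 vlan20 vlan30 }"
carp_ifs = "{ em0 em1 vlan10 vlan20 vlan30 }"

table <vlan_nets> { 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24 }

# Shared CARP addresses: these follow whichever node is currently master
wan_vip  = "203.0.113.10"
mail_vip = "203.0.113.11"

web_srv  = "10.0.10.5"
mail_srv = "10.0.20.5"

set skip on lo0
scrub in all

# --- Translation: what the Outbound NAT, 1:1 NAT and Port Forward tabs produce ---

# Outbound NAT (NAT overload): every VLAN leaves the WAN as the shared WAN address
nat on $ext_if from <vlan_nets> to any -> $wan_vip

# 1:1 NAT: the mail server owns a dedicated outside address in both directions
binat on $ext_if from $mail_srv to any -> $mail_vip

# Port forward: only TCP/80 on the shared WAN address is redirected to the web server
rdr on $ext_if proto tcp from any to $wan_vip port 80 -> $web_srv port 80

# --- Filtering ---

# Default deny, logged, so anything not explicitly allowed shows up in the firewall log
block log all

# Failover plumbing: the pair must exchange pfsync state on the crossover link and
# CARP advertisements on every interface that carries a shared address
pass quick on $sync_if proto pfsync
pass quick on $carp_ifs proto carp keep state

# Companion rules for the translations above (pfSense can auto-add the rdr one).
# Filter rules see the post-translation destination, hence the inside addresses.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state

# VLAN isolation: a host may reach its own gateway and the outside world, but
# nothing in the other two VLANs. The block is "quick" so no later, broader
# pass rule can accidentally re-open inter-VLAN traffic.
pass in quick on $vlan10 from 10.0.10.0/24 to ($vlan10) keep state
pass in quick on $vlan20 from 10.0.20.0/24 to ($vlan20) keep state
pass in quick on $vlan30 from 10.0.30.0/24 to ($vlan30) keep state
block in log quick on $internal from any to <vlan_nets>
pass in on $internal from <vlan_nets> to any keep state

# Let the firewall's own and translated traffic leave
pass out on $ext_if keep state
pass out on $internal keep state
```

    Two points worth checking on a real box: pf evaluates filter rules against the post-translation destination, so the companion pass rule for a port forward names the inside server rather than the WAN address; and the inter-VLAN block is marked quick so that a later pass rule cannot quietly reopen it. Both nodes must load the same ruleset for a failover to be transparent, which is what the configuration sync gives you; `pfctl -sr` and `pfctl -sn` on each node show the filter and translation rules actually loaded.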

    I’ve barely started putting services behind the firewall but will be pushing the project live here very soon. I will keep you posted on how it performs, the battles that I had to fight to get things to work and offer any guidance that I may have that would benefit you. Thanks for reading.

  • pfSense – The Ultimate Free Firewall

    [Image: pfSense logo]

    If anyone is looking for an alternative firewall for their home, office, small/medium-sized business, or enterprise, I may have something in store for you. I have been using pfSense, a BSD-based firewall, at home for about a year and a half. Well, I was using M0n0wall for about 6 months of that, but pfSense is based on M0n0wall, so maybe I didn’t lie. Oh well. You can check it out at http://www.pfsense.com.

    Please take some time to mull over all the features that the BSD-based firewall offers for FREE. Unlike a Cisco or Fortigate, you don’t have to pay for the extras that actually make the thing functional. This is one of the best open source firewall solutions on the market, the best in my opinion, but well, that’s my opinion. Take a look for yourself. The website has some tutorials on how to set things up and get you going; however, any computer-savvy home user could set this up without too much fuss.

    Hardware-wise, the firewall doesn’t require much of a system to run. I would recommend a PIII 500MHz with 256MB of memory and 2 NICs to get started. The server/firewall can actually boot and run from the bootable CD and then store its configuration on a floppy if you wish; however, some of the cool additional features cannot be installed that way to make this thing really bad ass. Just install it to a hard disk, something small like a 6GB drive or so. It could also be installed on a solid state disk if you have the time and money. Anywho, once you get the hardware, pop in the CD and floppy and get the thing to a basic config; you will have to tell it which interface is which NIC. So the outside interface goes to NIC fx0 and the inside interface goes to fx1, or something. You’ll figure it out. After you have an IP address on the box you can web into it and configure the rest from there. A few features that are worth mentioning would be:

    • Failover/Load Balancing
    • Snort
    • Stateful Packet Filtering
    • QoS / Traffic Shaping
    • Captive Portal
    • Wireless LAN Support
    • FreeRADIUS
    • IPSec Tunnel Support
    • OpenVPN Support
    • Traffic Graphing with RRD Graphs
    • Real Time Graphing
    • and many more…

    Please, please, please take a look at this package and give it a try. I know pretty much everybody has an extra computer lying around that they could put this on. If not, let me know and I’ll try to source you one. At work, a colleague of mine and I are working to get these into the production network and possibly offer it as a line of service for our clients. More on what I do and this project later. Enjoy.