Friday, December 12, 2008

pfSense Makes Perfect Sense

Intro
I started playing with firewall/router distros recently. I tried IPCop, Smoothwall, and pfSense. I learned that there are others, but I was primarily interested in one I can run on an old PC. I have access to a few old PCs and I liked the idea of building a nice firewall with good features out of hardware I can get for free. I was almost ready to throw some of these PCs away.


Old Setup
I have been using a Linksys BEFSR41 router together with a Westell 6100 DSL modem on a dynamic Verizon Internet connection. I had the Westell 6100 set to bridge mode with its DHCP server off, and the Linksys BEFSR41 set to do MAC address cloning (using the address taken from the Westell). I believe the only reason I needed to clone the MAC address was to avoid the roughly two-hour wait for Verizon to release my dynamic IP. From what I read, Verizon ties the dynamic IP to your hardware MAC address, so if you change it you have to wait around two hours to obtain a new IP.

http://tp0x45.blogspot.com/2008/04/westell-6100-and-linksys-befsr41-router.html

New Setup
The idea is to combine my Westell 6100 DSL modem in bridge mode with an older PC that has three network cards dedicated to the following:
  1. WAN connection to Verizon via the bridged Westell 6100
  2. LAN subnet connection to a switch where most of the PCs will be connected
  3. DMZ subnet connection to PCs that will run server applications such as a web server, database, or VNC. The DMZ subnet will have no (or very limited) access to the LAN subnet, so a server that is exposed to the Internet cannot be used as a stepping stone into the LAN.

Preparing the PC
I decided on a nice old 500MHz Pentium 2 I had lying around. It had 96MB RAM, which I expanded to 192MB. It has a 10GB hard drive, which is more than enough for this setup. It has an on-board Ethernet interface and I added two additional Ethernet cards for a total of three Ethernet ports. I also used the opportunity to vacuum the fans and CPU cooler.

Another thing to consider is removing all the hardware you do not need, such as the sound card, modem and floppy drive (unless you need it for backup); even the CD-ROM drive can be disconnected after the installation. In the BIOS setup it is a good idea to change the power option to "always on" so that the firewall machine boots up again after a power loss.

Installing pfSense
The setup is a little more involved but very intuitive. pfSense is BSD based, but you do not need to know BSD to install or use it. You download the pfSense ISO, burn it to a CD and boot the prepared machine from it; it comes up in BSD with a text-based menu. Option 99 installs pfSense to the hard drive.

A very handy feature during interface assignment: you plug an Ethernet cable into each card in turn and the installer reports which interface has just gone UP or DOWN, so you can tell which physical port is which. That made it easy to assign WAN, LAN and OPT1 (which I later renamed to DMZ). You also give each interface its address at this point. For WAN I chose DHCP, for LAN 192.168.0.1 and for OPT1 192.168.2.1 (both from the RFC 1918 private ranges). You can enable the DHCP server for the LAN subnet here as well.

When the hard drive install is done, reboot without the CD and connect a laptop or desktop PC to the LAN interface (pfSense PC-->switch-->that other PC). That PC needs an address on the 192.168.0.x subnet, either set statically with 192.168.0.1 as gateway and DNS server, or obtained dynamically from the pfSense DHCP server. The pfSense configuration web interface is then reached at http://192.168.0.1.

Please check the following link for more info on initial setup:
http://doc.pfsense.org/index.php/Installing_pfSense

Configuring pfSense
The first screen you get when you access http://192.168.0.1 is actually a setup wizard. It walks you through the initial setup of your pfSense firewall. A very nice guide is given at:
http://doc.pfsense.org/smiller/Install_Guide.htm

Please follow those instructions. The only difference in my case is that I used the name DMZ instead of WiFi as given in the guide. The guide assumes OPT1 is used as a WiFi subnet connected to a wireless access point. I dedicated OPT1 to my DMZ subnet with the same idea: DMZ PCs (like the WiFi PCs in the guide) must not be able to reach my LAN subnet.

If needed you can restart the setup wizard by selecting System->Setup wizard.

Please note that one of the first steps in the wizard lets you set a spoofed MAC address on WAN. In my case with Verizon that let me get online immediately after configuration instead of waiting for the lease tied to the old MAC address to expire. I connected the WAN port of the pfSense box to my Westell DSL modem, which was already configured in bridge mode with DHCP off. The LAN port of the pfSense box is now connected to a switch, and all my PCs hang off the LAN subnet.

One PC running Windows XP with Apache and Tomcat I connected directly to the OPT1 (DMZ) port. I gave it the static address 192.168.2.99 with 192.168.2.1 as gateway (the DMZ interface address set earlier). I turned everything on and the pfSense box obtained its WAN address from Verizon's DHCP; my LAN PCs were all on the 192.168.0.x subnet. Everything worked like a charm.

Port Forwarding
To do proper port forwarding one should consult pfSense documentation. For forwarding ports such as 80 (HTTP) or 5900 (VNC) the best way is to go through Firewall->NAT menu:

Once there, click the "+" button to add a Port Forward. This opens a detailed form:

Here you select the external port range (in this case the VNC port, 5900), the NAT IP (the PC the traffic is forwarded to) and the local port on that PC. Another important thing is to keep the "Auto-add firewall rule" option selected: the port forward only rewrites the destination address, and without a matching pass rule on the WAN interface the forwarded traffic is still dropped by the firewall.

Click on Save button and in the new screen click on "Apply changes"


The sequence shown enabled port forwarding of VNC to my PC on the DMZ. The same steps would be needed, for example, to forward HTTP (port 80). You can check the Firewall->Rules menu to verify the newly added rule:


If you now test the forward from a PC on your LAN subnet by connecting to your public (WAN) address, it will not work: the connection ends at the firewall itself instead of being redirected to the DMZ host. To make that work, go to System->Advanced and uncheck "Disable NAT Reflection".

That lets you test your port forwarding from a machine on the pfSense LAN subnet. Testing from outside your network remains the more faithful check of what the Internet actually sees.
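To make the interplay between the DMZ isolation described under Configuring pfSense, the port forward and NAT reflection concrete, here is a small first-match packet-filter model written for this write-up; it is illustration code, not pfSense's or pf's own rule engine, and it simplifies their semantics. It keeps the addresses used above (LAN 192.168.0.0/24, DMZ 192.168.2.0/24, VNC host 192.168.2.99); the WAN address 203.0.113.5 and the outside client 198.51.100.7 are constructed documentation addresses standing in for the DHCP-assigned Verizon IP and an Internet peer.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
DMZ = ip_network("192.168.2.0/24")
DMZ_HOST = ip_network("192.168.2.99/32")
WAN_IP = ip_address("203.0.113.5")      # constructed stand-in for the dynamic Verizon address

# Port forward from the post: WAN port 5900 -> 192.168.2.99 port 5900 (the rdr half).
PORT_FORWARDS = {5900: (ip_address("192.168.2.99"), 5900)}


@dataclass(frozen=True)
class Rule:
    iface: str      # interface the packet arrives on: "wan", "lan" or "dmz"
    action: str     # "pass" or "block"
    src: object     # ip_network or "any"
    dst: object     # ip_network or "any"
    dport: object   # int or "any"
    note: str = ""


# Rules are evaluated per arriving interface, top to bottom; the first match wins.
RULES = [
    # WAN: the rule pfSense auto-adds for the port forward; nothing else is let in.
    Rule("wan", "pass", "any", DMZ_HOST, 5900, "auto-added for the VNC forward"),
    # DMZ (OPT1): drop anything aimed at the LAN, then allow Internet access.
    Rule("dmz", "block", DMZ, LAN, "any", "keep DMZ hosts off the LAN"),
    Rule("dmz", "pass", DMZ, "any", "any", "DMZ to Internet"),
    # LAN: the allow-all the setup wizard leaves in place.
    Rule("lan", "pass", LAN, "any", "any", "LAN default allow"),
]


def _match(field, value):
    """'any' matches everything; an int is a port; anything else is a network."""
    if isinstance(field, str):
        return field == "any"
    if isinstance(field, int):
        return field == value
    return value in field


def evaluate(iface, src, dst, dport, nat_reflection=False):
    """Decide the fate of a new connection entering `iface`.

    Returns (verdict, delivered_to). The port-forward (rdr) table is consulted
    before the filter rules, as pf does; an unmatched packet is blocked, which is
    the implicit default deny of a pfSense interface.
    """
    src, dst = ip_address(str(src)), ip_address(str(dst))
    fwd = PORT_FORWARDS.get(dport)
    if fwd and dst == WAN_IP:
        if iface == "wan" or nat_reflection:
            dst, dport = fwd
        else:
            # A LAN/DMZ client aiming at the public address without NAT reflection
            # reaches the firewall itself, which is not listening on that port.
            return "block", "firewall (no NAT reflection)"
    for rule in RULES:
        if (rule.iface == iface and _match(rule.src, src)
                and _match(rule.dst, dst) and _match(rule.dport, dport)):
            return rule.action, str(dst)
    return "block", str(dst)


if __name__ == "__main__":
    cases = [
        ("wan", "198.51.100.7", WAN_IP, 5900, False),         # Internet -> VNC forward
        ("wan", "198.51.100.7", WAN_IP, 80, False),           # Internet -> HTTP, not forwarded
        ("dmz", "192.168.2.99", "192.168.0.10", 445, False),  # DMZ host probing the LAN
        ("lan", "192.168.0.10", WAN_IP, 5900, False),         # LAN test via the public IP
        ("lan", "192.168.0.10", WAN_IP, 5900, True),          # same, with reflection enabled
    ]
    for iface, src, dst, port, refl in cases:
        tag = "reflection on" if refl else "reflection off"
        print(f"{iface}: {src} -> {dst}:{port} ({tag}) => {evaluate(iface, src, dst, port, refl)}")
```

The DMZ block rule sits above the DMZ pass rule on purpose: with first-match evaluation, swapping them would silently grant DMZ hosts full access to the LAN, which is the mistake to watch for when you add rules through the web interface later.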

DNS Forwarding

A very useful feature. In this example I used it to block Google Talk.

I added an override in the DNS forwarder that sends DNS requests for the Google Talk servers to 127.0.0.1, so clients never get a usable address. This disabled Google Talk without disabling Gmail. Note that this only works for clients that use the pfSense box as their DNS server; a PC with a manually configured external DNS server, or an application that connects to a hard-coded IP address, bypasses it.
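To show what such an override does on the wire, here is an added example written for this write-up (not the pfSense DNS forwarder's code, and not the exact override the post used) of a resolver that answers overridden names locally and hands everything else to an upstream server. The hostname talk.google.com and the sample queries are assumptions; the post does not say which host it sinkholed. It also handles the edge case a naive override misses: a non-A query (such as AAAA) for the blocked name is answered with an empty reply instead of being forwarded, so the client cannot obtain a real address that way.

```python
import struct
from ipaddress import ip_address

A, AAAA, ANY, IN = 1, 28, 255, 1

# Host override table. The post does not name the host it sinkholed; talk.google.com
# is an assumption used for illustration. Matching covers the name and its subdomains.
OVERRIDES = {"talk.google.com": "127.0.0.1"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at `off`, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(txid, name, qtype=A):
    """A client query with RD set, one question and no other sections (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN)


def lookup_override(name):
    """Return the override address for `name` or any parent domain, else None."""
    parts = name.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        addr = OVERRIDES.get(".".join(parts[i:]))
        if addr:
            return addr
    return None


def answer_query(query):
    """Answer an overridden name locally; return None when the query should go upstream."""
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        return None
    name, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    addr = lookup_override(name)
    if addr is None or qclass != IN:
        return None
    question = query[12:off + 4]
    if qtype in (A, ANY):
        # Name pointer 0xC00C refers back to the question name at offset 12.
        rrs = struct.pack("!HHHIH", 0xC00C, A, IN, 60, 4) + ip_address(addr).packed
        ancount = 1
    else:
        # Any other type (e.g. AAAA) gets an empty NOERROR answer. Forwarding it
        # upstream instead would hand the client a real address and defeat the block.
        rrs, ancount = b"", 0
    return struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0) + question + rrs


def answer_addresses(resp):
    """IPv4 addresses carried in the answer section of a response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(resp, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = decode_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == A:
            addrs.append(str(ip_address(resp[off:off + rdlen])))
        off += rdlen
    return addrs


if __name__ == "__main__":
    for host in ("talk.google.com", "mail.google.com"):
        resp = answer_query(build_query(0x1234, host))
        print(host, "->", answer_addresses(resp) if resp else "forward upstream")
```

A query for mail.google.com returns None and would be forwarded unchanged, which is why Gmail keeps working while the Google Talk name resolves to the loopback address.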

Maintenance
Several system maintenance functions are available.


You can also enable SSH access and log in to the pfSense box from your LAN computers with an SSH terminal. I used this only when I wanted to delete some logs; generally you do not need it.

UPnP Service
I enabled this because I read it is needed for MSN. I am actually not sure I needed it; my understanding is that it can speed up video and file transfer in MSN, but I did not get a good chance to test and confirm that. MSN (including video and file transfer) worked without it. Any comments or feedback on this would be appreciated. Keep in mind that UPnP lets any program on any LAN host open inbound port mappings on the firewall without authentication, which hands the same ability to malware on an infected LAN PC; leave it off unless an application demonstrably needs it.


Additional Features (Packages)
Several features are available via packages. Examples are a web proxy, an IM proxy with logging (IMspector), a web filter, etc. Go to System->Packages and a single click installs a package/feature. So far I have tried IMspector for IM proxying and IM logging.


Other Firewall Distros
I first tried IPCop. I actually ran it on an even older PC with only 32MB RAM and an 8GB hard drive. It is a great firewall distro with lots of features. Being a newbie I did not understand all of them at first, but spending some time reading and playing with it gave me a pretty good idea of what can be done. I really loved the fact that it ran on a very small and slow PC without any problems. At the time I was not running the Westell in bridge mode, so I did not need to spoof the MAC address with IPCop, and I am not sure whether it has that option; later I realized I needed it. Still, it ran on that old PC with only 32MB RAM, and I will definitely play with IPCop more.

I tried Smoothwall, the project IPCop was originally forked from. Very nice interface and lots of features. The drawback was that I had to "hack" it to clone the MAC address: I had to log in to the machine and edit the "/etc/rc.d/rc.netaddress.up" script to add an ifconfig line that changes the MAC address. It worked without problems, but I believe that setting should be accessible through the nice web interface. I ran this distro on the PC I prepared (P2 500MHz, 192MB RAM, 10GB HDD). Besides the missing MAC "spoofing" option, MSN video did not work. It could be related to the squid web proxy, but I did not spend much time on it.

Conclusion
Definitely a good experience. My network is now much better organized, with a LAN subnet shielded from the DMZ that holds my web server. My Internet connection also appears much faster than with the Linksys BEFSR41, and there are lots of features left to try.
A very good use for an old PC you might have lying around. I actually have a few machines like this that are in very good condition, just no longer usable as everyday desktops.

References
http://www.pfsense.org
http://www.distrowatch.com
http://doc.pfsense.org/index.php/Installing_pfSense
http://doc.pfsense.org/smiller/Install_Guide.htm
http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F
http://www.ipcop.org
http://www.smoothwall.org
http://tp0x45.blogspot.com/2008/04/westell-6100-and-linksys-befsr41-router.html
http://tp0x45.blogspot.com/2008/11/ipcop-14-linux-based-firewall.html

2 comments:

Turner said...

Wow, thanks for this tutorial. I just googled port forwarding and found this. I was having a lot of issues with pfSense, but this helped me out a lot, so thanks!

arbus said...

For ultra reliability you may want to consider replacing your hard drive with a compactflash card and running it as an embedded system. Monoprice has them for about $8 shipped. This is the one in my system - http://jasu.us/48422/

I'm running a 2GB card and still have 757M remaining.