Home Firewall with pfSense

Today’s post is about my pfSense installation. It’s not the usual pfSense setup. First of all, instead of running in a standalone PC or some sort of embedded computer, my pfSense runs in a virtual machine. Then, it has multi-WAN (i.e. Internet) links. I know most people will probably not quite have the same type of setup, but I hope some parts of it will be useful, or at least be interesting to read about.

If you haven’t heard yet, pfSense is an open source firewall/router distribution based on FreeBSD. It boasts a bunch of features that you’d expect only in commercial firewall solutions. Designed to work as an appliance, it’s a lot easier to manage a pfSense firewall than trying to muck around with all the bits and pieces of stuff that would need to be put together had I decided to go with a standard Linux distribution.

Before we get started, let’s talk about the network setup, so that you know how things fit together. Being a network engineering person, let’s do this with a network diagram.

It’s not really as complex as it looks. At the centre of the network is the Linux PC running Ubuntu 12.04, and in there runs a virtualized pfSense firewall. There are 4 network interfaces to the PC, so that I can connect the three WAN connections and one LAN connection to pfSense. My PC, like most others, has just one ethernet port. So all the extra network ports were made possible with an Intel PRO/1000 quad-port network adapter.

All the four network ports connected to the PC are virtually bridged to the pfSense VM. The bridge that serves as the “LAN” is also terminated on the host, so that the host has Internet access as a LAN client, and is protected from direct Internet access by the pfSense firewall.

The “LAN” exits the PC and connects to a switch nearby, so that another desktop PC can get network access. Then, a Linksys E3200 wireless access point is connected further away. (The Linksys E3200 is configured in bridged mode, so it is no longer a broadband router.)

Virtual Machine Configuration

The pfSense VM is configured via virt-manager. It’s pretty straight-forward. Just a few things to note:

  • Four NICs are configured in bridged mode.
  • The NICs were configured to emulate the “e1000” device. The default would have been Realtek 8139, which is a 100Mbps card. While it works, there are endless log errors. I’m not sure, but perhaps the actual bandwidth would have been capped at 100Mbps too.
  • I manually chose the emulated processor to match the host processor, although I only made one logical CPU available to the VM. This is configured under the Processor section: expand the Configuration, and click on “Copy host CPU configuration”.
  • The VM was given 1GB of RAM and 4GB of disk. It has to be an IDE disk to work with FreeBSD.
  • I’m not sure if it helps, but when you create the VM in virt-manager, remember to choose UNIX for OS type, then FreeBSD 8.x for Version. (It’s probably about picking sane defaults of the rest of the VM configuration.)
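As an added example (not from the original post), the same VM settings expressed as a libvirt domain definition, which is what virt-manager writes behind the scenes and what `virsh define` accepts. The bridge names br0-br3, the disk path, the VM name and the use of `<cpu mode='host-model'/>` for “Copy host CPU configuration” are my assumptions.

```python
# Added example: build a libvirt domain XML matching the virt-manager
# settings above (four bridged e1000 NICs, host CPU model, one vCPU,
# 1GB RAM, IDE disk). Bridge names, disk path and VM name are assumed.
import xml.etree.ElementTree as ET


def build_pfsense_domain_xml(name="pfsense",
                             bridges=("br0", "br1", "br2", "br3"),
                             disk_path="/var/lib/libvirt/images/pfsense.img",
                             memory_mib=1024, vcpus=1):
    dom = ET.Element("domain", type="kvm")
    ET.SubElement(dom, "name").text = name
    ET.SubElement(dom, "memory", unit="MiB").text = str(memory_mib)
    ET.SubElement(dom, "vcpu").text = str(vcpus)
    os_el = ET.SubElement(dom, "os")
    ET.SubElement(os_el, "type", arch="x86_64", machine="pc").text = "hvm"
    # "Copy host CPU configuration": expose the host CPU model to the guest
    ET.SubElement(dom, "cpu", mode="host-model")
    devices = ET.SubElement(dom, "devices")
    # FreeBSD 8.x guest: IDE disk rather than virtio
    disk = ET.SubElement(devices, "disk", type="file", device="disk")
    ET.SubElement(disk, "driver", name="qemu", type="raw")
    ET.SubElement(disk, "source", file=disk_path)
    ET.SubElement(disk, "target", dev="hda", bus="ide")
    # One bridged NIC per host bridge, emulating Intel e1000 instead of
    # the default 100Mbps Realtek 8139
    for br in bridges:
        nic = ET.SubElement(devices, "interface", type="bridge")
        ET.SubElement(nic, "source", bridge=br)
        ET.SubElement(nic, "model", type="e1000")
    return ET.tostring(dom, encoding="unicode")


def nic_summary(domain_xml):
    """Return (bridge, model) pairs for every NIC in a domain definition."""
    root = ET.fromstring(domain_xml)
    return [(i.find("source").get("bridge"), i.find("model").get("type"))
            for i in root.iter("interface")]


if __name__ == "__main__":
    print(build_pfsense_domain_xml())
```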

I downloaded the pfSense ISO image and used that for installation. For some strange reason, the pfSense installation would appear to “hang” midway (progress indicator just remains at the same spot for 10 minutes or more). During one of the installation attempts it was stuck at 39%, at another time it was 45%. But anyhow, if you just leave it, it eventually moves past that and completes the installation. Before I knew about it, I wasted quite a lot of time and effort restarting my pfSense install.

pfSense Setup

It’s funny sometimes how a simple thing can somehow escape someone who ought to have enough experience to figure out how to get it done. For me, I just wasn’t reading thoroughly what the on-screen prompts were telling me, and I couldn’t figure out how to configure the LAN interface in pfSense.

Anyway, in case you’re not reading instructions properly like I was, when you are asked to configure pfSense’s interfaces and decide to do it manually (probably the easier way in a virtualized environment), remember that after assigning the WAN port (e.g. em1), it automatically continues to ask for the LAN port next (e.g. em0). I had oddly enough assumed it was asking for more WAN ports, and since I hadn’t wanted to configure more WAN ports at that time, I simply pressed ENTER to end the port assignments.

I’m sure you can figure out most of this, but I’ll just run this through for the convenience of those who have not seen pfSense’s web UI before.

  1. Change your admin password. Go to System, User Manager. Click on the Edit button against the admin user entry. There’s probably only one user at this point anyway.
  2. Go to System, General Setup. Set your hostname, domain name, etc as needed. Don’t forget the time zone too. By default, DNS servers are configured through DHCP over your WAN links. You can add more DNS servers if you wish (e.g. Google’s 8.8.8.8 and 8.8.4.4).
  3. Go to System, Advanced. You should be in the Admin Access tab. Set the webConfigurator protocol to HTTPS. You may also want to set the Alternate Hostnames if you’re going to be accessing webConfigurator by hostname.
  4. For the additional WAN interfaces, note that they need to be assigned either in the console menu, or via Interfaces, (assign) in the webConfigurator. By default the additional interfaces are going to be called OPT1, OPT2, etc.
  5. Go to Interfaces, and select the additional WAN interfaces. You need to enable them. You can rename them to more appropriate names too, and you can also rename the default WAN and LAN interfaces if you wish. Best to enable blocking of BOGON and private networks.
  6. Go to System, Routing, and click on the Groups tab. Create a new group to contain WAN ports that will participate in a load-balancing configuration. (I only use two of my WAN links for primary network access.)
  7. Then, go to Firewall, Rules, and click on the LAN tab. Click on the current default route entry. Click the Advanced button in the Gateway row. Select the new route group that you created above. Save, and click Apply Changes at the top of the page. Now, your LAN’s outgoing Internet access will be load-balanced. (You have to watch out that some configuration changes in pfSense require a separate “Apply Changes” step to actually effect the changes.)
  8. Go to Interfaces, (assign), and click on the Interface Groups tab. Add a new group and put all WAN ports in it. Interface Groups allow you to more conveniently add rules in the firewall. Unfortunately, Interface Groups don’t seem to be usable everywhere, such as in the NAT setup.
  9. Go to Firewall, Rules. Click on the tab for the new interface group. Add a new rule to pass (i.e. allow) access to port 443. This will enable access to your webConfigurator from the Internet.
  10. If you want to port-forward WAN traffic to an internal server, you need to configure NAT port-forward rules. Go to Firewall, NAT. You’ll be on the Port Forward tab. Create a NAT rule.
  11. If you want to setup Dynamic DNS, go to Services, Dynamic DNS. Create as needed. The entries track specific WAN interfaces.
  12. To check for software updates, go to System, Firmware, and click on the Updater Settings tab. You can choose to follow the snapshot updates.
  13. If you have a SSL cert to use with the pfSense webConfigurator, go to System, Cert Manager, click on the Certificates tab, and install it there. Most certs are chained nowadays. The intermediate CA cert should be installed in the CA tab. Then, go to System, Advanced, and in the Admin Access tab, under webConfigurator section, remember to choose the new certificate in the SSL Certificate selector.
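As an added example (not from the original post), a small audit of a pfSense config.xml backup (Diagnostics, Backup/Restore) for the settings steps 3, 5 and 6 above ask for: HTTPS on the webConfigurator, BOGON and private-network blocking on every uplink, and a gateway group for load-balancing. Element names follow pfSense’s config.xml layout as I know it, the sample config is constructed, and treating every enabled non-LAN interface as an uplink is an assumption that matches this post’s layout.

```python
# Added example: audit a pfSense config.xml backup for the hardening
# settings in the setup steps above. SAMPLE_CONFIG is constructed for
# this example and deliberately leaves some settings off.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui><protocol>http</protocol></webgui>
  </system>
  <interfaces>
    <wan><enable/><if>em1</if><ipaddr>dhcp</ipaddr><blockpriv/><blockbogons/></wan>
    <lan><enable/><if>em0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable/><if>em2</if><ipaddr>dhcp</ipaddr><blockpriv/></opt1>
    <opt2><enable/><if>em3</if><ipaddr>dhcp</ipaddr></opt2>
  </interfaces>
  <gateways>
    <gateway_group><name>LoadBalance</name></gateway_group>
  </gateways>
</pfsense>
"""


def audit_pfsense_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # Step 3: webConfigurator must be served over HTTPS
    proto = root.findtext("system/webgui/protocol", default="http")
    if proto != "https":
        findings.append("webConfigurator protocol is %s, not https" % proto)
    # Step 5: every enabled uplink (assumption: all non-LAN interfaces)
    # should block private and bogon source networks
    for iface in root.find("interfaces"):
        if iface.tag == "lan" or iface.find("enable") is None:
            continue
        for flag in ("blockpriv", "blockbogons"):
            if iface.find(flag) is None:
                findings.append("%s (%s): %s not enabled"
                                % (iface.tag, iface.findtext("if"), flag))
    # Step 6: a gateway group is needed for outbound load-balancing
    if root.find("gateways/gateway_group") is None:
        findings.append("no gateway group defined for WAN load-balancing")
    return findings


if __name__ == "__main__":
    for finding in audit_pfsense_config(SAMPLE_CONFIG):
        print(finding)
```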

That should pretty much get pfSense working.

Note in my configuration, I’m only using two WAN links for load-balancing outgoing traffic. My intent is for the third WAN link to be used for incoming administrative access, as well as a failover outgoing backup (not described above).

There are still a couple more things I am planning to do with pfSense. OpenVPN server setup, for example. Also, in case you’re wondering about the SSL certificates, apparently someone does, nowadays, really provide free one-year SSL certificates. No strings, it seems. Check out www.startssl.com. The enrolment and setup of this CA is quite different from what I’m used to, but hey, it’s free, and I think it’s worth your while to check them out.

So that’s it for pfSense for now!

Comments

  1. CFM says:

    What is the actual bridge configuration that you used for the ethernet card in /etc/network/interfaces for the LAN gateway? I’m struggling to get the bridge definition right.

    1. Zit Seng says:

      See below. :) The eth1 has a VLAN number (I’ve masked it) because that’s how the packets arrive from the fibre broadband provider.

      # /etc/network/interfaces on the Ubuntu 12.04 host
      auto lo
      iface lo inet loopback

      # Physical ports: no address on the host, they only feed the bridges below
      auto eth0
      iface eth0 inet manual

      auto eth1
      iface eth1 inet manual

      # VLAN sub-interface on eth1 (tag masked as "x"); the fibre broadband
      # provider delivers its traffic tagged
      auto eth1.x
      iface eth1.x inet manual

      auto eth2
      iface eth2 inet manual

      auto eth3
      iface eth3 inet manual

      auto eth4
      iface eth4 inet manual

      # LAN bridge: shared with the pfSense VM and given the host's own address,
      # so the host reaches the Internet as a LAN client behind pfSense
      auto br0
      iface br0 inet static
          address 192.168.x.x
          netmask 255.255.255.0
          gateway 192.168.x.x
          bridge_ports eth0
          dns-nameservers 192.168.x.x

      # WAN bridges: no host address, each just carries one uplink to the VM
      auto br1
      iface br1 inet manual
          bridge_ports eth1.x

      auto br2
      iface br2 inet manual
          bridge_ports eth2

      auto br3
      iface br3 inet manual
          bridge_ports eth3