Control your network with pfSense
YOU’LL NEED THIS
PFSENSE: Download it from www.pfsense.org.
SERVER HARDWARE: Any 64-bit machine will do.

MANY OF US TRUST OUR HOME NETWORKS to sub-standard hardware we rent from our ISPs. We’re not about to shoo that modem out of your front door—you’ll still, most likely, need the right digitally signed hardware to get that broadband bitstream flowing—but the management portion is probably much better served by something that really knows what it’s doing. What better than pfSense? It’s primarily a firewall, but capable of much more, from routing to traffic management; run your Internet connection through it, and it takes care of everything. Many businesses rely on pfSense for their security but, if you’re willing to roll up your sleeves, you can download and run it for free.
Intimidatingly, pfSense is actually a FreeBSD distro—a Unix-like architecture similar to and, in many ways, compatible with Linux. But don’t let that worry you. Once pfSense is installed, you can configure and monitor everything through a simple web-based interface. All you need is some server hardware running a 64-bit processor (or an older version of pfSense that supports 32-bit hardware), the software itself, and some way of routing Ethernet traffic through that machine. A USB 3.0 Ethernet dongle should set you back no more than around $20.
– ALEX COX

1 THE RIGHT MEDIUM
First of all, head over to www.pfsense.org. Wade through the corporate stuff—as so many of these things are, pfSense is propped up by business implementation and support sales, but it’s still free software—and head to the “Download” link, top-right. You’re given a number of choices, which cover the architecture of the machine you’ll be installing to, which in our case is AMD64, and the format, or platform, you would like to use. Whether you choose the CD or USB installation media is up to you, but it’s worth bearing in mind that whichever one you use, pfSense installs itself to your hard drive, and you lose anything that’s there already.

2 WRITE IT
If you select the USB installer, you can use Rufus (https://rufus.akeo.ie) to write it to a stick; for the disc ISO, use ImgBurn or the tool of your choice. Because the downloads come in gzip format, you do need to extract them using a tool such as 7-Zip (www.7-zip.org) before you can fill up your media. The machine you install it on obviously has to be able to boot from whatever media you choose, but other than that, there’s not an awful lot that you need to consider. Around 1GB of RAM and a 1GHz processor is recommended, so your only real concern is putting decent Ethernet interfaces on the input and output. Don’t cheap out on them, though, because a poor interface could hit your overall network throughput hard.
3 INITIAL INSTALLATION
Boot your hardware from your pfSense disc or USB stick. On the initial menu [Image A], select “Multi User” mode, then hit I to begin installation when prompted. You can safely ignore the console configuration screen, unless you’re using an odd keyboard; if so, use the arrow keys to select it via the third option down [Image B], then choose “Accept These Settings” to move on.
>> While there’s an option to perform a quick install, the more granular action of a custom install is what we’re after, so select that. Pick your target hard drive, formatting it when prompted, and sticking to the default geometry. You’ll see an option to partition your drive, which would be handy if you were planning to put other operating systems on there—but you’re absolutely not, since your pfSense server will be running 24/7/365, so don’t bother with this. Install the bootblock on your primary drive (and your secondary disk, if that’s where you’ve chosen to install pfSense), then stick with the default subpartition configuration [Image C], which reserves a slice of drive space for swap (handy on low-RAM devices), and gives the rest up to the OS.

4 KERNEL PANIC
You can now select one of two kernel options, the kernel being the main controlling layer of the operating system. One gives you access to pfSense locally through a keyboard and VGA monitor, as well as through its web browser interface. The other, the embedded kernel, does away with these niceties in favor of slightly more efficiency. The only way you’ll be able to control an embedded pfSense box is via its web interface and, if you want access to its BSD shell, by using an SSH client such as PuTTY (www.putty.org) on your desktop machine. If you’re unsure of which you’ll use, select the former.

5 CONNECTING
Remove your installation media when prompted, and reboot your pfSense box. If you’ve elected for the full kernel, you’ll now see a list of options [Image D], which includes, just above, information on your IP addresses—one for the WAN, or your Internet connection, and one, which you should note down, for your LAN. pfSense should sort these automatically, but you may need to assign them manually before you go any further; if you fumble on this step and select the wrong card for the wrong job, just switch your Ethernet cables. We won’t tell anyone. Initial setup is done through pfSense’s web interface so, for now, simply plug a machine directly into its LAN port. Fire up a web browser, and head to the address you noted earlier—probably 192.168.1.1—to begin configuration. If you get an alert about an invalid certificate, you need to bypass it for now.

6 CONFIGURING
Log in with the default username “admin” and password “pfsense,” and the setup wizard begins. Sidestep the pleas to sign up for a gold subscription (you can do this later if you find you really love pfSense), and head to a bit of general configuration.
Your hostname can be whatever you like, and set the domain, if you’re already using one on your home network, to the same value. You can also set your preferred network DNS servers here. Keep the bottom box checked if you would like pfSense to pull these from your ISP, or fill in the boxes and uncheck the box if you would prefer to use, for example, Google’s super-fast public DNS servers, which are located at 8.8.8.8 and 8.8.4.4. Hit “Next” to select a time server for your network (although the default is just fine), and set your time zone.
>> The next screen is, at first glance, quite intimidating, although it’s likely you won’t have to touch much of it, unless your ISP is particularly harsh about its hardware restrictions. You’ll likely be able to leave “DHCP” selected, scroll to the bottom, and move on. Leave the IP address as is, then set your admin password. Hit “Reload,” and pfSense is all set up.

7 ADDING WI-FI
If all has gone well, you don’t need to do anything else to pfSense to enjoy its benefits. It’s now working as a firewall, traffic logger, and DHCP server, meaning it takes responsibility for handing out IP addresses to machines on your local network, and batting away traffic from sources that aren’t welcome. The DHCP aspect can cause problems if you want to use Wi-Fi, because your router will likely put up a fight and try to push its own DHCP agenda, so that’s the next step. Switch on your Wi-Fi router (though leave it free of network connections for now), and head to its settings screen.
>> The process is going to be different for every router, but you need to switch off just about everything, from DHCP to firewall. When you’re satisfied that you’ve properly neutered the hardware, you can connect it to your pfSense box, plugging the LAN Ethernet cable into one of its client ports—not the Internet port, as you might presume. Connect to it via Wi-Fi, and you should see that you’re online.

8 SEE IT ALL
Open a browser and head back to the pfSense settings screen, via the same IP address we used earlier. The initial dashboard [Image E] is a good place to see what it’s currently up to, but there’s not a huge amount on display by default, just a profile of your hardware and system resources, and information on its network connections. Click the red plus icon at the top of the screen to add more. We recommend adding the likes of “Services status,” to see which extra services are running on top of the firewall, and stop or restart them at will; “Interface statistics” for an at-a-glance view of how much traffic has been moving through your network; and “Firewall logs” to quickly see a worrying picture of just how many Chinese IP addresses have attempted to sniff around your network. You can configure each of these modules with the wrench icon, and drag their headers to reorder them on the page [Image F].

9 GETTING IN
Primarily, while it performs a host of other network functions, pfSense is a firewall. As such, it blocks access to itself from any machine outside of your local network, but we can use a rule, or exception, to ferry traffic to the right place. First, let’s build in a little security, and place pfSense on a different port than the default, to prevent it being sniffed out by unscrupulous network invaders.

>> Open “System / Advanced,” make sure the “HTTPS” radio button is selected, and enter something along the lines of “8080” in the “TCP port” box near the top [Image G]. Scroll down and select the boxes to disable DNS rebinding checks and HTTP referrer enforcement, hit “Save,” and you’re automatically redirected to the pfSense admin pages via the new port—bear in mind that, from now on, you’ll have to access it via this port, appending “:8080,” for example, to the IP address.

10 OUTSIDE ACCESS
With our stealthy port in place, we can head to “Firewall / Rules.” You’ll see a couple of default entries, both of which are designed to prevent WAN access from addresses that really shouldn’t be able to access your network anyway. “RFC 1918” refers to those IP addresses that are reserved for internal networks only (10.x.x.x, 192.168.x.x, and so on), and unassigned addresses are also, logically, banned. In fact, every direct connection to your network is currently verboten until you explicitly say otherwise. So, let’s do that: Click either of the “Add” buttons, leave the default action as “pass,” and set the destination address to “WAN address” with the dropdown menu. Set the port range to be from 8080 to 8080—essentially telling the firewall to only accept connections on that particular port—and you’re now able to connect to pfSense by typing your WAN IP address, followed by a colon, and the appropriate port number, into any web browser. Check your dashboard page to find out this address; your ISP may occasionally change it, but not often. For a touch of extra security, set up a new user with admin rights in “System / User Manager” [Image H], then delete the original admin account to foil intruders targeting the most common usernames.
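To make the first-match logic of step 10 concrete, here is an added Python model (example code, not pfSense’s own) of the WAN rule set as the article leaves it: the two default block rules, then the single pass rule for TCP port 8080 on the WAN address, with the implicit default deny underneath. The WAN address, the sample sources and the three-entry bogon list are constructed stand-ins, and restrict_source goes one step beyond the article by narrowing the pass rule to a single trusted source network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed WAN address for the pfSense box (TEST-NET-3 documentation range)
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")

# RFC 1918 private ranges: the default "Block private networks" WAN rule drops these as sources
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for the bogon (unassigned/reserved) list; the real list is far longer
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    action: str                            # "pass" or "block"
    proto: str                             # "tcp", "udp" or "any"
    src: list                              # source networks this rule matches
    dst: Optional[ipaddress.IPv4Address]   # None means any destination
    dport: Optional[range]                 # None means any destination port
    descr: str


# The WAN rule table after step 10, evaluated top to bottom
WAN_RULES = [
    Rule("block", "any", RFC1918, None, None, "Block private networks (default)"),
    Rule("block", "any", BOGONS, None, None, "Block bogon networks (default)"),
    Rule("pass", "tcp", ANY, WAN_ADDRESS, range(8080, 8081), "Web GUI on the new port"),
]


def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; no match falls through to pfSense's implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if not any(s in net for net in r.src):
            continue
        if r.dst is not None and d != r.dst:
            continue
        if r.dport is not None and dport not in r.dport:
            continue
        return r.action, r.descr
    return "block", "Default deny"


def restrict_source(rules, trusted):
    """Copy of the rule table where every pass rule only matches the trusted source network."""
    net = ipaddress.ip_network(trusted)
    return [Rule(r.action, r.proto, [net] if r.action == "pass" else r.src, r.dst, r.dport, r.descr)
            for r in rules]
```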