Build your own firewall in 30 mins
YOU’LL NEED THIS
PFSENSE FIREWALL (free)
You might not think you need another firewall. The one built into Windows is working all the time in the background to protect individual computers, and many routers have their own firewalls to protect the whole network. But running your own custom firewall has several benefits: it gives you more flexibility, plus better oversight of what’s going on in the background.
It’s also easier to set up than you might think. You don’t need specialist hardware, and you don’t need to pay for firewall software. The open-source pfSense firewall is free for personal use, with a graphical interface for administration and all the same features as the enterprise version (the difference is that you don’t get commercial support). You can run it in a virtual machine on any PC on your network, or install it natively on a retired PC. Note, though, that you can’t run pfSense on a Raspberry Pi, as it doesn’t support the ARM architecture. –NIK RAWLINSON
1 GET PFSENSE
The pfSense firewall installs as a complete operating system based on FreeBSD. This means you’ll need to allocate at least 512MB of memory and have a 64-bit processor running at more than 500MHz. If you want to support gigabit Ethernet or faster connections, it’s recommended to use a system with multiple cores running at speeds in excess of 2GHz.
» You can download the installer from pfsense.org/download. You’ll want the AMD64 code (which is also compatible with Intel processors)—Netgate ADI is for dedicated firewall hardware. It’s up to you whether you choose a DVD image or a USB memory stick installer—for a virtual machine, the DVD option is easiest, but if you’re devoting a PC to the task of running the firewall, the USB installer will probably be more convenient.
2 CREATE YOUR INSTALLATION MEDIA
If you’ve chosen the USB installer option, you’ll need a tool to write the image onto a flash drive. We used Balena Etcher, which you can download from balena.io/etcher.
» If you want to install to a virtual machine, you’ll need the free 7-Zip tool from 7-zip.org to extract the image to a convenient destination folder. For installation on a virtual machine, you don’t need to do any more at this stage, but if you want to create an installation DVD, right-click the decompressed ISO, click “Burn disk image”, then select your DVD writer. Insert a blank DVD and click Burn.
3 BOOT THE INSTALLER
If you’re using an old PC, this starts with booting it up from your newly imaged DVD or USB flash drive. Go into the BIOS configuration pages after plugging in the USB drive to set it as the top-priority boot device.
» If you’re installing in a virtual machine, create a machine with sufficient resources. We used VirtualBox, with the OS type set to “Linux” and the version set to “Other Linux (64-bit)”. We’d recommend going beyond the minimum requirements and giving the virtual machine at least 1GB of memory, although you’ll have to balance this with the resources you need to reserve for general use.
» Once your machine has been created, select it and click Settings, then Network in the sidebar. Make sure the option to Enable Network Adapter is ticked on each of the tabs for Adapter 1, Adapter 2, and Adapter 3. On the Adapter 1 tab, select NAT from the “Attached to” menu and, on the other two tabs, select Internal Network.
» Finally, “insert” your DVD image into the virtual drive of your new machine. Click Storage in the sidebar, then click the DVD icon under Storage Devices, followed by the smaller DVD icon to the right of the Optical Drive menu in the Attributes section. Select the ISO file you just unpacked, then click OK to close Settings. Now, click Start to boot the virtual machine.
4 INSTALLING PFSENSE
The pfSense firewall uses a text-based installer. Agree to the disclaimers (if you’re happy with them), and choose your keyboard language. You now need to partition the hard drive. With BSD-based installations, the default file system is ZFS, but you can change this to UFS. We’ll stick with ZFS, so with “Auto (ZFS)” selected, press Return. On the following screen, leave the configuration options in their default state and press Return—assuming that you want your data to be “striped” on a single drive with no redundancy. If you want to set up a RAID array on a physical system, you can set up mirroring and redundancy.
» pfSense will then extract the distribution files and configure the operating system. Once it’s finished, it offers to open the command shell so you can make any final manual modifications; unless you want to do this, leave No highlighted and press Return.
» If you’re using physical hardware, now’s the time to remove your USB flash drive, before pressing Return again to reboot. If you’re installing within a virtual machine, press Return, and when the system has finished rebooting, close the window to power off the machine.
5 CONFIGURE PFSENSE
To configure the firewall, log in to pfSense from another machine on the same network. With a virtual machine, the easiest way to do this is to set up another machine within the same host and set its Adapter 1 network connection to Internal Network, as you did for adapters 2 and 3 when setting up the pfSense host. This machine will need its own operating system: we used Puppy Linux (puppylinux-woof-ce.github.io), as it’s a lightweight distribution, which shouldn’t compete too much with the firewall for resources.
» Open a web browser, navigate to the address of your pfSense installation—normally 192.168.1.1—then log in with the username “admin” and the password “pfsense”.
» You should now see the pfSense setup wizard. Click Next on the first page, and on the second, specify the primary and secondary DNS servers you want to use. You can use your ISP’s servers if you know their addresses, or a free service such as Google Public DNS, at 8.8.8.8 and 8.8.4.4. Step through the rest of the wizard, making sure you change the admin password, then wait for the firewall to restart. When it does, the browser will refresh and pfSense will be ready to use. You also need to make sure there are no competing DHCP servers on your network, so turn off this capability in your router’s settings page.
» Once you’ve configured your computers to connect through pfSense, you can apply rules to their internet access, as well as to incoming requests from external servers. For example, to block access to a specific host, pull down the Firewall menu from the top and click Rules, followed by Floating (“floating” rules can apply to either the WAN or LAN interface). Click Add to create a new rule, then set the Action menu to Block and tick the box beside “Apply the action immediately on match”.
» Now, in the Destination block, select “Single host or alias” from the dropdown, and in the field to the right type the IP address of the server you want to block. In the screenshot below left, we’re using the Cloudflare DNS service as an example since it’s an easy address to remember, but this is just for testing. When you return to the previous screen, click Apply to enable the rule.
» If you now try to visit 1.1.1.1 from any machine for which pfSense is the DHCP server, you should fail to reach the destination (see image).
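Besides testing from a client, you can check the rule in a configuration export. pfSense stores everything in config.xml (Diagnostics > Backup & Restore), and the added example below, which is not from the article or the pfSense project, parses a constructed fragment shaped like that file and confirms the block from step 5 is floating and quick. The element names are assumptions about the config.xml format; compare them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense <filter> section (not a real export).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>block</type>
      <interface>wan,lan</interface>
      <floating>yes</floating>
      <quick>yes</quick>
      <source><any/></source>
      <destination><address>1.1.1.1</address></destination>
      <descr>Test block of Cloudflare DNS</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>
"""

def load_rules(xml_text):
    """Return each <filter><rule> as a dict of the fields that matter here."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("./filter/rule"):
        dst = r.find("destination")
        rules.append({
            "type": r.findtext("type"),
            "interface": r.findtext("interface", ""),
            "floating": r.findtext("floating") == "yes",   # absent => interface rule
            "quick": r.findtext("quick") == "yes",         # "Apply the action immediately"
            "dst_address": dst.findtext("address") if dst is not None else None,
            "descr": r.findtext("descr", ""),
        })
    return rules

def is_host_blocked(rules, host):
    """True only for a floating block rule that is also quick: without quick,
    a later interface rule (such as the default LAN pass) would match last and
    win, so the host would not actually be blocked."""
    return any(r["type"] == "block" and r["floating"] and r["quick"]
               and r["dst_address"] == host for r in rules)
```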
6 ADVANCED CONFIGURATION
Visit docs.netgate.com/pfsense/en/latest to learn what else pfSense can do, including notification settings, advanced optimization options, IPv6 settings, and how to handle things such as VPNs and VLANs.