The pfSense Firewall

The pfSense firewall for home use is probably overkill but anything that is worth doing is potentially worth overdoing. There are a few implementation strategies that can be taken when introducing a pfSense router to your home network. You could run pfSense on a standalone box at the edge of your home network, between your ISP’s modem (set in bridged mode of course) though it is possible to do away with the ISP’s modem entirely. In my case the strategy was going to be a little bit different due to a different set of goals.

I decided to install pfSense on my Dell R720 running virtually on Hyper-V partly because I’m trying to get better utilization from the server and partly because I didn’t want to buy a separate machine to run pfSense on due to additional cost. I will note however that the ideal setup for pfSense is definitely to have it running on a separate machine. The firewall itself is an attack surface and running that attack surface on a server running other services can introduce various forms of security risk. There is also an operation risk where if you need to reboot the server you’ll lose internet in the process, granted my home network won’t suffer greatly from a short outage every once in a while it’s good to know what the potential risks are.

Install pfSense is a pretty straight forward process where the most complicated part for me was actually figuring out which NIC on my R720 correlated to each virtual NIC. I initially wrongly assumed that the first NIC would be considered the first NIC in Hyper-V however that wasn’t the case. This information was especially important due to the fact that a firewall needs 2 NICs instead of 1. A typical firewall requires a WAN facing NIC and a LAN facing NIC and will treat traffic appropriately. You don’t want to mix up the links, as the default settings would block all incoming packets on the WAN by default when a connection wasn’t already being established from the LAN it isn’t hard to see how getting them reversed would cause significant connectivity and security problems.

pfSense doesn’t just provide basic firewall services however. It also has the ability to install many other packages to add additional functionality. You do have to be careful which packages you install as it can greatly increase the hardware requirements for keeping the firewall running smoothly. I personally installed only a few basic packages. The first package being squid.

Squid

Squid is a high performance proxy cache that can significantly increase browsing speed of frequently visited websites. Unfortunately it can also have a large impact on hardware as the cached information needs to be saved somewhere. Obviously the larger the cache you allocate to squid the more effective the program becomes as more data is able to be saved and thus recalled in the future from frequently visited sites. However due to internet speeds increasing and the ever growing widespread use of https the usefulness of squid has been reduced over the years and won’t have the same dramatic improvement of browsing performance that it used to provide compared to when slower connections were more widespread. I personally didn’t see much of a performance improvement (running a 150/15 cable connection) but I did see an increase in CPU, memory, and storage usage on the firewall and deemed it unneeded for my purposes. That doesn’t mean it won’t work for someone else effectively of course.

pfBlockerNG

This particular package definitely had a large impact on my browsing. pfBlockerNG has the ability to block advertisements from websites. Going to a website such as Yahoo (oh how the might have fallen) will show just how effective that package can be. Where there are normally ads you’ll generally just have a grayed out box, which I personally think is a great improvement. Websites will probably load a little bit faster and there will be bandwidth savings from not loading all the ads which are normally present. There are plenty of configuration options you can take advantage of, particularly the ability to add to your lists of banned IP’s or find other website sources which maintain the lists for you which you can pull from. In hindsight entire guides could be written for many of the individual packages within pfSense.

Snort

Snort is an intrusion prevention and detection package which I highly recommend adding. You will have to signup to snort.org in order to get an Oinkcode to get started, which is luckily a free process. 

Conclusion

Overall I’d say that in the vast majority of cases using a standard firewall that comes built in a typical ISP’s router is probably good enough for the general user, but that would really suck the fun out of things. I recommend installing a copy of pfSense if you have the means to do it, be it dedicated hardware or virtualized on a server if only for the learning experience and increased visibility that it can provide for your network. The ability to block ads is just the icing on the cake. If you want to learn more about pfSense you’re in luck as there are entire books written about just this single piece of software. However I found the blow youtube series to be especially insightful for the thorough amounts of knowledge made available.


Thanks for reading.

Leave a Reply

Your email address will not be published.