Building a pfSense Firewall

Today I would like to share some of my experiences with firewalls, an area of computing that is often overlooked. Far too many people rely on the Windows firewall and whatever filtering their router happens to do. You are left in the dark about what is actually being filtered, so can you even trust it? I hope that after today I can help you take more control over your own network and its security.

Why Use a Custom Firewall

The limited options offered by Windows and a router's basic firewall don't work for me, as I need more control. I need a solution that lets me turn the knobs and push the buttons; any solution I don't have the final say over just doesn't work for me. Hopefully today you will see why I feel that way. For those of you who feel the same, or who would simply like better security than the basic router/Windows firewall provides, this might just be the solution you are looking for.

Firewall Requirements: Hardware and Software

What I plan to show is the basic hardware required to run your own personal firewall, along with how simple it actually is to set up. The OS of choice is FreeBSD. Now, before I scare anyone off: don't panic. If you have never stepped outside of the Windows world before, or live in your walled fruit garden, that is okay. We are going to be using a project that has dedicated itself to this cause and, unlike some in the *NIX world, makes a product that is easy to use and just works.

This project is called pfSense. The developers have done an excellent job: gone are the days of fighting with the shell and hand-editing pf (or iptables) rule sets. With the recent release of version 2.0-RC1 they have even cut the install down to answering a few simple questions, so you can be up and running in minutes.

See the pfSense site for the full list of features and for what's new in pfSense 2.0 RC.

My main focus, and what I will be setting up or touching on, is:

  • Firewall
  • DHCP server
  • DNS forwarder
  • Network monitoring / management
  • Port forwarding
  • Proxy server
  • Spam blocking
  • Whitelist and blacklist filtering
  • Web content filtering
  • ...and it can probably do a lot more for you too

To carry on, I will break this down into:

  • Hardware I used for this build / ideas for what you should be using.
  • Installation of the OS and preparing for remote management
  • Basic configuration
  • Expanding the firewall’s capabilities through packages

Hardware

The actual hardware requirements are not all that high, and many of you will be able to set up your own pfSense firewall with hardware that has been collecting dust for years. In fact, I recommend that if you are on the fence about a project like this: it lets you get your feet wet without spending a nickel. Do check that FreeBSD 8.1 supports your hardware if you have something rare, though. In my case I did need a hardware upgrade, since my ISP just increased my speeds. I had been using an 8 year old VIA C3 (Nehemiah core) at 1 GHz. Do not let the clock speed fool you: the VIA C3 has a very low IPC, and this was, performance wise, somewhere between a 500 MHz Celeron and a 500 MHz Pentium III.

That little low power VIA C3 worked great for years, but I have to move on, as 15 Mbps/1 Mbps internet is now a thing of the past. With my new 25 Mbps/2.5 Mbps connection the VIA setup just couldn't handle the load when I used the connection's full potential under certain conditions. The biggest example was P2P while moving more than 20 Mbps: the internet would grind to a halt for everyone else and I could not even connect to the box. This worries me, as my ISP will be moving the 25/2.5 package to 50/5 this fall, not to mention that 250/15 is becoming available and is looking like an attractive upgrade. So with that said, I went out and bought some new hardware.

Motherboard

What I ended up picking up was a Super Micro X7SPA-H-D525. In plain English, it's an Intel Atom D525 (1.8 GHz dual core) board with two integrated Intel Network Interface Cards (NICs). Another great feature is that it is passively cooled; silent computing is good computing. Feel free to check out the specs on your own, but for this project the dual NICs, and the fact that they are Intel, make this board a killer product. If I had to buy a NIC, an Intel server NIC is the way to go.

You should note that I did consider an AMD E-350, and I also waited to see what the new VIA Nano X2 would look like before I pulled the trigger on this Atom board. AMD, if you are listening: you need more dual-NIC boards on the market or you are not an option at all. VIA, what happened to you and low power? Oh, how times have changed.

The first thing I noticed when I received this board was the box it came in. Can you see below how it's for a completely different product? SuperMicro's target audience is servers and high end workstations, so I guess they are not concerned about how they look on the store shelf, unlike the Taiwanese consumer motherboard makers.

Opening up the box, there isn't all that much to see: I/O back plate, two SATA cables, manual, driver CD (Windows and Linux), checklist of parts, and finally an unsecured motherboard. I didn't get upset that the motherboard was in the wrong box, but I don't like that the board was left to flop around. Thankfully mine was not damaged in transit.

That's not what I ordered

Wrong Box, Right Guts

Having a closer look at the board you will see that they are not kidding about aiming their products at servers rather than end users. We have a simple I/O setup with the basics and nothing more: exactly what we want for our new firewall. If, for some reason, you require more USB connections, the board has headers located next to the PCI-E x16 slot (x4 electrically). Or, if you want to install the OS straight from a USB drive, or possibly run it from one, have a look by the six SATA ports: yes, that is in fact a USB port. The final thing I wanted to point out is that this board does use jumpers. The way the system ships you don't need to touch them, but they do let you disable things such as the LAN ports on the board itself. Other than that it's a very simple board.

Super Micro X7SPA-H-D525

Super Micro X7SPA-H-D525 Back Panel

RAM

I will admit this is overkill, but at $12.99 per stick how could I not buy 4 GB of memory? My old firewall has 512 MB of RAM and memory usage hovers around 30%, so if you are salvaging parts there is no need to worry too much about RAM. If you're buying new, a 2 GB stick is, I think, the most you will need, allowing ample room for growth.

2x2GB OCZ SODIMMs I got for $12.99 per stick

Close Up of DDR3 SODIMM

To house the board I wanted something small and silent. I have the small part spot on right now with my VIA system, but the SFX PSU that case uses is painful: with a 40 mm fan in the PSU, it was either find a silent PSU or grab a new case/PSU combo. I went with a combo and picked up an Antec ISK300-65. It comes in a boring box, but the case is protected, so that is really all I can ask for. The interesting thing about this case is that it comes with a proprietary PSU.

Boring Brown Box

Opening up the Box

Everything is well packed

Brick / Screws / Stand

Power Brick + extras with less plastic

Close up of Power Brick

The Case

Normally proprietary turns me right off, but with the Pico PSU available even smaller and at a higher wattage, I am not worried about this: as a spare part, should I ever need it, it's not an issue to get hold of. Another thing I really like, and wish more mini ITX cases had, is the provision for an expansion slot; Antec does not let down here. Also, on the back you can see a switch to set the exhaust fan to High, Medium or Low. I am currently running it in my closet on medium and the noise is barely audible; if you require dead silence, low will provide that. At the top left there is a socket for the power brick. The interior of the case is the usual Antec quality: no sharp angles, nothing to cut you.

Antec ISK300 Case, a nice flat black

Antec ISK300 Front View

Antec ISK300 Side View of Exhaust Fan

Antec ISK300 Back of Case w/ Fan speed (H/M/L)

Antec ISK300, no sharp edges

Antec ISK300 side profile, room for a second fan

Antec ISK300 side profile

Antec ISK300 2.5" HDD / Slim Optical cage

Antec ISK300 Proprietary 65W PSU

Antec ISK300 Proprietary 65W PSU Close Up

Overall, this case is well built but not without its flaws. The provision for only 2.5" HDDs might be a deal breaker for some, along with the requirement for a slim optical drive. Luckily for me I had an old 250 GB HDD from when I upgraded my laptop. To get around the slim optical drive requirement, I simply installed the OS from a drive outside the case; I won't be using one once I am up and running, just like with the system it is replacing.

Motherboard mounted in the Case

2.5" HDD on the right

Side View

BackPlate I/O

Installation of the OS

I will say this straight from the start: yes, the screenshots of the actual install are taken from a VM and not the real installation. There is no difference in the end result. I did this as it yields much higher quality images than using my camera to photograph the LCD, and I don't have a serial cable. Had I still had my box of old cables, I could have used PuTTY and done the install over a serial connection.

Here we are going to walk through a CD installation, as it's the least complicated and the most common. We are also going to do a 32 bit installation of the OS. Yes, 64 bit operating systems are supported by my hardware, and by pfSense, and I know that I won't be able to address all of my memory (4 GB) with a 32 bit OS. At this time the pfSense project recommends the 32 bit version, so that is what I am installing here.

If you haven't done so already, go and download the OS we will be installing from the pfSense download page. Go to: New Installs -> here on the mirrors -> (pick a mirror) -> download -> pfSense-2.0-RC1-i386-20110226-1530.iso.gz. Once the file is downloaded, check it against the checksum the project publishes alongside it before going any further (this is the software that will sit between you and the Internet), then extract it; WinRAR or 7-Zip will do the job. Now burn that ISO to a bootable disc. If you are unsure how to do that, grab ImgBurn and select Write image file to disc.

Once you have your bootable disc ready, it's time to boot the computer from it, and you will be greeted with this screen:

pfSense booted from CD

Press 1, or simply wait for the timer to reach 0. The OS will continue to load and you will then see this:

pfSense Loading

You can go straight to the installer, but I prefer to boot from the CD first so we know all of the hardware works with the OS. So either press "C" or wait for this one to time out too. What we see next is a list of our network cards.

Network Cards Seen by pfSense

You are going to want to remember the name in the leftmost portion of the screen. So in our example above we see em0 and em1. The names depend on what network cards you have installed and the driver they use (em is the FreeBSD driver for Intel gigabit cards). In our example I have the VM using Intel cards, just like my actual system. Also during this time you are going to want to decide which card is going to connect to the Internet (your WAN card) and which will be connected to your internal network (your LAN card). You need to know this so you know which Ethernet cable to plug into your cable or DSL modem and which to plug into your network switch. For this example I will use em0 for my WAN card and em1 for my LAN card. Select "n" for setting up VLANs, as we won't be touching on them in this guide.

No VLANs for this setup

Now we are being asked to enter the WAN card, or select "a" for auto detection. If you have already plugged your Ethernet cables in you can try auto, but I recommend specifying the card manually. So, as we decided earlier, we will enter em0 as our WAN card.

Picking out WAN and LAN card

Simply enter the LAN card name, em1. Then press Enter at the prompt for the Optional 1 interface name, as we won't be using one.

Confirm your NIC selection

You will then see a confirmation screen. Just ensure you have selected the correct card for LAN and WAN and press "y" to proceed.

Nice Text Menu, no need for bash skills

Now we are ready to install this setup to our HDD. Yes, it will remember what we just configured, so we won't have to do that again. Once installed we will no longer require the optical drive; my actual system runs without one. Let's get that started by entering 99.

pfSense installer

The FreeBSD and pfSense developers have done a great job at making this a painless installation, so we are more or less going to pick the default options all the way through. Click Accept and proceed to the next page.

Installing BSD is easy

Quick/Easy Install is perfect for your first installation, so let's use that.

BSD installing is easy

Yes, installation is this easy, just select OK.

SMP or not?

Pick option 1 or 2 depending on your system. In my case I have a dual core system, so I pick the first option, as highlighted. If you have a single core CPU, option 2 is what you want. Then simply select Reboot when prompted. Once your system is back up it should look something like this:

pfSense installed to the HDD

I recommend turning on sshd, which is option 14. During the setup it's always nice to have shell access via SSH, and it's nice not having to walk to the closet when you need the shell for something. If you need an SSH client on Windows, grab PuTTY. Note that the default firewall rules let nothing in from the WAN, so SSH is reachable only from your LAN; still, change the default password as soon as the web wizard asks you to. At this point your box is ready to protect you from the outside world, but that doesn't mean the fun is over. Even though almost everything can be done from the browser GUI, the console menu is not useless to you, and there are a few times when you will need it. From here you can always reassign your LAN and WAN cards (option 1). If you mess your configuration right up, option 4 resets to factory defaults and you're back to a clean installation. If you forget your password, you will need to physically walk to the box (option 3 resets the web password): by default the console menu is open to anyone with physical access. Yes, it can be locked down too, from the admin access settings in the web GUI. I do leave mine unlocked, and if you want in without a password you need to break into my house and bring your own monitor and keyboard, as nothing is attached to the box other than Ethernet once it's up and running. I trust that is good enough for home use. Anyhow, to get back on track, you can now SSH into your box. The default login/password is "admin"/"pfsense" without the quotes. Now it's time to set up your firewall.

Who doesn't love PuTTY?

Basic Configuration

I have now moved my firewall into my computer closet and wired it up to the cable modem and switch. I have left the cable modem powered off for now: when I turn it back on it will hand out a fresh lease to the firewall's MAC address. After all is said and done, you simply open your browser of choice, go to https://192.168.1.1 (your browser will warn about the firewall's self-signed certificate, which is expected at this point), log in with the default admin/pfsense (same as SSH), and you should see a screen that looks like this:

Web GUI Wizard

Since this is the first time you are installing the firewall, we are going to use the setup wizard to get us started. The pfSense developers were kind enough to make that the first thing you see, but in case it doesn't come up, or you need to revisit the wizard in the future, you can find it from the menu bar at the top (which shows up after the wizard is done): System -> Setup Wizard. When ready, select Next to continue. You will now see this screen:

General Information

Under Hostname enter the network name you would like your firewall to have. Under Domain enter your domain if you have one; if not, enter your Windows workgroup name or simply leave it at the default. The DNS server fields let you use servers other than your ISP's defaults. For example, Google provides public resolvers at 8.8.8.8 and 8.8.4.4, and OpenDNS and a few others do the same. If you are unsure what to do, the default setting will work fine. Click Next to continue and you will now see this screen:

Network Time Setup

Here we can change the time server the firewall syncs its clock with. The default works great and you really only need to set the time zone to your local area. Getting this right matters more than it looks, since every log entry the firewall writes is stamped with this clock. Once you have done that, it's time to move on.

WAN Setup (top half)

WAN Setup (bottom half)

This next page sets up your WAN connection. If you simply set up via DHCP you don't have much to do here. Otherwise, you should have some information provided by your ISP and will have to set this up as per their requirements. For example, I will change my MAC address: some ISPs expect to see a specific MAC, though in my case I am just leasing a different IP than I normally would for this walk-through. You can change your MAC if required under General Configuration -> MAC Address. Be sure to use only lower case values; it should look something like this: 00:25:90:38:2e:1d. Once this page matches the settings your ISP has provided (if any), scroll down to the bottom and click Next.

LAN Setup

Setting up your LAN connection is much simpler. Unless you have special requirements, the default settings should work perfectly. If you do change your LAN IP, don't forget to reboot the rest of your network equipment, as it may not be reachable until its existing leases expire and the devices go to renew an IP.

Change the default password of "pfsense" to your own

Next we enter a proper password, changing it from the default of pfsense. Then we move right along.

Almost done

Click Reload and you will see this screen while the system applies the changes you have made.

Waiting for changes to come into effect

Once the system comes back up you should see the dashboard looking something like this:

Your Dashboard

As you can see from the system name, I have used the default name for the server and changed my network name to "burn". I have also configured the DNS servers to use Google's instead of the ones my ISP supplied. You can also see that my WAN is down, as I have yet to turn on my cable modem; I kept my LAN IP settings the same for simplicity.

If you have reached this point, you are fine to start using the system now, once you plug in your modem if you have not done so already. However, I like to make a few more changes:

Cool Stuff to add to your Dashboard

You can have a few more bits of information displayed on the dashboard by clicking the little plus sign at the top left. Once I have mine set up the way I like it, it looks like this:

Dashboard showing more useful information

So now that the dashboard is set up how I like it, I am going to have a look at the DHCP server, see what settings it has by default and tweak it to my liking. To do that we go to the menu: Services -> DHCP Server:

Tweak your DHCP server

I am going to change my range from the default of 192.168.1.10 - 192.168.1.245 to 192.168.1.100 - 192.168.1.245. This still lets my DHCP server lease out 146 IPs, which is more than enough for my home network. The reason I am doing this is that you cannot create static mappings inside the range your DHCP server leases from. I like the lower numbers for DHCP reservations, but it's all personal preference. With that done, what I like to do is set up DHCP static mappings for some of the computers and equipment on my network. You might want to do this for any number of reasons; a few of mine are: I like network equipment on a static IP (e.g. printers and switches) and find it quicker to do it all from one interface, so static mappings are great for that; and servers need a fixed address if you are going to forward any ports to them, where a server could be as simple as you hosting a game. Bear in mind that a static mapping is keyed on the client's MAC address, which any machine can spoof, so it fixes an address but does not prove who is using it. To set a static DHCP mapping you can use the same screen if you scroll down. If you don't have a list of MAC addresses handy, it's much easier to do it from here: Status -> DHCP Leases. You should now see something like this:

View IP leases

Simply click the "+" on the right of the computer you want to assign a static mapping to and this window opens:

Add a Static Mapping

Enter the IP address you want the computer's DHCP reservation to be and fill in any other blanks you require, clicking Save when done. This will move you to the DHCP server page. Go back to the DHCP Leases page to add any more that you want or need. To view your static mappings and make changes, go to Services -> DHCP Server as before, scroll down to the bottom, and you should now see all the DHCP static mappings. They should look something like this:

View your Static Mappings
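The Status -> DHCP Leases page is the GUI's view of the ISC dhcpd leases file. If you have more than a handful of devices, or want to spot a MAC on your LAN that you never gave a mapping to, the same information is easy to pull from the file itself. The script below is an added example, not part of the original post or of pfSense: it parses a constructed dhcpd.leases sample, keeps only each IP's most recent record if that record is active, and then lists the devices whose MAC is not in your known list. The path /var/dhcpd/var/db/dhcpd.leases is an assumption (dhcpd runs chrooted under /var/dhcpd on pfSense); the MAC addresses and hostnames in the sample are made up.

```shell
#!/bin/sh
# Added example: list active DHCP leases from an ISC dhcpd leases file and
# flag MACs that have no static mapping. Not from the original post.
# On the firewall the file is assumed to be /var/dhcpd/var/db/dhcpd.leases:
#   active_leases < /var/dhcpd/var/db/dhcpd.leases

# active_leases: read dhcpd.leases on stdin, print "IP MAC HOSTNAME" for each
# IP whose most recent record is "binding state active". dhcpd appends
# records, so a later block for the same IP supersedes the earlier ones.
active_leases() {
    awk '
        /^lease /                  { ip = $2; mac = ""; host = "-"; state = "" }
        /^[ \t]*binding state /    { state = $3; sub(/;$/, "", state) }
        /^[ \t]*hardware ethernet/ { mac = $3;   sub(/;$/, "", mac) }
        /^[ \t]*client-hostname/   { host = $2;  gsub(/[";]/, "", host) }
        /^}/                       { if (state == "active") rec[ip] = mac " " host; else delete rec[ip] }
        END                        { for (ip in rec) print ip, rec[ip] }
    ' | sort
}

# unknown_leases KNOWN_MACS: filter active_leases output (stdin) down to the
# devices whose MAC is not in the space separated KNOWN_MACS list. A static
# mapping ties an address to a MAC; this shows the MACs you never mapped.
unknown_leases() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[tolower(k[i])] = 1 }
        !(tolower($2) in ok)
    '
}

# Constructed sample leases file (not real data): .105 renewed twice,
# .106 released, .110 an active device with no mapping.
SAMPLE_LEASES='lease 192.168.1.105 {
  starts 3 2011/03/02 17:05:12;
  ends 3 2011/03/02 19:05:12;
  binding state active;
  hardware ethernet 00:25:90:38:2e:1d;
  client-hostname "laptop";
}
lease 192.168.1.106 {
  starts 3 2011/03/02 16:00:00;
  ends 3 2011/03/02 18:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.105 {
  starts 3 2011/03/02 19:00:00;
  ends 3 2011/03/02 21:00:00;
  binding state active;
  hardware ethernet 00:25:90:38:2e:1d;
  client-hostname "laptop";
}
lease 192.168.1.110 {
  starts 3 2011/03/02 19:30:00;
  ends 3 2011/03/02 21:30:00;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
  client-hostname "android";
}'

KNOWN_MACS='00:25:90:38:2e:1d'   # MACs you have already given static mappings

printf '%s\n' "$SAMPLE_LEASES" | active_leases
echo '--- active devices with no static mapping:'
printf '%s\n' "$SAMPLE_LEASES" | active_leases | unknown_leases "$KNOWN_MACS"
```

Run it against the real file and anything it prints under the second heading is a device on your LAN that you have not accounted for; decide whether it gets a mapping or gets investigated.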

To connect to the internet, I get an IP from the cable modem I have now plugged in. To do so, click on Status -> Interfaces, then click Renew for your WAN. You should now lease an IP.

ifconfig made easy

If you have any issues doing this, a simple reboot may help. You can SSH in with PuTTY if you turned that option on during setup and pick Reboot system from the console menu (option 5), or you can use the web interface: Diagnostics -> Reboot -> Yes. Upon logging back in you may notice your dashboard claims an update is ready. Click on the update and let's see what is actually happening:

pfSense says updates are available

Stable Updates Only

We will go to the Updater Settings tab, change the default value from nothing to "pfSense Stable Release Updates" and save that setting. By default it shows nightly builds, but unless you are specifically looking for them you are better off staying with the stable release.

Current Stable Version of pfSense

Now that the system is back online and only reporting stable updates, I will forward a few ports. Reasons you might want to do this include running a web server or FTP server, or some game that just doesn't want to behave without opening some ports for it. Whatever reason you have, it's very simple to do. Once again from the menu: Firewall -> NAT. This will show you any rules you may have. Click the plus at the far right, as we are going to create a new one. Before you do, remember that every forward you add exposes a service on that inner machine directly to the Internet: forward only what you need, and restrict the source address where the peers are known.

pfSense Port Forward

Let's say we want to run a web server on one of our computers. You would set it up like so:

Forwarding Standard ports in pfSense

Now let's say some game needs ports open so you can host a match. You will notice that I also changed the protocol to TCP/UDP, as this program requires both over the same port. If you require UDP but only have TCP being forwarded, you will have issues, as the firewall will not pass that traffic. So do ensure you know what kind of traffic will be coming through a port as you forward it.

Forwarding Custom Ports in pfSense
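To make concrete what the two forwards above do underneath the GUI, here is an added example, not from the original post and not the ruleset pfSense itself writes (pfSense generates its rules from the GUI, and you should never hand-edit them), of equivalent pf rules in the FreeBSD 8.1 syntax pfSense 2.0 runs on. em0 is the WAN interface chosen during the install; the addresses 192.168.1.50 and 192.168.1.60, the game port 27015 and the 198.51.100.0/24 source range are made up for the illustration.

```pf
# Added example: hand-written pf rules equivalent to the two GUI port forwards.
# For understanding only; pfSense builds its own ruleset from the GUI.
ext_if    = "em0"            # WAN interface picked during the install
webserver = "192.168.1.50"   # assumed LAN address of the web server
gamehost  = "192.168.1.60"   # assumed LAN address of the game host
game_port = "27015"          # assumed game port, needed on TCP and UDP

# "Forwarding standard ports": redirect HTTP arriving on the WAN address to
# the web server, then let the redirected packets through. Filter rules see
# the translated (LAN) destination, so the pass rule names the server, not
# the WAN address. The GUI adds the pass rule for you ("filter rule
# association"); it is still a separate rule, and still "from any".
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80
pass in quick on $ext_if proto tcp from any to $webserver port 80 keep state

# "Forwarding custom ports": the game needs the same port on TCP and UDP,
# which is why the GUI's protocol field was changed to TCP/UDP. A TCP-only
# rule would silently drop the UDP half and the match would never work.
# Here the source is limited to the players' network with a table; drop the
# table and use "any" only if anyone on the Internet should be able to join.
table <players> { 198.51.100.0/24 }
rdr on $ext_if proto { tcp udp } from <players> to ($ext_if) port $game_port -> $gamehost port $game_port
pass in quick on $ext_if proto { tcp udp } from <players> to $gamehost port $game_port keep state
```

The GUI's Source field maps onto the `from` part of both the rdr and the pass rule; leaving it at "any" is the equivalent of the web server rule above, which is fine for a public web site and rarely right for anything else.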

Now that you have that all set up, you might find that reaching that web server from inside your own LAN is a bit of a challenge. When you type the domain name it resolves to your public WAN address, and the firewall does not by default loop that traffic back to the LAN host (pfSense does have a NAT reflection option, but the cleaner fix is to have your internal clients resolve the name straight to the server's private address). We can do that with the DNS forwarder: go to Services -> DNS Forwarder.

pfSense DNS Forwarder

We are going to add an entry under Hosts (the host overrides), pointing the name at the server's LAN IP.

DNS Forwarding in pfSense

That's it: we can now type www.mysitename.com in our browser and have it work. pfSense also supports Dynamic DNS, so if your IP address has the potential to change but you need an up to date record, you might want to set this up: Services -> Dynamic DNS Clients -> click the plus.

pfSense Supports many Dynamic DNS Services

You can see that pfSense supports a wide range of providers. Everyone has a slightly different setup, but once you sign up for a service you now know where to input the values it provides. This is a lot more elegant than running some no-ip.com app on your desktop.

The last thing I want to show off is the RRD graphs: Status -> RRD Graphs.

RRD Traffic Graph

This shows potentially useful information about your system. You can get memory and CPU load from here, along with many other statistics that you may find interesting or that could help you troubleshoot a network problem. Also, let's be clear, I have only touched the tip of the iceberg with the stock features, but for now that should get you started. Even if something you need is missing from the stock build, you can probably still get it with pfSense. That is the beauty of the Package Manager.

Package Manager

Another great feature of pfSense is its support for add-on packages. In a nutshell, these are easy to install modules that add features to the firewall that are not in the stock build. So if this firewall is missing something you require right off the bat, check whether a package has been created that suits your needs. If not, and you still need it, the pfSense forum has a section called Post a Bounty, where you place a bounty for the feature you want with a cash reward and developers or contributors write a package to claim it. Keep in mind that every package is more code running on your perimeter device, so install only what you will actually use. You can view and install packages from: System -> Package Manager -> Available Packages

pfSense has packages in case you need even more!

I strongly recommend that you read through these packages and see what works and is required for you. I will walk through the installation of Squid and squidGuard, as they are very popular. To install a package simply click the + sign on the right of the package; you will see a confirmation screen and then get to watch it install.

pfSense Package Installing

Once you have both installed you can access Squid from Services -> Proxy Server and squidGuard from Services -> Proxy Filter. The way I like to set up my proxy for use at home is:

  • Proxy Interface: LAN
  • Allow Users on Interface: checked
  • Transparent Proxy: checked (so you don't have to configure any systems to use the proxy by hand)
  • Log Store Directory: /tmp
  • Proxy Port: 3128
  • Custom Options: refresh_pattern ([^.]+\.|)(download|(windows|)update|)\.(microsoft\.|)com/.*\.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims;range_offset_limit -1;

Then click Save; all other defaults work fine. We added that string to the Custom Options so that Squid can cache Windows Update downloads: the refresh_pattern tells Squid how long to treat matching installer files (.cab, .exe, .msi, .msp) as fresh when the server gives no expiry, between 4320 and 43200 minutes, and to turn a client's forced reload into a conditional request (reload-into-ims); range_offset_limit -1 makes Squid fetch the whole file even when Windows Update only asks for a byte range, so a complete copy lands in the cache for the next machine. Note that the backslashes in the pattern matter (a literal dot must be written \.), and that /tmp is scratch space which may be cleared or live in RAM depending on how the system is configured, so if you want to keep the proxy logs, point the log directory at a persistent location under /var instead.

Squid Setup

Squid Setup & Caching Windows Update
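Because the Custom Options line above is easy to copy wrong (the backslashes are the first thing a web page loses), here is an added example, not from the post or from the Squid or pfSense projects, that runs the same regex over a few made up URLs with grep -E. Squid applies a refresh_pattern as an unanchored regex search across the whole URL, and so does grep, so this shows which requests the rule really catches. It also shows the surprise hiding in the widely copied pattern: nothing anchors it to Microsoft's hosts, so any .com URL ending in .cab, .exe, .msi or .msp is pulled into the Windows Update caching rule. A tightened version anchored on the host part is included for comparison; the sample URLs are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example: exercise the Windows Update refresh_pattern regex offline.
# Not part of the original post or of the Squid/pfSense projects.

# The pattern from the Custom Options line, with the literal dots escaped
# and the "(...|)" optional groups written as "(...)?" (same meaning in
# extended regex, more portable across grep implementations).
WU_LOOSE='([^.]+\.)?(download|(windows)?update)?\.(microsoft\.)?com/.*\.(cab|exe|msi|msp)'

# Tightened form: anchored to the URL's host part, with the download/update
# host label mandatory, so only Microsoft's update hosts match.
WU_STRICT='^http://([^/]*\.)?(download|(windows)?update)\.(microsoft\.)?com/.*\.(cab|exe|msi|msp)'

# matches PATTERN URL -> exit status 0 if the regex is found anywhere in
# the URL (Squid searches too; it does not anchor unless you write ^).
matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

wu_loose()  { matches "$WU_LOOSE"  "$1"; }
wu_strict() { matches "$WU_STRICT" "$1"; }

# Constructed sample URLs, not captured traffic.
SAMPLE_URLS='http://download.microsoft.com/download/1/2/3/kb2479943.cab
http://au.download.windowsupdate.com/msdownload/update/software/secu/2011/02/windows6.1-kb2479943-x64.cab
http://www.update.microsoft.com/v9/windowsupdate/redir/muv4wuredir.cab
http://www.microsoft.com/en-us/default.aspx
http://download.microsoft.com/download/readme.txt
http://example.com/setup.exe'

for url in $SAMPLE_URLS; do
    if wu_loose "$url";  then l=cache; else l=default; fi
    if wu_strict "$url"; then s=cache; else s=default; fi
    printf 'loose=%-7s strict=%-7s %s\n' "$l" "$s" "$url"
done
```

If you adopt the stricter pattern, paste WU_STRICT in place of the regex in the Custom Options line and keep the same timing fields after it. Note also that range_offset_limit -1 in this Squid version is global: every range request, from any site, makes Squid download the full object, which is the price of getting complete Windows Update files into the cache.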

Next we move over to the Cache Management tab. The right settings here depend on your hardware, as you can overtax your system. I am going to use these values based on my setup:

  • Hard Disk Cache Size : 5000
  • Memory Cache Size : 1024
  • Minimum Object Size : 0
  • Maximum Object Size : 512000

Click save once again when you’re done.

Squid Cache Setup

Now your proxy server should be all set up and ready to rock. Next we are going to set up squidGuard: Services -> Proxy Filter.

squidGuard

  • Enabled: checked
  • Blacklist: checked
  • Blacklist URL: the address of the blacklist you want to use (several publicly maintained lists exist; pick one you trust, since you are letting it decide what your users can reach)

squidGuard Setup

  • Go to the Blacklist tab
  • Click Download
  • Then go grab a much needed cup of coffee, as this takes a few minutes

squidGuard downloading a Blacklist

Now that you've got your coffee, that download should be finished, so we go to the "Common ACL" tab.

squidGuard Rules Setup

How you set this up really depends on your situation. If you don't want anyone to bypass the filter by typing an IP address instead of a name, check "Not to allow IP addresses in URL". Redirect mode controls how a blocked page is handled. Check "Use Safe Search" if you don't want porn, drugs and the like coming up in your search engine results; if you enable it, also make sure you blacklist the search engines that do not support safe search and allow only the ones that do. When you have that basic information set up for your network's needs, click the green plus next to "Target Rules", then simply pick what content you want to allow into your network. Even if you don't need to block content to protect kids, for example, you can still use squidGuard to block ad and spyware domains. Also, make sure you go to the very bottom and change the default access from deny to allow if you don't want browsing to be whitelist only. Remember that the filter only sees what passes through the proxy; with a transparent proxy that is plain HTTP on port 80, so HTTPS sites are not filtered at all. Now you can enjoy your proxy.

squidGuard Blacklist Categories

What I like to do at the very end is give the system one last reboot, and that will most likely be the last time you touch it until you upgrade the OS version or the hardware. Also, make sure your keyboard is disconnected at this point, because having to reboot, or power back on after a power failure, and wondering why it doesn't come back online can be painful, even more so when you realize it's a keyboard error. Many BIOSes will halt on a missing keyboard, so make sure that check is disabled in yours; now is a good time to double check. I had well over a year of uptime on my last system before this one, and my current plan is not to turn this box off until I upgrade the OS. Don't let a long uptime become the goal in itself, though: a firewall should still get the stable updates it reports, which is why we pointed it at them earlier.

So, if I still have anyone following along after all this, thanks for reading. I hope I have shown you how I set up a simple yet powerful home firewall that is strong enough for corporate use. If you are already a pfSense user, hopefully this little guide is still of some use as a beginner's quick reference.

- JaY_III

Discussion
  1. Goulmassian



    I hopefully answered all questions for you in your e-mail you sent me.

    If you need any other help, just reply back or PM me.

    FYI starting a new thread just for your build might also be a good idea as you can use it as a reference in the future.
    I am sorry for asking such simplistic questions, but have never setup a firewall other than what Windows provides. My project is to setup a firewall and content filtering for a small (less than 100 kids) private school. My background is not networking and school has no budget to hire a professional network consultant so I am having to learn everything I can ASAP.

    The school has a 50MB static Internet connection that is connected to a cable modem provided to them by their Internet provider - Charter. CAT5 cable then goes from the cable modem to a Linksys wireless router that has the wireless turned off but is used to provide IP addresses from what I can tell. Then a CAT5 cable goes from the Linksys wireless router to a fully functional Netgear wireless router to supply internet to the wireless laptops and smartphones. One more CAT5 cable from the Linksys wireless router goes to a 24 port switch to supply Internet access to all of the desktop computers.

    That is the hardware setup that they are using and works fine other than the fact that a couple kids have found their way around the plug in browser filter and are going where they shouldn't.

    I have a Lenovo 3ghz dual core desktop computer with 2gb RAM and 80gb drive that I would like to install pfSense onto and use it along with Squidguard - just like you have done in this great article!

    My assumption is that the sequence of hardware should be as such:

    Cable modem -> WAN side of pfSense/Squidguard Lenovo desktop -> LAN side of Lenovo desktop -> 24port switch -> Netgear wireless router. I have removed the Linksys wireless router since I think pfSense should take its place and use DHCP to assign dynamic IP addresses for the network?

    Having said that, I will have to check the pfSense documentation and see if i can figure out exactly how to do that!

    Please let me know if I am on the right track and if not - PLEASE let me know what I should change?!

    Also, I noticed that there are several places that pfSense asks to choose between static and DHCP. Since I have a static line coming in and want pfSense to assign IP addresses, what would the appropriate settings be that I would need to change?

    I thank you in advance for any and all help that comes my way!!!
    Just as a heads up for everyone:

    This guide, even being 3 years old, works perfectly.

    Just installed on a semi-old HP Compaq:

    Pentium 4 HT

    4 GB RAM

    30 GB IDE HDD

    1 gigabit Ethernet port (onboard)

    1 Fast Ethernet random HP NIC

    Runs great!

    Also, why is this not pinned? This is a great guide!
    Finally I can react on this micro crap board. I bought it because I thought I could make a stable "semi-hardware firewall". I have some concerns and I will contact my reseller about it, because I had some major problems with it which will not be fixed soon, since there are two problems. One is a USB problem in the motherboard itself, which I cannot fully debug because I don't have the right equipment to check it (it needs a special motherboard debugger). The other problem probably lies in the pfSense kernel itself: it simply doesn't support the USB drivers, and the problem probably lies much deeper. After 72 hours of full testing I give up. Before some whiners start shouting, here are the problems; I will give the outcome now. (This error event even happened without the USB Wi-Fi adapter installed on run0/wlan_run0.)

    uhub_reattach_port: port 1 reset failed. error=usb_err_timeout (under this line it says the same as above, but with usb_err_timeout disabling port 1). OK, so this is the error log. Before someone says "try this or that", believe me, I've tried everything, from BIOS settings to new installs, 32 and 64 bits, almost everything except things like a hardware debugging console and testing, because I simply don't have the equipment for it. Furthermore, I could do two or three things, but I decided, if possible, to try to get my money back, ask for a new motherboard because of a possible internal failure, or wait for a distro of pfSense to come out with all things fixed. But I am afraid I would have to wait a very long time, and I don't think this can be fixed, because there are so many boards and they won't test all of them. When I began this project I had good confidence that it would work, but now I am really sad and unsatisfied with the outcome, unless someone could talk me out of this sadness called pfSense (I don't mean all of pf, just the new kernel, which is sad at this moment) and the X7SPA-D525-H Supermicro USA crap boards. Shortly said: don't invest in this hardware. And sorry for all my blah. http://www.overclockers.com/building-pfsense-firewall If you give me one moment I will make a photo of the error; weirdly enough I am trying to generate it again, then I will put the photo here.

    The testing was done with the latest pfSense nightly build, 64 bits, and the latest update.

    greets, vasty
    Just in case someone is thinking about one but the Supermicro board looks expensive. You want Intel NICs. No, you don't want any VIA/Broadcom/Realtek NIC. You need Intel for servers. They are the only reliable stuff you will find. Don't cheap out on NICs for a gateway. Believe me. I did. I regret.

    My WAN card (Realtek) gave me headaches, for a long time. Replaced it with an Intel. All the problems disappeared. I no longer drop connection with my PPPoE modem.
    xsuperbgx
    I updated the kernel and the Linux Mint version, but also changed some settings. I can't definitely say what caused the lockups, because back then I was experimenting with BIOS and kernel settings quite a lot.

    Currently I'm stable at 4500, experience infrequent freezes for about 10 seconds, and I would say 5% of these freezes are permanent and I have to hard reset.

    On the forums they say it's because of the GPU (I'm using the Intel HD 3000 onchip).

    Maybe I could take BIOS screens and you could glance over them?
    I got it set up already. There should be plenty of help around here for overclocking too...

    Edit: I see an older thread of yours. Are you still having the same issue or something else?
    You said "was" as if your issue is a thing of the past. How's your setup right now? Do you still need assistance setting things up? Maybe I can help with pfSense and you can help me with overclocking ;)
    I used a cable modem but this was for the home internet that needs wired and wireless.

    Therefore, it was cable modem-->pfsense firewall-->wireless n router
    Usually you don't plug a "router" in front of pfSense since pfSense does the routing. And as a sidenote, the word "router" is somewhat charming to the retail boxes from Asus, AVM, whatnot and it's more of a marketing term looking at their capabilities.

    What you really need is a modem, either a cablemodem or a DSL modem in front of pfSense. And yes, it would go into the specified WAN port of pfSense, nothing else makes "sense" ;).

    If you still want to use your old "router" as a modem (if it has an internal modem built in), search for bridging mode. That would allow pfSense to establish the connection on its own through your old "router".
    I have been working on getting one of these in place. I found out that to use a router with it, you need to assign a different IP address to the router; also, plug the incoming wire from the firewall into the LAN port, not the WAN port.

    My biggest issue now is getting the filter figured out, so that it keeps the garbage out without affecting regular browsing and surfing.
    Great stuff! It's really very well-written information and it will be helpful for those who utilize it, including myself. Thanks so much for taking the time to share this valuable information. Keep up the good, excellent job Jay! :)

    vpn p2p
    Great job, I'm just finishing up hardening down an OS to use as a honeypot for a lab class. We haven't really touched much on the network side of things, so it was a handy read!

    We focus more on the software side of things: disabling commands, ports etc.
    xsuperbgx
    I put some hardware together and installed this and seems to work good. I had to take my router out to get it to work though. I am a noob at this kind of thing and don't know how to make this work together with my router.

    If I put the router next in line I cannot access the settings and configuration. I am sure I have to disable the firewall that is built in to the router or set some kind of passthrough things. :shrug:

    Please excuse all of my technical illiteracy.


    You will have to disable DHCP on your router and set the router's IP to something that is within the range you'll specify within pfSense, but not in its DHCP range, and obviously not the same IP as the pfSense machine.

    This article has finally pushed me to upgrade my router from IPCOP, gonna give this a whirl and see how i feel about it.
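A quick sanity check for the advice in the reply above (added here as an example; it is not part of the comment and not pfSense code). The pfSense LAN address and DHCP pool are assumed values for the example; substitute your own. It flags an address for the old router that would collide with the pfSense box, the network or broadcast address, or a lease pfSense may hand out, and lists the addresses that are safe to use.

```python
import ipaddress

# Assumed pfSense LAN settings (constructed for this example).
LAN = ipaddress.ip_interface("192.168.1.1/24")
DHCP_POOL = (ipaddress.ip_address("192.168.1.100"),
             ipaddress.ip_address("192.168.1.199"))


def check_ap_address(addr, lan=LAN, pool=DHCP_POOL):
    """Problems with giving the old router (now just an AP/switch) the static address addr.

    An empty list means the address is usable: same subnet as the pfSense LAN,
    not the pfSense address itself, not the network or broadcast address, and
    outside the pool pfSense leases from, so no DHCP client can ever collide.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != lan.ip.version:
        return [f"{ip} is IPv{ip.version}; the LAN is IPv{lan.ip.version}"]
    if ip not in lan.network:
        return [f"{ip} is outside the pfSense LAN subnet {lan.network}"]
    problems = []
    if ip in (lan.network.network_address, lan.network.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if ip == lan.ip:
        problems.append(f"{ip} is the pfSense LAN address itself")
    if pool[0] <= ip <= pool[1]:
        problems.append(f"{ip} is inside the DHCP pool {pool[0]}-{pool[1]}")
    return problems


def free_static_addresses(lan=LAN, pool=DHCP_POOL):
    """Every host address on the LAN that passes check_ap_address."""
    return [h for h in lan.network.hosts() if not check_ap_address(h, lan, pool)]


if __name__ == "__main__":
    for candidate in ("192.168.1.2", "192.168.1.1", "192.168.1.150", "192.168.0.2"):
        print(candidate, check_ap_address(candidate) or "OK")
    print("usable addresses:", len(free_static_addresses()))
```

Pick any address from `free_static_addresses()` for the router, turn its DHCP server off, and cable pfSense into one of its LAN ports as the reply says; its WAN port stays empty.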
    What hokie said! This is a fantastic tutorial. I read this the other day at work and was really excited about it. I went home that night and used an old PC to set this up, and it has been great. A little tricky at first, as I've never used a firewall before (besides Windows).