How to build your own firewall with pfSense
Create your own physical or virtual appliance with this open source software
Having migrated your IT infrastructure and services to the cloud, you need a decent enterprise firewall to handle your internet connection and any site-to-site or site-to-cloud VPN requirements.
The licensing costs for devices from Cisco, Juniper, SonicWall et al. are often extremely high, however. Many admins live in fear of the yearly license renewal invoice turning up, knowing that it will take a significant chunk out of the IT budget, especially if some bright spark in senior management suddenly decides that the firm needs to roll out a costly extra feature.
pfSense is an open source firewall and router platform based on FreeBSD, with features comparable to many of the most expensive commercial firewall appliances and a large library of packages to extend it. The Community Edition is free to download and run, and every feature is available without a commercial license. pfSense is developed and supported by Netgate, which also sells appliances that ship with it and offers paid support contracts.
This tutorial will take you through the installation and basic setup of a pfSense device. We will be using the scenario of a business with no on-premises servers, using cloud services or hosting for their IT requirements.
The minimum requirements to run pfSense are a 64-bit (amd64) x86 processor (32-bit CPUs are no longer supported), 1GB or more of memory, two or more network interfaces (one for WAN, one for LAN) and at least 8GB of storage. Use a hard disk or SSD in preference to an SD card or USB flash drive: pfSense writes logs and state to disk continuously, and consumer flash media wears out quickly under that load.
How fast a processor you need, and how much memory, will depend on the number of rules, VPNs and packages you run on the device and the amount of traffic flowing through it. VPN throughput in particular depends on the firewall's CPU, and especially on whether it has AES-NI hardware crypto acceleration, which both IPsec and OpenVPN can use. Depending on the size and complexity of your local network, you may also want more than two network interfaces, for example for a separate guest, DMZ or management network.
Purpose-built pfSense devices are available from many manufacturers, including the makers of pfSense themselves. However, you can also set it up on a virtual machine running on your choice of hypervisor, or build your own using a standard desktop PC or server.
Whatever hardware you’re using, the setup process is the same. Hook up a monitor and keyboard to your device or use the virtual console if you are installing on a virtual machine. Do not connect any of the network interfaces to a network yet: we’ll get to that later in the installation and setup process.
Step 1: Install pfSense on your device
Download the installer from the pfSense website, taking care to get the image that matches your hardware and preferred installation method (ISO for optical media, memstick image for USB). Before writing it out, verify the download against the SHA-256 checksum file published alongside it; a corrupt or tampered image is the first supply-chain risk of the whole build. Then burn the CD or write the image to a USB drive as required.
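The checksum check above, as an added example that is not from the original article or from Netgate: it reads the digest out of the published .sha256 file (Netgate's files are generated on FreeBSD, so both the BSD "SHA256 (file) = hash" layout and the GNU "hash  file" layout are handled), compares it with the digest of the downloaded image, and only then lets you write the image to a USB stick. The image filename, the assumption that the checksum file sits next to the image with a .sha256 suffix, and the /dev/sdb device path are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article or from Netgate: verify the
# downloaded pfSense memstick image against the SHA-256 checksum file that is
# published next to it, and refuse to write an image that does not match.
# Filenames, the .sha256 layout and the USB device path are assumptions.

# digest_of FILE - print the hex SHA-256 of FILE using whichever tool exists
# (sha256sum on Linux, shasum on macOS, sha256 on FreeBSD/pfSense itself).
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    else
        sha256 -q "$1" | tr 'A-F' 'a-f'
    fi
}

# expected_digest CHECKSUM_FILE - pull the digest out of either checksum
# format: GNU ("<hash>  <file>") or BSD ("SHA256 (<file>) = <hash>").
expected_digest() {
    awk 'NR == 1 { if ($1 == "SHA256") print tolower($NF); else print tolower($1) }' "$1"
}

# verify_image IMAGE CHECKSUM_FILE - returns 0 when the digests match,
# 1 when they differ or the checksum file yields no digest at all.
verify_image() {
    image=$1
    expected=$(expected_digest "$2")
    actual=$(digest_of "$image")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum MISMATCH for $image (expected ${expected:-<none>}, got $actual)" >&2
        return 1
    fi
    echo "checksum OK for $image" >&2
    return 0
}

# write_image IMAGE DEVICE - decompress the .img.gz and write it to the raw
# USB device, but only after verify_image passes. DEVICE (e.g. /dev/sdb) is
# an assumption: confirm it with lsblk first, because dd overwrites whatever
# it is pointed at without asking.
write_image() {
    image=$1
    device=$2
    verify_image "$image" "$image.sha256" || return 1
    gunzip -c "$image" | dd of="$device" bs=4194304 conv=fsync
    sync
}

# Usage (as root, on the workstation you downloaded the image to;
# the filename is a placeholder, not a specific release):
#   write_image pfSense-CE-memstick-X.Y.Z-RELEASE-amd64.img.gz /dev/sdb
```

The mismatch path deliberately fails closed: an empty or unparseable checksum file counts as a failure rather than a pass, so a truncated download of the .sha256 file cannot silently wave a bad image through.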
Boot your device from the installation media you created and wait until it has completed booting, and displays the software license screen. Go through and accept the license terms and move on to the installation. Select “Install” from the menu, choose the correct keyboard layout for your region, then select continue.
From the next menu, select automatic partitioning and hit enter to continue.
pfSense will partition the disk, and move straight on to the installation. Now’s a good time to make some coffee whilst you wait for the installation to complete. When the installation has finished, say no to opening a shell to edit the system. Finally, remove the installation media and hit enter on the next screen to reboot into your new pfSense system.
Step 2: Console configuration
After the system has rebooted, you’ll be prompted to set up basic networking. Answer no when asked if VLANs should be set up now. Next, move on to the network interface setup. Hit “a” to start auto-detection of the WAN interface and follow the instructions on screen, connecting the cable when required, in order to correctly identify the interface. Repeat the process for the LAN interface. Don’t forget to physically label the interfaces on the device as well.
Once you have both the LAN and WAN interfaces identified correctly, hit “y” to continue. pfSense will carry on booting, then display the status of the network interfaces and present you with the console admin menu.
The LAN interface defaults to an IPv4 address of 192.168.1.1/24. If you need to change this to match your existing network, select option 2 (set interface IP address) from the menu, then option 2 again to edit the LAN interface. Enter the desired LAN IPv4 address and subnet mask for the device when prompted. Don’t enable IPv6 or DHCP right now; we’ll do that later from the web admin interface.
Step 3: Initial configuration wizard
Configure a computer with a static IPv4 address in the same range as the IPv4 address you assigned to the LAN interface on the firewall. You can connect this computer directly to the LAN port on the firewall (using a crossover cable if you’re working with older hardware that doesn’t support Auto-MDIX) or connect via a switch.
Using your web browser, go to https:// followed by the LAN IPv4 address we configured in the previous step. The web GUI uses HTTPS with a self-signed certificate by default, so the browser will warn about the certificate; accept it for now. Log in using the username "admin" and the default password "pfsense", which you will replace in step 6 of the wizard. You will be presented with the initial setup wizard. Click on next, then next again at the following screen to begin the setup of your new firewall.
Enter the name you want to give your firewall, and the domain associated with your internal office network. We're going to be boring and use "firewall" for the name and "local" for the domain, but you should come up with something more distinctive. In particular, avoid .local for anything beyond a lab: it is reserved for mDNS, and mDNS-aware clients (macOS, iOS and many Linux desktops) resolve it by multicast rather than asking the firewall's DNS. A subdomain of a domain you own, or home.arpa, is a safer choice.
Click on next to move on to step 3 of the wizard. The time server can be left on the default, or set to a different one if you have a preferred NTP server for devices on your network. Set your time zone, and then click next to move on to step 4.
Now you need to set up your WAN interface. We're using DHCP, so can leave everything on the defaults, but if you are connecting this device to an ADSL line via a DSL modem in bridge mode, you should select PPPoE here and enter the details provided by your ISP in the PPPoE section of this page. Leave the "Block RFC1918 Private Networks" and "Block bogon networks" boxes at the bottom of the page ticked unless your WAN genuinely sits on a private range (for example behind another NAT router): they drop inbound traffic that claims to come from private or unallocated address space. Once you've completed WAN configuration, scroll to the bottom of the page and click next to move on to step 5, where we can review the LAN IPv4 address we configured earlier and change it if necessary. Click next to keep the address the same and move on to step 6.
Set a new admin password. Make it long and unique, and store it in your password manager rather than on a sticky note: this account has full control of every rule on the firewall. Then click next to move on to step 7.
Click on reload to apply these changes to the device. If you changed the LAN IPv4 address in step 5, you will need to enter that address in your browser after this to access the device. Wait for the reload to complete, then click Finish on the last screen to exit the wizard and go to the device dashboard. Read and accept the license for the software again when prompted, then click close to clear the “Thank you” popup.
Step 4: IPv6
If your ISP offers IPv6, this is the time to set up the WAN interface IPv6 options to match what they provide. Select the Interfaces pull-down menu from the top menu bar, and select the WAN interface.
You will also need to set up IPv6 on your LAN interface. pfSense supports a range of IPv6 configurations, from static IPv6 and DHCPv6 to stateless address autoconfiguration (SLAAC), 6to4 and 6rd tunnelling and upstream interface tracking. The most common arrangement is DHCPv6 with prefix delegation on the WAN and "Track Interface" on the LAN, which hands one /64 from the delegated prefix to the LAN. Exactly which one you need will depend on the IPv6 provision from your ISP, who should provide you with adequate setup information to correctly configure your connection.
Step 5: Setting up local network services
From the menu bar across the top of the pfSense admin page, open the Services pull-down menu and select DHCP Server. On the LAN tab, tick the "Enable" box to turn on the DHCP server for your LAN interface, then enter the range of IPv4 addresses that will be allocated to devices on your LAN; we'll set up a range of 200 addresses in this instance, which must fall inside the LAN subnet and exclude the firewall's own address. Leave the DNS server fields empty: pfSense then hands out its own LAN address as the DNS server, and the built-in DNS Resolver (unbound, enabled by default) answers clients' queries directly, so the ISP's servers on the WAN are only involved if you enter them here or switch the resolver to forwarding mode. WINS can stay unset.
Scroll down to the bottom of the page and hit Save. The DHCP service starts immediately. Outbound NAT is in automatic mode by default, which generates a NAT rule translating the LAN subnet to the WAN address, and the default LAN firewall rule allows all traffic out, so devices behind your new firewall should be able to reach the internet. It is worth confirming the state of the rules before the device goes live: Firewall > NAT > Outbound should show the automatic rule for the LAN subnet, and the WAN tab of Firewall > Rules should contain no pass rules at all, only the block rules for private and bogon networks that the wizard enabled.
If you require VPN links to your cloud provider, or to other offices, you can now set them up; IPsec and OpenVPN are built in, and most cloud providers' site-to-site gateways will talk IPsec to pfSense. We will not go into detail about that here, as there are too many different types of VPN to cover and the process is largely the same with any enterprise firewall device.
Additional services such as traffic prioritization, web filtering, load balancing multiple internet connections and so on are all available, either already built in or via add-on packages. These can be installed from the package manager, found on the System menu pull-down at the left of the top menu bar.
Take some time to explore the various menus and services to familiarize yourself with your new firewall and discover its many features. Before it goes into production, do two more things: check System > Update and install any pending release, since updates carry the security fixes for the FreeBSD base and the web GUI, and take a backup of the configuration from Diagnostics > Backup & Restore, which exports the whole setup as a single XML file you can restore onto replacement hardware.