DIY pfSense firewall system

Nod

Source: TechRepublic
With the prevalence of “black box” appliance firewalls available for $50 or less, one might wonder why you would look for a do-it-yourself solution. Linksys and D-Link, among other vendors, create simple, easy-to-configure firewall solutions for cheap. And let’s face it, a firewall isn’t something you can choose to use anymore; a firewall is your first line of defense, and a critical one at that.

So where is the appeal of creating your own firewall system? Take a look at some of the many extra features available in a do-it-yourself firewall. While such a firewall system would be self-contained, require a fair amount of storage, run on over-powered hardware, and consume more electricity than a simple appliance, the benefits still far outweigh the drawbacks.

For one, there is a higher degree of reliability. Running on a full computer system makes it infinitely upgradeable. It can be extended to do more than just shuffle packets back and forth. You can turn a simple firewall into a full intrusion detection system. You can analyze and track bandwidth usage. It can be a VPN end point, a Web proxy, DHCP and DNS server, load balancer, handle automatic failover, and provide great diagnostic tools.

pfSense, a firewall system based on the FreeBSD kernel, can handle all of this and more. All wrapped up in a slick Web interface, it can also be controlled via the command line directly, via SSH or even over a serial port. Have some old hardware kicking around? pfSense can run on anything over a 100MHz Pentium system with 128MB of RAM. It can run without a hard drive: via an install-less Live CD with a USB or floppy drive to hold its configuration, or even run entirely on a 128MB compact flash card. This makes pfSense extremely versatile.
Lots more info at the link.
Personally speaking, I’ve used Linksys, D-Link, and other consumer firewalls in the past. All of those devices have died within months. The pfSense box I built, however, has been running for two years without a hiccup. It is a 1.8GHz Athlon64 processor with 512MB RAM and an old 80GB HDD (which is a lot of overkill, as even with retained logs, it is using less than 300MB of space).

There is so much that pfSense can do that it’s not possible to cover it all, and with the expandability of extra packages, the number of features you can put into a pfSense firewall is amazing. Software (aka firmware) upgrades aren’t frequent, but they are easy to do, and with the Web interface, pfSense is simple to configure. Once it’s configured, pfSense is completely reliable, regardless of the traffic you push at it.

If you want a high-availability and highly reliable firewall, pfSense is definitely something to seriously consider. It is a mature product with an amazing feature set, and the security it brings to a network environment is worth the extra up-front cost in hardware, compared to consumer-level firewall appliances. I cannot recommend it enough; it’s that good.
 
"Personally speaking, I’ve used Linksys, D-Link, and other consumer firewalls in the past. All of those devices have died within months."

Personally replying, you must be on crack.
 
Smoothwall works fine for me.

Personally I feel it doesn't matter which firewall you're using, as long as:

1. You can configure it easily
2. It protects your network from the nasties
3. It is free, and can run on a wide range of hardware, from a 386 to the latest Pentium.
4. And last, but not least, it is easy and quick to recover from a hard drive crash.
 
**************
NECRO ALERT!
**************
I have been using an Intel PC as a firewall for the past few years, running Sophos UTM Home.
I want to move to a fanless appliance to decrease electricity consumption. Checked out an IONN-N device, available from CME and Takealot. Initially I was concerned at the lack of AES-NI instructions in the Celeron N2940 CPU, but then again, I don't do too much VPN connectivity. On my current box (3rd gen Core i3) the CPU is mostly under 5% (using IPS, web-filtering and AV).

So it's an opportunity for me to try pfSense, or Sophos XG vs the standard Sophos UTM.

Anyone upgraded a UTM box to XG recently? Or pfSense? What do I need to watch for?
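The AES-NI question raised in the post above can be settled before buying. pfSense (FreeBSD) records the CPU's feature flags in /var/run/dmesg.boot, Linux lists them in /proc/cpuinfo, and `openssl speed` shows how much the instructions actually change AES throughput, which is what decides whether a VPN on the box will keep up with the line. The shell script below is an added example, not code from this thread or from the pfSense project; the feature lines it parses are constructed samples, and the OPENSSL_ia32cap mask it uses to force OpenSSL onto its software AES path is a documented OpenSSL environment variable.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense project.
# Answers "does this CPU have AES-NI, and does it matter for my VPN?"
# Feature text formats handled:
#   FreeBSD/pfSense (/var/run/dmesg.boot):  Features2=0x...<...,AESNI,...>
#   Linux (/proc/cpuinfo):                   flags : ... aes ...

# Read CPU feature text on stdin; print "yes" if AES-NI is listed, else "no".
aesni_in_text() {
    if grep -Eq '(Features2=0x[0-9a-f]+<[^>]*[<,]AESNI[,>])|(^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$))'; then
        echo yes
    else
        echo no
    fi
}

# Inspect the running host; prints yes, no, or unknown (neither file readable).
aesni_on_this_host() {
    if [ -r /var/run/dmesg.boot ]; then
        aesni_in_text < /var/run/dmesg.boot
    elif [ -r /proc/cpuinfo ]; then
        aesni_in_text < /proc/cpuinfo
    else
        echo unknown
    fi
}

# Measure AES-128-GCM bulk throughput with and without AES-NI.
# OPENSSL_ia32cap="~0x200000200000000" clears the AES-NI and PCLMULQDQ
# capability bits, so the second run uses OpenSSL's pure-software path;
# that figure is a rough upper bound for VPN crypto on a CPU without AES-NI.
aes_gcm_throughput() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 1; }
    echo "hardware path (if AES-NI present):"
    openssl speed -evp aes-128-gcm 2>/dev/null | tail -n 1
    echo "software path only:"
    OPENSSL_ia32cap="~0x200000200000000" openssl speed -evp aes-128-gcm 2>/dev/null | tail -n 1
}

# Constructed sample lines (not captured from any poster's hardware).
SAMPLE_FREEBSD_WITH='  Features2=0x7ffafbbf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
SAMPLE_FREEBSD_WITHOUT='  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,RDRAND>'
SAMPLE_LINUX_WITH='flags           : fpu vme sse2 ssse3 sse4_1 sse4_2 aes avx'
SAMPLE_LINUX_WITHOUT='flags           : fpu vme sse2 ssse3 sse4_1 sse4_2 movbe rdrand'

for s in "$SAMPLE_FREEBSD_WITH" "$SAMPLE_FREEBSD_WITHOUT" "$SAMPLE_LINUX_WITH" "$SAMPLE_LINUX_WITHOUT"; do
    printf 'sample -> AES-NI: %s\n' "$(printf '%s\n' "$s" | aesni_in_text)"
done
printf 'this host -> AES-NI: %s\n' "$(aesni_on_this_host)"
# aes_gcm_throughput is left for a manual run; the two openssl passes take about half a minute.
```

The second `openssl speed` line is the number that matters for a box without AES-NI: if its software AES-GCM rate at the larger block sizes comfortably exceeds the bandwidth the VPN has to carry, the missing instructions cost CPU time but not throughput. Note that the mask only affects OpenSSL; kernel IPsec on FreeBSD has its own AES-NI driver, so a VPN measurement on the real box is still the final word.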
 
**************
NECRO ALERT!
**************
I have been using an Intel PC as a firewall for the past few years, running Sophos UTM Home.
I want to move to a fanless appliance to decrease electricity consumption. Checked out an IONN-N device, available from CME and Takealot. Initially I was concerned at the lack of AES-NI instructions in the Celeron N2940 CPU, but then again, I don't do too much VPN connectivity. On my current box (3rd gen Core i3) the CPU is mostly under 5% (using IPS, web-filtering and AV).

So it's an opportunity for me to try pfSense, or Sophos XG vs the standard Sophos UTM.

Anyone upgraded a UTM box to XG recently? Or pfSense? What do I need to watch for?
Have you considered an APU2? Only issue you will have is that PPPoE has issues with the NIC, so never goes above a certain threshold.
 
Have you considered an APU2? Only issue you will have is that PPPoE has issues with the NIC, so never goes above a certain threshold.
Thanks for this, no, I didn't know about it. Looks pretty cool, but doesn't seem to have local support, and all the bits and pieces could end up costing a lot more.
 
Thanks for this, no, I didn't know about it. Looks pretty cool, but doesn't seem to have local support, and all the bits and pieces could end up costing a lot more.
Shipping is a major issue at the moment; shipping used to be expensive, now it's even more expensive. I have one of them, I still have not tested the performance on it. By the time I got it I got bored of pfSense and got a USG Pro, added two quieter fans and am using that as my "Firewall" for the time being. But you are right, the APU2 price is good, but adding the SSD, PSU, serial connector and, if you want WiFi, WiFi equipment, it gets expensive very quickly.
 
Shipping is a major issue at the moment; shipping used to be expensive, now it's even more expensive. I have one of them, I still have not tested the performance on it. By the time I got it I got bored of pfSense and got a USG Pro, added two quieter fans and am using that as my "Firewall" for the time being. But you are right, the APU2 price is good, but adding the SSD, PSU, serial connector and, if you want WiFi, WiFi equipment, it gets expensive very quickly.
Yes, I did consider a USG Pro because I am already in the Unifi ecosystem, and it was very tempting, lots of pretty pixels on the Unifi interface, and performance-wise it looks like quite a beasty.
But my overall objective was to reduce power consumption, and to also simplify / rationalise DC power needs. I don't need 4Gbps forwarding speed, I have a 25/25Mbps fibre line. The Unifi stuff that I want (not need) all have different DC power requirements -- the USG Pro needs 24 volts, and some of the PoE switches need 24/48/54 volts. I realised that PoE presents some interesting problems to those who want to simplify home DC power consumption, and I will cross that bridge when I come to it (maybe design my own UPS with 24, 12 and 5 volts?).

So I decided on the IONN-N device from CME, because all it needs is 12 volts at 2.5-3 amps, literally half that of the USG Pro. Whilst its performance will probably not even be close to that of the USG Pro, if it turns out to be a dog, I can easily turn it into something else. Plus I have the flexibility to run pfSense, Sophos UTM or Sophos XG, amongst others. Will test it and let everyone know, I am having fun with pfSense right now :)

I must say that the service experience with CME was exceptional, they bent over backwards for me, even opening on a Saturday to allow me to collect. I will be looking at some of their other interesting hardware for future tinkering projects.
 