Build your own pro-grade firewall
Learn how to create a powerful multi-network hardware firewall with little more than pfSense and a redundant computer
This in-depth tutorial covers setting up a hardware-based firewall and configuring it to be hacker resistant and business class. It covers the configuration of a basic two-network setup: an internal network for all your test setups and a second LAN that can be used for normal everyday use. We will include a DHCP setup on your second LAN to make your life that little bit easier.
The networks are to be configured in such a way that any breakages on your test network won’t affect your normal network. This guide will also cover creating a sensible rule base to which you can add extra rules if you wish. Additionally, you’ll find tips and tricks to make everything more secure than a simple default setup. Finally, we will cover how to back up and restore your firewall configuration, should the worst happen.
If you want to just experiment with this without going the whole hog, you can do it within a virtual machine, two virtual networks and a bridged adaptor to your local network. The scope of this setup is outside the bounds of this article, but our walkthrough should still work perfectly.
Step by step
Install pfSense on your redundant PC
Boot from the pfSense live CD you downloaded and burnt in the prerequisites (see Resources). Allow it to boot up with defaults until you get to the screen that mentions recovery and installer. Press the I key to invoke the installer. Accept the defaults presented on screen by selecting ‘Accept these defaults’. The only change you might want to make is to your keyboard layout if you have a non-US/UK-type keyboard. Now simply select Quick/Easy Install. Read the warning – the installation will totally destroy any information on the disk, so back up first if you want to preserve your data. When you’re ready, select OK. Once the installation is done, select Standard Kernel and, once that’s configured, navigate to Reboot and press Enter. Make a note of the default username and password (admin/pfsense). Remove the CD and the machine should reboot into the network configuration menu, where all the good stuff starts to happen.
At this point, make sure your network cables are not plugged in. After booting into pfSense you will see a basic text configuration screen and a list of the network cards installed. When asked if you wish to configure the VLANs, select no (by pressing N). Next we are going to auto-detect the network. To set up the WAN connection, press A. Now insert the WAN cable from your router into the first network port. You will see it change status to UP, then press Enter to continue. We have now configured the WAN port to the internet – repeat the same process for your first and second LAN cards in the same fashion. Once complete, press Enter to continue.
This finishes the installation and lets the firewall know there are no more network connections to be configured. Answer Yes when asked ‘Do you wish to proceed?’. It will now commit the settings to disk. It will also give you a list of interfaces to match up against your network cables. It is a good idea to label them now to save confusion later.
Introducing the pfSense setup
After configuring the network connections and rebooting, you will still see the CLI with a series of menu options. The other networks still need to be configured, and you can do this by pressing 2 on the console. You will now see that you can configure the IP address setup for all the networks. Select the NIC that corresponds to your wireless or basic internal network. This is our (WIRELESS) LAN, so let’s give it 192.168.1.1 with 254 addresses. Enter the IP 192.168.1.1 – this will become our gateway. This tutorial is using a /24 network, so type in 24 followed by Enter. It will now ask if this network needs a DHCP server – select Yes. The configuration program will then ask about the start of the DHCP range. It’s best to start at 192.168.1.2. Follow this with the end of the range, 192.168.1.32. This is up to you and depends on your needs, but 30 DHCP leases is more than enough in most cases. Press N on the HTTP protocol question (this keeps the web GUI on HTTPS). Repeat the process with the other network and select 10.0.0.1 as the interface address, 24 as the network mask and use the range 10.0.0.2 – 10.0.0.32.
Using the pfSense GUI
In this section we’ll set up the basic GUI. Connect a laptop to the WIRELESS LAN, open a web browser and enter https://192.168.1.1. You may receive a browser warning about an untrusted connection, because pfSense ships with a self-signed certificate; that is fine to accept for our purposes. This address is the interface address (gateway) you configured earlier in the tutorial. It may be necessary to add an exception and hit Continue before the web GUI page loads.
You will be greeted with the setup wizard. Select Next to get started. At this point you can leave the hostname and domain alone, unless you want to put your own DNS servers in. If you leave the override DNS feature enabled, the DNS servers handed out to your DHCP clients will be the ones supplied by your ISP.
Configure the time server and time zone (Etc/UTC is usually what you need) as required and click Next. On the next page you can configure any extra setup information if your ISP requires it. Usually all of this can be left as is. Click Next to go to the LAN page. Lastly, change the admin password to a secure one of your choice. At this point the firewall will reload its rules. Enable the third network: click Interfaces>OPT1, select ‘Enable interface’ and click Save. Rename OPT1 to LAN from the same Interfaces>OPT1 page.
How to create a basic rule
All rules are added in the same way; just add and modify each rule to fit the requirements. Click the bottom left ‘+’ symbol from the Firewall Rules page to start creating one. Now we can add web browsing.
Set the action to pass (unless you wish to set up a rule to drop traffic). Choose your source interface (LAN/WIRELESS). Follow this by selecting the protocol to use (usually TCP, but things like DNS require UDP port 53). On the next item, select the destination. Usually this will be the any address for external traffic, or the WIRELESS or LAN subnet or address, depending on requirements.
Destination port is straightforward enough: you can select a range of ports by either using the drop-down menus or entering your own ranges (for now, just select HTTP). Using multiple ports is covered later in the article.
One set of rules definitely needed for both networks is basic HTTP and HTTPS rules for browsing. You will also want to implement a ‘drop all’ rule. As the name implies, this drops all traffic. This makes sure no traffic you did not intend escapes out of your network. To do this, just set up a rule with drop as the action, source and destination networks and port ranges set to any, and TCP/UDP as the protocol. Because rules are evaluated first-match, this rule must sit below the rules that allow traffic. Do this for both networks.
Aliases make life easier
Aliases enable you to group ports together. As the name suggests, they allow you to use an alias in your rules that can refer to groups of items. An example would be combining HTTP and HTTPS together in one alias. No need for multiple rules – just one alias can be used to ensure correct ports are opened!
From the Firewall menu, select Aliases. Use the ‘+’ on the right. To implement HTTP and HTTPS together, give it a name like Web_browsing_ports – ensure it is descriptive. Select Ports from the Type drop-down. Hit the ‘+’ button below the ports and add 80 in the port field and HTTP in the description. To add HTTPS, click the ‘+’ button again, but use port 443. Save and apply changes. Aliases are not limited to ports, but can also be used for hosts and networks. To implement an alias in a rule (assuming the alias has been created beforehand), go to the rule’s Port drop-down, select Other and begin to type the name of the alias. It should pop up a list. Just click on the alias needed and accept. Apply the changes once the rule is created. Similar rules can be created between networks. An example would be SSH. Implement this rule the same way as before, except select WIRELESS as the source and the LAN network as the destination.
Enhanced rule sets
Now that you understand how basic rules work, it is time to group together a more enhanced rule set. As a minimum, set up both networks to have the following flowing out to the internet: HTTP and HTTPS (remember to use an alias here!), plus FTP, DNS (using UDP) and SSH if needed. However, box clever here. If you only use SSH to talk to a specific number of hosts, use an alias with the Hosts type and enter the IP addresses into the alias. That way, should a machine be compromised, it will not be able to talk SSH on port 22 to anything but those boxes defined in the alias. The more specific the rules, the more secure they are. You will also need to repeat the process on the LAN, assuming you want the same rights. To prevent a network talking to another on a certain port and protocol, use the NOT option in the rule base. An example would be to change the web browsing rule to say destination NOT LAN – you will then find you can no longer browse any web server on the test network, but can still browse the internet.
Managing the bandwidth
Now that the basics are covered, we can look at some other features such as bandwidth management. pfSense makes it easy to block file-sharing platforms such as BitTorrent, WinMX and similar. It can also split the bandwidth between the two networks. Do this by going to Firewall>Traffic Shaper. Click the Wizards tab. There are a number of different scenarios; select the ‘Single WAN, Multi LAN’ option. Enter the number of LANs (two in this case) and press Next. Fill in your available download and upload speeds. Leave the other components and click Next. Unless you use SIP, click Next. Penalty Box can be used to restrict specific machines or alias groups of machines to a percentage of the capacity if needed. Click Next. Use this page to lower the priority of, or even completely block, P2P traffic.
Click Enable on the Traffic Shaper wizard and then select any protocols to allow/block. Edit to the preferred setup and then click Next. On this page, configure traffic shaping for games, with preconfigured optimal setups if needed. Finally you can do exactly the same for applications if you wish to, such as RDP, VNC etc. Click Finish. To remove the shaping, go back to the Firewall Traffic Shaper menu and select ‘Remove shaper’.
Turn on logging
Sometimes, rules don’t actually do what you planned, but there are a number of tools for logging and manipulating rules. It’s wise to be able to review the logs to see exactly what’s going on. To turn logging on, simply go back into the Rules menu, find the rule that you think may be problematic, and tick the ‘Log packets that are handled by this rule’ box. Don’t forget that rules are evaluated on a first-match basis; so, for example, having the drop all rule above the rule you are trying to test would mean the rule under test never gets evaluated.
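To make the two points above concrete, here is an added example (not from the article and not pfSense code): a small first-match evaluator modelling the WIRELESS rule base built earlier, with the Web_browsing_ports alias, the ‘destination NOT LAN’ web rule and the drop-all rule. The alias values, the rule layout and the packets are constructed for illustration; the article’s ‘drop’ action is written as ‘block’ here.

```python
import ipaddress

# Constructed aliases mirroring the article's Web_browsing_ports alias and
# the two networks set up on the console (10.0.0.0/24 and 192.168.1.0/24).
ALIASES = {
    "Web_browsing_ports": {80, 443},
    "LAN_net": ipaddress.ip_network("10.0.0.0/24"),
    "WIRELESS_net": ipaddress.ip_network("192.168.1.0/24"),
}

def in_alias(value, alias):
    """True if value (an IP string or a port number) falls inside alias."""
    target = ALIASES.get(alias, alias)
    if isinstance(target, set):
        return value in target
    if isinstance(target, ipaddress.IPv4Network):
        return ipaddress.ip_address(value) in target
    return value == target          # a literal port or host

def rule_matches(rule, pkt):
    """Each of src/dst/dport is 'any', an alias/literal, or ('not', alias)."""
    if rule["proto"] not in ("any", pkt["proto"]):
        return False
    for field in ("src", "dst", "dport"):
        want = rule[field]
        if want == "any":
            continue
        negate = isinstance(want, tuple)        # the NOT option in the GUI
        name = want[1] if negate else want
        if in_alias(pkt[field], name) == negate:
            return False
    return True

def evaluate(rules, pkt):
    """Return (action, index) of the first matching rule; pfSense blocks
    anything no rule matched, so the fallback is ('block', None)."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["action"], idx
    return "block", None

def rule(action, proto, src, dst, dport):
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

# WIRELESS rule base as the article builds it: web browsing to anywhere
# except the test LAN, DNS over UDP, then the drop-all rule last.
WEB = rule("pass", "tcp", "WIRELESS_net", ("not", "LAN_net"), "Web_browsing_ports")
DNS = rule("pass", "udp", "WIRELESS_net", "any", 53)
DROP_ALL = rule("block", "any", "any", "any", "any")
WIRELESS_RULES = [WEB, DNS, DROP_ALL]
MISORDERED = [DROP_ALL, WEB, DNS]   # drop-all first: WEB is never reached
```

Feeding a packet through `evaluate` with both orderings shows why the ‘Log this rule’ tick on an unreachable rule never produces a log line: the drop-all rule at index 0 claims every packet first.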
Backing up is also a very important exercise and very simple to execute. Go to the menu, select Diagnostics>Backup/Restore. The options on this page are simple enough. It is recommended to tick the box to encrypt the backups. Give it a good password that you will remember. We also suggest you leave the box ‘Do not backup RRD data’ selected. This is just performance data and isn’t really needed day-to-day.
Should the firewall ever need rebuilding from scratch, you will have to redo the steps right up until you have the GUI. The Restore menu, found in the Diagnostics menu, has the tickbox to restore from backup, but also the option to only restore parts, such as the rule base.