A piece of hardware that is often overlooked in many homes and businesses is the the “edge device” or often just called a router. Many Internet providers will supply their own edge device. This is the first line of defense from those that would do you harm from the Internet to your home or business. I look at it as your first line of security to protect yet give you access to the machines or devices on your network.
I have two reasons for setting up a pfSense box. Since I have heard great things about it, I wanted to try it for myself on my own network to give me confidence to set it up for use in a small office setting. Nothing too large, just a moderate size.
I had to start with an adequate piece of hardware to run pfSense. Since it requires a 64 bit system, I am using one of my newly inherited Dell Optiplex 745 machines. As far as specifications go, it is at the bottom end of the recommended specifications to run pfSense but the plan for this isn’t anything real intense.
Specs That Matter
- CPU Intel Core 2 Duo 6300 @ 1.86Ghz
- 2.0 GB of DDR2 SDRAM
- 160 GiB HDD
Since this machine only comes equipped with a single Ethernet port, I had to purchase a half-height Gigabit Ethernet adapter to put in the one available PCI slot in this machine. The slot will only accept a PCI or PCI-X card which was actually more difficult to find than I originally anticipated. Full height, easy, half height, not so much.
This particular unit came with two plate options. Changing out the plate consisted of removing two screw, separating the plate from the card and replacing it with the other plate. There wasn’t a bit of complexity to it.
The machine has one PCI slot in it but there was a card with a COM port and PS/2 port on a card attached via ribbon cable to the main board that had to be removed first. I inserted the card, started it up and jumped in the BIOS to make sure it was recognized.
Since it was recognized, I was ready to move on to the software portion of this little tech adventure.
There really wasn’t much to do in configuring the hardware. The only major change I made to the configuration, outside of adding the second Ethernet card was to ensure that the machine would boot upon being powered. This is assuming that should the machine loses power due to power failure, it will boot upon power being restored.
Downloading the Software
From the pfSense download page I chose the AMD64 memstick version to put on a Dell Optiplex 745. It should be noted that the memstick version cannot be written using SUSE Studio Imagewriter. For more information on writing images:
Conduct Checksum on the Downloaded Image
Since the the time of installation, the version I downloaded to install was: pfSense-CE-memstick-2.4.4-RELEASE-p1-amd64.img.gz. The key point here is it is the amd64 version to correspond with my hardware.
Next I downloaded the corresponding sha256 file from here so that I could do the appropriate checksum action and ensure that it is a good download. I have noticed on most sites, it seems as though that is just an expected understanding without much explanation, outside of the openSUSE download page, that is.
I Put the downloads in the same folder and ran this:
sha246sum -c pfSense-CE-memstick-2.4.4-RELEASE-p1-amd64.img.gz.sha256
The response was:
Which means that it was good to go. I haven’t seen anything other than OK so I couldn’t tell you what it’s like to not have an OK. Then either your image or the sha256 is not right and need to be downloaded again.
Writing to USB Drive
The instructions recommended erasing the disk partition table before writing. I haven’t done this step before writing to a flash drive but who am I to argue with the developers?
sudo dd if=/dev/zero of=/dev/sdX bs=1M count=1
In my case, the drive is sdd, be very, VERY careful to not wipe out any of your other drives so pay close attention to what you are doing. To find out what the device name is of your USB drive, insert the drive into a USB port and run in terminal
Look for the latest entry corresponding to the USB device you just plugged in. It should read /dev/sdb or something of that nature. If you are unsure, ask somebody. There are plenty of helpful folks out there. Feel free to contact me directly and I’ll do my best to help you out.
The next thing to do is to install the image onto the USB drive.
sudo gzip -dc ./pfSense-CE-memstick-2.4.4-RELEASE-p1-amd64.img.gz | sudo dd of=/dev/sdX bs=1M
Replace /dev/sdX with the appropriate drive identification. Also note the version of pfSense is a moving target, so an exact copy from above is probably not going to be valid for long.
The installation is very straight forward on pfSense. Just like any Linux distribution, once you have it on the USB media, and the machine boots from the drive, follow the directions. In this case, I am getting a warning about my system battery voltage which I will address later. Once it boots into a nice ASCII art menu, select 1 to Boot Multi User, which is default.
On a kind of funny note, the legal notice, pfSense is a federally registered trademark of Electric Sheep Fencing LLC.” I’d like the background story on that LLC name. After you accept you are given 3 options. Install being the key option here.
Next you will set the keymap and you will be asked how you would like to partition your disk. I chose to use the Guided Disk Setup because it’s my first time and this is a reasonable course of action.
Since I have no reason to use the disk for anything but pfSense, it was reasonable to select to use the entire disk. Graciously, you are warned that this will erase the disk and wants a confirmation to proceed.
Next you are asked for the partition scheme of which I chose MBR as this is “Bootable on most x86 systems. You are then given another opportunity to review the disk setup and make any modificaitons. Since I have no experience with pfSense and altering any preferences. I left the defaults be.
Once you select Finish you are given one final warning to Commit with a clear warning of your actions.
The installation will proceed, first, “fetching” the distribution files than extracting them.
After the installation is complete you are asked if you want to make any further changes, the selection defaulted to No so I just proceeded from there and rebooted.
I was again reminded about my low voltage system battery before the boot screen to which the default works perfectly.
The boot process is much like what I am used to seeing in Linux so it was interesting to watch and see the slightly different syntax.
On the initial boot, you are given a series of questions to define the interfaces. One which faces the scary internet (WAN), and the other that faces the internal network (LAN). The first question is to set up VLANs, I have no need for such a thing so I entered, N.
Next I selected the interface I wanted to be the WAN. Since I know the hardware I installed, I selected the appropriate NIC. Ultimately, it doesn’t really matter on this setup. If I had more than one NIC for the LAN, that would change things.
Next, I set up the LAN and confirmed the configuration.
When that is complete, it will write the configuration to disk.
When the configuration was completed, I decided I wanted to change the LAN side IP address. This can be done by selecting 2. You are then asked which interface you want to configure, in my case, the LAN is option 2.
I set the IP address then the subnet mask per my network preference.
I didn’t set an IPv6 address because… why? Then the DHCP Range. In my case 192.168.10.51 to 192.168.10.200. 150 DHCP addresses is more than enough for my purposes… for now.
pfSense will ask if you want to reroute the webConfigurator protocol, which YES to that seems like the most reasonable answer. Then you will be dumped back into the main menu.
I reset the Admin password for the webConfigurator, mostly because I didn’t remember setting it to begin with and wanted to get into it.
My first order of business when logging in to the web configuration utility was to change the theme to a dark theme. I just don’t care for how light the default theme is. Of course, this is just my personal preference.
That’s it, you now have a functional pfSense box, but there was one more bit if business in order to be satisfied with the system. Local DNS name resolution.
A feature that is absolutely required for me is the ability to have local hostname resolution within my network. All my machines are named something I can remember so I can easily access them ussing SSH for remote access or file transfer. It is not quite as straight forward to do in pfSense as it is with DD-WRT but here are the resources I used to figure it out:
There was some fiddling to get it to go but here are the take aways:
On the General Setup page, you have to Uncheck Disable DNS Forwarder. Save your changes. Then navigate to Services > DNS Forwarder.
There you need to Enable DNS forwarder and Register DHCP leases in DNS Forwarder. Be sure to save the changes. If not you will have to repeat your steps.
I was able to test that the local DNS name resolution worked as I would expect and was thrilled that something I touched actually worked and without banging my head against the wall.
Adding a Wireless Access Point
A working edge device is great but who wires anything up these days? I had to put in a wireless access point. I took the previous edge device my Linksys E2000 and set the device to DHCP Forward to the IP address of the pfSense box. I plugged the ethernet port from the switch into one of the LAN (not the WAN) port of the E2000 and it worked as expected. You can turn the WAN port to be on the same VLAN within the Linksys E2000 but that is a discussion for another blathering or you can search that one out yourself.
pfSense is a really quite easy to set up and use. I will say,the hardest part of the project is writing the installation media. I have power cycled and added other users as administrators and it all works fantastically well. This truly is a fine BSD based operating system distribution.
If you have home or office networking requirements that a consumer grade edge device cannot handle, this is a low cost way of implementing one. I didn’t end up using this device for my house. After using it, I saw a greater need for this to be at my church and I ended up using IPFire for home, which is also quite good but I think in many ways, pfSense is a more polished and professional product and possibly better suited for a larger environment. I am not a network professional so take that opinion for what it’s worth.
This project has spurred on a few other future projects for the network in which it sits. More to come on that.