Repurposing a PC for pfsense

A Core i5 with 16 GB RAM and four network adapters transforms into a firewalling monster.

8680

Background:

I have several local area networks in my lab, each connecting to the Internet. On one of them, the SOHO router I was using failed. It was terminal, so I paid my respects, and then moved on to a better solution: pfsense running on a PC. pfsense is an open-source firewall solution that you can download for free.

If you have some extra hardware lying around, you can build yourself a pretty nice pfsense box. Mine: Core i5 3.1 GHz, 16 GB DDR3, with 4 network adapters, all packed into a desktop case that I built in 2012. I could have purchased an appliance that runs pfsense; for example, the SG-1100 would have suited my needs as it has LAN/WAN/OPT ports. But compare the specs. That device ($159 when this article was published) has a 1.2 GHz ARM-based CPU with 1 GB of RAM (SOC configuration). Now, if you are working for a company that wants a hardware warranty and/or support, then an appliance is the way to go, and the software works the same way. However, if you have a smaller business or a lab, building your own is a great way to recycle an older PC–that perhaps has a tough time running Windows–and save money at the same time.

I like pfsense, as it is open-source, has a solid design, and a lot of features. For a small company who is tired of poorly made SOHO routers from the big manufacturers, this can be a big improvement–whether you use an appliance, or build your own.

Network Design

The figure below shows the interfaces and IP networks I am using with this system:

click to enlarge

 

 

 

 

 

 

 

The firewall is the Core i5 PC with pfsense installed. It has three network interfaces: LAN, WAN, and OPT1.

The LAN interface is a dual RJ45 NIC that I configured to use link aggregation. It connects out to a Cisco switch where I have several servers including a virtualization server with with a bunch of VMs–it is all on the 172.18.0.0 IP network.

The WAN interface is a single RJ45 NIC which is assigned a public IP. (I have a bank of static public IPs that I get from my ISP. If you are obtaining an IP automatically, no configuration is necessary for this interface.)

The OPT1 interface (optional 1) is an integrated RJ45 on the motherboard of the PC. That connects to a separate switch used for management of my servers and devices. Any server with a dedicated management port (IPMI, or otherwise) connects to this switch. This is essentially another local area network, and is on the 172.19.0.0 IP network. I use the OPT1 interface to make configuration changes to the firewall. However, it was not possible to do so until I logged in on the LAN interface, added the OPT1 interface, and added a rule to the firewall that would allow me to remotely connect via that OPT1 interface. Once that was done, I could remotely manage the pfsense box without using any of the bandwidth of the LAN interface. Plus, it made it a lot easier to setup link aggregation on the LAN interface, as I was connecting separately.

Final Thoughts

Data transfer between the LAN and WAN interfaces is substantially faster than with a typical SOHO router, and with less dropped packets. The better the device, the better pfsense runs for the most part. Also, it sees hardware like a champ. It didn’t miss anything in this PC.

After I test the firewall more–and if I like it enough–I might make it my main firewalling device for all of my networks. There are two more PCIe slots available. Potentially, I’ll install a quality wireless card in one for WLAN access, and a 4-port NIC in the other. Each RJ45 port on a multi-port NIC can be used for a separate LAN, so that (in addition to what I already have) would be enough for all of my networks. I’d keep one SOHO router as a backup for my main business network, but otherwise rely 99.9% on pfsense. We’ll see how it goes. If and when I do upgrade the box, I’ll upload a new post/video.

In summary, I like pfsense. Do your self a favor and check it out.

Links:

pfsense website

reddit page

pfsense interfaces documentation