What if you could manage routing, DNS, DHCP, NAT, IPsec VPN and SSL VPN, deploy IDS/IPS, firewall the network, configure forward and reverse proxies, authenticate users via RADIUS or mobile OTP, integrate AD/LDAP user accounts and manage SSL certificates, all from a single platform and dashboard? pfSense brings the power of these varied networking services under one hood.
pfSense is a FreeBSD-based, open source firewall and router that combines an excellent set of network and security features. After 14 years of continuous development and deployment in production networks, pfSense has been shaped into a Swiss army knife of routing, security and other networking services such as DNS, DHCP, packet capturing, VPN services and much more. The 'much more' part comes from the ease of adding other well-known open source network tools to the pfSense platform as packages. pfSense comes in hardware, software and cloud deployment modes. The company currently behind the development and maintenance of pfSense is Netgate, which offers hardware and official support. Let's have a look at some of the capabilities of pfSense which can support a fully functional, secure and flexible network.
pfSense as Virtual Appliance
The software-based pfSense solution is easy to deploy and configure, cost effective, open source, and suitable for small to medium offices or a home network. Of course, when deployed on powerful hardware it can handle much more. pfSense can be deployed on VMware Workstation, ESXi, Microsoft Hyper-V, Proxmox and probably on any other virtualization platform. pfSense maintains extensive wiki documentation and a discussion forum, which I find very useful for installation, configuration and troubleshooting. The ISO file for installing pfSense can be downloaded from here.
During VMware installation the OS platform to choose is FreeBSD 64-bit; of course the underlying platform has to support 64-bit as well. Hardware resources can be as low as 512 MB RAM, 1x vCPU and a 20 GB HDD, but I am using 1 GB RAM, a 30 GB HDD and 2x vCPU for managing a small lab environment. I am also using another pfSense virtual appliance on the Amazon cloud, which serves as VPN, firewall and NAT for my single test EC2 instance.
Advantages of the pfSense virtual appliance:
- Free, cost effective
- CPU, RAM and HDD can be increased as demand grows
- Minimum resources, maximum utilization
- Number of interfaces can be increased as needed
- Can be deployed on a cloud platform
Some of the great built-in features:
- Routing – Static routing is supported out of the box; packages such as FRR, Quagga_OSPF and OpenBGPD can be used to enable dynamic routing protocols such as BGP, OSPF and OSPFv6.
- Firewall – Stateful firewall with rules defined per interface. It is one of the easiest interfaces for managing inbound and outbound traffic, and you can add comments and sections to keep the rule set organized and easy to manage.
- NAT – NAT rules are created in the NAT section, which supports port forwarding and one-to-one NAT. Each time you create a regular NAT rule, the matching firewall rule is created or updated automatically. This is a genuinely useful function: a NAT rule by itself only rewrites addresses, so if you create the NAT rule but miss the firewall rule, the traffic still can't pass.
- Multi-WAN HA – Multi-WAN high availability can be configured by creating a group of gateways and assigning a priority to each.
- VPN – pfSense has 5 different types of VPN options: regular IPsec, which can be used for site-to-site or client-to-site VPN; OpenVPN, the well-known SSL VPN tool; and options for L2TP VPN, Apple IPsec VPN and AWS VPC VPN (for Amazon AMI images).
- DHCP Server and Relay Agent – Built-in DHCP server and relay; each interface/network can be configured with its own scope for IP assignment to end devices.
- Traffic Shaping – A certain level of traffic shaping is possible with pfSense as well, on a per-interface basis.
- Load Balancing – Pools, virtual servers and monitors can be created for load balancing across backend servers.
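To make the NAT point above concrete, here is an added example written in pf rule syntax (the packet filter pfSense drives under the hood). It is not taken from the pfSense project or from its generated ruleset; the WAN interface name em0 and the internal host 192.168.1.10 are assumed values.

```pf
# Added example, not pfSense's own generated rules.
# Assumed: em0 is the WAN interface, 192.168.1.10 is an internal web server.

# 1) A redirect (port-forward) rule on its own only rewrites the destination
#    address of inbound packets for port 443. It grants nothing: the packet
#    is still evaluated by the filter rules afterwards.
rdr on em0 proto tcp from any to (em0) port 443 -> 192.168.1.10 port 443

# 2) With a default-deny policy and no matching filter rule, the translated
#    packet is dropped here, so the forward "doesn't work" even though the
#    NAT entry itself is correct.
block in log on em0

# 3) The filter rule that must accompany the redirect. It matches on the
#    translated (internal) destination, because filtering happens after NAT.
#    "quick" stops evaluation so the block above does not apply.
pass in quick on em0 proto tcp from any to 192.168.1.10 port 443 flags S/SA keep state

# Alternative to rules 1 + 3 (do not combine with them): the rdr pass
# shorthand creates the redirect and its pass rule in one statement, which
# is what pfSense's "Add associated filter rule" option does for you.
# rdr pass on em0 proto tcp from any to (em0) port 443 -> 192.168.1.10 port 443
```

When a port forward appears not to work, the first check is therefore whether a pass rule exists on the WAN interface for the translated destination; in the pfSense GUI the "Filter rule association" setting on the port forward controls whether that rule is generated automatically.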
Additional powerful packages
- Forward and Reverse Proxy (Squid) – Squid is a well-known, Linux-based forward and reverse proxy solution that has been in use for more than a decade. The proxy can be used to control internet traffic from internal users or, in reverse mode, to apply redirection rules for internal servers.
- SSL Certificate Management (ACME) – The Automated Certificate Management Environment package is an excellent tool for leveraging free, globally trusted Let's Encrypt SSL certificates.
- BW Monitoring (bandwidthd) – This service tracks the bandwidth usage of networks and builds useful per-IP-address graphs of bandwidth utilization.
- DNS BIND – Another very well-known open source DNS solution; pfSense provides a graphical user interface to configure all the details of a BIND setup. If all the information is at hand, a complete DNS server can be set up in a matter of minutes.
- Snort IDS/IPS – A powerful open source intrusion detection and prevention system that monitors and analyzes traffic in real time; content searching and protocol analysis are some of its other useful features. It can be deployed as an add-on package on pfSense.
- Suricata IPS
- FreeRADIUS authentication
- Port scan / security audit (NMAP)
And this is not all: there are even more packages available that can be integrated into a pfSense installation to enhance its usability.
Some use cases where pfSense could be deployed:
- Small office / home network with a few PCs and Wi-Fi
- Amazon cloud to premises VPN
- Lab environment
- Medium sized business
- Large Enterprises (with Professional Support and Dedicated Hardware Appliances)
If you are having difficulties deploying pfSense as a virtual appliance, feel free to leave a comment on the forum and you might get an answer from someone who has already been through the ordeal.