These past few months I have been looking at firewalls and intrusion prevention systems that are open source and can run on commodity hardware. I have been wanting to add an extra layer of protection to my home network and that led me to write this article. The most popular IPS by far is Snort since it is open source and free. While looking at open source firewalls, I came across pfSense which supports Snort and it was the best choice for what I was looking to do. In this article I will detail the installation, configuration, and integration of pfSense with Snort. Since this article is going to be long, I will be splitting it into two parts.

Before starting on the installation you need to figure out what hardware you will run pfSense on. The minimum requirements for running pfSense which can be found here should be satisfied by all modern computers. The next thing that you want to focus on is the throughput of your network and how much traffic you expect to have. Most modern multicore processors should be able to handle large amounts of network traffic so this shouldn’t be a problem either. If you will be running VPN services on top of pfSense then your processor will be taxed more since it has to encrypt and decrypt the network traffic that it is receiving and sending. Once you start adding packages like Snort and Ntop on top of the pfSense firewall then your memory usage will also increase. Based on the above requirements and what I am planning on doing, I decided on the following system for my home firewall.

Motherboard: Intel DQ77KB

CPU: Intel Core i5-3470S

Memory: Corsair Vengeance 2x4GB (CMSX8GX3M2A1600C9)

Hard drive: Intel 330 Series SSD 60GB (SSDSC2CT060A3K5)

Heatsink: Intel BXHTS1155LP

Case: Lian Li PC-Q05A

It seems like the above system is overkill for what we are trying to do here. This is true, but eventually my pfSense firewall will be migrated to a virtual machine running on the ESXi hypervisor. The system above will be running pfSense along with 5-6 other VMs for my home lab. That’s why I decided to go a little higher end with the hardware that I used for the box. For now though, this box will be dedicated to pfSense only.

From the above parts you will also notice that the motherboard is Thin Mini-ITX form factor. My firewall will be resting inside a closet with not much space or airflow, so I decided to go for a small system that does not have a high power consumption and has a low heat output. Here is a picture of the system when it is completely assembled.

Device-1

Let’s go ahead and get started on the installation.

1. Start off by downloading the latest live CD release of pfSense (2.0.2 at the time of writing this article) and burning the ISO to a CD:

Install-1

2. With your .iso file burned to a CD, boot from the CD and choose option 1, or option 3 if you are using an external USB disc drive like I was.

Install-2

3. You will then be prompted to make a selection. Hit the letter I to install pfSense on your current hard drive, or on a USB thumb drive if that is what you are going to use to boot pfSense.

Install-3

4. Once the installer finishes loading, go ahead and choose the option to accept the settings.

Install-4

5. You will then be able to select the hard drive on which pfSense will be installed.

Install-5

Sorry for the bad image quality. My phone had trouble focusing on the computer screen for some of these.

6. You will be asked to format the disk that you selected:

Install-6

7. If your hard drive has a specific geometry and you want to modify the default values, you can do so on this screen. If you are not familiar with cylinders, heads, and sectors, choose the defaults and don’t change the settings here.

Install-7

8. You will be prompted to format the hard drive:

Install-8

9. The next step allows you to create partitions on the hard drive. I skipped the partitioning step as I want pfSense to use my entire SSD:

Install-9

10. pfSense will then prompt you to install the boot sector onto the hard drive:

Install-10

11. Lastly, choose the partition where pfSense should reside:

Install-11

12. Hit OK after it finishes formatting the selected partition:

Install-12

13. Let pfSense set up and create the subpartitions:

Install-13

14. Wait for it to finish executing the commands:

Install-14

15. Choose the custom kernel configuration and select the “symmetric multiprocessing kernel”, which supports one or more cores.

Install-15

16. Go ahead and reboot when done:

Install-16

17. Upon rebooting you will be asked whether you want to set up VLANs and to identify the LAN and WAN interfaces:

Install-17

Install-18

The system pfSense is installed on should have more than one network interface. The LAN interface is where you will connect your home switch/router. Note that pfSense will do NAT and run a DHCP server; if your existing router is currently performing these two functions, it is a good idea to disable them before plugging it into the LAN interface. On the interface that you designated as the WAN, connect your modem or the connection from your ISP.

18. Hit Yes when you are done making your selection. At this point you should be able to plug into the LAN interface, or into the switch that is connected to that interface, and get an IP address via DHCP. You can then access the web GUI by browsing to the default gateway IP address.

Configuration-1

The default username and password should be “admin” and “pfsense”.

19. After logging in for the first time you will be presented with the dashboard:

Configuration-2

Note: Your dashboard might look a little bit different as I have customized mine to have relevant info that I need.

20. The first thing that you want to do after the installation is to secure the firewall and change the default password on the admin account. Head over to the System –> Advanced –> Admin Access menu option and modify the following settings:

Protocol: HTTPS

WebGUI redirect: Checked

WebGUI Login Autocomplete: Checked

Secure Shell Server: Checked

Console Menu: Checked

Configuration-3

Don’t forget to save your changes at the bottom when done. The above settings enable HTTPS, disable HTTP, and block autocomplete from working when logging into the firewall. They also enable SSH, should the web server go down for any reason, and password-protect the console menu in case anyone gains physical access to the machine.

21. On the next tab “System –> Advanced –> Firewall and NAT” I modified:

Firewall Optimizations Options: Conservative

pfSense offers four options for state table optimization:

* Normal – the default algorithm

* High latency – Useful for high latency links, such as satellite connections. Expires idle connections later than normal.

* Aggressive – Expires idle connections more quickly. More efficient use of hardware resources, but can drop legitimate connections.

* Conservative – Tries to avoid dropping legitimate connections at the expense of increased memory usage and CPU utilization.

Configuration-4

Should you notice that you can’t reach certain outside resources from computers in your home network, it is a good idea to check the size of the state table. You can verify the total size and the current number of states from the dashboard. The default value has been working fine for me, as I have not reached more than 20000 states with all the different clients on my home network active at the same time.

22. Moving onto the “System –> Advanced –> Notifications” menu section, you need to modify the SMTP E-mail settings should you wish to receive notifications from your firewall:

Configuration-5

In my case, I am using Gmail’s SMTP servers for notification purposes. You have the ability to use Growl if that is your preference. When you hit save you should receive a test email from your firewall.

23. The next settings that you want to modify are under “System –> General Setup”. Here you can change the hostname of the system and define a domain. You can also define the DNS servers that pfSense will use for requests it cannot resolve itself. pfSense will hand your clients its LAN IP address as the DNS server via DHCP; in turn, the pfSense DNS forwarder will use the DNS IP addresses defined here for making queries.

Configuration-6

I am using Google’s free public DNS servers, but you can use any DNS servers out there.

24. The last system section that you want to look into is the “System –> User Manager”:

Configuration-7

We can modify the admin account by clicking the letter “e” on the right-hand side and then change the default password:

Configuration-8

25. Moving on to the “Interfaces –> WAN” menu section, verify that you are blocking private networks and bogon networks (bogus addresses that should not exist on the public internet) by checking the two boxes at the bottom. Blocking these networks protects you from receiving traffic from IP address ranges that shouldn’t be used on the public internet. Your ISP should already be blocking these types of networks in the inbound direction, but there is no protection from the other direction, as your ISP itself might be using private addresses within its network.

Configuration-9

26. In the “Interfaces –> LAN” section you can change the static IP address of the LAN interface on your firewall. This will become the default gateway for all of the computers plugged into the LAN. Optionally, you can change the subnet mask as well, should you require more or fewer hosts per subnet.

Configuration-10

27. Moving on to the “Services –> DHCP Server” menu section, the last thing to verify is the DHCP server configuration. Make sure it is enabled, otherwise your clients won’t be able to get an address dynamically.

Configuration-11

In here you can adjust your scope options as well as add any other information that the DHCP server should offer to your clients.

This should be a good place to conclude this part. In the next article, I will continue with the configuration of the extra packages that should be installed and then go through the Snort configuration step by step. Thank you for taking the time to read this article. I hope to see you here for part 2.

6 Responses to “pfSense: Installation and Configuration Part 1”

  1. Joaquim says:

    Hi, nice tutorial, good words and nice explanations. Thanks.

  2. Glenn, you ARE the wizard!

  3. Glenn, thanks so much for this tutorial. My test install of pfSense on a spare machine is slowly turning into the real deal. Cheers!

  4. I am actually running pfSense on ESXi. I was wondering if or when you are going to write a tutorial on this, as I am experiencing a little trouble. I have a 4-port NIC and was also going about having 4 different VPNs load balanced.
