Category: Network administration
Keywords: pfSense, Network administration, Firewall, OpenVPN, X41, FreeBSD
This article is a work in progress.
As part of migrating this website from my hosting provider zone.ee over to my basement datacenter, I decided I needed a firewall solution to fight against the attackers on the internet. I have heard a lot of positive feedback from others regarding the FreeBSD-based solution, pfSense.
I am pretty new to network administration, so I decided to share my journey with you.
I ordered open ports from my ISP so that I could access my network from outside of my house. A lot of internet service providers in Estonia disable access to your router from the internet for obvious security reasons, as regular home users are...regular users. Opening the ports up usually means an extra monthly fee, which is egregious. I was lucky, because Telia (formerly Elion), my service provider, requires just a call to their support and doesn't charge you anything.
My inventory is as follows:
I have a router that sits on the edge of the network running custom Telia firmware (for IPTV, I suppose), so I cannot upgrade it to OpenWRT, unfortunately.
I have an old IBM X41 laptop with the following specs:
- CPU: TBA
- RAM: TBA
- Storage: 8 GB CF card that replaces the original dead HDD
- Network: Intel? wired, Atheros wireless
Replacing it with an OpenWRT router is on the roadmap. Electricity is expensive here, because we are not one of the countries that used to practice slavery in the past, nor do we bring democracy to other countries in exchange for oil.
- RaspberryPi running Apache and SSH servers
So the things I want to achieve are:
Forward all traffic from the internet to pfSense through my ISP router on ports 80, 443 and 1194.
Forward all traffic on ports 80 and 443 to the RaspberryPi.
Set up an OpenVPN server on pfSense to allow myself to log in remotely to pfSense or any other devices connected to it.
All devices connected to pfSense will have ad-blocking on the network level, no need to install any browser plugins.
The network diagram will be posted here in the near future.
Initial pfSense setup
I won't cover the pfSense installation process; please refer to the pfSense website for that.
The installation is pretty straightforward, although there is one thing to mention for novice users (so that you don't repeat my mistakes).
In my initial lab setup I connected to the upstream network using a cable and pfSense was broadcasting a Wi-Fi signal for clients to connect. So during the initial installation, I selected em0 as my WAN interface and ath0 as the LAN interface. It took me quite some time to learn that once the LAN interface has been configured, pfSense automatically blocks incoming connections through the WAN interface. This seems obvious at first, but it also means that you have no way of accessing the web interface, because all your wireless network parameters are not yet configured. Maybe it's possible to set all the properties through the console interface, but I didn't want to mess around with it as I was fairly new to the system.
So, in other words: if you are looking for a setup similar to mine, just add the WAN interface at first and stop there. This way, you'll be able to access the web interface using the WAN interface's IP address that will be displayed in the pfSense console.
To be continued...