pfSense Hardware: A Scrounger’s Guide (Part One)

The Pentium P-233 that served as my m0n0wall firewall/router

When I started using pfSense as my primary firewall, it replaced my previous firewall solution: a Pentium P-233 running m0n0wall. I eventually switched to a Neoware thin client running pfSense, which I ultimately upgraded to version 2.1.3. The Neoware thin client meets the pfSense hardware requirements for running pfSense on an embedded system, and offered pretty good value for the money – one would be hard-pressed to put together a system with the same features and functionality more cheaply than these pfSense appliances. Yet while running pfSense from a thin client may be the best option for some users, if you have an old computer that meets the pfSense hardware requirements, this may be the better option. For that reason, I thought it would be an interesting exercise to see how easy (or how hard) it is to turn an old PC into a pfSense firewall.

Indeed, the system I used to run m0n0wall had been scrounged from spare parts. The case and power supply had come from an old barebones system I had bought in the late 1990s. The motherboard/CPU was one of a lot of three I had bought on eBay a few years later, and the CD-ROM was from a group of spare CD-ROM drives I had, as was the floppy drive. I only had 32 MB of RAM initially. I found that with only 32 MB of RAM installed, m0n0wall’s web-based configurator would eventually crash (although the firewall itself would continue to function). I found another 32 MB of RAM on eBay for a few dollars, and my system was complete. The NICs had also been taken from old computers, although I eventually bought a lot of 10 Intel Pro 100 cards for $35. As underpowered as this system might seem, it served ably as my firewall for several years. Thus, I began to wonder if I had any old hardware that could run pfSense, and decided that for my next mini-project, I would take an old computer and turn it into a serviceable pfSense router.


pfSense Hardware: The Guidelines

For this project, I set out some basic guidelines:

  1. The hardware had to meet the general requirements for pfSense hardware. These requirements are listed on the official pfSense web site. For any installation, a Pentium II or better with at least 256 MB of RAM is recommended. For hard drive installations, a 1 GB hard drive is required (and a CD-ROM drive for installation).
  2. When possible, I would scrounge from existing resources to put together a system that would serve as my new pfSense box. If necessary, I would buy new hardware, but only as a last resort.
  3. I was not completely sure what the final system would have installed on it, but I knew at a minimum I wanted to have the most recent pfSense version (2.1.3 at this writing), and probably Squid, SquidGuard, and probably some other packages.
  4. To the fullest extent possible, I would document the process, so I would have a record of what worked (and what didn’t work).

These guidelines should provide a rough road map for this project. In the next article, I will cover the selection of hardware, putting together my pfSense box, and installing pfSense onto it.


External Links:

Hardware for pfSense at pfsense.org – pfSense hardware requirements guide

Open Source Software: Costs and Benefits

Some of those accessing this blog are undoubtedly considering deploying pfSense on their home network, or perhaps in a small office/home office (SOHO) environment. For that reason, I thought it might be useful to devote an article to the costs and benefits of using free and open source software (FOSS) versus commercial software and hardware when deploying a firewall/router.

Open Source Software: Factors to Consider

The Linksys WRT54G, an example of a consumer grade router.

The most obvious factor to consider is the monetary cost. Initially, this would seem to weigh heavily in favor of pfSense and other free firewall software. For $20 to $50, however, you can purchase a small Linksys, Netgear or Asus router, which uses almost no power and supports port forwarding, performs Network Address Translation (NAT), acts as a Dynamic Host Configuration Protocol (DHCP) server, and provides stateful packet filters. If you use Linux and netfilter, or for that matter m0n0wall or pfSense, even if you have an old PC on which to run the software, it will cost you at least a few dollars a month in electricity. Unless you are familiar with the software you are using, you will find it more difficult to configure than one of the cheap consumer-grade routers, so there is an additional investment of time. If you are setting it up for a small business, it will cost more to pay for the employee’s time to set up a Linux or pfSense firewall than the Linksys would cost to buy. If all you require is a router/firewall that can do port forwarding and DHCP, then there are readily available commercial solutions that are affordable.

If you require additional functionality, however, the situation may change. Commercial VPN solutions can be staggeringly expensive. Yet free solutions such as pfSense and m0n0wall will also work. Even taking into account the fact that the free solutions may not have the same features and capabilities as the commercial version, if you need to implement a virtual private network and there is open source software that meets your requirements, then you can achieve substantial savings.


There are additional factors, some of which are related to cost. For example, support: what does it cost, is it available, and how timely is the support? Moreover, what format does support take: phone, e-mail, online forums, service calls, and so on?

If installing and configuring netfilter, pfSense or another open source solution doesn’t sound intimidating, an old PC may be suitable.

Time is another factor, and this can cut both for and against open source software. Take the case where a business is considering entering into a partnership with another company. This other company is concerned because the partnership requires sending sensitive data, and the business only has a consumer-grade firewall. The IT department could recommend the purchase of an enterprise-level firewall. This will require contacting vendors, getting quotes, passing a quote on to a manager for approval, and then submitting a purchasing order to the accounting department. Or the IT department can just find an old PC, load Linux and netfilter onto it (or m0n0wall or pfSense or IPCop or any one of a number of open source software solutions), and be done with it, especially if time is of the essence. On the other hand, if your IT department is not familiar with Linux or BSD, deploying an open source solution may actually cost you time, so you would be better off seeking a commercial product.

Another related factor is performance. Speed, efficiency, and reliability are important indices of performance. A fast solution that crashes all the time isn’t very useful. Conversely, a reliable software package that runs slowly may not be the best option.

Usability is another factor, and it relates to cost. If the learning curve is very high, then your training costs will rise. You may want to consider whether a product is customizable if it does not do exactly what you want it to do.

It is often important to consider how well-established the product is. The more well-established the software is, the more likely its creators will be around in the future. A larger and more well-established project will also likely have better community support and reliability. You do not want to invest a lot of time into a product that is likely to go away. In this regard, open source software does well. The netfilter project started in 1998; m0n0wall has been around since 2004, and PF, the packet filtering software on top of which pfSense is built, has been part of OpenBSD since 2001.

Even a security product like a firewall involves security implications, which should be an important factor in your choice. Is the product secure, and will it be handling secure data? You want to consider whether it will be opening any security risks, as well as what type of auditing and logging it can produce.

Finally, you will want to review the license agreement closely. Often the free software is not free if you are a business, or there are special restrictions on the number of installations or other criteria. If your company has a legal department or if you have legal counsel, it might not be a bad idea to have them review the license agreement.

Conclusion

It may just be my bias as the owner of a blog devoted to a particular piece of open source software, but I am inclined to think that in many if not most circumstances, you will find open source software to be the more cost-effective and efficient solution. At one end of the spectrum, commercial consumer-grade routers provide a lot of functionality at a low price. At the other end of the spectrum, enterprise-level firewalls often provide a greater level of management control and logging capabilities, which a mid-sized or large company may require. These capabilities often justify the higher cost. But for those who fall in between these two extremes, often open source software provides the better alternative.


External Links:

The True Cost of Open Source – web site devoted to explaining how you can cut development costs and improve performance with open source software.

Open Source Applications: Benefits and Risks at www.networksolutions.com

10 Reasons Open Source Is Good for Business at www.pcworld.com

pfSense Setup: Part One

Initial pfSense menu when pfSense is booted from the CD.

For purposes of this article on pfSense setup, we will assume that you already have a system that meets the minimum specifications to run pfSense (if you have not acquired the components yet or if you’re not sure if your equipment meets the specs, you may want to check this document on pfSense requirements). In a nutshell, however, the minimum hardware requirements are:

  • 100 MHz Pentium CPU
  • 128 MB RAM
  • CD-ROM (for installation or for the Live CD if you run it off the CD)
  • 1 GB hard drive (if you install it onto a hard drive)
  • Two network interface cards

You can run pfSense from a Live CD or a bootable USB drive.

Download the latest version of pfSense. You can find it at: this FTP site. You probably want to verify the integrity of the download with the MD5 checksum as well. Once this is done, burn the pfSense ISO to a CD or to the media of your choice. You can burn the ISO with the program of your choice; you can do it at the Linux command line with this command:

sudo cdrecord -v speed=20 dev=/dev/sr0 pfSense-LiveCD-2.0.3-RELEASE-i386-20130412-1022.iso
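
The checksum step mentioned above can be scripted so that the burn only runs on a verified image; this is an added example, not part of the original article. The function names and the two checksum-file layouts it accepts (`MD5 (file) = hash` and `hash  file`) are assumptions, as is the `.md5` file name in the usage comment.

```shell
#!/bin/sh
# Added example: check a downloaded ISO against its published checksum file
# before burning it. Function names and file layouts are assumptions.

# Print the first 32-hex (MD5) or 64-hex (SHA-256) field found in a checksum
# file. Handles BSD style "MD5 (file) = <hash>" and GNU style "<hash>  file".
expected_digest() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^[0-9A-Fa-f]+$/ && (length($i) == 32 || length($i) == 64)) {
                 print tolower($i); exit } }' "$1"
}

# verify_iso ISO CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 when the check could not be done.
verify_iso() {
    iso=$1
    sumfile=$2
    [ -r "$iso" ] && [ -r "$sumfile" ] || { echo "cannot read input files" >&2; return 2; }
    want=$(expected_digest "$sumfile")
    # Pick the hash tool from the digest length found in the checksum file.
    case ${#want} in
        32) have=$(md5sum < "$iso" | awk '{ print $1 }') ;;
        64) have=$(sha256sum < "$iso" | awk '{ print $1 }') ;;
        *)  echo "no MD5 or SHA-256 digest found in $sumfile" >&2; return 2 ;;
    esac
    if [ "$have" = "$want" ]; then
        echo "OK: $iso matches $sumfile"
    else
        echo "MISMATCH: $iso (expected $want, got $have)" >&2
        return 1
    fi
}

# Run as a script with two arguments, for example:
#   sh verify_iso.sh pfSense-LiveCD-2.0.3-RELEASE-i386-20130412-1022.iso \
#                    pfSense-LiveCD-2.0.3-RELEASE-i386-20130412-1022.iso.md5 \
#     && sudo cdrecord -v speed=20 dev=/dev/sr0 \
#                    pfSense-LiveCD-2.0.3-RELEASE-i386-20130412-1022.iso
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
fi
```

A matching MD5 mainly shows that the download was not corrupted in transit; where the mirror also publishes a SHA-256 file, pass that file instead.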

Boot your PC with the pfSense CD. You will be presented with a “Welcome to pfSense!” menu with several options. For this screen, you can choose the default option (Boot pfSense). At this point, you can press “I” to invoke the installer, or continue the LiveCD bootup. If you want to boot the LiveCD, either do nothing or hit “C”, and you can skip the following section. [In this case, continue with pfSense setup here.]

pfSense Setup: Installation Onto a Hard Drive

If you hit “I”, then the next screen will be the “Configure Console” menu. Most likely you can choose the “Accept these Settings” option and press [Enter].


The next menu is the “Select Task” menu. There are several options: “Quick/Easy Install”, “Custom Install”, “Rescue config.xml”, “Reboot”, and “Exit”. If you just want to install onto the first hard drive, you can select “Quick/Easy Install” and press [Enter].

The next dialog box is the “Are you SURE” dialog box, which will ask you to confirm your decision to install pfSense by highlighting “OK” and pressing [Enter]. Any data on the first hard drive will be erased in order to install pfSense.

Installation will take a few minutes, as pfSense formats your drive and copies the software to it. Next is the “Install Kernel(s)” screen. Select “Symmetric multiprocessing kernel” and press [Enter].

At the “Reboot” screen, remove the pfSense CD from the CD/DVD drive, highlight “Reboot” and press [Enter].

After the system reboots, you will see the initial “Welcome to pfSense!” menu. Press [Enter] to select the default, or just wait for the pause timer to run out.

pfSense Setup: Further Configuration

[Resume here if you are booting from the LiveCD.]

As pfSense boots, the detected network interface cards will be listed. If not all of your network cards are listed, you will want to exit out of the install by hitting [CTRL-C] and selecting “6” on the menu. Otherwise, the next choice will be:

Do you want to set up VLAN’s now [y|n]?

Assuming that this is a basic pfSense setup, you can type [n] and continue.

The next option is:

Enter your LAN interface name

Here, type the name of the network interface card that will be directly connected to your internal network. The next option is:

Enter your WAN interface name

Here, type the name of the network interface card that will be connected to the internet.

If you installed more than two network cards, then pfSense will prompt you to enter the names of them. For the third card it will prompt:

Enter the Optional 1 interface name

When there are no more network cards to name, you will get the prompt:

Do you want to proceed [y|n]?

Be sure to type [y]. You have completed the first phase of pfSense setup. Now pfSense will be running and fully functional. If you wish, you can connect via the web interface, to which pfSense assigns the IP address 192.168.1.1 by default.

Part Two of this article on pfSense setup will go step-by-step through configuring pfSense via the web interface.


The Rest of the Guide:

Part Three (WAN and LAN Settings)

Part Four (Setting Up a DMZ)

© 2013 David Zientara. All rights reserved.