What if you could manage routing, DNS, DHCP, NAT, IPsec VPN, SSL VPN, deploy IDS/IPS and firewall the network, configure forward and reverse proxies, authenticate users via RADIUS or mobile OTP, integrate AD / LDAP user accounts, and manage SSL certificates, all from a single platform and dashboard? pfSense brings the power of these varied networking services under one hood.
pfSense is a FreeBSD-based, open source platform that combines network and security features. After 14 years of continuous development and deployment in production networks, pfSense has been shaped into a Swiss army knife of routing, security and other networking services such as DNS, DHCP, packet capturing, VPN services and much more. The ‘much more’ part comes from the ease of adding other well-known open source network tools to the pfSense platform as packages. pfSense comes in hardware, software and cloud deployment modes. The company currently behind the development and maintenance of pfSense is Netgate, which offers hardware and official support. Let’s have a look at some of the capabilities of pfSense that can support a fully functional, secure and flexible network.
pfSense as Virtual Appliance
The software-based pfSense solution is easy to deploy and configure, cost effective, open source, and suitable for small to medium offices or a home network. Of course, when deployed on powerful hardware it can handle much more. pfSense can be deployed on VMware Workstation, ESXi, Microsoft Hyper-V, Proxmox and perhaps any other virtualization platform. pfSense maintains extensive wiki documentation and a discussion forum, which I find very useful for installation, configuration and troubleshooting. The ISO file for installing pfSense can be downloaded from here.
During VMware installation the OS platform to be chosen is FreeBSD 64 Bit; of course the underlying platform has to support 64 bit as well. Hardware resources could be as low as 512 MB RAM, 1x vCPU, 20 GB HDD, but I am using 1 GB RAM, 30 GB HDD, 2x vCPU for managing a small lab environment. I am also using another pfSense virtual appliance on Amazon cloud which serves the purpose of VPN, firewall and NAT for my single test EC2 instance.
Advantages of the pfSense virtual appliance:
- Free and cost effective
- CPU, RAM and HDD can be increased as demand grows
- Minimum resources, maximum utilization
- The number of interfaces can be increased as needed
- Can be deployed on a cloud platform
Some of the great built-in features:
- Routing – Static routing is supported out of the box; packages such as FRR, Quagga_OSPF and OpenBGPD can be used to enable dynamic protocols such as BGP, OSPF and OSPFv6.
- Firewall – A stateful firewall with rules organized per interface. It is one of the easiest interfaces for managing inbound and outbound traffic, and you can add comments and separators to give the rule set an organized, easy-to-manage look.
- NAT – NAT rules are created in the NAT section, which supports port forwarding and one-to-one NAT. Each time you create a regular NAT rule, the matching firewall rule is created or updated automatically. This is a genuinely useful function: if you create only the NAT rule and miss the firewall rule, traffic still cannot pass.
- Multi-WAN HA – The multi-WAN high availability feature can be configured by creating a group of gateways and assigning a priority to each.
- VPN – pfSense has 5 different types of VPN options: regular IPsec can be used for site-to-site or client-to-site VPN, OpenVPN is the well-known tool for SSL VPN, and there are options for L2TP VPN, Apple IPsec VPN and AWS VPC VPN (for Amazon AMI images).
- DHCP Server and Relay Agent – A built-in DHCP server and relay; each interface / network can be configured with scopes for IP assignment to end devices.
- Traffic Shaping – A certain level of traffic shaping is possible with pfSense as well, on a per-interface basis.
- Load Balancing – Pools, virtual servers and monitors can be created for load balancing across backend servers.
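The NAT point above (a port forward without a matching firewall rule silently drops traffic) is worth auditing for on any box where rules were imported or hand-edited. The following is an added example, not code from pfSense or the original post: it parses a constructed config snippet and flags port forwards that have neither an auto-created (linked) pass rule nor a manual one. The element layout is an assumed, simplified model of pfSense's config.xml, not its exact schema.

```python
# Added check: flag pfSense port forwards that lack a matching firewall pass
# rule. The element layout below is an assumed, simplified model of config.xml
# (NAT forwards under <nat><rule>, filter rules under <filter><rule>, with an
# auto-created filter rule sharing the NAT rule's <associated-rule-id>).
import xml.etree.ElementTree as ET

# Constructed sample: two port forwards, only the first has a pass rule.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><port>443</port></destination>
      <target>10.0.0.5</target><local-port>443</local-port>
      <associated-rule-id>nat_aaa</associated-rule-id>
      <descr>https to web</descr></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><port>22</port></destination>
      <target>10.0.0.6</target><local-port>22</local-port>
      <associated-rule-id></associated-rule-id>
      <descr>ssh to jump</descr></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><address>10.0.0.5</address><port>443</port></destination>
      <associated-rule-id>nat_aaa</associated-rule-id></rule>
  </filter>
</pfsense>"""


def _text(el, path):
    node = el.find(path)
    return (node.text or "").strip() if node is not None else ""


def orphaned_port_forwards(config_xml):
    """Return descr of NAT forwards with neither a linked nor a manual pass rule."""
    root = ET.fromstring(config_xml)
    passes = [r for r in root.iterfind("filter/rule") if _text(r, "type") == "pass"]
    linked = {_text(r, "associated-rule-id") for r in passes} - {""}
    orphans = []
    for nat in root.iterfind("nat/rule"):
        if _text(nat, "associated-rule-id") in linked:
            continue  # auto-created firewall rule is present
        want = (_text(nat, "interface"), _text(nat, "protocol"),
                _text(nat, "target"), _text(nat, "local-port"))
        # manual pass rule on same interface/protocol to the translated target:port
        manual = any((_text(r, "interface"), _text(r, "protocol"),
                      _text(r, "destination/address"),
                      _text(r, "destination/port")) == want for r in passes)
        if not manual:
            orphans.append(_text(nat, "descr"))
    return orphans
```

Run it against a real exported config.xml by reading the file into `orphaned_port_forwards`; any entry it returns is a forward that will never pass traffic until a firewall rule is added.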