pfSense, my next router/firewall

For about 10 years my home Internet router/firewall was a Zeos Pentium 166 box running a Linux system I had built entirely from source code.  Sooner or later that machine was going to die, and I wanted some extra features like traffic shaping and friendlier administration.  I was considering custom firmware for some of the consumer routers as well as firewall distributions on x86 hardware, but was having a hard time satisfying my requirements:

  • Multiple static IPs on the WAN interface
  • Port forwarding with the ability to remap port numbers (external port 80 mapped to port 8080 on an internal machine, for example)
  • Traffic Shaping
  • Easier administration interface than I had before

I'll admit that the bar was set pretty low on the user interface, because my old setup was editing config files with vi, but the other requirements were much harder.  Most of the firmware distros would only forward a port to the same port number, and none supported multiple WAN IPs.  The firewall distros I was finding either didn't support multiple WAN IPs at all, or only did so in their paid version.  I was getting frustrated.

Then one day I was browsing newegg.com's barebones server product reviews and saw mention of how well some of them ran pfSense.  I had never heard of pfSense before, but found out that it is a router/firewall distro based on FreeBSD and m0n0wall, with extra features that cover all of my requirements.  In fact it has more features than I think should be running on a secure firewall box, but the extra stuff can easily be disabled.  After doing a trial install on an extra computer I ordered a Supermicro barebones server from newegg, added a hard drive and memory, and I'm off and running with pfSense.

Someday I'll make use of the VPN feature.  After getting familiar with it, the administration UI is quite friendly, I like the realtime traffic graphs and logging, and I was able to set up all my NAT and port forwarding rules pretty easily.  The rules are made much more readable by using aliases for machine IP addresses, port numbers, and the sets of ports I block without logging.  I also like that pfSense tracks the configuration changes you make, so a change can be rolled back easily.  pfSense keeps all your configuration (including ethernet card assignments) in a single XML file, so if I lost the hard drive in the firewall box I could simply pop in a new one, install pfSense from a memory stick, restore my XML config file and be fully functional again.
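To make the requirements concrete, here is what they look like in the pf ruleset syntax that pfSense sits on top of. This is an added illustration, not the ruleset pfSense generates from its XML config; the interface names, the internal hosts, and the two public addresses (taken from the documentation range) are all assumptions.

```pf
# Added illustration in FreeBSD pf.conf syntax (not pfSense's generated rules).
# Interface names, hosts and addresses below are assumptions.
ext_if = "em0"
int_if = "em1"

# Two static WAN addresses on one interface; the second one would be
# configured as an ifconfig alias on em0.
wan_web  = "203.0.113.10"
wan_mail = "203.0.113.11"

# Aliases for internal machines, and for the noisy ports to drop silently.
web_srv  = "192.168.1.10"
mail_srv = "192.168.1.20"
noise_ports = "{ 135, 137:139, 445, 1433 }"

set skip on lo0
scrub in all

# Outbound NAT for the LAN behind the primary WAN address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Port forwards with remapping: external port 80 on the first WAN IP lands on
# port 8080 inside; external 25 on the second WAN IP goes to the mail host.
rdr on $ext_if proto tcp from any to $wan_web  port 80 -> $web_srv  port 8080
rdr on $ext_if proto tcp from any to $wan_mail port 25 -> $mail_srv port 25

# Default deny, logged, so anything unexpected shows up in the logs.
block in log all

# Background noise is blocked without the "log" keyword so it does not bury
# the interesting entries.  pf uses last-match semantics unless a rule says
# "quick", which makes this the final decision for these ports.
block in quick on $ext_if proto { tcp, udp } from any to any port $noise_ports

# Filter rules are evaluated after translation, so they match the internal
# destination and port, not the public ones.
pass in on $ext_if proto tcp from any to $web_srv  port 8080 flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25   flags S/SA keep state

# Let the LAN out and allow the return traffic of those connections.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```

A ruleset like this can be syntax-checked without loading it using `pfctl -nf pf.conf`. The point of the macros is the same as the aliases in the pfSense UI: when a server moves or a port changes, one definition changes and every NAT and filter rule that references it follows.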

If you're looking for a firewall setup which starts off easy to set up and can then keep up with anything any geek in his house (or a medium to large business) would throw at it, I recommend taking a good look at pfSense.

And that Zeos box is built like a truck and never did die - it was running up to the minute it was scrapped.
