How To Build A pfSense Firewall Appliance
pfSense, currently developed by Netgate, is an open-source firewall distribution for small-office and enterprise environments alike. Although hardware and vendor support aren't free, the software itself is and can be spun up in a VM at no cost. Its ability to run a large variety of third-party packages, such as Nmap and Snort, makes it quite versatile and a strong candidate for almost any environment. This article walks through installing and configuring the firewall on a dedicated hardware appliance.
Netgate offers a number of appliances for purchase, but you may find your needs require something else entirely. The pfSense minimum requirements indicate it can run on just about anything, including an old PC collecting dust in your basement. Be aware, though, that to take full advantage of newer features (hardware-accelerated VPN crypto in particular) it is advised that your CPU of choice supports AES-NI. To avoid the Frankenstein aesthetics of most pfSense builds out on the internet, I chose the barebones Qotom Q330G4 mini-PC and filled it with a 4 GB stick of Kingston SODIMM RAM and a 64 GB Dogfish mSATA SSD. This setup gave me a total of four network interfaces, quite a bit more power, and cost about $100 less than Netgate's SG-3100 appliance. For the installation process you'll also need a flash drive, mouse, keyboard, display cable and monitor.
Assuming your hardware is all built, head over to the pfSense download page and fetch the memstick installer image for your architecture (amd64 for hardware like this). Netgate publishes a SHA-256 checksum next to each image; verify the download against it before you write it anywhere, since an installer image is the one file you have no other way to trust. Using a tool like Rufus on Windows (or dd on Linux and macOS), write the image to the flash drive. Hook up your hardware, get into the BIOS, and boot from the drive.
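As an added example (this is not code from the article or from Netgate), here is a small Python script that checks the downloaded image against its published checksum file before you hand it to Rufus or dd. It assumes the checksum file uses either the BSD-style lines that FreeBSD and pfSense publish (`SHA256 (file) = hex`) or the GNU `sha256sum` style (`hex  file`); the image filename used in the test data is a placeholder, not a specific release.

```python
"""Verify a downloaded pfSense installer image against its SHA-256 checksum file.

Added example, not code from the article or from Netgate. Assumes the
checksum file is in BSD style ("SHA256 (file) = hex", as FreeBSD/pfSense
publish) or GNU sha256sum style ("hex  file"). Run it on the .img.gz exactly
as downloaded, before writing it to USB.
"""
import hashlib
import hmac
import re
import sys
from pathlib import Path

# BSD style:  SHA256 (pfSense-CE-memstick-amd64.img.gz) = <64 hex chars>
_BSD = re.compile(r"^SHA256\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]{64})\s*$")
# GNU style:  <64 hex chars>  pfSense-CE-memstick-amd64.img.gz   (optional '*' for binary mode)
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>\S+)\s*$")


def parse_checksums(text: str) -> dict:
    """Map image filename -> expected SHA-256 (lowercase hex) from a checksum file."""
    expected = {}
    for line in text.splitlines():
        m = _BSD.match(line.strip()) or _GNU.match(line.strip())
        if m:
            # Key on the bare filename so a path prefix in either file does not matter.
            expected[Path(m.group("name")).name] = m.group("hex").lower()
    return expected


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so a large image never sits in RAM at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image: Path, checksum_file: Path) -> bool:
    """True only if the image's digest matches the entry for its own filename.

    A checksum file with no entry for this filename is a failure, not a pass:
    we never guess which line was meant.
    """
    expected = parse_checksums(checksum_file.read_text()).get(image.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(image), expected)


if __name__ == "__main__":
    # Usage: python verify_image.py <image.img.gz> <image.img.gz.sha256>
    img, sums = Path(sys.argv[1]), Path(sys.argv[2])
    ok = verify_image(img, sums)
    print("OK" if ok else "MISMATCH", img.name)
    sys.exit(0 if ok else 1)
```

A mismatch means you either have a corrupted download or the wrong file for that checksum; either way, do not write it to the flash drive. Exit status 1 on failure makes it safe to chain in front of the write step.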
After a few moments it will boot directly into the installer.
At the time of writing, the installer marks ZFS as an experimental option. If you feel inclined to tinker with it, do some additional research first; I chose UFS. Once the installation completes, reboot and pull the USB drive as the appliance restarts so it doesn't boot back into the installer. When the machine comes back up to the console menu, select option 1 (Assign Interfaces) to assign the LAN and WAN interfaces.
pfSense can attempt to auto-detect your LAN and WAN interfaces (it watches for a link coming up when you plug a cable into one port at a time), but with more than two ports you may need to do some troubleshooting with a laptop to work out which physical port maps to which driver-based interface name (em0, igb0 and so on). The basic methodology is to set the WAN interface to use DHCP unless you have a static IP from your ISP, and to give the LAN interface the static address and subnet you want (console option 2, Set interface(s) IP address).
Unless you have a dedicated DHCP server in your environment, go ahead and enable DHCP on the LAN interface when the console prompts for it. At this point you can put the appliance in place and log into the web GUI at the LAN IP address you assigned in the previous step. The default credentials are admin/pfsense; changing them is one of the first things you'll do below.
Once you're logged in, navigate to System > Setup Wizard to complete your setup. If you'd rather perform the remaining setup manually, complete the following steps:
Configure your DNS settings under System > General Setup. I have traditionally used OpenDNS (208.67.222.222 and 208.67.220.220).
Change the default admin password under System > User Manager > Users (edit the admin user). Do this before the appliance faces anything you don't control; admin/pfsense is the first thing anyone tries.
Reboot the appliance under Diagnostics > Reboot.
Create a backup of your pfSense config under Diagnostics > Backup & Restore. The exported XML contains password hashes, pre-shared keys and certificates, so tick the encryption option and keep the file somewhere safe, and take a fresh backup any time you alter the device.
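As an added example (not code from the article or from Netgate), here is a Python script that audits a config.xml export for the settings the steps above put in place and for the WAN default-deny stance: DNS servers set, the web GUI on HTTPS, WAN addressed with its private and bogon blocks on, a static LAN with DHCP enabled, and no pass rules on WAN. The element names it reads (`system/dnsserver`, `interfaces/wan/blockpriv`, `dhcpd/lan/enable`, `filter/rule/interface` and so on) follow the layout of a pfSense 2.4-era config.xml and are an assumption to check against your own export; the embedded sample config is constructed for illustration, not a real backup.

```python
"""Audit a pfSense config.xml backup for the baseline settings set up in this article.

Added example, not code from the article or from Netgate. Element names are
assumed from the layout of a pfSense 2.4-era config.xml export; adjust if
your export differs. SAMPLE_CONFIG below is constructed, not a real backup.
Run it on an unencrypted export (or decrypt your encrypted one first).
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <system>
    <hostname>pfSense</hostname>
    <domain>home.arpa</domain>
    <dnsserver>208.67.222.222</dnsserver>
    <dnsserver>208.67.220.220</dnsserver>
    <webgui><protocol>https</protocol></webgui>
  </system>
  <interfaces>
    <wan><enable></enable><if>igb0</if><ipaddr>dhcp</ipaddr><blockpriv></blockpriv><blockbogons></blockbogons></wan>
    <lan><enable></enable><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <dhcpd>
    <lan><enable></enable><range><from>192.168.1.100</from><to>192.168.1.199</to></range></lan>
  </dhcpd>
  <filter>
    <rule><type>pass</type><interface>lan</interface><descr>Default allow LAN to any rule</descr></rule>
  </filter>
</pfsense>
"""


def _flag(parent, name):
    """pfSense stores booleans as an empty element: present means on, absent means off."""
    return parent is not None and parent.find(name) is not None


def audit_config(xml_text: str):
    """Return a list of (code, message) findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    system = root.find("system")
    wan = root.find("interfaces/wan")
    lan = root.find("interfaces/lan")

    # System > General Setup: at least one resolver must be configured.
    dns = [d.text for d in system.findall("dnsserver") if d.text] if system is not None else []
    if not dns:
        findings.append(("NO_DNS", "no DNS servers configured under System > General Setup"))

    # The admin password must not cross the LAN in clear; the GUI should stay on HTTPS.
    proto = system.findtext("webgui/protocol") if system is not None else None
    if proto != "https":
        findings.append(("WEBGUI_NOT_HTTPS", f"webgui protocol is {proto!r}, expected 'https'"))

    # WAN addressing (dhcp or static) and the two built-in WAN source-address blocks.
    if wan is None or not wan.findtext("ipaddr"):
        findings.append(("WAN_NO_ADDRESS", "WAN has no ipaddr set (dhcp or static)"))
    if not _flag(wan, "blockpriv"):
        findings.append(("WAN_ALLOWS_PRIVATE", "'Block private networks' is off on WAN"))
    if not _flag(wan, "blockbogons"):
        findings.append(("WAN_ALLOWS_BOGONS", "'Block bogon networks' is off on WAN"))

    # LAN needs a static address; DHCP on LAN unless another server serves the segment.
    lan_ip = lan.findtext("ipaddr") if lan is not None else None
    if not lan_ip or lan_ip == "dhcp":
        findings.append(("LAN_NOT_STATIC", "LAN needs a static ipaddr/subnet"))
    if not _flag(root.find("dhcpd/lan"), "enable"):
        findings.append(("LAN_DHCP_OFF", "DHCP server is disabled on LAN (fine only if another server exists)"))

    # Default deny on WAN: every explicit pass rule on WAN is an inbound exposure to review.
    for rule in root.findall("filter/rule"):
        if rule.findtext("interface") == "wan" and rule.findtext("type") == "pass":
            descr = rule.findtext("descr") or "(no description)"
            findings.append(("WAN_PASS_RULE", f"explicit pass rule on WAN: {descr}"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_pfsense_config.py [config.xml]; with no argument the sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    results = audit_config(text) or [("OK", "all baseline checks passed")]
    for code, msg in results:
        print(f"{code}: {msg}")
    sys.exit(1 if results[0][0] != "OK" else 0)
```

A WAN_PASS_RULE finding is not automatically a problem (a port forward for a service you run on purpose produces one), but it is exactly the kind of change that should be explained in a comment on the rule and reflected in a fresh backup. Running this over each backup you take turns the "keep backups" step into a quick drift check.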
At this point the firewall should be fully operable. You may have to reboot the other devices in your network, or renew their DHCP leases and flush their DNS caches, before everything communicates properly. Keep in mind that, out of the box, pfSense is already protecting your network from unsolicited inbound traffic. If you navigate to Firewall > Rules you will notice that the WAN tab holds no allow rules at all, only the built-in blocks for private and bogon source addresses if you left those enabled. pfSense filters on an allow-list basis: anything not explicitly permitted by a rule on the interface it arrives on is dropped, so with an empty WAN rule set no new connection from the internet gets in, while the default LAN rule allows everything outbound. Any WAN pass rule or port forward you add later is therefore a deliberate exposure and deserves a description explaining why it exists. In future articles we will dig deeper into pfSense's vast array of features, including third-party packages and configuring VLANs.