Build your own pfSense server
May 20th, 2012 | Posted in Lab
I am not a security expert, although I have always been familiar with the terminology, despite the fact that I have never had the opportunity to work in so much depth in this field. To achieve my goal, I had to implement a firewall in my lab, like every enterprise company, so I started to look for an enterprise solution, but the price of most of them was too high for my requirements, so eventually I found pfSense, a free open source solution which includes almost all of the features found in more expensive commercial firewalls.
It is based on FreeBSD, which, as I'm told, is one of the most secure operating systems; it is a good thing to work on such a platform to protect your network. A complete package system has also been included, which allows further extensibility of the system. Packages like Snort, an IDS/IPS, and Squid, a caching proxy and reverse proxy, are just examples of the power that you can have in this small machine. I have mentioned Snort and Squid because I am using both of them, but you can find a pretty extensive list for different purposes.
On the official website you will find all the information to get started, but the best thing is that you don't need a super machine with a lot of resources: any thin client or an old computer will be able to handle the requirements. Sizing is based mainly on throughput and features.
In my case, I wanted a machine that is completely fanless, silent and with low power consumption, so I looked for a motherboard with an integrated CPU and a mini-ITX form factor. I chose the Asrock AD2700-ITX, but I don't recommend it at this moment because the integrated Realtek NIC is not supported in the pfSense 2.0.1 release, so I am working with the 2.1 development version.
Below are the specs of the machine:
– Asrock AD2700-ITX + Intel Atom D2700
– 2 x 2GB RAM
– 16GB SSD
– Another NIC for the LAN side.
You don't need this amount of RAM if you just want to run pfSense; the reason I got 4GB is that Snort is a RAM-hungry application and RAM is currently cheap.
I chose an SSD because I wanted something completely silent with no mechanical parts. I believe I got it, because I have to look at the blue LED to know if it is powered on.
In the picture you can compare the size of the little server with a Cisco IP phone. The case is not the smallest one, but in this model I can mount 3.5″ and 2.5″ hard disks if necessary.
The power consumption is really low considering that this is my router, firewall, VPN access server and Wi-Fi AP. In the following picture the server was running on a SATA hard disk, so I think that with the SSD, and maybe some underclocking and undervolting of the CPU, I can get a system under 20W.
To deploy pfSense you need at least a WAN and a LAN interface. I have defined both of them on different physical network cards, but you could do it with just one NIC and VLANs. The LAN interface is configured as an 802.1Q trunk to carry the LAN and DMZ networks and to secure the traffic between both sides.
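As an added illustration (not from the original post, and not what pfSense writes itself; pfSense generates its pf ruleset from the web GUI), here is a FreeBSD pf.conf that expresses the layout above: a WAN NIC, a second NIC carrying an 802.1Q trunk with a LAN VLAN and a DMZ VLAN, and rules that let the LAN reach the DMZ while the DMZ can never initiate connections into the LAN. Interface names (re0, em0, em0.10, em0.20), VLAN tags, subnets and the DMZ host address are assumptions for the example.

```pf
# Constructed example ruleset; names, tags and addresses are assumed.
ext_if  = "re0"          # WAN NIC (assumed name)
lan_if  = "em0.10"       # VLAN 10 on the trunk NIC em0 = LAN (assumed)
dmz_if  = "em0.20"       # VLAN 20 on the trunk NIC em0 = DMZ (assumed)
lan_net = "192.168.10.0/24"
dmz_net = "192.168.20.0/24"
dmz_web = "192.168.20.10" # one published DMZ host (assumed)

set skip on lo0
scrub in all

# Both internal networks leave through the WAN address.
nat on $ext_if inet from { $lan_net, $dmz_net } to any -> ($ext_if)
# Only HTTP/HTTPS from the Internet is forwarded, and only to the DMZ host.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $dmz_web

# Default deny, logged to pflog so anything unexpected is visible.
block log all

# Traffic the firewall itself originates.
pass out quick all keep state

# LAN may reach the Internet and the DMZ; replies ride the state.
pass in quick on $lan_if from $lan_net to any keep state

# DMZ is isolated from LAN: the block is evaluated before the pass (quick),
# so a DMZ host can answer LAN-initiated connections but never start one.
block in quick log on $dmz_if from $dmz_net to $lan_net
pass in quick on $dmz_if from $dmz_net to any keep state

# After rdr the destination is the DMZ host, so this matches the published ports.
pass in quick on $ext_if inet proto tcp from any to $dmz_web port { 80, 443 } keep state
```

In pfSense the same segmentation is expressed as per-interface rules on the LAN and DMZ VLAN interfaces; the DMZ block rule above is the one to verify first, because without it the trunk carries both networks through one NIC with no isolation between them.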
I will not go into too much detail about the pfSense configuration; as I said, there is a ton of great information on the pfSense website and this is not the purpose of this blog. Anyway, I think it could be interesting to show you the initial steps to have your own firewall solution for testing.
That’s all for today, I welcome your feedback.
PS: the diagram behind the Cisco IP phone and the pfSense server is the great Lync protocol workloads poster, really useful to know the different protocols and ports used by each role. I will talk about that for sure. Here you can download it.