The firewall is the one piece of technology that must be part of every network. When we talk about firewalls, we immediately think of the large number of commercial solutions on the market, but many are unaware of the existence of a robust, secure and reliable platform such as pfSense.
What is pfSense?
The pfSense project is a free, open source custom distribution of FreeBSD designed for use as a firewall and router. It is fully managed through an easy-to-use web interface, so no advanced knowledge of Linux or BSD is required to administer it.
Where can I install pfSense?
- Almost anywhere, haha, and yes, that is basically it: 512MB of RAM, a 600MHz processor, 2 network ports and 4GB of disk are more than enough for its basic functions (router, firewall for small networks).
- In virtual environments (VMware, Proxmox, VirtualBox, Hyper-V, etc.)
- On a hardware appliance (recommended)
- In cloud environments (AWS, Azure)
pfSense features
pfSense includes almost all the features of expensive commercial firewalls and in many cases more. Let us take a look at the functions currently available. All of them are managed from the web interface, without needing the console.
- Filtering by source and destination IP
- You can limit simultaneous connections per rule
- Aliases allow grouping and naming of IP addresses
- Packet normalization
- Multi WAN
- Automated integration for site-to-site VPN creation with Amazon AWS
- Graphical and log monitoring
- VPN
- VLAN support
- Load Balancing
- IDS/IPS
- Cluster
- Captive Portal
- NAT/PAT
- and much, much more…
pfSense and its multiple roles
As a VPN
A virtual private network (VPN) is an extension of our internal network across the Internet, used to reach services that would otherwise be inaccessible. pfSense supports multiple VPN types; in this article we will focus on three of them:
- IPsec: enables connectivity with any device that supports the IPsec standard.
- OpenVPN: A flexible, powerful SSL VPN solution that supports a wide range of client operating systems.
- WireGuard: a new Layer 3 VPN protocol designed for speed and simplicity. It performs almost as fast as hardware-accelerated IPsec and exposes only a small number of configuration options.
As a Certificate Authority
pfSense natively lets you generate self-signed certificates in a very simple way; these are mainly used for VPN configurations, development web services or internal tools.
Ah, but I don’t like getting those warnings that the certificate is not secure!
No problem: among its long list of packages pfSense has one called ACME. This module communicates with Let's Encrypt to generate the certificates you need, 100% valid for browsers, and best of all, it can be configured to renew the certificates automatically so you never end up with an expired certificate on your service.
As a Proxy
Proxies are intermediaries that sit between clients and servers. A client connects to a proxy and then the proxy decides whether the client can receive content from a server. If so, the proxy makes its own connection to the server and then returns the data to the client.
- Forward proxy: usually located between local clients and remote Internet servers. It can be used to control which websites clients can load, or to log the servers and URLs that clients visit. Mostly they work with HTTP, but in special cases they can also handle HTTPS.
- Squid is primarily a forward proxy used for client access control.
- Reverse proxy: usually located between remote clients and local servers. These enable load balancing, failover or other intelligent connection routing for public services such as web servers.
- HAProxy is a free, very fast and reliable solution that offers high availability, load balancing and proxying for TCP-, HTTP- and HTTPS-based applications.
As a captive portal
The captive portal in pfSense® software forces users on an interface to authenticate before they are granted access to the Internet.
The firewall automatically presents a login web page where the user must enter credentials such as a username/password or a coupon code, or simply click through.
This feature is commonly used in the hospitality industry (hotels, restaurants, airports and more), as well as in corporate and even domestic environments. It is mainly used for wireless access points or for additional authentication before allowing access to internal networks from wireless clients.
As a DNS Server
DNS, or domain name system, is the mechanism by which a network device resolves a name such as www.example.com to an IP address such as 198.51.100.25, or vice versa. Clients must have a functional DNS if they are to reach other devices, such as servers, using their host names or fully qualified domain names.
pfSense can be configured as a DNS Resolver or Forwarder with just a couple of clicks, and it includes protection against DNS rebinding attacks.
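As an added illustration (not pfSense's own code), the following Python sketch shows the kind of check a resolver applies for rebinding protection: an answer for a public name that points to a private, loopback or link-local address is discarded before it reaches the client, while names under an explicitly configured local zone are allowed to resolve to internal addresses. The zone name, hostnames and addresses are constructed for the example.

```python
import ipaddress

# Address ranges that a public hostname should never legitimately resolve to.
# A DNS rebinding attack relies on a name first pointing to the attacker's public
# server and then, after a short TTL, to an address inside the victim's LAN.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# Hypothetical split-horizon zones whose names are allowed to carry private addresses.
LOCAL_ZONES = ("lan.example",)


def is_private_target(addr: str) -> bool:
    """True if addr falls inside any range a public name must not resolve to."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)


def in_local_zone(qname: str, zones=LOCAL_ZONES) -> bool:
    """Match on label boundaries so 'evillan.example' does not match 'lan.example'."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def filter_answer(qname: str, rrset: list, zones=LOCAL_ZONES):
    """Split an answer section into records that may be handed to the client and
    records dropped as rebinding attempts. rrset is a list of dicts with
    'type' (A/AAAA/other) and 'data' (address or other rdata)."""
    local = in_local_zone(qname, zones)
    kept, dropped = [], []
    for rr in rrset:
        rebind = (rr["type"] in ("A", "AAAA")
                  and not local
                  and is_private_target(rr["data"]))
        (dropped if rebind else kept).append(rr)
    return kept, dropped


if __name__ == "__main__":
    # Constructed answers: the second one is the rebinding step and is dropped.
    print(filter_answer("attacker.example", [{"type": "A", "data": "203.0.113.5"}]))
    print(filter_answer("attacker.example", [{"type": "A", "data": "192.168.1.1"}]))
    print(filter_answer("printer.lan.example", [{"type": "A", "data": "192.168.1.50"}]))
```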
As a Router
pfSense can natively be used as a router within your network. Remember that a firewall can only analyze and filter the traffic that passes through it, so what better device to take care not only of traffic filtering but also of routing within the network.
We can also use packages to configure dynamic routing to communicate with other routers in our internal network or with a service provider.
Supported protocols:
- RIP: The Routing Information Protocol (RIP) daemon is a dynamic routing protocol that, combined with other routers that also have RIP enabled, allows automatic route updates between them.
- BGP: The OpenBGPD package can be used in combination with CARP. Generally, it is best to have two BGP sessions with each provider, one from each firewall, and configure the next hop in the BGP network statement to a CARP IP on the interconnect subnet with that upstream provider.
- OSPF: An OSPF package using the Quagga routing daemon is also available.
As a Next Generation Firewall
pfSense, through the pfBlockerNG package, lets you filter network traffic by the geographic location of an IP address and block online advertisements and malicious content. pfBlockerNG has many options that let you specify what to block and how to block it.
As IDS/IPS
The pfSense® software can act in an Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) role with add-on packages such as Snort and Suricata.
- Snort is an intrusion prevention and detection system. It can be configured to simply log detected network events, or to both log and block them. Thanks to the OpenAppID detectors and rules, the Snort package enables application detection and filtering.
- Suricata is a mature, fast and robust network threat detection engine that is free and open source. The Suricata engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Advantages of using pfSense
- Affordable hardware (https://store.netgear.com/)
- No license fee
- Commercial and Community Support (https://www.pfsense.org/get-support/)
- Easy installation and management
- Extensive list of Modules and Functionalities
- Open source
- Simple and intuitive design
- Available in cloud, virtual appliance, hardware and software form.
Disadvantages
- The lack of an API makes it difficult to integrate with other commercial solutions in a simple way, and makes automation difficult.
- Support from the manufacturer is only available in English (at Gudix Security we provide English and Spanish support for pfSense).
- Poor reporting system.
Conclusions
Choosing a firewall is not a decision to take lightly: we must be clear about our requirements, the amount of traffic to be processed and the functionality we expect from the solution we choose.
pfSense Firewall is an open source enterprise solution used by many companies around the world, as well as universities and government entities, that rely on its technology and robustness at a very low cost.
Do you want to implement or change your current firewall solution and don’t know where to start? Contact us at [email protected]