An inexperienced exploration of pfSense CE

By Nulltek

As an electronic engineer with a strong base in software development, I’ve had peripheral exposure to networking, but I had never delved deeply into routing. Amid growing fears surrounding Huawei hardware, I felt it was a bit of a blemish on whatever engineering credentials I do have to be running gateway hardware which I only understand at a surface level.

So, with zero knowledge of the subject, I bought a bare-bones passively cooled PC containing 5 gigabit NICs. My intention was to set this up as a router using an open-source operating system. I settled on pfSense; while there were some compelling arguments for OPNsense, the stability and resources available for pfSense swayed me.

WAN/LAN configuration was very straightforward, as it’s almost entirely guided by wizards. So within an hour or so of installing pfSense I was running it as a firewall for my network, isolating it from the Huawei router. However, this was hardly ideal, as double NAT is almost never a good idea in practice. Fortunately pfSense also made the process of directly configuring PPPoE fairly painless, so I boxed up that old router and sent it straight back to my ISP.

At this point I had a fully configurable x86 system running OpenWrt as the gateway and firewall for my network; even this ‘hello-world’ level of accomplishment was an amazing feeling. I wasn’t even getting started yet: I had begun delving into the depths of YouTube, where networking gurus taught me more intricate topics from the comfort of their mothers’ basements. I soon had a segmented DHCP server, several VPN routes for different IP ranges, Netflix whitelisting for Chromecast, a local DNS resolver, Snort intrusion detection, VLANs, guest APs, etc.

pfBlockerNG was one of the more game-changing plugins. Maintaining Level 1, 2 and 3 blocklists on a firewall is easy when you have the ability to link it up to community IP blocklist repos and have those lists self-update frequently using cron. In addition, the DNSBL feature allows blacklisting of spam, phishing and cyber-crime domains, similar to what a Pi-hole will do. It’s surprising how much of an impact this makes on the general browsing experience; you will be reminded every time you leave the safety of your network.
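To make the two mechanisms described above concrete, here is an added example (not pfBlockerNG's or pfSense's own code, which loads feeds into pf tables and the Unbound resolver) that models what such a plugin does with its inputs: it parses blocklist feeds in the common plain-IP, CIDR and hosts-file layouts, collapses overlapping IP entries into a minimal table, and answers DNSBL-style queries by walking a name's parent domains, with an allowlist override of the kind used to keep a streaming service reachable. All feed contents, domains and addresses below are constructed sample data, not real feeds.

```python
"""Model of an IP blocklist aggregator plus a DNSBL-style name check.
Added illustration; the feeds and names below are constructed, not real."""
import ipaddress
from typing import Iterable, List, Set

# Constructed sample of the kind of list a firewall pulls from a community repo.
IP_FEED_A = """
# Sample feed A (constructed)
203.0.113.0/24
198.51.100.17
198.51.100.18
"""

IP_FEED_B = """
; Sample feed B (constructed); overlaps with feed A on purpose
203.0.113.5
198.51.100.16/30
192.0.2.0/25
192.0.2.128/25
not-an-address
"""

# Constructed hosts-file style domain list, the layout many DNSBL feeds use.
DOMAIN_FEED = """
0.0.0.0 phish.example
0.0.0.0 ads.tracker.example  # inline comment
malware.example
"""

# Constructed allowlist: e.g. a streaming domain a Chromecast must still reach.
ALLOWLIST = {"netflix.example"}


def parse_ip_feed(text: str) -> List[ipaddress.IPv4Network]:
    """Return one network per valid line; '#' and ';' start comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip a malformed entry instead of dropping the whole feed
    return nets


def aggregate(feeds: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge feeds, drop duplicates and collapse adjacent/contained networks."""
    nets = []
    for text in feeds:
        nets.extend(parse_ip_feed(text))
    return list(ipaddress.collapse_addresses(nets))


def ip_is_blocked(addr: str, table: Iterable[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in table)


def parse_domain_feed(text: str) -> Set[str]:
    """Accept 'sinkhole-ip domain' hosts lines and bare domain lines."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = line.split()[-1]
        domains.add(name.lower().rstrip("."))
    return domains


def domain_is_blocked(name: str, blocklist: Set[str],
                      allowlist: Set[str] = frozenset()) -> bool:
    """A name is blocked if it or any parent domain (excluding the bare TLD)
    is listed; an allowlist hit on any of those labels wins over the block."""
    labels = name.lower().rstrip(".").split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    if any(c in allowlist for c in candidates):
        return False
    return any(c in blocklist for c in candidates)


if __name__ == "__main__":
    table = aggregate([IP_FEED_A, IP_FEED_B])
    print("collapsed table:", [str(n) for n in table])
    for addr in ("198.51.100.19", "198.51.100.20"):
        print(addr, "blocked" if ip_is_blocked(addr, table) else "allowed")
    names = parse_domain_feed(DOMAIN_FEED)
    for host in ("login.phish.example", "cdn.netflix.example", "tracker.example"):
        print(host, "blocked" if domain_is_blocked(host, names, ALLOWLIST) else "allowed")
```

Two design points carry over to a real deployment: collapsing the table before loading it is what keeps a multi-feed ruleset small enough to evaluate per packet, and checking the allowlist across every parent label is what stops an aggressive feed entry from breaking a service you deliberately whitelisted.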

Even once the box is loaded full of all this plugin goodness, it still easily routes a 100 Mb/s internet connection without even breaking a sweat on system resources. I am currently investigating local Gb/s options, and I am fairly confident it will hold up. (Feb 2020 edit: on ‘gigabit’ it pulls up to 850 Mb/s down, admittedly running a little hot, but that’s still lightning fast by NZ standards.)

It’s amazing how much I have managed to set up, and I’ve barely even scratched the surface of what this operating system is capable of doing. I am learning new possibilities daily, and I am finding the whole networking space very interesting. There are so many layers to routing (pun intended), and I am sure the skills I am developing here will also be useful in some aspect of my professional life.