What if you could manage routing, DNS, DHCP, NAT, IPsec VPN and SSL VPN, deploy IDS/IPS and firewalls, configure forward and reverse proxies, authenticate users with RADIUS or mobile OTP, integrate AD/LDAP user accounts, and manage SSL certificates, all from a single platform and dashboard? pfSense brings this whole range of network services together in one fell swoop.
The FreeBSD-based open source pfSense is a well-rounded combination of networking and security features. With 14 years of continuous development and deployment in production networks, pfSense has become a Swiss Army knife for routing, security and other network services (DNS, DHCP, packet capture, VPN services, etc.). The “more” part comes from how easily other well-known open source tools can be added to the pfSense platform as software packages. pfSense is available in hardware, software, and cloud deployment models. The company behind the development and maintenance of pfSense is Netgate, which provides hardware and official support. Let’s take a look at some of the pfSense features that support a full-featured, secure, and flexible network.
pfSense as a virtual device
The software-based pfSense solution is easy to deploy and configure, cost-effective, open source, and suitable for small and medium-sized offices or home networks; deployed on more powerful hardware, it can of course handle more. pfSense can be deployed on VMware Workstation, ESXi, Microsoft Hyper-V, Proxmox and any other virtualization platform. pfSense maintains extensive wiki documentation and forums, which I found very useful for installation, configuration, and troubleshooting. The ISO file for installing pfSense can be downloaded from here.
When installing on VMware, select FreeBSD 64-bit as the guest operating system; the underlying platform must of course also support 64-bit. Hardware resources can be as low as 512 MB RAM, 1x vCPU and a 20 GB hard drive, but I use 1 GB RAM, a 30 GB hard drive and 2x vCPU to manage my small lab environment. I also run another pfSense virtual appliance on the Amazon cloud, which provides VPN, firewall, and NAT capabilities for my single test EC2 instance.
The advantages of pfSense virtual appliances:
- Free, cost-effective
- CPU, RAM and HDD can be increased as demand grows
- Minimal resources, maximum utilization
- Increase the number of interfaces as needed
- Can be deployed on cloud platforms
Some great built-in features:
- Routing – Static routing support is built in. Packages such as FRR, Quagga_OSPF and OpenBGPD can be used to enable dynamic protocols such as BGP, OSPF and OSPFv6.
- Firewall – A stateful firewall with interface-based rules, and one of the easiest interfaces for managing inbound and outbound traffic. You can add notes and sections to keep the rule set organized and easy to manage.
- NAT – NAT rules are created in the NAT section, which supports port forwarding and one-to-one NAT. Each time a regular NAT rule is created, the corresponding firewall rule is created or updated automatically, which is one of the most useful features: if only the NAT rule were created and the firewall rule missed, traffic would still fail.
- Multi-WAN HA – Multi-WAN high availability can be configured by creating a gateway group and assigning each gateway a priority.
- VPN – pfSense has 5 different types of VPN options: regular IPsec can be used for site-to-site or client-to-site VPN, OpenVPN is a well-known SSL VPN tool, and there are also L2TP VPN, Apple IPsec VPN and AWS VPC VPN (applies to Amazon AMI images).
- DHCP server and relay agent – With the built-in DHCP server and relay, each interface/network can be configured to assign IP addresses from a range to end devices.
- Traffic shaping – Traffic shaping can be applied with pfSense on a per-interface basis.
- Load Balancing – You can create pools, virtual servers, and monitors for load balancing back-end servers.
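The NAT item above notes that a port forward without its matching firewall rule leaves traffic failing. As an added example (not code from the article or from pfSense), the following script parses a constructed sample in the layout of a pfSense config.xml backup, where port forwards sit under nat/rule, firewall rules under filter/rule, and an auto-created firewall rule shares the port forward's associated-rule-id; that layout, the sample addresses and the rule ids are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a pfSense config.xml backup (assumed):
# port forwards under <nat><rule>, firewall rules under <filter><rule>, and a
# port forward whose filter rule was auto-created shares its <associated-rule-id>.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>443</port></destination>
      <target>10.0.0.10</target><local-port>443</local-port>
      <descr>HTTPS to web server</descr>
      <associated-rule-id>nat_https_demo</associated-rule-id>
    </rule>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>2222</port></destination>
      <target>10.0.0.20</target><local-port>22</local-port>
      <descr>SSH to jump host</descr>
      <associated-rule-id></associated-rule-id>
    </rule>
  </nat>
  <filter>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><address>10.0.0.10</address><port>443</port></destination>
      <associated-rule-id>nat_https_demo</associated-rule-id>
    </rule>
  </filter>
</pfsense>"""

def find_orphan_port_forwards(config_xml: str) -> list:
    """Return (descr, interface, proto, target:port) for every port forward
    with no linked firewall rule: NAT translates, but the filter still drops."""
    root = ET.fromstring(config_xml)
    linked = {r.findtext("associated-rule-id", "")
              for r in root.iterfind("./filter/rule")}
    linked.discard("")  # filter rules that are not tied to any port forward
    orphans = []
    for nat in root.iterfind("./nat/rule"):
        if nat.findtext("associated-rule-id", "") in linked:
            continue  # pfSense created the matching firewall rule
        orphans.append((nat.findtext("descr", ""), nat.findtext("interface"),
                        nat.findtext("protocol"),
                        f"{nat.findtext('target')}:{nat.findtext('local-port')}"))
    return orphans

if __name__ == "__main__":
    for o in find_orphan_port_forwards(SAMPLE_CONFIG):
        print("port forward without a firewall rule:", o)
```

Run it against a real config.xml backup to list port forwards whose firewall rule was never created, the exact case where translation happens but traffic still fails.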
Other powerful packages
- Forward and reverse proxy (Squid) – Squid is a well-known Linux-based forward and reverse proxy that has been in use for more than a decade. The proxy can be used to control Internet traffic from internal users, or in reverse mode to redirect requests to internal servers.
- SSL certificate management (ACME) – The Automated Certificate Management Environment package is a great tool for obtaining free Let’s Encrypt SSL certificates.
- Bandwidth monitoring (Bandwidth) – This service tracks network bandwidth usage and builds useful graphs of bandwidth utilization per IP address.
- DNS server (BIND) – Another well-known open source DNS solution; pfSense lets you configure all the details of the BIND setup through the graphical user interface. If you have all the information at hand, you can set up a complete DNS server in minutes.
- Snort IDS/IPS – A powerful open source intrusion detection and prevention system that monitors and analyzes traffic in real time; content search and protocol analysis are some of Snort’s other useful features. It can be deployed as an additional package on pfSense.
- Suricata IPS
- FreeRadius authentication
- Port Scan/Security Audit (NMAP)
That is not all: there are more software packages that can be integrated into a pfSense installation to extend what it can do.
Some use cases where pfSense can be deployed:
- Small office/home networks with a handful of PCs and Wi-Fi
- Amazon cloud VPC VPN
- Laboratory environment
- Medium-sized companies
- Large enterprises (with professional support and dedicated hardware devices)
If you have trouble deploying pfSense as a virtual appliance, feel free to leave a comment on the forum, where you may get answers from people who have already tested it.