Hacking and information theft have become a booming business in recent years. Countless stories of large, well-known corporations being compromised have made everyone aware of just how vulnerable one becomes when connected to the Internet. One of the largest pools of computing resources used by nefarious hackers consists of compromised home computers and vulnerable devices connecting to home user networks. Many of these devices can be exploited and remotely controlled to carry out synchronized attacks against an unsuspecting target at a moment’s notice. Protecting home computing resources from unwanted infiltration and exploitation requires much more than an antivirus program. Today’s wireless routers and cable modems do not have the security features necessary to secure anything.
In order to provide a greater level of security for a home network (or a small business for that matter), a more robust solution is needed. There are a number of open source firewall/router distributions available. You can research those on your own. My distribution of choice is pfSense. This distribution is based upon FreeBSD, is quite robust, well-documented and very stable.
Here I discuss building and configuring a very robust firewall / router with built-in Wi-Fi, Snort IPS, Unbound DNS, DHCP Server, IPSEC tunnels and pfBlockerNG IP blocklist management. Once you hook up this device and start looking at your logs, you will wonder why you didn’t put this in place sooner.
So first the hardware . . .
The total hardware cost not including shipping is $447.41. Most of the hardware was obtained from NewEgg.
This may seem a bit steep compared to even the most expensive home router but this device is smoking fast and gives you all the power you need to run even the most aggressive packet filtering and shaping. Initially, I obtained a converted HP Thin Client with pfSense installed. The device worked fine but it was old, extremely bulky and hummed like a 747 when the room got warm. The new device is quiet as a mouse and about 10 times faster.
Once your hardware arrives, it should take less than 30 minutes to install pfSense, configure and be up and running. Future posts will discuss configuring additional security features on your pfSense install. While you are waiting for your order to arrive, you can prepare the pfSense installer.
Prepare the pfSense Installer
You should now be ready to install once you assemble your hardware.
Assemble the Hardware
Once all your components arrive, you can assemble the device. We will wait until after we are 100% sure the device runs properly before we swap out the mini-PCI Wi-Fi card as the card slot is located below the processor fan housing which must be removed to perform the swap. According to Zotac, removal of the screws securing the housing voids their warranty so we want to be 100% sure there are no issues with the device BEFORE we do that! We need to change out the Wi-Fi card as pfSense (based on FreeBSD) does not have the correct drivers for the card that was included.
There are plenty of step by step install guides for installing pfSense. Check out their documentation here.
There are many possible configurations that one can employ, but the simplest is to designate one interface as your WAN interface and connect it directly to your cable or DSL modem. Leave that interface in DHCP mode. Unless you use IPv6, disable it on that interface. The remaining interface is configured as the LAN gateway and given an IP that is used by all connected devices inside the LAN. It is possible to connect Wi-Fi routers to the LAN side if those routers are configured with something like DD-WRT and forward all traffic to the LAN interface of the pfSense router.
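To check a saved configuration backup against the layout just described, here is an added example (not from the original post or the pfSense project). It assumes the backup follows the pfSense config.xml layout, with interfaces/wan and interfaces/lan elements carrying if, ipaddr and ipaddrv6; the sample XML, port names and addresses are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the check reads.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan>
      <enable/>
      <if>re0</if>
      <ipaddr>dhcp</ipaddr>
      <ipaddrv6>dhcp6</ipaddrv6>
    </wan>
    <lan>
      <enable/>
      <if>re1</if>
      <ipaddr>192.168.10.1</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
</pfsense>"""


def audit_interfaces(config_xml):
    """Return findings where the config departs from the WAN/LAN layout above."""
    root = ET.fromstring(config_xml)
    wan = root.find("./interfaces/wan")
    lan = root.find("./interfaces/lan")
    if wan is None or lan is None:
        return ["config must define both a wan and a lan interface"]

    findings = []
    # WAN faces the modem and should take its IPv4 address by DHCP.
    if (wan.findtext("ipaddr") or "").strip() != "dhcp":
        findings.append("WAN IPv4 is not set to DHCP")
    # Assumption: an absent or empty ipaddrv6 element means IPv6 is off.
    wan_v6 = (wan.findtext("ipaddrv6") or "").strip()
    if wan_v6:
        findings.append(f"WAN IPv6 is still enabled ({wan_v6})")
    # LAN is the gateway for inside devices, so it needs a static address.
    lan_ip = (lan.findtext("ipaddr") or "").strip()
    try:
        ipaddress.ip_address(lan_ip)
    except ValueError:
        findings.append(f"LAN needs a static gateway address, found {lan_ip!r}")
    if wan.findtext("if") == lan.findtext("if"):
        findings.append("WAN and LAN are assigned to the same physical port")
    return findings


if __name__ == "__main__":
    for line in audit_interfaces(SAMPLE_CONFIG) or ["interfaces match the layout"]:
        print(line)
```

Run against the constructed sample, the audit reports only the leftover IPv6 setting on the WAN interface.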
Once you configure your device and can connect to the Internet, it is suggested that you allow the device to run for several days to be absolutely sure everything is working properly.
Installing and Configuring Wi-Fi
pfSense is based upon FreeBSD and is a little behind the times when it comes to WLAN or wireless support. There is a list of supported devices that is found here. The device that I list in the hardware components is the recommended device for pfSense. We will install that device and configure your pfSense device as a wireless access point.
I finally got around to installing the recommended wlan card. The installation of the physical device was trivial but did require me to break a “seal” that lets Zotac know that the device has been altered. After configuring the wireless network and setting up an SSID, I did some testing with a variety of devices. I found that many would not reliably connect to the wireless network. I did not have a ton of time to devote to this so I simply disabled the wireless network. I’ll leave experimenting with that for another day.
Aside from the issues I encountered with the wireless networking, this device has proven to be a worthy security device. It is blazing fast, has a variety of usable tools for securing your LAN and is very intuitive to configure. Try one and see what is really happening with your network!