Building A Killer pfSense Home Router / Firewall

Hacking and information theft has become a booming business in recent years. Countless stories of large, well-known corporations being compromised have made everyone aware of just how vulnerable one becomes when connected to the Internet. One of the largest pools of computing resources used by nefarious hackers consists of compromised home computers and vulnerable devices connecting to home user networks. Many of these devices can be exploited and remotely controlled to carry out synchronized attacks against an unsuspecting target at a moment’s notice. Protecting home computing resources from unwanted infiltration and exploitation requires much more than an antivirus program. Today’s wireless routers and cable modems do not have the security features necessary to secure anything.

In order to provide a greater level of security for a home network (or a small business for that matter),  a more robust solution is needed. There are a number of open source firewall /router distributions available. You can research those on your own. My distribution of choice is pfSense (Click to Visit pfSense Web site). This distribution is based upon FreeBSD, is quite robust, well-documented and very stable.

Here I discuss building and configuring a very robust firewall / router with built-in Wi-Fi, Snort IPS, Unbound DNS, DHCP Server, IPSEC tunnels and pfBlockerNG IP blocklist management. Once you hook up this device and start looking at your logs, you will wonder why you didn’t put this in place sooner.

So first the hardware . . .

1. Zotac ZBOX-ID91-U     –    $289.99 This unit has an Intel i3 Dual Core processor and it about 4 times faster than any Atom processor. The unit has 2 x 10/100/1000 Mbps NIC, mSATA with built-in Wi-Fi (we will change this out), accepts up to 16 GB RAM and support 1 2.5″ SATA3 drive at 6 Gbps.
2. Mushkin Enhnaced ECO2 120 GB SSD     –    $54.95
3. Crucial 8 GB (2 x 4GB) DDR3 SO-DIMM     –     $54.99
4. 2 x Rosewill RNX-AD7 High Power / True Gain 7dBi Dual Band Antenna     –     $9.99 x 2
5. Compex WLE200NX 802.11n, 802.11a, 802.11g 100mW 2×2 MIMO Atheros AR9280 Wireless Mini PCIe 2.4/5 Ghz Dual Band     –     $27.50

The total hardware cost not including shipping is $447.41. Most of the hardware was obtained from NewEgg.

This may seem a bit steep compared to even the most expensive home router but this device is smoking fast and gives you all the power you need to run even the most aggressive packet filtering and shaping. Initially, I obtained a converted HP Thin Client with pfSense installed. The device worked fine but it was old, extremely bulky and hummed like a 747 when the room got warm. The new device is quiet as a mouse and about 10 times faster.

Once your hardware arrives, it should take less than 30 minutes to install pfSense, configure and be up and running. Future posts will discuss configuring additional security features on your pfSense install. While you are waiting for your order to arrive, you can prepare the pfSense installer.

Prepare the pfSense Installer

1. Go to https://www.pfsense.org/download/mirror.php?section=downloads
2. ChooseComputer Architecture: AMD64 (64-bit)
   Platform: Live CD with Installer (on USB Memstick)
   Console: VGA
3. Select a Mirror site and download the g-zip image file
4. Extract the download using 7-Zip or similar
5. Download and install the Win32 Disk Imager program from SourceForge
6. Use a newer USB stick that has been completely formatted and plug into PC
7. Open the Win32 Disk Imager
8. Browse to the extracted pfSense image that you downloaded
9. Choose the USB Device from the Win32 Disk Imager Device drop-down list
10. Click the “Write” button
11. Wait until the image has been written to the USB stick

You should now be ready to install once you assemble your hardware.

Assemble the Hardware

Once all your components arrive, you can assemble the device. We will wait until after we are 100% sure the device runs properly before we swap out the mini-PCI Wi-Fi card as the card slot is located below the processor fan housing which must be removed to perform the swap. According to Zotac, removal of the screws securing the housing voids their warranty so we want to be 100% sure there are no issues with the device BEFORE we do that! We need to change out the Wi-Fi card as pfSense (based on FreeBSD) does not have the correct drivers for the card that was included.

1. Unbox your Zotac. Make sure it is complete and not missing any components.
2. Find the User’s Manual
3. Follow the instructions for installing the RAM and Hard Drive
4. Don’t worry about installing the antennas included with the Zotac. We will be using the Rosewill antennas once we are ready to move forward with the Wi-Fi configuration.
5. After you have re-assembled your Zotac, connect the power supply, plug in a monitor and keyboard and we are ready to install.

Installing pfSense

There are plenty of step by step install guides for installing pfSense. Check out their documentation here.

1. Without your USB Installer plugged in, power on your Zotac and make sure it boots to the point where is indicates that it has no boot device. Power it off.
2. Plug your USB Installer Image into the Zotac
3. Power it on
4. As soon as the USB image starts to boot, you will be prompted to “Press I” to start the installer. Do it!
5. Follow the on-screen instructions. You can choose the Quick and Easy option. Just be sure to choose the “Standard Kernel” when prompted
6. Reboot the device when the installer finishes and remove the USB Installer

Configuring pfSense

There are many possible configurations that once can employ but the simplest it to designate 1 interface as your WAN interface and connect it directly to your cable or DSL modem. Leave that interface in DHCP mode. Unless you use IPv6, disabled it on that interface. The remaining interface is configured as the LAN gateway and provided an IP that is used by all connected devices inside the LAN. It is possible to connect Wi-Fi routers to the LAN side if those routers are configure with something like DD-WRT and forward all traffic to the LAN interface of the pfSense router.

Once you configure your device and can connect to the Internet, it is suggested that you allow the device to run for several days to be absolutely sure everything is working properly.

Installing and Configuring Wi-Fi

pfSense is based upon FreeBSD and is a little behind the times when it comes to WLAN or wireless support. There is a list of supported devices that is found here. The device that I list in the hardware components is the recommended device for pfSense. We will install that device and configure your pfSense device as a wireless access point.

I finally got around to installing the recommended wlan card. The installation of the physical device was trivial but did require me to break a “seal” that lets Zotac know that the device has been altered. After configuring the wireless network and setting up an SSID, I did some testing with a variety of devices. I found that many would not reliably connect to the wireless network. I did not have a ton of time to devote to this so I simply disabled the wireless network. I’ll leave experimenting with that for another day.

Aside from the issues I encountered with the wireless  networking, this device has proven to be a worthy security device. It is blazing fast, has a variety of usable tools for securing your LAN and is very intuitive to configure. Try one and see what is really happening with your network!.