I had read about pfSense a while ago, but only recently did I decide to test it out on an old ThinkPad I had.
I found it to be awesome, and it has now replaced my Buffalo WZR-HP-G300NH as my home router/firewall. So why is it great? It's loaded with features, fully customizable, and simple to use.
I've added the Unbound DNS and the Snort Intrusion Detection packages to it for added awesome. Plus it has charts!
[image: 24hr traffic graph]
[image: Live traffic (while streaming Netflix)]
[image: Status Dashboard (heavily redacted)]
Anyhow, I thought I'd share this in case anyone else out there was hungry for something more in a home firewall. Cheers!
What is this? An alternative router firmware? Do you need to set up a separate firewall computer/server for this?
It certainly doesn't look like a windows executable that could replace avira or so.
Originally Posted by Husar:
What is this? An alternative router firmware? Do you need to set up a separate firewall computer/server for this?
It certainly doesn't look like a windows executable that could replace avira or so.
pfSense is an operating system based on FreeBSD. So you'd install it on a computer and that computer would take the place of your router/firewall appliance (Linksys, Netgear, D-Link, whatever). It offers features, customization and security options that exceed just about anything short of enterprise-level firewalls... and it's free.
Typically, you'd want to run it on a PC that has 2 network cards in it. One for your outside connection to your ISP and one for your internal LAN. That was my original plan, but the desktop I was going to use draws about 75 watts of electricity when idling. I tried an old ThinkPad instead, and found it only uses about 24W. The problem was, it only had one Ethernet port built in. I got around that by buying a cheap managed switch that supports 802.1Q VLANs. I'd been wanting one anyhow, so this provided the justification I needed to finally get it. So, I configured the network interface on the laptop with 3 VLANs, Inside (LAN), Outside (ISP), and a guest network, and then I set up the switch with the same corresponding VLANs. I'm using a dedicated access point for wireless right now, but I also tested out using the laptop's wireless as an access point and it seemed to work well too.
It may sound complicated, but I actually found it to be pretty intuitive. The most time I've spent trying to get something working has been for its DNS server to correctly resolve LAN hosts (which seems to be working great now), but that's something that's entirely optional. I think anyone with a reasonable amount of networking experience could use and benefit from this.
Just another example of the kind of visibility and control you can get into your networks when you're using something like this...
My wireless access point is an Aruba RAP3 that I got to keep after a training I took a while back. Very feature rich for a 2.4GHz AP - I've been pretty happy with it. But, yesterday (thanks to pfSense), I noticed that it's making encrypted connections back to Aruba HQ and sending who knows what data to them. It's probably not that big a deal, but there's no reason for an AP to be connected directly to anything on the Internet. So... I made a new firewall rule on the LAN interface and *BAM*, no more Internet access for the RAP3.
Similarly, I learned that, by default, Roku boxes perform frequent trace routes to monitor your Internet connection. A quick Google search later, and I've disabled that function on my home Rokus. Again, definitely not a big deal, but it doesn't need to be doing it, so I stopped it.
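For readers who want to see what the two posts above amount to at the OS level, here is an added example (not the original poster's configuration, and not what pfSense itself writes out; pfSense generates its own ruleset from the web GUI). It expresses the same design on plain FreeBSD, which pfSense is built on: one physical NIC carrying three 802.1Q VLANs (WAN, LAN, guest) to a managed switch, plus a LAN-side rule that stops a single access point from reaching anything outside the private address ranges while still letting it talk to the LAN. The interface name em0, the VLAN IDs 10/20/30, the subnets, and the AP address 192.168.1.10 are all assumptions chosen for the example; substitute your own.

```conf
# ---- /etc/rc.conf (assumed: the single NIC is em0; VLAN IDs 10/20/30 are arbitrary)
# The switch port facing em0 must be a trunk carrying tagged VLANs 10, 20 and 30.
vlans_em0="10 20 30"
ifconfig_em0="up"
ifconfig_em0_10="DHCP"                        # VLAN 10 = WAN, address from the ISP
ifconfig_em0_20="inet 192.168.1.1/24"         # VLAN 20 = LAN
ifconfig_em0_30="inet 192.168.2.1/24"         # VLAN 30 = guest
gateway_enable="YES"                          # forward packets between the VLANs
pf_enable="YES"
pflog_enable="YES"

# ---- /etc/pf.conf
wan   = "em0.10"
lan   = "em0.20"
guest = "em0.30"
ap_rap3 = "192.168.1.10"                      # assumed LAN address of the access point

# Private ranges: the AP may talk to these, but to nothing beyond them.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Hide both internal VLANs behind the WAN address.
nat on $wan inet from { $lan:network, $guest:network } to any -> ($wan)

# Default deny, logged; everything below opens specific holes.
block log all

# Traffic the firewall itself originates out the WAN (DHCP, DNS, updates).
pass out quick on $wan

# LAN rule from the post: the AP gets the LAN only, never the Internet.
# "quick" makes this match before the general LAN pass rule.
block return in quick log on $lan from $ap_rap3 to ! <rfc1918>
pass in on $lan from $lan:network to any

# Guest VLAN: Internet only, no path to the LAN or to the firewall's LAN address.
block in quick on $guest from $guest:network to { $lan:network, $ap_rap3 }
pass in on $guest from $guest:network to any
```

Rule order matters in pf: without "quick", the later "pass in on $lan" would be the last match and would override the block. The "block return" form sends a TCP reset / ICMP unreachable instead of silently dropping, so the AP's outbound attempts fail fast rather than hanging in retries, which is easier to spot in the logs (tcpdump -n -e -ttt -i pflog0).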
Stopping their glorious marketing efforts is certainly not going to help the economy.
It does sound interesting but I don't think I want to run an extra machine just for that, especially since my router also includes the modem and splitter and everything anyway.
Originally Posted by Husar:
Stopping their glorious marketing efforts is certainly not going to help the economy. 
It does sound interesting but I don't think I want to run an extra machine just for that, especially since my router also includes the modem and splitter and everything anyway.
Thought I'd mention, it also has a LiveCD so you can try it out by booting to CD without actually having to install it anywhere.