Mini-Review: pfSense

I’ve posted before about how I got sick of how much our Linksys router (for our home cable modem) stunk, so I ended up taking an old machine with dual NICs and building an OpenBSD firewall. It worked pretty well, but had a few flaws. Perhaps the biggest is something that’s not technically a flaw: it was a royal pain to configure. I don’t think ease of use was ever (or should ever be?) a design consideration with OpenBSD, but it was sufficiently painful to get it running, and sufficiently complex that I never quite had the amazing ruleset I wanted. Another problem was that it was, at times, too archaically strict. A “default deny” policy is, hands-down, the best way to do things, but ours never spoke the silly little LAN protocols like UPnP, which allow applications (e.g., direct file transfers over AIM) to request a port be opened and temporarily forwarded. Some would argue this is insecure, and, on some level, I’d agree. On the other hand, it was enough of a pain that it became tempting to poke holes all over the place so that these things worked. Plus it was just old: when OpenBSD 4.5 came out, I decided it was time for our OpenBSD 4.2 machine to see some changes, and a simple upgrade wasn’t going to cut it.

I downloaded the pfSense 1.2.3-RC1 beta. I think pfSense has a lot in common with why I love MacOS X so much: it’s a really slick, super-easy-to-use user interface, and yet it sits in front of what’s arguably one of the most rock-solid, full-featured platforms. pfSense is based on FreeBSD, which, while arguably not as “paranoidly” secure as OpenBSD, is still plenty solid and a little more mainstream.

So I said I’d give a mini-review. The installation was terrible. I think I drew the short straw here, as most people don’t seem to complain about the miserable experience I had. The installer was meant to be quick and helpful, but it auto-detected information about the cylinders, heads, and sectors of my hard drive and told me that the information was wrong and that the system wouldn’t boot. After a brief, “Are you serious? Is this 1994?” exchange with the computer, I let FreeBSD use the random values it wanted, and the install continued. Until fdisk blew up with an error that you can’t have 255 sectors; 63 is the max. So then use what the hard drive reported in the first place, which was 63? Oh, right, that won’t boot. After several rounds of this, I ended up just making up numbers to appease the process, and my 60GB hard drive has about 13GB of space visible to the operating system, with the rest vanishing due to the information being completely wrong. 13GB is enormous for a firewall anyway; pfSense can be installed on an SD/CF card.

It also includes a handy auto-detect tool: you plug in your LAN and WAN and it will set them up. This was problematic for me, since I wanted to set the thing up by hand and then drop it in place. You can set it up manually, which I ended up doing, but I first tried the auto-detect, letting it think our “WAN” was my Ethernet drop and my “LAN” was a crossover cable to my laptop. This never really worked; it wouldn’t detect a link on the NIC even though the NIC showed that the link was up. So I set things up manually and all was well. This, too, seems fairly atypical, and may have to do with the fact that we’re running two who-knows-what budget NICs.

After the hellish introduction to FreeBSD, though, pfSense suddenly became pleasurable. Almost as soon as it was installed, it was routing LAN over the WAN via NAT. I didn’t have to add pf rules by hand to make it do this. I hurriedly tried to figure out how to add a default deny policy, only to find out that this, too, was the default. It pretty much does what I wanted out of the box, and it does it well. I set up QoS-based packet queues, so that BitTorrent can’t take up more than 2 Mbps down and 1 Mbps up, and so that ssh and Remote Desktop (along with some other latency-sensitive stuff, e.g. IRC) get priority queueing. This took extensive research under OpenBSD and still didn’t ever seem to work right. On pfSense I had a neat little wizard that a 4th grader could have used. It creates “real” pf rules that I could go edit if I wanted to, except that I have no reason to go behind the GUI because it just works as it should.

It also does all sorts of graphs, including RRDTool graphs of things like CPU load, but also traffic (kbps/Mbps) both ways per link, latency and packet loss (not entirely sure yet what the latency is to?), packets per second, and the breakdown of traffic in each of the queues. They went the extra mile and added a streaming graph drawn in-browser via Adobe SVG showing real-time bandwidth usage. I’d like a feature that tracked monthly (per calendar-month) bandwidth usage, but the month-wide bandwidth graphs do keep a running total. (And we’ve apparently downloaded 13GB since I set this up over the weekend???)

Port forwarding is dead-simple. That actually caused me a problem at first, because I tried to make it hard by going through the firewall setup, but it turns out that I just need to click “Port Forward” and plug in the details. Setting up real firewall rules is done via a pretty easy wizard, too.
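As an added illustration of the policy described above (default deny, NAT, a port forward, a 1 Mbps upload and 2 Mbps download cap for a BitTorrent box, and priority for ssh, Remote Desktop and IRC), here is a hand-written pf.conf in the ALTQ syntax of FreeBSD 7 / OpenBSD 4.x pf. It is not the author’s configuration and not what the pfSense wizard emits; interface names, link speeds, addresses and ports are constructed assumptions.

```pf
# Constructed assumptions: NIC names, LAN range, dedicated BitTorrent host.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"
bt_host = "192.168.1.50"
bt_port = "6881"
pri_ports = "{ 22, 3389, 6667 }"   # ssh, Remote Desktop, IRC

# Upload shaping goes on the WAN NIC: pf can only shape what it transmits.
# Assumed 5 Mbps uplink; the p2p child is capped at 1 Mbps and may not borrow.
altq on $ext_if cbq bandwidth 5Mb queue { pri_ext, std_ext, p2p_ext }
queue pri_ext bandwidth 20% priority 7 cbq(borrow)
queue std_ext bandwidth 60% priority 3 cbq(default borrow)
queue p2p_ext bandwidth 1Mb priority 1 cbq

# Download shaping goes on the LAN NIC. Assumed 20 Mbps downlink; 2 Mbps cap.
altq on $int_if cbq bandwidth 20Mb queue { pri_int, std_int, p2p_int }
queue pri_int bandwidth 20% priority 7 cbq(borrow)
queue std_int bandwidth 70% priority 3 cbq(default borrow)
queue p2p_int bandwidth 2Mb priority 1 cbq

scrub in all

# NAT the LAN behind the WAN address; forward the torrent listening port in.
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port $bt_port -> $bt_host

# Default deny, both directions, logged. Everything below is an exception.
block in log all
block out log all

# LAN-originated traffic. pf uses the LAST matching rule (no "quick"), so the
# torrent box's bulk rule overrides the general one, and the priority-port
# rule overrides both. With "queue (a, b)", ordinary packets go to a and
# empty TCP ACKs / lowdelay packets to b, so uploads don't starve downloads.
pass in on $int_if proto { tcp, udp } from $lan_net to any \
    keep state queue (std_ext, pri_ext)
pass in on $int_if proto { tcp, udp } from $bt_host to any \
    keep state queue p2p_ext
pass in on $int_if proto tcp from $lan_net to any port $pri_ports \
    keep state queue pri_ext
pass out on $ext_if keep state

# Peers connecting in to the forwarded port: their data leaves via $int_if,
# so queue it there. Caveat: a flow is queued only where its rule's queue
# exists, so downloads on LAN-initiated peer connections land in std_int.
pass in on $ext_if proto tcp from any to $bt_host port $bt_port \
    keep state queue p2p_int
pass out on $int_if keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch the queues fill with `pfctl -vsq`.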

The machine is being vastly underutilized. I’m not running a VPN server, though I have multiple options if I want to. I’m not using it as a proxy server (with a transparent proxy server being an option), much less one that scans incoming content for viruses and aborts the transfer of anything malicious.

In short: if you can get past the awful FreeBSD installation (which doesn’t seem to happen to everyone?), pfSense is pretty awesome, and turns an old dual-NIC PC into an enterprise-grade firewall/router/gateway. It’s designed for lower-end or embedded machines, too!

3 thoughts on “Mini-Review: pfSense”

  1. Yeah. Neither DD-WRT nor Tomato Router runs on our access point, though.

    But besides… Our network is way too geeky to have our wireless AP serve as our “edge router.” The AP is just used to hook wireless clients into our wired network; we have a dedicated PC acting as the router for the rest of the network. 🙂

  2. I’ve worked with pfSense before, and I have to agree the installation process is horrible. I spent at least 3 hours trying to figure out why it would not install on a machine (failing after the reboot with random boot loader errors – always fun). Come to find out it was unhappy about there being existing Linux partitions on the machine. I guess “formatting” isn’t what it used to be.

    Other than that, it’s pretty nice except for the user interface, which is on a par with a 1997 Geocities page about pet rocks.
