As the internet approaches its fiftieth anniversary, networked computers have essentially become the norm across much of the world. Computer networks are commonplace, even within the home, and it is not uncommon for households to have multiple internet-connected devices—a trend that undoubtedly will only accelerate with the growing popularity of the internet of things (IoT). With networks becoming part of our basic infrastructure, reliable networking equipment has become as essential as telephone exchanges and railways were to prior generations.
Even if you only have a home network, at a minimum, you will need a router to connect your private network with the public internet and a firewall to provide both ingress filtering (filtering for incoming traffic) and possibly egress filtering (for outgoing traffic). pfSense can perform both functions. In this chapter, we will introduce the pfSense project, explain how pfSense can help secure your network, and introduce you to the pfSense community, from which you can find out more about pfSense, and, hopefully, get answers to questions. Finally, we will briefly discuss the objectives of this book.
Reading this chapter should provide the reader with an understanding of the following:
- The pfSense project
- What pfSense can do
- The pfSense community
- The objectives of this book
There are no particular technical requirements for this chapter, as it is simply an overview of pfSense and the book's objectives. Some familiarity with Linux and/or BSD would be helpful, as well as access to a computer that is capable of running pfSense (any modern PC should do); we will discuss the technical specifications in greater depth in the next chapter.
pfSense runs on the FreeBSD operating system. FreeBSD is an offshoot from Berkeley UNIX—the University of California, Berkeley had acquired a license for AT&T UNIX in the 1970s. Students started to improve on this version of UNIX, and Berkeley Software Distribution (BSD) was founded as a project to make modifications to AT&T UNIX, as well as to distribute this modified version. This version, however, had proprietary AT&T source code in it, and BSD users thus had to obtain a license from AT&T to use it legally. In the late 1980s, however, work began on a project to eliminate AT&T code from BSD in order to produce an open source version of it, thus spawning the FreeBSD project. Since then, FreeBSD has gained a following among those seeking a stable and secure open source variant of UNIX that provides good performance.
pfSense is based on pf, which is OpenBSD's packet filter (itself designed as a replacement for Darren Reed's IPFilter, which OpenBSD had been using up to that point). pf was incorporated into OpenBSD distributions in 2001. pf is a command-line utility, and, as a result, several projects were launched to provide a graphical interface for the pf utility. m0n0wall, initially released in 2003, was the first successful attempt at providing a graphical front end for pf. pfSense, which began as a fork of this project, was another such project.
Version 1.0 of pfSense was released on October 4, 2006. Version 2.0 was released on September 17, 2011. Version 2.1 was released on September 15, 2013, and Version 2.2 was released on January 23, 2015. Version 2.3, released on April 12, 2016, phased out support for legacy technologies such as the Point-to-Point Tunneling Protocol (PPTP), Wireless Encryption Protocol (WEP) and single DES, and also provided a facelift for the web GUI.
Version 2.4, released on October 12, 2017, continues this trend of phasing out support for legacy technologies while also adding features and improving the web GUI. Support for 32-bit x86 architectures has been deprecated (however, security updates will continue for 32-bit systems for at least a year after the release of 2.4), while support for Netgate Advanced RISC Machines (ARM) devices has been added. A new pfSense installer (based on FreeBSD's bsdinstall) has been incorporated into pfSense, and there is support for the ZFS filesystem, as well as the Unified Extensible Firmware Interface (UEFI). pfSense now supports OpenVPN 2.4.x, and as a result, features such as AES–GCM ciphers can be utilized. In addition, pfSense now supports multiple languages; the web GUI has been translated into 13 different languages. At the time of writing, version 2.4.3, released on May 14, 2018, is the most recent version.
pfSense is not the only option if you are looking for open source firewall/router software—it is not even the only software making use of FreeBSD and pf. The m0n0wall project was discontinued in 2015, but there have been several m0n0wall forks since its end of life, including t1n1wall and SmallWall. Manuel Kasper, the developer behind m0n0wall, supports OPNsense, a project that forked from pfSense in 2015. There are also projects such as Shorewall, an open source firewall tool for Linux that builds on Netfilter.
Nevertheless, pfSense is currently the most popular open source firewall/router, and the developer community contributing to the project is strong. It is fairly easy to install and configure, and is useful in a variety of deployment scenarios.
To provide a general idea of the versatility of pfSense, consider the following use cases:
You have a home network, and need a means of connecting the wireless devices in your house (such as computers, laptops, and tablets) to the internet. Therefore, you need a router (to connect your home network to the internet), a firewall (to perform ingress and egress filtering at the boundary between your private network and the internet), and a wireless access point (to enable wireless devices to connect to your home network). You will likely also want to have a DHCP server to assign IP addresses to devices on the network, and possibly dynamic DNS (DDNS) capabilities, so that you don't have to remember your public IP address when accessing your home network from the outside world. pfSense can perform all these functions.
You have a small office/home office (SOHO) network, and you need to connect several computers in your company to the internet. You also want to provide a means of allowing customers to connect to the internet on the same connection, but you want to have some means of controlling their access to the network so they don't use up the bulk of available bandwidth. You also want to keep them from accessing the internal company network. Therefore, you need to have separate subnets for your internal network and for customers, a captive portal to control customers' access to your network, and possibly traffic shaping capabilities to limit the amount of bandwidth used by customers. Again, pfSense can perform all these functions.
You are an administrator at a corporation that has an office in another city. You want to provide access to your local corporate network to workers in the remote facility, but you are concerned about confidential corporate information traveling over the public internet. A private WAN circuit is one possible option to allow remote users to connect securely to your network, but private WAN circuits are expensive. Therefore, you decide that the best option is to set up a peer-to-peer VPN connection between your local network and the remote site. You also want to have more than one internet connection, to provide redundancy when one of the connections goes down. As you might have guessed, pfSense allows you to set up VPN connections between networks, and to set up multiple WAN connections.
In short, pfSense can be used in a variety of scenarios, ranging from a simple home network with a handful of internet-connected devices to a corporate network with thousands of users. For those administering corporate networks, commercially available equipment with proprietary technology (such as Cisco switches and routers) may prove to be the better option. Such equipment often performs better under heavy load scenarios, offers integrated voice, video, and data services, and often comes bundled with technical support.
This book, however, is aimed primarily at beginners; therefore, it is generally assumed that the reader is more likely to set up a home network or SOHO network than a corporate network, in which case pfSense is generally a cost-effective, sensible option. There is a great deal of functionality built in to pfSense, and in many cases, when the base install does not provide the functionality you need, there are third-party packages available that do provide such functionality.
There will be times when you encounter a problem that cannot be solved by referencing this book or by troubleshooting the problem yourself. Although this book provides a detailed procedure for troubleshooting in Chapter 11, Diagnostics and Troubleshooting, it is often expedient to refer the problem to those who are more knowledgeable about pfSense than you are. In such cases, you can turn to the online pfSense community.
The official pfSense forums have recently moved to Netgate's website, which has reorganized the forums and added several more (including many devoted to pfSense international support). Anyone can read the forums, but in order to post on the forums, you must register, which requires you to provide a name and email address. Participation in the official forums can be an effective way of resolving problems and increasing your knowledge of pfSense.
Reddit has its own pfSense forum, and members of the pfSense development team often participate in this forum. Although Reddit isn't everyone's cup of tea, it is a good place to find out the latest pfSense news, ask questions, and (hopefully) get answers.
Also worth mentioning is the Spiceworks pfSense forum. Spiceworks is a professional network for the IT community. Although the company has its headquarters in Austin, Texas, it has an international presence as well. Their pfSense forum also has polls and how-to guides.
Finally, for those who find it easier to watch videos, there are many useful how-to video guides available online. An online search for the pfSense topic in which you need assistance will often turn up multiple videos, of varying degrees of complexity and clarity. YouTube is the most obvious place to look for such videos, although other video sites, such as Vimeo, also have pfSense-related content.
The purpose of this book is to explain the basics of pfSense—installing, configuring, and utilizing its services—to the networking beginner. This book does not presuppose any prior knowledge of networking, and thus some of the material is devoted to explaining networking basics. At the same time, this book focuses on pfSense fundamentals—not networking fundamentals—and if you find such explanations inadequate, it might behoove you to find a good networking primer to supplement your reading. For example, any of the popular review guides for the CompTIA's Networking+ exam should prove adequate.
The following are the main topics covered in this book:
- Installing and configuring pfSense
- Captive portal configuration
- Configuration of other basic services (DNS, NTP, SNMP, and so on)
- Firewall and NAT
- Traffic shaping
- Multiple WANs
- Routing and bridging
- Diagnostics and troubleshooting
This book is not aimed at intermediate users—it is aimed mainly at beginners setting up a home for their SOHO network. Therefore, some topics that would be more appropriate in a corporate network scenario have been omitted, such as load balancing and failovers. Other topics that might be worthy of a more extensive treatment in a more intermediate-level book, such as VLANs, have been scaled back somewhat. Also, although third-party packages are mentioned where appropriate, this book does not discuss such packages in any great depth.
Nonetheless, the reader should come away from this book with a basic understanding of how to utilize pfSense in the most common scenarios. If you feel you need to know more about pfSense than the information contained within this book, you might consider another book I authored, Mastering pfSense, which covers intermediate-level topics.
In this chapter, we introduced FreeBSD and the pfSense project, provided a brief overview of what pfSense can do, mentioned the online pfSense community, and looked at the objectives of this book. In the next chapter, we will provide a survey of the basics of networking, ways in which pfSense can be deployed in typical networks, the hardware requirements for pfSense, and how to install pfSense and do some basic configuration.
- What OS is used to run pfSense?
- What does pf stand for?
- Name one open source alternative to pfSense.
Hansteen, Peter N.M. (2014). The Book of PF: 3rd Edition. San Francisco, CA: No Starch Press. To my knowledge, the only comprehensive guide on pf, the command-line utility upon which pfSense is based.