pfSense – The Ultimate Router
Last Updated on April 27, 2021 by Travis Kipp
If you have internet at your house, you have a router. A router is in charge of directing internet traffic between devices, among other things. Most consumer routers are a combination of devices. Typically they are a router, switch, and wireless access point. There are many different brands with different features and capabilities. Did you know there is a free router called pfSense?
What is pfSense?
That last statement is somewhat misleading. pfSense is free; however, you still need physical hardware to run it. pfSense is an open source software distribution. Its core is based on FreeBSD, which is a Unix-like operating system. If you’re familiar with Linux, it’s based on Unix as well. It’s maintained by Netgate, which also sells devices that have pfSense already installed. If you want to learn a lot about computers, you can also install it on any regular computer based on the x86 architecture. I recommend getting a network interface card to add more ports, as most computers only have one and you ideally want two or more. One is for the WAN (Wide Area Network) and the other is for the LAN (Local Area Network). The others can be used to create other networks. For example, you may want to separate your smart TVs from your more trusted devices.
pfSense offers a robust router experience. It’s packed full of functionality while being easy to configure thanks to the fantastic web interface. Also, if you get stuck, Netgate has amazing documentation. pfSense will do anything a consumer router will do and more: creating new networks, traffic shaping, VPN, opening ports, static DHCP mapping. If you can think of it, pfSense can probably do it. Static DHCP mapping is one of my favorites. This allows your client computers to be set to obtain an IP address automatically while pfSense always assigns them the same IP. You have one central location to change static IPs rather than needing to change them on each client.
Being able to VPN into your home network is extremely useful. Maybe you forgot to copy a file to your flash drive before you left for work. Simply remote in and copy it over. pfSense supports setting up an OpenVPN connection so you can easily remote into your home network from anywhere in the world. If you decide to do this, I recommend installing the OpenVPN Client Export package.
Want to add functionality to pfSense? Take a look at the packages. My favorites are Suricata and pfBlockerNG.
Suricata is an intrusion detection system (IDS) and intrusion prevention system (IPS) solution. An IDS scans network traffic for suspicious activity based on rules and alerts an administrator about these activities. An IPS takes it one step further: once it sees something suspicious, it blocks the IP for a specified amount of time.
My other favorite is pfBlockerNG. This package allows you to block domain names. If you’re familiar with Pi-Hole, they’re both very similar. The first thing you need to do is find block lists. You can find lots of these by doing a quick search. They are simply lists of domain names. pfBlockerNG will then disallow access to the domains in the list. Lists are typically specialized. For instance, one might cover adult content and another tracking domains. Another amazing feature of pfBlockerNG is the ability to block IPs from an entire country. If you only do business in the United States, for example, you could block access to every other country. There’s no need for persons in those countries to access your site, so you might as well limit your attack surface.
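A pre-flight check for a block list before it is loaded, as an added example that is not part of the original post and is not pfBlockerNG's own code: it normalizes plain-domain and hosts-file lines, rejects malformed entries, and reports any domain you rely on that the list would block. The sample list, the allowlist names and the parent-domain matching rule are assumptions made for illustration.

```python
import re

# Constructed sample mixing the two common list layouts: plain domains and
# hosts-file lines ("0.0.0.0 domain"). All names use reserved test domains.
SAMPLE_LIST = """\
# tracking list (constructed sample)
tracker.example.test
0.0.0.0 ads.example.test
127.0.0.1 Ads.Example.Test   # duplicate, different case
0.0.0.0 cdn.shop.example     # would break a site we rely on
not a domain!!
localhost
"""

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

def valid_domain(name):
    """True for a syntactically valid hostname with at least two labels."""
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def parse_blocklist(text):
    """Return (domains, rejected_lines) from plain or hosts-format text."""
    domains, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments, fold case
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2 and fields[0] in SINK_IPS:
            fields = fields[1:]  # hosts-file layout: keep only the name
        if len(fields) == 1 and valid_domain(fields[0]):
            domains.add(fields[0].rstrip("."))
        else:
            rejected.append(raw.strip())
    return domains, rejected

def is_blocked(name, domains):
    """Match the name or any parent domain (assumed wildcard-style matching)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))

def allowlist_conflicts(domains, allowlist):
    """Names you depend on that the list would block."""
    return sorted(n for n in allowlist if is_blocked(n, domains))

if __name__ == "__main__":
    doms, bad = parse_blocklist(SAMPLE_LIST)
    print(sorted(doms), bad, allowlist_conflicts(doms, ["cdn.shop.example", "example.org"]))
```

Running the same check on each list you find makes it easier to see which feed caused a breakage after the lists are combined.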
OpenVPN Client Export
If you use OpenVPN, you’ll want to use the OpenVPN Client Export package with it. This allows you to easily export the configuration files needed to connect to your network rather than inputting the information manually.
While pfSense is great, it’s not a silver bullet. One area in which it struggles is wireless connectivity. Since the underlying operating system is FreeBSD, pfSense is limited to the same hardware that FreeBSD supports. This operating system does not support the newer wireless standards like 802.11ac, now called Wi-Fi 5, or Wi-Fi 6, for that matter. To put things into perspective, 802.11n, which was released in late 2009, is just now gaining support in the latest version of pfSense. As a result, it’s recommended to use a separate access point for better performance and support for newer wireless-enabled devices.
If you want a powerful turnkey router solution, pfSense is the ultimate router. Netgate offers devices which have pfSense preinstalled. If you are a tinkerer, you can install pfSense on any x86-based computer. If you go that route, I recommend purchasing a 2 or 4 port gigabit network card to make the experience better. Using pfSense as a wireless access point is not recommended as it does not support new Wi-Fi technologies. Suricata and pfBlockerNG are great plugins to run on pfSense. They both help you prevent unwanted traffic from entering your network.