John's Musings


Yeah, Me Neither

pfSense Hardware Firewall

I am always blathering on about network security. The only real security is a firewall. Your router that you bought on Amazon or at Walmart is NOT secure. Look at the box. It says it is FAST. It doesn't say it is secure. Furthermore there is a sticker on the bottom of it with a WiFi password that looks like this:


098798te6rfghjvhfydtHY(UYGIGUYTTUI^(*&)(&*(^*&T*&%TGYIKHLNLKL


That's awesome. It really is.


So then you plug your router into the cable modem which attaches it to the INTERNET via direct physical connection. Guess what the password is for that direct physical connection?


Answer: password


I'm not fucking kidding. Every router out there has a default WAN password that is something stupid like password or actually no password. And silly you thinks that long wifi password makes you secure.


Probably the BEST non-enterprise firewall out there is something called pfSense. And best of all it is FREE. You can download it for free. You just need some hardware to install it on. You can take an old desktop computer, put an extra ethernet port in it, and you are ready to rock. However, the big old desktop will be on 24/7 and will probably jack your power bill up more than it is worth. What you really want to do is get a small hardware appliance that sips power.


One way to do it is to buy an appliance from pfSense. They are a bit pricey, but you are also buying support, which you may need as pfSense is a bit geeky. pfSense is basically FreeBSD Unix. FreeBSD is probably the most stable and secure operating system there is. The internet backbone that you use every day doesn't run on Windows. It runs on Unix and Linux. It is rock solid stable.


One of the "gotchas" in using a computer or getting an appliance is that the next version of pfSense will require the CPU to support the AES-NI instruction set. So if you spend your money and your hardware does NOT support AES-NI you will not be able to update.


I previously had a pfSense Netgate SG-2220 (and by the way it is for sale now). It still works, it has AES-NI, etc. It's just that, if you know me, I have to have the latest and greatest.


One way to keep costs down a bit is to buy a mini appliance. I bought a Minisys E3845 Quad Core device from here. Got it for about $230. The nice Chinese company that ships it even sends it with pfSense installed!




Uh......yeah..........I totally trust a preinstalled firewall from China. I also trust my 401K to Hillary Clinton and Mexican tap water.


Best to blast that OS to the moon and install a fresh copy. Go here to download. Also to do this you'll need a USB keyboard and a VGA cable to a VGA monitor.




Configure your download like this:




It will download a compressed file with a .gz extension. Unzip that compressed file and inside will be a file named:


pfSense-CE-memstick-2.4.2-RELEASE-amd64.img


Get yourself a USB thumbdrive and a program called Etcher and burn the image file to the thumbdrive. From there you set your Minisys to boot from the thumbdrive and follow the install routine. Follow these directions. I'm not going to write them out. These are great instructions.
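Two things worth checking before you burn anything: that the box you are putting pfSense on actually has AES-NI (the "gotcha" above), and that the .gz you downloaded is the one pfSense published. The script below is my own added example, not from the original post or from pfSense; it assumes a Linux workstation with /proc/cpuinfo, gzip and sha256sum, and that a SHA256 sum file is published next to the download (the file name is assumed).

```shell
#!/bin/sh
# Pre-flight checks before burning the pfSense memstick image.
# Added example, not from the original post or from pfSense. Assumes a
# Linux host with /proc/cpuinfo, gzip and sha256sum; that a SHA256 sum
# file is published next to the download is an assumption too.

# has_aesni CPUINFO: succeed if the "flags" line lists "aes", the flag
# Linux uses to report AES-NI. Run it on the box you plan to reuse or
# buy, since upcoming pfSense releases need AES-NI to upgrade.
has_aesni() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw aes
}

# verify_image IMAGE_GZ SUMFILE: succeed only if the SHA256 of the
# downloaded .gz equals the sum listed for it in SUMFILE. Accepts the
# GNU "<hex>  <name>" layout and the BSD "SHA256 (<name>) = <hex>" one.
verify_image() {
    name=$(basename "$1")
    expected=$(grep -F "$name" "$2" | grep -oE '[0-9a-f]{64}' | head -n 1)
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# prepare_image IMAGE_GZ SUMFILE: verify, then decompress beside the
# download and print the .img path Etcher should burn. A download that
# fails verification is never unpacked.
prepare_image() {
    if ! verify_image "$1" "$2"; then
        echo "checksum mismatch, do not burn $1" >&2
        return 1
    fi
    out=${1%.gz}
    gzip -dc "$1" > "$out" || return 1
    echo "$out"
}
```

Typical use is `has_aesni /proc/cpuinfo` on the candidate box, then `prepare_image pfSense-CE-memstick-2.4.2-RELEASE-amd64.img.gz pfSense-CE-memstick-2.4.2-RELEASE-amd64.img.gz.sha256` on the machine that does the burning.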


You will have to set port assignments after it boots. Set them as follows:

WAN = em0

LAN = em1



That corresponds to LAN 1 and LAN 2 respectively on your Minisys.


Now plug this bad boy in directly AFTER your cable modem using the WAN port (LAN 1).

Now plug your router into the LAN 2 port.


You can access and control your firewall by opening a browser and pointing it to http://192.168.1.1

At first the credentials are:


user = admin

pass = pfsense


For God's sake change these. At this point you have a decent hardware firewall.


Oh yeah, there are tons of configuring you can do. You can add ad blockers and all manner of protection programs such as Snort, Squid, and pfBlockerNG. I encourage you to read up on that stuff; there are guides galore on the internet. If I can figure it out, so can you.


But just as is you're running a fairly tight ship with just the hardware firewall. You probably won't keep North Korea or the NSA out but you'll keep most of the common hacks from penetrating your network. Is it perfect? No. But it is TEN THOUSAND times better than plugging a router full of security holes and no password up to the internet.
