pfSense Firewall

Back in late 2016 I built a pfSense firewall based on the Fitlet XA10-LAN:

  • AMD Quad-Core A10 Micro-6700T
  • 4x GbE LAN ports
  • 802.11b/g/n module
  • 120GB mSATA SSD
  • 8GB DDR3 RAM

I’ve recently done a ground-up overhaul and completely reinstalled pfSense with the newest 2.3.4 release.  I’d like to give a shout out to Mark Furneaux for his video series Comprehensive Guide to pfSense 2.3, which I drew on heavily in assisting with my setup.

Packages enabled so far:
  • Squid + LightSquid:  Local caching enabled utilizing 2GB RAM + 40GB HD space, 1GB max file size.  Overkill for a home network, I realize, but it does help sometimes in caching OS updates, Steam downloads, and site content I often frequent.
  • Suricata:  I was previously using a Snort configuration but Suricata handles multi-threading and also appears to have some improvements over Snort’s signature handling.  I followed this guide and found it very helpful in the initial setup and tuning.
  • NTP: 4 NTP.org pools; Linux servers and Windows desktops set up to sync NTP through pfSense.
  • DNS (Unbound): Combination of 2 OpenDNS servers and 2 Google DNS servers.  The OpenDNS servers tend to be the fastest to return most of the time, but Google provides a good authoritative backup.  I have it configured to continuously re-cache the most often used sites.
  • DHCP: Static pool for servers, some custom host names mapped to MAC address for ease of use.
  • 8/20/2017 Update: Let’s Encrypt Certs generated and tied to pfSense Portal/GUI, VPN
  • 8/28/2017 Update: OpenVPN implemented with FreeRADIUS3 2-Factor Authentication
  • 9/01/2017 Update:  Configured pfBlocker Geo-block to restrict all incoming WAN connections to specific geo-locations.  Configured blocking of outgoing traffic to all countries on the TopSpammers list.  Set up DNSBL blocking of ads using EasyList.
  • 9/01/2017 Update: Configured DNSBL using lists from Pi-Hole & uBlock Origin
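The two DNSBL items above feed lists of very different shapes into Unbound: Pi-hole style lists are hosts-file format (`0.0.0.0 host`), while EasyList and uBlock Origin lists use Adblock syntax, most of which (element hiding, path rules, exceptions) cannot be expressed in DNS at all. The following is an added example, not pfBlockerNG's or pfSense's own code, showing how such lists can be merged into Unbound `local-zone`/`local-data` statements. It assumes Unbound's `redirect` zone type (which sinks the name and everything beneath it) and a sink address passed as `sink`; the list contents are constructed samples.

```python
"""Merge hosts-format (Pi-hole style) and Adblock-syntax (EasyList/uBlock style)
list entries into Unbound local-zone/local-data lines.
Added example; not pfBlockerNG code. Domains and addresses below are constructed."""
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
# Leading address in a hosts-format line (IPv4 dotted quad or an IPv6 literal).
_IP = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[0-9a-f:]+:[0-9a-f:]*")
# Names present in every hosts file that must never be sunk.
_SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
         "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
         "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}


def extract_domain(line):
    """Return the domain named by one list line, or None if it carries no DNS-expressible entry."""
    raw = line.strip()
    # Adblock element-hiding rules (example.test##.ad) are CSS, not DNS; drop them
    # before the '#' comment stripping below would mangle them into a domain.
    if "##" in raw or "#@#" in raw or "#?#" in raw:
        return None
    text = raw.split("#", 1)[0].strip()        # hosts-file comments
    if not text or text.startswith("!"):        # blank line or Adblock comment
        return None
    if text.startswith("||"):
        # Keep only the exact-host form "||host^"; a path, wildcard or option
        # (e.g. ||host^$third-party) cannot be honoured by a DNS sinkhole.
        if not text.endswith("^") or any(c in text[2:-1] for c in "/*$^"):
            return None
        candidate = text[2:-1]
    elif text[0] in "|@/":                      # anchored URL, exception, regex rules
        return None
    else:
        parts = text.split()
        if len(parts) == 2 and _IP.fullmatch(parts[0]):
            candidate = parts[1]                # hosts format: "0.0.0.0 host"
        elif len(parts) == 1:
            candidate = parts[0]                # plain domain list
        else:
            return None
    candidate = candidate.lower().rstrip(".")
    labels = candidate.split(".")
    if candidate in _SKIP or len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        return None
    return candidate


def build_unbound_config(lines, sink="0.0.0.0"):
    """Return Unbound config text sinking every domain found in *lines*.

    A 'redirect' local-zone answers for the zone name and everything beneath it,
    so a listed subdomain whose parent is also listed is dropped as redundant.
    """
    domains = {d for d in map(extract_domain, lines) if d}
    kept = [d for d in sorted(domains)
            if not any(d.split(".", i)[-1] in domains for i in range(1, d.count(".")))]
    out = []
    for d in kept:
        out.append(f'local-zone: "{d}." redirect')
        out.append(f'local-data: "{d}. A {sink}"')
    return "\n".join(out) + "\n"


# Constructed sample mixing both list styles, including entries that must be skipped.
SAMPLE_LISTS = """\
# Pi-hole style hosts list (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example.test
0.0.0.0 tracker.ads.example.test   # redundant: parent already listed
0.0.0.0 metrics.example.test

! EasyList / uBlock style (constructed sample)
||banner.example.test^
||banner.example.test/img/*
||cdn.example.test^$third-party
@@||good.example.test^
example.test##.ad-container
telemetry.example.test
"""

if __name__ == "__main__":
    print(build_unbound_config(SAMPLE_LISTS.splitlines()), end="")
```

The output is meant to be dropped into an Unbound include file; on pfSense the equivalent is the custom-options box of the DNS Resolver or what pfBlockerNG generates for you. Pointing the sink at `0.0.0.0` makes blocked lookups fail fast; pointing it at a local web server instead lets you log which names are being hit while tuning, which is the same trade-off pfBlockerNG's virtual-IP setting makes.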

TO-DO

  • The Suricata tuning period is almost done; I now see very few “noise” entries or false positives.
  • Possibly set up SELKS and pipe Suricata output to it from pfSense.
  • Create a new wireless interface on a separate VLAN to be used with IoT and other iffy devices.
  • Keep fine-tuning DNSBL to get better ad-blocking coverage.
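Most of the Suricata tuning effort described above (choosing it over Snort, then working through the noisy rules) comes down to answering two questions from the alert log: which signatures fire constantly, and whether they fire from everywhere or from a single host. The following is an added example, not part of the pfSense Suricata package, that parses `fast.log` lines, counts alerts per signature and source, and proposes `suppress` entries in Suricata's `threshold.config` syntax. The log lines and the signature IDs (in the 1000000+ local range) are constructed; thresholds are assumptions to adjust for your own traffic.

```python
"""Summarise Suricata fast.log alerts per signature and propose suppress entries.
Added example; not code from the pfSense Suricata package. All sample data is constructed."""
import re

# One fast.log alert line:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src:port> -> <dst:port>
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Return the fields of one fast.log line as a dict, or None for non-alert lines."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        d[k] = int(d[k])
    # fast.log writes addr:port for both IPv4 and IPv6; the port is always the last field.
    d["src_ip"] = d["src"].rsplit(":", 1)[0]
    d["dst_ip"] = d["dst"].rsplit(":", 1)[0]
    return d


def summarize(lines):
    """Map (gid, sid) -> {'msg', 'count', 'sources'} over every parseable alert in *lines*."""
    summary = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        entry = summary.setdefault((a["gid"], a["sid"]),
                                   {"msg": a["msg"], "count": 0, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(a["src_ip"])
    return summary


def suppress_candidates(summary, min_count=3):
    """Propose threshold.config lines for signatures that fired at least *min_count* times.

    A signature seen from several hosts is suppressed globally; one seen from a single
    host gets a narrower 'track by_src' suppression so it still fires elsewhere.
    Each suppress line is preceded by a '#' comment line carrying the rule message.
    """
    out = []
    for (gid, sid), e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        if e["count"] < min_count:
            continue
        if len(e["sources"]) == 1:
            (ip,) = e["sources"]
            out.append(f"# {e['msg']} ({e['count']} hits, all from {ip})")
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        else:
            out.append(f"# {e['msg']} ({e['count']} hits from {len(e['sources'])} hosts)")
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out


# Constructed fast.log excerpt: one chatty rule from two hosts, one burst from a single
# host, one rare alert that must not be suppressed, and one non-alert line.
SAMPLE_FAST_LOG = """\
08/28/2017-09:12:01.000001  [**] [1:1000001:1] LOCAL TEST chatty stream event [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:50112 -> 198.51.100.20:443
08/28/2017-09:12:02.000002  [**] [1:1000001:1] LOCAL TEST chatty stream event [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.11:50113 -> 198.51.100.20:443
08/28/2017-09:12:03.000003  [**] [1:1000001:1] LOCAL TEST chatty stream event [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:50114 -> 198.51.100.21:443
08/28/2017-09:12:04.000004  [**] [1:1000001:1] LOCAL TEST chatty stream event [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.11:50115 -> 198.51.100.21:443
08/28/2017-09:13:00.000005  [**] [1:1000002:2] LOCAL TEST single host DNS query burst [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.10:53412 -> 192.0.2.1:53
08/28/2017-09:13:01.000006  [**] [1:1000002:2] LOCAL TEST single host DNS query burst [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.10:53413 -> 192.0.2.1:53
08/28/2017-09:13:02.000007  [**] [1:1000002:2] LOCAL TEST single host DNS query burst [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.10:53414 -> 192.0.2.1:53
08/28/2017-09:20:00.000008  [**] [1:1000003:1] LOCAL TEST rare inbound probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.0.2.10:22
this line is not an alert and is skipped
"""

if __name__ == "__main__":
    print("\n".join(suppress_candidates(summarize(SAMPLE_FAST_LOG.splitlines()))))
```

Treat the output as a review list rather than something to paste in blindly: a rule that fires often is not automatically noise, and the by_src case in particular (one host tripping the same signature repeatedly) is exactly the pattern worth looking at before silencing it. On pfSense the resulting entries go into the Suricata package's suppress list for the interface, which uses the same syntax.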