Back in late 2016 I built a pfSense firewall based on the Fitlet XA10-LAN:
- AMD Quad-Core A10 Micro-6700T
- 4x GbE LAN ports
- 802.11b/g/n module
- 120GB mSATA SSD
- 8GB DDR3 RAM
I’ve recently done a ground-up overhaul and completely reinstalled pfSense with the newest 2.3.4 release. I’d like to give a shout out to Mark Furneaux for his video series Comprehensive Guide to pfSense 2.3, which I drew on heavily while working through my setup.
Packages enabled so far:
- Squid + Lightsquid: Local caching enabled using 2GB RAM + 40GB of disk space, with a 1GB maximum file size. Overkill for a home network, I realize, but it does help sometimes with caching OS updates, Steam downloads, and site content I frequent often.
- Suricata: I was previously using a Snort configuration, but Suricata handles multi-threading and also appears to have some improvements over Snort’s signature handling. I followed this guide and found it very helpful for the initial setup and tuning.
- NTP: 4 NTP.org pools; Linux servers and Windows desktops are set up to sync NTP through pfSense.
- DNS (Unbound): Combination of 2 OpenDNS servers and 2 Google DNS servers. The OpenDNS servers tend to return fastest most of the time, but Google provides a good authoritative backup. Unbound is configured to continuously re-cache the most frequently used sites.
- DHCP: Static pool for servers, with some custom host names mapped to MAC addresses for ease of use.
- 8/20/2017 Update: Let’s Encrypt certificates generated and tied to the pfSense portal/GUI and VPN.
- 8/28/2017 Update: OpenVPN implemented with FreeRADIUS 3 two-factor authentication.
- 9/01/2017 Update: Configured pfBlocker geo-blocking to restrict all incoming WAN connections to a specific geo-location. Configured blocking of outgoing traffic to all countries on the TopSpammers list. Set up DNSBL blocking of ads from EasyList.
- 9/01/2017 Update: Configured DNSBL using lists from Pi-hole and uBlock Origin.
TO-DO
- The tuning period for Suricata is almost done; I now see very few “noise” entries or false positives.
- Possibly set up SELKS and pipe Suricata data to it from pfSense.
- Create a new wireless interface on a separate VLAN to be used with IoT and other iffy devices.
- Keep fine-tuning DNSBL to get better ad-blocking coverage.