Anyone using PFSense as a firewall?

pete_c

I wasn't really sure where to post this or if I should just write a blog.
 
Over the last month or so I have been building a new firewall using new hardware.  I have used Smoothwall for many years.  That said it is today running on a small footprint Atom based motherboard with three NICs in a small mITX case.
 
I am looking to do load balancing on the WAN side and have multiple networks on the inside with the new PFSense box.
 
The new PFSense box is very small footprint build. 
 
The small case has a single slot riser board.  Ordered a double slot riser board for it today.
 
I started with 3 NICs using the two built into the motherboard.  Today I replaced the single added Intel Gb NIC card with a double server style NIC card.  I am looking though to add another double Intel NIC or maybe go to a 4 port Intel NIC card.
 
I noticed that it's really plug n play and just wondering if anyone else has a PFSense firewall configured?
 

Attachment: 4-Nics.jpg

I looked at pfSense, but ended up going with the Ubiquiti Edge routers a few months back.  They are based on Vyatta.  I couldn't be happier.  They are fast and give you several ports for setting up segregated LAN segments, load balancing, DMZ, etc.  Web interface is pretty good, but you still have the full CLI for advanced functions.
 
Thanks Jon.
 
Might give it a try. 
 
I do for home stuff lately like the whole DIY thing and relating to doing commercial stuff I always did try to break things while learning about them.....
 
I've run pfsense for the past 4-5 years and for the past 3 on an Alix2d3 routerboard with a minipci crypto accelerator card. Pfsense is phenomenal, I've yet to find something it can't do.
 
Best there is. ( The period at the end needs to be bigger to really get the sense of that statement. )
 
About a year ago I moved it over to a VM for my CQC server and moved pfsense with it.  It's a bit of overkill now as I only have a need for the single LAN and WAN, but it [touch wood] has been rock solid and gives me no grief at all.
 
I did test it with multiple networks and it was fairly easy to configure the routing.
 
Mick
 
Ordered a double riser card and a second 2 port NIC card for it today such that it will then have 6 NICs.
 
I've been doing a like for like configuration GUI to GUI and finding the layout of the management GUI for PFSense is making more sense to me than that of Smoothwall even though I have been using SW for years now.
 
I was used to a color description; red, green, et al and just seeing the hardware interface (with MAC) makes more sense.  This is only my opinion though.
 
Can you post more info on the hardware you have used please?  Always interested in options
 
Thanks
 
Mick
 
Hello Mick,
 
I am using a Casetronic C-137 case.  I did actually get a "deal" on these a few years back and purchased "closeout" stock with core duo motherboards. I have attached some stock photos of it. 
 
Over the years mostly because of the deal I got I have been using these boxes for lots of stuff.  I am not promoting the company nor the case as I do not work for them.
 
Today these have become sort of mini servers for me with newer modern motherboards. IE: I have one set up as a MythTV box.  I am still playing with this box though.  Now it has 6 tuners plus three tuners for 9 tuners and I do not watch TV.  I did add satellite (OTA, cable and satellite).
 
Homeseer boxes are using these with different motherboards and CPUs.  Note that I am not a server hugger and utilize VMs today for playing with OS's and other stuff.  I also have two HS boxes built using the Foxconn mini-itx cases (such that I guess I have 5 HS boxes set up but only three are on right now?).  Foxconn's are using Atom based D525's and one was transplanted with a core duo motherboard.
 
I will go into details on the motherboard with another post.  It does have two Gb built-in connections, mini-pcie slot, pcie X slot, pci slot, CF card slot etc.
 
The motherboard also has VGA, HDMI, DVI and LCD video outputs on it.  Kind of a "do all motherboard"  because it also has some 4-6 serial ports and abundant USB ports on it.  (another deal such that I purchased a "few" of these boards).
 
I am also building a new box with one of these cases for LinuxMCE.  I am internally (in my head) debating on whether to go AMD or Intel quad core CPU mITX motherboard with this setup (have a collection here).
 
I will post pictures of my custom PF-Sense box with the 6 NICs after I finish it. 
 

Attachment: stock-3.jpg

Just a quickie question relating to putting boxes inside of a DMZ. 
 
In experimenting sometimes I do drop the boxes in the Smoothwall DMZ open to the internet with no rules. 
 
For example dropping secondary firewalls layered inside of my network or just boxes that I want to open up to the internet in general.
 
Curious about the methodology of doing this with PFSense. Have two questions:
 
1 - should I create a 1 to 1 NAT first?
2 - firewall rule which allows all incoming traffic on the WAN link to one IP on one LAN link/IP?
 
or should I just move my experiments over to another LAN interface / subnet and just open up the entire subnet to the WAN?
 
Today my main network subnet bit mask is /25 (then smaller WLAN subnet) and I keep the DHCP scope to some 3-4 addresses with the rest of the network devices with static IPs.
 
Attached is the sort of equivalent with Smoothwall pictures to my guesstimate with PFSense.
 

Attachment: DMZ.jpg

Thanks Frunple.
 
Yup my main subnet is almost totally full these days ...almost running out of IPs now...and having put managed switches on the network will help me in "testing" sandbox stuff mods...
 
Added the second NIC card.  Worked first time.  Now have 6 NICs running.  I found a source for PCIx cards and made up a double stacked riser card.  The PCIx intel nic Gb cards were about $17 each.
 

Attachment: Pic-1.jpg

Are you trying to say that you have four single port cards in that case - the one that has two slots available?
 
What do you mean exactly by "made up a double stacker riser card"?
 
NIC's are cheap - I remember buying my first one for $200 (Intel as well) and that was a 10base2 card.
 
Unfortunately, dual and quad NIC's don't scale in price as nicely - if I could get a quad for the cost of four singles I would be happy, but that's not the case.
 
Thanks for the info on the case
 
Mick
 
Yup; two are on the motherboard and I installed a dual PCI riser with two dual intel PCIx NICs each for $10 USD which I think was a good deal as I couldn't find them for less than $50.
 