Column by: Paul Venezia
Those of us who work in the depths of high technology are not immune to the age-old adage of the shoemaker’s children having no shoes. We probably have the most technologically advanced homes of anyone we know, but we also tend to leave various items alone if they’re not causing problems. After all, that’s what we deal with at work. Who needs to saddle themselves with network upgrade projects at home when nothing’s broken?
That’s how your home winds up with a circa 2001 "small"-form-factor Dell GX110 as a firewall, running an oldish version of IPCop, booting from a CompactFlash card, dutifully whirring away for 12 years. I finally decided to put it out to pasture a few weeks ago.
That leads me to the point of this column, which is that you should totally go check out pfSense.
I’ve used pfSense in all sorts of commercial endeavors for years now. It’s an astoundingly full-featured and very fast firewall, built on FreeBSD, using the stellar pf packet filter. The UI is as good as if not better than many expensive commercial offerings, and you can always dig under the covers if you like. It supports IPSec, PPTP, L2TP, and OpenVPN VPNs. It can handle multi-WAN configurations, and it offers QoS, extremely detailed performance data collection and graphing, load balancing, captive portal, DHCP services, and all kinds of other capabilities. Heck, it even supports fail-over to companion pfSense boxes via CARP (Common Address Redundancy Protocol).
Since I’d decided to finally mothball my elderly IPCop installation, I was definitely going to use pfSense, but I also wanted to get rid of the power-hungry and ancient GX110. Thus, a nice embedded board with several NICs was in order. Netgate is one resource for boards like this, and its APU1D kit was the right fit. A small board with RS232 and USB ports and three gigabit NICs, the APU1D runs an AMD G series T40E APU dual-core at 1GHz, embeds 2GB of RAM (you can opt for 4GB with the APU1D4 board), and sports a SDHC (Secure Digital High Capacity) slot. The kit comes with the case and power supply. (Purchase this from ByteFoundry preassembled and ready to run)
It’s the work of only a few minutes to put the kit together (don’t forget the heat spreader) and another few minutes to use whatever disk imaging tool you wish (such as dd) to image an SD card with the right pfSense image and to boot up the unit with a null-modem cable in the serial port. Note that the board BIOS runs at 115200 8,N,1 while pfSense boots at 9600 8,N,1. Thus you’ll want to align those after the initial setup. Oh, and if you’re using a straight pfSense image and not a Netgate image, you’ll need to set the kernel boot delay at the first boot, then in loader.conf.local. This is a minor hassle, but very necessary.
Then you’re done. Fire it up, do basic NIC configuration via the serial console menu, then hit it with a Web browser to do the rest. All in all, deploying your pfSense firewall is the work of less than an hour, start to finish. I retired the GX110 after well over 100,000 hours of total operational time and I am all the better for it.
If DIY isn’t your thing, you can buy a ready-built firewall, complete with support. Any way you cut it, the pfSense project has grown far from its m0n0wall roots into probably the best out-of-the-box firewall solution out there. Go forth and install.
Original article posted here.