pfSense and Sensibility

Upon reading my last piece, my partner here at the 'secc informed me that my post, while interesting, had pretty much nothing to do with infosec. Lol ... I hate when she's objectively correct. But, as I reasoned, this is the only blog to which I contribute, and my brain dump had to go somewhere! And it was technical, at least!

Here's hoping I can redeem myself with this more bite-sized post about the latest project upon which I've embarked. Networking! Routing! Is there a piece of infrastructure more important to the security of your network than your firewall? I'd say no (unless Clyde from accounting who will click on literally ANYTHING is classified as infrastructure).

As an enthusiastic aficionado of open source software, I'd been hearing about pfSense for quite some time, but up until recently I had never been curious enough to find out what the fuss was all about. I'd been using dd-wrt and Tomato as edge devices at home and SonicWall at work. They all seemed to serve their purposes well enough. But when I set up a new home surveillance system and my router was fighting me every step of the port forwarding/NAT'ing way, it seemed like a good time to give pfSense a whirl.

The cool thing about pfSense is that it's not terribly discriminating in terms of what hardware it will run on. I have an old HTPC in my basement which had been running FreeNAS (now TrueNAS), and Ubuntu before that, but it's been powered off since the last electrical outage (about 6 months ago) and no one has had any urge or purpose to fire it back up. That miiight have been a sign I should re-purpose it. To make this project make any sense whatsoever, I needed at least one additional Ethernet port, which the NAS box actually did have installed.

After etching the installer ISO onto a USB stick and installing it on a small SSD, I was up and running with pfSense with minimal effort. I stepped through the process of assigning it a LAN IP. Before putting it into action, I re-assigned the old firewall a different IP address and gave the pfSense box the same gateway address the old box had so that the DHCP leases would still function and I'd get yelled at by my streaming-dependent family a little less.

Unfortunately, I forgot one small step in this process, which was to actually power off the old router. Ugh, it started handing out leases with its new IP address as the gateway, which caused some momentary frustration until I unceremoniously pulled the plug on the thing. One DHCP-doling device at a time, or you're gonna have a bad time. Another recommendation I have upon initial setup is to set the router's web GUI to listen on a port other than the most common ones (80/443), especially if you have any designs on doing web-related port forwarding.
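The "two DHCP servers at once" situation above is easy to catch if you look at what is actually being offered on the LAN. The script below is an added example (not code from the original post or from pfSense): it parses the options area of DHCP OFFER packets and flags any offer that does not come from the expected gateway, or that comes from the right server but hands out a different router. The packets and the expected gateway address (192.168.1.1) are constructed for the example; on a real network you would feed it the UDP payloads from a packet capture.

```python
# Added example: audit DHCP OFFERs seen on the LAN for a second DHCP server or
# an unexpected default gateway. Packets below are constructed, not captured.

EXPECTED_GATEWAY = "192.168.1.1"   # assumption: the pfSense LAN address

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that starts the options
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
DHCPOFFER = 2


def parse_dhcp_options(payload):
    """Parse the DHCP options area (everything after the fixed 236-byte header).

    Returns {option_code: raw_value_bytes}. Stops at END, skips PAD, and
    refuses truncated input rather than reading past the buffer."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def ip_str(raw):
    """Render a 4-byte option value as dotted-quad text."""
    return ".".join(str(b) for b in raw[:4])


def build_offer(server_id, router):
    """Construct a minimal DHCPOFFER: zeroed header (op=BOOTREPLY) plus options."""
    header = b"\x02" + b"\x00" * 235
    opts = MAGIC_COOKIE
    opts += bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + bytes(map(int, server_id.split(".")))
    opts += bytes([OPT_ROUTER, 4]) + bytes(map(int, router.split(".")))
    opts += bytes([OPT_END])
    return header + opts


def audit_offers(packets, expected_gateway=EXPECTED_GATEWAY):
    """Return (server_id, router, reason) for every OFFER that is not what the
    expected gateway should be handing out. Non-OFFER messages are ignored."""
    findings = []
    for pkt in packets:
        opts = parse_dhcp_options(pkt[236:])
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            continue
        server_id = ip_str(opts.get(OPT_SERVER_ID, b"\0\0\0\0"))
        router = ip_str(opts.get(OPT_ROUTER, b"\0\0\0\0"))
        if server_id != expected_gateway:
            findings.append((server_id, router, "offer from unexpected DHCP server"))
        elif router != expected_gateway:
            findings.append((server_id, router, "expected server hands out wrong gateway"))
    return findings


if __name__ == "__main__":
    # Constructed scenario from the post: the new pfSense box at .1 and the old
    # router, now re-addressed to .2, both still answering DISCOVERs.
    sample = [build_offer("192.168.1.1", "192.168.1.1"),
              build_offer("192.168.1.2", "192.168.1.2")]
    for server_id, router, reason in audit_offers(sample):
        print(f"{reason}: server={server_id} router={router}")
```

The check keys on option 54 (server identifier) rather than the packet's source address, because that is the value clients use to pick a server; the router option (3) is checked separately, since a misconfigured but legitimate server is a different problem from a second server.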

The pfSense UI is modern and sleek, and coming from a SonicWall world, the way to configure things is similar yet seemingly more straightforward. In addition to feeling more secure with an up-to-date and well-supported appliance, I wanted to accomplish two advanced networking tasks with this thing:

Configure ExpressVPN on the router level, as opposed to on the client level

There are many well-documented reasons one might want to set up a VPN on their home network. In my case, I pay for a content delivery service and I would like to consume the offerings of said service without being prevented from doing so because of arbitrary geographic restrictions.

ExpressVPN has some good documentation about how to accomplish this via the OpenVPN module in pfSense. It took some trial and error to get my config file matched up properly with the settings outlined in the how-to guide. Ultimately I got it working, but it definitely took quite a bit of time.
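Most of the trial and error in this step comes from pulling individual values out of a provider's .ovpn file and typing them into the right boxes of the pfSense OpenVPN client page. The script below is an added example (not code from the original post, from pfSense or from ExpressVPN): it parses a client config, collects the directives you have to transcribe (remote host and port, protocol, cipher, auth digest, key direction) and the inline certificate/key blocks, and lists hardening directives that are absent. The .ovpn content is constructed for the example and does not represent any real provider's settings; the provider's own file is what you should parse.

```python
# Added example: pull the values a pfSense OpenVPN client needs out of a .ovpn
# file, and point out missing server-verification settings. Constructed input.
import re

# Constructed sample .ovpn; host, ports, cipher and key material are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1195
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def parse_ovpn(text):
    """Split an OpenVPN config into directives ({name: [args, ...]}) and inline
    blocks ({block_name: body}). Comments (# or ;) and blank lines are skipped."""
    directives, blocks = {}, {}
    current, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:               # inside <block> ... </block>
            if line == f"</{current}>":
                blocks[current] = "\n".join(buf)
                current, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current, buf = m.group(1), []
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks


def _first(directives, name, default=None):
    """First argument of the first occurrence of a directive, or default."""
    args = directives.get(name, [[]])[0]
    return args[0] if args else default


def summarize_for_pfsense(text):
    """Collect the values that get transcribed into the pfSense client page."""
    d, b = parse_ovpn(text)
    remotes = [(r[0], int(r[1]) if len(r) > 1 else 1194) for r in d.get("remote", [])]
    return {
        "remotes": remotes,
        "proto": _first(d, "proto", "udp"),
        "cipher": _first(d, "cipher"),
        "auth": _first(d, "auth"),
        "key_direction": _first(d, "key-direction"),
        "verifies_server_cert": _first(d, "remote-cert-tls") == "server",
        "inline_blocks": sorted(b),
    }


def missing_hardening(text):
    """List settings whose absence weakens the client's check of the server."""
    d, b = parse_ovpn(text)
    missing = []
    if _first(d, "remote-cert-tls") != "server":
        missing.append("remote-cert-tls server")
    has_tls_key = any(k in d or k in b for k in ("tls-auth", "tls-crypt"))
    if not has_tls_key:
        missing.append("tls-auth or tls-crypt key")
    return missing


if __name__ == "__main__":
    for key, value in summarize_for_pfsense(SAMPLE_OVPN).items():
        print(f"{key}: {value}")
    print("missing:", missing_hardening(SAMPLE_OVPN) or "nothing")
```

The two hardening checks matter because without `remote-cert-tls server` the client will accept any certificate signed by the CA, including another client's, and without a TLS key (tls-auth or tls-crypt) the server port answers unauthenticated handshakes from anyone.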

Get my NAT working so I can view my home cameras from afar

My prior problems with port forwarding port 80 seemed to be on the ISP level, as I still struggled with this even with the new routing appliance. I could easily get other ports to forward, just not 80. I ended up only port forwarding 443 after I finally got my certificate to validate via DNS records. pfSense made the NAT'ing process about as easy as it can be. Success.

Caveats and Slick Features

I regret to report that the pfSense experience was almost completely derailed. I was the subject of much ire in my house when there was an unacceptable lag performing basic internet browsing tasks. I thought it had something to do with the VPN settings or maybe something with the routing rules. It took me longer than I care to admit to finally determine the culprit. If you're in the IT field, it shouldn't surprise you:

Of course. It's always DNS. By default, the resolver was enabled. Frankly, I would prefer this on my home network to make it easy to access local resources by their host names, but switching the pfSense to DNS Forwarding completely alleviated the lag issue on the WAN. I don't know yet if there's a way to tweak the resolver settings to make it work properly but I'm content at this stage to leave DNS forwarding on for now.

I mentioned the logical and straightforward UI. Another neat thing pfSense does is a continual diff of each configuration change. If you run into troubles with the config ("but it worked 15 minutes ago!"), simply go to Diagnostics -> Backup and Restore -> Config History and restore the config from 15 minutes ago. I made use of this feature a few times. Most appliances will have the import/export functionality, but baking it right into the UI is a slick feature.
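The same idea works outside the box: if you export config.xml backups (Backup and Restore exports one), you can diff two snapshots yourself and single out the changes that alter what is exposed, i.e. anything under the NAT or filter sections. The script below is an added example (not code from the original post or from pfSense): it flattens two XML snapshots into path/value pairs, reports added, removed and changed leaves, and filters for the exposure-relevant ones. The two snapshots are constructed with a simplified element layout for the example; the diff logic itself does not depend on pfSense's exact schema.

```python
# Added example: diff two exported config.xml snapshots and pull out the
# changes that touch port forwards or firewall rules. Both snapshots below are
# constructed with a simplified layout, not real pfSense exports.
import xml.etree.ElementTree as ET

OLD_CONFIG = """<pfsense>
  <system><hostname>fw</hostname><webgui><port>8443</port></webgui></system>
  <nat>
    <rule><descr>cameras https</descr><protocol>tcp</protocol>
          <target>192.168.1.50</target><local-port>443</local-port></rule>
  </nat>
  <filter>
    <rule><descr>allow LAN</descr><type>pass</type><interface>lan</interface></rule>
  </filter>
</pfsense>"""

# Same config after someone added a second forward and moved the GUI port.
NEW_CONFIG = """<pfsense>
  <system><hostname>fw</hostname><webgui><port>443</port></webgui></system>
  <nat>
    <rule><descr>cameras https</descr><protocol>tcp</protocol>
          <target>192.168.1.50</target><local-port>443</local-port></rule>
    <rule><descr>cameras http</descr><protocol>tcp</protocol>
          <target>192.168.1.50</target><local-port>80</local-port></rule>
  </nat>
  <filter>
    <rule><descr>allow LAN</descr><type>pass</type><interface>lan</interface></rule>
  </filter>
</pfsense>"""

EXPOSURE_SECTIONS = ("/nat[", "/filter[")   # sections that change what is reachable


def flatten(elem, path="", out=None):
    """Map every leaf element to a path like /nat[0]/rule[1]/local-port[0].

    Repeated siblings get a positional index so two rules never collide."""
    if out is None:
        out = {}
    counts = {}
    for child in elem:
        n = counts.get(child.tag, 0)
        counts[child.tag] = n + 1
        child_path = f"{path}/{child.tag}[{n}]"
        if len(child):                       # has children: recurse
            flatten(child, child_path, out)
        else:
            out[child_path] = (child.text or "").strip()
    return out


def diff_configs(old_xml, new_xml):
    """Return (added, removed, changed) leaf maps between two snapshots."""
    old = flatten(ET.fromstring(old_xml))
    new = flatten(ET.fromstring(new_xml))
    added = {k: v for k, v in new.items() if k not in old}
    removed = {k: v for k, v in old.items() if k not in new}
    changed = {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
    return added, removed, changed


def exposure_changes(old_xml, new_xml):
    """Sorted list of changed paths that live in the NAT or filter sections."""
    added, removed, changed = diff_configs(old_xml, new_xml)
    touched = set(added) | set(removed) | set(changed)
    return sorted(p for p in touched if p.startswith(EXPOSURE_SECTIONS))


if __name__ == "__main__":
    added, removed, changed = diff_configs(OLD_CONFIG, NEW_CONFIG)
    for path, value in added.items():
        print(f"+ {path} = {value}")
    for path, value in removed.items():
        print(f"- {path} = {value}")
    for path, (before, after) in changed.items():
        print(f"~ {path}: {before} -> {after}")
    print("exposure-relevant:", exposure_changes(OLD_CONFIG, NEW_CONFIG))
```

Because paths carry a positional index, inserting a rule at the top of a section shifts every rule below it and shows up as many changes rather than one; sorting rules by a stable field such as `descr` before flattening avoids that if your rule descriptions are unique.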

I'm trying to refrain from ripping and replacing the SonicWall TZ600 at work with a fancy pfSense appliance. The SonicWall is already configured pretty optimally and it does its job well enough. Wish me luck.