Project Titanicarus: Part 3 – Building the PFSense Firewall

PFSense is a FreeBSD-based firewall distribution focused on delivering a simple and secure firewall. I am using it because I’ve used it before in production environments and it proved to be a really reliable workhorse. Installation is incredibly simple; I followed the installation guide on their wiki here. I have set the box up with two network interfaces, one for internet access and one for internal network access.

PFSense Main Page

Setting up NAT

NAT (Network Address Translation) is what most common household routers use to share a home internet connection. It takes one or more public IP addresses and allows one or more private (RFC 1918) IP addresses to access the internet without exposing those machines directly to the internet.

Setting up NAT in PFSense is pretty easy. I followed this guide and chose to set up manual NAT, as I’m going to use some additional IP space inside the network that I want to NAT, and leaving PFSense’s automatic settings might cause unexpected issues. For most people, however, automatic NAT should work fine.

Once you’ve set NAT up, simply set the default gateway on your servers to point at your PFSense box (10.0.0.1 in my case) and you should be able to ping an external internet IP address.

PFSense NAT Config

You will still need a DNS server for internet access to work properly; we will be installing DNS resolvers on the load balancers next week for your servers to use.

Allow yourself access to the Admin Panel

By default only LAN IP addresses can access the PFSense admin panel. If you have a static IP address at your home or office, you can add a rule on the WAN interface allowing inbound connections from that address to the port the PFSense web GUI listens on.

Please be careful not to leave the web GUI open to the whole internet; that’s just asking for trouble regardless of how complicated your passwords are and what port you choose to run the interface on. Eventually someone somewhere will work out how to breach your firewall, and failing that they will keep trying until the box runs out of resources, giving you huge amounts of pain trying to work out why it’s struggling so badly. Lock it down now and never have to worry again.

PFSense Firewall Rules
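As an added example (not code from the original post), a small Python audit that reads a pfSense config.xml and flags WAN pass rules that let any source reach the web GUI port, which is exactly the mistake warned about above. The element names used (filter/rule, system/webgui/port, source/any) are assumed from pfSense’s config.xml layout, and the sample config is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment (not from a real pfSense box):
# one WAN rule locked to an admin /32 and one accidentally open to the world.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system><webgui><protocol>https</protocol><port>443</port></webgui></system>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><address>203.0.113.10</address></source>
      <destination><network>wanip</network><port>443</port></destination>
      <descr>Admin GUI from office static IP</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any></any></source>
      <destination><network>wanip</network><port>443</port></destination>
      <descr>GUI open to the world</descr>
    </rule>
  </filter>
</pfsense>
"""

def port_matches(spec, port):
    # pfSense stores a destination port as "443" or a range as "443-450";
    # a rule with no port element matches every port, so treat it as a hit.
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_gui_rules(xml_text):
    """Return descriptions of WAN pass rules that let any source reach the GUI."""
    root = ET.fromstring(xml_text)
    # Assumed layout: <system><webgui><port>; pfSense defaults to 443 for https.
    port = int(root.findtext("system/webgui/port") or 443)
    findings = []
    for rule in root.iterfind("filter/rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        if not port_matches(rule.findtext("destination/port"), port):
            continue
        # ElementTree elements with no children are falsy, so compare with None.
        if rule.find("source/any") is not None:
            findings.append(rule.findtext("descr") or "(no description)")
    return findings
```

Running `exposed_gui_rules` over a real config.xml backup gives a quick check that the only WAN rules reaching the GUI port name a specific source address.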

Setup an Admin VPN

Even if you do have a static IP, I suggest setting up a VPN for all admin work so you’re not leaving admin interfaces open to the outside world. To set up the VPN I used the OpenVPN setup wizard that comes with PFSense; I also installed the OpenVPN Client Export Utility package so I can quickly and easily download a config file for my VPN client.

This VPN config is also going to be used to link the other Islands together. As you add Islands, you will add VPN links so that every Island has a VPN to every other Island. This means your data replication and backend admin processes can all happen securely rather than transmitting potentially cleartext content over the internet.

PFSense VPN Config

That’s it!

There really shouldn’t be anything more you need to do on the firewall at this point, provided you can access the admin panel and all your internal servers can ping the outside world.
