Upgrading a Home Network to a Small Business System Using pfSense

[ Share this article ]

Share this page via Facebook, Twitter or LinkedIn.

inShare

[ Send this article ]

[ Save this article ]

by Matt Williamson | September 2009 | Open Source

In this article by Matt Williamson, we will learn how to upgrade a home network to a small business system using pfSense in a step by step manner. We will begin right from the basic concepts of networking to the actual implementation of the upgrade.
I believe the most significant leap in understanding networking comes from learning how to turn a simple home network into a full-featured small business environment.  Surprisingly, I’ve never come across a plain-language tutorial on how to do just that.  However, I’ve learned a great deal throughout my career so far and today, I intend to write the article I wish I had found several years ago.

Prerequisites

1. Cable/DSL/FIOS Modem—Any internet connection device that has Ethernet out will do.
2. Wireless Router or Switch—Either will do. Be sure to read the next section for clarification.
3. Firewall Computer —The key to a business type environment is a dedicated hardware firewall.  We’ll be using pfSense, and if you check the hardware requirements you’ll see that an older machine will do nicely.  Any machine to be configured as a firewall requires a minimum of two Ethernet ports.
4. Client Computer—A laptop or desktop computer to be used as a client.  Windows or Linux will both work, but I’ll only be referencing Windows commands in this tutorial.
5. Disable All Security Software on All Client Machines—Make sure you disable Windows Firewall and any other security software you may have.  This introduces an added level of software security that will only hang you up while you’re trying to establish that your hardware firewall is working correctly.

Network Device Clarification

It’s very important to understand the similarities and differences between the core types of networking equipment.  The following should shed some light on the subject, in order of simplest to most complex:

1. Network Interface Card—Every type of wired networking device has at least 1 NIC, with 1 Ethernet port. A NIC can have multiple Ethernet ports. Each Ethernet port has a unique MAC address.
2. Cross-Over Cable—A crossover cable is sometimes needed to connect two network devices together without a switch. This may be the case if you’re using older hardware, and you want to connect a single client computer to your firewall computer. Most of the newer hardware “autosenses” regular and crossover cables so both will work automatically, but if you’re not receiving a signal or seeing any flashing lights then try using a crossover cable.
3. Switch—A switch adds more ports to your network and eliminates the need for a crossover cable. A typical 8-port switch will have 1 Ethernet cable running to the firewall, and the other 7 cables running to clients or other network devices.  It’s important to remember that it doesn’t matter which cable goes in to which port, they are all the same.
4. Router—A router provides an interface between two (or more) networks and will also usually act as a DHCP server. That's why on a router you have a special WAN port for that huge network we call the internet, and then a port for your internal Local Area Network (LAN). As a DHCP server, it’s responsible for automatically assigning an IP address to any device connected to the LAN and then it routes all traffic between both networks.
5. Wireless Access Point—A wireless access point (WAP) is simply a wireless switch. When you connect to one, it’s the same as if you would have plugged your computer into a switch.
6. "Wireless Router"—I have put this item in quotes because it’s important to understand that this type of device that most of us own is usually a combination of all the devices above. It has built-in NICs with Ethernet ports. It auto-senses crossover connections so they are never an issue. It routes traffic from that special WAN (usually labeled “Internet”) port to other ports for you to use as a LAN. Those 4 other ports are all for the same single subnet (your LAN) so that means it’s actually a 4-port switch. Additionally, those antennas provide WAP functionality.

Acronym Reference

1. WAN—Wide Area Network. Also known as the internet.
2. LAN—Local Area Network. Your internal network, also known as your domain or your intranet.
3. DMZ—De-Militarized Zone. A fancy name for just another type of internal network just like your LAN. The difference is, using firewall rules you prevent any traffic that comes into your DMZ subnet from going to your LAN subnet, for security purposes. This is where you would host a web server or FTP server, a place where anyone on the internet can access certain things without having access to your private LAN devices.
4. DHCP—A type of service that automatically hands out IP addresses. Many types of network devices are configurable as DHCP servers.
5. WAP—Wireless Access Point.  Essentially, a wireless switch.
6. NIC—Network Interface Card.

* WAN’s, LAN’s  and DMZ’s are all the same type of Ethernet network.  They all use the same hardware and work in the same way.  They are just given special names to differentiate how these networks are used.

Part 1 – Understanding your Existing Home Network

The diagram above is very typical of home networks. Study the diagram carefully and note the following key points of interest:

1. The wireless router can connect clients wirelessly using its built-in WAP.
2. The wireless router can connect wired clients using its built-in 4-port switch.
3. While not noticeable in the diagram, those wired clients could be connected via crossover cable (as long as the client’s NIC’s also support "autosensing").
4. And again, while not noticeable, the wireless router is likely configured as a DHCP server and will automatically hand out (and keep track of) IP addresses for each client that connects to it.

Unfortunately, this diagram fails to illustrate the importance of subnets. Also referred to as interfaces, subnets are the keystones of understanding how to take your network to the next level:

This illustration highlights a few more key benefits and limitations of a typical home network:

1. The wireless router is the central piece of the network.
2. The wireless router provides a ton of functionality for a single network device.  It’s a router, autosensing switch, WAP, DHCP server and most even have very limited firewall functionality (allow/block IP’s, website filtering, port-forwarding, etc).
3. The wireless router is limited to two interfaces, the WAN and the LAN.

So how do we resolve these limitations? How do we bump our network up a notch? We replace that wireless router with a serious hardware firewall. We take an old computer we have laying around and we turn it into router on steroids. Enter pfSense.

Part 2 – Creating a Small Business Network

Now that we thoroughly understand what we’ve already got, let’s take a look at what we want to create:

As you can see in the diagram above, our dedicated firewall is the centerpiece of our small business network.  Any firewall requires a minimum of two different interfaces, which means it requires a minimum of two NICs.  It should be obvious that the network illustrated above has four, but we’ll only be using two for this tutorial.

---

Books from Packt

Cacti 0.8 Network Monitoring

FreePBX 2.5 Powerful Telephony Solutions

Building Enterprise Ready Telephony Systems with sipXecs 4.0

Asterisk 1.4 – the Professional’s Guide

ASP.NET 3.5 CMS Development

Choosing an Open Source CMS: Beginner's Guide

3D Game Development with Microsoft Silverlight 3: Beginner's Guide

Magento: Beginner's Guide

---

Choosing Dedicated Firewall/Router Software

We’ll be using pfSense during this tutorial, but there are a variety of options to choose from:

1. pfSense
2. M0n0wall
3. Microsoft ISA Server
4. Smoothwall
5. IPCop

Building a Dedicated Firewall Box

Regardless of which software you choose, be sure to check the minimum requirements and throughput considerations before ordering any new hardware. Chances are you’ll be in good shape using old hardware, as you’ll see by the pfSense documentation below:

1. pfSense Minimum Hardware Requirements
2. pfSense Throughput Considerations

Remember, you need at least 2 NICs (WAN and LAN) and then more for any additional interfaces you plan on building.

Installing pfSense

You must first decide on what type of pfSense installation you’ll use— Embedded or LiveCD/Harddrive.  The embedded version is meant to be installed on a compact flash card and the entire image is configured specially to reduce the amount of writes to the disk (since flash media expires faster the more times it’s written to).  The LiveCD/Harddive version is meant for a regular old computer.  You'll boot to the CD where pfSense will run live with an option to install to the hard drive on the main menu.
Many "appliance" type machines (see Soekris or Recommend Vendors) will use the embedded version and most desktop machines will use the LiveCD/Hardware.  However, with the right adapters, an appliance can use a hard drive and a desktop can use a flash disk.
Once you've decided on which type of installation you'll use, refer to the detailed installation instructions here:

• http://doc.pfsense.org/index.php/Installing_pfSense
• http://doc.pfsense.org/index.php/HOWTO_Install_pfSense

Assigning Network Interfaces

From the main menu, choose the option to assign your network interfaces. Each NIC will be assigned an interface alias, something like "fxp1", which you’ll then assign to your logical interfaces (WAN, LAN, etc).  You may have to scroll up through the pfSense output to find the list of your aliases.  Once you’ve found them, assign your WAN, LAN and any optional interfaces.

Connecting Components

Connect your cable modem to the Ethernet port you think is associated with the alias you just created and assigned. Hit enter to refresh the screen and you should see some indication (a spinning star) of which interface is trying to obtain an IP.  Make sure you connect your modem to the WAN interface.
Next, connect your LAN devices. If you have more than 1 client, then connect using a switch; otherwise connect directly (remember, that might require a crossover cable).
Connect any devices you have for any additional interfaces you may have created.

Connecting to the pfSense Web Interface

Once you’ve installed pfSense, you must connect to the web interface through your LAN gateway from a client computer.  The main menu will tell you your LAN’s gateway IP (most likely 192.168.1.1). So using this, you can connect to the LAN interface Ethernet port directly from a client computer  (you might need a crossover cable). You can also do the same using a switch and then browse to the gateway IP address.  You should be prompted for a username and password which defaults to:

• Username: admin
• Password: pfsense

Configuring the WAN Interface

1. From the Interfaces drop down menu choose WAN.
2. Most ISP’s (Comcast, Optimum Online) have their customers obtain their IP via DHCP request.  If that’s the case, then leave type as DHCP and you should be done.  Otherwise, you may have to choose another connection type and possibly input some credentials.
3. Once you’ve configured your WAN, make sure you Save/Apply all settings and then check the Status -> Interfaces-> menu to make sure you’re obtaining a public IP address.  I’ve noticed this can sometimes take a few minutes, and sometimes it’s necessary to completely reboot your system.

Properly Rebooting Your Network

When obtaining IP addresses for the first time, and during other substantial network reconfigurations, you may find it necessary to reset your network.  The proper way to do that is as follows:

1. Turn off and disconnect every device from its power source. Wait 1 minute.
2. Reconnect your modem; wait for the lights to display a proper connection. Wait 1 minute.
3. Turn on your firewall. Wait for it to boot completely.
4. Turn on any other network devices (WAP’s, switches, etc) and wait for them to boot completely.
5. Turn on client machines.

Configuring the LAN Interface

By default, your LAN interface will be configured as 192.168.1.1/24. This means that your gateway (web interface) is 192.168.1.1 and your usable IP range is 192.168.1.1-192.168.1.254. This is known as a C Network Class.
If you’d like a larger range of IP’s, try a B Network Class of 172.16.0.1/16. This will give you a usable IP range of 172.16.0.1-172.16.255.254. This means your web interface IP will be 172.168.0.1!
The largest type of private network is a C Network Class.  10.0.0.1/8 gives you a usable IP range of 10.0.01-10.255.255.254. This means that your web interface IP will be 10.0.0.1!

Configuring Optional Interfaces

Any additional interfaces can be configured similarly to the LAN. You choose a gateway interface (which becomes the pfSense web access IP) and then you apply a subnet mask to specify the range of allowed IPs.  If you’ve been using the defaults and you are setting up an optional DMZ interface, then you’ll likely specify it to be 192.168.2.1/24. This will give you a range of 192.168.2.1-192.168.2.254.

More on Subnet Masks

A handy subnet calculator is available here—subnet-calculator, but for the most part you should just remember that:

• 24 means 255.255.255.xxx
• 16 means 255.255.xxx.xxx
• 8 means 255.xxx.xxx.xxx

Part 3: An Alias, NAT, Firewall Rule Walkthrough

Now that your firewall is running and you’ve gotten the major interface configuration out of the way, it’s time to create the custom rules that will define your network.  I find the best way to learn is by example, so the following is a complete walkthrough on how to forward Remote Desktop traffic to your client computer so that you can access that machine from anywhere.

Create an Alias

Although optional, it’s best to create an alias for each IP address, port, or range of ports you’ll be using in any of your firewall rules.  In this case, I’ll only create an alias for our client computer’s IP address since the pfSense includes a built-in alias for the Microsoft Remote Desktop (RDP) port (as well as other common ports):

• Firewall -> Aliases -> Add new alias.
• Name: Computer01
  Type: Host(s)
  IP: 192.168.1.101

Now we can reference the Computer01 alias in all of our NAT or Firewall rules.  Any box with a RED background can accept an Alias value.

Create a Static IP Mapping

Using pfSense’s built-in DHCP server, we will assign static mappings to all of our machines.  This allows our clients to remain configured as DHCP, but will guarantee they receive the same IP address each time they connect which is absolutely necessary if any of our rules are to perform correctly.

1. Status -> DHCP Leases.
2. Locate the Computer01 lease and click the + button to create a static mapping.
3. IP Address: 192.168.1.101 (SAME AS ALIAS!) Hostname: Computer01 (for simplicity all of my computer names match my alias names, but there’s no reason they can’t differ if you want them to).
4. Save and apply changes.
5. Disconnect and reconnect Computer01’s network connection.  From now on it will always receive the same 192.168.1.101 IP address, so now we can create rules for it.

Create a NAT (Port Forward) Rule

NAT rules go hand-in-hand with firewall rules.  NAT rules provide the redirection (this traffic goes where) while firewall rules provide access (allow/deny this traffic here).  So what we want to do is tell our system that all RDP traffic should be forwarded to our Computer01 machine.

1. Firewall -> NAT -> Port Forward Tab -> Add new mapping (+ button)
2. External Port Range – MS RDP
   NAT IP – Computer01
   Local Port – MS RDP
   Leave Auto-Add firewall rule checked!

So we just told our firewall to take all WAN TCP traffic coming in on port MS RDP (3389), and forward it to Computer01 (192.168.1.101) on port MS RDP (3389).  What's nice is, we haven't hard coded any values, if the IP address of Computer01 changes in the future, we simply change the alias and all rules will work correctly.

Analyze the Firewall Rule Created Automatically

Let’s take a look at the firewall rule pfSense created for us automatically. Firewall -> Rules -> WAN tab.  You’ll notice there are two, the first is a default and should never be changed while the second is the one we created for our NAT mapping. Reading the rule aloud should sound like:

 ALLOW traffic from ANY IP on ANY PORT access to COMPUTER01 on port MSRDP.

The one point of confusion may be why are we allowing traffic FROM ANY PORT? You have to remember that you’ll never know what port another computer is connecting FROM.  For example, when you browse to Google you’re requesting their port 80 traffic from, let’s say, your local computer’s port 65235.  Then your next request to Yahoo might be on port 51123. The point is, it’s up to your computer and you just never know what it’ll be.

Test It Out!

Now, from a public computer at the library or your office maybe, open Remote Desktop and type in your public IP address.  If Computer01 has Remote Desktop connections enabled and all security software is disabled, you’ll connect right to it!  Simply repeat these steps for all your other traffic. Enjoy!

Summary

In this article, we have learnt how to upgrade a home network to a small business system using pfSense.

About the Author :

Matt Williamson