Building a home firewall: review of pfsense

For some time now, I’ve been running OpenWRT on an RT-N66U device. I initially set that because I had previously been using my Debian-based file/VM server as a firewall, and this had some downsides: every time I wanted to reboot that, Internet for the whole house was down; shorewall took a fair bit of care and feeding; etc.

I’ve been having indications that all is not well with OpenWRT or the N66U in the last few days, and some long-term annoyances prompted me to search out a different solution. I figured I could buy an embedded x86 device, slap Debian on it, and be set.

The device I wound up purchasing happened to have pfsense preinstalled, so I thought I’d give it a try.

As expected, with hardware like that to work with, it was a lot more capable than OpenWRT and had more features. However, I encountered a number of surprising issues.

The biggest annoyance was that the system wouldn’t allow me to set up a static DHCP entry with the same IP for multiple MAC addresses. This is a very simple configuration in the underlying DHCP server, and OpenWRT permitted it without issue. It is quite useful so my laptop has the same IP whether connected by wifi or Ethernet, and I have used it for years with no issue. Googling it a bit turned up some rather arrogant pfsense people saying that this is “broken” and poor design, and that your wired and wireless networks should be on different VLANs anyhow. They also said “just give it the same hostname for the different IPs” — but it rejects this too. Sigh. I discovered, however, that downloading the pfsense backup XML file, editing the IP within, and re-uploading it gets me what I want with no ill effects!

So then I went to set up DNS. I tried to enable the “DNS Forwarder”, but it wouldn’t let me do that while the “DNS Resolver” was still active. Digging in just a bit, it appears that the DNS Forwarder and DNS Resolver both provide forwarding and resolution features; they just have different underlying implementations. This is not clear at all in the interface.

Next stop: traffic shaping. Since I use VOIP for work, this is vitally important for me. I dove in, and found a list of XML filenames for wizards: one for “Dedicated Links” and another for “Multiple Lan/Wan”. Hmmm. Some Googling again turned up that everyone suggests using the “Multiple Lan/Wan” wizard. Fine. I set it up, and notice that when I start an upload, my download performance absolutely tanks. Some investigation shows that outbound ACKs aren’t being handled properly. The wizard had created a qACK queue, but neglected to create a packet match rule for it, so ACKs were not being dealt with appropriately. Fixed that with a rule of my own design, and now downloads are working better again. I also needed to boost the bandwidth allocated to qACK (setting it to 25% seemed to do the trick).

Then there was the firewall rules. The “interface” section is first-match-wins, whereas the “floating” section is last-match-wins. This is rather non-obvious.

Getting past all the interface glitches, however, the system looks powerful, solid, and well-engineered under the hood, and fairly easy to manage.

9 thoughts on “Building a home firewall: review of pfsense

  1. If you are willing to try something not really open source, but also, not prohibitively expensive, I’d suggest looking at MikroTik, which can be run on PC hardware, but also is available on their hardware (named Routerboard). It has been pretty solid and I have yet to find something that I can’t do on it.

    Reply

    John Goerzen Reply:

    Interesting – hadn’t heard of them. I like having a lot of control available to me, so Debian/FreeBSD-based items are appealing… but thanks for the pointer.

    Reply

  2. You would have been able to do everything you wanted, and with basically none of the problems you mentioned, if only you took my advice and got an EdgeRouter Lite :)

    Reply

    John Goerzen Reply:

    Yes, but then I wouldn’t have the option to put Debian on it later ;-)

    Reply

    CasualLurker Reply:

    EdgeOS is derived from Vyatta/VyOS, which are based on Debian Wheezy; system configuration is generated dynamically from a single file with human readable syntax, like any sane network device.
    The only difference is that the ER devices are built upon Cavium Octeon accelerated network processors, so you get multi-gigabit line rate forwarding under 100$

    Reply

    Dan Reply:

    CasualLurker took the words out of my mouth – it pretty much already runs Debian.

    Reply

    John Goerzen Reply:

    My understanding had been that they couldn’t be upgraded past wheezy, but perhaps that information is outdated. Thanks guys.

  3. I wrote up my reasons for building a Debian x86 firewall a couple of years ago — I have no regrets at all. The extra cost is significant as a percentage, but not so much when you consider hardware modularity and the satisfaction of having a properly supported OS.

    https://randomstring.org/blog/blog/2014/11/09/a-new-firewall/

    I expect the price would be slightly lower these days what with the decline of SSD prices. Being able to reboot in less than a TCP timeout is really nice, too.

    Reply

    John Goerzen Reply:

    I’m curious – what are you using to manage it? Or is it just shell scripts around iptables, bind, etc?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *