Security HowTo's

Experiences with pfSense in a business with internal servers

I can’t say enough good things about pfSense. Having said that, I’m not against Cisco devices, Linux and BSD, or other proprietary firewall devices and systems. But the PF does stand out as a great option. As always, it’s about the right tool for the job, and that is what I’m sharing here.

The PF device I’m talking about is the low-end “SG-2220”. It has two interfaces: a WAN and a LAN port. Both are capable of gigabit speeds. It’s a small device about the size of a sandwich. While they don’t supply a default username and password in the package it comes in, it’s a quick google to find those. In my case it was “admin” and “pfsense”.

See their quick start guide here:

https://portal.pfsense.org/docs/manuals/sg-2220/getting-started.html#initial-setup

In my case the PF had two roles: NAT/firewalling and VPN. We opted to go with OpenVPN to accommodate both Apple and Microsoft devices. It’s also pretty easy to configure, and it provides downloadable configuration packages for a variety of devices for easy installation on the client device.

The initial configuration is simple and intuitive. The firewall and NAT configuration is easy enough, provided you understand NAT (and PAT). I was tripped up by permitting DNS through (this client hosted their public DNS services internally) only on TCP, when UDP was also required. Otherwise, no hassles.
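The TCP-only DNS mistake above is easy to make and easy to verify from outside the firewall. The script below is an added example, not part of the original post or of pfSense itself: it builds a minimal RFC 1035 query by hand, sends it to a nameserver once over UDP and once over TCP (with TCP's 2-byte length prefix), and reports which transport got an answer. The server address and the query name are assumptions you pass on the command line; the response bytes in the comments are constructed for illustration.

```python
"""Check that a public DNS server answers over both UDP and TCP port 53.

Hand-rolled DNS framing (no third-party resolver library) so the check
is self-contained. A firewall that only passes TCP/53 shows up as a UDP
timeout; one that only passes UDP/53 shows up as a TCP connection error
or timeout. TCP matters because a resolver retries over TCP whenever a
UDP answer comes back with the TC (truncated) bit set.
"""
import socket
import struct
import sys

DNS_PORT = 53


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Return a DNS query message for `name` (qtype 1 = A, class IN)."""
    # Header: id, flags (RD=1 only), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields a firewall check needs."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "truncated": bool(flags & 0x0200),    # TC bit: client should retry over TCP
        "rcode": flags & 0x000F,              # 0 = NOERROR, 3 = NXDOMAIN, ...
        "answers": an,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def query_tcp(server: str, name: str, timeout: float = 3.0) -> dict:
    q = build_query(name)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        # RFC 1035 4.2.2: each TCP message is prefixed by its 16-bit length.
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_header(data)


def check_both_transports(server: str, name: str) -> dict:
    """Return {'udp': ..., 'tcp': ...} describing which transport answered."""
    results = {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            hdr = fn(server, name)
            results[proto] = "ok" if hdr["is_response"] else "not-a-response"
        except OSError as exc:  # covers timeouts, refused and unreachable
            results[proto] = f"blocked or unreachable ({type(exc).__name__})"
    return results


if __name__ == "__main__":
    # Usage: python dnscheck.py <server-ip> <name>   (both are assumptions)
    if len(sys.argv) != 3:
        sys.exit("usage: dnscheck.py <server-ip> <name>")
    for proto, state in check_both_transports(sys.argv[1], sys.argv[2]).items():
        print(f"{proto.upper():3} port 53: {state}")
```

Run it from a host on the Internet side against the public nameserver's address; a result of UDP "blocked" with TCP "ok" (or the reverse) is exactly the half-open firewall rule the post describes. Query a name the server is authoritative for so a NOERROR or NXDOMAIN reply, rather than a refusal, is the expected outcome.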

I usually configure DHCP and DNS on the router to accommodate server outages that would otherwise leave staff without Internet access despite a working Internet connection. However, this client was large enough to have suitable infrastructure to sensibly move DHCP to an internal server (and, as I said before, DNS was hosted internally).

There was an issue when trying to permit an external (Internet side) technician access to the PF web interface. We had to make two changes: one relating to where the device can be accessed from, and one for a DNS issue. Both issues are easily solved, and the device gives directions if/when you encounter these problems. I’d call them minor and sensible (they occur for reasons).

With a cost of about $300 AU, it’s hard to argue against the PF. I’m a Cisco and Linux guy and know how good they are. I’m not saying they’re less capable than a PF. Because of its nice web interface, the PF allows even less experienced or new technicians to make changes.

I hope this has helped with your choice to use or not use pfSense in your home or business.
