Cyber-Security Linux Ubuntu, Mint & Debian Linux

Experiences with pfSense in a business with internal servers

I’m pro-pfSense. pfSense is a nice all-in-one firewall/router device that small and medium businesses can use for their perimeter firewall. This article covers my experience deploying pfSense with a client that hasn’t looked back.

We’re using this pfSense at this client as their firewall and VPN server. We could also have used it for the “Captive Portal” to present wireless devices with a message from the business and a “click here to accept our conditions” prompt.

The pfSense device I’m talking about is the low-end “SG-2220”. It has two interfaces, a WAN and a LAN port, both capable of gigabit speeds. It’s a small device about the size of a sandwich. While they don’t supply a default username and password in the package it comes in, a quick Google search finds them. In my case it was “admin” and “pfsense”. Note that they don’t sell this device any longer; it has been superseded by other devices.

See their quick start guide here:

https://portal.pfsense.org/docs/manuals/sg-2220/getting-started.html#initial-setup

In my case the PF had two roles: NAT/firewalling and VPN. We opted to go with OpenVPN to accommodate both Apple and Microsoft devices. It’s also pretty easy to configure and provides downloadable configuration packages for a variety of devices for easy installation on the client device.

The initial configuration is simple and intuitive. The firewall and NAT configuration is easy enough provided you understand NAT (and PAT). I was caught out by permitting DNS through only on TCP (this client hosted their public DNS services internally); UDP was also required, since resolvers query over UDP and only fall back to TCP for large answers and zone transfers. Otherwise, no hassles.
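The TCP-only DNS mistake above is easy to catch with a quick lint over the rule set before cutover. The script below is an added example written for this article, not pfSense’s own code or its config format: it models pass rules as a constructed, simplified record (the `Rule` fields and the sample rule lists are assumptions for the demo) and reports whether an externally published DNS server on port 53 is reachable on both TCP and UDP.

```python
"""Lint perimeter firewall rules for a DNS server published only on TCP.

Added example for this article, not pfSense's own code or config format: it
models pass rules as plain records (a constructed simplification) and flags a
port-53 service that is reachable on TCP but not UDP, or vice versa.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str       # "pass" or "block"
    interface: str    # interface the rule is attached to, e.g. "wan"
    protocol: str     # "tcp", "udp" or "tcp/udp" (pfSense offers all three)
    dst_port: int     # destination port matched by the rule


def rule_protocols(rule: Rule) -> set[str]:
    """Split a protocol string such as 'tcp/udp' into its transport protocols."""
    return {p.strip().lower() for p in rule.protocol.split("/")}


def allowed_protocols(rules: list[Rule], interface: str, port: int) -> set[str]:
    """Transport protocols that some pass rule permits to `port` on `interface`."""
    permitted: set[str] = set()
    for rule in rules:
        if rule.action == "pass" and rule.interface == interface and rule.dst_port == port:
            permitted |= rule_protocols(rule)
    return permitted


def missing_dns_protocols(rules: list[Rule], interface: str = "wan") -> list[str]:
    """Protocols an externally published DNS server still needs on `interface`.

    Resolvers query over UDP and fall back to TCP for large answers and zone
    transfers, so an authoritative server needs both; anything returned here
    is a gap in the rule set.
    """
    return sorted({"tcp", "udp"} - allowed_protocols(rules, interface, 53))


# Constructed sample: the mistake described in the article, DNS on TCP only.
TCP_ONLY_RULES = [
    Rule("pass", "wan", "tcp", 53),
    Rule("pass", "wan", "tcp", 443),
]

# Constructed sample: the corrected rule set using pfSense's "TCP/UDP" choice.
FIXED_RULES = [
    Rule("pass", "wan", "tcp/udp", 53),
    Rule("pass", "wan", "tcp", 443),
]


if __name__ == "__main__":
    for name, rules in (("tcp-only", TCP_ONLY_RULES), ("fixed", FIXED_RULES)):
        gaps = missing_dns_protocols(rules)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run as-is it reports `tcp-only: missing udp` and `fixed: OK`. The same check generalises to any service that needs more than one transport; only the port and expected protocol set change.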

I usually configure DHCP and DNS on the router to accommodate server outages that would otherwise leave staff without Internet access despite a working Internet connection. However, this client was large enough to have suitable infrastructure to sensibly move DHCP to an internal server (and, as I said before, DNS was hosted internally).

There was an issue when trying to permit an external (Internet-side) technician access to the PF web interface. We had to make two changes: one relating to where the device can be accessed from, and one to fix a DNS issue. Both are easily solved, and the device gives directions if/when you encounter these problems. I’d call them minor and sensible (they exist for good reasons).

With a cost of about $300 AU, it’s hard to argue against the PF. I’m a Cisco and Linux guy and know how good they are. I’m not saying they’re less capable than a PF. Because of its nice web interface, the PF lets even less-experienced or new technicians make changes.

I hope this has helped with your choice to use or not use pfSense in your home or business.
