If you need some one-on-one training with pfSense, I can supply it: $75.00
Firewalls. Everyone needs one, and buying a Linksys, Netgear or D-Link router just doesn’t give you the capabilities you’ll eventually need. I’m an enterprise technologies architect with over 17 years of experience, and I’ve worked with all the major firewalls out there, including Cisco PIX, Checkpoint, SonicWall, etc.
There’s one firewall that hardly anybody thinks about. It’s open source, gives you VPN access (site-to-site VPN included), load balancing, SIP proxying, and all of the functionality and performance of a multi-thousand-dollar solution without the cost. All of this runs on PC hardware with no licensing fees. I’ve replaced every customer’s firewall with pfSense. Why? Because, simply, it gives you all the flexibility and extensibility of the big-box solutions, and more, for free.
Properly configured, they are extremely secure and can do more than all the big-box solutions without the ridiculous licensing fees.
I run site-to-site VPNs between my offices and my houses all over the world. Completely secure, completely redundant, and (nearly) completely free. After all, I do pay for the hardware (I buy used Dell desktops).
So this article will discuss exactly what it takes to make it happen for your home setup, business, or enterprise. If you’re not an enterprise customer, the cost of the hardware is minimal. If you’re an enterprise, a set of redundant, load-balancing firewalls should cost you less than $2000.00 USD, if even that much.
So let’s get started.
pfSense is one of the lesser-known firewall distributions out there; it is easy to install and extremely robust, with millions of installations worldwide. It provides everything from transparent firewalling to proxying and more: VPN capabilities, dynamic DNS, VoIP proxying, network intrusion detection, network statistics reporting, capacity for thousands of connections, high throughput, and, did I mention my favorite? Support from experienced experts and a community that is very active!
If you run into any problems, I’m available to consult (at very reasonable fixed fees). Advice will always be free; consulting is what I charge for.
I can even set up a pre-configured firewall for you and ship it to you, or I can come on location to do the job (your preference), but telephone advice will always be free. Just contact me via the contact page on this blog with your information and I’ll be in touch with you very quickly.
So let’s get down to the nitty-gritty. You can read about pfSense at the following link: http://pfsense.org
I recommend using an old PC you have lying around if you’re a small business. You can always use a Netgate pre-configured appliance, but it won’t handle the P2P traffic or the throughput you’re really looking for unless it’s for an external employee; even then, it would still be cheaper to put in a refurbished PC, and you’ll get more power and throughput.
If you don’t have an old PC lying around, I recommend the following (please use these links, as they provide me with a small commission): buy a used (refurbished) Dell PC and add a couple of cheap Ethernet cards. You only need two for a simple setup, although you can add as many as you want. I use Intel-chipset Ethernet cards, because they lower the CPU utilization on the machine and perform the best.
Download the pfSense distribution ISO and burn it to a CD. The installation is self-guided and almost completely automated. Just remember to install it on the hard drive (anything with 20 GB or more is plenty). Then it’s just a matter of configuring the options you want, and it just “works”.
I will be writing a how-to on rules and setting up pfsense properly for a variety of situations, but if you have something special, please feel free to drop me a line and I’d be more than happy to entertain writing a blog post about how to do it.
If you’re in need of a pfsense box and don’t feel comfortable setting one up, I can do it for you. Just click on the Hire me link and let me know. We’ll talk about your needs and within a week or so, you could have your very own pfsense box doing all the magic you need it to do.
**Update**
I’ve opened up a new web store called cheappfsensefirewalls.com.
The concept is to sell pfSense firewall appliances. Let me know what you think. Also, for any purchase from the store, I will donate $5.00 to the pfSense developers. So hopefully some of you will be interested in purchasing a firewall from me.
I will help you configure the firewall completely and to your specifications as well. One of the nice things about the firewall is that you will gain a lot of extra throughput and features your current router probably doesn’t have.
Comments and suggestions would really be appreciated.
Cheers.
Of course, instead of getting paid firewalls, there are many free downloads available in the market now, and it’s better to utilize these resources to be more secure.
I think I figured out what the problem is with your VPN. The firewall that you have configured is the IN firewall on your external NIC. You have to open up the port on the LOCAL firewall. I just configured it and tested it in my lab, and it let me VPN in after configuring the local firewall on the external NIC.

My firewall configuration is:

```
rule 20 {
    action accept
    destination {
        port 1723
    }
    protocol tcp
}
```

To set the local firewall using the CLI:

```
set interfaces ethernet ethX firewall local name [firewall_name]
```

The VPN configuration is exactly how it’s configured in the other reply I posted. Let me know how this works out for you. Sorry about the confusion between the IN firewall and the LOCAL firewall. Since the VPN request is set to terminate at Vyatta, that’s the firewall that needs to be opened.

As for the transparent proxy, I’ve never used it. You are correct in your understanding of what it is supposed to do, though. In your webproxy settings, is the listen-address the default gateway for your client machines? If that address is not the default gateway, that would be a potential problem. Also, in looking at the configuration that you posted before, disable-transparent is set. Did you remove that setting? From the CLI:

```
delete service webproxy listen-address [internal eth address] disable-transparent
```

Good luck.
Is pfSense licensed? Does it work with every browser and OS? In what way is it different from other firewalls?…
pfSense, while licensed, is a free-to-use, VPN-license-free firewall that does everything the big-name firewalls do, just at no additional cost. It’s a very powerful and reliable firewall.
Take a look at my configuration and tell me where I am going wrong and how to correct it.

```
firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name FWTELNET {
        default-action drop
        rule 1 {
            action reject
            destination {
                port telnet
            }
            protocol tcp
            source {
                address 0.0.0.0/0
            }
        }
        rule 2 {
            action accept
            destination {
                address 0.0.0.0/0
            }
            protocol all
            source {
                address 0.0.0.0/0
            }
        }
    }
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            description "Allow VPN connection"
            destination {
                address (wan ip address from isp)
                port 1723
            }
            protocol tcp
        }
        rule 20 {
            action accept
            description Allow-MSTSC-Access
            destination {
                address 192.168.2.3
                port 3389
            }
            log enable
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.2.6/24
        description "Internal LAN"
        duplex auto
        hw-id 00:0d:87:53:94:44
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "External WAN"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
        }
    }
}
vpn {
    pptp {
        remote-access {
            authentication {
                local-users {
                    username vpnuser {
                        password ************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.2.151
                stop 192.168.2.161
            }
            outside-address (wan ip address from isp)
        }
    }
}
```
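Putting the reply about the LOCAL firewall into practice against the configuration posted above, as an added example that comes from neither commenter: it assumes eth1 is the external NIC, uses WAN_LOCAL as a placeholder rule-set name, and adds the GRE, DHCP and established-state rules that a default-drop local rule set needs so the router itself keeps working.

```vyatta
configure

# Rule set for traffic addressed TO the router (the "local" hook). A PPTP
# session that terminates on Vyatta is handled here, not by WAN_IN, which
# only sees traffic forwarded THROUGH the router.
set firewall name WAN_LOCAL default-action drop

# Replies to connections the router opened itself (DNS, NTP, ...) must pass.
set firewall name WAN_LOCAL rule 1 action accept
set firewall name WAN_LOCAL rule 1 state established enable
set firewall name WAN_LOCAL rule 1 state related enable

# eth1 is "address dhcp": lease offers and acks arrive on UDP port 68 and
# are not reliably tracked as established, so allow them explicitly.
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 protocol udp
set firewall name WAN_LOCAL rule 5 destination port 68

# PPTP control channel: the rule from the reply, now in the local rule set.
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description "PPTP control channel"
set firewall name WAN_LOCAL rule 10 protocol tcp
set firewall name WAN_LOCAL rule 10 destination port 1723

# PPTP carries the tunnelled data in GRE (IP protocol 47). Without this the
# client authenticates and then the tunnel hangs with no traffic.
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description "PPTP GRE tunnel"
set firewall name WAN_LOCAL rule 20 protocol gre

# Attach on the "local" hook; WAN_IN stays on "in" for forwarded traffic
# such as the RDP rule to 192.168.2.3.
set interfaces ethernet eth1 firewall local name WAN_LOCAL

# WAN_IN rule 10 never matched the VPN request (wrong hook), so drop it now
# that WAN_LOCAL owns port 1723. Keeps the rule set honest about what it does.
delete firewall name WAN_IN rule 10

# Caveat: this makes the posted PPTP setup reachable; PPTP with MS-CHAPv2 is
# cryptographically weak, so treat it as legacy access, not a secure VPN.

commit
save
exit
```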
The pfSense license is located at: HERE. It is free for commercial use, but I always suggest that my commercial clients make a donation to the pfSense organization if they use it and like it. It keeps the product going. It works with most major browsers (IE, Firefox, Chrome, Safari).
The main difference between pfSense and the commercial firewalls is really the fact that you get all the functionality you would normally pay “upgrade and license fees” for with the commercial options.
Let’s put it this way: for every major technology (IPsec, VPN, PPTP, proxying, captive portals, rules-based firewalls, stateful inspection, intrusion detection, etc.), there is an open source project that supports the exact same thing. pfSense offers these technologies in its distribution for free vs. paying the “per license” or “per seat” fee.
I learned a lot here. Thank you so much for your personal help.
Your post is very well elaborated; it interested me a lot. Thanks for it.
Hello, neat post. There is an issue with your web site in web explorer; could you test this? IE nonetheless is the marketplace chief, and a good component of other people will miss your wonderful writing because of this problem.
What seems to be the problem with IE? I’ve tested it and can’t find any problems. What version are you using?
I’ve not implemented it myself, but what about having Outlook connect to Exchange using instead of using POP? The mobility standardization question is also starting to come up for me as well. I’m at a much smaller org (< 25 users, with a max of 5 who need wireless mobile e-mail access). Currently I'm supporting one company-owned Blackberry and several user-owned Palm OS devices, which is getting to be a drag. I'm a long-time Palm OS user, and hate the thought of bowing to the MS hegemony yet again, but, like you, since we have the ActiveSync capability on hand already, and buying the devices and plans is enough of a stretch, getting BB Enterprise Server or Good Mail.
An outstanding share! I’ve just forwarded this onto a co-worker who has been conducting a little research on this. And he actually bought me breakfast due to the fact that I found it for him… lol. So allow me to reword this…. Thank YOU for the meal!! But yeah, thanks for spending the time to discuss this issue here on your website.
Thank you. My aim is obviously two-fold: to empower people with knowledge and also to support my family! Get the word out on the blog! If you ever need a consultant, I would hope I will be the first on the list! Cheers!