How pfSense revolutionized my Home Network

It’s no big secret that I have become a pfSense fanboy over the course of the last year. A lot of my blog posts have talked about using pfSense for this, that, or the other. In my most recent home network update post I mentioned making a post that explains the things I use my pfSense for currently. Well, here it is. In this post I’ll discuss how I’ve changed various parts of my network and eventually replaced them with pfSense.

Before we begin with this it would be helpful to review my retrospective review as I will be referencing distinct parts of those networks to explain how I’ve modernized them with pfSense.

Original: Multiple Routers | Replacement: VLANs

Ok, so this one is simple and something I should have done a long time ago. In my original network I used multiple routers and subnets to isolate different devices. This works, kind of: it does isolate, but only in the way the topology dictates. You must put your untrusted devices closer to the edge and your trusted devices behind the double NAT. This creates one-way isolation, as the second router’s firewall keeps untrusted devices from seeing the trusted devices. It also breaks port forwarding and can cause problems for gaming, since peer-to-peer services struggle behind a double NAT.

To modernize this, I used VLANs in pfSense to isolate everything but keep it all near the edge, so nothing was behind a double NAT. VLANs were an essential part of my network strategy. Setting them up not only simplified the network but also allowed me to free up valuable electrical outlets in my server rack by not having to have multiple routers plugged in.

Original: SweetSecurity | Replacement: Suricata

When I started working in Cyber Security years and years ago and first learned about Intrusion Prevention Systems, I knew that I wanted to play around with one on my home network. Unfortunately, I didn’t have the hardware to really run one, so I had to improvise. I looked up running Snort on a Raspberry Pi 3 B+ (yeah, right...) and found that it wasn’t possible, but I did find a talk called SweetSecurity. SweetSecurity used ARP spoofing to have an RPI3B+ MiTM all the network traffic and run it through Bro IDS (now Zeek), then push it all over to an ELK stack.

Unfortunately, this required more RAM than was on a single RPI3B+, so you needed two: one as the sensor and one as the server. The other issue here was the RPI3B+’s NIC. All RPIs before the RPI4 were limited to 100Mbps on the NIC. You could increase that to around 300Mbps by adding a USB2.0 NIC to the board, but if you were on a Gig network that was still a massive cut in speed.

I used this for a little while, but the speed cut was too much for me; furthermore, ARP spoofing is not always an effective way to intercept traffic. I needed a replacement, and there was a hot new piece of tech on the market: the Asus RT-5300. This router was a monster of a router, but it had one truly distinctive feature: AI Protect.

As far as I know the RT-5300 was the first consumer router to include an IDS/IPS-like feature. Asus partnered with Trend Micro (an antivirus company) to inspect network traffic, block connections to known bad IPs and URLs, and block known bad files. This feature is in most home routers now and is about as pointless as it is common. My largest issue with this feature was that it didn’t really give you any information. It would tell you that it blocked an attack from XYZ IP address and give you a category, but it never told you what the actual attack was.

The ASUS router did have another benefit, though, with its support for custom firmware; specifically, MerlinWRT. I flashed Merlin on the router and ran scripts like SkyNet to autoblock IPs based on a list. Merlin also allowed me to SSH into the router and customize its iptables rules so I could manually block certain websites. Unfortunately, those rules were stored in the router’s RAM, so the changes weren’t persistent.

All of this was replaced by Suricata in pfSense. pfSense has three different IDSs available (Snort, Suricata, and Zeek), two of which can also run as an IPS. I originally went with Snort as I was most familiar with it, but unfortunately the version of Snort on pfSense is older than 3.0, meaning that it is single-threaded and severely cuts network throughput. Suricata is multi-threaded and can process traffic faster, so it doesn’t cut throughput as drastically.

Original: Pi-Hole | Replacement: pfBlockerNG-Devel

One of the very first tools I tried installing was Pi-Hole to block ads on my network. When I first set it up, I failed miserably (because of the double-NAT issue) and scrapped the project for a while. When I did get it set up properly, I loved Pi-Hole. Over time I had several disagreements with the Pi-Hole developers that eventually led to me moving away from the project.

Now I use pfBlockerNG-Devel to handle my adblocking. I know a lot of people that still use Pi-Hole and I think that’s perfectly fine; at the end of the day, fewer ads on the internet are always better. I also recognize that Pi-Hole does some things better, such as DNS policies based on individual clients or groups, and the dashboard for Pi-Hole is light years better than pfBlocker’s.

At the end of the day, I use pfBlockerNG-Devel because it handles IP blocking as well as DNS, and it consolidates everything onto the router rather than having different servers. I’ve considered setting Pi-Hole back up just for the dashboard, but I don’t want to overcomplicate my network by having multiple DNS servers to deal with.

Original: NGINX | Replacement: haProxy

I spoke a bit about how I built a training lab for remote learning a while ago where I allowed people to remotely connect to my network for training. During this time, I was using NGINX to handle the connections; however, I had actually set this up to access my Pi-Hole from the internet.

NGINX is a great reverse proxy, but it can be difficult to manage by hand. There are some Docker containers like NGINX Proxy Manager which provide a GUI to manage it, but in my setup I used SWAG, which did not come with the GUI by default, and I didn’t want to add it myself.

With pfSense I was able to replace my NGINX proxy with haProxy. This included a GUI and was again built into the router. haProxy is a beast with amazing documentation on their website. haProxy does everything that I used NGINX for plus some added features. I’ll make a post about using haProxy at some point or another.

Original: Pi-VPN | Replacement: OpenVPN server

As I changed routers in my home network, I lost one feature I didn’t think about: my OpenVPN server. The Asus router had one built in, but Google Wi-Fi didn’t and my Netgear Orbis didn’t either. My Mikrotik hAP AC 2s did, but it was TCP only rather than the faster UDP.

To compensate for this, I used the Pi-VPN setup script to set up OpenVPN. The script was later updated to set up WireGuard, but it had some problems with the WireGuard routing and internet access was broken. You could remotely access your LAN but not the WAN with WireGuard on. The other issue with this script is that it could only set up OpenVPN or WireGuard, but not both. If you’re a frequent reader, you probably know that I’m not a terribly huge fan of WireGuard even though I use it.

Thankfully I don’t have to make this decision with pfSense. The router can act as both an extensively customizable OpenVPN server and a WireGuard server simultaneously, and in fact I use it as both. Again, this allows me to remove unnecessary equipment from my environment by consolidating it in my router.

Original: FingBox | Replacement: ARPWatch

In 2017 I acquired a FingBox from someone off Facebook who didn’t want it anymore. I’ve had this device plugged into my network for years despite my negative opinions on it.

In my opinion the FingBox only provides three benefits: it watches ARP packets and logs new devices, it can autoblock new devices (using ARP spoofing), and it does constant speed tests. The other features in the FingBox range from worthless to only viable in extremely specific situations. Despite all of that I’ve kept the FingBox plugged in for years, until I got my pfSense set up with ARPWatch.

Unfortunately there really isn’t a simple way of replacing all the useful features of the FingBox, so we’re going to have to get a bit hacky with some of them.

Original: FingBox Device Discovery | Replacement: ARPWatch

ARPWatch provides a remarkably simple service: it watches for new ARP requests, attempts to resolve the vendor, and emails the results to you. The pfSense version also keeps a database of all the devices it’s seen.

While most of the other things on this list have been a one-for-one replacement, ARPWatch actually provides me with an added benefit over the FingBox. ARPWatch can see all the devices across every VLAN, whereas the FingBox can only see devices on the VLAN it resides on. This means that if a device joined my IoT network I’d have had no way of knowing, since the FingBox is on my trusted LAN.
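As an added illustration of what ARPWatch is doing for me here (this is example code written for this post, not ARPWatch itself or anything shipped with pfSense), the script below reads the router’s ARP table, compares every MAC/interface pair against a known-devices file, and reports anything new with a best-effort vendor lookup. Because pfSense holds the ARP table for every VLAN interface, one pass covers all VLANs. The ARP lines, the known-devices file and the interface names (igb1, igb1.20) are constructed for the example; the two OUI prefixes in the tiny vendor table are real.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal ARPWatch-style
# new-device check over a pfSense/FreeBSD "arp -an" table.

# Constructed sample of "arp -an" output. igb1 is the LAN, igb1.20 a hypothetical IoT VLAN.
SAMPLE_ARP='? (192.168.1.1) at 00:0c:29:aa:bb:01 on igb1 permanent [ethernet]
? (192.168.1.50) at b8:27:eb:12:34:56 on igb1 expires in 1180 seconds [ethernet]
? (192.168.20.77) at 00:0c:29:de:ad:02 on igb1.20 expires in 900 seconds [vlan]
? (192.168.20.78) at 02:42:c0:a8:14:4e on igb1.20 expires in 1190 seconds [vlan]'

# Tiny OUI table ("prefix vendor"); these two prefixes are real assignments.
OUI_TABLE='00:0c:29 VMware
b8:27:eb Raspberry Pi Foundation'

# vendor_for MAC: prints the vendor for the first three octets, or "unknown".
vendor_for() {
    prefix=$(printf '%s' "$1" | cut -d: -f1-3)
    match=$(printf '%s\n' "$OUI_TABLE" | awk -v p="$prefix" '$1 == p { $1 = ""; sub(/^ /, ""); print }')
    [ -n "$match" ] && printf '%s' "$match" || printf 'unknown'
}

# find_new_devices KNOWN_FILE: reads "arp -an" output on stdin and prints
# "NEW <mac> <ip> <iface> <vendor>" for every MAC/interface pair that is not
# listed in KNOWN_FILE (one "mac iface" per line). Keying on the interface as
# well as the MAC is what makes a device appearing on the wrong VLAN visible.
find_new_devices() {
    known="$1"
    awk '$2 ~ /^\(/ { ip = substr($2, 2, length($2) - 2); print $4, $6, ip }' |
    while read -r mac iface ip; do
        if ! grep -qiFx "$mac $iface" "$known"; then
            printf 'NEW %s %s %s %s\n' "$mac" "$ip" "$iface" "$(vendor_for "$mac")"
        fi
    done
}

# demo_new_devices: seeds a known-devices file with the two LAN entries and
# runs the check against the sample table, so only the two IoT-VLAN hosts are new.
demo_new_devices() {
    known=$(mktemp "${TMPDIR:-/tmp}/known.XXXXXX")
    printf '00:0c:29:aa:bb:01 igb1\nb8:27:eb:12:34:56 igb1\n' > "$known"
    printf '%s\n' "$SAMPLE_ARP" | find_new_devices "$known"
    rm -f "$known"
}

# On the router itself you would feed the live table instead:  arp -an | find_new_devices /root/known-devices
demo_new_devices
```

Wire the output into the Mail Report package, or append each NEW line to the known-devices file once you have identified the device, and you have the core of what ARPWatch’s email alerts do.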

Original: FingBox Speed Test | Replacement: Speedtest-CLI & Mail Report

Another feature of the FingBox that I enjoy, pointless as it may be, is automatic speedtests. I can replicate this using the Mail Report package and a custom script that runs every day to check my bandwidth speeds.

# Keep only the numeric "<ping> ms" and "<speed> Mbit/s" fields, then join them with commas
speedtest | awk -v FS="(: | ms| Mbit/s)" '$2 ~ /^[0-9.]+$/ {print $2}' | paste -sd, -

After installing the speedtest-cli package, this command runs a speedtest every day, cuts the output down to just the ping, download and upload speed, and emails it to me daily. The output looks like this:

.853,618.55,509.6
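To show the parsing step as a function that can be checked against known input, here is an added example (written for this post, not taken from the speedtest-cli package or the pfSense Mail Report package). It selects the value lines by content rather than by character position, so the banner and progress lines are ignored however many of them speedtest-cli prints. The sample output is constructed to match speedtest-cli’s format; the ISP, host and IP in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: turn speedtest-cli's
# human-readable report into one "ping,download,upload" line.

# Constructed sample of speedtest-cli output (placeholder ISP, host and IP).
SAMPLE_SPEEDTEST_OUTPUT='Retrieving speedtest.net configuration...
Testing from Example ISP (203.0.113.10)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Example Host (Example City) [12.34 km]: 10.853 ms
Testing download speed................................................................................
Download: 618.55 Mbit/s
Testing upload speed......................................................................................................
Upload: 509.60 Mbit/s'

# parse_speedtest: reads speedtest-cli output on stdin, prints ping,download,upload.
# The field separator matches ": ", " ms" and " Mbit/s", so on a value line $2 is the
# number; every other line fails the numeric test and is dropped.
parse_speedtest() {
    awk -v FS="(: | ms| Mbit/s)" '$2 ~ /^[0-9.]+$/ { print $2 }' | paste -sd, -
}

# report_line: prefixes the result with the UTC date so a folder of daily mails
# (or a CSV you append to) stays sortable.
report_line() {
    printf '%s,%s\n' "$(date -u +%Y-%m-%d)" "$(parse_speedtest)"
}

# On pfSense with the speedtest-cli package installed:  speedtest | report_line
printf '%s\n' "$SAMPLE_SPEEDTEST_OUTPUT" | parse_speedtest
```

If you later switch to a speedtest binary that prints "Mbps" instead of "Mbit/s", the only change needed is the separator pattern in parse_speedtest.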

Original: FingBox Device Notifications | Replacement: ntopng

FingBox has one additional feature that I find useful: the ability to notify you when specific devices join or leave the network. This can be useful for checking when or whether your kids switch to mobile data to get around parental restrictions. I can replace this feature with pfSense’s ntopng package. With ntopng I can do ICMP monitoring of different devices and configure email alerts to notify me when a device drops off the network.

Original: DuckDNS Cron Script | Replacement: Dynamic DNS Service

So this is perhaps one of the coolest features of the pfSense router: it has a Dynamic DNS (DDNS) updater that’s not tied to a specific service. Both my Asus and Netgear routers had a DDNS service built in, but each provided a single URL tied to a specific company. For the Asus router I got a random URL at asusrouter.com, and for the Netgear Orbi I got a URL tied to a free NoIP account. The Asus one was fine, but the NoIP DDNS address had to be manually confirmed every 30 days or it was automatically deleted. My Google Wi-Fi router didn’t even have an option for DDNS (come on, Google).

When I switched from Asus to Google I realized I needed a new DDNS service because Google Wi-Fi didn’t have one. I did a bit of searching and found the fantastic DuckDNS which offers completely free DDNS services that you don’t have to manually confirm all the time. They also provide a simple script that you can run on any Linux device to keep the IP address updated. This script was running on the same RPI3B+ that ran Pi-Hole, Pi-VPN, NGINX (SWAG), LetsEncrypt (SWAG), Docker, and Cloudflare Updater.

pfSense has an awesome utility built in that can automatically update any DDNS service for you, including DuckDNS, and the DuckDNS folks have created a helpful tutorial on how to do just that.

Original: Cloudflare Updater | Replacement: Dynamic DNS Service

I run several public services that are all behind Cloudflare. The problem is that I don’t pay for a static IP from my ISP, so my IP occasionally changes. This unfortunately breaks most of my websites, as Cloudflare keeps sending visitors to the old IP. They did build a script a while ago to update the record automatically, but then they made changes and never updated the script. There are some Docker containers that do the auto-updating for you, but why spin up a Docker container to do that when it’s built into the router?

Just as the Dynamic DNS service can automatically update DuckDNS, it can also automatically update any one of my Cloudflare records.

Original: LetsEncrypt (SWAG) Docker Container | Replacement: ACME Service

As mentioned earlier, I use Cloudflare as an edge proxy and WAF. One of the benefits that Cloudflare provides is edge certificates between them and the clients viewing my page; however, the last mile (the connection between Cloudflare and my server) would be unencrypted. To avoid leaving that last mile unencrypted I used LetsEncrypt certs with the SWAG Docker container.

In pfSense I was able to replace this with the ACME certificate service. This plugin creates and automatically renews certificates for me. It also stores them in the pfSense Certificate store so they can be used with haProxy later. These certs are largely fire and forget. Once you create them the service will automatically renew them until you tell it to stop.

The service supports standard HTTP verification as well as a wide range of DNS-based verification methods. Since I use Cloudflare as my DNS provider, I simply created a Cloudflare API key that can modify DNS records and added it to pfSense. This allows ACME to create the DNS records that LetsEncrypt uses to verify the domain, and ACME then automatically renews these certs for me.
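What the ACME package is actually publishing through that Cloudflare API key is defined by RFC 8555’s DNS-01 challenge: a TXT record at _acme-challenge.<domain> whose value is the base64url-encoded SHA-256 of the challenge token, a dot, and the account key’s JWK thumbprint. The added example below (written for this post; it is not the pfSense ACME package’s code, which uses acme.sh) derives that value and the record, and includes the lookup you can run when a renewal fails. The token, thumbprint and domain are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: the DNS-01 TXT value that an
# ACME client (such as the pfSense ACME package) publishes for a CA to check.
# Requires openssl and base64, which are present on pfSense and most Linux hosts.

# b64url: standard base64 on stdin -> URL-safe alphabet, no padding (RFC 4648 section 5).
b64url() {
    base64 | tr -d '\n=' | tr '+/' '-_'
}

# dns01_txt_value TOKEN THUMBPRINT -> base64url(SHA-256(TOKEN "." THUMBPRINT)).
# TOKEN comes from the CA's challenge; THUMBPRINT is the account key's JWK thumbprint.
dns01_txt_value() {
    printf '%s.%s' "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# dns01_record DOMAIN TOKEN THUMBPRINT -> the record in zone-file form; an API-driven
# updater (Cloudflare in the post) creates exactly this name and value.
dns01_record() {
    printf '_acme-challenge.%s. 120 IN TXT "%s"\n' "$1" "$(dns01_txt_value "$2" "$3")"
}

# check_published DOMAIN EXPECTED: does the public DNS answer carry the expected
# value yet? This is the same lookup the CA makes, so it is the first thing to
# check when a DNS-01 renewal fails. Needs network access, so it is not run here.
check_published() {
    dig +short TXT "_acme-challenge.$1" | tr -d '"' | grep -qx "$2"
}

# Placeholder inputs; real values come from the ACME order and account key.
dns01_record example.com TOKEN_PLACEHOLDER THUMBPRINT_PLACEHOLDER
```

A common cause of failed renewals is DNS propagation: the record exists at Cloudflare but the CA’s resolvers have not seen it yet, which is why ACME clients wait before asking the CA to validate.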

Original: Asus RT-68U PIA VPN Router | Replacement: Policy Based Routing

This is another one of those instances where I was rigging something to work in a less than ideal manner before pfSense. It’s no secret that I do security research and sometimes analyze malware when I get some free time (not often anymore). When I first started this I knew that I didn’t want to be connecting to malicious domains using my real IP, especially not if I’m doing things like Dirbusting the domain to find additional malware files hosted there. To do this I used an Asus RT-68U router with a PIA .ovpn certificate so that the router itself connected to PIA. Everything that went through that router was then sent over to PIA’s servers.

I was able to replace this with policy-based routing on the pfSense. Any traffic leaving my Analysis network is automatically sent over the PIA tunnel, rather than having to run a second router.

Original: Squid3 | Replacement: Squid-Guard

Squid is a forward proxy server that can also do caching. Since there is a direct port of the tool to pfSense, I’ll just talk about it generally, because it’s the same whether you run it externally or on the router.

Squid is a forward proxy used for policy filtering and caching. I use mine for policy filtering. Essentially, traffic is sent to the proxy, which acts on it based on the policies set. You can use Squid to do things like block the download of .exe files, or block connections to a specific URI, like /r/all under www.reddit.com.

You can also set up the Squid proxy to decrypt TLS traffic and inspect it; however, that is incredibly resource intensive, so I only do that for individual devices at a time, usually when I’m looking at some piece of malware with a self-signed cert or when I need to check on traffic coming from a specific app or computer. Otherwise TLS decryption is turned off.

Original: None | Replacement: ntopng

ntopng is a wonderful netflow monitoring tool. I can record stats and monitor netflow data for various devices on my network. It tells me what percentage of the traffic is sent versus received, who a device is talking to, and what type of traffic it’s using, and then you can set up ICMP monitoring to alert you on status changes.

One of the neatest tools in ntopng, however, is the ability to capture up to 10 minutes of PCAP from any device.

Original: None | Replacement: Captive Portal

pfSense has a Captive Portal feature where you can require users to agree to Terms and Conditions before they’re allowed on the network. The Captive Portal can also use a voucher-based system where users are given a one-time code allowing connection for a set period of time.

Think about when you go to a hotel and have to put your last name and room number into a webpage to get Wi-Fi; same principle here.

Original: UFW-Docker & IPTables | Replacement: pfSense Firewall

What really got me started down this road to pfSense was a desire to better secure my Pi-Hole against attacks from the internet. I was using Docker to host my NGINX proxy and some of my services. If you aren’t aware, Docker does not play nice with UFW. It inserts itself into the pre-routing chain with a default allow-all, so the UFW rules don’t apply to Docker containers. You either have to modify the iptables rules manually, or you have to install something like ufw-docker.

I opted for a third option: block at the edge. I bought a pfSense primarily because I wanted the ability to control my own firewall beyond basic port forwarding. I wanted to limit access to my servers to only Cloudflare IPs, thus forcing all traffic through the Cloudflare proxy.
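For anyone who cannot move the filtering to the edge, the "modify iptables manually" option mentioned above has a supported form. Docker publishes ports with DNAT in the nat table and adds its own rules to the FORWARD chain, so host rules in INPUT (where UFW puts them) never see container traffic; Docker does, however, leave the DOCKER-USER chain for host policy and evaluates it before its own FORWARD rules. The added example below (written for this post, not Docker’s or pfSense’s code) generates rules that allow a published port only from an allow-list, in the same spirit as the Cloudflare-only rule described above. It only prints the commands; nothing is applied. The CIDRs and interface name are constructed placeholders, standing in for the ranges Cloudflare publishes and your real WAN interface.

```shell
#!/bin/sh
# Added example, not part of the original post: generate DOCKER-USER rules that
# restrict a Docker-published port to an allow-list of source ranges.

# Constructed allow-list, one CIDR per line (placeholder for Cloudflare's ranges).
ALLOWED_CIDRS='198.51.100.0/24
203.0.113.0/24'

# gen_docker_user_rules PORT WAN_IFACE: print the iptables commands.
# DNAT has already rewritten the destination by the time FORWARD runs, so the
# match is on the *original* destination port via conntrack, not on --dport.
# Matching on the WAN interface keeps LAN-side access to the container unaffected.
gen_docker_user_rules() {
    port="$1"; iface="$2"
    printf 'iptables -F DOCKER-USER\n'
    printf '%s\n' "$ALLOWED_CIDRS" | while read -r cidr; do
        [ -n "$cidr" ] || continue
        printf 'iptables -A DOCKER-USER -i %s -s %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j RETURN\n' \
            "$iface" "$cidr" "$port"
    done
    printf 'iptables -A DOCKER-USER -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' \
        "$iface" "$port"
    # Everything not matched above falls through to Docker's own rules, as Docker expects.
    printf 'iptables -A DOCKER-USER -j RETURN\n'
}

# rule_count PORT WAN_IFACE -> number of commands generated (flush + allows + drop + return).
rule_count() {
    gen_docker_user_rules "$1" "$2" | wc -l | tr -d ' '
}

# Review the output, then apply it as root with:  gen_docker_user_rules 443 eth0 | sh
gen_docker_user_rules 443 eth0
```

Two caveats worth knowing: the Cloudflare IP lists change occasionally, so an allow-list like this needs the same periodic refresh that pfBlockerNG or a URL alias gives you on pfSense, and rules in DOCKER-USER are not persisted by Docker itself, so they need iptables-persistent or a boot script to survive a restart.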

Original: Google Wi-Fi Guest Mode | Replacement: Avahi MDNS reflector

I wrote a blog post about this the other day, but one of the things I wanted to do was allow guests on my guest network to cast to a limited number of Chromecasts on my trusted network. My old Google Wi-Fi had this feature; it didn’t have much else, but it had this. In Google Wi-Fi I could make a guest network page and then allow casting to specific devices.

It was a bit more of a manual process to set up in pfSense, but I was able to replicate the same behaviour using the Avahi mDNS reflector.

Original: None | Replacement: Traffic Shaper

Another neat feature I use on my pfSense is the traffic shaper. With this feature I can limit the speed of certain devices or certain networks if I don’t want them consuming all my bandwidth. I know when I was growing up my brother and I hogged all the bandwidth in the house; he was playing WoW all the time and I was watching YouTube while playing video games online. Between the two of us it was near impossible for anyone else to do anything, because we were hogging all the bandwidth.

Now I have a Gig network so bandwidth is not a concern, but there are still times when the traffic shaper is useful. I can make sure the IoT network does not use more than 10Mbps, or I can limit the Guest network. The traffic shaper can also be applied on a schedule, so at bedtime I can reduce speeds to Kbps for my kids’ devices.

Conclusion

Thanks to pfSense I’ve been able to replace and consolidate a lot of my equipment into one device. I’ve now replaced 3 RPI3B+s and 4 routers by offloading all of their functions to the pfSense.

The pfSense has really helped me meet my new network strategy of streamlining the servers and features of my network. This is an amazing piece of technology and something every networking or security professional should strongly consider.
