Starting pfsense for New Users

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
6,707
Reaction score
3,354
Hi all, I decided to start a new thread to help forumers get a head start using the pfsense firewall.

Below are my reasons for doing so:
  1. As working from home becomes the default mode of working for many of us, securing your home network becomes a major task. In fact, if you have read the recent reports on the spike in network vulnerabilities, more home networks are being compromised during this WFH period. Therefore, by deploying a quality firewall, our home network becomes more secure and safe. Of course, having a firewall is only one piece of the puzzle in securing your home network.
  2. Provide an alternative to the more advanced Mikrotik and Ubiquiti routers. Actually pfsense is a "step up" compared with these alternatives.
  3. Change the perception that pfsense is hard to configure and exclusively for advanced users.
  4. With our increased demand for internet speed, IoT devices and multiple home mobile devices, and with growing awareness of network security, OTS consumer products just lack the capability to protect our home network.
  5. OTS routers or even some lower-end Mikrotik/Ubiquiti routers are not really built for or capable of Dual-WAN. Therefore, as more people subscribe to 2x 1Gbps plans or plans from 2 ISPs, the demand for a multi-WAN capable router falls into place.
  6. An "always on" router: no need to power cycle, no need to reboot (except maybe for major updates). Enterprise-class routing solutions are suited for 24/7 operations. Compare this with any top-range consumer router, where after a long period of operation the consumer routing solution tends to "ghost" on the connection and behave extremely sluggishly in most cases.

What I will try to do is:
  • Provide some hardware recommendations for building your pfsense box
  • Describe what my personal preferred pfsense setup could be. This could be subjective.
  • Provide good YouTube links for setting up your pfsense and some step-by-step configurations complementing the online resources (if any). Most of the time I will be quoting YouTube links from Tom of Lawrence Systems since his online tutorials are the most extensive and, in my opinion, honest and less BS.
  • This should not be a too complicated thread that touches on too many advanced settings which the majority of forumers here will not be using. It is to provide a head start for new users, but still requires new users to learn the interface and the basics of a firewall on their own to really understand the concepts of a firewall/router.

*Disclaimer: I am not in any position to market the pfsense appliance from Netgate.
*A little background on my experience using pfsense: I have been learning, using, contributing to and deploying pfsense over the past few years for several enterprise and home setup environments. I dare not say I am a professional since I still have a lot to learn and still make mistakes along the way. As Albert Einstein put it simply, "A person who never made a mistake never tried anything new."


**Hardware recommendations for pfsense (updated Jul 2021)**

*Option A: Building your own pfsense box
The most important parts to take note of when building your pfsense box: chassis, motherboard form factor, CPU and NIC.
  • CPU: Intel CPUs preferred, with support for AES-NI crypto. You can look for Intel CPU models ending with "U" or "T", which are low powered. If you are concerned about power usage, you can turn on pfsense's native support for EIST under System->Advanced->Misc->PowerD options.
  • Chassis: I will go with a mini-box that houses a mini-ITX board, or a 1U low-depth chassis.
  • PSU: Flex-ATX power supplies usually allow for a slimmer profile chassis; SFX power supplies will need bigger ones. A good power supply of >250 watts with Bronze certification or above will suffice.
  • Memory: I will go for non-ECC Kingston Value RAM, at least 8GB.
  • Storage: I will go with SSDs over magnetic disks. >128GB should suffice unless you enable heavy logging.
  • Motherboard: This is one of the most important components. I will go with server-class motherboards like Supermicro or Asrock Rack. It is good to get a motherboard that comes with Intel NICs.
  • NICs: Due to the nature of driver compatibility on FreeBSD, Intel NICs are preferred over Marvell and Realtek. RJ45 or fiber through SFP/SFP+ are OK. Do get NICs with good heatsinks since they might run pretty hot under load.

A few good NIC makers come to mind:
  • 10Gtek (uses reliable Intel NIC chips)
  • Chelsio (recommended for 10Gbps setups)
  • Mellanox (for >10Gbps setups)
  • *Other Intel OEMs (beware of counterfeits)
*You can check out the NICs recommended on the "Serve The Home" website/forum and the FreeBSD driver support for NICs: https://www.freebsd.org/releases/12.0R/hardware/

*Recommendation for 1U pfsense set-up (Enterprise use) - for reference only (updated on Jan 2022)
  • 1U custom casing with 4x Noctua 4cm PWM fans
  • Asrock Rack E3C23DI m-itx board with 2x Intel NIC
  • Intel Xeon E3-1240L v5 (tray) at 25W (4 cores, 8 threads)
  • Dynatron 1U T-06 CPU cooler
  • 2x 8GB Kingston unbuffered DDR4 ECC Memory
  • OEM 500W Flex-ATX PSU (Platinum Rating)
  • 2x 240GB Samsung EVO SSD in ZFS mirror
  • Chelsio T520 with 2x 10G SFP+ OR Quad port Intel 1G NIC


[Image: 1U rack pfsense deployment]


[Image: pfSense and core switch (MikroTik CRS312)]


[Image: home office/lab (MikroTik CRS309 + CRS326) connecting to pfSense upstream]


*Option B: Purchasing your Netgate firewall appliance
You will not be able to purchase a Netgate appliance directly from their website. But you can use a local carrier to deliver it to Singapore if you are really keen on getting the original appliance.
Pros: support for pfsense straight out of the box.
Cons: Expensive. Might have problems claiming warranty.
Check out: https://www.netgate.com/products/appliances/


*Option C: Purchasing a third-party all-in-one box with an embedded (low-powered) CPU and multiple NICs built in
Recommendation:
  • Chassis: Passively cooled with lots of fins
  • CPU: embedded Intel CPU with models ending with "U". For power users and VM users, I recommend a CPU that has at least 4 cores, 8 threads. Most will support AES-NI unless it is the earlier J19XX Atom series.
  • Memory: Recommend getting a box that does not come with memory. It can be purchased separately locally for warranty claims. Recommend 8GB.
  • Storage: Same as above. Prefer to purchase it locally for warranty claims.
  • NICs: It will usually come with Intel's. Look for one with at least 4 NICs so you can run dual-WAN and LACP LAGG to your switch. But performance will not be as good as dedicated higher-end NICs with bigger heatsinks.

*Recommendation of mini x86 boxes for Option C - for reference only (updated on 21 May 2021)
CPU (supports AES-NI): Intel Celeron Quad Core J4105, TDP 10W.
*UPDATED*: The J4125 and J5005 are good buys too. Take note that the supported memory capacity is up to 8GB only (but 8GB is more than enough for pfsense). Recommend getting one with Intel NICs.

Comparison with J4105:
J4125 VS J4105
J4105 VS J5005

**Alternative solutions from "Protectli" if you are not confident in such PC boxes from China:
https://protectli.com/
*Advantages over mini-pc boxes from China can be found here:
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-45#post-139621353

**Mini-PC boxes from China (Taobao/Alibaba)
RAM: 8GB
Storage: 64GB or more
Chassis: passively cooled small chassis
NIC: at least 4 x Intel i211 NICs
Price: varies from $220-$240 (4GB-64S to 8GB-128S) including direct shipping


[Image: typical dashboard]

TanKianW
<<OTHER SETTINGS>>

**(For Mission Critical) Setting up pfsense to auto-shutdown during a power outage when connected to a UPS**
Install the "apcupsd" package plugin, under Services -> apcupsd -> General.
*I recommend connecting to an APC UPS with a USB connector. The setup should be pretty straightforward. Alternatively, you can also install the "nut" plugin for other brands of UPS that support the NUT daemon.

APC UPS Settings over USB
Below are the details of the apcupsd daemon settings on pfsense over USB.
[Image: apcupsd settings over USB]


[Image: status information for a working UPS]


Side note: You can configure the system to send you email notifications during a power failure by selecting the "php" option (if you have set it up on pfsense earlier). Test the notification setup by initiating a simulated power failure, followed by powering it back on.

NOTE: If you want the pfsense appliance to power back on after a shutdown, do configure the power settings in the BIOS. This is extremely useful for those running their personal servers at home who want the servers to automatically turn back on when power resumes after an earlier shutdown/halt.


**Create mail Notification on pfsense**
Under System -> Advanced -> Notification
*You will need to create app access in your Gmail control interface if you are using your Gmail account. Settings as below:
[Image: mail notification settings]



**Setting up Telegram Notification on pfSense**
Some of the pfsense users asked me: instead of using email notification, what could be another good way for the pfsense appliance to send you notifications or alerts? Well, you could use pfsense to send you alerts through Telegram notifications too. The setup is pretty straightforward, so you just need to follow the step-by-step guide using the link below:

Link: https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-20#post-136423344

[Image: create Telegram notifications]



**Setting Power savings for CPUs that support variable frequencies**
Under System -> Advanced -> Miscellaneous
*I prefer setting the power plan to "Adaptive", to save power and at the same time rev the clock speed up when required. This helps to strike a balance. You can also enable AES-NI crypto acceleration for your CPU here.


**For Just-In-Case Screw-Ups on pfsense: Restoration of Previous Settings / Config**
Restore the last auto-saved settings: Under Services -> Auto Config Backup -> Restore.
*Do remember to set up the auto config backup!


Restore and save your config settings:
Under Diagnostics -> backup & restore -> backup & restore



**Improving Bufferbloat using pfsense**
For those who are interested in bufferbloat: though I have no problem with it, I guess some here do. Feel free to play with the different preset algorithms to see if one works for you. It is under Firewall -> Traffic Shaper -> Limiters. Feel free to check out this YouTube link:



**How To Setup pfsense Firewall for Dual WAN (Multi-WAN) and Gateway Policy Based Routing Rules**


For those who still need more understanding of how to set up multi-WAN (or policy routing) on pfSense, this is the updated tutorial video from Tom of Lawrence Systems. I will be updating this video on Page #1 of the thread for future reference for new users.



*Deploying 3G/4G Mobile Broadband as (Last Line of Defense) Backup WAN on pfSense*
I have been receiving requests on the deployment of 4G mobile broadband as the "last line of defense" WAN. Therefore, I would like to provide a workable solution to this, especially for those looking at a more resilient multi-WAN setup. These are the group of users who will keep telling me dual-WAN can still be down if the fiber internet was cut at the manhole outside......that will be like.......Well, since some like to be prepared for the "worst case scenario", I will cover it here.

https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-49#post-140440294

NOTE: I think this setup will be useful to those with a mobile data plan and fiber plan from the same ISP, where when their fiber is down (M1, Singtel, Starhub?) their data plan is free to use during the downtime. In this setup, the network will fail over to the mobile data plan. I am using a spare 4G mobile SIM from Singtel.


*(WAN Setup) Configuring Ping and Gateway Monitoring/Logging on pfsense*

For those who want to configure ping and gateway monitoring/logging on pfsense, especially when you want to track whether your ISP (or which ISP) was down in order to trigger a WAN failover, or even to lodge a complaint/case with your ISP about high packet loss or high latency during a certain period of time.

https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-19#post-134636338

*If running Dual-WAN, you can either set load balancing or fail-over for the respective WANs.
  • For a load-balancing GW group: priority set to Tier 1 - Tier 1 for both WANs.
  • For a fail-over GW group: priority is Tier 2 - Tier 1 or vice versa for either of the WANs.
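As an added example for the gateway monitoring/logging and dual-WAN points above (this is not code from the original post or from pfSense), here is a small Python script that turns a gateway-log excerpt into the kind of evidence you would want when lodging a case with an ISP: how many times each WAN went into alarm, total downtime, worst packet loss and latency, and how long both WANs were down at the same time (the window a fail-over group cannot cover, which is the case for a 3G/4G backup WAN). It assumes the log lines have the shape dpinger writes to the pfSense gateways log ("<timestamp> <host> dpinger[<pid>]: <GATEWAY> <monitor IP>: Alarm|Clear latency <N>us stddev <N>us loss <N>%"); the log excerpt, gateway names and values below are constructed for the example.

```python
"""Summarise pfSense gateway-monitor (dpinger) alarms from a log excerpt.

Added example for the thread, not code from the original post or from pfSense.
Assumption: lines follow the dpinger gateway-log shape
  "<ISO timestamp> <host> dpinger[<pid>]: <GATEWAY> <monitor IP>: Alarm|Clear
   latency <N>us stddev <N>us loss <N>%"
The sample log, gateway names and values are constructed for this example.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dpinger\[\d+\]: (?P<gw>\S+) (?P<ip>[\d.]+): "
    r"(?P<event>Alarm|Clear) latency (?P<lat>\d+)us stddev \d+us loss (?P<loss>\d+)%$"
)

# Constructed sample: WAN1 has a 7.5 minute outage, WAN2 a 1 minute outage that
# overlaps it, one unrelated log line, and WAN1 goes down again at the end
# without recovering within the excerpt.
SAMPLE_LOG = """\
2022-01-10T09:00:02 pfSense dpinger[2310]: WAN1_DHCP 1.1.1.1: Alarm latency 412000us stddev 80500us loss 22%
2022-01-10T09:05:00 pfSense dpinger[2311]: WAN2_PPPOE 9.9.9.9: Alarm latency 15000us stddev 2000us loss 35%
2022-01-10T09:05:30 pfSense check_reload_status[412]: Reloading filter
2022-01-10T09:06:00 pfSense dpinger[2311]: WAN2_PPPOE 9.9.9.9: Clear latency 7000us stddev 400us loss 0%
2022-01-10T09:07:31 pfSense dpinger[2310]: WAN1_DHCP 1.1.1.1: Clear latency 9800us stddev 900us loss 0%
2022-01-10T23:50:00 pfSense dpinger[2310]: WAN1_DHCP 1.1.1.1: Alarm latency 0us stddev 0us loss 100%
"""


def parse_gateway_log(text):
    """Return the dpinger Alarm/Clear events in the log, oldest first.

    Lines that are not dpinger alarm transitions (other daemons, noise) are
    skipped rather than treated as errors.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "gw": m["gw"],
            "event": m["event"],
            "latency_ms": int(m["lat"]) / 1000,  # dpinger reports microseconds
            "loss_pct": int(m["loss"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def outage_intervals(events):
    """Pair each gateway's Alarm with its next Clear.

    Returns (closed, still_down): closed maps gateway -> [(start, end), ...];
    still_down maps gateway -> start time of an alarm with no Clear yet.
    """
    still_down, closed = {}, {}
    for ev in events:
        gw = ev["gw"]
        if ev["event"] == "Alarm" and gw not in still_down:
            still_down[gw] = ev["ts"]
        elif ev["event"] == "Clear" and gw in still_down:
            closed.setdefault(gw, []).append((still_down.pop(gw), ev["ts"]))
    return closed, still_down


def summarise(events):
    """Per-gateway report: alarm count, total downtime, worst loss/latency."""
    closed, still_down = outage_intervals(events)
    report = {}
    for ev in events:
        r = report.setdefault(ev["gw"], {
            "alarms": 0, "downtime_s": 0.0, "worst_loss_pct": 0,
            "worst_latency_ms": 0.0, "open_alarm": False})
        if ev["event"] == "Alarm":
            r["alarms"] += 1
            r["worst_loss_pct"] = max(r["worst_loss_pct"], ev["loss_pct"])
            r["worst_latency_ms"] = max(r["worst_latency_ms"], ev["latency_ms"])
    for gw, spans in closed.items():
        report[gw]["downtime_s"] = sum((end - start).total_seconds() for start, end in spans)
    for gw in still_down:
        report[gw]["open_alarm"] = True
    return report


def all_down_seconds(events):
    """Seconds during which every gateway seen in the log was in alarm at once.

    For a dual-WAN fail-over group this is the time no fail-over could have
    helped, i.e. the window a third (mobile) WAN would have to cover.
    """
    closed, _ = outage_intervals(events)
    gateways = {ev["gw"] for ev in events}
    # Sweep line: +1 when an outage starts, -1 when it ends.
    marks = sorted((t, d) for spans in closed.values()
                   for s, e in spans for t, d in ((s, 1), (e, -1)))
    down, total, prev = 0, 0.0, None
    for ts, delta in marks:
        if prev is not None and down == len(gateways):
            total += (ts - prev).total_seconds()
        down += delta
        prev = ts
    return total


if __name__ == "__main__":
    evs = parse_gateway_log(SAMPLE_LOG)
    for gw, r in summarise(evs).items():
        print(f"{gw}: {r['alarms']} alarm(s), {r['downtime_s']:.0f}s down, "
              f"worst loss {r['worst_loss_pct']}%, worst latency {r['worst_latency_ms']:.1f}ms"
              + (", STILL DOWN at end of log" if r["open_alarm"] else ""))
    print(f"both WANs down simultaneously: {all_down_seconds(evs):.0f}s")
```

To use it on a real box, copy the gateway log out of Status -> System Logs -> Gateways (or the file it is written to) and feed it in place of SAMPLE_LOG; an alarm that has no matching Clear by the end of the excerpt is reported as still open rather than silently counted as downtime.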
 

TanKianW
**Virtualizing pfSense on Hypervisor XCP-ng + XOA build from Source**



It has been a while since I updated the thread with some information on the first page. Though I have always been receiving queries from users asking me how to virtualize their pfsense, it has always been about ESXi from VMware....which I am not a fan of.

However, recently I started to receive some queries from users/clients who tried virtualizing pfsense (for testing) on hypervisors like XCP-ng+XOA (which I am interested in). Their main issue is that they are not able to run some of the extended features and plugins on XOA. The main reason is that the XOA server they are using is the "free version" of XOA, which will only be unlocked with a paid subscription. However, the good thing about opensource (OSS) is that you can easily build the "unlocked version" of XOA (on Debian or Ubuntu) directly from source (github) if you know how to. The build-from-source version will also include the "sdn plugin" and several others for building internal networks on your hypervisor. Installing pfsense on the hypervisor is as easy as copying the pfsense image (ISO) onto the host storage disk OR linking to your NAS shared storage over SMB/NFS (what I am using) and installing like on any other hypervisor. By the way, XCP-ng stands for "Xen Cloud Platform-Next Generation"!

Install pfsense on XCP-ng:
https://xcp-ng.org/blog/2019/08/20/how-to-install-pfsense-in-a-vm/

Recommend those trying out the opensource XCP-ng+XOA hypervisor to watch through this video tutorial:


Unlock the potential of your XOA by building from source:


[Image: XOA built from source with all plugins unlocked]


Do also remember to install the "guest tools" to ensure that your hypervisor can communicate directly with your operating system, especially for those who are not able to get gigabit speed on their pfsense VMs. More information can be read here: https://xcp-ng.org/docs/guests.html#linux

Code:
# install the guest tools from the shell of your pfsense:
pkg install xen-guest-tools xe-guest-utilities

# followed by starting the service
service xenguest start
Below is the pfSense VM with guest tools installed, and you are good to go.
[Image: pfSense VM with guest tools installed]

Lastly, listen to Wendell from Level1tech/linux on what he thinks about XCP-ng:



**HOW TO FIX BUFFERBLOAT on pfsense**
This video is timely since I receive frequent queries from forumers/clients/peers asking me if I configure traffic shaper/limiters on my pfsense. Though my answer is still "no", I figured there are still some who like to tweak and optimise their internet, and prefer to pursue this path due to their personal use cases. I have also provided another video recommended by Tom of Lawrence Systems explaining how to configure traffic limiters on pfsense. Will also update this on the first page.



 