This is mostly just based on my experience and there's no one size fits all, so if you're happy with what you have and it's working well, stay with it and probably don't mess with it; this may not be worth the effort or cost. But if you are tired of consumer routers due to various issues and need additional features, functions and proper firmware updates even after more than 2-3 years, you may want to take a look at pfSense.
I got fed up with the firmware quality of consumer routers and decided to try pfSense. If anyone is interested they can get a $150-250 Qotom or similar box on Amazon, or even an old PC, install pfSense and use their current router as an Access Point cum switch. Do note that it does take a bit of learning or guidance and it's not for everyone, but even as a novice myself a few great videos by Lawrence Systems on YouTube got me set up in regards to the basics, pfBlocker, OpenVPN and Traffic Limiting for Bufferbloat management. Took me only about 20-30 mins to get all the previously mentioned functions ready. I switched my RAX120 to AP mode with my NAS connected to the RAX120's 5GbE port.
Basic Setup and getting online:
pfBlocker: (Don't use the Geo Blocking part unless you really need to)
Traffic Limiters: (for Buffer Bloat)
For VPN profiles from providers such as ExpressVPN etc., they have links on their own site on how to set up manually.
pfSense Home Page on my SuperMicro 1U Unit
DNS Setup & Resolving:
By default pfSense does DNS resolving itself rather than using the ISP's resolvers, for security; you can go to DNS Resolver and select Forwarding mode for a speedup, and enable DNS over TLS for security in forwarding mode if you want to use third-party DNS servers. (First disable DNSSEC when switching to forwarding.)
If using third-party DNS servers you can enable those in General Setup; I added an image below with Cloudflare primary & secondary IPv4/IPv6 DNS servers. Also disable WAN DNS override so it won't use ISP DNS servers. If you want speed in resolving, ISP DNS servers can and will be faster in most cases at the cost of security.
Enabling Hardware Crypto and Thermal Sensors for Intel & AMD CPUs:
In the Advanced -> Miscellaneous section you can enable hardware crypto (helps VPN) and Thermal sensors as shown in the attached image.
pfBlockerNG (Use the Development Version):
You can get pfBlockerNG by going to the package manager in the System section; after installation it shows up under the Firewall section, and it has a guided setup by default.
Another simple guide: https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/
One thing I should mention about pfBlockerNG is that it has a section you can enable called TLD (Top Level Domain Blocking). Be careful, as that feature can take a lot of RAM depending on your block lists' size. I'm using upwards of 4.5GB RAM on my unit with the TLD function enabled with my large number of blocklists.
A few short topics from the makers of pfSense including limiters, captive portals etc.
I went a bit more extreme and recently bought an Intel Xeon D-1541 (EDIT: Now using an AMD EPYC 3251) based SuperMicro 1U unit to install ESXi VMs for pfSense and FreeNAS side by side. I so far only installed pfSense (2.4.5) and I must say it's far more powerful (honestly even a $200 Intel based Qotom box is probably more powerful than the best consumer router in terms of routing and VPN) and reliable, and the sheer amount of functions available is amazing, including packages like pfBlockerNG for Pi-hole-like ad/tracking blocking but more powerful. OpenVPN and tracking options (i.e. ntopng) are really great and the limiter and traffic shaping functions seem to be far better than most consumer routers. I liked OpenWRT on consumer units, but a lot of hardware acceleration functions are lost due to closed source binaries, and even though I can use OpenWRT on my Xeon D it just doesn't seem as friendly out of the box as pfSense.
Will add more info as time permits or on request.
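As an added example (not code from the original post): a small Python client that speaks DNS over TLS directly to an upstream resolver, which is a quick way to confirm that a forwarder on port 853 answers with a valid certificate before pointing the pfSense resolver at it. The Cloudflare address and TLS name used at the bottom are assumptions for illustration.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (RD set, one question, class IN) for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """RFC 7858 framing: each DNS message is prefixed by its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(resp, txid):
    """Return (rcode, answer_count) from a response, rejecting a mismatched id."""
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    return flags & 0x000F, ancount

def recv_exact(tls, n):
    """Read exactly n bytes from the TLS socket (recv may return short reads)."""
    buf = b""
    while len(buf) < n:
        chunk = tls.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS session early")
        buf += chunk
    return buf

def dot_query(server, sni, name, port=853):
    """Query one name over TLS with certificate chain and hostname verification on."""
    ctx = ssl.create_default_context()  # default context verifies cert and matches sni
    query = build_query(name)
    with socket.create_connection((server, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            tls.sendall(frame(query))
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_header(recv_exact(tls, length), 0x1234)

if __name__ == "__main__":
    # Assumed upstream for illustration: Cloudflare's resolver and its TLS name.
    print(dot_query("1.1.1.1", "cloudflare-dns.com", "example.com"))
```

A returned rcode of 0 with a non-zero answer count means the upstream answered over TLS with a certificate your trust store accepts; a handshake failure here points at a certificate or SNI problem that would also break pfSense's forwarding.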
-
Very interesting and by the looks of it more user friendly than OpenWRT...
-
hacktrix2006 Hold My Vodka, I going to kill my GPU
Another OpenWRT user here, and yes I agree pfSense does look more user friendly; however, having used pfSense, I know that it can be user unfriendly.
Sent from my SNE-LX1 using Tapatalk -
@hacktrix2006 OK, so if you've used both how would you compare them as far as user experience is concerned?
I get it that it can be user unfriendly but overall? -
hacktrix2006 Hold My Vodka, I going to kill my GPU
Firstly, my last time I used pfSense was when it was at build 2.0 so a lot would have changed. Easiest way would be for me to install pfSense into Hyper-V to see what has changed.
However, for normal users or even people that use OpenWRT there is still a learning curve in certain areas of pfSense and vice versa.
If it was taken on first boot experience, pfSense would win that hands down due to its wizard at the start, whereas OpenWRT doesn't have it.
When I was using build 2.0 the bit that was a steep learning curve was firewall rules and setting up VLANs.
But at the end of the day, where pfSense excels in some places OpenWRT will excel in others.
Although the pfSense GUI is better, to be honest.
Sent from my SNE-LX1 using Tapatalk -
OpenWRT does have great documentation; I managed to compile my own builds for my R7800 despite being new, thanks to the effort they put into the docs and their thoroughness (I did have to make certain changes to my build environment vs the docs as it didn’t work right away using their instructions) and great community too. I loved that they had Cake SQM available; when I was with my VDSL ISP it helped bring my Bufferbloat from a D-F to an A with very little tinkering.
However, as you said, the wizards in pfSense do make it easier to just get up and running, and all the needed packages are right there with no need to add or compile extra things like I needed on my R7800 OpenWRT builds (LEDE at the time, since most of the devs split with OWRT due to an internal conflict that is now resolved) vs their stock builds.
In certain instances with consumer routers, due to OpenWRT covering a vast array of devices, certain changes they made to support one “similar” chipset could be detrimental to another; for example, some changes to enhance support for the IPQ4XX series caused issues with the R7800’s stability, though later rectified in later patches.
As you said they both excel in their own way and I totally agree some areas do require a learning curve. I will say though the OWRT community is very polite even when people ask the same old questions without searching forums or maybe they just missed the info; the experts kindly tell them to look thoroughly or just help sometimes. From looking at pfSense forums it seems they’re less accommodating to that.
Last edited: Mar 15, 2020 -
pfsense/wrt/tomato/etc....
If you're looking for multi-use / multi-function, going with a custom build is the way to go and Linux is going to be your underlying OS.
I set up a router/firewall/wifi/nas/dvr/etc all in one box using Ubuntu / hostapd / iptables / Pi-hole for DNS blocking of ads and bad domains.
With NordVPN using WireGuard through the "nordlynx" profile I'm able to get 97% throughput over VPN on a gig connection vs the old ovpn profiles maxing at 100 Mbps.
Once you get the hang of what needs to go where and how they cross-function it's fairly easy to modify things as you need to. It's a bit of a stumbling toddler when you start, and then you think of things that will improve performance by streamlining things such as combining iptables entries into match-sets vs individual entries per line. Being able to block countries' worth of IP CIDR entries in a match set improves your processing of the rules and speeds of throughput. Tweaking your hostapd.service files to auto restart when they fail keeps you from having to connect to the machine with a monitor and keyboard.
It all kind of comes down to what you want to do, use it for, and being comfortable with tweaking Linux to your mercy. -
Yeah I have looked at Linux alternatives like ClearOS and Untangle but they have various paywalls for various functions, and the good free ones like VyOS aren’t very intuitive as I’m not at the level where I can handle a CLI-only distro. I see no real alternative with a GUI, and nothing really seems as intuitive or as simple as pfSense or OPNsense at that level. While you can turn Ubuntu into a router and play around with iptables it just seems more effort than it’s worth and clunky, when something like this already exists. Plus pf in FreeBSD seems a bit simpler than iptables, which can be messier and more can go wrong. Additionally I’ve found pfBlockerNG on pfSense to be more powerful than Pi-hole. Everything you mentioned is more work for me than something that just works out of the box, and installing pfBlocker or ntopng is just a click away in the package manager... and importantly everything is laid out nicely in the GUI as this distro is specifically tuned for networking, so I see nothing to gain from doing all of what you are saying, in my use case.
Again as you said to each their own depending on need and level of skill.
Last edited: Sep 3, 2020 -
Here's my complete condensed / tuned iptables....
# Generated by iptables-save v1.8.4 on Mon Aug 31 14:58:34 2020
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:144]
COMMIT
# Completed on Mon Aug 31 14:58:34 2020
# Generated by iptables-save v1.8.4 on Mon Aug 31 14:58:34 2020
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:144]
:BLOCK - [0:0]
:FORWARD - [0:0]
:LOGNDROP - [0:0]
COMMIT
# Completed on Mon Aug 31 14:58:34 2020
# Generated by iptables-save v1.8.4 on Mon Aug 31 14:58:34 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:144]
:POSTROUTING ACCEPT [1:144]
:BLOCK - [0:0]
:LOGNDROP - [0:0]
COMMIT
# Completed on Mon Aug 31 14:58:34 2020
# Generated by iptables-save v1.8.4 on Mon Aug 31 14:58:34 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o bo0 -m comment --comment "WAN" -j MASQUERADE
-A POSTROUTING -o nordlynx -m comment --comment "Nord" -j MASQUERADE
COMMIT
# Completed on Mon Aug 31 14:58:34 2020
# Generated by iptables-save v1.8.4 on Mon Aug 31 14:58:34 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:BANNED - [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j BANNED
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
-A BANNED -i bo0 -m conntrack --ctstate NEW -j SET --add-set banned src
-A BANNED -i nordlynx -m conntrack --ctstate NEW -j SET --add-set banned src
-A BANNED -m set --match-set banned src,src -j DROP
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -i br0 -o bo0 -j ACCEPT
-A PERMIT-FWD -i br0 -o nordlynx -j ACCEPT
-A PERMIT-FWD -j LOG --log-prefix "BLOCK FORWARD: "
-A PERMIT-IN -i bo0 -m set --match-set banned src -j DROP
-A PERMIT-IN -i nordlynx -m set --match-set banned src -j DROP
-A PERMIT-IN -i bo0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -i nordlynx -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -j LOG --log-prefix "BLOCK INPUT: "
-A PERMIT-OUT -o bo0 -m set --match-set banned dst -j DROP
-A PERMIT-OUT -o nordlynx -m set --match-set banned dst -j DROP
-A PERMIT-OUT -o bo0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -o nordlynx -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -j LOG --log-prefix "BLOCK OUTPUT: "
COMMIT
# Completed on Mon Aug 31 14:58:34 2020
Basically you just have to enable NAT and put an entry or two to allow "forwarding" inside/outside... Instead of tackling UDP/TCP ports to block, I just block everything "NEW" inbound as I'm not running services that should be reachable from the real world. Those sources get auto-added to the ipset as they hit the rule and no longer have to be processed if they hit again. If they get banned on entry there's a good chance they should be banned for outbound traffic as well, which is the rule under PERMIT-OUT.
I just save a copy to a location on the network, edit the file in Notepad++ and then restore the file with the changes w/o doing all of the CLI work on it. Overhead is quite minimal with this approach, with no loss in speeds, and the CPU doesn't take a hit even at full load on the network. The higher the load though, the more instances of WG kick into overdrive to handle the throughput, but no performance hits to other programs running.
For surveillance I run ntopng for logging things and being able to inspect the traffic sources/destinations and which ports they're using. (web gui)
Pihole (web gui) for domain / ad blocking
webmin (web gui) monitors system performance / can be used to edit CLI files as well instead of SSHing into your box -
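As an added check, not code from the post above: a small Python auditor for iptables-save output that verifies the two properties the post's ruleset relies on, default DROP policies on the builtin filter chains and no rule that ACCEPTs NEW flows arriving on the WAN interface. The embedded dump is a constructed, shortened version of the post's filter table, and bo0 is taken from the post as the WAN interface name.

```python
import re
# Constructed sample modelled on the post's filter table; not the poster's full dump.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-IN - [0:0]
-A INPUT -j PERMIT-IN
-A PERMIT-IN -i bo0 -m set --match-set banned src -j DROP
-A PERMIT-IN -i bo0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -j LOG --log-prefix "BLOCK INPUT: "
COMMIT
"""

def parse_iptables_save(text):
    """Parse iptables-save output into {table: {chain: {"policy": str, "rules": [str]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                       # table header, e.g. *filter
            table = tables.setdefault(line[1:].strip(), {})
        elif line.startswith(":"):                     # chain declaration with policy
            name, policy = line[1:].split()[:2]
            table[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):                   # rule appended to a chain
            chain = line.split()[1]
            table.setdefault(chain, {"policy": "-", "rules": []})["rules"].append(line)
    return tables

def audit(tables, wan_ifaces=("bo0",)):
    """Flag non-DROP builtin policies and ACCEPT rules admitting NEW flows from WAN."""
    findings = []
    flt = tables.get("filter", {})
    for builtin in ("INPUT", "FORWARD", "OUTPUT"):
        if flt.get(builtin, {}).get("policy") != "DROP":
            findings.append(f"filter {builtin}: default policy is not DROP")
    for chain, data in flt.items():
        for rule in data["rules"]:
            iface = re.search(r"(?:^|\s)-i (\S+)", rule)
            if not iface or iface.group(1) not in wan_ifaces or not rule.endswith("-j ACCEPT"):
                continue
            states = re.search(r"--ctstate (\S+)", rule)   # missing ctstate also admits NEW
            if states is None or "NEW" in states.group(1).split(","):
                findings.append(f"{chain}: accepts NEW flows from WAN: {rule}")
    return findings
```

Feed it the saved file instead of SAMPLE (for example, `audit(parse_iptables_save(open("rules.v4").read()))`) after editing rules offline, before running iptables-restore.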
So, I ran into a bit of a hiccup with Nord over the last couple of days. They released a new version of the client on *nix and it failed to set up the nordlynx adapter to successfully connect. I blew away the profiles and reinstalled, but to no avail; it would not actually connect again using WireGuard or even legacy ovpn profiles.
I figured it might be something on their end and let it sit for a couple of days while securing things through a SOCKS5 server instead. Dug around a bit and stumbled upon a Reddit post that had the repo info in it, and while it worked on 3.8.0 that also wasn't working since the update to 3.8.1. Pulled the 3.7.4 version and it's working again. Disabled the apt source for updates though until they get their stuff together on further releases.
https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/ (didn't think to look at the source file post update)
I'm not exactly sure what they changed in the newer releases but, obviously something major got zapped in the process that makes it not work. Hard to figure out though w/o it being open source and transparent to read through or do a compare between the code in both files.
The SOCKS isn't too bad but speeds are a bit more limited due to congestion on their limited servers, since they took the function off the majority of servers and now there are only 42 that connect that way. Must be a conflict between SOCKS and WG since the 4000+ servers w/ WG don't have SOCKS enabled.
Also, went on a hunt for other WG compatible services and there's only 3 running WG options thus far.
******************************************************************************************************************************
If you go here
https://nordvpn.com/coupon/deal/?coupon= thevpnman75&utm_medium=affiliate&utm_term=a_16072020_FtheVPN_man_Tach_d&utm_content&utm_campaign=off15&utm_source=aff33768
Gives you the 3-year option @ $107.55 ($2.99/mo) + ebates / rakuten 20% off ($86.04 / $2.39/mo)
Unless of course you have a subscription already; you can log in and renew w/ code WIRED for the lowest price $89/36 months + another 20% rebate if you use Rakuten, bringing it down another $17.80 ($1.97/mo).
Last edited: Sep 5, 2020
pFsense for Those tired of Consumer Routers
Discussion in 'Networking and Wireless' started by Aivxtla, Mar 14, 2020.