Moving to pfSense

Quite a while back, I was introduced to pfSense by a friend. At first looks, I didn't much get the benefits of using pfSense over manual iptables or a hardware router. The MakerForce server had been behind a consumer RT-N56U (quite a rock-solid access point cum router), with port forwards, and for a while, fully 1:1 NATed (or "DMZ"). It served us well for quite a while, but recently I noticed some occasional freezes. So, I decided to jump ship and revamp the networking at home.

I began by decommissioning the RT-N56U to just act as an access point. I have two NICs on my main box, and since I didn't have another box and was already running QEMU/KVM, virtualising pfSense was the best and only option.

The two NICs are important, because it allowed me to use one NIC for WAN, and the other for LAN. In virt-manager, I configured the WAN NIC to use macvtap to passthrough into pfSense, and then set up a bridge in the host networking side (I had problems when QEMU managed the bridge). The host bridge was linked to the LAN virtual interface of pfSense, the host OS and the LAN NIC. Also, if you are running a virtual BSD machine, the e1000 driver is by far the most stable. I had issues with the libvirt driver that I will explore sometime.

This way, my entire LAN routes through my pfSense router through the LAN port. I have my 8-port desktop switch connected to that NIC, with my home access points, printer and other test boxes connected to the switch.

When it came to configuring pfSense, I was amazed at the options. It's filled with so many useful options and features, yet it's somewhat easy to configure. I had to mess around with IPv6 settings to get it to work, but setting up DHCP, OpenDNS, port forwarding and firewall rules were quite a breeze. The package manager also made it easy to install add-ons, so I experimented a little with FreeRADIUS and 802.1X.

Nice dashboard

So far, everything has been running smoothly, except for a few hiccups with my WAN going offline, most likely due to my ISP. I'm still looking into that though.

Anyway, even if you don't have a home network to run, do try out pfSense in a VM, it's quite fun to mess with :)