
Terminal Server Aware Web Proxy Server with pfSense

At work, I have a client that was requesting the ability to monitor/block sites that their users were visiting. This is traditionally quite easy with just a Squid proxy server or a Barracuda Web Filter, but they really didn’t want an extra server to be installed during this process AND they were using a terminal server.

I started looking for server-side applications that I could install and just have the admin pull the data from there; however, the costs I was finding were a bit too much. I set up a pfSense box in a quick lab to demo this. After installing pfSense on some old hardware, I did a basic configuration of the box and then installed the Squid proxy package. I configured this to be a traditional proxy where I had to send traffic to a specific port, and the user was required to log in. That was really the trick to get the terminal server users broken apart. I know it could probably use a little massaging with NTLM authentication or some other clean mechanism, but for the lab and the purposes of this client, this hit the mark for a great price.
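To make the “required to log in” part concrete, here is a minimal squid.conf fragment of the kind the pfSense Squid package generates for a non-transparent, authenticated proxy. This is an added example, not the author’s lab configuration; the listening port, the helper and password file paths, the realm, the blocklist file and the log path are all assumptions and may differ on a given pfSense release.

```conf
# Clients are pointed at this port explicitly (not transparent), so every
# request carries a Proxy-Authorization header that identifies the user.
http_port 3128

# Basic auth against a local htpasswd-style file.
# Helper and password-file paths are assumptions for this example.
auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/passwd
auth_param basic children 5
auth_param basic realm Company Web Proxy
auth_param basic credentialsttl 2 hours

# Standard safe-port ACLs
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Site blocklist: one domain per line, e.g. ".example.net" (file path assumed)
acl blocked_sites dstdomain "/usr/local/etc/squid/blocked_domains"

# Any request must carry valid proxy credentials
acl authenticated proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Challenge for credentials before anything else, so even a blocked request
# is logged against a username rather than just the terminal server's IP
http_access deny !authenticated
http_access deny blocked_sites
http_access allow authenticated
http_access deny all

# Default "squid" log format: the 8th field of each line is the username
access_log /var/squid/logs/access.log squid
```

Because every terminal server session comes from the same source IP, the source address in access.log is useless for attribution; the authenticated username on each log line is what separates the sessions. Basic auth sends the credentials base64-encoded in every request, so this is only acceptable on a trusted internal segment, which is the reason NTLM or Kerberos would be the cleaner mechanism.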

I did mention that they did not want to install new hardware during this process, but they knew they needed to upgrade the Linksys “router” that was currently firewalling their network. I am once again impressed with the flexibility and ease of use that pfSense gives you. I truly have only one complaint about the system at all, but it has nothing to do with this, and as I understand it, that feature has been added in pfSense 2.0: the management of OpenVPN clients/certificates is somewhat of a nightmare for large installs unless you use a single certificate for all users (not recommended).


pfSense 1.2 Release

I had been waiting for quite some time for 1.2RC4 to be kicked out of the way for the 1.2 final release. This release made some pretty big improvements over previous releases. Those improvements can be found here and here. What’s funny is I waited and waited like a little kid, then when it came out, I was probably the 300kth to download it. For some reason, I got so busy when this release hit it was crazy. However, when I did get around to installing it, I did my home one first. I had been running 1.2RC4 since the day it came out with zero issues. The upgrade went very smoothly. I wish all upgrades were that easy. Hint: when doing the firmware upgrade, click on another menu item to see a cool picture of a HD spitting out 1’s and 0’s. After I knew the install was a success I upgraded a number of other systems to the latest and greatest (6 in total) and had zero issues on the upgrade. After the upgrades were done, I reinstalled the packages that had newer release versions and kept on trucking.

This weekend I’ll be doing two more that are quite important, and I will need to make sure I back up the configs beforehand…..yeah, I didn’t on the other ones 🙂 I’m hoping the next year flies by for the FreeBSD 7 based version of pfSense. It’s supposed to have a large number of improvements as well. FreeBSD’s website has a large number of them listed here. It amazes me that an already good product can go release after release and just get better and better.

I’m hoping my company will start using more of these instead of the Cisco ASA for our smaller clients, but we just started down the reseller path for Cisco so I don’t have too high expectations of doing so. Oh well, I’ll use it where I can.

For more information on pfSense, its little brother m0n0wall, or FreeBSD, check out the hotlinks.


Update – Very Delayed

Ok, so far this year I’ve done a very crappy job of keeping the site updated. Too busy, too bored, sick, at work, excuses excuses… I have actually been sick and too busy lately, so those really aren’t bad excuses. 🙂 Well, since I don’t have anything tech-like to talk about, I’ll update you on my current work.

pfSense 1.2 Final will be out sometime soon, so I’ll be updating numerous firewalls to that code base when it does hit FINAL.

This next weekend I will be installing a pfSense box for my Dad to start using/managing.

I have been working with my Dad on a web hosting reseller configuration at Hopefully we will be able to get that up and running so I can migrate the rest of my websites over to there. He is doing the reseller setup through HostGator.

I’ve been working on some other website / blogging ideas to help pass the time; however, I don’t have time to think about them…strange situation.

This week at work, the TechTalk will for the second time be hosted by someone else. Kenny Kant, my counterpart at work, has offered up his services to do a TechTalk on Microsoft Small Business Server 2003. I’ll try to talk to him about adding some content on here as well.


pfsense Embedded Hardware Project

Hello everyone, sorry I have been away for so long. Holiday plus vacation took a little bit out of me. Hopefully I will be back strong this year and write up a bunch of articles that someone will get something out of. Here we go.

At work, one of my upcoming projects will be testing the embedded hardware from ALIX to build a firewall that is as capable as a Cisco PIX 506E and then some for under $300. The hardware I am speaking of actually needs to be assembled, which is kinda cool, and all in all is the size of a Cisco PIX 501, which is in the neighborhood of 6″x6″. Not too shabby, huh?

Here’s the parts list stolen from the pfSense blog:

ALIX Board

Black Case
2GB CF Card
Power Supply
Wireless Card

The CF card, wireless card, pigtail, and antenna might be sourced elsewhere if I can find good deals; however, for the power supply, ALIX board, and case I will be using Netgate. Total cost for the items mentioned at the time of this writing is $235.50 plus tax and shipping.

As you can see, the embedded hardware will have three 10/100 NICs and an 802.11a/b/g wireless card, which when paired with pfSense would make an excellent branch office or home router/firewall/IDS/wireless device.

I’ll let you know my progress as it begins to unfold; it shouldn’t take me long after I receive all the parts.


pfsense in the Enterprise

I know I haven’t been updating my blog like I usually do, but in my defense, I have been pretty busy. Lately it seems that even though I would like to go home on time, I don’t or can’t because of another pressing issue or a deadline at work. Additionally, I have added a few projects to my to-do list. One of them includes building a fully functional, failover-capable firewall solution that can handle more traffic than I personally can provide content for. The solution I am speaking of is pfSense. I have mentioned the BSD-based firewall solution before, but that was only my home firewall. The CD-ROM based version of the distribution works perfectly on even some of the oldest (I’m using that term loosely) hardware and still provides enough throughput for the biggest cable download speeds you can buy.

At work, as a project, I am (with one of my colleagues) building two firewalls that act as one, just like an active/passive failover cluster. Currently I am running release 1.2 RC3, which was released just a few days ago. So far the solution has been stellar, to say the least. The developers and the community behind pfSense are really awesome; the capabilities that the “FREE” firewall solution has in its back pocket beat the crap out of a Cisco PIX 515 or ASA 5510. Sure, you can do most all of the things that pfSense does with a PIX or ASA from Cisco, but it’ll cost you extra. Now with the Snort package available from pfSense, as well as Squid and a BGP package, pfSense is starting to grow some muscles. I will say that Cisco has the VPN department OWNED, but hopefully the features they offer will be developed for OpenVPN in the near future. Now on to the build.

Here is a simplified diagram of the design that I have built successfully:

pfSense network diagram

The design is a no-brainer: managed switches inside and outside, two firewalls with a CARP sync connection between them, and 3 VLANs internal to the network that are in no way, shape, or form able to talk to each other, unless of course someone does a little VLAN hopping. I’m not going to worry about that at this point, however.

The true beauty behind using pfSense for this solution is the simplicity of the installation and configuration to get it up to a production level. Once you figure out how the different facets of NAT can help you achieve your goal, the configuration is very straightforward. If you want your entire segment to send out traffic as a single IP (NAT overload), you put it in the Outbound NAT table; if you want to provide services on specific ports, you add them to the Port Forward table; and if you want a single IP address on the inside to have its own dedicated outside IP, add it to the 1:1 NAT table. Very simple stuff. When you add things to the Port Forward NAT table, it has the ability to auto-add a firewall entry for you as well; I usually let it do this and then adjust its configuration accordingly.
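For concreteness, here is what those three NAT facets, the auto-added port forward rule, and the three isolated VLANs from the diagram look like as the pf rules pfSense writes behind the GUI (1.2-era nat/rdr/binat syntax). This is an added example and not the author’s configuration: the interface names, addresses, and service ports are assumptions, and it leaves out things a production box also needs (DHCP, anti-spoofing, the firewall’s own services beyond DNS, and the CARP/pfsync pieces).

```conf
# --- Macros and tables (all values assumed for this example)
ext_if  = "em0"
int_ifs = "{ vlan10, vlan20, vlan30 }"
web_srv  = "192.168.10.10"   # internal web server behind a port forward
mail_srv = "192.168.10.20"   # internal mail server with a 1:1 public address
mail_pub = "203.0.113.20"    # its dedicated public address

# Tables, not lists, so that "! <lan_nets>" negates the whole set;
# "! { a, b, c }" would expand into three rules that each negate only one entry.
table <lan_nets> { 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 }
table <fw_self>  { 192.168.10.1, 192.168.20.1, 192.168.30.1 }

scrub in all

# --- Translation rules (pf evaluates these before the filter rules)

# Outbound NAT ("NAT overload"): every internal segment leaves as the WAN address
nat on $ext_if from <lan_nets> to any -> ($ext_if)

# Port forward: TCP/80 arriving on the WAN address goes to the web server
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# 1:1 NAT: the mail server owns a dedicated public address in both directions.
# pf checks binat before nat, so this host is never masqueraded by the rule above.
binat on $ext_if from $mail_srv to any -> $mail_pub

# --- Filter rules
block log all

# Each VLAN may reach the firewall itself for DNS ...
pass in quick on $int_ifs proto { tcp, udp } from <lan_nets> to <fw_self> port 53 keep state

# ... and anything outside the internal address space, but never another VLAN
pass in quick on vlan10 from 192.168.10.0/24 to ! <lan_nets> keep state
pass in quick on vlan20 from 192.168.20.0/24 to ! <lan_nets> keep state
pass in quick on vlan30 from 192.168.30.0/24 to ! <lan_nets> keep state

# The rule pfSense auto-adds for the port forward. It matches the internal
# address, not the WAN address, because rdr has already rewritten the
# destination by the time the filter rules run.
pass in on $ext_if proto tcp from any to $web_srv port 80 keep state

# A 1:1 mapping translates addresses only; the mapped host still needs explicit
# pass rules for whatever it serves (again against the internal address).
pass in on $ext_if proto tcp from any to $mail_srv port 25 keep state

# Firewall-originated traffic (DNS lookups, package fetches)
pass out keep state
```

Two things worth checking once a ruleset like this is live: `pfctl -sn` shows the translation rules and `pfctl -sr` the filter rules in the order pf will evaluate them, and a packet from one VLAN aimed at another should show up as a `block` entry in the pf log rather than silently disappearing, which is the quickest way to confirm the isolation actually holds without relying on the switches.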

CARP (the sync mechanism) for pfSense is quite easy to configure as well. There is a very nice tutorial on that shows you how to accomplish this. Basically, on the primary firewall you put in the IP of the other firewall, tell it what interface to sync through and what to sync, and voilà, you are done.

I’ve barely started putting services behind the firewall but will be pushing the project live very soon. I will keep you posted on how it performs and the battles I had to fight to get things to work, and offer any guidance I may have that would benefit you. Thanks for reading.