PfSense


I recently set up a PfSense firewall with IDS/IPS. IDS stands for Intrusion Detection System, IPS stands for Intrusion Prevention System. I love to build and enhance my home network, and this was a fun and educational project to complete. On this page I will tell you more about it and even provide a DIY manual so you can build one yourself.

Background

It all started last year with an announcement in the news about people's PCs being turned into a gigantic botnet. Hundreds of thousands of them. So I decided to start this project to protect our home network from internet intruders.

The project

The first step was getting a VPN. I had a good look around and learned about the "14-eyes countries". You can read all about this HERE and also some here.

Another VPN issue is the logging policy. There are lots of VPNs available on the internet and they all have their own logging and privacy policy. No logging is always best, of course. You can find a detailed VPN comparison chart HERE.

So, after all the reading, I finally got my VPN. I installed the software on my PC and was now able to choose a country. Yay, it worked!

After some testing, the time had come to install the VPN on more devices. The provider allowed 6 in total, including mobile phones. So I got my son one for his PC and one for his mobile phone. I also installed it on my own mobile phone. Works great, by the way 🙂

But soon I found that 6 devices were not enough: we all have PCs, iPads, mobile phones, laptops, you name it. So I had to look for another way. I started reading again and learned about DD-WRT routers, which can act as a VPN client and serve a whole network. So I got myself an ASUS RT-AC56U wireless router. This one:

(Image: ASUS RT-AC56U)

I installed a VPN on it and connected the ASUS directly to the cable provider's router, so all internet traffic went through the VPN. It worked! But....
It was slow.... Really slow. A speed drop of about 80%. Bummer... Again, I started searching for possible causes. I read about the OpenVPN client not being optimized and that sort of thing. Someone said the CPU was too weak. But an 800 MHz dual-core CPU? Too weak? I didn't believe it. So I wrote to the VPN provider and explained my problem. The next day I got an answer: yep, too weak indeed. The CPU is not able to handle the VPN. Why? Because the software in the router uses only 1 of the 2 available cores when you have a VPN configured. If I wanted speed, I had to buy myself a 600 dollar router. But the VPN provider had another suggestion: PfSense. This is a freeware firewall that can also act as a VPN client and can do lots more. They suggested I try it out if I had a spare PC to install it on. So I politely said thank you for the good and honest advice and started my PfSense project.

I had an old ASUS Core 2 Duo board lying around that I could use. It had 2 GB of RAM that I expanded to 4 GB with spare DIMMs I still had. I also found an old laptop drive. 80 GB, good. The next step was the power supply. I had a few lying around, but which one still worked? Then I found one on which I had once scribbled "ok". Apparently, that one was still good. I also had a few old network cards lying around, so I hooked everything up and switched it on. Yay, it works!

The next step was the software. PfSense is available in a lot of flavors. There's PfSense and OPNsense, both available in 64-bit and 32-bit versions, and both are forks of older software called m0n0wall. Both are available as an ISO to burn to DVD, but there's also a USB stick image that you can write to a USB stick using Rufus. This is the simplest way:

1. Download the PfSense memstick image.
2. Extract the .img file from the .gz archive.
3. Download and run Rufus.
4. Select your USB stick.
5. Under "Create bootable disk using", click the CD-ROM icon and select the extracted pfSense .img that you downloaded.
6. Click Start and wait for the image to be copied to the USB stick.

That's all!

At first, I tried OPNsense. It looked better, more professional. However, during the install this proved not to be justified. The installer crashed and that was it. Even after several tries the installer refused to complete and crashed at various points. So I turned to PfSense. I found a good installation manual HERE. I put the VGA image onto the USB stick and started the installer. It installed without a hiccup! I now had PfSense running on my old motherboard. Here's an example I found on the internet of the PfSense console. This is what you see after installing:

(Image: an example of the PfSense console)

I now had to actually DO something with it, of course. So again, I started searching the internet for manuals on how to install a VPN on PfSense. I had a good look around and found one... from my own VPN provider! 🙂
That evening, I hooked up my motherboard to my home network using 2 network cables. One was used as the internet side and the other as the internal LAN side. I started reading the manual. Luckily, it covered configuring PfSense from scratch, so I had a good start.
You can find the PfSense VPN installation manual HERE.

That whole evening I was completely busy configuring the VPN. The next evening too... The list of things you need to configure is really long... But finally I completed the configuration and was able to try it out. It worked!

Now that everything worked, I had reached the point where I could attach it to my network more permanently. But how? I had a motherboard, a disk and a power supply, but no case to put them in. So for now I decided to use an old cardboard box from Amazon:

(Image: the cardboard box. Oh well, at least it works 🙂)

Snort

The next step was the installation of the Intrusion Detection / Intrusion Prevention software. I had heard about a very good IDS called Snort and wanted to learn more about it. I then read about the possibilities of PfSense and its ability to install plugins. To my pleasant surprise I saw Snort in the list of available plugins. Yay! Installing Snort had become really easy. Just the press of a button. And so I did, and Snort installed.

After installation, Snort does nothing. It just sits there. You now have to attach Snort to an interface. This can be LAN, WAN or the VPN. The best choice here is LAN. This has many benefits: Snort has only 1 interface to monitor, and it can now also monitor the INSIDE of your home network for irregularities. Also, on LAN Snort sees the unencrypted traffic before it enters the VPN and the unencrypted traffic after it leaves the VPN. Ergo, choosing LAN is best by a long shot!

I went looking for a Snort installation manual and found a good one. HERE it is.

Some explanation regarding Snort rulesets, or categories. The manual isn't very clear on them, so I'll explain a little here. After following the manual to the letter, you'll have a community ruleset activated in Snort. Besides that, you'll have an "Emerging" ruleset and an "Openappid" ruleset that you can activate. However, the community ruleset is very, very complete. When you have activated the "Snort GPLv2 Community Rules (VRT certified)", you'll notice that the Snort ruleset (the 2 columns in the center) has been sort of greyed out. You can't click on anything there. That's because these are all part of the community ruleset. The columns on the left (Emerging) and the right (Openappid) are the ones you can select categories from.

(Image: Snort rulesets)

Openappid

ONLY select the following from Openappid: ads, browser-plugin, hacktools.

If you select more from Openappid, you will get lots of unneeded warnings and blocks, because Openappid is a ruleset for businesses that do not want certain applications to run on their network. For example: "messaging.rules" will trigger if you start a messaging app on your PC or mobile, and you will get blocked.

Emerging

The best practice here is to ONLY select Emerging rulesets that are NOT part of the 2 columns in the center.

In the "Emerging" column there are 21 rulesets that do not occur in the community rulesets, so you can select them without getting doubles. Select ONLY the following:

activex, attack-response, botcc-portgrouped, botcc, ciarmy, compromised, current-events, dos, drop, dshield, exploit, malware, misc, mobile-malware, rbn-malvertising, rbn, sql, trojan, web-specific-apps, worm.

The "Emerging" rulesets and community rulesets are aimed at preventing real threats from the inside AND the outside.

After configuring Snort, I had a look at the PfSense theme. The default web interface of PfSense is kind of boring. Black on white. I read that the interface of PfSense is completely configurable, so I went ahead. I changed the theme to PfSense-dark and moved the modules around in the PfSense dashboard.
It now looks like this:

(Image: my PfSense dashboard)

Traffic Shaping

If you use PfSense on a network with more people, it's a good idea to activate the Traffic Shaper. With the Traffic Shaper active, it's no longer possible for one user to hog the connection, effectively locking other people out. Many people complain on forums about Traffic Shaping being difficult to configure right, but PfSense made it easy and provides a wizard that does this for you. HERE is the manual for configuring Traffic Shaping on PfSense using the wizard.

Earlier, I had ordered a minitower case from Amazon for my poor motherboard in its cardboard box. The case arrived and I installed the motherboard in it, along with the disk and power supply. It looks a lot better now. 🙂 Here it is:

(Image: the PfSense minitower)

And that's it! Set the DNS of all your clients on the network to point solely at your PfSense router to prevent DNS leaks and you're fine.

A tip: it's good practice to have a regular look at the logs, especially the OpenVPN log of PfSense. There's a good chance the OpenVPN log gets flooded with lines like this:

openvpn 9869 Authenticate/Decrypt packet error: bad packet ID (may be a replay):
 [ #295316 ] -- see the man page entry for --no-replay and --replay-window for 
more info or silence this warning with --mute-replay-warnings

If you get these, you will have around 100 lines every second and a slow system. OpenVPN can handle that many errors, but it's better to fix it: go to VPN –> OpenVPN –> Client and click the pencil behind your VPN. Scroll down to "Advanced Configuration". Here you have the Custom Options. One of them is called "mssfix 1450;". Change the 1450 into 1400 and hit the Save button. Now wait half an hour or so, then check your logs. The lines should be gone.
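As an added example (not part of the original post), here is a small POSIX shell check that counts those replay warnings per second in a log, so you notice the flood before the box slows down. The lines in SAMPLE_LOG are constructed for the example; the syslog-style prefix on each line and the /var/log/openvpn.log path are assumptions about how PfSense writes the OpenVPN log, and the default threshold of 50 warnings per second is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the original post: detect an OpenVPN replay-warning
# storm in a PfSense log. Syslog-style prefix ("Mon  D HH:MM:SS host ...") is assumed.

# Constructed sample log lines (three warnings in one second, one later).
SAMPLE_LOG='Mar  3 21:14:07 pfSense openvpn[9869]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #295316 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar  3 21:14:07 pfSense openvpn[9869]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #295317 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar  3 21:14:07 pfSense openvpn[9869]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #295318 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar  3 21:14:08 pfSense openvpn[9869]: Initialization Sequence Completed
Mar  3 21:14:09 pfSense openvpn[9869]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #295320 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings'

# Reads log lines on stdin and prints the highest number of replay warnings
# seen within any single second (0 when there are none). The key is the
# date + time fields, so warnings are grouped per second.
peak_replay_warnings_per_second() {
    awk '
        /bad packet ID \(may be a replay\)/ { n[$1 " " $2 " " $3]++ }
        END {
            peak = 0
            for (t in n) if (n[t] > peak) peak = n[t]
            print peak
        }'
}

# Returns 0 and prints a hint when the peak exceeds the threshold ($1,
# default 50 per second), otherwise returns 1.
replay_storm() {
    threshold=${1:-50}
    peak=$(peak_replay_warnings_per_second)
    if [ "$peak" -gt "$threshold" ]; then
        echo "replay storm: $peak warnings/s (> $threshold/s); lower mssfix from 1450 to 1400 in the OpenVPN client's Advanced Configuration"
        return 0
    fi
    return 1
}

# Usage against a real log (path assumed):  ./replaycheck.sh run < /var/log/openvpn.log
if [ "${1:-}" = run ]; then
    replay_storm 50
fi
```

The check is deliberately per second rather than a total count: a handful of replay warnings after a reconnect is normal, the steady 100 lines per second described above is what makes the system slow.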

—–

The minitower is happily whirring away softly, and every now and then I fine-tune the Snort rules a little when someone has run into trouble connecting to a site. Most of the time the cause is a malformed line in the HTML. But it could also be worse: on the PfSense dashboard screenshot on this page you see Snort alerts about EXE or DLL downloads. That is my son's laptop. He had the same thing on his PC and had to resort to Malwarebytes to get rid of the malware that tries to install more malware on his PC. A normal antivirus (he has Avira running on his PC and laptop) found nothing. After several hours Malwarebytes was finished and had found 14 pieces of malware on his PC. He should really be more careful.

Monitoring

It is generally a good idea to have PfSense monitor its own services. You do that by going to System –> Package Manager and installing the package "Service_watchdog". After installing, go to Services –> Service Watchdog. Here, click "add service" and add a service you want auto-restarted should it stop. I added all services, so I won't have to worry about any service stopping by itself. It will get restarted automatically:

(Image: Service Watchdog)

I also checked notifications on some of them, because I want to know when a service goes down.

Should you want to be informed by email about the status of your PfSense, install the package "mailreport". HERE is the installation manual.

In case you use PfSense professionally, or you're one of those "tech nerds" (like me) who have their own monitoring server running at home, here are a few pointers to get PfSense decently hooked up to your monitoring. Rule no. 1: do NOT try to install a Nagios or Check_mk client on your PfSense server. You won't succeed. PfSense is built on a fully customized version of FreeBSD and everything is protected. Example: if you try to add anything to rc.conf or xinetd.conf or in /etc/rc.d, it will be deleted automatically. The same goes for all PfSense config files. At every reboot everything is freshly written. So forget about installing. There are, however, other ways. I succeeded using SNMP. I have a Check_mk server running, so I hooked up my PfSense to my Check_mk using SNMP. HERE is the installation manual for SNMP.

After you have installed SNMP and configured the community string, you can add PfSense to your monitoring. Check_mk came right up with 25 checks after connecting; here is a screenshot:

(Image: Check_mk screenshot)

(Image: Check_mk screenshot 2)

But I guess every monitoring environment has its own set of checks for this, and you will probably also disable some of the checks for various reasons.
In my case, I found that some checks didn't get filled after a while, so I disabled them. The list is a bit shorter now, but at least it makes sense. (OK, I still have to look at the memory check. 🙂 ):

(Image: Check_mk screenshot 3)

The latest addition, which I'm very happy with, is a little monitoring script on my Nagios server that checks the VPN every minute. It does a DNS query through the VPN to a NordVPN DNS server with a 2-second timeout. When the timeout is reached, the script acts like a human and logs in to the PfSense server, goes through the PfSense SSH BSD shell menu, restarts the VPN service, goes back to the menu, logs out and sends me a message. This works like a charm. Every now and then the data through the VPN stalls, and when that happens the connection is refreshed by stopping and reconnecting the tunnel. It works so well that in the same minute my Nagios server detects timeouts on various sites like duckduckgo.com and Google, the script springs into action and restarts the VPN. After that, I get a Telegram message on my mobile phone to notify me that the VPN has been restarted. It's perfect!

Here’s my script.

1 – Main script, this is restartvpn.sh:

#!/bin/sh
# One log file per run, named after the user running the script and the PID of this shell.
LOG_FILE="/<scriptdir>/log/ssh-$(whoami)-$$.log"
echo "#### start logfile ###" >>"${LOG_FILE}" 2>&1
# Probe: a DNS query through the VPN to the VPN provider's resolver with a 2-second timeout.
# If it gets no answer, the tunnel is assumed to be stalled.
if ! nslookup -timeout=2 duckduckgo.com 78.46.223.24 >>"${LOG_FILE}" 2>&1; then
    echo "VPN not OK - restarting" >>"${LOG_FILE}" 2>&1
    # Log in to the PfSense box and feed the console menu the lines from vpnrestart.sh.
    # The password lives in this file and host-key checking is off, so keep the script
    # readable only by the account that runs it.
    sshpass -p "<password>" ssh -o StrictHostKeyChecking=no <login>@<ip-address> < /<scriptdir>/vpnrestart.sh >>"${LOG_FILE}" 2>&1
    # Notify via the local Telegram gateway listening on port 2301.
    sleep 1; echo "msg <telegram-username> The VPN has been restarted. " | nc -w 5 127.0.0.1 2301
fi
echo "--- Finish --- " >>"${LOG_FILE}" 2>&1
exit

The script comes in 3 parts: the one above is the main script, the one below is the input for the SSH session (8 selects the shell in the PfSense console menu, exit returns to the menu and 0 logs out). The last part is the cron configuration.

2 – Input file, this is vpnrestart.sh:

8
/usr/local/sbin/pfSsh.php playback svc restart openvpn client <vpn client id>
exit
0

3 – Cronjobs:

* * * * * /<scriptdir>/restartvpn.sh
0 2 * * * find /<scriptdir>/log/ -mindepth 1 -mtime +1 -delete

I created 2 cronjobs: one for the script and a second one for clearing out obsolete logs. I really do love logs, but with a new logfile every minute, a little housekeeping is a necessity. This little cronjob removes everything older than yesterday.
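As an added example (not the author's script), here is a hardened variant of the watchdog built on the same check-and-restart idea: key-based SSH instead of a password stored in the script, a pinned host key in known_hosts instead of StrictHostKeyChecking=no, a lock so overlapping cron runs can't restart the tunnel twice, one appended log file instead of a new file every minute, and a counter that requires a few consecutive failed probes before the tunnel is bounced. The SSH user vpnwatch, the key path, the state directory, the log path and the values in angle brackets are assumptions to replace for your own setup; the console keystrokes fed to the SSH session are the same as in vpnrestart.sh above, and the resolver address is the one from the original script.

```shell
#!/bin/sh
# Added example, not the author's script: hardened VPN watchdog for cron.
# Assumed (replace for your setup): PF_HOST, a dedicated SSH user PF_USER on
# PfSense with the public key of PF_KEY in its authorized_keys, STATE_DIR, LOG_FILE.
PF_HOST="${PF_HOST:-<ip-address>}"
PF_USER="${PF_USER:-vpnwatch}"
PF_KEY="${PF_KEY:-/root/.ssh/vpnwatch_ed25519}"
STATE_DIR="${STATE_DIR:-/var/tmp/vpnwatch}"
LOG_FILE="${LOG_FILE:-/var/log/vpnwatch.log}"   # one appended log, no per-minute files
PROBE_NAME="duckduckgo.com"
PROBE_SERVER="78.46.223.24"   # resolver from the original script
FAIL_THRESHOLD=3              # consecutive failed probes before restarting

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG_FILE"; }

# Probe: does a DNS query through the tunnel get an answer within 2 seconds?
vpn_dns_ok() {
    nslookup -timeout=2 "$PROBE_NAME" "$PROBE_SERVER" >/dev/null 2>&1
}

# Keep a count of consecutive failures in the file $1 so one lost packet does
# not bounce the tunnel. $2 is the probe status (0 = ok), $3 the threshold.
# Prints "ok", "wait" or "restart"; the counter is cleared on "ok" and "restart".
record_probe() {
    counter_file=$1; probe_status=$2; threshold=$3
    if [ "$probe_status" -eq 0 ]; then
        rm -f "$counter_file"
        echo ok
        return 0
    fi
    fails=$(cat "$counter_file" 2>/dev/null || echo 0)
    fails=$((fails + 1))
    if [ "$fails" -ge "$threshold" ]; then
        rm -f "$counter_file"
        echo restart
    else
        echo "$fails" >"$counter_file"
        echo wait
    fi
}

# Same console keystrokes as vpnrestart.sh (8 = shell, exit, 0 = logout), fed
# over key-based SSH. The PfSense host key must already be in known_hosts
# (capture it once with ssh-keyscan), so StrictHostKeyChecking stays on.
restart_vpn() {
    printf '8\n/usr/local/sbin/pfSsh.php playback svc restart openvpn client <vpn client id>\nexit\n0\n' |
        ssh -i "$PF_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
            -o ConnectTimeout=10 "$PF_USER@$PF_HOST" >>"$LOG_FILE" 2>&1
}

# Notification hook; the original script used a local Telegram gateway on port 2301.
notify() { echo "msg <telegram-username> $*" | nc -w 5 127.0.0.1 2301; }

main() {
    mkdir -p "$STATE_DIR"
    # mkdir is atomic, so it serves as a portable lock against overlapping cron runs.
    mkdir "$STATE_DIR/lock" 2>/dev/null || exit 0
    trap 'rmdir "$STATE_DIR/lock"' EXIT
    if vpn_dns_ok; then status=0; else status=1; fi
    case $(record_probe "$STATE_DIR/failures" "$status" "$FAIL_THRESHOLD") in
        restart)
            log "VPN probe failed $FAIL_THRESHOLD times in a row - restarting OpenVPN client"
            if restart_vpn; then notify "The VPN has been restarted."; else log "restart over SSH failed"; fi ;;
        wait) log "VPN probe failed, waiting for more evidence" ;;
    esac
}

# cron line (path assumed):  * * * * * /<scriptdir>/vpnwatch.sh run
if [ "${1:-}" = run ]; then main; fi
```

Run it from cron with the run argument; without the argument the file only defines the functions, which is handy for testing record_probe on its own. With a one-minute cron interval the counter means a single missed probe is only logged, while three misses in a row (three minutes of a stalled tunnel) trigger the restart, so a short hiccup on the resolver no longer tears down a working connection.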

PfSense and SSD

One more thing: I tried an SSD in my PfSense firewall for a few days, but today I switched back to a normal HDD. The SSD started to produce errors that made the VPN connection hang, and more and more services started to crash randomly and ultimately daily. My conclusion is: do not use an SSD drive, it is not suitable for PfSense.

Good luck building your own PfSense VPN-router/firewall!