Experimenting with pfSense

I've been working today on replacing a client's Snapgear SG580, a Linux-based firewall appliance which is no longer supported, and is no longer coping with the load being placed on it.  We've been casually searching for an appropriate successor over the last year or so, and weren't really impressed with the options available.

The main features we were looking for were:

  • Support for IPSec, OpenVPN, and PPTP VPNs
  • Support for VLANs, OSPF, policy-based routing, and multi-WAN failover
  • Simple, web-based interface to firewall rules which supports symbolic names and groups
  • SNMP support for monitoring
  • Reasonable price

We would have preferred a low-power appliance (and did consider some like the Mikrotik RouterBoards), but this was less important than finding something that would work well.  We considered a few different Linux-based software appliances, including Endian Firewall, Untangle, and Vyatta, but each of them fails on one or more of the above criteria.  The one solution that seemed to keep coming up was pfSense.  My only reluctance was that because it is based on FreeBSD & OpenBSD, my troubleshooting experience on Linux would be negated.

However, we gave it a try and so far pfSense has been very impressive.  I installed version 2.0.1 (64-bit version) on an IBM x3550 server with 2 GB RAM and two 300 GB 10K RPM SAS drives in RAID 1 configuration, and it seems to perform very well.  In particular, the web GUI was quite responsive compared with the SG580.

We're logging everything to a syslog server on the internal LAN, and this has proven helpful in getting a feel for what pfSense is doing under the covers.  The biggest frustration i've found so far is that there isn't any obvious way to turn off logging on the default block all firewall rule, which means that every DHCP or NetBIOS broadcast on the LAN and every RDP or MSSQL scan on the WAN is logged.

Update: It turns out there is an option for this in the GUI.  See the comments below.

It turns out that it is possible.  Here's how i did it:

  1. OpenBSD's pf is a little unfamiliar to those of us used to Linux iptables rules or Cisco router ACLs, but i found http://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset and followed the instructions, which showed me all the firewall rules.  Sure enough, there's a log option on the default rule (which lives at the top of the list, not the bottom as in iptables).
  2. http://doc.pfsense.org/index.php/How_can_I_edit_the_PF_ruleset pointed me to /etc/inc/filter.inc, which i read through and found the code which generates the default rules.  There's an undocumented configuration option in the code to disable logging: syslog -> nologdefaultblock
  3. I read through the other files in /etc/inc and found references to config.xml.  http://doc.pfsense.org/index.php/How_can_I_reload_the_config_after_manually_editing_config.xml%3F talks about how to edit it.  I used viconfig from the command line, but using Diagnostics -> Edit File from the web configurator works equally well.
  4. I included the XML directive <nologdefaultblock/> in the syslog section of config.xml and saved my changes.
  5. One thing i was not fully clear on was how to activate this config change; viconfig did not seem to automatically reload it when i used it, but perhaps i was just being impatient and it would have loaded it within a few seconds or minutes.  Being a beginner, i decided that i wanted to be sure that this change would persist across reboots, so i rebooted my test system.
  6. Sweet syslog relief!  It had the desired effect and the change was persistent.

I might blog a few more things about pfSense as i test it more over the next few weeks.  It's looking like a pretty capable platform.  Although i can't help wishing from the perspective of familiarity that it were based on Debian (with its massive range of packages) and used Shorewall (with its outstanding documentation) for the firewall. :-)