My Own Great Firewall

Feeling “Exposed”?

All you need to do is Google “router vulnerability” and you’ll be greeted with countless articles on security holes in just about every major router (wireless or otherwise) that continually pop up. If that’s not scary enough, dig a little deeper into how often (or not) these companies update the firmware on their routers to fix these vulnerabilities. Now ask yourself: when was the last time I even checked or updated my router’s firmware? Probably never.

But routers are only half the picture. Now Google “modem vulnerability” and you get just as many articles on security holes in the hardware your ISP provides you that’s ‘supposed’ to keep you safe. They’re not much better at providing updates to patch these holes either. Plus, many have backdoors that let your ISP (or a good hacker) in, even after you’ve locked the device down with a strong password. There is also speculation that many of these ISPs monitor and report activity on their modems to other companies for sale, or to governments…

Feeling vulnerable? Violated? Powerless?

I was. So I did something about it.

I built my own Great Firewall…

pfSense is an open source network security solution. So while this post is going to sound like a sales pitch for pfSense, it’s really not, because pfSense is FREE. And being open source means that many independent developers write, validate, audit and vet the code for known (and not yet discovered) security vulnerabilities. There’s no giant corporation or government with ulterior motives wanting to plant spyware/malware around the globe. Updates are frequent, obvious, and easy to install. And it’s got a huge, welcoming, knowledgeable community behind it to help you out with whatever issues (however silly) you may have. You can also subscribe, for $100/year, to their Gold Membership program for direct company support.

pfSense is enterprise-level network security that not only protects and monitors your intranet from the internet, but can also protect and monitor all traffic within your intranet. For home users it may be a bit of overkill, but you don’t have to use all of its features. And the power it provides will allow you to grow and secure your home network to virtually any size.

pfSense is more than just a router. Its features include: Firewall, NAT, VPN, Captive Portal, DHCP, DNS, Load Balancer, NTP, PPPoE Server, UPnP, Wake-on-LAN, Snort, just to name a few. You can use as many, or as few, of them as you need.

There is an awesome (but incomplete) series on YouTube on the features and configuration of pfSense. It’s a long watch, but well worth it if you’re interested: Comprehensive Guide To pfSense 2.3

pfSense is just software. You need hardware to run it on. Ideally, you need a computer with 2 network cards: 1 for WAN and 1 for LAN. But you can use just one and set up virtual networks to serve both WAN and LAN. There are countless articles on the Internet on how to use your old PC/laptop hardware as a pfSense router. And it doesn’t take a lot of horsepower to run it. Anything made in this century should be more than powerful enough to run as a pfSense router for your home.

I elected to buy new hardware as I wanted a small, dedicated box with 4 network ports. So I opted for a model very much like this:

Firewall Micro Appliance With 4x Gbe Intel Lan Ports for PFSense

It’s also pictured in the heading of this post.

pfSense also sells their own hardware, bundled with their Gold Membership, but this was cheaper.

My ISP was not very happy…

pfSense is not a modem, and I hated my ISP-provided modem/router. It was slow, buggy, handled only four concurrent connections…and lord knows what they were doing in it…

So I also bought a very nice, cheap Gigabit fiber modem from TP-Link:

TP-Link TL-EP110 (116¥)

I just set it to ‘Passthrough’ mode to disable its router and let pfSense do all the work.

My ISP said it couldn’t be done, that I must use their ‘special’ hardware. Their serviceman even tried to sell us a ‘special’ modem for 800¥. A little digging around on the Real Internet and I found out how to configure it. Then it was only a matter of typing in the CORRECT username/password for the PPPoE login (again, our ISP did not want to give this to us, but after enough yelling and blowing up, they did).

Now I can monitor all the traffic, watch out for (and get alerted to) possible attacks, block known malicious web sites and servers, update the software regularly, and optimize the traffic and routing for all my devices and IoTs. I can even monitor outgoing traffic just in case some malware gets installed on one of our devices and tries to do Evil things. If I want to be more like that other ‘Great Firewall’, I can even block web sites/services like Facebook, Google, YouTube, etc…(not gonna happen)

pfSense may be overkill for most people. But for me, I felt it was necessary. With all the hacks going around (DDoS attacks from infected IoT devices, data breaches, unpatched security holes, etc.), I felt it was time for me to take back some control over my privacy and data…as we all should.