What is pfSense?

pfSense is free and open source software (FOSS) that anyone can download and use. It is essentially an operating system that serves as a very robust and full-featured firewall for your home or business internet connection. pfSense is installed on a dedicated device placed between the incoming internet connection from your ISP (Internet Service Provider) and your home network with all of its devices.

The physical device that hosts pfSense is typically a purpose-built box such as those from Protectli or Netgate; for a full list of supported hardware, visit https://www.pfsense.org/

Why do we want one of these? It gives us much, much more privacy as well as security for our home internet. Normally the ISP sees every website you visit and collects enormous amounts of data on us; one of these lets you lock them out instead. They can also be configured to harden your network against attackers seeking to do bad things to it.

Small, yet powerful Netgate SG-1100:

A Protectli 4 port machine for hosting pfSense home firewall software:


To set this network up, first download pfSense and burn the image to a bootable USB stick. Plug power, a monitor and a keyboard into the Protectli box, plug in the USB stick and install pfSense. The default settings are generally recommended for most people, so just hit Enter through the installation options; you can change anything you want later. Once installed, remove the USB stick when prompted, disconnect the monitor and keyboard, and plug the box into your network: run a cable from your internet provider's modem to the WAN port on the Protectli box, and add a router if desired, configured as an access point (see the first video below for details). Then log in to the device through a web browser on your computer by navigating to the default IP address of your pfSense box, usually 192.168.1.1.

Configure pfSense with your VPN (Virtual Private Network) provider account credentials. Once the connection to the VPN is set up, anything you connect to your network through pfSense will be protected behind the VPN. This is advantageous compared to simply connecting to your home network and then turning on a VPN client on the device: even with kill-switch settings on, you still leak too much information to the ISP in those moments before the device drops behind the VPN. With the pfSense firewall, your Protectli box holds the VPN connection, and your computer's or phone's traffic is hidden.

Remember, though, that even if using this makes your traffic invisible to the ISP, you are likely being logged by the VPN company, which is why careful selection is wise when choosing who to trust with your data. Some VPN companies are logging, all have the ability to log, and some may even be selling that data, especially the free ones. Proton and Mullvad are considered the best choices by many, but please do your homework to see what fits you. Some VPNs, such as Mullvad and others, can be paid for with cash or crypto for better anonymity, while others, such as Proton, PIA, Nord and IVPN, may offer better speeds in one place or another.

The other wonderful things this box can do include filtering out anything you like and creating rules for certain ports, IP addresses or devices to restrict or grant access. There are intrusion detection services such as Snort (free) that can be configured to monitor for anyone trying to scan or attack your network. There are many, many other services and plugin-like packages to play with; pfSense is extremely robust and feature-rich.


An excellent resource to take a closer look at the installation, configuration and use of this system is Michael Bazzell’s website at https://inteltechniques.com/firewall/

Network Chuck gives an excellent explanation of the install and basic setup, and it is very easy to follow.

—————————

One of the more advanced and thorough tutorials is by Lawrence Systems, who has excellent knowledge of this subject.

Here is another diagram with an example configuration; there are many options: wireless only, wired only, or a mix of wired and wireless. Most will want some type of router with WiFi for the phones on their home network, but wired ethernet connections offer better connections for your computers.

————————————-

Now, in addition to a Protectli box (or a different hardware option) running pfSense, you may wish to expand your network by adding a managed switch. While many use just WiFi connections, wired connections are easier to protect and are recommended for that clunky desktop that sits in the same spot; run a LAN (ethernet) cable to it if you can. The Protectli boxes come in 2, 4 or 6 port (ethernet port) versions. Most will be fine with a 2 port, but if you run multiple computers or devices hardwired, the 4 port offers not only more room but also allows for other features, such as running an open port for things like streaming Netflix video or games. (On a 4 port, for example, the incoming WAN from your ISP takes one port, another goes to a router, one goes to another device, all protected with a VPN, and the remaining port is not behind a VPN so it can be used for streaming and games.)
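As an added illustration (not from this post, and not pfSense's own generated rule set), here is what the 4-port layout just described, together with the kill-switch point made earlier, amounts to as pf firewall rules on the FreeBSD packet filter that pfSense uses. The interface names, the tunnel interface `ovpnc1`, the tunnel gateway `10.8.0.1` and the VPN port 1194 are assumptions; change them to match the box and provider.

```pf
# Assumed interface names for a 4-port box (pfSense shows names like igb0..igb3).
wan    = "igb0"      # cable from the ISP modem
lan    = "igb1"      # router/access point, all its clients protected by the VPN
dev    = "igb2"      # a second wired device, also protected by the VPN
clear  = "igb3"      # streaming/games port, deliberately NOT behind the VPN
vpn    = "ovpnc1"    # OpenVPN client tunnel interface (assumed name)
vpn_gw = "10.8.0.1"  # VPN provider's gateway inside the tunnel (constructed)

# Private ranges: traffic to these stays local and is never sent into the tunnel.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Outbound NAT: VPN-protected networks leave through the tunnel,
# the clear port leaves through the WAN.
nat on $vpn from { $lan:network, $dev:network } to any -> ($vpn)
nat on $wan from $clear:network to any -> ($wan)

# Default deny, logged, so anything not covered below shows up in the firewall log.
block log all

# Kill switch: the VPN-protected networks may never go out the WAN directly,
# so if the tunnel drops those clients go silent instead of leaking to the ISP.
block out quick on $wan from { $lan:network, $dev:network } to any

# Let the tunnel itself be established (UDP 1194 assumed; use the provider's port).
pass out quick on $wan proto udp from ($wan) to any port 1194 keep state

# Local traffic (DNS to the firewall, printers, the switch) stays on the LAN side.
pass in quick on { $lan, $dev } from { $lan:network, $dev:network } to <private> keep state

# Everything else from the protected networks is policy-routed into the tunnel.
pass in quick on { $lan, $dev } route-to ($vpn $vpn_gw) \
    from { $lan:network, $dev:network } to ! <private> keep state

# The clear port simply goes out the WAN, unencrypted, for streaming and games.
pass in quick on $clear from $clear:network to any keep state

# Allow the already-decided traffic to leave on the tunnel and the WAN.
pass out quick on { $vpn, $wan } keep state
```

pfSense writes its own rules from the GUI (Firewall > Rules, with the VPN gateway selected on the LAN rule), so this is for understanding what those GUI rules amount to, not for pasting into the box.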

A Netgear 8 port managed switch:

————————————-

Want more? Check out how to make a ‘DNS sinkhole’ or ad blocker using AdGuard in the video below.

** In pfSense, under ‘Services’, you can install pfBlockerNG, which is another version of a ‘DNS sinkhole’ or ad blocker that can filter out known ads, spam or any other domain.
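To show what a DNS sinkhole actually does underneath, here is an added example (not from this post or from the pfBlockerNG project) in the configuration syntax of Unbound, the DNS resolver that pfSense runs and that pfBlockerNG feeds its lists into. The domain names are constructed for illustration, not a real blocklist.

```conf
# Unbound resolver fragment (pfSense runs Unbound; pfBlockerNG generates
# entries of this shape from its blocklists). Domains below are constructed.
server:
    # Sinkhole an ad/tracking domain and everything under it: clients get
    # 0.0.0.0 / :: back, so the connection fails at once instead of reaching
    # the ad server. "redirect" also catches every subdomain in one line.
    local-zone: "ads-tracker.example" redirect
    local-data: "ads-tracker.example A 0.0.0.0"
    local-data: "ads-tracker.example AAAA ::"

    # Allow-list one subdomain that a legitimate site needs: a more specific
    # local-zone set to "transparent" is resolved normally again.
    local-zone: "needed.ads-tracker.example" transparent

    # Log the sinkhole hits so you can see which clients were reaching for them.
    log-local-actions: yes
```

Each blocked domain pfBlockerNG adds turns into a pair of lines like the first two; the sinkhole is just the resolver answering from this local data before it ever asks the internet.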

Also check out the Pi-hole.net site for instructions on how to build a cheap network-wide ad blocker using an old computer or a Raspberry Pi.