Building your own Super Router with pfSense and Untangle
Super Router, the foundation
Over the years I have used many different routers, Belkin, Linksys, Netgear, D-Link and others. I have even “hacked” one of them with a different firmware like Tomato, but all of them seemed lacking in some way or another.
The problem really hit home when the kids started using the computer more and we expanded our two computer home to four computers, one for every member of the family. To make matters worse, our house became the “play” house with the kids having friends over nearly everyday. On weekends, the Xbox and the kid’s computer were used nearly non-stop playing games and watching Netflix, Hulu and YouTube and talking with remote friends on Skype. This additional use brought some problems:
- stuttering Xbox FPS games when a computer was using Hulu, Netflix or YouTube,
- kids going to inappropriate websites, and
- kids sucking up to much bandwidth causing VOIP issues.
At the same time, we were switching from DSL to cable internet. So, I had a bright idea, why not run both for a while. With that in mind and looking for something a little better than the $90 routers found on Newegg, I bought a dual WAN Netgear router for about $350. This router allowed me to setup Xbox traffic to be routed through the DSL connection and everything else through the cable connection. This worked great and stopped the stuttering problem with Xbox FPS games.
One problem with this setup: COST! Keeping two internet connections at home just so Call of Duty plays without stuttering was not a long term option. Heck, it wasn’t good short term solution as it still didn’t do much to solve the inappropriate websites. However, after spending $350 on this thing, there was no way I was going to stop using it and it did a fairly good job reducing the FPS stuttering and VOIP issues even after we dropped DSL. Under heavy load, it still had issues from time to time and it had limited web filtering capabilities; but at this point I was going to use it until it died.
Like an auto mechanic who can’t stop working on his car, and which never seems to work 100% either, I was moving some network cables for no memorable reason and touched the router. A HUGE released of static electricity hit me. My first thought was, well lets leave that out. Not only did I kill the router, but also took out two 8 port gigabyte switches. The entire network was down. It took less than a minute before I could hear the footsteps coming running down the stairs, “Dad the internet is down, how long before you have it fixed?” Give me a second to grief here, will yea?! Pulling out an old Tomato hack router and a 16 port 10/100 switch from “storage” got us back online, and bought me some time to consider the next move.
So now what to do. Spend another $350 and get the same router, spend less and load DDWRT or Tomato, spend more and hope it is worth the cost? None of these sounded like good options.
Like many geeks, I had plenty of old PC parts lying around and had searched the internet looking for some unusual ideas for how to use them. One idea I came across many times was using it to run a software based router. This idea never really appealed to me as my first thought was “how safe can a software firewall be run from a PC”, an old one at that?”. Then when my Dual WAN Netgear router died, I decided why not give it a try, what could it hurt? After all, isn’t even a normal router from Newegg or Best Buy just a piece of hardware running some kind of software developed by the manufacture? Also, the hardware these “pre-made” routers run on is pretty weak, even when compared to my old pile of junk PC hardware.
So, the search took me to three main candidates:
There are others, many of which are very good, but I was already feeling overwhelmed and wanted to keep the list small. After giving each a brief try, actually just the install process, I decided on pfSense. To me it seemed like the best firewall/router solution of the three. However, I do love Untangle and in a future post, I will cover adding it to pfSense to complete the Super Router build. For this post, let’s just cover the install process for pfSense.
pfSense Hardware considerations
pfSense can run on some really low powered hardware. As you can see below, the minimum requirements are crazy low for PC standards.
While these minimum specs are fine for testing, for long term use you need to give it a bit more thought. Since you will most likely want to run some additional packages, and pfSense has some nice ones, you will want something a little stronger. An Atom processor might sound perfect for this build, but that comes with some trade-offs as well. If you plan to run a processor demanding package such as SNORT (IDS/IPS protection), your Atom chip may struggle under a fast connection and heavy load. Also, as we will cover in a future post, if you plan to go virtual with the Super Router build (which I HIGHLY suggest), you will need the appropriate hardware.
In addition to the minimum hardware mentioned above, you will need two network connections for this test system, one to your internet modem and the other to your network switch or hub. You will also need a CD drive to load the software or run it from the LIVE CD and a small hard drive (20gig should be fine) if you want a more permanent install which I highly recommend. My initial build used some old Netgear 10/100 network cards which worked fine. Again, if you plan to eventually go virtual, that build will need a minimum of 3 network cards (3rd one for management of the virtual server) and a larger hard drive. You should also consider going with better network cards, like the Intel 10/100/1000 cards.
The first thing you need to do is download the software from www.pfsense.org (go with the pfSense-1.2.3-RELEASE-LiveCD-Installer version) and burn it to a CD. You can run the software straight from the CD or use it to install to a hard drive. The downloaded file will contain the ISO image inside of a .gz compressed file, so use your favorite program to pull this out (try 7-Zip if you don’t have something already). There is a new version coming which will have a number of very nice updates and additions. This new version was just released as a Release Candidate and is considered fairly stable. As with all pre-release, consider carefully if you want to run this in a production environment.
Now that you have downloaded and burned the ISO to a CD, we are ready for booting up the system. Make sure the BIOS is set to boot from the CD and you should see the screen below once the software is loaded. Chose option #1 to get the install process started. At this point, all we are doing is installing into ram. An option to install to the hard drive will come later.
Two things to note on this screen. First the system should have found your to network interfaces. Second, chose “n” to indicate you don’t want to set up a VLAN. pfSense is capable of running a VLAN, but that is not a topic of this post.
OK, here is where we assign our interfaces. First is to the LAN side. If your network interfaces are already plugged into your switch and modem, you can try the auto-detection. If this doesn’t work or you haven’t made the connections yet, you will need to assign either re0 or re1 to the LAN and then the other to the WAN. While it is helpful if you get these correct, it’s not the end of the world if you get it wrong.
In the screen below, you can see what happened when I tried the auto-detect without having them connected to anything. Note the “No link-up detected” message. No problem, just manually assign the interfaces. I assigned re0 to the LAN and re1 to the WAN.
While this article is not going to cover this in detail, you will notice after assigning a LAN and WAN interface, you are asked if you want to assign an Optional 1 interface. What’s happening here is that you are not limited to just the LAN and WAN interfaces. I have used the Optional 1 interface to create a unsecured guest wireless connection in the past.
After assigning the interfaces, you are now actually up and running. The system auto assigned 192.168.1.1 to the router (ie, LAN) and the WAN side will get an address from your ISP or you can assign it if you don’t have a DHCP connection to your ISP.
Ok, now let’s install the OS to the hard drive. Chose option #99. You will see a few install screens after this, just chose the default option each time.
When you get to this screen, chose the Quick/Easy Install option. You will then be asked if your are sure and that the process will erase all data on the hard drive.
Here you need to chose what type of processor you plan to use. Single core or multi core. After you chose this option, the system will reboot and you will come back to the menu screen shown couple of images above.
Time to long into the router from your web browser and complete the install. From now on, almost all of the admin will be performed from a browser. In your browser, type 192.168.1.1 into the address bar and you should be presented a logon screen. The initial user name is “admin” and the initial password is “pfsense”. After entering those credentials, you should see the screen show below.
The next screen you will be presented with is where you name your router and provide some other details. After you name your router, you can skip the rest of the data for now if you don’t know your DNS server address.
Chose your timezone and a time server.
Now we get to set up our WAN connection (connection to our ISP). Many of these settings are specific to your ISP connection.
LAN setup is even easier. Unless you have some special needs, no changes are needed on this screen.
Now setup the password you will use for future web admin logins.
After you re-log into the server, you will be presented with the System Overview screen. If you set everything up correctly, the router should have made the connection to your ISP.
You are done with the basic setup. But before we end Part 1 of this post, lets check two things:
Go to the Status menu and chose Interfaces. Check and make sure the router got an address from your ISP, if it uses DHCP and that the Status is UP.
Next go to the Services menu and chose DHCP server. If you want the router to issue IP addresses to your local network, you will need to set that up here.
That’s it, you should be up and running with a basic install of pfSense. This will be the foundation of our Super router. In a future post, we will continue the pfSense build with some additional setup options and finalize the Super router build by adding Untangle into the mix. Combining these two products into one incredibly powerful router, aka SUPER ROUTER!
- So you first thought may be, “why even bother with this, isn’t my Linksys router good enough?”.
- That Linksys router may be good enough for you and this project isn’t for everyone. There are also some downsides to building your own router (can be more complicated, may use more electricity and you may be perfectly happy with your current router), but if you already have some old hardware lying around, why not give it a try? Once you do and see all the options available and then take a look at a few logs to see what the system is blocking, you will be amazed.
- Another reason I love running a software router, is virus protection at the router level. While every computer in the house has virus protection, having it at the router adds another layer of protection.
- I also love all the real-time reporting. I can see what computer or device is using what amount of bandwidth at any given moment.
- Why did you chose pfSense as the router and Untangle as the UTM? Why not just use one of these two?
- Either of these software routers would be an excellent choice and if you already have a good router you are happy with, you may want to try Untangle in bridge mode as a first step. We will go over this in more detail in a future post, but briefly this means the Untangle system will sit between your current router and the rest of your network. This will allow you to continue to use your current setup, but add Untangle’s excellent filtering capabilities. Since my router had died, I needed a new one. Personally, I liked pfSenese’s real time reporting, Traffic Shaping, UPNP feature and free “app store” (referred to as Packages in pfSense) better than Untangle. However, as mentioned before, I love Untangle’s filtering abilities and therefore I chose to use both.
- How long will it take to get this up and running?
- The actual install process is really quick. After doing it several times now, I can have pfSense installed and running in just under 15 minutes. This doesn’t count the building of the hardware, downloading of the software and burning it to CD. Plus once you have the system up and running, you will most likely want to look around at all the options and make some changes to your liking and/or needs.
- Why do you call this a Super Router?
- That’s just my term, you can all it what ever you like. To me, this setup seems SUPER compared to any other router I have ever owned. Plus, by using both pfSense and Untangle, I feel I am getting the best of both products. Now once you take this setup virtual (ie, on a virtual server), all that “Super” power is now in one box and your setup options really expand.
- With all this filtering going on, isn’t my internet connection going to be slower?
- This is a hard one to answer as there are so many factors. Some have seen a drop in speed when all available filters are running. My own recent testing has been inconclusive. The results indicated I was FASTER with everything turned on, which doesn’t seem right and requires further testing. pfSense by itself and not running process intensive packages like Snort, should provide just as much speed, if not more, as your current router. However, your actual results will be impacted by the hardware you use for the router.