Building your own Super Router with pfSense and Untangle

• March 7, 2011

Super Router, the foundation

INTRODUCTION

Over the years I have used many different routers, Belkin, Linksys, Netgear, D-Link and others. I have even “hacked” one of them with a different firmware like Tomato, but all of them seemed lacking in some way or another.

The problem really hit home when the kids started using the computer more and we expanded our two computer home to four computers, one for every member of the family. To make matters worse, our house became the “play” house with the kids having friends over nearly everyday. On weekends, the Xbox and the kid’s computer were used nearly non-stop playing games and watching Netflix, Hulu and YouTube and talking with remote friends on Skype. This additional use brought some problems:

  • stuttering Xbox FPS games when a computer was using Hulu, Netflix or YouTube,
  • kids going to inappropriate websites, and
  • kids sucking up to much bandwidth causing VOIP issues.

At the same time, we were switching from DSL to cable internet.  So, I had a bright idea, why not run both for a while.  With that in mind and looking for something a little better than the $90 routers found on Newegg,  I bought a dual WAN Netgear router for about  $350.   This router allowed me to setup Xbox traffic to be routed through the DSL connection and everything else through the cable connection. This worked great and stopped the stuttering problem with Xbox FPS games.

One problem with this setup: COST! Keeping two internet connections at home just so Call of Duty plays without stuttering was not a long term option. Heck, it wasn’t good short term solution as it still didn’t do much to solve the inappropriate websites.  However, after spending $350 on this thing, there was no way I was going to stop using it and it did a fairly good job reducing the FPS stuttering and VOIP issues even after we dropped DSL.  Under heavy load, it still had issues from time to time and it had limited web filtering capabilities; but at this point I was going to use it until it died.

Like an auto mechanic who can’t stop working on his car, and which never seems to work 100% either, I was moving some network cables for no memorable reason and touched the router. A HUGE released of static electricity hit me.  My first thought was, well lets leave that out.  Not only did I kill the router, but also took out two 8 port gigabyte switches.  The entire network was down.  It took less than a minute before I could hear the footsteps coming running down the stairs, “Dad the internet is down, how long before you have it fixed?” Give me a second to grief here, will yea?!  Pulling out an old Tomato hack router and a 16 port 10/100 switch from “storage” got us back online, and bought me some time to consider the next move.

So now what to do. Spend another $350 and get the same router, spend less and load DDWRT or Tomato, spend more and hope it is worth the cost? None of these sounded like good options.

DECISION TIME

Like many geeks, I had plenty of old PC parts lying around and had searched the internet looking for some unusual ideas for how to use them.  One idea I came across many times was using it to run a software based router.  This idea never really appealed to me as my first thought was “how safe can a software firewall be run from a PC”, an old one at that?”.  Then when my Dual WAN Netgear router died, I decided why not give it a try, what could it hurt?  After all, isn’t even a normal router from Newegg or Best Buy just a piece of hardware running some kind of software developed by the manufacture?  Also, the hardware these “pre-made” routers run on is pretty weak, even when compared to my old pile of junk PC hardware.

So, the search took me to three main candidates:

pfsense-logo

There are others, many of which are very good, but I was already feeling overwhelmed and wanted to keep the list small.  After giving each a brief try, actually just the install process, I decided on pfSense.  To me it seemed like the best firewall/router solution of the three.  However, I do love Untangle and in a future post, I will cover adding it to pfSense to complete the Super Router build.  For this post, let’s just cover the install process for pfSense.

pfSense Hardware considerations

pfSense can run on some really low powered hardware.  As you can see below, the minimum requirements are crazy low for PC standards.

pfsense-minimum-specs

While these minimum specs are fine for testing, for long term use you need to give it a bit more thought.  Since you will most likely want to run some additional packages, and pfSense has some nice ones, you will want something a little stronger. An Atom processor might sound perfect for this build, but that comes with some trade-offs as well. If you plan to run a processor demanding package such as SNORT (IDS/IPS protection), your Atom chip may struggle under a fast connection and heavy load.  Also, as we will cover in a future post, if you plan to go virtual with the Super Router build (which I HIGHLY suggest), you will need the appropriate hardware.

In addition to the minimum hardware mentioned above, you will need two network connections for this test system, one to your internet modem and the other to your network switch or hub.  You will also need a CD drive to load the software or run it from the LIVE CD and a small hard drive (20gig should be fine) if you want a more permanent install which I highly recommend.  My initial build used some old Netgear 10/100 network cards which worked fine.  Again, if you plan to eventually go virtual, that build will need a minimum of 3 network cards (3rd one for management of the virtual server) and a larger hard drive.   You should also consider going with better network cards, like the Intel 10/100/1000 cards.

INSTALLATION

The first thing you need to do is download the software from www.pfsense.org (go with the pfSense-1.2.3-RELEASE-LiveCD-Installer version) and burn it to a CD. You can run the software straight from the CD or use it to install to a hard drive. The downloaded file will contain the ISO image inside of a .gz compressed file, so use your favorite program to pull this out (try 7-Zip if you don’t have something already).  There is a new version coming which will have a number of very nice updates and additions.  This new version was just released as a Release Candidate and is considered fairly stable.  As with all pre-release, consider carefully if you want to run this in a production environment.

1-directory of file downloads

Now that you have downloaded and burned the ISO to a CD, we are ready for booting up the system. Make sure the BIOS is set to boot from the CD and you should see the screen below once the software is loaded.  Chose option #1 to get the install process started. At this point, all we are doing is installing into ram. An option to install to the hard drive will come later.

2-pfsense-boot-screen

Two things to note on this screen. First the system should have found your to network interfaces. Second, chose “n” to indicate you don’t want to set up a VLAN. pfSense is capable of running a VLAN, but that is not a topic of this post.

3-prsense-vlan-initial-setup

OK, here is where we assign our interfaces. First is to the LAN side. If your network interfaces are already plugged into your switch and modem, you can try the auto-detection. If this doesn’t work or you haven’t made the connections yet, you will need to assign either re0 or re1 to the LAN and then the other to the WAN. While it is helpful if you get these correct, it’s not the end of the world if you get it wrong.

4-pfsense-network-interface-setup

In the screen below, you can see what happened when I tried the auto-detect without having them connected to anything. Note the “No link-up detected” message. No problem, just manually assign the interfaces. I assigned re0 to the LAN and re1 to the WAN.

7-pfsense-network-interface-LAN-WAN-manual-name

While this article is not going to cover this in detail, you will notice after assigning a LAN and WAN interface, you are asked if you want to assign an Optional 1 interface. What’s happening here is that you are not limited to just the LAN and WAN interfaces. I have used the Optional 1 interface to create a unsecured guest wireless connection in the past.

8-pfsense-network-interface-optional

After assigning the interfaces, you are now actually up and running. The system auto assigned 192.168.1.1 to the router (ie, LAN) and the WAN side will get an address from your ISP or you can assign it if you don’t have a DHCP connection to your ISP.

Ok, now let’s install the OS to the hard drive. Chose option #99. You will see a few install screens after this, just chose the default option each time.

10-pfsense-running-2

When you get to this screen, chose the Quick/Easy Install option. You will then be asked if your are sure and that the process will erase all data on the hard drive.

13-pfsense-quick-install

Here you need to chose what type of processor you plan to use. Single core or multi core. After you chose this option, the system will reboot and you will come back to the menu screen shown couple of images above.

16-pfsense-processor

Time to long into the router from your web browser and complete the install. From now on, almost all of the admin will be performed from a browser. In your browser, type 192.168.1.1 into the address bar and you should be presented a logon screen.  The initial user name is “admin” and the initial password is “pfsense”.  After entering those credentials, you should see the screen show below.

19-pfsense-initial-web

The next screen you will be presented with is where you name your router and provide some other details. After you name your router, you can skip the rest of the data for now if you don’t know your DNS server address.

20-pfsense-general-parameters

Chose your timezone and a time server.

21-pfsense-time

Now we get to set up our WAN connection (connection to our ISP). Many of these settings are specific to your ISP connection.

22-pfsense-wan-setup

LAN setup is even easier. Unless you have some special needs, no changes are needed on this screen.

23-pfsense-lan-setup-2

Now setup the password you will use for future web admin logins.

24-pfsense-password-setup

After you re-log into the server, you will be presented with the System Overview screen. If you set everything up correctly, the router should have made the connection to your ISP.

28-pfsense-system-overview

You are done with the basic setup. But before we end Part 1 of this post, lets check two things:

Go to the Status menu and chose Interfaces. Check and make sure the router got an address from your ISP, if it uses DHCP and that the Status is UP.

pfsense-interfaces-2

Next go to the Services menu and chose DHCP server. If you want the router to issue IP addresses to your local network, you will need to set that up here.

pfsense-DHCP-setup

That’s it, you should be up and running with a basic install of pfSense. This will be the foundation of our Super router. In a future post, we will continue the pfSense build with some additional setup options and finalize the Super router build  by adding  Untangle into the mix. Combining these two products into one incredibly powerful router, aka SUPER ROUTER!

BRIEF Q&A

  • So you first thought may be, “why even bother with this, isn’t my Linksys router good enough?”.
    • That Linksys router may be good enough for you and this project isn’t for everyone.  There are also some downsides to building your own router (can be more complicated, may use more electricity and you may be perfectly happy with your current router), but if you already have some old hardware lying around, why not give it a try?  Once you do and see all the options available and then take a look at a few logs to see what the system is blocking, you will be amazed.
    • Another reason I love running a software router, is virus protection at the router level.  While every computer in the house has virus protection, having it at the router adds another layer of protection.
    • I also love all the real-time reporting.  I can see what computer or device is using what amount of bandwidth at any given moment.
  • Why did you chose pfSense as the router and Untangle as the UTM? Why not just use one of these two?
    • Either of these software routers would be an excellent choice and if you already have a good router you are happy with, you may want to try Untangle in bridge mode as a first step.  We will go over this in more detail in a future post, but briefly this means the Untangle system will sit between your current router and the rest of your network.  This will allow you to continue to use your current setup, but add Untangle’s excellent filtering capabilities.  Since my router had died, I needed a new one.  Personally, I liked pfSenese’s real time reporting, Traffic Shaping, UPNP feature and free “app store” (referred to as Packages in pfSense) better than Untangle.  However, as mentioned before, I love Untangle’s filtering abilities and therefore I chose to use both.
  • How long will it take  to get this up and running?
    • The actual install process is really quick.  After doing it several times now, I can have pfSense installed and running in just under 15 minutes.  This doesn’t count the building of the hardware, downloading of the software and burning it to CD.  Plus once you have the system up and running, you will most likely want to look around at all the options and make some changes to your liking and/or needs.
  • Why do you call this a Super Router?
    • That’s just my term, you can all it what ever you like.  To me, this setup seems SUPER compared to any other router I have ever owned.  Plus, by using both pfSense and Untangle, I feel I am getting the best of both products.  Now once you take this setup virtual (ie, on a virtual server), all that “Super” power is now in one box and your setup options really expand.
  • With all this filtering going on, isn’t my internet connection going to be slower?
    • This is a hard one to answer as there are so many factors.  Some have seen a drop in speed when all available filters are running.  My own recent testing has been inconclusive.  The results indicated I was FASTER with everything turned on, which doesn’t seem right and requires further testing.  pfSense by itself and not running process intensive packages like Snort, should provide just as much speed, if not more, as your current router.  However, your actual results will be impacted by the hardware you use for the router.

Share

Tags: , , , ,

Category: Review

Comments (36)

Trackback URL | Comments RSS Feed

  1. James Walker says:

    I have also setup my own software router. I tried Untangle and like it but it ran very slow on the hardware platform I used but like you I want virus and span filtering at the router/firewall level. After trying smoothwall and Astaro. I decided to stick with Astaro. It give me the daily. weekly and month usage reports, virus and span filtering, and web content filtering . It runs very well on the hardware platform that untangle ran slow on— and it is free for home use.

  2. MattD390 says:

    They can be called the wrecking crew :).

  3. bengwade says:

    Nice write-up. I'm jumping on this in the next couple months. What are you using for your modem? A single user modem from your cable provider or one of those 4-user-router/wifi deals?

  4. geek_accountant says:

    I am using a Motorola SB6120 that I purchased from Amazon, I think.

  5. James Walker says:

    When you get the Astaro setup and I am assuing ruuning as a UTM and not the primary router. I would be interested in how you set it up. What rules you put in place and how you defined and retined your network traffic profiles.

    • geek_accountant says:

      Yes, that is one way I will test it, as a replacement for Untangle. Since I have all this on a Xenserver, I will most likely run it as a standalone solution for a while and then as a UTM behind pfSense. However, it may be a while since there are a few other projects I want to complete first, like the next article.

      • James Walker says:

        10-4 – : )

        • James Walker says:

          I was looking at smallnetbuilder.com and one of the authors is using pFsense as a UTM and failover setup. He has some interesting comments about some of the strenghts and weakness in his view of PfSense.

          • I'm running something very close to this at my home with the exception that it is all running under VMware. My setup takes the Cable Modem(CM) to ASTARO (UTM) to pfSense2.0(ROUTER) to Cisco 2970 gigabit switch via a trunk port. Having used both Untangle and Astaro in this setup – once you get use to Astaro you won't want to go back – just give a fair shake :)

  6. axiom00 says:

    @geek_accountant: when do you think you'll have part 2 ready? really interested in your setup. Thanks!

  7. Muligan says:

    Great combination of products. I've been using both as a 'Super Router' solution for years now, and I've yet to find a better solution!!!

  8. Mike says:

    Pfsense offers antivirus, IDS, and spam filter

  9. fred jones says:

    Clearos 5.1 does everything untangle does for free and more, after lots of testing with astaro untangle and clearos Clearos is the best, astaro is really nice , but slow and full of bugs, untangle are a basically trying to milk every dollar they can and their qos is shit.

  10. igmac says:

    And Clearos milks it just the same.. I fail to see the difference?

  11. Ryan says:

    Hey did you ever write the follow-up to this thread?
    Combining this with Untangle?

  12. nicotine says:

    Yes I am keen to see your follow up on to adding Untangle to the VM as I am in the process of trying this out. I know how to setup untangle on it own as I have used it before but not quite sure how to link it with the Pfsense in a VM environment.

  13. Brian says:

    I've been running a version of this setup at home for almost a year… Bought a used Dell 1u rackmount server on ebay, installed ESXi 3.5, added Smoothwall. I WILL NEVER go back!

  14. Durian says:

    Great article. Just curious is it possible to integrate pfsense vm + untangle vm (bridge mode) into 1 physical hardware, using just 2 NIC (1 for WAN + 1 for LAN) ?

  15. @jpeg2raw says:

    I actually had it setup the way for a long time Durian. The VM software was Xenserver and it ran great. Until my internet speeds were increased to 60 down. At that point, I started having issues and it turned out to the the virtual NIC's in Xenserver. This may not be an issue with something like ESXi, but instead of going that route, I now have pfSense and Untangle on separate machines. However, I LOVED having them as a VM. Turning them on and off with ease. Loading another version. VM's were so nice! At some point, I may go the VM route again and try ESXi in a beefed up machine.

  16. Moxyspirit says:

    I have the same pile of junk (routers). I fought with my cable connection for some 5 plus years. Plugging directly into the cable modem or rebooting the router "always" fixed the degraded speed. I have 30 years in the computer industry and have never heard anything about BSD (openbsd, FreeBSD, freenas, pfsense, dragonfly, pcbsd, etc.). I started down the Linux path, but to much to choose from and never quite sure of support.

    So here I am loving my pfsense. I want the world to know, screaming from the mountain tops. I BUILT MY OWN "SUPER ROUTER".

    In a previous life, I was a safe cracker. My fastest time in was 2.5 minutes…..and I can install pfsense that quickly.

    Best regards,

    moxie – the abliity to face difficulty with spirit.

  17. geekylinux says:

    Something that I don't understand here. If I already have adsl2+ modem, how do i cofigure pfsense since in the WAN setting pfsense need the ISP configuration info.

  18. JHPArizona says:

    @geekylinux – You would use DHCP with the WAN connected to DSL Modem LAN connection. You would need to put a switch (or hub) on the LAN side of the pFsense box. You might want to turn off all filtering on the DSL modem or have pre-filtering down on the modem and final filtering done on the pFsense box. You will also need to have the DHCP server setup on pFsense or some other IP Addressings solution for clients. Normally DSL modems provide Internet / router functions including DHCP server.

  19. marcnz says:

    This is very interesting.
    I just got 8 static IPs from my ISP to run my web/mail/ftp/mysql servers from my SOHO. I am confused how to get these public IPs from the ISP modem/wireless/router to a pfsense VM and then from the pfsense VM to the LAN where all my other machines can connect: servers with their now static IPs and other computers in the LAN, wired and/or wireless? I have a second modem/wireless/router as well to use if needed.
    Am I better off using an older Dell Dimension with 2 nics as the firewall, giving it one of the public static IPs received? Once I use the Public Static IPs from the block received, I lose the original static IP that came with the first setup. Out of the 8 IPs, I can only use 5 of them. The first is for the Network ID, the second for the Modem Subnet and the last one for the Broadcast. I understood the second is used for the router's LAN. But how can I have a DHCP served from one Public IP address?
    Networking is definitely not my forte! LOL
    Any suggestion?

    • Brutaltruth says:

      You need to put the DSL (or cable) modem in transparent bridge mode. This passes the external IP addresses through to the PfSense router. If they are static, set the WAN port of the PfSense to static, otherwise set DHCP and use Dynamic DNS. Works a treat.

  20. David says:

    I installed plenty of pfsense in physical boxes and in virtual environments but I never tried to combine it with Untangle, I actually don't know Untagle at all. I would really love to read about how you did the implementation. Is there any second part of this article anywhere?

  21. Christy says:

    PFsense is seem to me a great solution for your home internet performance issues. Youtube, Netflix and Hulu these type sources always hunts quite a lot internet speeds and spaces as well. I think currently the way you have chosen for vast internet service is effective. Thanks.

  22. complex says:

    how to configure separate browsing to online games in pfsense?

  23. Andy says:

    I wish to set up a router as per the advise here but I don't want to pay the fees for AV on untangle, is it still worth using untangle without the AV addon? Could i use sophus instead of untangle and if so do I bother with pfsense?

  24. Michael says:

    I have a Verizon FIOS 50/25MBs connection with a FIOS Gigabit router. I would like to continue to use the FIOS router so I don't void my support with them plus I have a MOCA connection for my FIOS TV set top boxes. I would like to setup a Web filter on a new Dell Core I7 laptop that I have because by son know how to bypass the OPEN DNS filter I currently have set on my router. Is this possible? Can I place the web filter behind my router? If so how is this physcally connected? Do I run untangle only? Thank you!

  25. xklonez says:

    Hi,
    Thanks for this post. I just want to know two things.
    [1] Do I need to add the other NIC at the esxi network configuration option as a fail-over for management port?
    [2] How do I assign an IP address to untangle in bridge mode?
    thank you!

×

Shop and help out Home Server Show. Drag this box to your BookMarks Bar. Amazon