RESET Forums (homeservershow.com)

    Building your own Super Router with pfSense and Untangle


    Dave

     

     

    Super Router, the foundation

     

     

    INTRODUCTION

     

    Over the years I have used many different routers, Belkin, Linksys, Netgear, D-Link and others. I have even “hacked” one of them with a different firmware like Tomato, but all of them seemed lacking in some way or another.

     

    The problem really hit home when the kids started using the computer more and we expanded our two-computer home to four computers, one for every member of the family. To make matters worse, our house became the “play” house, with the kids having friends over nearly every day. On weekends, the Xbox and the kids’ computer were used nearly non-stop playing games, watching Netflix, Hulu and YouTube, and talking with remote friends on Skype. This additional use brought some problems:

    • stuttering Xbox FPS games when a computer was using Hulu, Netflix or YouTube,
    • kids going to inappropriate websites, and
    • kids sucking up too much bandwidth, causing VoIP issues.

    At the same time, we were switching from DSL to cable internet. So, I had a bright idea: why not run both for a while? With that in mind, and looking for something a little better than the $90 routers found on Newegg, I bought a dual WAN Netgear router for about $350. This router allowed me to set up Xbox traffic to be routed through the DSL connection and everything else through the cable connection. This worked great and stopped the stuttering problem with Xbox FPS games.

     

    One problem with this setup: COST! Keeping two internet connections at home just so Call of Duty plays without stuttering was not a long-term option. Heck, it wasn’t a good short-term solution either, as it still didn’t do much about the inappropriate websites. However, after spending $350 on this thing, there was no way I was going to stop using it, and it did a fairly good job reducing the FPS stuttering and VoIP issues even after we dropped DSL. Under heavy load it still had issues from time to time, and it had limited web filtering capabilities; but at this point I was going to use it until it died.

     

    Like an auto mechanic who can’t stop working on his car, which never seems to work 100% either, I was moving some network cables for no memorable reason and touched the router. A HUGE release of static electricity jumped from me into it. My first thought was, well, let’s leave that out. Not only did I kill the router, but I also took out two 8-port gigabit switches. The entire network was down. It took less than a minute before I could hear the footsteps coming running down the stairs: “Dad, the internet is down, how long before you have it fixed?” Give me a second to grieve here, will ya?! Pulling an old Tomato-flashed router and a 16-port 10/100 switch out of “storage” got us back online and bought me some time to consider the next move.

     

    So now what to do? Spend another $350 and get the same router, spend less and load DD-WRT or Tomato, or spend more and hope it is worth the cost? None of these sounded like good options.

     

     

    DECISION TIME

     

    Like many geeks, I had plenty of old PC parts lying around and had searched the internet looking for some unusual ideas for how to use them. One idea I came across many times was using them to run a software-based router. This idea never really appealed to me, as my first thought was “how safe can a software firewall be when run from a PC, an old one at that?” Then, when my dual WAN Netgear router died, I decided why not give it a try, what could it hurt? After all, isn’t even a normal router from Newegg or Best Buy just a piece of hardware running some kind of software developed by the manufacturer? Also, the hardware these “pre-made” routers run on is pretty weak, even when compared to my old pile of junk PC hardware.

     

    So, the search took me to three main candidates:

    pfsense-logo

     

    There are others, many of which are very good, but I was already feeling overwhelmed and wanted to keep the list small. After giving each a brief try (actually just the install process), I decided on pfSense. To me it seemed like the best firewall/router solution of the three. However, I do love Untangle, and in a future post I will cover adding it to pfSense to complete the Super Router build. For this post, let’s just cover the install process for pfSense.

     

    pfSense Hardware considerations

     

    pfSense can run on some really low-powered hardware. As you can see below, the minimum requirements are crazy low by PC standards.

     

    pfsense-minimum-specs

     

    While these minimum specs are fine for testing, for long-term use you need to give it a bit more thought. Since you will most likely want to run some additional packages, and pfSense has some nice ones, you will want something a little stronger. An Atom processor might sound perfect for this build, but that comes with some trade-offs as well. If you plan to run a processor-demanding package such as Snort (IDS/IPS protection), your Atom chip may struggle under a fast connection and heavy load. Also, as we will cover in a future post, if you plan to go virtual with the Super Router build (which I HIGHLY suggest), you will need the appropriate hardware.

     

    In addition to the minimum hardware mentioned above, you will need two network connections for this test system: one to your internet modem and the other to your network switch or hub. You will also need a CD drive to load the software or run it from the Live CD, and a small hard drive (20 GB should be fine) if you want a more permanent install, which I highly recommend. My initial build used some old Netgear 10/100 network cards, which worked fine. Again, if you plan to eventually go virtual, that build will need a minimum of 3 network cards (the 3rd one for management of the virtual server) and a larger hard drive. You should also consider going with better network cards, like the Intel 10/100/1000 cards.

     

     

    INSTALLATION

     

    The first thing you need to do is download the software from www.pfsense.org (go with the pfSense-1.2.3-RELEASE-LiveCD-Installer version) and burn it to a CD. You can run the software straight from the CD or use it to install to a hard drive. The downloaded file contains the ISO image inside a .gz compressed file, so use your favorite program to extract it (try 7-Zip if you don’t have something already). There is a new version coming which will have a number of very nice updates and additions. This new version was just released as a Release Candidate and is considered fairly stable. As with all pre-release software, consider carefully whether you want to run it in a production environment.

     

    1-directory of file downloads

     

    Now that you have downloaded and burned the ISO to a CD, we are ready to boot up the system. Make sure the BIOS is set to boot from the CD and you should see the screen below once the software is loaded. Choose option #1 to get the install process started. At this point, all we are doing is loading into RAM. An option to install to the hard drive will come later.

     

    2-pfsense-boot-screen

     

    Two things to note on this screen. First, the system should have found your two network interfaces. Second, choose “n” to indicate you don’t want to set up a VLAN. pfSense is capable of running VLANs, but that is not a topic of this post.

     

    3-prsense-vlan-initial-setup

     

    OK, here is where we assign our interfaces. First up is the LAN side. If your network interfaces are already plugged into your switch and modem, you can try the auto-detection. If this doesn’t work or you haven’t made the connections yet, you will need to assign either re0 or re1 to the LAN and then the other to the WAN. While it is helpful if you get these correct, it’s not the end of the world if you get it wrong.

     

    4-pfsense-network-interface-setup

     

    In the screen below, you can see what happened when I tried the auto-detect without having the interfaces connected to anything. Note the “No link-up detected” message. No problem, just manually assign the interfaces. I assigned re0 to the LAN and re1 to the WAN.

     

    7-pfsense-network-interface-LAN-WAN-manual-name

     

    While this article is not going to cover it in detail, you will notice that after assigning a LAN and WAN interface you are asked if you want to assign an Optional 1 interface. What’s happening here is that you are not limited to just the LAN and WAN interfaces. I have used the Optional 1 interface to create an unsecured guest wireless connection in the past.

     

    8-pfsense-network-interface-optional

     

    After assigning the interfaces, you are now actually up and running. The system auto-assigned 192.168.1.1 to the router (i.e., the LAN address), and the WAN side will get an address from your ISP, or you can assign it yourself if you don’t have a DHCP connection to your ISP.

     

    Ok, now let’s install the OS to the hard drive. Choose option #99. You will see a few install screens after this; just choose the default option each time.

     

    10-pfsense-running-2

     

    When you get to this screen, choose the Quick/Easy Install option. You will then be asked if you are sure, and warned that the process will erase all data on the hard drive.

     

    13-pfsense-quick-install

     

    Here you need to choose what type of processor you plan to use: single core or multi core. After you choose this option, the system will reboot and you will come back to the menu screen shown a couple of images above.

     

    16-pfsense-processor

     

    Time to log into the router from your web browser and complete the install. From now on, almost all of the admin will be performed from a browser. In your browser, type 192.168.1.1 into the address bar and you should be presented with a logon screen. The initial user name is “admin” and the initial password is “pfsense”. After entering those credentials, you should see the screen shown below.

     

    19-pfsense-initial-web

     

    The next screen you will be presented with is where you name your router and provide some other details. After you name your router, you can skip the rest of the data for now if you don’t know your DNS server address.

     

    20-pfsense-general-parameters

     

    Choose your timezone and a time server.

     

    21-pfsense-time

     

    Now we get to set up our WAN connection (connection to our ISP). Many of these settings are specific to your ISP connection.

     

    22-pfsense-wan-setup

     

    LAN setup is even easier. Unless you have some special needs, no changes are needed on this screen.

     

    23-pfsense-lan-setup-2

     

    Now set up the password you will use for future web admin logins.

     

    24-pfsense-password-setup

     

    After you log back into the server, you will be presented with the System Overview screen. If you set everything up correctly, the router should have made the connection to your ISP.

     

    28-pfsense-system-overview

     

    You are done with the basic setup. But before we end Part 1 of this post, let’s check two things:

     

    Go to the Status menu and choose Interfaces. Check and make sure the router got an address from your ISP (if it uses DHCP) and that the Status is UP.

     

    pfsense-interfaces-2

     

    Next, go to the Services menu and choose DHCP server. If you want the router to issue IP addresses to your local network, you will need to set that up here.

     

    pfsense-DHCP-setup
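The two checks above (WAN interface up and addressed, DHCP server configured on the LAN) plus the LAN/WAN interface assignment can also be verified offline against a pfSense configuration backup. The script below is an added example for this post, not code from the article or from the pfSense project; the config.xml element layout it reads (interfaces/wan, interfaces/lan, dhcpd/lan, system/webgui) is my recollection of pfSense's backup format, and the sample document is constructed for the example.

```python
"""Post-install sanity checks for a pfSense config.xml backup.

Added example for this post, not code from the article or from pfSense.
The element paths below follow pfSense's backup format as I recall it
(assumption); the sample document is constructed, not captured from a
real router.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: re0 as LAN on 192.168.1.1/24, re1 as WAN on DHCP,
# DHCP server enabled on LAN, and the web GUI still on plain HTTP.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>superrouter</hostname>
    <webgui><protocol>http</protocol></webgui>
  </system>
  <interfaces>
    <wan><if>re1</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>re0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <dhcpd>
    <lan>
      <enable/>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
    </lan>
  </dhcpd>
</pfsense>
"""


def _is_ip(value):
    """True when value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value or "")
        return True
    except ValueError:
        return False


def audit_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # The install prompts for two NICs: both must be assigned and distinct.
    wan_if = root.findtext("interfaces/wan/if")
    lan_if = root.findtext("interfaces/lan/if")
    if not wan_if or not lan_if:
        findings.append("WAN or LAN has no physical interface assigned")
    elif wan_if == lan_if:
        findings.append(f"WAN and LAN both assigned to {wan_if}")
    wan_mode = root.findtext("interfaces/wan/ipaddr")
    if wan_mode not in ("dhcp", "pppoe") and not _is_ip(wan_mode):
        findings.append("WAN address mode is neither DHCP, PPPoE nor static")

    # LAN must be static; the DHCP pool must sit inside the LAN subnet
    # and must not hand out the router's own address.
    lan_ip = root.findtext("interfaces/lan/ipaddr")
    lan_bits = root.findtext("interfaces/lan/subnet")
    lan_net = None
    if not _is_ip(lan_ip) or not lan_bits:
        findings.append("LAN interface has no static address/subnet")
    else:
        lan_net = ipaddress.ip_network(f"{lan_ip}/{lan_bits}", strict=False)
    dhcp = root.find("dhcpd/lan")
    if dhcp is None or dhcp.find("enable") is None:
        findings.append("DHCP server on LAN is not enabled")
    elif lan_net is not None:
        lo, hi = dhcp.findtext("range/from"), dhcp.findtext("range/to")
        if not (_is_ip(lo) and _is_ip(hi)):
            findings.append("DHCP range on LAN is incomplete")
        else:
            lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if lo_a not in lan_net or hi_a not in lan_net or lo_a > hi_a:
                findings.append(f"DHCP range {lo}-{hi} is outside {lan_net}")
            if lo_a <= ipaddress.ip_address(lan_ip) <= hi_a:
                findings.append("DHCP range includes the router's own address")

    # The admin login page carries the password; keep it off plain HTTP.
    if root.findtext("system/webgui/protocol", "http") != "https":
        findings.append("web GUI is served over HTTP; switch it to HTTPS")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print("-", line)
```

Run it against a real backup by passing the file contents to audit_config(); on the constructed sample it reports only the plain-HTTP web GUI.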

     

    That’s it, you should be up and running with a basic install of pfSense. This will be the foundation of our Super Router. In a future post, we will continue the pfSense build with some additional setup options and finalize the Super Router build by adding Untangle into the mix, combining these two products into one incredibly powerful router, aka SUPER ROUTER!

     

    BRIEF Q&A

    • So your first thought may be, “why even bother with this, isn’t my Linksys router good enough?”

      • That Linksys router may be good enough for you, and this project isn’t for everyone. There are also some downsides to building your own router (it can be more complicated, may use more electricity, and you may be perfectly happy with your current router), but if you already have some old hardware lying around, why not give it a try? Once you do and see all the options available, and then take a look at a few logs to see what the system is blocking, you will be amazed.
      • Another reason I love running a software router is virus protection at the router level. While every computer in the house has virus protection, having it at the router adds another layer of protection.
      • I also love all the real-time reporting. I can see what computer or device is using what amount of bandwidth at any given moment.

    • Why did you choose pfSense as the router and Untangle as the UTM? Why not just use one of these two?

      • Either of these software routers would be an excellent choice, and if you already have a good router you are happy with, you may want to try Untangle in bridge mode as a first step. We will go over this in more detail in a future post, but briefly, this means the Untangle system will sit between your current router and the rest of your network. This will allow you to continue to use your current setup, but add Untangle’s excellent filtering capabilities. Since my router had died, I needed a new one. Personally, I liked pfSense’s real-time reporting, Traffic Shaping, UPnP feature and free “app store” (referred to as Packages in pfSense) better than Untangle’s. However, as mentioned before, I love Untangle’s filtering abilities and therefore I chose to use both.

    • How long will it take to get this up and running?

      • The actual install process is really quick. After doing it several times now, I can have pfSense installed and running in just under 15 minutes. This doesn’t count building the hardware, downloading the software and burning it to CD. Plus, once you have the system up and running, you will most likely want to look around at all the options and make some changes to your liking and/or needs.

    • Why do you call this a Super Router?

      • That’s just my term; you can call it whatever you like. To me, this setup seems SUPER compared to any other router I have ever owned. Plus, by using both pfSense and Untangle, I feel I am getting the best of both products. Once you take this setup virtual (i.e., on a virtual server), all that “Super” power is in one box and your setup options really expand.

    • With all this filtering going on, isn’t my internet connection going to be slower?

      • This is a hard one to answer, as there are so many factors. Some have seen a drop in speed when all available filters are running. My own recent testing has been inconclusive. The results indicated I was FASTER with everything turned on, which doesn’t seem right and requires further testing. pfSense by itself, not running process-intensive packages like Snort, should provide just as much speed, if not more, as your current router. However, your actual results will be impacted by the hardware you use for the router.



    User Feedback

    Recommended Comments



    Great article. Just curious is it possible to integrate pfsense vm + untangle vm (bridge mode) into 1 physical hardware, using just 2 NIC (1 for WAN + 1 for LAN) ?

    I actually had it set up that way for a long time, Durian. The VM software was XenServer and it ran great, until my internet speeds were increased to 60 down. At that point, I started having issues and it turned out to be the virtual NICs in XenServer. This may not be an issue with something like ESXi, but instead of going that route, I now have pfSense and Untangle on separate machines. However, I LOVED having them as VMs. Turning them on and off with ease. Loading another version. VMs were so nice! At some point, I may go the VM route again and try ESXi in a beefed-up machine.

    I have the same pile of junk (routers). I fought with my cable connection for some 5 plus years. Plugging directly into the cable modem or rebooting the router "always" fixed the degraded speed. I have 30 years in the computer industry and have never heard anything about BSD (OpenBSD, FreeBSD, FreeNAS, pfSense, DragonFly, PC-BSD, etc.). I started down the Linux path, but too much to choose from and never quite sure of support. So here I am loving my pfSense. I want the world to know, screaming from the mountain tops: I BUILT MY OWN "SUPER ROUTER". In a previous life, I was a safe cracker. My fastest time in was 2.5 minutes.....and I can install pfSense that quickly. Best regards, moxie - the ability to face difficulty with spirit.

    Something that I don't understand here. If I already have an ADSL2+ modem, how do I configure pfSense, since in the WAN settings pfSense needs the ISP configuration info?

    @geekylinux - You would use DHCP with the WAN connected to the DSL modem's LAN connection. You would need to put a switch (or hub) on the LAN side of the pfSense box. You might want to turn off all filtering on the DSL modem, or have pre-filtering done on the modem and final filtering done on the pfSense box. You will also need to have the DHCP server set up on pfSense or some other IP addressing solution for clients. Normally DSL modems provide Internet / router functions including a DHCP server.

    This is very interesting. I just got 8 static IPs from my ISP to run my web/mail/ftp/mysql servers from my SOHO. I am confused how to get these public IPs from the ISP modem/wireless/router to a pfSense VM and then from the pfSense VM to the LAN where all my other machines can connect: servers with their now static IPs and other computers in the LAN, wired and/or wireless? I have a second modem/wireless/router as well to use if needed. Am I better off using an older Dell Dimension with 2 NICs as the firewall, giving it one of the public static IPs received? Once I use the public static IPs from the block received, I lose the original static IP that came with the first setup. Out of the 8 IPs, I can only use 5 of them. The first is for the network ID, the second for the modem subnet and the last one for the broadcast. I understood the second is used for the router's LAN. But how can I have DHCP served from one public IP address? Networking is definitely not my forte! LOL Any suggestion?

    You need to put the DSL (or cable) modem in transparent bridge mode. This passes the external IP addresses through to the pfSense router. If they are static, set the WAN port of pfSense to static; otherwise set DHCP and use Dynamic DNS. Works a treat.

    I installed plenty of pfSense in physical boxes and in virtual environments, but I never tried to combine it with Untangle; I actually don't know Untangle at all. I would really love to read about how you did the implementation. Is there any second part of this article anywhere?

    Seems like not; this was posted over 2 years ago and he only did one post of this.

    pfSense seems to me a great solution for your home internet performance issues. YouTube, Netflix and Hulu, these types of sources always eat up quite a lot of internet speed and space as well. I think currently the way you have chosen for vast internet service is effective. Thanks.
