Overcoming Challenges and Achieving Success
The Ambition, The Journey, The Struggles, and The Outcome
I recently undertook the deployment of a pfSense firewall solution in my home network. Although it was a project I had wanted to tackle since 2019, I encountered various challenges along the way. However, with perseverance and improved knowledge, I finally achieved success. This blog post will outline my journey, from the initial struggles to the rewarding outcome.
Starting with a Virtual Machine
In 2019, I began the project by setting up a virtual machine. Since I was unsure about the best hardware solution at the time, virtualization seemed like a reasonable starting point. However, being new to networking and virtualization, I faced difficulties in properly configuring and routing everything. Despite spending days on troubleshooting, I struggled to achieve the desired results.
Frustrated with virtualization, I decided to try using an old laptop as an alternative solution. Unfortunately, the laptop lacked sufficient ports for WAN/LAN connectivity, and my home’s network setup posed additional challenges due to limited access to power outlets. Eventually, I had to table the project, feeling disappointed by the setbacks.
Revisiting the Project
In early 2023, I felt confident enough to give the project another try. Armed with a better understanding of networking and having watched informative YouTube videos and explored relevant forums, I embarked on a more prepared journey.
To find the most suitable solution, I delved into Reddit threads, forums, and YouTube videos, considering options such as prebuilt Netgate systems, knockoff appliances, and Protectli. After thorough research, I decided to invest in a 5-port Qotom Mini-PC with 5 Intel NICs. Although it exceeded my original budget, I saw it as a versatile and long-lasting choice. While some may choose to virtualize pfSense and utilize the device as a Proxmox Server, I opted for a stable and reliable standalone solution, suitable for multiple users in my home.
Setting up the System
Setting up the system involved downloading the pfSense image from the official website. The trickiest part was the initial setup, which required connecting to a monitor. Due to limited nearby outlets and available monitors, I ended up using an HDMI cable to connect to the family TV. Once the initial setup was complete, I could reach the device over the network instead of a dedicated Ethernet cable and monitor, which was a relief.
With access to the web panel, I began configuring the interfaces according to my network segmentation plan. Each network, such as secure wireless, personal projects, and work-related devices, received its own IP addressing scheme. Leveraging the wealth of resources, documentation, and community support for pfSense, I swiftly set up the interfaces and started working on firewall rules to further secure and segregate the networks.
Plugins and Future Plans
During the configuration process, I discovered pfBlockerNG, a powerful plugin comparable to Pi-hole for DNS-level ad blocking. To enforce DNS blocking, I created NAT rules that redirect all outbound DNS traffic to the pfBlockerNG resolver. However, I encountered challenges with the newer DNS over HTTPS (DoH) and DNS over TLS (DoT) protocols, which can bypass a port-53 redirect entirely. Researching the security implications of DoH, I found valuable insights on zdnet.com.
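The redirect and the DoT caveat above, expressed as an added pf ruleset fragment (not from the original post and not pfSense's generated configuration; pfSense builds equivalent rules from the web UI). The interface name, LAN subnet and resolver address are assumed placeholders.

```pf
# Assumed values: adjust to the real LAN interface, subnet and resolver.
lan_if   = "em1"
lan_net  = "192.168.10.0/24"
resolver = "192.168.10.1"     # pfSense itself, running pfBlockerNG/Unbound

# Table of known DoH resolver IPs; must be populated from a maintained list
# (left empty here on purpose, no addresses are assumed).
table <doh_resolvers> persist

# Translation rules come before filter rules in pf.
# Force every LAN client's plain DNS (UDP/TCP 53) to the local resolver,
# regardless of which DNS server the client has configured.
rdr pass on $lan_if inet proto { tcp udp } from $lan_net to ! $resolver port 53 -> $resolver port 53

# DoT uses a dedicated port (TCP 853) and does not pass through the redirect,
# so block it outright; clients then fall back to plain DNS.
block return in quick on $lan_if inet proto tcp from $lan_net to any port 853

# DoH rides on TCP 443 and cannot be told apart from HTTPS by port alone,
# so the only firewall-level lever is the destination address list above.
block return in quick on $lan_if inet proto tcp from $lan_net to <doh_resolvers> port 443

# Allow remaining LAN traffic (placed after the blocks, which use "quick").
pass in on $lan_if inet from $lan_net to any
```

The `block return` form sends a TCP RST so clients fail fast rather than hanging on a silent drop; browsers with built-in DoH generally fall back to the system resolver when their DoH endpoint is unreachable.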
As part of future plans, I aim to integrate Graylog and Grafana to ingest pfSense logs into a SIEM solution, although I encountered deployment issues with Graylog initially. Additionally, I aspire to explore honeypots and incorporate active defense tools in my home network for enhanced security. These endeavors reflect my ongoing passion for networking and continuous learning.
In conclusion, deploying a pfSense firewall solution in my home network was a challenging but ultimately rewarding experience. Starting with a virtual machine, encountering setbacks with an old laptop, and revisiting the project with better knowledge, I finally found success. Through thorough research, the selection of appropriate hardware, and diligent configuration of interfaces and firewall rules, I achieved a secure and segmented home network.
By utilizing powerful plugins like pfBlockerNG and planning future integrations with Graylog and Grafana, I aim to enhance the functionality and security of my pfSense firewall solution. With ongoing plans to explore honeypots and implement active defense tools, I am committed to continuously improving my home network’s security posture. Stay tuned for further updates on my journey!
Phase 2: A Virtualized Environment and Revisiting Ideas
Hello again, this is a continuation of the first part of this post!
Inspired by apalrd and other YouTube channels, I decided to move my pfSense installation from bare metal to a virtual environment using the Proxmox Virtual Environment platform. This decision allowed me to explore more technologies on the same hardware rather than leaving most of it idle under a single lightweight install. It marked the beginning of a new phase in my project, where I revisited some of the exciting ideas I had for my home network.
Raspberry Pi Surveillance Network
One of my intriguing ideas was to create a Raspberry Pi surveillance network for my home. The inspiration came from my high school Cybersecurity teacher, who deployed a Raspberry Pi on the side of his driveway to capture SSIDs from passing cars and even perform license plate detection, recording the data in an organized spreadsheet with timestamps. I saw the power of such small-form-factor single-board computers and decided to deploy my own throughout my home in a surveillance project to monitor different angles of my house. Using open-source and privacy-respecting software, I ensured a secure and locally hosted system.
A Family Calendar and File Transfer Solution
Next, I wanted to create a family calendar and facilitate file transfers within my home network, while respecting our privacy. To achieve this, I installed the snap version of Nextcloud. The calendar became a fun addition to our family meetings, and I was pleasantly surprised by how simple it was to point our Apple phones at the server. Now, we enjoy a locally hosted and privacy-respecting alternative to big tech calendars. While I understand that putting data in the cloud can be convenient, I believe in diversifying and not letting one tech company have too much control over our information.
An Enriching Experience
As my projects expanded, I found myself having a lot of fun experimenting with different technologies. I loved the challenge of consolidating multiple services onto a small, cost-effective appliance without overheating. It allowed me to explore new cloud solutions and tools, enriching my knowledge and skills.
Looking ahead, I plan to integrate Graylog and Grafana into my pfSense setup for the better log management I mentioned earlier. I ran into some issues with Grafana, but I will figure it out soon enough. Additionally, I'm excited about exploring honeypots and implementing active defense tools to further enhance my home network's security. On top of honeypots and active defense, searx (open-source, privacy-respecting search engine software) and Invidious (a YouTube front end) might be on that list.
Some Hardware Issues
Recently, I encountered a mysterious issue with my D-Link DGS-1100-08 switch, prompting me to purchase a Ubiquiti Flex Mini Switch. Though I’m a bit apprehensive about being drawn into the Ubiquiti ecosystem, I’ve heard positive reviews about the switch’s capabilities. I look forward to sharing updates on how it performs and the networking project I’m planning for a place where I volunteer.
I faced some challenges when trying to flash OpenWrt onto my Netgear R6260 access point. After a few unsuccessful attempts, I reverted to the stock firmware. However, this experience taught me valuable lessons, and I even used the nmrpflash tool to unbrick the router.
A Media Server Project and Tailscale
Currently, I’m exploring how to integrate Jellyfin and FreeNAS Core virtual machines to create a local media server. I’ve also recently installed Tailscale on my pfSense server, which impressed me with its simplicity and mesh networking technology. While I plan to revisit OpenVPN in the future, Tailscale has been serving me well for now.
Conclusion
My pfSense journey has been a remarkable experience of learning, experimentation, and discovery. I’m excited about the possibilities that lie ahead and the continuous improvements I can make to my home network. Stay tuned for more updates as my projects evolve and my passion for networking and security continues to grow.
(Phase 2 update 06-2023)
Notable Resources:
Lawrence Systems YouTube Channel