pfSense experiences

I need a firewall cluster for $DAYJOB.  I could grab any BSD, throw it on commodity hardware, and make it work.  I’ve done that.  Repeatedly.  I could plug OpenVPN into Radius.  I could set up CARP and rsync-based config replication.  But I decided to try pfSense instead.  Here’s why, and what happened…

Years ago I wrote a few articles on how to build your own firewall with FreeBSD.  This has led to lots of people trying to hire me to build a firewall for them.  I haven’t wanted that work for years now, so I usually either refer them to OpenBSD (for those I think are geek enough) or pfSense (for those who aren’t).  This led me to recently writing the foreword for Buechler’s and Pringle’s pfSense book.

A foreword is not a review, nor is it a statement that the foreword author has performed an exhaustive review of the material.  It’s more of an endorsement, and comes down to “I’ve read this book, and it looks good, and I think the topic is important and worthwhile, so you should read it.”  I considered writing a pfSense book myself, actually, but I’m just as glad that Chris and Jim beat me to it.  (I abhor creating visuals for books.)

My usual reaction to a GUI-based product is “throw in the CD, boot, and click likely-looking buttons until you like how things work.”  With pfSense, this mostly works.  When it didn’t work, I grabbed the book and followed through the instructions, and I’m pleased to report:  the book works exactly as you think it should.  Actually reading the instructions resolved all my obvious issues.

There’s a more subtle issue at play, though.  There’s a difference between building a firewall for my use, and building a firewall for other people.  Specifically, on my firewall I’m going to want to do Weird Shit.  I don’t know in advance what that Weird Shit is, but I don’t want any GUI to get in my way of implementing it.  To my surprise, pfSense supports all the Weird Shit that I want.  For example, I wanted to attach OpenVPN to a CARP address. Select the CARP virtual address from the interface drop-down, and I’m done.  Anything I could think of, someone had already done.

Some parts look too good to be true.  pfSense includes an OpenVPN client config export wizard, where you can download a Windows installer that includes the OpenVPN software configured for your VPN.  A change I made to the server IP address wasn’t included in the export, though.  I thought “Aha!  I got you!  I knew I should have rolled everything by hand!  I am Alpha Network Geek, and no pretty GUI product can support my needs! Bah, humbug, grumble grumble.”

But the pfSense folks said: yes, this is a bug.  And they acknowledged it quickly.  I’m fairly confident it will be fixed, or I’ll be shown the error of my ways.

I’m using pfSense 2.0 because a) I want some of the features, and b) I have enough experience that I’m confident I can resolve any problems.  If nothing else, I can do strange and terrible things with the command line on the underlying FreeBSD system.  I can even install additional FreeBSD packages if needed.  Not that I want to, but I have the option.

My only real problem with pfSense is that I cannot use aliases for groups of network ranges in the advanced NAT rules.  I have several IP ranges on different DMZs behind the firewalls, and being able to use aliases would make managing NAT easier and reduce the chances of me screwing up.  But that’s comparatively minor, and hopefully they’ll do something with NAT and aliases in the future.

3 Replies to “pfSense experiences”

  1. I happened to come across this again (saw it when it was originally posted via RSS) and wanted to add a note on the aliases in outbound NAT rules. That’s been added to 2.0 since this post and is available in recent snapshots, and 2.0-RC1 (which will be pushed out to mirrors later today, it’s already built). Now all the NAT areas have alias support, with the exception of 1:1 because PF doesn’t support tables with binat, though we’re looking to add that support to PF in the future (post-2.0).
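The distinction the comment above draws, between aliases working in outbound NAT and not in 1:1 NAT, comes down to what the underlying pf rules accept. The pf.conf fragment below is an added illustration, not rules generated by pfSense or written by the post’s author or the commenter; the interface name and all addresses are constructed for the example. In pfSense, an alias becomes a pf table, and a `nat` rule can match on a table, while a `binat` rule maps one inside address or network to one outside address and, in the pf shipped with FreeBSD at the time, cannot take a table.

```pf
# Added example (not pfSense-generated rules): why an alias of several DMZ
# ranges works for outbound NAT but not for 1:1 NAT (binat).
# Interface name and addresses are constructed for illustration.
ext_if = "em0"

# A pfSense alias holding several networks becomes a pf table like this one.
table <dmz_nets> { 10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24 }

# Outbound NAT: one rule covers every range in the table, so adding a DMZ
# means editing the alias, not the rule set. (ext_if) in parentheses tracks
# the interface address if it changes, which matters with CARP failover.
nat on $ext_if from <dmz_nets> to any -> ($ext_if)

# 1:1 NAT: binat maps exactly one inside address to one outside address and
# accepts no table here, so each mapping stays its own rule and the alias
# cannot be used to shorten this part of the configuration.
binat on $ext_if from 10.10.0.10 to any -> 203.0.113.10
binat on $ext_if from 10.20.0.10 to any -> 203.0.113.11
```

On a plain FreeBSD or OpenBSD box, `pfctl -nf /etc/pf.conf` parses a rule set without loading it, which is the quickest way to confirm which constructs the installed pf accepts before relying on them.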
