Build a Router 2016 Q4 -- pfSense Build

Reddit Comments

Check out /r/level1techs, Wendell's new Reddit home

👍 14 👤 u/[deleted] 📅 Nov 08 2016 🗫 replies

I've been wanting to do something like this for a while and this video just boosted my confidence. Looks like I'll be busy this weekend.

👍 6 👤 u/Meaux76 📅 Nov 08 2016 🗫 replies

Really well done video, thanks for posting!

👍 5 👤 u/Jwkicklighter 📅 Nov 07 2016 🗫 replies

Great Video!

👍 5 👤 u/[deleted] 📅 Nov 07 2016 🗫 replies

That was a great video. Really loved how he goes into some of the different packages you can use with pfSense. I've been running snort, Darkstat, and squid on an XTM505 with an E8200 for a little over a year now. It's a perfect box for what I'm doing with it.

👍 2 👤 u/[deleted] 📅 Nov 08 2016 🗫 replies

Been running pfSense on an old RSA appliance for nearly 2 years without a single glitch. I even used the proxy cache for my most visited sites and love it. The wireless features work flawlessly as well.

👍 2 👤 u/[deleted] 📅 Nov 08 2016 🗫 replies

I have this exact same machine (but with the i5-2400) running as a FreeBSD11 server. Once I build myself a more proper server, I'm looking to fill the box with a pair of multi-NIC cards (much like this video showed…one dual, one quad) and virtualize pfSense on one NIC card, and learn IDS with Ubuntu on the other NIC. If bhyve is up to it performance-wise, I'll use that as the hypervisor, or it's also a good time for me to familiarize myself with Proxmox!

👍 2 👤 u/himay81 📅 Nov 08 2016 🗫 replies

I bought a PCEngines APU and installed pfSense on it. Runs the small startup I'm in. And I love the OpenVPN Export Plugin. Just 1 click and our employees have their VPN config including the installer.

👍 2 👤 u/XenGi 📅 Nov 09 2016 🗫 replies

This seems just mildly overkill. My router is a PCEngines APU2 and unless you need to be routing over ~300Mbit/s, it does the job for $150 new.

👍 2 👤 u/[deleted] 📅 Nov 08 2016 🗫 replies
Captions
Have you guys lost your damn minds? Why would you replace this, which does routing and wireless, with an old computer that's just going to suck up a lot of electricity and run hot and otherwise be annoying? Well, because you can turn your old PC into a really awesome router. [Music]

So this is a Tenda AC router. It's got built-in wireless, it's got an ability to be a USB print server, you know, it's fairly compact, runs off a power brick, doesn't use much power. The thing behind me is a small form factor, a small form factor Dell. This particular one is an i5-2500, which is extreme overkill for a router. Unless you're in a business that's got, you know, 100 users, you don't really need that much horsepower for a router. That's crazy. But if you're a computer science student, or you're wanting to learn networking, or you're wanting to build just a really powerful router that's more powerful than consumer-grade gear, kind of like something that you would run into in the enterprise or in business, well, then you can start with a computer. You don't even need any sort of fancy special hardware. You can put a distribution on it, a BSD distribution like pfSense, and turn a computer like that into an epic router.

Now, strictly speaking, you really ideally have two network interfaces. That thing's only got one. It's got two expansion slots, and so we can add some more NICs to it. The particular network cards that I've got are a two-port Intel NIC, so you'd have a total of three, and I've also got a four-port Broadcom adapter, so that's got a total of four on it, plus the one on board makes five. If I put both cards in there, I'll have a total of seven NICs coming off of this i5-2400.

Well, why would you want to do that? Well, how does that work? Well, normally you don't really even need to do that. You would just run the router into another device called a switch, and for your wireless you would run it to a wireless access point, and you would put your wireless access point somewhere convenient, like the middle of the ceiling or, you know, in the attic or somewhere conveniently located at your house. All too often people have terrible Wi-Fi connections, and that's because the router is, you know, under a desk, on the floor in some corner of the house where nobody ever goes. "Oh, it's in the basement under the hot water heater." Well, of course your Wi-Fi is going to be terrible. But if you put a wireless access point in a central location in the house, and then you get an Ethernet cable back to your network connection, back to your router, back to your, you know, ISP's outside connection, you're going to have a lot better experience.

So your first step on the road of enlightenment is to build your own router, so that you can understand how to secure your network, and you can do some really advanced things. Having your own router means that you can do things that you can't normally very easily do with a consumer-grade router. For one thing, pfSense has an extensive plug-in system. These plugins provide things like a transparent proxy, VoIP, intrusion detection, an HTTP proxy. All manner of extensions and plugins to this system will let you extend it in ways that you never really thought possible. I mean, yeah, you can do a print server and that kind of thing, but you can do so much more than that. It's really, really nuts what you can do when you've got a full computer that's actually doing your routing. You can run a DNS proxy, you can run pretty much anything that you can imagine.

So let's take a look at installing pfSense on something like this. Now, the first thing that you're going to do is prepare your USB stick. When you prepare a USB stick, you've really got two options for the installer. One, you can set up a USB stick that's already sort of a ready-to-run installation of pfSense. What that means is you stick the USB stick in the computer, you boot off of it, and then you're in pfSense. It's going to walk you through a wizard to configure the network interfaces, set it up, and you're good to go. That USB stick basically becomes a permanent part of your router. That's what pfSense boots off of, and that's what it runs from, from now until the end of time. Now, that's a little bit more limited. You can't really use the plug-in system as well, and there are some features that you don't get in pfSense, but if you want a, you know, lightweight, compact, no-frills installation, it's certainly one way to do it.

If you want something that's a little bit more feature-full, you're going to use the USB stick to create an installer. What that means is that you boot off the USB and you use it to install it to the computer. Now, the computer will need an SSD or mechanical hard drive, something for pfSense to install to. Another USB stick would also work, but I'm not going to recommend that, because generally USB sticks are not as reliable as a hard drive. But if you want to use a 64 or 128 gig SSD, that'll be fine. It'll run like greased lightning, and that'll be enough space that you can do things like run a caching server or run a proxy server or something like that.

So proxy server means that when you download a big file from the internet, assuming it's not an HTTP connection, that big file that you download off the Internet will be cached on the router. And so things like Windows Update, or things like, you know, packages that you might download from a Debian repository, if you've got multiple Debian machines on your network, those will actually be cached on your router automatically, transparently. So when you download those files, they'll actually come from your router the second, third, fourth time that, you know, you need to use it, rather than having to redownload that over the Internet. If you've got a metered internet connection, doing that kind of caching can really save you some bandwidth against your data cap, whatever you might be running into in terms of, you know, your data cap.

So in general, if you're just in a mode to learn, or you're wanting something to fart around with, I'd recommend going for the installer USB stick and then actually install it to the hard drive on the machine once you've created your USB stick. On Windows, you use Rufus. On macOS or Linux, if you're creating the USB stick from there, you can just use dd to write the image directly from the disk image file to the actual USB stick. The installation instructions for how to do that are online; there's a link below in the description.

Once you get your USB stick, you just plug it in the computer and you boot off of it. The installer is going to come up and it's going to ask you to configure some settings. It's going to ask you about your keyboard layout and some other physical parameters of your machine. Basically, you're just going to hit Enter, next, all the way through this. It's not really going to be a big deal to install this. Once you do the installation, it's going to copy the data from the USB stick to the onboard hard drive, then the whole thing is going to reboot.

The next thing you need to do is configure your interfaces. If you want to do it automatically, you'll want to make sure that all of the network cables are unplugged from the device, and if you do "a" for automatic, then it'll ask you to plug in a cable to the particular interface. So you can just, you know, use a Sharpie or a label maker or something and actually label the physical network interface that you want to be the WAN connection, that is, the connection from your ISP. Plug in the cable to there, and then once the light goes green, that's an Ethernet link light, then pfSense should detect that and say, "Oh, that can be your WAN connection." You can do the same for LAN.

And then in the pfSense vernacular, there's another type of network connection called OPT, and that's an optional connection. If you want to have a physically separate wireless network, for example, you can use OPT1, your first optional network interface, for your wireless access point. If you do that, then people that are on your wireless network are physically isolated from your wired network, and you can set up firewall rules and bandwidth rules and other sorts of rules to prevent people on the wireless from abusing the local network, and vice versa.

If you're an advanced user, you don't even really need more than one physical network to do that; you can do it another way, with VLANs. Although if you're going to do it with VLANs, I would recommend getting a switch, an Ethernet switch that does VLANs, and setting up VLANs in your Ethernet switch, and then setting up your access point, which hopefully also supports VLANs, to use the VLANs on the switch. And then you configure VLANs on pfSense, and it's as if you have multiple physical adapters, but you only have the one LAN connection. And that's why, you know, even if you've got a router that only has two Ethernet connections, you can still use VLANs to set up a really, really complicated pfSense setup with tons and tons of interfaces, if you really want to, and even have, you know, quote-unquote physical isolation. But that video is a little more advanced, so we'll save that for another day.

Now, for my particular setup, if I'm going to use this four-port Broadcom adapter, I'm actually going to have three optional interfaces, because I've got WAN and LAN and then OPT1, OPT2 and OPT3. And because of which network interfaces I pick, I can say the onboard connection, which is an Intel adapter, is going to be my WAN connection, and then LAN's going to be the top port, and then, you know, OPT1 is the second port, third port, fourth port, you know, all the way through OPT3. If I use the Intel adapter, then the machine's going to have a total of three interfaces, and I'd say this is much more normal for your pfSense router which you're going to learn on. And so the onboard connection, I'll assign that to WAN, and then the first connection on my Intel adapter, that'll be LAN, and the second one will be OPT1. And so that will give me some flexibility in terms of, you know, WAN and LAN for my main connections, and then OPT1 for wireless if I really want it.

In terms of where do I plug in all of my computers, well, for that you'll need an Ethernet switch. You can get an 8, 16, 12, 24 port Ethernet switch, and you'll just have the cable that comes out of your router and goes into the Ethernet switch, and then all of your computers will plug into the Ethernet switch as well.

Now, this setup is gigabit through and through, and the i5-2500 will have no problem pushing full gigabit speeds, even for VPN, even for anything like that. Those of you out there that are on Google Fiber, or are fortunate enough to have an ISP that can push true fiber-optic bandwidth, something like this is going to be good for you, because it is hard to find a quote-unquote consumer-grade router that can really push gigabit under all scenarios, that doesn't necessarily bog down under certain kinds of traffic. So if you're torrenting, or if you're doing, you know, peer-to-peer, you're downloading a game and the game's downloader has some kind of peer-to-peer system for actually doing the download, you can have full gigabit from your ISP, but a lot of the time consumer gear can't keep up with full gigabit in all the scenarios in which you might be generating traffic, receiving traffic or transmitting traffic. Something like this has definitely got the horsepower to handle it.

Once you get your interfaces set up, then you can just go to the IP address on your local area network. Now, by default pfSense runs a DHCP server. A DHCP server is a type of service where this computer listens on the local network for requests from client computers. Client computers plug in and say, "Hey, is there anybody on the network that can give me a hint about what the configuration should be so that I can get on the Internet?" DHCP is the service that does that, and so pfSense has a built-in DHCP server that you can configure the parameters for if you want to get under the hood and tweak some things. But by default the DHCP server will be enabled. In both the GUI and the command line, the sort of text interface you get on the console of the router, you can configure the DHCP server, turned on, turned off, whatever. When you're first setting up the machine, it says, "Hey, do you want a DHCP server?" Nine times out of ten, yes, you do.

In the corporate environment, if you're deploying this in a corporate environment, pfSense should not be your DHCP server. Most of the time that's going to be your Active Directory controller or, you know, your LDAP server or some other infrastructure on your network. Your router is not usually your DHCP server in the enterprise. I can sense a lot of network administrators in the audience saying, "Well, but we don't have anything other than a NAS and some workstations, so our router is a DHCP server." OK, well, I mean, that's fine, whatever, that's totally OK. But the point is, the DHCP server here is going to tell your client machines how to work, or, you know, what IP addresses to use. So if you plug in a laptop or you plug in a desktop and you get it to get a new DHCP lease, it's going to be assigned an IP address by your new router.

When you do that, you can go to the IP address of the router in your web browser, and then you've got a much easier to use web configuration GUI, just like a traditional consumer router. This is where you can install plugins, this is where you can tweak the settings, this is where you can do anything more advanced that you might want to do. The first thing that you want to do is set a password. Once you've set a password on this, that will help really secure the device. Now, you can enable SSH. If you're familiar with SSH, SSH is sort of a remote control, remote interface, remote UNIX administration thing that's been around since the dawn of time. SSH is its own subject that you could talk about for hours and hours and hours and write thousands and thousands of pages of books, but know that the SSH service is available and you can turn it on if you want to.

But there's so much other stuff you can do in the configuration here. Even just out of the box, the thing is going to generate graphs, traffic graphs, show you how much traffic you're using, how many packets per second inbound and outbound. It's going to support IPv6 and IPv4. A lot of new ISPs will give you internet-routable IPv6 addresses, so all the devices on your internet can be just completely naked on the internet with no firewall, if you want to, with a publicly addressable IPv6 address. Now, they don't let you do that with IPv4 addresses, because there's an IPv4 address shortage. You'll have to use network address translation; that's what pfSense does by default, network address translation. But for IPv6, your ISP can tell your router, "Hey, this range of, you know, publicly routable IPv6 addresses is available to be assigned to devices behind you," and if you set the rules such that everything is wide open, then devices internal to your network can be completely internet-routable, which is not something that you want most of the time. But IPv6 is something that's fully supported on the newest versions of pfSense.

Now that we've got it configured, how do we deploy it? How do we use it? Well, if your ISP uses DHCP to assign you your public Internet address, then pretty much all you have to do is plug your DSL modem or your cable modem or your, you know, fiber-optic termination point or whatever directly into the WAN connection on your router. Once you do that, the ISP's equipment should allow pfSense to issue a DHCP request to the ISP to ask what its public IP should be. Now, if you have an ISP that uses PPPoE or Layer 2 Tunneling Protocol, L2TP, or any other, you know, DSL, PPPoE, you know, whatever, then you'll have to configure that as an extra step on the WAN settings in pfSense. So your ISP hopefully has documentation for that; hopefully you know enough about that that you don't get too lost setting that up. But you may have some additional steps that you have to do on your WAN interface. If you have a static IP from your ISP, meaning that you know what your IP address should be, and your netmask and your gateway, then you can key that in manually on the WAN information settings. But by and large, 95% of people out there just use the DHCP configuration option, and you'll have IPv6 DHCP as well, typically.

Once you've got your WAN connection plugged in and your LAN computer that's accessing the web browser, basically you should be on the Internet. The only other type of problem that you would encounter commonly is maybe a DNS problem. DNS is the thing that converts a name like google.com into an IP address like 8.8.8.8. When you have a new piece of equipment like this, sometimes the correct DNS server doesn't always make it through, so you may want to go and configure the DNS servers actually on your router. Sometimes you don't want to use your ISP's DNS server. Sometimes you want to use OpenDNS, or you want to use Google's DNS servers, or a third-party DNS server or something like that; maybe your ISP's DNS servers are slow. You can configure all of that through the web GUI. Sometimes you have an ISP that does weird stuff, like its crazy YouTube caching server thing. Well, you can go in the firewall rules and block a YouTube caching server, which will actually speed up your YouTube process.

So now that you've got pfSense set up and installed, you've got a whole new world open to you. You should go here and check out the available plugins, and don't be afraid to experiment with the available plugins. If you break the machine, just keep that USB stick handy and do a reinstall. You can back up your configuration before you actually make any changes, so that if something goes horribly wrong and it destroys everything, you could just do a fresh install and then you can go to restore your configuration, and it'll take your router back to the moment where it was messed up. You can get good at this, and with a machine like this, you know, you can be up and running from nothing again in 5-10 minutes.

So this is really a great learning platform, and this is really something that's awesome, that gives you a ton of flexibility in terms of what you want to do on your own local network, and in terms of being able to see what's going on on your network. What kind of connections are your machines making out to the Internet? You know, how often is Windows 10 phoning home? This gives you the capabilities to do that. With, you know, a mechanical hard drive or an SSD, where you've got a lot of storage, unlike a consumer-grade modem, you can store months or years of logs on here to actually see what these machines were doing, where they were connecting on the Internet and that sort of stuff, so that you can know exactly what your machines are doing on the Internet.

Another really great plug-in that pfSense offers that I'll mention really quick is called Snort, and I really want to do some separate videos on Snort specifically. Cisco bought Snort. Snort is a really, really awesome intrusion detection system. Snort is an engine, but there are intrusion detection rules that the community maintains, that Cisco maintains, that a bunch of other companies maintain, and you can use those rules to actually ferret out all of the stuff that's going over the internet. Because when you're downloading, you know, 12 gigabytes of Windows updates from Microsoft, having the router sift through the 12 gigabytes of data looking for anything that looks nefarious, that's just an exercise in bureaucracy. But with the rules and an intrusion detection system, it can look at it and it can say, "Oh, this is a known vulnerability. Oh, you've downloaded a virus. Oh, something from a bad place on the Internet is trying to connect. Oh, Chinese hackers are at it again. Oh, Russian hackers are at it again." Those rules are insanely valuable to you in knowing what sort of traffic is good and what sort of traffic is bad, and so that will be part of any intrusion detection system.

There are some other options available with pfSense. You can also do stuff from the command line through SSH with pfSense. But this is really just the first video, hopefully of many, that use this as a basis to explore some functionality. Hell, if you want to use pfSense as, you know, an internal SIP router, there's a SIP proxy, so you can use your pfSense machine as a SIP relay for voice over IP. It's actually reasonably secure: as opposed to putting your SIP devices out there on the Internet, the SIP traffic can be filtered through your pfSense box, if you want to go that route.

So pfSense has a ton of flexibility, a ton of features, and the pfSense team has done an amazing job with the software. If you want to, you can actually buy routers, physical hardware routers, directly from them to support the project, and those are those really nice Aleks small form-factor, you know, six inch square, an inch thick machines. I happen to have some. They're based on the AMD APU, have three network adapters, so you've got WAN, LAN and OPT1. Internally it's got three mini PCI Express connections, one of which is for an SSD or whatever that you might run, and the whole platform is, you know, very low power, but it's a full PC, it's full x86, and so you can install pfSense on this and actually run with it, and it's great. Now, it doesn't have as much horsepower as an i5, but it's also a lot less costly if you were to buy that new. The only reason this works for us is because we're basically using surplus.

You don't have to use a sexy small form-factor computer. You can use a full desktop computer. Hell, you can just use the motherboard on a desk if you really wanted to. You could use an old server, an old server with error-correcting memory and all the, you know, robust oomph that you get from an old server, and that makes a perfectly fine, reasonable router. Hell, we even use Supermicro routers, you know, Supermicro 1U half-depth, you know, Xeon D or socket 1151 Xeon servers with error-correcting memory, and those are for, you know, 500-user LANs with all the bells and whistles as far as corporate monitoring goes, and, you know, being able to monitor instant messaging systems, instant messaging programs, the ones that don't use encryption anyway, over the LAN through pfSense. Those are really big features for the enterprise.

So if you decide to embark on a journey with pfSense and experiment with the plugins, let us know how you did, let us know what you set up, and let everyone at Level1 know what you learned, so that we can contribute to the pool of knowledge. I'm Wendell, I'm signing out, and I'll see you in the forum.
Info
Channel: Level1Techs
Views: 431,635
Keywords: pfsense, router
Id: ledv33t6SNE
Length: 19min 35sec (1175 seconds)
Published: Mon Nov 07 2016