Comprehensive Guide to pfSense 2.3 Part 1: The What and Why

Captions
Howdy folks, this is the first video in a new video series I'm doing about pfSense. This is going to be a comprehensive set of videos covering everything from what pfSense is, through choosing hardware to run pfSense on, installing pfSense, several videos about configuring pfSense and some of the numerous things it can do, followed by how to maintain pfSense over time and make sure that it's continually secure, things like that. I've been working with pfSense for a couple of years now; by no means am I an expert, but I thought I'd give this a shot, as I don't see that many fully comprehensive video series about pfSense that are up to date, at least. I'm going to do this video series on pfSense 2.2.3, and at the time I'm recording this video it's actually not even stable yet; it's currently not even beta yet. So I'll be doing a couple of videos about what pfSense is and the hardware, and when pfSense 2.3 finally comes out I'll begin to do the install and configuration with that. The reason I'm holding off is because there is a massive user interface redesign being done between the current version now and 2.3, and of course I don't want my videos to become immediately out of date, so that's why I'm going to be holding off.

So to start off with, really, what is pfSense? pfSense is a complete router software platform. This includes firewall, DHCP, DNS; it really includes everything you need to run a network. pfSense is based on FreeBSD, currently FreeBSD 10.1, and that's quite important because FreeBSD has arguably the best networking stack of any operating system right now. Linux is catching up, but the network stack in FreeBSD is kind of untouchable at this point. I'll make the distinction right now that pfSense is not a package that you install on an existing operating system; it is a complete operating system and all of the requisite software on top of it, all pre-bundled for you.

The other thing I want to note right away is that pfSense is free and open source. It is financially backed by a company called Electric Sheep Fencing LLC, and you can purchase support from them should you want to deploy this in an enterprise environment or something and have support in case something goes wrong and you need to phone somebody. But of course most people don't need that, and you can use it without restrictions, without having to pay a dime, which is excellent in my opinion. pfSense is technically a derivative of other platforms like this; unfortunately the one pfSense came from no longer exists, but there are other things like pfSense. I'm simply talking about pfSense because it seems to be the most popular and it's what I personally use, so that's why this tutorial is on pfSense. There are other platforms like it out there, but I'm not going to go into those.

Now, when you hear the word router, most people think of something that looks kind of like this, the iconic Linksys WRT54G. These things, which a lot of people call wireless routers, are not just routers, and I want to make this distinction: these little boxes contain a router, a gateway, a firewall, a wireless access point, an Ethernet switch and probably a bunch of other stuff, at least in the more expensive ones, things like file servers, print servers, all sorts of whiz-bang stuff, all in one little box. So it's more than just a router, but I'm going to continue to use the term router, in sort of quote marks, to talk about these things.

Now you may ask, well, if pfSense is a router then why on earth should I even bother with pfSense, why don't I just buy one of these things? The reason is that the companies that make these have a handful of engineers, and these engineers have to design the hardware, because they're almost always custom. They then have to build all the software on top of that; some of it is open source software they can grab, but all the things like the user interface and all the glue that holds it together they have to do themselves, and especially any proprietary features they must write themselves. They then have to test both the hardware and the software, and then test them together and ensure that there are no problems, incompatibilities, things like that. They have to make it perform to what the management or the users want, so of course if it's to be held to a certain speed standard, for example, they have to make sure that in all cases it meets that. And the big thing is they've got to make it really, really incredibly cheap. I mean, if you look at what's out there, most of the stuff probably costs less than $50 to manufacture, and that's kind of insane. And not only that, once you buy it they have to keep it up to date with security patches; they have to continually release new firmware to make sure that as exploits in the software they inevitably used come out, they get fixed, and of course the bugs and the mistakes that they make get fixed as well. The thing is, that's realistically not going to happen. A couple of engineers are not going to be able to do all of this; even in big companies nobody can get this right, because at the end of the day they're not getting enough money from it. This is a consumer product; it's not an enterprise-class product that you throw a couple of thousand dollars at and they can actually afford to invest the time in making it right. This is "get it out the door before our competitors can", and as long as it works well enough, it's good enough. In my opinion, good enough is not good enough. We shouldn't have to experience flaky routers, we shouldn't have to live with bugs in the UI. They'll always be like, oh well, if something goes wrong just reboot it, just restart it, but the router is the core of your network; it's critical network hardware. You shouldn't just need to restart it; that's fundamentally wrong in software and hardware. It should be stable, right? If it's designed to do something it should be stable. So don't give in to this really awful software quality that comes in these, you know, quote-unquote wireless routers.

Now these products are generally designed for what I'm going to call the average Joe; they're designed for someone who's not technically inclined. Of course you are probably more inclined than that. They don't have a lot of features, primarily because, A, they don't want to have to do a lot of work, and also because they don't want users to look at it and get confused because it's too complicated. But like I said, you're smarter than that; you're watching this video, you're probably more technically inclined than the average person they're marketing these consumer products at, and in fact you may work with enterprise-class gear, you just can't afford it. So with something like pfSense you can do really cool and useful things with your network, and I call it your network because you own it, right? This is in your house, this is with your hardware, so really all you need is software that's capable of doing what you want to do, and pfSense is what will enable you to do all those things. I'll get to some of those things in just a moment.

So not only is the software generally awful, but the hardware is usually no better. Most of these devices, of course, to get to that $50 or less cost, use integrated systems on a chip, and they're very low power, so I'd say the average wireless router probably has a processor somewhere around 400 MHz with maybe 64 to 128 megabytes of RAM at absolute maximum. Now yes, you can spend three or $400 on one of these things, and it has like six wireless antennas and it looks all crazy and stuff, but it's probably still only got like 256 megabytes of RAM or something. It's really quite underpowered for what it really needs, and they also don't generally design them to be very durable or to last. I don't think I've ever seen one with a fan in it, and I've definitely seen people who had to modify theirs: they cut a hole in the top of it and stick a fan in it so it doesn't crash when they're downloading things. That's just terrible; no hardware should be like that, especially when it's something as important as a router, which is the heart of your network.

So I'll give you a little bit of an example as to why you may not want a wireless router, aside from all these reasons, a real-world example. I'm going to use BitTorrent as an example here. For those of you who are unfamiliar with the BitTorrent architecture, it uses multiple connections to download a file from multiple peers in parallel, and of course that increases speed: if you have a large number of connections, each relatively slow, they aggregate together and give you a much higher speed. This is what allows you to download things relatively quickly without a lot of overhead for the people you're downloading from. Now, because this box which we're calling a router also has a gateway in it, which is the gateway from the outside network, the internet, to your LAN, it has to perform network address translation. This is something that was designed with IPv4 to try and minimize IPv4 address depletion, and it's also used for security and stuff like that. I'm not going to go into network address translation at the moment, this is just an intro video, but just think of it that the gateway has to keep track of every connection that you make out and every incoming connection. It has to keep those connections in memory, in RAM, in the device, in what's called a state table, so every time new data arrives from a connection it knows which device in your internal network to forward that data to. So every time a packet comes in it has to search the state table, every single time, so that's why it has to be in RAM.

Now, each of these states in the state table takes roughly 10 kilobytes of space in the table, and let's say that this router has 64 megabytes of RAM, which is quite a normal average. Of course these things, like 99.99% of them, run some form of embedded Linux, simply because it's cheap (it's basically free for the company), they have low memory footprints and they're generally stable if you do it right. Then there's the argument of whether they really do the software right, and in my opinion the answer is no; that's why they crash, because Linux inherently won't crash unless you do something wrong, but that's a whole other argument I'm not going to go into. So let's say that this is what we've established so far: every connection is 10 kilobytes, your router has 64 megs of RAM, so we'll say that the kernel and the initramfs take six megs, and the web UI server for the interface, let's say that takes up another four megabytes. I'm making these numbers up, but let's just say in total the software that the device is running has a memory footprint of about 10 megabytes. If you do the math with 10 kilobyte states, that gives you a simultaneous maximum of 5,400 connections. So you can have no more than 5,400 connections at a time on your router, because you physically have no memory left at the end of that. Of course if you had things like a file server, print server, all that kind of other stuff, that would eat up a large portion of your memory, so you would probably have significantly less than 54 megs available; I'm just using this as a simple example.

Now to put that into perspective, a single BitTorrent download can have over 500 connections; if you let it, you can have ridiculous numbers of connections. And that's just a single download; if you had multiple BitTorrent downloads, maybe multiple users, there are web browsers, Skype connections, people playing video games, all the devices in your network, your phones, your tablets, everything's connected and everything's talking to APIs grabbing data, even in the background when you're not actively doing stuff your phone is polling servers, stuff like that. There are a lot of connections open, and you can run out of connections very quickly in this kind of scenario. Now when the state table gets full, so let's say you try to exceed those 5,400 connections, it has to start deleting things in order to make new connections. Because it's effectively deleting states, deleting connections that are valid, the performance starts to tank: you send a request, and before the response gets back the connection gets severed because the state corresponding to it gets deleted, so it has to resend it again, and then it's all about probability as to whether it's going to get dropped before the data gets back. So your performance will absolutely tank and generally just weird stuff will happen; you may load a web page and some of the graphics will load and some of them won't, because of course all of those things are different connections, and it gets very, very weird. That can be caused (I'm not saying that's what it always is, but it can be caused) by a full state table. In fact there is a connection limit option, if you've ever seen this in BitTorrent clients, and one of the reasons for that is so that you can limit the number of connections based on the amount of memory your router has.

Now, you don't have to deal with this. You don't have to limit your BitTorrent speed and limit the number of connections you have because you have a shitty router. I just checked my router about 5 minutes ago and it currently has about 31,000 states open, and I'm not even doing anything intensive right now; I've just got a couple of web pages open and I think a friend is watching some YouTube videos, that's about it. So that alone is over 300 megabytes of RAM just in states, and even those crazy $300-$400 routers don't have that much memory in total, let alone that they can dedicate to a state table. So this sort of shows that the kind of consumer gear may be good for the average Joe, but if you try to do power-user type things with it, it's probably not going to live up to your expectations. The thing is, your PC definitely has more than 300 megs of RAM in it, and you can easily build a PC that has more than 300 megs of RAM in it; in fact I don't even think they make memory sticks that are less than a gig now. I checked my local computer store's website and I can't buy anything lower than a gig. So you can easily either build or buy a machine that will basically run circles around anything you can buy off the shelf, and of course it will be more stable and it will last longer because it will be built with quality components, because you'll have chosen them. When you put pfSense on it, that gives you a combination: you have great software and great hardware, and when you combine the two the possibilities are endless.

So I'll just go over some of the things that you can do with pfSense that maybe other people may not talk about or may not show in this way. You can do a real custom traffic shaper, which is something that I've employed on my network, so I can use a hierarchical fair service curve to make sure that everyone on the network gets fair access, as well as make sure that different protocols are prioritized in a different way to ensure true quality of service. So rather than just checking a box that says quality of service on your store-bought router, where you're not really sure what happens when you click it or whether it even does anything at all, you can pick and choose everything; you can tweak it to the nth degree. That's something that, when I get into the config, you'll be able to see how much power you really have over your own network. It provides a proper, what I would call enterprise-class firewall. It really allows you to set up very fine-grained rules and make sure that your network is as secure as it can be, but it also allows you to do a lot of things that I have never seen a consumer-class router be able to do. Again, when I show you the config you'll be able to see what I mean by this. Of course you can set up things like OpenVPN so you can access your network internally when you're mobile or away. Some more cool things: you can set up your own DNS server, and the reason I say server/forwarder here is because you can actually set up your device to cache other DNS servers, and that'll improve performance across your entire network. Of course this allows you to make up your own host names, so you don't have to access your computers with IP addresses anymore; you can give them cool names. Some of my servers are named things like Tesla, Volta, M watt; I've given them the names of famous scientists. You can do things like that, which of course you'd see on proper enterprise networks anyway. You can also cache objects with Squid: you can install Squid, and basically it intercepts HTTP transactions and stores them in memory as well as on disk, and that allows it to basically re-read them from cache and stream them back to you at basically LAN speeds if you request them within a certain amount of time, or before they get overwritten. Just as an example, I bought a Steam game, and about two days later a friend bought the same game; they downloaded it in about 90 seconds. My internet connection is only 7 megs a second at absolute maximum, and they downloaded at almost 50 megabytes a second. That is a real screenshot, that's not a glitch, that is actual speed; it's not magic, it's just Squid. You can also use pfSense to block ads; this is also Squid that can do this. So this is just a non-rooted phone, this does not have any way of doing ad blocking whatsoever, and this ad will never load, it'll just sit like this forever. You can block domains, you can basically intercept and replace resources, and things like that, and this will both improve performance and of course it's less obtrusive because you don't see the ads, and that's always nice to see.

Now just some generic other reasons. You get real security patches: you know for a fact that there will be a security patch whenever there's a security hole found, and they really do come out timely. You know it will come out because there are enough people relying on it; it's open source, it will happen. Rather than with your router, where you have to rely on that company, which may or may not choose to allocate an engineer to keep updating that product however many years down the road. So you get peace of mind that you're safe. It's also scalable; you can do pretty much anything. You can put it in any configuration you want; you can have multiple WANs, so you can have multiple internet connections, you can do load balancing, failover. Depending on your hardware, you can run 10 Gb Ethernet speeds, faster than that, you can run InfiniBand; you can basically do whatever the hardware is capable of doing. You can do really crazy stuff, and it's fun to play around with but it's also very practical. You can log data about your network: RRDtool is included by default, so you can track your usage, you can track the quality of your network connection, you can track all sorts of stuff, which is really useful when you want to blame your ISP for doing something they shouldn't be doing; screenshots of all that data are very useful. You get to see logs from all the different services, DNS, DHCP server, all that kind of stuff, which can be very useful. You can create guest networks, captive portals, you can block domains at will, all sorts of stuff like that. I could go on for hours about all the little things you can do, and I really just don't have time to go into them at this point, but the internet is a thing, you can Google and you can find out all the different things that pfSense can do by looking at forums and the wiki and all sorts of other stuff.

So, in summary, pfSense is a comprehensive router and firewall operating system. It's completely free and open source, but you can get support if you want it. You can scale it to pretty much any configuration you can possibly dream up, as well as any speed you can dream up, so regardless of what kind of connection or connections you have, you can be pretty sure that if you have the right hardware it will work. It has probably the closest to an enterprise-class feature set of any router platform I've seen, and it's very secure; I trust the firewall more than I trust any consumer off-the-shelf device, definitely. And also I guess it's probably better than whatever you're running now; I think I can say that with a pretty decent amount of confidence, unless you're already running pfSense, in which case good job, I'm not entirely sure why you're watching this video.

So anyway, the next video I'll be doing will be choosing hardware, so it'll be on how to select components if you're building a machine, and I'll give some of the different configurations for some of the different use cases of pfSense, as well as some of the things to look for if you're planning on buying something pre-built, or maybe reusing that old laptop that you've got sitting in the corner, that kind of thing. So I'll go over all the different hardware configurations that you can run, the type of performance you can expect, and little caveats and stuff. I'll do that next. If the video is up, there'll be an annotation on the screen right now and there'll be a link in the description; of course, if there's nothing there it's because I haven't made the video yet. So anyway, hopefully this was useful, and if you have any questions about pfSense, like I said I'm not an expert, but I'm also not tech support, so be reasonable, but leave any questions in the comments and I'll try and get back to you. Hopefully I'll get on to making the hardware video soon. I have a bunch of stuff to do within the next few weeks, so it may take a couple of weeks before I can get the next video out, so there may be a little bit of a gap here, but it will be coming, trust me, I will not abandon this video series. So anyway, hopefully that was useful. Thanks for watching.
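The state-table capacity estimate the video walks through (RAM minus the software footprint, divided by roughly 10 KB per state), generalised to an arbitrary connection mix, plus a headroom check of a live pf state table against its configured hard limit, as an added example that is not from the video or the pfSense project. It assumes the speaker's 10 KB-per-state figure with decimal kilobytes and megabytes to match his arithmetic, and `pfctl -si` / `pfctl -sm` output shaped like the constructed samples embedded below.

```python
"""State-table capacity and headroom checks for a pf-based router such as pfSense.
Added example, not from the video. Assumes ~10 KB per state (the speaker's estimate),
decimal KB/MB to match his arithmetic, and pfctl output shaped like the constructed
samples below."""
import re

KB = 1_000
MB = 1_000 * KB

def max_states(ram_bytes, software_footprint_bytes, bytes_per_state=10 * KB):
    """Upper bound on simultaneous states: (RAM - software footprint) / per-state cost."""
    free = ram_bytes - software_footprint_bytes
    return max(free, 0) // bytes_per_state

def states_for_workload(workload):
    """Total states for {"name": (clients, connections_per_client), ...}."""
    return sum(clients * per_client for clients, per_client in workload.values())

# Constructed samples shaped like `pfctl -si` (state table section) and `pfctl -sm`.
SAMPLE_PFCTL_SI = """\
Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                      31000
  searches                         98765432         1234.5/s
  inserts                           5678901           71.2/s
  removals                          5647901           70.8/s
"""

SAMPLE_PFCTL_SM = """\
states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit     5000
table-entries hard limit   200000
"""

def parse_current_states(pfctl_si_output):
    """Read the 'current entries' count from `pfctl -si` text."""
    m = re.search(r"^\s*current entries\s+(\d+)", pfctl_si_output, re.M)
    if not m:
        raise ValueError("no 'current entries' line found")
    return int(m.group(1))

def parse_state_limit(pfctl_sm_output):
    """Read the states hard limit from `pfctl -sm` text."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", pfctl_sm_output, re.M)
    if not m:
        raise ValueError("no 'states hard limit' line found")
    return int(m.group(1))

def state_table_report(current, limit, warn_ratio=0.8):
    """Utilization, remaining headroom, and an alert flag so the limit can be raised
    (or the load investigated) before new connections start failing."""
    util = current / limit
    return {"utilization": round(util, 3),
            "free_states": limit - current,
            "alert": util >= warn_ratio}

if __name__ == "__main__":
    cap = max_states(64 * MB, 10 * MB)  # the video's consumer router: 5400
    load = states_for_workload({"bittorrent": (2, 500), "browsers": (5, 40), "phones": (6, 30)})
    print(f"capacity {cap} states, workload needs {load}, fits: {load <= cap}")
    print(state_table_report(parse_current_states(SAMPLE_PFCTL_SI),
                             parse_state_limit(SAMPLE_PFCTL_SM)))
```

On a real pfSense box the two parsers would be fed the output of `pfctl -si` and `pfctl -sm` from the shell; the sample strings stand in for that here.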
Info
Channel: Mark Furneaux
Views: 229,046
Keywords: PfSense (Software), Software (Industry), how to, guide, Networking Cables (Invention), computer network, router
Id: agieD5uiwYY
Length: 26min 8sec (1568 seconds)
Published: Sun Nov 29 2015