Beginner Guidance on How To Use pfSense



  • In case you don't want all the boring details:
    TL;DR: new guy knows little about networking past basic router management and needs help

    Background:  I do the IT at our local church because I'm available near any time.  I did 20 years of communications in the Air Force, but I was radar maintenance, not networking.  I have some basic networking skills, but it was always troubleshooting an existing infrastructure with a tech order, and I'm feeling a little out of my league upgrading and doing a small business router/firewall setup.  A good IT guy I know recommended pfSense and it seems to fit the bill.  Mostly because it is open source and I have spare hardware I can use.  We don't have the budget for a large purchase, and I'm willing to put in the blood, sweat, and tears to learn and set up what we need. For my home, I just use OpenDNS, but that's not an option at church because it isn't free.

    So that leads me here.  I did a forum search for "beginner" and there isn't much for newcomers to this stuff as far as the basics and how-to and all that.  The answers get pretty specific, but are mostly above my knowledge level, even though I am willing to learn it.  I can't believe there isn't a sticky on the basics for beginners.

    Does anyone have some web resources they can point me to?  I may have to spend the $499 out of my own pocket, because the church can't swing it right now.  We are doing a renovation of our school, to put an iPad in every student's hand and there aren't extra dollars right now.  There may be once the renovation is done, but we don't have corporate money available to make it work.

    Our current setup is:
    1. Charter Business internet in from a cable modem @ 100 Mbps
    2. Cisco small business router
    3. Into a 24 port switch
    4. Multiple Linksys AC1750Pro wireless access points (bridged)
    5. Multiple lan drops for computers, printers, etc.

    I think I need to replace the Cisco with pfSense to get the content filtering and antivirus at the packet level, but even though I understand my needs I don't have the technical knowledge to get it done.

    Thanks in advance for your time!



  • Install pfSense on that spare hardware and start learning.

    Did you mention what you were thinking of spending $499 on?  I must have missed it.  If you spend out of pocket, make sure it is done in a way that makes it fully tax deductible.  My preference in that regard would be a $$$ donation to the church, and then the church uses it to make the purchase.  Keeps it all nice, clean and clear in case of an audit.  Documented dollars and cents make it easier to convince an auditor of equipment value, training value, etc.

    Tangent topic:
    It's been my experience that charitable donations tend to reduce tax liability by about 20 cents on the dollar.  So if handled properly, Uncle Sam will likely help you out with about 20 percent of that purchase.
    Of course that is all assuming you're in the U.S. and the church has tax deductible status.



  • Download and read

    pfSense: The Definitive Guide (PDF)



  • https://doc.pfsense.org/index.php/Main_Page

    DansGuardian for content blocking

    I would really avoid doing AV on the router.  It's slow, and I believe you get better protection from client-based AV solutions.



  • Welcome on board; you will find here a great community in the true FreeBSD spirit, with some (many) extremely talented people (me excluded, as I have claimed myself the title of eternal noob on this forum)  ;D

    People are nice over here, and always willing to help out. What often helps of course is if you provide clear questions, and clear information as to what you've done yourself, what errors you've seen, etcetera. I think I sort of missed your question to begin with; what is it you need help with? Can you formulate concrete, detailed, questions?

    As a suggestion: given church, I would set up a VLAN for your guests, and put some content filtering on it (Squid + SquidGuard, or DansGuardian). So keep LAN for trusted computers, and VLAN for guests. Captive Portal seems typical for this setup too.

    On the firewall level, I would absolutely add BB's pfBlockerNG, a package you can't do without. Snort, or Suricata, comes to mind too of course (layered defense: pfBlockerNG blocks bad IPs based on reputation lists, Snort/Suricata examine the content of packets and block when something bad is found).

    Depending on how many guests you will have on your network you will probably also like some traffic shaping, but although I have that in my setup, I have a limited number of clients in my networks which makes it easy to configure. You probably have many, and I am not sure how you could set this up efficiently, so perhaps people more knowledgeable in this area (remember, eternal noob is my © on this forum ;D ) can help you there.
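    To make the guest-VLAN suggestion above concrete, here is an added illustration that is not part of any post in this thread. It is written in pf.conf syntax, the packet filter pfSense is built on, so the policy can be read in one place; on an actual pfSense box you would enter the equivalent rules through the web GUI (Interfaces > VLANs, then Firewall > Rules on the guest interface, using the built-in "This Firewall" and "LAN net" aliases) rather than editing pf.conf by hand. The interface names, VLAN ID, subnets and the Squid port are assumptions chosen for the example.

```pf
# Constructed example: isolate a guest VLAN from the trusted LAN on a
# pfSense-style firewall. All names and addresses below are assumptions.
ext_if    = "em0"              # WAN, toward the cable modem
lan_if    = "em1"              # trusted LAN (staff computers, printers)
guest_if  = "em1.20"           # VLAN 20, carried on the same trunk to the access points
lan_net   = "192.168.1.0/24"
guest_net = "192.168.20.0/24"
proxy_port = "3128"            # Squid (with SquidGuard) listening on the firewall itself

set skip on lo0
scrub in all

# Both networks share the WAN address for outbound traffic
nat on $ext_if from { $lan_net, $guest_net } to any -> ($ext_if)

# Transparent proxy for guests: plain HTTP is redirected into Squid/SquidGuard
# so the content filter sees it; HTTPS is not covered by this rule
rdr on $guest_if proto tcp from $guest_net to !($guest_if) port 80 -> 127.0.0.1 port $proxy_port

# Default deny, and log what gets dropped so you can see what guests try
block log all

# Trusted LAN: allowed out anywhere
pass in quick on $lan_if from $lan_net to any keep state

# Guest VLAN, evaluated top to bottom because of "quick":
# 1. guests may only talk to the firewall for DHCP, DNS and the redirected proxy port
pass in quick on $guest_if proto udp from $guest_net to ($guest_if) port { 53 67 } keep state
pass in quick on $guest_if proto tcp from $guest_net to 127.0.0.1 port $proxy_port keep state
# 2. everything else aimed at the LAN or at the firewall's own addresses is dropped
block in log quick on $guest_if from $guest_net to { $lan_net, ($lan_if), ($ext_if) }
# 3. what remains is internet-bound traffic, which is allowed
pass in quick on $guest_if proto { tcp udp icmp } from $guest_net to any keep state

# Let the firewall's own outbound traffic (DNS lookups, Squid fetches, updates) out
pass out quick on $ext_if keep state
```

The order matters: the specific "allow DNS/DHCP to the firewall" rules sit above the block, and the block sits above the general "allow to any" pass, otherwise guests could reach the trusted LAN through the catch-all rule. In the pfSense GUI this is the same top-down evaluation, so put the "Block guest net to LAN net / This Firewall" rule above the "Allow guest net to any" rule on the guest interface. Because this rule set only redirects port 80, HTTPS from guests bypasses SquidGuard; if that is a concern, pfBlockerNG DNS blocking (which works on the name lookup, not the connection) is the layer that still applies.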

