Monday, July 14, 2014

pfSense by-passing FiOS and Comcast hardware

Taking my home network to the next level...

First of all, thanks for continuing to read my blog posts.  I've finally had some time to put together a post on what I've done with my home network and how you can easily do the same.

Switching Internet Providers seamlessly...

Let me start by saying, yes, after a few years of having Verizon FiOS, I went to the 'dark side' and became a Comcast internet customer.  The main reasons for my move were that 1) FiOS started charging double what I paid initially and 2) they were QoS'ing my traffic to Netflix / AWS.  Instead of dealing with their limitations, I simply switched to Comcast.

For most people, changing providers is a massive pain, since now you have to re-IP or make changes to some or all of your devices (new WiFi password, new IPs, firewall configurations, etc.).  I learned my lesson from this switch: I will never ever use the cable company provided gateway device (modem + router); instead I will just get a standalone modem that I can plug into my firewall / router.  Now, I control the firewall rules and all my network settings (DHCP, etc.) on hardware that I never have to rent or return.  So, when Comcast jacks up my prices, I simply get a new modem for the next provider and seamlessly switch.  No angry wife asking "What's the new WiFi password?!?"

That's when I figured out that my little network setup made it really easy to move from FiOS to Comcast without having to make any changes to my network.  Now, I can move from provider to provider without having to re-architect my network.

Step 1 - ditch the cable company provided Gateway

After getting rid of the FiOS gateway, I was able to set up my pfSense firewall and a simple wireless AP.  All of the firewall intelligence is fully configurable, and I even have an IDS/IPS (Snort) as part of the pfSense appliance.  This little box has a ton of very cool and interesting tools, like Captive Portal (simple username/password logins for the WiFi, which makes sharing it with guests easier).  You can even get NetFlow data using softflowd, and run an OpenVPN server!  (I will share how to set these up, but for now, please use the online documentation and Google to set them up.)

Let's start with the hardware:

I bought this hardware new from Amazon in 2014 and it's been solid.  You can get away with using older hardware, but for simplicity's sake, here's what I used:

Intel Desktop Board D2500CC (BLKD2500CCE) - $120
The matching power supply and plug (you'll need this) - $20
4GB of RAM, PC3-10600 204-pin SODIMM - here's the one I used - $30
4GB CF card - here's the one I had lying around - $30
Lastly, a CF-to-SATA adapter - $13

(Yes, you can use a 1GB card, but then you'll possibly limit your ability to install the packages you want.)

Total cost ~$250

Now let's build the pfsense firewall

I built mine using the CF card install from my Mac (OS X).  Here's how you do it.

First, download the correct version for your hardware: the 64-bit 4GB embedded CF card image.

Now, let's get the image onto the CF card.  You can either follow the documentation on the pfSense website, or you can just run the following commands.

First, find the right disk, that is, your CF card.  Check the SIZE and IDENTIFIER columns carefully: dd will happily overwrite whatever disk you point it at, and here the 4 GB card is disk2 while disk0 is the internal drive:

host:~> diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage                         250.1 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS MacHD                 *249.8 GB   disk1
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS USB                   *4 GB       disk2

Then unmount the card (unmount, not eject, so the device node stays) and write the image.  Writing to the raw device (rdisk2) with a larger block size is much faster than the buffered disk2 node; if your download is still gzipped, decompress it straight into dd instead of unpacking it first:

host:~> diskutil unmountDisk /dev/disk2
host:~> sudo dd if=/path/to/pfsense.img of=/dev/rdisk2 bs=16k
(If the image is still compressed: gzip -dc /path/to/pfsense.img.gz | sudo dd of=/dev/rdisk2 bs=16k)

Here's the source I used to make my disk.

Awesome, my pfSense firewall is on my CF card, now what?

Let's install the hardware and get the firewall online.  Follow the prompts and the online documentation from pfSense to complete the install.  For this example, we are just going to set up the WAN and LAN links; if you want to build your own VLANs, you can read the fine manual to do that.

I want the syslogs!
Instead of logging the data directly on my pfSense firewall, I decided to use a Raspberry Pi.  You do not need to do this step; you can feed your syslog directly into your Splunk indexer.  I did this to set up a forwarder and also because I had an extra Raspberry Pi.

Raspberry Pi - syslog-ng
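What actually lands on the Raspberry Pi is pfSense's filterlog: one CSV record per logged packet, wrapped in a syslog header, and it is worth knowing its shape before you point Splunk at it.  Below is an added example (my own code, not from the original post or from the pfSense project) that parses those lines and pulls out the first thing most people want from a home firewall's logs: which outside hosts keep getting blocked on the WAN, and which of them are poking at several different ports, i.e. scanning you.  It assumes the filterlog field layout documented for pfSense 2.2 and later, a WAN interface named em0, and the constructed sample lines embedded in the script (documentation addresses, not real traffic); older releases used a slightly different layout, so check it against the version you run.  One caveat on transport: pfSense sends remote syslog as plain UDP, so keep the Pi on the LAN and let the forwarder or the OpenVPN tunnel carry the data to EC2 rather than shipping raw syslog across the Internet.

```python
"""Parse pfSense filterlog lines as received over syslog and flag scan-like sources.

Added example, not code from the original post or the pfSense project.
Assumes the filterlog CSV layout documented for pfSense 2.2+:
rule-number,sub-rule-number,anchor,tracker,real-interface,reason,action,
direction,ip-version, then the IPv4 or IPv6 header fields, then the
protocol fields (source-port,destination-port,... for TCP/UDP).
"""
import re
from collections import defaultdict

# Syslog framing as the Pi receives it: "<PRI>Mon dd hh:mm:ss [host] filterlog: csv".
# pfSense's own syslogd omits the hostname; a relay in between may add one.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>\S+) )?filterlog: (?P<csv>.*)$"
)

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses), not real captures.
SAMPLE_LINES = [
    # 198.51.100.23 hits three different ports on the WAN address: scan-like
    "<134>Jul 14 09:12:01 filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,198.51.100.23,203.0.113.10,54321,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale",
    "<134>Jul 14 09:12:02 filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,1235,0,DF,6,tcp,60,198.51.100.23,203.0.113.10,54322,23,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale",
    "<134>Jul 14 09:12:03 filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,1236,0,DF,6,tcp,60,198.51.100.23,203.0.113.10,54323,3389,0,S,1234567892,,65535,,mss;sackOK;TS;nop;wscale",
    # one blocked UDP packet from another host: background noise, not a scan
    "<134>Jul 14 09:13:10 filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,55,0,0,none,17,udp,78,192.0.2.77,203.0.113.10,5353,5353,58",
    # LAN traffic pfSense passed on em1: ignored by the WAN/block filter
    "<134>Jul 14 09:13:11 filterlog: 7,16777217,,1000000104,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.5,203.0.113.50,50000,443,0,S,99,,65535,,mss",
    # IPv6 blocked inbound, exercising the second header layout
    "<134>Jul 14 09:14:00 filterlog: 5,16777216,,1000000103,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::beef,2001:db8:1::1,40000,22,0,S,1,,65535,,mss",
    # not a filterlog line at all: must be skipped, not mis-parsed
    "<30>Jul 14 09:14:05 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 via em1",
]


def parse_filterlog(line):
    """Return the fields we care about as a dict, or None if this is not a filterlog line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"timestamp": m.group("ts"), "rule": f[0], "tracker": f[3], "interface": f[4],
           "action": f[6], "direction": f[7], "ipver": f[8]}
    if rec["ipver"] == "4" and len(f) >= 20:     # tos,ecn,ttl,id,offset,flags,proto-id,proto-text,len,src,dst
        rec.update(proto=f[16], src=f[18], dst=f[19])
        rest = f[20:]
    elif rec["ipver"] == "6" and len(f) >= 17:   # class,flow-label,hop-limit,proto-text,proto-id,len,src,dst
        rec.update(proto=f[12], src=f[15], dst=f[16])
        rest = f[17:]
    else:
        return None
    rec["sport"] = rec["dport"] = rec["tcp_flags"] = None
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"] = int(rest[0]) if rest[0].isdigit() else None
        rec["dport"] = int(rest[1]) if rest[1].isdigit() else None
        if rec["proto"] == "tcp" and len(rest) >= 4:
            rec["tcp_flags"] = rest[3]           # "S" = bare SYN, the usual probe
    return rec


def blocked_inbound(records, wan="em0"):
    """Keep only packets pfSense blocked coming in on the WAN interface (assumed name em0)."""
    return [r for r in records
            if r["action"] == "block" and r["direction"] == "in" and r["interface"] == wan]


def scan_candidates(records, wan="em0", min_ports=3):
    """Sources whose blocked inbound packets touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in blocked_inbound(records, wan):
        if r["dport"] is not None:
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def summarize(lines, wan="em0", min_ports=3):
    """Parse raw syslog lines and run the detection; returns a dict suitable for a report."""
    records = [r for r in (parse_filterlog(l) for l in lines) if r]
    return {"parsed": len(records),
            "blocked_inbound": len(blocked_inbound(records, wan)),
            "scan_candidates": scan_candidates(records, wan, min_ports)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    print(f"parsed {result['parsed']} filterlog records, "
          f"{result['blocked_inbound']} blocked inbound on WAN")
    for src, ports in result["scan_candidates"].items():
        print(f"scan-like source {src}: blocked on ports {ports}")
```

Run it as-is to see the report on the sample lines; in practice feed it the file syslog-ng writes on the Pi, or carry the same field splitting over into a Splunk field extraction.  Note that it filters on interface and direction as well as action: the default deny on WAN produces most of the block entries, so a single blocked packet is usually just Internet background noise, while a source that trips the distinct-port threshold is worth a look.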

To the Cloud!

Now let's set up an EC2 instance on Amazon and use a t1.micro instance to build our Splunk environment in the cloud.  From here, you should be able to simply install Splunk on the Amazon AMI and start Splunking your data!  I plan on doing a post on how to set up your environment and also help you set up a mobile site using the new Splunk mobile server.
