pfSense by-passing FiOS and Comcast hardware
Taking my home network to the next level...
First of all, thanks for continuing to read my blog posts. I've finally had some time to put together a post on what I've done with my home network and how you can easily do the same.
Switching Internet Providers seamlessly...
Let me start by saying, yes, after a few years of having Verizon FiOS, I went to the 'dark side' and became a Comcast internet customer. The main reasons for my move were that 1) FiOS started charging double what I paid initially and 2) they were QoS'ing my traffic to Netflix / AWS. Instead of dealing with their limitations, I simply switched to Comcast.
For most people, changing providers is a massive pain, since you have to re-IP or otherwise change some or all of your devices (new WiFi password, new IPs, firewall configurations, etc.). I learned my lesson from this switch: I will never ever use the cable-company-provided gateway device (modem + router). Instead, I will just get a standalone modem that I can plug into my firewall / router. Now I control the firewall rules and all my network settings (DHCP, etc.) on hardware that I never have to rent or return. So, when Comcast jacks up my prices, I simply get a new modem for the next provider and seamlessly switch. No angry wife asking "What's the new WiFi password?!?"
That's when I figured out that my little network setup made it really easy to move from FiOS to Comcast without having to make any changes to my network. Now, I can move from provider to provider without having to re-architect my network.
Step 1 - ditch the cable company provided Gateway
After getting rid of the FiOS gateway, I was able to set up my pfSense firewall and a simple wireless AP. All of the firewall intelligence is fully configurable, and I even have an IDS/IPS (Snort) as a part of the pfSense appliance. This little box has a ton of very cool and interesting tools, like Captive Portal (using simple usernames and passwords to log into WiFi, making it easier to share with guests). You can even get NetFlow data using softflowd, and run OpenVPN! (I will share how to set these up, but for now, please use the online documentation and Google to set this up.)
Let's start with the hardware:
I bought this hardware new from Amazon in 2014 and it's been solid. You can get away with using older hardware, but for simplicity's sake, here's what I used:
4GB of RAM - PC3-10600 204-PIN SODIMM - Here's the one I used. - $30
Motherboard:
BLKD2500CCE Intel Desktop Board D2500CC - $120
Case:
(You'll need this power supply and plug) - $20
4GB CF Card - Here's the one I had lying around. - $30
Lastly, you'll need this CF-to-SATA adapter - $13
(Yes, you can use the 1GB card, but then you'll possibly limit your ability to install the packages you want.)
Total cost ~$250
Now let's build the pfSense firewall
I built mine using the CF card install from my Mac running OS X. Here's how you do it.
First, download the correct version for your hardware - 64bit 4GB Embedded CF Card.
Now, let's get the image onto the CF card. You can either follow the documentation on the pfSense website, or you can just run the following commands.
First, let's find the right disk, that is, your CF card:
host:~> diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage                         250.1 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS MacHD                  *249.8 GB   disk1
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS USB                    *4 GB       disk2
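The CF card is /dev/disk2 here. Unmount it, then write the image to it. dd overwrites whatever device you name in of=, so make sure it matches your card:
host:~> diskutil unmountDisk /dev/disk2
host:~> sudo dd if=/path/to/pfsense.img of=/dev/disk2 bs=1m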
Here's the source I used to make my disk.
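A check worth running before the dd step above, as an added example that is not from the original post: it parses `diskutil list` output and approves a target only if it is a small disk and not disk0. The function names, the embedded sample listing (constructed, modelled on the one above), the 8 GB limit and the assumption that disk0 is the boot disk are all illustrative.

```shell
#!/bin/sh
# Added example: guard for choosing the dd target from `diskutil list` output.
# SAMPLE is constructed, modelled on the listing in the post.
SAMPLE='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS MacHD                  *249.8 GB   disk1
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS USB                    *4.0 GB     disk2'

# whole_disk_gb LISTING DISK: print the size in GB of DISK's whole-disk row
# (the row whose size is prefixed with "*"); print nothing if DISK is absent.
whole_disk_gb() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $NF == d {
            for (i = 1; i < NF; i++) if ($i ~ /^\*[0-9.]+$/) {
                size = substr($i, 2); unit = $(i + 1)
                if (unit == "MB") size /= 1000
                if (unit == "TB") size *= 1000
                print size; exit
            }
        }'
}

# safe_target LISTING DISK MAX_GB: succeed only if DISK is listed, is not
# disk0 (assumed to be the boot disk), and is no larger than MAX_GB.
safe_target() {
    [ "$2" != "disk0" ] || return 1
    gb=$(whole_disk_gb "$1" "$2")
    [ -n "$gb" ] || return 1
    awk -v s="$gb" -v m="$3" 'BEGIN { exit !(s > 0 && s <= m) }'
}

# On a Mac you would use: listing=$(diskutil list). Here the sample is used.
if safe_target "$SAMPLE" disk2 8; then
    echo "disk2 looks like the CF card; OK to unmount and dd"
else
    echo "refusing: disk2 is not a small removable disk" >&2
fi
```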
Awesome, my pfSense firewall is on my CF card, now what?
Let's install the hardware and get the firewall online. Follow the prompts and the online documentation from pfSense to complete the install. For this example, we are just going to install the WAN and LAN links; if you want to build your own VLANs, you can read the fine manual to do that.
I want the syslogs!
Instead of logging the data directly to my pfSense firewall, I decided to use a Raspberry Pi. You do not need to do this step; you can feed your syslog directly into your Splunk indexer. I did this to set up a forwarder and also because I had an extra Raspberry Pi.
Raspberry Pi - syslog-ng
To the Cloud!
Now let's set up an EC2 instance on Amazon and use the t1.micro instances to set up our Splunk environment in the cloud. From here, you should be able to simply install Splunk on the Amazon AMIs and start Splunking your data! I plan on doing a post on how to set up your environment and also help you set up a mobile site using the new Splunk mobile server.