Filed under hardware, infrastructure, learning, security.

Ed. note: Even blogs get holidays off. Please enjoy this reprise post from October 31st, just before November’s Blog-a-thon kicked off. Happy Thanksgiving!


Ever since I’ve had a home internet connection, I’ve used consumer grade routers like Linksys or Netgear (running both their factory firmware and dd-wrt). A few years ago I upgraded to the Apple Time Capsule. This gave me a stable and reliable wifi router with wireless backups. My home network has grown to support multiple phones, tablets, laptops, desktops, and servers running VMs. With all these devices, I wanted the ability to VPN into my home network. Looking online and at consumer electronics stores, home VPN routers cost between $150-$500 and received awful reviews. Most were proprietary and clunky, and the low-end VPN routers lacked good software and hardware. I spoke with Clark Hartsock about this and he suggested running my own pfsense box. I liked the DIY aspect of this approach, and I am always curious to explore a new technology.


pfSense is an open source firewall project. In their words:

“pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router.”

pfSense is feature rich, and it surpassed all of the turn-key products in my price range.


I wanted to build a firewall that was reliable, low-powered, and not terribly noisy. I set out to spend about the same amount of money as a turn-key VPN router, but specifically didn’t want the undistinguished VPN router hardware. I have previously put dd-wrt on Linksys routers, but their hardware remains the limiting factor: consumer grade hardware at this price point does not put your money into server grade components.


There are many low-powered computers available today. At work I had used the Supermicro SYS-5015A-PHF for an experimental low-power Hadoop cluster. This server grade motherboard has a fan-less Atom processor (with 4 cores) and two ethernet ports. Cheaper or more optimized hardware exists, but I appreciated a server I already knew. pfsense only needs 10 Gigs of hard drive space, so I used an old 80 Gig drive I had lying around.


If I were to wildly and unscientifically estimate capacity, I bet my setup could serve a small or medium sized business. I host over 20 nodes on my network and run public facing web servers, yet I have not seen my CPU go higher than 10% or my RAM go over 25%.

Why running your own pfsense box is cool

I have learned SO much about networking. Unless you work at an ISP or are a System Engineer, it is unlikely you’ll get a real network to play with and learn on. The following items are not mind blowing features (they are available on many turn-key/dd-wrt solutions), but I had never played with them before. The pfsense GUI is great at administering all of them:

  • Bandwidth graphs – Everyone likes to see pictures of what is coming in and out of your firewall.
  • Running your own VPN – Incredibly simple; it takes a few GUI clicks to set up. I followed this chapter in the pfsense 2 Cookbook.
  • Reverse Proxy Server – This was Greek to me before I started. I wanted to host multiple websites from my home network, which sits behind a single dynamic IP from my ISP. I built a reverse proxy node and NATed all port 80 traffic to it via pfsense. The reverse proxy then directs web traffic to the right node based on the incoming domain name.
  • DNS Forwarding – Set static IPs on boxes and register them in pfsense’s DNS Forwarder so the whole network knows the hostname and address of each machine.
  • Set DHCP with MAC addresses – This is like a faux static IP. The box is set to DHCP but functionally gets a static IP. If you rebuild a box, the same static IP stays with it under the new OS. Music to my ears.
  • Learning DNS – My router defaulted to Comcast DNS, which was not updating fast enough. I added Google’s public DNS to pfsense’s DNS list and my domains that would previously not resolve were now found. This is basic DNS, but I believe you have to do it yourself to master it.
  • Simple Updates with GUI – You can upgrade the pfsense software in place and easily get the latest updates.
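The reverse proxy item above is the one that was "Greek" to me, so here is a worked example of the mechanism it describes: one internal node receives all the port 80 traffic that pfsense NATs to it, reads the Host header of each request, and hands the request to the node that serves that site. This is an added illustration written for this post, not the proxy I actually ran (that role is normally filled by nginx, HAProxy or Apache); the site names and 10.0.1.x backend addresses are made up for the example. The defender-relevant detail is that there is no default backend: a request whose Host names a site the proxy does not know is refused with 421 rather than being handed to whichever site happened to be configured first.

```python
import http.client
import http.server
import socketserver

# Constructed routing table: the public name that arrives in the HTTP Host header
# maps to the internal node (address, port) serving that site. These names and
# 10.0.1.x addresses are assumptions for the example, not real hosts.
BACKENDS = {
    "blog.example.test": ("10.0.1.10", 8080),
    "wiki.example.test": ("10.0.1.11", 8080),
}

# Hop-by-hop headers are for one connection only and must not be forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def select_backend(host_header, table=BACKENDS):
    """Map an incoming Host header to a backend, or None if no site matches.

    The value is normalised (case, trailing dot, optional :port) before lookup.
    Deliberately no fallback: an unknown name is refused, not routed somewhere.
    """
    if not host_header:
        return None
    name = host_header.strip().lower()
    if name.startswith("["):  # IPv6 literal such as [::1]:80 is never one of our names
        return None
    name = name.split(":", 1)[0].rstrip(".")
    return table.get(name)


class HostRoutingProxy(http.server.BaseHTTPRequestHandler):
    """Forward each request to the backend chosen by select_backend()."""

    def _forward(self):
        backend = select_backend(self.headers.get("Host"))
        if backend is None:
            # 421 Misdirected Request: the name in Host is not served here.
            self.send_error(421, "Misdirected Request")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        # Tell the backend who the real client was; the backend only ever sees the proxy.
        headers["X-Forwarded-For"] = self.client_address[0]
        conn = http.client.HTTPConnection(*backend, timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
        except OSError as exc:
            self.send_error(502, f"Bad Gateway: {exc}")
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))  # we buffered the body above
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_HEAD = _forward


def serve(bind="0.0.0.0", port=80):
    """Listen on the address pfsense forwards port 80 to and proxy until stopped."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((bind, port), HostRoutingProxy) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on the node pfsense NATs port 80 to, and point each site's public DNS name at your single dynamic IP; the Host header, not the destination address, decides which internal node answers.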
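The DNS Forwarding and DHCP-by-MAC items go together: the MAC-based static mapping gives a box a fixed address, and the forwarder answers that box's hostname with it. Here is an added example (written for this post, not pfsense's own code or config format) of the sanity checks worth running over such a mapping list before feeding it to the router, plus the forward records the DNS forwarder should end up answering. The LAN, pool, MACs and hostnames are constructed for the example. The one check that is not obvious until it bites you is that a static address must lie outside the dynamic DHCP pool, otherwise it can collide with a dynamic lease.

```python
import ipaddress
import re

# Constructed LAN for the example: pfsense hands out dynamic leases from POOL,
# and a few boxes get a fixed address tied to their MAC. All assumptions.
LAN = ipaddress.ip_network("192.168.1.0/24")
POOL = (ipaddress.ip_address("192.168.1.100"), ipaddress.ip_address("192.168.1.199"))
DOMAIN = "home.lan"  # assumed local domain suffix handed to the DNS forwarder

STATIC_MAPPINGS = [
    {"mac": "00:11:22:33:44:55", "ip": "192.168.1.10", "hostname": "proxy"},
    {"mac": "00:11:22:33:44:66", "ip": "192.168.1.11", "hostname": "web1"},
    {"mac": "00:11:22:33:44:77", "ip": "192.168.1.12", "hostname": "nas"},
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def validate_mappings(mappings, lan=LAN, pool=POOL):
    """Return a list of problems; an empty list means the mappings are sane.

    Checks: MAC format, hostname is a valid DNS label, IP parses, IP is inside
    the LAN, IP is outside the dynamic pool, and MAC/IP/hostname are unique.
    """
    problems = []
    seen_mac, seen_ip, seen_name = set(), set(), set()
    for m in mappings:
        mac, name = m["mac"].lower(), m["hostname"].lower()
        if not MAC_RE.match(mac):
            problems.append(f"{name}: bad MAC {m['mac']}")
        if not HOSTNAME_RE.match(name):
            problems.append(f"bad hostname {m['hostname']}")
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            problems.append(f"{name}: bad IP {m['ip']}")
            continue
        if ip not in lan:
            problems.append(f"{name}: {ip} is not in {lan}")
        elif pool[0] <= ip <= pool[1]:
            problems.append(f"{name}: {ip} lies inside the dynamic pool {pool[0]}-{pool[1]}")
        for key, value, seen in (("MAC", mac, seen_mac), ("IP", ip, seen_ip), ("hostname", name, seen_name)):
            if value in seen:
                problems.append(f"duplicate {key} {value}")
            seen.add(value)
    return problems


def hosts_records(mappings, domain=DOMAIN):
    """Render the forward records the DNS forwarder should answer with,
    one per mapping, in /etc/hosts style: '192.168.1.10 proxy.home.lan proxy'."""
    return [f"{m['ip']} {m['hostname'].lower()}.{domain} {m['hostname'].lower()}"
            for m in mappings]


if __name__ == "__main__":
    for problem in validate_mappings(STATIC_MAPPINGS):
        print("PROBLEM:", problem)
    for record in hosts_records(STATIC_MAPPINGS):
        print(record)
```

If the list validates, every box on the LAN can reach `nas.home.lan` by name, and rebuilding `nas` with a new OS changes nothing as long as the NIC (and so the MAC) stays the same.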

Extra Learning

I re-purposed my Apple Time Capsule by putting it in bridge mode. DHCP and router duties fell to pfsense, but wifi connectivity still ran through the Time Capsule, as did Time Machine wireless backups. Liberating the Time Capsule from router duties let me move it away from the coax cable and modem that deliver my ISP connection. I wound up rewiring my living room and relocating the Time Capsule to the center of the house. FaceTime now works throughout the house because of the Time Capsule’s central location.

Future Upgrades

This server board only has 2 network adapters, which allows for a WAN and a LAN, so you get only one internal network. The server can take 1 PCI-E card, so I would add a 4 port NIC that pfsense supports (the compatibility chart is on pfsense’s website) to get 5 internal networks. The PS3 would go on its own network so Sony traffic stays off my main network, and a guest network would be decoupled from my servers’ network. One day I’ll get really crazy and build a home storage tier with its own storage network. (Who doesn’t love backing up?)

Takeaways

While this post is about pfsense, my main message is about the value of learning networking on your home setup. pfsense isn’t what made me run a reverse proxy server to host multiple websites from my house, but it sure made it easier. DNS Forwarding is likely available on many routers, yet I had never used it until it showed up on a fun pfsense GUI menu. You never know what you might discover.

What didn’t work

I originally used an SSD in my pfsense box. I liked the idea that it was quieter than a spinning drive. After about a year the SSD could no longer write to itself. I replaced it with the 80 Gig SATA drive and have not had a problem since.


2 Responses to “Learn Networking with a DIY home firewall”

  1. Michael Sokolov

    Sounds cool — I’d like to try this. I have been frustrated with the router/firewall that comes with Verizon’s FIOS service, but it seems that you are required to use it in order for the set-top boxes to be able to get network access. I had tried putting my own firewall behind theirs, but ran into too many complications. This is inspiring me to take another look!