Network Security with PfSense

I haven’t written anything for a while because I retired and sold and bought a house and moved at all the same time.

During setup of the new home though I had to redo my internet setup and start fresh with a newly mapped network.  If I’ve said this once, I’ve said it a million times………If you hook a store bought router to your Cable Company modem you are begging to be hacked.  Your security is non-existent. 

This is not just my opinion.  It’s a stone cold fact.  To have any element of actual security you need a hardware firewall or a router with custom firmware such as DD-WRT or OpenWRT.  OR BOTH.

This is where PfSense comes in.  It is a hardware firewall which routes all your internet traffic through its very capable interface.  And it is far from being just a firewall as well.  It is a full fledged network Operating System.

The easiest way to get some decent network security is to buy a pre-configured appliance.

Netgate 1100

This is the Netgate 1100 and it comes in at a cost of about $179.

Yeah, that’s a little bit of cabbage but do you really want to protect your network or not?

You can build your own appliance and there is no shortage of mini computers built just for hardware firewalls.

PfSense is a free download and there are several other firewall OS’s out there that are free and also Open Sourced.


OPNSense is one and it is in fact of fork of PfSense.  Another good OS is IPFire.   There are many more as well but these are the 3 that I have dabbled with.  I always keep coming back to PfSense though.

In my opinion the minimum firewall parameters to install and configure are Snort for network intrusion detection and PFBlockerNG which is magnificent for Ad Blocking.  Both are just a little geeky but there is no shortage of tutorials online.  PFBlockerNG has tons of ad blocking lists and I just google “best PFBlockerNG feeds” and then enable those that the community experts live and die by.  Below is a tiny pic (meant not to be entirely legible) but you can see some items have check marks on the right and some do not.  The list is WAY LONGER than depicted in the screen grab below.

PfBlockerNG feeds

Snort can be free but they have much greater updated lists that you can pay for annually.  I opt to pay for the Snort “Oink Code” which lets PfSense be much more up to date and proactive.

Also you can run an OpenVPN server on your firewall.  There is a Wizard for configuring OpenVPN and if you’ve ever done it on Linux or router firmware such as DD-WRT or something you’ll really appreciate the Wizard. Trust me on this one.

Anyway, let’s summarize.  If you hook your cable modem to a store bought router (any of them, Linksys, Netgear, Belkin, etc.) you are a had lad.  No security exists.  None.  If you don’t believe me then google “security issues Netgear” or whatever.  You’ll be shocked.  You need a firewall, and no, Windows Firewall ain’t gonna cut it and it only protects your one computer.  NOT YOUR WHOLE NETWORK.  You want active detection and blocking on data incoming and outgoing right at the source it enters your network.

I don’t think I said anything today that I haven’t said on this blog before but it bears repeating.  You thinking you have ANY network security is a fallacy unless you take some measures such as a hardware firewall.

You are welcome.

Leave a Reply

Your email address will not be published. Required fields are marked *