In our previous article, we discussed how you can run your company entirely on open-source software. Now that you’ve decided to save money by using open-source software, great. We need to begin with a firewall. After all, everybody needs the internet above all else. For this piece, we will be using pfSense (free firewall software). You can buy a commercial solution directly from Netgate, or you can use an older computer that is just sitting around.
If you choose to repurpose an older computer, you will need the following:
- A thumb drive (at least 8 GB), for installing the pfSense software on a computer.
- A full-size desktop computer that can use additional, standard-sized cards inside.
- An additional network card. You can find cheap network cards on eBay or Amazon or any big box retailer in your area. I would suggest the “gigabit” speed, which allows you to use internet speeds of up to 1 gigabit or 1,000 megabits.
I would also suggest a new hard drive since the older computer will most likely have a drive that is not brand new. This is not required, but it’s a smart choice since this is the most common piece of hardware to fail in any computer. I will recommend this step again in a later article for workstations. Look for something small, like 60GB to 240GB, from one of the online retailers or big box stores. A solid-state drive (SSD) would be a nice addition. This will allow your firewall to reboot faster and perform updates and backups more quickly.
This is commodity hardware and cheap insurance against a failure that will impact your business later. You might plan right now and ask yourself how many older workstations you might end up using. Grab a new drive for each of them as well while you are placing the order.
You will also need a monitor and keyboard temporarily to get the firewall software installed. This can be removed after the firewall is operational.
What type of computer do I need?
For this article, I am assuming you are a basic startup without a lot of highly complex needs (stateful packet inspection, for instance).
If you simply want to provide basic internet access, literally any type of computer that turns on and can accept full-sized cards inside will work fine.
Here are the different types of computers that are common:
Of these computers, the two on the left will be fine while the two on the right are not large enough to use standard-size PC cards inside.
Download the free firewall software
Computer technology changes fast and open-source software evolves the most quickly due to the sheer number of people working on it. You have a choice:
- Download the latest version of the free firewall software mentioned. This is the safest but it means the images and videos mentioned might not match up with what has been written here.
- Download the software from our repository. This will ensure that you are using the same version of the software that was used for these articles. The downside is that you MUST update your software after you install and configure it!
Getting pfSense onto a thumb drive
You will end up with a file that ends in “.gz”. If you have an unzipping program, you can right-click on the file and unzip it, and you will end up with an ISO file. Now you can insert a thumb drive into your computer and write the ISO to it. This can be done with Rufus, another free download. You will use this software again when setting up Ubuntu on your workstations, so it’s worth installing on a computer for now.
Installing the second network card
After writing the ISO file to the thumb drive, it’s time to install the second network card into your firewall. This will allow the computer to connect both to your internet connection and to the internal network that we will build. The video shows how to install a Wi-Fi card, but installing the network card we are talking about is exactly the same process.
Now we install the free firewall software (finally!)
I have created a short video to show the process of installing the pfSense software, but it consists of three stages: the basic install of the operating system, determining which network card is connected to the internet and which to the internal network, and setting up the network addresses for each network card.
For the first phase, insert the thumb drive and boot from it. If you have replaced the drive in the firewall with a brand new one, it will boot to your thumb drive automatically. If there is already data on the drive, you will need to follow THIS VIDEO to get your computer to use the thumb drive instead. Throughout this phase, you accept all the defaults. During the installation, it will ask where to install the software; this is where you point to the new or existing disk that is inside the computer (it will be overwritten permanently). If you are confused, watch the video I created that walks through the process.
At the end of the setup process, it will ask if you want to open a shell before rebooting. There is no need for this, so just click reboot. Be careful that you don’t end up booting from the thumb drive again and reinstalling the software. It would be a good idea to remove the thumb drive while the machine is just starting up.
The startup process takes just a minute or two and you will end up with a screen that looks like this:
The next step is assigning the addresses to each network card. Since we only have two cards, we can mentally choose which will be internet/external and which will be internal. If they don’t work at the end, the cables are just plugged into the wrong network card. Swap them and try again.
For the external/internet card we need that information from your ISP. If they said your internet connection was DHCP, then the card on the menu will need to be set as DHCP. We do this via option 2 as seen in the video. Keep in mind we are changing the card that says “WAN” for the internet connection.
For the internal network connection (labeled “LAN”) we need to choose what our IP addresses will look like. There are many options but for this article (and all the others that build upon this) I will assume we chose “10.0.0.X” which means all the machines on your network will have the “10.0.0” and end with a unique number instead of “X”.
The firewall will have the address of “10.0.0.1” and a 24-bit subnet mask (written as /24). We can discuss what this means later, but for now, just assume this is what we need.
Setting up the DHCP server
The server will ask if you want to set up DHCP and you want to say yes. This will mean your firewall is going to hand out the information to your internal workstations automatically. It will ask for a range of addresses that it can hand out. Give it a range of 50 for now. For the beginning of the range, tell it “10.0.0.200” and for the end of the range, tell it “10.0.0.250”. Answer yes when you are done.
The hard part is over!
You should now be able to plug the firewall (internet port) into your internet modem and a computer into the internal (second port) connection and after a few seconds you should be able to access the internet. If it doesn’t work, switch the connections on the firewall. We had a 50/50 chance of getting it right.
At this point, you have a working internet connection, but you might be asking, “how secure is my internet?”
Out of the box, the firewall is set to ignore all connections coming from the internet and allow everything from the internal network to access anything on the internet. A secure setup. Later, we will cover advanced topics like setting up a second firewall at a remote location.
One of the reasons we chose PfSense for our firewall is the free price tag but there are many more important reasons for choosing this path. Let’s cover a few of them before moving forward:
- PfSense is supported by thousands of managed service providers across the globe. You can google “PfSense support” and choose from many pages of results. Your business is important, and you can’t operate without the internet.
- PfSense is enterprise software meaning it will grow as your business grows. If you need a second site and need to link them, it will accommodate that easily.
- If you need to monitor how your internet connection is being used, you can set up Telegraf and Grafana for a dashboard that looks like it came out of a science fiction movie.
- If you need to enable controls to limit access to certain websites or the speed that is available, it’s very easy to accomplish.
- If you grow and need to install a VOIP phone system, you can add a third card to your firewall and create a separate network just for phones. You would then go back to the first (internal) network on your firewall and limit the total amount of speed to leave some headroom so the phones always have the bandwidth they need.
The flexibility to grow combined with the ease of installation makes pfSense a natural choice for firewall software.
Now that we have a single computer that can get to the internet it is a good time to purchase two additional pieces of equipment: A battery backup (commonly referred to as a “UPS”) and a switch.
With a UPS, we know that our internet won’t have an outage from common power problems. You see, the firewall is a complex piece of software, and it takes a minute or two to reboot. If your power goes out for just one second, it will take a minute or two to come back online. Trust me, this is frustrating, to say the least.
To figure out what size UPS you might want, try this website. You might also want to plug your internet modem into this UPS for additional peace of mind.
Time to 'SWITCH' things up a bit
With a functional internet connection, you will most likely want to connect more machines to the firewall, and this is done with a switch. It looks like a small box with many network connections on it. I would suggest getting a switch that runs at gigabit speed or higher. Gigabit is the standard speed so don’t worry about a higher cost for this speed.
You need to stop and consider two things: how big your company might grow and do you think you might use a VOIP phone system in the future. Every device on your network will plug into this switch so I would suggest not purchasing anything less than 24 ports. 24 and 48 port switches are common. If you grow past that number, you can plug a second switch into the first and have a higher capacity.
As you consider how many ports your switch should have, consider all the devices that you might need:
A wireless access point needs a plug. You might need several of them if your office is large.
Each network printer will need a plug. Many printers are shipping with built-in Wi-Fi. I strongly urge you to resist using Wi-Fi. While convenient, the speeds are not as fast as a direct cable connection and Wi-Fi isn’t as stable as a direct connection via a cable.
If you think you might use a VOIP phone system, you should consider purchasing a switch that has “PoE” (Power over Ethernet). PoE allows power to be sent over the same cable as the data, and most VOIP phones are powered this way.
VOIP phones also take one plug, however, the phones usually have an additional port on them that allows a computer to plug into the back of them. This allows one office phone and computer to share a single network connection.
To connect your switch, simply plug the wire from your firewall into any of the ports (support professionals always choose either the first port or the last but you can choose any port you like) and use the rest of the ports as a place to plug in your other workstations, servers, and miscellaneous devices.
Before you consider yourself done, you might want to consider plugging this device into your battery backup. Almost all your critical devices should be plugged into a UPS. This will minimize the disruptions from a glitch in the power and your devices will live a longer life by having more stable power. Unexpected shutdowns can corrupt data, so we want to take steps to avoid that.
Now that we have a stable internet connection, we need to log in to the firewall and change the default password and take an initial backup. Let’s move forward!
Plug a computer into your new switch (or directly into the firewall if you haven’t gotten a switch yet) and verify your internet is working. Once it is working, open a browser and in the address bar (do not “search” for this address, type it in directly) type http://10.0.0.1 which is the internal address that we chose during the installation.
You will see a warning about an insecure site, don’t worry, we know this is our firewall and we can click “bypass and continue”. You will see a login screen. The default username is “admin” and the password is “pfsense”. Once you log in, you will see a warning at the top of the screen showing you that you are still using the default password. I strongly urge you to change that password right now.
After changing the password, navigate to the “Diagnostics” menu option and choose “Backup & Restore”. Leave all the options as they are; this will just back up the entire configuration of the firewall. Click the blue “Download configuration as XML” button and save this backup in a secure place.
While it might not seem critical to do a backup on a brand-new machine, it might come in handy if you make a change early on and don’t want to rebuild the firewall from scratch. Because it is so easy to do a backup, I would suggest performing a backup before making any changes to the firewall.
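As an added example (not from this article or from the pfSense project), here is a small Python check you can run against the XML backup you just downloaded to confirm it records the addressing plan from the installation steps above: WAN on DHCP, LAN at 10.0.0.1/24, and the 10.0.0.200 to 10.0.0.250 pool sitting inside that subnet and clear of the firewall’s own address. The sample backup below is constructed and heavily abbreviated; the element names assume pfSense’s config.xml layout.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, abbreviated stand-in for a pfSense "Backup & Restore" download,
# filled in with the addresses chosen in the article. Element names follow
# pfSense's config.xml layout as assumed here; a real backup holds far more.
SAMPLE_BACKUP = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>10.0.0.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <dhcpd><lan><enable></enable>
    <range><from>10.0.0.200</from><to>10.0.0.250</to></range>
  </lan></dhcpd>
</pfsense>
"""

def read_plan(xml_text):
    """Pull the WAN mode, LAN gateway/prefix and DHCP pool out of the backup."""
    root = ET.fromstring(xml_text)
    lan = ipaddress.ip_interface(
        f"{root.findtext('interfaces/lan/ipaddr')}/{root.findtext('interfaces/lan/subnet')}")
    return {
        "wan": root.findtext("interfaces/wan/ipaddr"),
        "gateway": lan.ip,            # 10.0.0.1
        "network": lan.network,       # 10.0.0.0/24, i.e. mask 255.255.255.0
        "pool_start": ipaddress.ip_address(root.findtext("dhcpd/lan/range/from")),
        "pool_end": ipaddress.ip_address(root.findtext("dhcpd/lan/range/to")),
    }

def audit_plan(plan):
    """Return findings; an empty list means the backup matches the article's plan."""
    findings = []
    if plan["wan"] != "dhcp":
        findings.append(f"WAN is '{plan['wan']}', expected dhcp from the ISP")
    if plan["gateway"] != ipaddress.ip_address("10.0.0.1") or plan["network"].prefixlen != 24:
        findings.append(f"LAN is {plan['gateway']}/{plan['network'].prefixlen}, expected 10.0.0.1/24")
    s, e, net = plan["pool_start"], plan["pool_end"], plan["network"]
    if s not in net or e not in net or e < s:
        findings.append(f"DHCP pool {s}-{e} is not inside {net}")
    elif s <= plan["gateway"] <= e:
        findings.append("DHCP pool overlaps the firewall's own address")
    return findings

def pool_summary(plan):
    """(leases in the pool, addresses left over for static servers and printers)."""
    leases = int(plan["pool_end"]) - int(plan["pool_start"]) + 1
    usable = plan["network"].num_addresses - 2          # drop network and broadcast
    return leases, usable - leases - 1                  # minus the firewall itself
```

Replace SAMPLE_BACKUP with the contents of your downloaded file to audit a real backup; the summary shows the /24 leaves plenty of room outside the pool for devices that need fixed addresses later.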
The final step? Updating your firewall. While ignored most of the time, this machine is probably the most critical to keep up to date and secure. It is also the easiest. On the top menus, click “System, Update”. If you see “Status: up to date” in green, then there is nothing to do. Keep those updates done on a periodic basis.
Congratulations! You have installed a solid, enterprise-ready firewall and performed your first backup!
I hope this article has been informative for you. Interon has now set up many “open source offices” and the economic benefits for our clients have been immense. If you would like to learn more or hire us to implement any or all of the technologies discussed feel free to call us or use our CONTACT US page to request more information!