Building a Smarter Network Part 2: pfSense On a Small Office Network


The goal of this project was to implement network segmentation in my office in order to increase network security. By adding a wireless access point and a router/firewall to my topology, I have been able to achieve this through the separation of VLANs and subnets. With a firewall in place, I can also reduce the malicious traffic entering or leaving the network. At its core, my setup ensures that each host connects through the AP, gets assigned to an SSID and VLAN, passes through the router for segmentation, and then reaches the internet securely.
WAP and Router on bench before deployment
Setup Process:
Choosing the Right Hardware:
Choosing the right hardware was essential to making this a practical endeavor. Some of the criteria emphasized were: cost, power consumption, footprint, performance, and functionality.
Router / Firewall:
I went with the GMKtec MiniPC N100 as it met all of the criteria. It was an affordable contender at around $115 shipped. The GMKtec sports an Intel Alder Lake quad-core processor and 8GB of RAM, and uses very little power. This is more than enough horsepower to run pfSense.
Wireless Access Point:
My design required multiple wireless SSIDs. I found a good deal on an enterprise Cisco wireless access point (Air-Cap 3700 series) for ~$50. With a feature set more than adequate for my use case and a steep learning curve to boot, it was perfect for a homelab-style project. It is certainly not on the bleeding edge of wireless technology and protocols, but after doing my homework I was quite pleased with the number of features and the level of customization available.
Software Considerations
The three heavy hitters in the FOSS router scene are pfSense, OPNsense, and OpenWrt. I opted for pfSense because of the sheer amount of documentation available and the activity on the project. pfSense is built on top of FreeBSD, and for simplicity's sake I installed it on bare metal, leaving VM experimentation for another day.
Configuring the WAP via console connection
Setup and Configuration:
Configuring the Access Point
Unsurprisingly, this would not be a plug-and-play experience. Out of the box, the default firmware is configured for "Lightweight" operation, meaning the AP expects to be one of a mesh of access points centrally managed by a Wireless LAN Controller (WLC). This is impractical (if not impossible) for a single-AP deployment in a small office. I proceeded to flash the device with the "Autonomous" firmware, which lets the device run fully featured without the need for a WLC. I found some very useful information to get me started here:
https://mrncciew.com/2012/10/20/lightweight-to-autonomous-conversion/
Once complete, I was greeted by a familiar Cisco IOS CLI. I was surprised by the number of features available and settings that could be adjusted. Even though this is not a fully fledged multilayer switch or router, the WAP flavor of IOS contains a wide range of features. I proceeded to create the SSIDs, assign each to its own VLAN, and direct its traffic to the appropriate sub-interface on the router (more on this later). One challenge was that the SSIDs were not broadcast initially; as a workaround I enabled "guest-mode" on them. Not wanting to overshoot my desired wireless range, I tuned the radio power to cover only the intended area. As with any wireless setup, WPA2 or, preferably, WPA3 should be used.
pfSense dashboard interface
Setting up pfSense
pfSense was installed from a bootable USB drive. Next up was assigning the WAN and LAN interfaces, configuring IP addresses and gateways, and finally entering DNS and DHCP information.
Shout out to Lawrence Systems for providing a wealth of information for anyone who wants to take on a similar project.
Below is a playlist of relevant content:
https://www.youtube.com/playlist?list=PLjGQNuuUzvmsuXCoj6g6vm1N-ZeLJso6o
Now, in order to effectively segment the traffic in a small office environment, pfSense allows you to create VLANs to ensure separation at Layer 2. Traffic is tagged so that it is handled consistently across devices. VLANs are quite useful when a network has a multitude of devices connecting from different departments or with different permissions. For example, it's not uncommon in an office environment to see employees, departments, guests, and IoT devices each on their own VLAN.
Following best practices, each VLAN was also given its own subnet (Layer 3 separation). For simplicity's sake, I went with only two VLANs (you can always add more later). A "work" and a "guest" VLAN/subnet were sufficient. On, say, a college campus, you could potentially separate the network by who needs access to what, for instance students, faculty, and guests.
Lastly, setting up DHCP on each sub-interface lets every device get an IP address from the pool corresponding to its subnet, so that each host can reach the internet. Firewall rules were also put in place to separate "vlan10work" from "vlan20guest". More rules can be added to further customize allowed access and restrictions.
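To make the guest/work separation concrete, here is an added example (not the post's own configuration) that models how pfSense evaluates the rules on an interface tab: top to bottom, first match wins, and anything unmatched is dropped by the implicit default deny. The subnets, gateway address and rule set are assumed for illustration; the misordered variant shows why a "pass any" rule placed above the block rule silently defeats the segmentation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the two VLANs in the post (assumed, not from the page).
WORK = ipaddress.ip_network("192.168.10.0/24")    # vlan10work
GUEST = ipaddress.ip_network("192.168.20.0/24")   # vlan20guest
GUEST_GW = ipaddress.ip_network("192.168.20.1/32")  # pfSense address on vlan20guest
LOCAL = ipaddress.ip_network("192.168.0.0/16")    # covers every office subnet
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None matches any destination port


# Rules on the vlan20guest interface: pfSense filters traffic *entering* an
# interface, so these govern what guest hosts may initiate.
GUEST_RULES = [
    Rule("pass", GUEST, GUEST_GW, 53),   # DNS to the pfSense resolver only
    Rule("block", GUEST, LOCAL),         # no access to any office subnet (incl. vlan10work)
    Rule("pass", GUEST, ANY),            # everything else, i.e. the internet
]

# Same rules, but the catch-all pass placed first: a common misconfiguration.
MISORDERED_RULES = [GUEST_RULES[2], GUEST_RULES[0], GUEST_RULES[1]]


def evaluate(rules, src, dst, dport=None):
    """Return the action of the first matching rule; unmatched traffic is blocked."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip in rule.src and dst_ip in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "block"  # pfSense's implicit default deny


def guest_can_reach_work(rules):
    """True if a guest host can open a connection to a host on vlan10work."""
    return evaluate(rules, "192.168.20.50", "192.168.10.10", 445) == "pass"


if __name__ == "__main__":
    for name, rules in (("ordered", GUEST_RULES), ("misordered", MISORDERED_RULES)):
        print(name, "guest -> work:", "allowed" if guest_can_reach_work(rules) else "blocked")
```

Note that the block rule also stops guest hosts from reaching the pfSense web UI on the gateway address, since 192.168.20.1 falls inside the blocked 192.168.0.0/16 range while only port 53 is passed explicitly.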
A view of analytics available inside the pfSense interface
Lessons Learned and Next Steps:
During the initial setup I ran into an unexpected issue and was able to get a quick response from the Netgate community forums. As expected when using gear and software designed for enthusiasts and corporate settings, some of the configuration process was counter-intuitive. If you've never laid eyes on pfSense or IOS, then I definitely recommend going with an all-in-one solution. I, however, was up for the challenge and look forward to further fine-tuning firewall rules and diving into the wide array of extensions available for the pfSense platform. Some worth mentioning are:
Suricata: Provides IDS/IPS capabilities, monitoring security in real time
Snort: IDS/IPS tool with deep packet inspection and traffic analysis
pfBlockerNG: Enhances firewall capabilities with DNS filtering, geo-blocking, and ad/malware prevention
WireGuard: A modern and lightweight VPN
Darkstat: Provides historical and real-time insights into hosts and traffic
Zeek: A network analysis framework providing in-depth traffic visibility and detecting anomalies and threats
The Darkstat extension for pfSense
A glance at the Zeek extension
“Geoblocking” feature in pfBlockerNG
Key Takeaways:
Some of the best homelab projects are the ones you can deploy when they are complete. Here we have demonstrated a project that employs networking, security, hardware and software. Although there is more work to be done on this project, I recommend similar setups for anyone with a small office or home environment. All-in-one solutions would probably be a safer bet for those with time constraints, but for an inexpensive intermediate-level project this might be for you.
In further installments on the “Building a Smarter Network” series I hope to explore integrating network automation, log fetching, and AI analysis. Keep a lookout for further installments as we continue refining and expanding the capabilities of a smarter, more secure network.
Written by Evan O'Brien