Typical pfSense deployment scenarios
Once you have decided to add a pfSense system to your network, you need to consider how it is going to be deployed on your network. pfSense is suitable for a variety of networks, from small to large ones, and can be employed in a variety of deployment scenarios. In this section, we will cover the following possible uses for pfSense:
- Perimeter firewall
- Router
- Switch
- Wireless router/wireless access point
As this book is aimed at beginner pfSense users, we will mainly focus on the first two items, as these are the most common uses of a pfSense device. We will, however, briefly discuss the latter two items.
The most common way to add pfSense to your network is to use it as a perimeter firewall. In this scenario, your internet connection is connected to one port on the pfSense system, and your local network is connected to another port on the system. The port connected to the internet is known as the WAN interface, and the port connected to the local network is known as the LAN interface.
If pfSense is your perimeter firewall, you may choose to set it up as a dedicated firewall, or you might want to have it perform the double duty of a firewall and a router. You may also choose to have more than two interfaces in your pfSense system (known as optional interfaces). In order to act as a perimeter firewall, however, a pfSense system requires at least two interfaces: a WAN interface (to connect to outside networks), and a LAN interface (to connect to the local network).
The perimeter firewall performs two broad functions. The first, monitoring and controlling inbound traffic, should be fairly obvious. Allowing certain traffic on certain ports, while blocking all other traffic, is a core function of all firewalls. The second, monitoring and controlling outbound traffic, might seem less obvious, but is also important. Outbound web traffic tends to pass through the firewall unchallenged. This, however, leaves our network vulnerable to malware that targets web browsers. To protect our networks against such threats, we need to monitor outbound traffic as well.
It is commonplace to set up the networks behind the firewall with a split architecture, with assets that are accessible from the internet being kept separate from the rest of the network. In such cases, the internet-accessible resources are placed on a separate network, which is generally referred to as the demilitarized zone (DMZ). If your network requires such a setup, you can easily do this with pfSense as your perimeter firewall, as we will see later.
In more complex network setups, your pfSense system may have to exchange routing information with other routers on the network. There are two types of protocols for exchanging such information: distance vector protocols obtain their routing information by exchanging information with neighboring routers; routers use link-state protocols to build a map of the network in order to calculate the shortest path to another router, with each router calculating distances independently. pfSense is capable of running both types of protocols. Packages are available for distance vector protocols such as Routing Information Protocol (RIP) and RIPv2, and link-state protocols such as Border Gateway Protocol (BGP). These protocols will be discussed in greater detail in Chapter 10, Routing and Bridging.
Another common deployment scenario is to set up pfSense as a router. In a home or SOHO environment, firewall and router functions are often performed by the same device. In mid-sized to large networks, however, the router is a device that's separate from that of the perimeter firewall.
In larger networks which have several network segments, pfSense can be used to connect these segments. Traditionally, using a router to connect multiple networks requires multiple network interfaces on the router. However, with VLANs, we can use a single network interface card to operate in multiple broadcast domains via 802.1q tagging. VLANs are often used with the ever-popular router on a stick configuration, in which the router has a single physical connection to a switch (this connection is known as a trunk), with the single Ethernet interface divided into multiple VLANs, and the router forwarding packets between the VLANs. One of the advantages of this setup is that it only requires a single port, and, as a result, it allows us to use pfSense with systems where adding another NIC would be cumbersome or even impossible: for example, a laptop or certain thin clients. We will cover VLANs in greater depth in Chapter 3, Configuring pfSense.
In most cases, where pfSense is deployed as a router on mid-sized and large networks, it will be used to connect different LAN segments; however, it could also be used as a WAN router. In this case, pfSense's function would be to provide a private WAN connection to the end user.
It is possible to have pfSense function as a switch. This can be done by bridging together interfaces and thus bypassing the packet filtering capabilities of pfSense. This is generally not recommended, however, for several reasons. A dedicated switch can be purchased for a fraction of the cost of a pfSense device (for example, a 5-port gigabit Ethernet switch can be purchased for less than 15 U.S. dollars). These switches will likely outperform pfSense, since pfSense is limited by the bus speed of the expansion bus on which the network cards reside. Finally, there is an administrative overhead involved in using pfSense as a switch, while commercially available unmanaged switches are designed to be plug-and-play. Managed switches can be more difficult to configure, but the pay off of using such switches is that they support more advanced features such as VLANs. For these reasons, it is generally not recommended that you use pfSense as a switch.
Another possibility is using pfSense as a wireless access point (WAP)/router. This can be done by adding a wireless network card to one of the expansion slots on your pfSense system. If you decide to go this route, you will want to check the FreeBSD Hardware Compatibility List (HCL) to make sure that the wireless card you use is compatible with pfSense.
One way to add wireless capabilities to your network without having to worry about hardware compatibility issues, however, is to use a commercially available wireless access point or wireless router and connect it to your pfSense device. If you use a router, you will likely want to operate it in wireless access point mode, if it has one. You can then configure pfSense to run a DHCP server on the interface to which the WAP or router is connected. Nodes connecting to the WAP or wireless router will then be able to obtain an IP address from pfSense's DHCP server.