pfSense router upgrade madness!

Upgraded the home firewall to pfSense 2.2 last night. Long night. Even longer early morning. But I think things are better now, after a bit of hardware reduction.

While preparing for the firewall’s upgrade I came across a good number of horror stories that led me to consider just rebuilding the software from scratch with the new version (which makes the jump from FreeBSD 8.3 to 10.1 as the base system), restoring the configuration from backup. However, since I’d bricked the old Rosewill shortly after switching over to the new firewall, I found myself with nothing to fall back on if the rebuild on the firewall’s SSD went bad. As a precaution I decided to first install the pfSense NanoBSD image to an SDHC card so I’d have a fallback (NanoBSD is a pretty interesting spin of FreeBSD on its own terms).

After loading the 4GB image on the available 8GB card, I shut down the firewall and removed the SSD. Then I plugged the SD card into its slot on the motherboard and powered on the device, watching the boot process in a serial console.

New Home Network

The new WAP, cable modem, firewall, switch and SIP adapter.

The process of configuring the firewall went fairly quickly, but once I got into the web configuration console it occurred to me that I really could just stick with the SD card and not bother re-doing everything on the SSD. One of the main justifications for using the SSD was that the extra storage it provided made it possible to install various packages like BIND and Snort. But the intensity of Snort’s write operations would have been really hard on that SSD, and the default DNS forwarder (the dnsmasq service) could provide most of what I needed from BIND. Given the problems people who heavily relied on those extra packages were having with the upgrade, it seemed the logical thing to do was to reduce my own dependence on them. One of the major incentives for building a pfSense firewall had, after all, been my desire to have a device that could be regularly updated with necessary security patches.

So after several hours of tweaking and testing (including scouring the config backup for a working set of firewall rules), I finally had everything functioning pretty much as it had before. The resulting hardware setup was much leaner than my original concept: just the 1GHz, 4GB RAM APU1C4 motherboard, case, power supply and a $9 SDHC card — which happens to be the same hardware that the publishers of pfSense stock as the entry level device in the pfSense Store. The pair of wifi cards and 3 pairs of wifi antennae that I’d retired earlier in favor of a couple of more reliable (and better performing) TP-Link wireless APs were now joined in the parts box by the 32GB mSATA SSD.

Note: If I had it all to do over again I probably would opt for the less expensive 2GB APU1C board, which along with the enclosure, power supply and the SDHC card would have cost around $200, less than half the price of the VK-T40E offered in the pfSense Store. I did look carefully at the competition, principally products from Mikrotik, and while some of their lower cost gear was tempting I was put off by the fact that their RouterOS source isn’t open to public inspection.

This entry was posted in Security, System Administration, Systems Analysis.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).