So how do we get around this?  You learn about Aliases!!!

That one word right there makes me ignore all pfSense’s faults and want it to have my children.  I’m sure other firewalls do this, but I cannot recall IPCOP or Endian having this option anywhere... and I think it should be on every firewall ever invented.  Normally, when someone says the word “Alias” a normal network guy, like me, is going to think of interface or IP aliases on an interface.  Meaning that, if I have 5 static IP addresses to the internet, then my red interface needs to respond to 5 different IPs.  This is a normal interface alias: you have your primary one, then 4 additional ones all on the same card.  This is not a pfSense Alias.

pfSense lets you define named groups of either IP addresses OR ports.  So, if I have 2 servers in my DMZ, each requiring a different set of ports (as each server has a different function, like Mail and Web), and, to fit the example of 20 above, each server needs 10 ports open: I go into the Firewall->Aliases screen, create a new alias of type ports, list all 10 ports for server 1 and call it “Server1Ports”.  I then create another one listing all 10 ports for Server 2 and, of course, call it Server2Ports.  I then go into Firewall->Rules (WAN tab) and create my incoming rule, but now instead of 10 separate rules each naming one destination port, I simply put “Server1Ports” in the destination port field and the IP of Server 1 in the destination address field, and the field even auto-completes the alias name for me!  That’s just cool.  So my 20 rules on 3 screens just became 2 rules on 3 screens, one for each server: 6 rules instead of 60!  For servers that don’t require a separate outbound rule, it’s actually even simpler, since creating the NAT port forward can create the matching WAN rule for you: you enter 1 port forward with the port alias, and it lets in as many ports as your server needs.

As complicated as all that is, once you understand it, it’s actually less work than creating a DMZ in Endian and IPCOP.  The same idea works for aliasing IP addresses.  Say you have 2 web servers that each require the same ports to be open: you just make yourself a “WebServerPorts” alias with the ports and a “WebServers” alias with both web servers’ IPs, and voila!  3 rules later (remember, 1 for each interface plus NAT) you have all the right ports going to both the right servers.  That is simply awesome.

To be fair, I believe the reason for the difference between these 2 ways of doing things is actually a difference in underlying OS, BSD vs Linux, or more specifically their respective firewalls.  pf has lists, macros and tables built into its rule syntax: a rule written against a list of ports is expanded into the individual rules automagically when the ruleset loads, and a table of addresses is matched as a set by a single rule.  Plain iptables has nothing like that in its rule grammar (extensions such as multiport and ipset get you part of the way), so each host and port combination must be written out as its own rule, one at a time.  However, there is no reason an interface, especially a web interface, could not be written to emulate this functionality and simply expand what the user puts into aliases into the corresponding series of iptables commands for the server.  So, while I understand that it’s likely the underlying technology that drives these methods, I find it to be no excuse.  Everyone should have Aliases.
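To make the rule counting above concrete, here is an added example (it is not code from the original post, and it is not pfSense’s own rule generator) that takes alias-style definitions and renders them two ways: as pf.conf, where the grouping survives as a macro and a table and one pass rule per alias pair, and as plain iptables commands, where a front end would have to emit one rule per host and port combination.  The alias names, the TEST-NET-1 addresses, the interface names and the choice to leave multiport and ipset out of the iptables side are all constructed for illustration.

```python
# Added example, not code from the original post or from pfSense:
# expands alias-style definitions into pf.conf (which keeps the grouping)
# and into plain iptables commands (which does not), to make the rule
# count concrete. Alias names, addresses (TEST-NET-1) and interface
# names are constructed for illustration.
from itertools import product

# Constructed aliases, in the spirit of the post's Server1Ports/WebServers.
PORT_ALIASES = {
    "WebServerPorts": [80, 443],
    "MailServerPorts": [25, 143, 587, 993],
}
HOST_ALIASES = {
    "WebServers": ["192.0.2.10", "192.0.2.11"],
    "MailServers": ["192.0.2.20"],
}

# What the admin types once: one policy line per (host alias, port alias).
POLICY = [
    ("WebServers", "WebServerPorts"),
    ("MailServers", "MailServerPorts"),
]


def render_pf(policy, hosts, ports, wan_if="em0"):
    """Render pf.conf lines: a macro per port alias, a table per host alias,
    and a single pass rule per policy entry. pf expands the port list and
    matches the table itself when the ruleset loads."""
    lines = []
    for name, members in ports.items():          # macros first, then tables
        members_txt = ", ".join(map(str, members))
        lines.append(f'{name} = "{{ {members_txt} }}"')
    for name, members in hosts.items():
        members_txt = ", ".join(members)
        lines.append(f"table <{name}> {{ {members_txt} }}")
    for host_alias, port_alias in policy:        # one rule per alias pair
        lines.append(
            f"pass in on {wan_if} proto tcp from any to <{host_alias}> "
            f"port ${port_alias} flags S/SA keep state"
        )
    return lines


def render_iptables(policy, hosts, ports, wan_if="eth0"):
    """Plain iptables has no alias in its rule grammar (multiport and ipset
    get part of the way, but are deliberately left out here), so a front
    end has to emit one rule per host x port combination."""
    lines = []
    for host_alias, port_alias in policy:
        for ip, port in product(hosts[host_alias], ports[port_alias]):
            lines.append(
                f"iptables -A FORWARD -i {wan_if} -p tcp -d {ip} --dport {port} "
                "-m conntrack --ctstate NEW -j ACCEPT"
            )
    return lines


def rule_counts(policy, hosts, ports, screens=1):
    """Rules the admin maintains in each style, multiplied by the number of
    screens each rule is repeated on (the post counts NAT, WAN and DMZ: 3)."""
    grouped = len(policy) * screens
    expanded = sum(len(hosts[h]) * len(ports[p]) for h, p in policy) * screens
    return grouped, expanded


if __name__ == "__main__":
    print("\n".join(render_pf(POLICY, HOST_ALIASES, PORT_ALIASES)))
    print()
    print("\n".join(render_iptables(POLICY, HOST_ALIASES, PORT_ALIASES)))
    grouped, expanded = rule_counts(POLICY, HOST_ALIASES, PORT_ALIASES, screens=3)
    print(f"\nrules to maintain on 3 screens: grouped={grouped} expanded={expanded}")
```

With the two small aliases above the expanded side is already 8 rules per screen against 2; give each server the 10 ports of the post’s own example and the expanded side becomes 10 rules per server per screen, which is exactly the 60-versus-6 arithmetic in the text.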

Speaking of underlying technology, pfSense has its flaws.  For example, you cannot access your DMZ’s website from within the LAN by going to the external IP address (that is, the NAT is not reflected back from the inside).  Check here.  I had no problems doing this in both Endian and IPCOP, so I’m not sure if this is an iptables thing or what, but now I have to maintain two DNS servers.  The primary one that the world uses to get my public IP address, plus pfSense’s own, where I have to create a record that points to the “internal” IP of the DMZ server.  So every domain name I have, I have to create twice.  That gets annoying.

Now we’ve reached the end: my conclusion.  The way I see pfSense is this: for an average user that is contemplating buying a Linksys router, or using an old PC they have in the house, pfSense could work just fine.  I personally don’t think the interface is quite as refined and easy to follow for a beginner as Endian or IPCOP, but it requires little setup after installation for a simple LAN to Internet configuration.  Where I think pfSense shines, however, is in its ability for a completely advanced configuration to be done entirely through the web interface.  From assigning static NAT addresses to the several diagnostic pages in the interface, it just makes doing complicated things a little easier.  Unfortunately, that kind of granularity in the interface also makes some of the simpler things more complicated, meaning that unless you have a desire to learn at least a little about firewalling, you are probably better off going with IPCOP or Endian.

For now, since pfSense is so far the only firewall on which I’ve gotten an actual full-tunnel VPN to work properly (which means all client browsing goes through the tunnel) using only out-of-the-box tools, I’ll be keeping it for a while.  If I change, I’m sure you’ll be some of the first to know ;).

Keep your network locked!
