
PF Sense Router... Why/When?

Biohack

So I discovered some builds of routers with PFSense as software on YouTube, using full blown computers.

My question is, why? When do you need to go to all that trouble? It's cool and all, but practically speaking... when do you need something like that? I couldn't find any use cases online, this seems to be the domain of organisations so it's not discussed by common folk it seems.


You answered your own question!

 

32 minutes ago, Biohack said:

It's cool

 

pfSense/OPNsense/Sophos XG are also better firewalls than an off the shelf modem/router combo. Some people like having that granular control.

 

If you virtualize your hypervisor you can also consolidate other services (like PiHole) onto that one machine.

I sold my soul for ProSupport.


Choosing to “build” a PFSense router with a full PC (oftentimes described as an old PC with an extra ethernet port(s) added via PCIe card) is just one method of achieving a more broad goal - to have a more capable (feature-wise) and usually more stable router, than what is available as a device from the ISP or off the shelf from the usual home router brands. It should be noted that in doing so (PFSense on an old PC or not), a separate wireless access point, and sometimes a separate ethernet switch, are also required. One major reason people start down this path is because they want to split up their home or homelab into separate VLANs, such as isolating IoT devices which have dubious security away from the rest of the client devices.

 

Here’s a long but not exhaustive list of ways to achieve that goal:

  • Build a PFSense/OPNSense/OpenWRT/Untangle/etc router from a PC you have on hand
  • Build a PFSense/OPNSense/OpenWRT/Untangle/etc router from a PC that is designed specifically to be a router, such as Protectli or one of thousands of listings on eBay or Aliexpress
  • Buy a router from the developers of PFSense/OPNSense/Untangle that has that OS preinstalled, providing you a better supported platform and financially supporting the developers
  • Flash OpenWRT or Tomato onto a compatible regular home router - this one is easy if you already have a model that is well supported by one of these projects and just want a few more features and stability. For example, last week someone else on this forum had an issue where the stock firmware on their Archer router wouldn’t do a DHCP range larger than 256 addresses; flashing it to OpenWRT allowed them to configure it how they wanted with no loss of functionality (this isn’t always a given, especially if the router uses a Broadcom chipset, or is an early AC model). This is the only option on this list that does not require a separate AP to be purchased, and is also a good way to reuse a prior router as an AP if the stock firmware doesn’t have an AP mode
  • Buy a Ubiquiti EdgeRouter or Mikrotik RB-series router - this one is a good option if you want many more true router features, where “true router” means a device that handles packets at L3 and L4 and can speak many dynamic routing protocols such as OSPF and BGP, and you are less interested in advanced firewall features like application recognition, intrusion prevention, and DNS-based content filtering. It is also a good option if you want very good price-to-performance or power efficiency when it comes to being a simple router and stateful firewall for a home or business. For example, a Mikrotik hEX at ~$70 USD (IIRC) will outperform everything else in its power, size, and cost categories (including the low pre-pandemic cost of getting a used office PC and adding a NIC), if you don’t need to go beyond a stateful firewall. Stateful firewall means you can create normal rules based on IP or port, and can do inbound/outbound NAT and PAT.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 

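The IoT-VLAN isolation and the "stateful firewall" rules the post above describes, modelled as an added example (not code from the post or from pfSense/OPNsense): per-interface rules evaluated top-down, first match wins, with a state table so replies to allowed flows pass without a rule lookup. All networks, rule contents and the VLAN layout are constructed assumptions.

```python
"""Model of the first-match, stateful rule evaluation a pfSense/OPNsense-style
firewall applies on the IoT interface. Networks and rules are constructed."""
from ipaddress import ip_address, ip_network

# Constructed addressing: trusted LAN on VLAN 10, IoT devices on VLAN 20.
IOT = ip_network("192.168.20.0/24")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]

# Rules on the IoT interface: (action, source nets, dest nets, proto, dport).
# Evaluated top-down, first match wins, implicit deny after the last rule.
# The DNS rule must sit above the RFC1918 block because the gateway address
# is itself inside 192.168.0.0/16: ordering decides what the policy means.
IOT_RULES = [
    ("pass", [IOT], [ip_network("192.168.20.1/32")], "udp", 53),  # DNS to the gateway only
    ("block", [IOT], RFC1918, "any", None),                       # no path into LAN/other VLANs
    ("pass", [IOT], ANY, "any", None),                            # anything else = internet
]

def rule_matches(rule, src, dst, proto, dport):
    _, srcs, dsts, rproto, rport = rule
    return (any(src in n for n in srcs) and any(dst in n for n in dsts)
            and rproto in ("any", proto) and rport in (None, dport))

class StatefulFirewall:
    """A pass rule creates state; replies ride that state and skip the rules."""
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (src, sport, dst, dport, proto) of allowed flows

    def filter(self, src, sport, dst, dport, proto):
        src, dst = ip_address(src), ip_address(dst)
        if (dst, dport, src, sport, proto) in self.states:
            return "pass (state)"  # reply to a flow we already allowed
        for rule in self.rules:
            if rule_matches(rule, src, dst, proto, dport):
                if rule[0] == "pass":
                    self.states.add((src, sport, dst, dport, proto))
                return rule[0]
        return "block (default deny)"

if __name__ == "__main__":
    fw = StatefulFirewall(IOT_RULES)
    print(fw.filter("192.168.20.50", 40000, "203.0.113.10", 443, "tcp"))  # pass
    print(fw.filter("203.0.113.10", 443, "192.168.20.50", 40000, "tcp"))  # pass (state)
    print(fw.filter("192.168.20.50", 40001, "192.168.10.5", 445, "tcp"))  # block
```

Swap the first two rules and the IoT devices lose DNS to their own gateway while still reaching the internet, which is the kind of silent breakage the ordering comment warns about.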

3 hours ago, Biohack said:

So I discovered some builds of routers with PFSense as software on YouTube, using full blown computers.

My question is, why? When do you need to go to all that trouble? It's cool and all, but practically speaking... when do you need something like that? I couldn't find any use cases online, this seems to be the domain of organisations so it's not discussed by common folk it seems.

A big reason is policy routing and other advanced features like whole-network VPNs, especially on faster broadband connections.

 

Consumer routers, for example, use hardware NAT acceleration to be able to do Gigabit speeds. If you try to do policy routing with those, the hardware NAT is usually disabled; they can then no longer handle Gigabit and may only do 200-300Mbit (or worse).

 

Policy routing is where you can tell the router to treat certain ports/traffic or clients on the network differently from each other, including things like QoS (Quality of Service) where you might for example prioritise gaming or VoIP traffic. Or you might send certain clients down a VPN rather than having to connect to it on that client directly.

Examples:
I have certain domains go over a US VPN to get around region blocking and this is completely seamless to any device on the network; it's all done on the router.

I can switch my gaming PC to 500Mbit 5G when downloading games and back to my DSL for online gaming, with just a few mouse clicks. Ideally I'd have it configured to use 5G automatically for the download servers and DSL for everything else, I just haven't gotten around to trying to figure out how to do that yet.

Or when I had two DSL lines I would load-balance traffic down both to double my download speed.

 

I also have pfBlockerNG installed to automatically block access to/from IP addresses that are being used for scams, trojans, etc. As well as region-blocking access to my server so its logs don't get spammed with foreign hackers trying to guess my SSH password or find exploits on my web server.

I also have a permanent VPN connection to my VPS so I can access its web management without having it enabled on its public IP address, one less avenue for hackers to get into.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7

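The policy routing the post above describes (domains via a US VPN, the gaming PC's downloads via 5G, everything else via DSL, two lines load-balanced), modelled as an added example rather than code from the post or from pfSense: first-match rules pick a gateway or gateway group, groups have load-sharing and failover tiers, and a down gateway is handled fail-closed. Gateway names, aliases and address ranges are constructed assumptions.

```python
"""Model of first-match policy routing with gateway groups (load balancing
plus failover tiers). Gateway names, aliases and addresses are constructed."""
from ipaddress import ip_address, ip_network

# Gateway health as the router's monitor would report it (constructed state).
GATEWAY_UP = {"WAN_DSL": True, "WAN_5G": True, "VPN_US": True}

# Gateway groups: tier 1 members share load round-robin; a higher tier is
# used only when every member of the lower tier is down (failover).
GROUPS = {
    "DSL_BALANCE": {1: ["WAN_DSL", "WAN_5G"]},      # both lines, combined download speed
    "DSL_PREFER": {1: ["WAN_DSL"], 2: ["WAN_5G"]},  # DSL for latency, 5G as backup
}
LAN = ip_network("192.168.10.0/24")
GAMING_PC = ip_network("192.168.10.42/32")
ANY = [ip_network("0.0.0.0/0")]
# Hostname aliases the router would resolve periodically; ranges are constructed.
US_ONLY = [ip_network("203.0.113.0/24")]     # region-locked service
DOWNLOADS = [ip_network("198.51.100.0/24")]  # game download servers

# Policy rules: (source, destinations, gateway or group); first match wins.
POLICY = [
    (LAN, US_ONLY, "VPN_US"),          # region-blocked sites leave via the US VPN
    (GAMING_PC, DOWNLOADS, "WAN_5G"),  # bulk downloads take the fast 5G line
    (GAMING_PC, ANY, "DSL_PREFER"),    # everything else from the gaming PC: DSL
    (LAN, ANY, "DSL_BALANCE"),         # all other clients: balance both lines
]
_rr = {}  # per-group round-robin counter

def pick_from_group(name):
    for tier in sorted(GROUPS[name]):
        up = [g for g in GROUPS[name][tier] if GATEWAY_UP[g]]
        if up:
            i = _rr.get(name, 0)
            _rr[name] = i + 1
            return up[i % len(up)]
    return None  # whole group down: fail closed instead of leaking via the default route

def route(src, dst):
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_nets, target in POLICY:
        if src in src_net and any(dst in n for n in dst_nets):
            if target in GROUPS:
                return pick_from_group(target)
            # Single gateway, modelled fail-closed: if the VPN tunnel drops,
            # VPN-only traffic is dropped rather than sent out the DSL in the clear.
            return target if GATEWAY_UP[target] else None
    return "WAN_DSL"  # default route for sources no policy rule claims
```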

Hmm, none of these things ring any bells to be honest. Sounds like it's not something I need to worry about for now.


1 hour ago, Biohack said:

Hmm, none of these things ring any bells to be honest. Sounds like it's not something I need to worry about for now.

Yeah, no reason to replace a normal router until you find something you want/need to do that it isn’t capable of.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 

