After being attacked by random internet hackers, I went about isolating all of the computers on my network and nuking them one by one before allowing them access back onto the network. This process was painful, and very time consuming. I realized that even though I just bought this new fangled router, it didn’t provide the flexibility, logging, security and advanced features I wanted/needed to easily manage my home network. Having dumb switches didn’t help the situation either, but the way I wired up my home made it easy to segment even if I continued to use them.
I had an old dual core computer with 2GB of ram, so I decided I was going to build my own router. I just grabbed a 4 port gigabit Ethernet card off of eBay and a right angle PCI Express adapter (for the horizontal look). Eventually I will get a more slimline power supply and build a case for it.
Initially I was going to install a Linux distribution, using IP tables, OpenVPN, and Snort to start, but then I bought my server and realized I didn’t have time to play as hard as I wanted to, so I opted to go with Pfsense running off a USB stick. Setup was pretty painless.
I’m not going to go into too much detail on the setup because much of it is already documented, but I will link to how to documents where appropriate.Initially I logged in via the console, enabled SSH, and setup a root password. After that all of the configuration was web based.
Pfsense is extremely powerful, and going through the menu’s took time, but actually changing the settings and adjusting the configuration is painless. One thing to consider is when you know your going to setup a VPN and have remote devices be able to access local resources, you’ll want to pick two private LAN ranges that are uncommon. This will prevent routing conflicts between your local network (a coffee shop, school, where ever your connecting from) and your remote network (your Pfsense router networks). As much as I used to love mucking up the whole IP to be something unique to me (let’s say 22.214.171.124/24), it is really important to stick with an RFC1918 compliant private address scheme. This will prevent security professionals from thinking Russia is attacking a server when in reality that’s the IP of your development network (a great example from www.defensivesecurity.com).
With the basics setup, I can work on getting the server up and running, and transitioning VPN over from my old server.