A little weekend project: Firewall & VPN for iDevices with pfSense




ChristianJapan
Aug 30, 2012, 07:26 AM
My recent little weekend project ...

Sometimes it is just fun not to buy an Apple from the Store, but instead to search for some components and build something myself.

Why now? With the server version of Mountain Lion, Apple sent the firewall ipfw and DHCP to the bench. Instead they suggest using pf (part of BSD systems).
Never having heard about pf before, I searched for some information and ran into a FreeBSD-based distribution called pfSense (http://www.pfsense.org). First I played with it a bit in VMware and kind of liked what I saw.
As none of the Macs I have has two NICs and I don't like USB-Ethernet adapters (mine get too hot), it was time to go online, search for some nice components and build something myself.

Here is what I got delivered the same day:

1) Motherboard C7Q67 from Supermicro (two Intel NICs on-board!)
2) Intel CORE i3 3.3 GHz
3) 500 GB HDD
4) 8 GB RAM
5) a MicroATX case (still too big)

Cost around 55'000 Yen altogether; and yes: totally oversized. But enough capacity for some IDS or private cloud solution.

Not being a first-time PC builder, it took me a short 20 minutes until the first power-up and the start of the pfSense installation from DVD.

The system is very unfancy visually; just a VGA text screen to do the initial setup of the NICs. After that a browser-based config and monitoring system is used.

And after one week of recording it also shows quite nicely all the traffic consumed on an hourly, daily, weekly, monthly and annual basis. Looks like lots of Hulu ;-)



ChristianJapan
Aug 30, 2012, 07:48 AM
(Part II) Firewall/NAT/VPN

The system primarily works as a firewall and can be as easy as shown here.

Here we allow all traffic outbound from the VPN.

But how to configure "road warrior" VPN via IPsec? It was quite easy.

I have a fixed IP address and mapped one hostname from my public domain to the pfSense box. But I'm sure it works with DynDNS too.


First, a group which allows users to open the VPN (with xauth dial-in):

Second, the mobile side of the VPN; here I learned that the subnet for the virtual address pool must be different from the internal net segment. First I thought it could be the same, just different numbers. But it needs to be a different segment.


Finally, the main screen with the mobile data like the shared secret and what kind of encryption is to be used:

Finally, on the iDevice side, the following:

Now make sure that the following settings are in sync:

iDevice        pfSense
Server         WAN side of your box
Account        a user assigned to the VPN group
Group Name     peer identifier
Secret         preshared key

Switch on VPN and that's it ... you might need to tweak the rules. For example, you need to allow VPN traffic on ports 4500 and 500 for UDP and ISAKMP.

The rest works like a charm.

I'm still playing and learning. If you have any questions, let me know. If you have suggestions I can learn from, let me know too.

I ran some external tests with ShieldsUP (http://www.grc.com/default.htm) and the FW is pretty closed from the beginning.

Kind of really like it.
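The two things the post above says needed attention are the mobile address pool being a separate segment from the LAN and the WAN rules for UDP 500/4500. The following pre-flight check is an added example, not code from the post or from the pfSense project; the XML layout it reads is a simplified stand-in loosely modelled on pfSense's config.xml, so the tag names are an assumption to adjust to the real file.

```python
# Added example (not from the forum post): sanity-check a mobile IPsec setup
# for the two pitfalls described above. The XML layout is a simplified
# stand-in for pfSense's config.xml; the tag names are an assumption.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config: LAN is 192.168.1.0/24, but the mobile pool was
# set to 192.168.1.128/25 ("same net, just different numbers"), and only
# UDP/500 is allowed on WAN, so NAT-T on UDP/4500 would be blocked.
SAMPLE_CONFIG = """<pfsense>
  <interfaces><lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan></interfaces>
  <ipsec><client><pool_address>192.168.1.128</pool_address><pool_netbits>25</pool_netbits></client></ipsec>
  <filter>
    <rule><interface>wan</interface><protocol>udp</protocol><destination><port>500</port></destination></rule>
  </filter>
</pfsense>"""


def lan_network(root):
    """LAN segment as an ip_network (host bits masked off)."""
    lan = root.find("interfaces/lan")
    return ipaddress.ip_network(f"{lan.findtext('ipaddr')}/{lan.findtext('subnet')}", strict=False)


def mobile_pool(root):
    """Virtual address pool handed to mobile IPsec clients."""
    c = root.find("ipsec/client")
    return ipaddress.ip_network(f"{c.findtext('pool_address')}/{c.findtext('pool_netbits')}", strict=False)


def wan_udp_ports(root):
    """Destination ports of UDP pass rules on the WAN interface."""
    return {r.findtext("destination/port") for r in root.findall("filter/rule")
            if r.findtext("interface") == "wan" and r.findtext("protocol") == "udp"}


def check_mobile_ipsec(config_xml):
    """Return a list of problems; an empty list means both checks pass."""
    root = ET.fromstring(config_xml)
    problems = []
    lan, pool = lan_network(root), mobile_pool(root)
    if lan.overlaps(pool):
        problems.append(f"mobile pool {pool} overlaps LAN {lan}; use a separate segment")
    for port in sorted({"500", "4500"} - wan_udp_ports(root)):
        problems.append(f"no WAN rule allowing UDP/{port} (IKE/NAT-T)")
    return problems


if __name__ == "__main__":
    for problem in check_mobile_ipsec(SAMPLE_CONFIG):
        print("WARN:", problem)
```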