A little weekend project: Firewall & VPN for iDevices with pfSense

Discussion started by ChristianVirtual, Aug 30, 2012.

  ChristianVirtual, Aug 30, 2012
    My recent little weekend project ...

    Sometimes it is just fun not to buy an Apple from the Store, but instead to search for some components and build something myself.

    Why now? With the server version of Mountain Lion, Apple sent the firewall ipfw and DHCP to the bench. Instead they suggest using pf (as part of BSD systems).
    Never having heard about pf before, I searched for some information and ran into a FreeBSD-based distribution called pfSense. First I played with it a bit in VMware and kind of liked what I saw.
    As none of the Macs I have has two NICs and I don't like USB-Ethernet adapters (mine gets too hot), it was time to go online, search for some nice components and build something myself.

    Here is what I got delivered the same day:


    1) Motherboard C7Q67 from Supermicro (two Intel NICs on-board!)
    2) Intel CORE i3 3.3 GHz
    3) 500 GB HDD
    4) 8 GB RAM
    5) a MicroATX case (still too big)

    Cost around 55'000 Yen all together; and yes: totally oversized. But enough capacity for some IDS or private cloud solution.

    Not being a first-time PC builder, it was a short 20 min timespan until the first power-up and the start of the pfSense installation from DVD.


    The system is very unfancy with respect to visual effects; just a VGA text screen to do the initial setup of the NICs. After that a browser-based config and monitoring system is used.


    And after one week of recording it also shows quite nicely all the traffic consumed on an hourly, daily, weekly, monthly and annual basis. Looks like lots of Hulu ;-)

  ChristianVirtual, Aug 30, 2012
    (Part II) Firewall/NAT/VPN

    The system primarily works as a firewall and can be configured as easily as shown here.

    Here we allow all traffic outbound from VPN.

    But how to configure "road warrior" VPN via IPsec? It was quite easy.

    I have a fixed IP address and mapped one hostname from my public domain to the pfSense box. But I'm sure it works with DynDNS too.

    First a group which allows users to open the VPN (with xauth dial-in).

    Second the mobile side of the VPN; here I learned that the subnet for the virtual address pool must be different from the internal net segment. First I thought it could be the same, just with different numbers. But it needs to be a different segment.


    Finally the main screen with the mobile data like the shared secret and what kind of encryption is to be used.

    Finally on the iDevice side the following.

    Now make sure that the following settings are in sync:

    iDevice       pfSense
    Server        WAN side of your box
    Account       a user assigned to the VPN group
    Group Name    peer identifier
    Secret        preshared key

    Switch on VPN and that's it ... you might need to tweak the rules. For example you need to allow VPN traffic on ports 4500 and 500 for UDP and ISAKMP.
    [Screenshot: Screen Shot 2012-08-30 at 9.43.40 PM.png]

    The rest works like a charm.

    I still play and learn. If you have any questions let me know. If you have suggestions I can learn from: let me know too.

    I ran some external tests with ShieldsUP and the FW is pretty closed from the beginning.

    I kind of really like it.
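Two things the post above learned the hard way are easy to check before switching the VPN on: the mobile virtual address pool must not share a segment with the LAN, and the WAN must pass the IPsec control and data traffic. The following Python is an added example, not part of the original post and not pfSense's own code; it models a WAN rule table as a constructed list of tuples and checks it for UDP/500 (ISAKMP/IKE) and UDP/4500 (NAT-T), which the post names, plus ESP, which the post does not list but which carries the tunnel payload whenever NAT traversal is not in play. All addresses and the rule list are constructed for illustration.

```python
# Added example (not from the original post): sanity checks for a pfSense
# "road warrior" mobile IPsec setup, covering the two pitfalls the post
# describes:
#   1. the virtual address pool handed to iDevices must be a separate
#      segment from the LAN, and
#   2. the WAN rules must pass IKE (UDP/500), NAT-T (UDP/4500) and ESP.
# Addresses, the rule table and its layout are constructed for illustration.
from ipaddress import ip_network

# Constructed WAN rule table: (protocol, destination port or None, action).
# A real pfSense box keeps these in its web GUI; this list only mimics them.
WAN_RULES = [
    ("udp", 500, "pass"),    # ISAKMP / IKE
    ("udp", 4500, "pass"),   # IKE NAT traversal
    ("esp", None, "pass"),   # ESP payload (IP protocol 50)
]

# Rules the mobile IPsec tunnel cannot work without.
REQUIRED = {
    ("udp", 500): "IKE (ISAKMP) on UDP/500",
    ("udp", 4500): "IKE NAT-T on UDP/4500",
    ("esp", None): "ESP payload",
}


def pool_overlaps_lan(lan_cidr: str, pool_cidr: str) -> bool:
    """True when the mobile virtual address pool shares addresses with the LAN.

    This is the mistake the post describes: same segment, "just different
    numbers", which pfSense does not accept for the mobile pool.
    """
    lan = ip_network(lan_cidr, strict=False)
    pool = ip_network(pool_cidr, strict=False)
    return lan.overlaps(pool)


def missing_ipsec_rules(rules):
    """Return the names of required IPsec WAN rules that are not present as 'pass'."""
    passed = {(proto, port) for proto, port, action in rules if action == "pass"}
    return [name for key, name in REQUIRED.items() if key not in passed]


def check_mobile_ipsec(lan_cidr: str, pool_cidr: str, rules):
    """Collect human-readable findings; an empty list means the setup looks sane."""
    findings = []
    if pool_overlaps_lan(lan_cidr, pool_cidr):
        findings.append(
            f"virtual address pool {pool_cidr} overlaps LAN {lan_cidr}; "
            "use a separate segment"
        )
    for name in missing_ipsec_rules(rules):
        findings.append(f"WAN rule missing: {name}")
    return findings


if __name__ == "__main__":
    # Constructed bad setup: pool carved out of the LAN, and no ESP rule.
    for finding in check_mobile_ipsec("192.168.1.0/24", "192.168.1.200/29", WAN_RULES[:2]):
        print(finding)
    # Constructed good setup: separate pool segment, all three rules present.
    print(check_mobile_ipsec("192.168.1.0/24", "192.168.2.0/24", WAN_RULES))
```

Run it as a script to see the findings for the constructed bad setup; the good setup returns an empty list. The overlap test uses `ipaddress.ip_network(..., strict=False)` so a pool written with host bits set still compares correctly against the LAN.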

