The proposed rollback of consumer internet privacy by our new FCC chairman has everyone watching intently.

While the recent push of “just doing everything over HTTPS” is a move in the right direction, it does not solve all of our problems.

To combat this I embarked on a research project to find a consumer grade router capable of handling my 80/20 cable internet connection to secure all of the traffic from my home.

Unfortunately this led to the realization that even the most expensive consumer grade routers simply would not work for my needs. They either require you to run custom firmware such as DD-WRT, OpenWRT, and Tomato or you have to deal with the router manufacturer and the terrible interfaces and options they provide. Now I did explore the custom firmware route, but after reading about various compatibility issues, I decided that was not for me. If you want to read more about an actual successful project like this you can check out this article from Charles Perry.

After exhausting my options I began to look at other software based approaches that I could run on commodity hardware. I have always wanted to learn how to setup a software router running Linux but the sheer amount of knowledge and new tools I would need to learn was daunting.

I am an engineer and love tinkering, but when it comes to my internet connection, I would rather set it up once and forget it.

Software Routing

During my research I stumbled upon a distribution of FreeBSD that has been packaged and built explicitly for running routers on commodity hardware called pfSense. Not only is pfSense open-source, it is actively supported and maintained by a company and I could even BUY support if I needed it. After browsing the documentation on the install process, and some great videos on YouTube I decided pfSense would fit all of my needs and more.

Hardware

The next task was to figure out what pfSense could run on. The answer is just about anything with 2 ethernet ports (one port for a WAN connection, the other for your LAN interfaces), but there are some other items I was concerned about.

With these items in mind I was pleasantly surprised to find a plethora of excellent options.

I ultimately went with the PC Engines APU.2C4 from mini-box.com due to the fact that I could easily order it online. They also carry the matching case and power supply (I ordered the mSATA drive from Amazon).

With Lanner Inc. you have to call them and order things - not really my style, but I have no doubt that any similar embedded Celeron board would work. In fact SuperMicro has a number of embedded boards with Intel NICs and Intel Celeron chips that would work.

An assembled PC Engines APU2C4

Current Network Setup

A few words about my current setup before I get to the installation and configuration. I have the following networking gear:

With this setup I am able to max out my 80/20 connection wirelessly anywhere in my condo. I can also get around 100 megabytes/sec from my FreeNAS server to wired clients.

I use FreeNAS for Time Machine backups, Plex Server and general storage for just about everything. I HIGHLY recommend it.

Installation

In order to install pfSense on the PC Engines board you are going to need a USB -> DB9 Null Modem cable and a USB stick that has the correct pfSense image. For the PC Engines board I am using the installer with the following options.

That's right, folks: this embedded board has no VGA output!

This may sound scary, but in reality, if you are comfortable using a terminal and SSH, you will be fine. Once the install is complete, we configure and manage everything from a Web GUI.

After mounting the motherboard into the case with the included heatspreader, I popped in the mSATA SSD and then connected the DB9 cable to my desktop.

Next up we need to run the screen application to see the console output from the motherboard. The screen tool in our case needs two arguments.

bash$ screen /dev/usbSerialDevicePath 115200,8n1 

Once we have this up and running we can plug in the router (which will play a nice little jingle) and we should see the console output of the device booting up.

We hit F10 to get to the boot menu and select the option to boot from our USB stick containing pfSense.

Once booted up we can start the installer by hitting the I key when prompted.

There is a “Quick Install” option that should be fine for most users so I selected that option. The install took a few minutes and the machine rebooted into pfSense.

WAN and LAN Configuration

The next thing we need to do is configure what the ethernet ports actually do. Your typical consumer routers will usually have icons that specify what to plug your modem into and what to plug your other devices into. We have to configure that ourselves here.

pfSense actually has a nice utility for this. Select the Assign Interfaces option from the console menu. It will ask you if you want to configure VLANs first (which I did not).

It then prompted me to set up the WAN interface. I chose the automatic option that tells pfSense to auto-detect my WAN port. After hitting a (for auto) and then enter, I plugged in my modem and then hit enter again. I then did the exact same process for my LAN port and connected it directly to my computer.

Once you plug your computer into the LAN ethernet port you should be able to access the Web GUI via 192.168.1.1. If you can, you can disconnect your USB->Serial cable!

Chrome and other modern browsers will complain about the Web GUI using HTTPS with an invalid certificate. You can bypass this and fix it later in the Web GUI.
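Rather than clicking through that warning every time, you can record the fingerprint of the GUI's self-signed certificate on the first connection (while your computer is cabled directly to the LAN port and nothing else is attached) and check it on later visits, so a warning only means something if the fingerprint has changed. This is an added example, not code from the original post or from pfSense; the host/port and the pinned value are assumptions you supply.

```shell
#!/bin/sh
# Added example (not part of the original post): trust-on-first-use pinning
# of the pfSense Web GUI certificate. Requires the openssl CLI.

# Print the SHA-256 fingerprint (colon-separated hex) of the first
# certificate in a PEM file.
fingerprint_of_pem() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fetch the leaf certificate a TLS server presents and save it as PEM.
# Usage: fetch_cert host port outfile   (e.g. 192.168.1.1 443 gui.pem)
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Return 0 when the certificate's fingerprint equals the pinned value.
# Usage: check_pin pemfile expected_fingerprint
check_pin() {
  [ "$(fingerprint_of_pem "$1")" = "$2" ]
}

# Usage from a LAN client (values are placeholders you fill in):
#   fetch_cert 192.168.1.1 443 /tmp/gui.pem
#   fingerprint_of_pem /tmp/gui.pem        # record this on first connect
#   check_pin /tmp/gui.pem "AB:CD:..." || echo "GUI certificate changed!"
```

If the fingerprint changes unexpectedly, treat it as something to investigate before entering the admin password, since a changed certificate on the path to 192.168.1.1 is exactly what the browser warning exists to catch.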

After walking through the basic GUI setup which sets your timezone and enables some standard things like DHCP, you should have access to the internet again through your new router! If you need help you can watch the excellent YouTube series I mentioned earlier.

OpenVPN

I made a number of other configuration changes but the biggest one I will focus on in this article is the configuration of OpenVPN.

My VPN provider (Private Internet Access) has an excellent walkthrough on how to secure all traffic from the router using OpenVPN here.

Once completed I navigated back to PIA and the top of the page indicated I was secured! But what about the speed? Am I losing any bandwidth in the process?

I did a quick check on the Netflix FAST site and SpeedTest and I was happy with the results. I was still getting a full 80/20 connection! I then did some basic testing by turning on Netflix on my AppleTV, downloading a large ISO from the internet and some basic browsing. I didn’t notice any speed issues at all.

Mission Accomplished! I am going to be writing more about my customizations such as the local Squid Cache in future articles. If you have any questions or comments, you can put them below or send me a message on twitter!
