Firebox X1000 pfsense Configuration, Subnet Isolation, and Bandwidth Limiting

This time around I got my hands on a Firebox X1000! I had a customer ask about putting a system together which would allow him to distribute his internet connection to several users while isolating them from each other. He’s trying to sublease internet access to rural areas using high frequency equipment and didn’t want his customers to have more bandwidth than what they’re paying for!

2014-10-12 01.02.39

First things first, let’s go over the hardware. The Firebox is basically a Celeron ~1.3Ghz headless PC with six Realtek 10/100 ports, an LCD screen, and serial debug port. They’re fairly cheap to get a hold of (sub-$30 on eBay) and make great pfsense servers! I’ve upgraded the internal memory from 256MB to 512MB and the internal CF card from 64MB to 4GB, but opted to not upgrade the CPU. People looking for performance have found that it’s possible to upgrade the CPU to a 1.4GHz P3, but I don’t feel that this is required in this particular setup. I personally run an Atom-Based PC with 8GB RAM at home in order to support Snort, HAVP (Antivirus), a wireless hotspot, OpenVPN, etc. but that’s another post!

Assuming you’ve got the hardware set up, upgraded, and ready to go let’s work on getting pfsense on the CF card. I use Win32 Disk Imager to write the image in Windows to the CF card according to the official tutorial found here. You’ll also find a download link to the image on that page. Be sure to select the settings as shown below (and of course, select the right CF card size).

Screen Shot 2014-10-12 at 12.01.00 AM

Now that you’ve got the image, you’ll need to extract it using 7zip. Be sure to not skip this step! You can’t write a .tar.gz file to the CF card (well, you can, but it won’t work)!! Once that’s done, go ahead and write the image as shown below.

win32diskimagerNow that we’re finished with that, replace the CF card inside the Firebox. You’ll need to remove the HDD caddy from the case to get to the slot. Also, please be sure to disconnect the Firebox before you mess with it, the power supply isn’t shielded and is dangerous!!

Now that we’ve got pfsense on the box, let’s get the serial communication ready. You’ll need a null-modem adapter, a serial (DB9) cable, and an RS232 to USB converter. Connect everything to your computer and configure your serial port like this: 9600-8-None-1 and enable DTS. You also want to make sure that you’re using “Line Mode” (sending one line at a time) and only sending a CR (Carriage Return) when pressing Enter. I’m using CoolTerm for Mac, but you can also use PuTTY or HyperTerminal on Windows.

Screen Shot 2014-10-12 at 12.18.53 AMNow that we’ve got all that set up, close the Firebox case and turn the system on! If you’ve set up everything correctly, you should see it boot in your serial terminal window! From here on out, the setup is exactly the same as any other pfsense install. I chose to configure only the LAN and WAN ports in the terminal, but you can configure all six ports there if you really want to (I prefer a GUI).

Now that we’ve got the box configured, connect a network cable to your PC and log into the system (U:admin/P:pfsense). Run through the initial setup like you would any other install and head back to the home screen. First things first, let’s get the LCD working on the Firebox! Head on over to System>Packages and install the LCDproc-dev plugin. The -dev is important! Only this version contains the drivers needed to make the LCD screen function! Once installed, head on over to Services>LCDproc and configure your settings as shown below. After everything is saved, reboot the Firebox.

Screen Shot 2014-10-12 at 12.29.24 AM

You can select what information is displayed on the screen on the “Screens” tab. Once the system starts booting, you should see a screen like this!

2014-10-12 00.31.20

Now, next on the list (and frankly the entire reason for this tutorial) is setting up the interfaces and rules! Head on over to Interfaces > (assign). Here you should see a list of interfaces currently configured (LAN and WAN) and a little “plus” symbol. Click on that symbol and add all of the remaining interfaces. Be sure to name them something useful (like the port number)!

Screen Shot 2014-10-12 at 12.35.33 AM

On every interface page you’re going to change the IPv4 configuration type to “Static IPv4” and under “IPv4 Address” type in an address for that port. I chose to follow the 10.10.#.1/24 scheme where # is the port number. Do this for each port and apply changes when finished.

Screen Shot 2014-10-12 at 12.35.45 AM

Next, let’s enable DHCP on each port. Head on over to Services > DHCP Server and click on the first tab for your ports (PORT 1 in my case). Click on “Enable DHCP server on <NAME> interface” and type in an IP range. I chose to use ~ for my range, but you can use whatever you like. Do this for all other interfaces, click save when finished, and apply changes. Make sure to choose different IP ranges for every adapter!

Screen Shot 2014-10-12 at 12.41.54 AM

At this point you should be able to swap your Ethernet cable over to one of the other ports and be issued an IP address, but you won’t get any traffic! We need to build some firewall rules to pass traffic from WAN to each port while limiting access to other ports! Head on over to Firewall > Rules and select the tab corresponding to your first port.

Set up each of the rules as shown below. You’ll need to do this for each port, and adjust the ports accordingly depending on which port you’re working on. I’ve included a picture of two different ports for you to identify which settings to adjust.

Screen Shot 2014-10-12 at 12.48.09 AM Screen Shot 2014-10-12 at 12.48.18 AM

Once you’ve applied all the settings, you should be able to swap your Ethernet cable over to another port and have internet access, but not be able to ping any IPs on other subnets (ports) or access the web GUI! Keep in mind that the order of rules is important! Also, you shouldn’t add any of these rules to the LAN network since you might end up locking yourself out!

We’ve achieved one of our objectives which was to isolate each port’s traffic. Now we need to limit the bandwidth! Move your cable back to the LAN port and head to Firewall > Traffic Shaper. Once there, click on the “Limiter” tab and then create a new limiter. I’ve chosen to limit both incoming and outgoing bandwidth so I’ve created two rules. If you want to limit bandwidth symmetrically, you only need to create one rule. Both rules are created the same, the only thing that changes is the name! Here’s my 1Mb/sec rule.

Screen Shot 2014-10-12 at 12.54.36 AM

In order to apply the rule, head back to Firewall > Rules, choose the tab corresponding to the port you want to limit, and edit the “Pass Data to WAN” rule (the only “pass” rule you’ve set up). Scroll to the bottom to the “In/Out” button. Expand it and select your rules as shown below. Do this for every port you want to limit. You can also create new rules like shown in the step above for different bandwidth limits and you can limit individual IPs within each subnet!

Screen Shot 2014-10-12 at 12.57.34 AM

That’s it! Connect your cable to one of the ports you’ve limited and test your connection!

I hope that this tutorial is useful! If you have any questions or would like me to add any other explanations on some of the steps, just let me know in the comments below!