My Beautiful Web of CAT-6a Cables


networking pfsense router firewall
February 16th, 2021

Back in June, when I moved into my current house, I had no idea what I’d be doing with computers today. And because of that, I signed up for a 100Mbps, 12-month contract with Xfinity. That’s perfectly fast, if you’ve got no more than 5 devices connected. However, when you get into the double digits, it’s a lot more difficult.


I’ve effectively solved the problem of squeezing all of the juice out of my internet connection, and it’s all thanks to something called pfSense. What is that? Put simply, it’s a better router.


pfSense is a free, open-source router and firewall software that can run on virtually any computer, as long as the networking hardware is up to specifications. I installed pfSense on an old Dell OptiPlex 990, which has 4 GB of RAM and an Intel i5-2500. I also had to install a Network Interface Card (NIC) that could handle the task of routing packets within my network, so I chose an Intel i350-T4, which has 4 gigabit-capable ethernet ports. This computer is WAY overkill. Most of the time, my CPU usage doesn’t surpass 2%. So why choose such an overpowered computer? Two reasons:


  1. I already had the computer lying around

  2. Because of the way Carrier Sense Multiple Access (CSMA) works


Big confusing acronym, I know, but CSMA is simply the way multiple computers share a network. If two computers try to send data over ethernet cables at the same time, you’ll get what’s called a collision. When this happens, the two computers each wait a random amount of time, usually several milliseconds, before resending their data packet, in order to avoid another collision. As more and more collisions occur because of more and more connected devices, computers start implementing Exponential Backoff. Exponential Backoff is the process of waiting 2 seconds, then 4 seconds, then 8 seconds, and so on, until the network is clear and they can send their messages. So, with a normal router and only a handful of connected devices, this is fine, and CSMA + Exponential Backoff work great together at determining where data packets are coming from, where they’re going, and when they can be sent. However, as you increase the number of connected devices, which are all competing for their turn to “speak” their data into the router, Exponential Backoff kicks in, and wait times grow even longer.


The beauty of pfSense is that I can solve this problem without upgrading my network bandwidth or speed. With the help of pfSense, I’ve implemented two main solutions to network bottlenecks:


  1. FAST data handling within the router itself

  2. Multiple LAN networks


First, the sheer compute power provided by the i5-2500 CPU allows the router to handle data at significantly higher speeds than conventional routers ever could. Because the packets of data are in and out of the box so quickly, communication is not bottlenecked at the router itself, which was the problem with the old router. Second, multiple LAN networks allow me to have several independent “pools” of copper-wire ethernet cables, thus limiting the effects of Exponential Backoff. I’ve drawn up a diagram of how my network functions below:


My network consists of a pfSense router, a DNS server, and three separate LAN networks.

pfSense is more than just a router. It’s also a highly configurable firewall. If you have a home or work network, there are certain ports that you don’t want opened, certain protocols that you want to force, and lists of IP addresses that you don’t want to be able to communicate with any of your computers. For example, when you use SSH (Secure Shell) to communicate with other computers within your network, you don’t want people outside of your network to be able to do the same. SSH uses port 22 by default, which is perfectly fine between LAN networks, but computers outside of my home should never be allowed to access my computers over port 22. Therefore, ports like 22 are closed to the outside, and incoming connections from the internet are dropped. And yes, most routers close down unnecessary ports by default, but they don’t let you run your own DNS server.


DNS stands for Domain Name System, and it is how “google.com” becomes an IP address, like 1.2.3.4, for example. You wouldn’t want to memorize a bunch of IP addresses, so DNS servers exist to catalogue the IP addresses of servers that host websites and other services that you might use. For example, a DNS server knows that facebook.com generally translates to a range of IP addresses, like 66.220.144.0 – 66.220.159.255. By running your own DNS server, however, you get to decide what happens to certain IP addresses. For example, let’s say I open a risky link that was emailed to me by someone. What happens? The webpage loads, but I don’t see anything presented on the screen. Is that it? Can I close out of the website and expect that everything will be okay? Absolutely not, of course, but here’s the beauty of a personal DNS: if that site tries to load something that has been catalogued by someone else as a malicious source, my DNS will block the connection. If you look online, you’ll find dozens of lists with tens of thousands of IP addresses, all of which have been flagged for spam or malicious activity. By loading those lists into my own personal DNS server, I can have an up-to-date list of IP addresses that I know I don’t want anywhere near my computers or devices. This is the functional principle of in-browser services like AdBlock Plus or uBlock Origin, but it sits further up the information stream. If I connect to a website on my phone, for example, AdBlock Plus won’t help me, but a network-wide DNS will.
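To make the blocklist idea concrete, here is an added example (not from this post, and not pfSense’s own resolver code) of the core of a blocking DNS server: it parses a blocklist in the common “hosts” format that most published ad and malware lists use, and sinkholes any name on the list, including subdomains, before anything is asked of the upstream resolver. The list, the domains and the upstream answers are all constructed for the example.

```python
# Constructed blocklist in the "hosts" format most published ad/malware lists
# use (sinkhole address, then one or more names). The domains are made up.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real feed
0.0.0.0 ads.example-tracker.test
0.0.0.0 malware.example-bad.test   # trailing comment
127.0.0.1 localhost
"""

# Constructed upstream answers standing in for a real recursive resolver;
# 192.0.2.0/24 is a documentation range, not anyone's real server.
UPSTREAM = {"example.com": "192.0.2.10", "www.example.com": "192.0.2.11"}

SINKHOLE_TARGETS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts_blocklist(text):
    """Return the set of names the list sinkholes, skipping comments,
    blank lines and the standard loopback entries a hosts file carries."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        target, *names = line.split()
        if target not in SINKHOLE_TARGETS:
            continue  # a real host mapping, not a block entry
        for name in names:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked

def is_blocked(name, blocked):
    """An entry covers the exact name and every name beneath it."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def resolve(name, blocked, upstream=UPSTREAM):
    """Sinkhole blocked names to 0.0.0.0; otherwise ask the (fake) upstream."""
    if is_blocked(name, blocked):
        return "0.0.0.0"
    return upstream.get(name.lower().rstrip("."), "NXDOMAIN")

BLOCKED = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
```

Because the match walks up the name label by label, a single list entry for `ads.example-tracker.test` also catches `cdn.ads.example-tracker.test`, which is how a site that loads a flagged resource gets stopped even when the exact hostname is new.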


Finally, I’ve been throwing around the term “LAN” a lot. What is that exactly? The acronym stands for Local Area Network, and you can think of it as a pool of local devices. In most cases, homes have just one LAN network, and it connects all devices via Wi-Fi or ethernet cables attached to the router. When the router can handle the sending and receiving of data packets from multiple devices, all is well. However, when those data packets are being sent and received so frequently by so many devices, the router can start to slow down. I have multiple LAN networks, which are separated by different network ports on my router. My primary LAN network, designated by subnet 192.168.1.0/24 (which means 192.168.1.0 to 192.168.1.254), is for only the computers at my work desk. They may be constantly sending and receiving data, but there are only a handful of computers on the network, so the probability of bottleneck-inducing conditions is lower than when there are dozens of computers on a single LAN. I have two other LAN networks: one for my wireless access points, and one for my lab setup. The lab setup is busy doing Rosetta@Home work, so it’s always sending and receiving data, and therefore it’s important that the data packets from those computers don’t interfere with the data packets from my personal computers. For example, I don’t want tons of packets dropping while I’m in Zoom class!
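The firewall rules described earlier and the per-interface LANs above fit together in one model, so here is an added example (written for this post, not pfSense’s own code) that evaluates a small pfSense-style rule set the way the firewall does: rules are attached to the interface a packet arrives on, the first matching rule wins, and anything that matches no rule is dropped. Only the 192.168.1.0/24 desk subnet comes from the post; the Wi-Fi and lab subnets, and the sample packets, are assumed for the example.

```python
import ipaddress
from collections import namedtuple

# Interfaces and their subnets. Only 192.168.1.0/24 (the desk LAN) comes from
# the post; the other two subnets are assumed for this example.
INTERFACES = {
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),  # desk computers
    "WIFI": ipaddress.ip_network("192.168.2.0/24"),  # assumed: access points
    "LAB":  ipaddress.ip_network("192.168.3.0/24"),  # assumed: Rosetta@Home boxes
}

Packet = namedtuple("Packet", "src dst proto dport")
Rule = namedtuple("Rule", "iface action proto dport")  # None means "any"

# pfSense-style rule set: rules belong to the interface a packet ARRIVES on,
# first match wins, and a packet matching no rule is dropped (default deny).
RULES = [
    Rule("WAN", "block", "tcp", 22),   # explicit, so inbound SSH attempts show up in logs
    Rule("LAN", "pass", None, None),   # desk LAN may reach the other LANs and the internet
    Rule("WIFI", "pass", None, None),
    Rule("LAB", "pass", None, None),
]

def ingress_interface(src):
    """Interface a packet arrives on, judged here by its source subnet.
    (The real firewall knows the physical port; this is a model.)"""
    addr = ipaddress.ip_address(src)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return "WAN"  # anything outside the three LANs comes in from the internet

def decide(pkt, rules=RULES):
    """Return 'pass' or 'block' for a packet, the way the firewall would."""
    iface = ingress_interface(pkt.src)
    for r in rules:
        if r.iface != iface:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "block"  # no rule matched: the implicit default deny

if __name__ == "__main__":
    # Constructed packets; 203.0.113.0/24 is a documentation range standing
    # in for "somewhere on the internet".
    for p in (Packet("203.0.113.9", "192.168.1.10", "tcp", 22),    # SSH from outside
              Packet("192.168.1.10", "192.168.3.20", "tcp", 22),   # desk -> lab SSH
              Packet("203.0.113.9", "192.168.1.10", "tcp", 443)):  # other inbound
        print(p.src, "->", p.dst, p.proto, p.dport, ":", decide(p))
```

The third packet shows why the default deny matters more than the explicit rule: inbound traffic to port 443 matches nothing on WAN and is dropped just like the SSH attempt, while the same SSH connection between two of the LANs passes.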


I hope you enjoyed this x-ray into my network! Next, I want to cover how it all works in a little more detail. Stuff changes a lot around here. Maybe I decide that one computer is better suited for a task that another computer is currently working on. So I swap them. Maybe I also have power consumption considerations that force me to move things around. So while computers change around a lot, I’m finally happy with how things are set up (and how cables are managed, sort of), and I’m ready to show it off!



© Thomas Desrosiers    Icons made by Freepik from www.flaticon.com