Is pfsense actually any good what-so-ever?

[n_K]

So I thought I'd play around with it.

I've spent probably about 2 whole days trying to get it to work, firstly there's no vmware appliance as it says there is on the homepage, so I went with the ISO install method for x64.

Install went fine, rebooted and picked some IPs, 192.168.10.10 for WAN, 192.168.12.10 for LAN. I actually had to turn it off and change some settings, despite saying 'Preparing for VMWare Install...' during the install, I assume that meant it included vmware tools so vmxnet3 would be supported out the box! Nope, no support for vmxnet at all. Switched both network cards to e1000s.

Anyway, the proxy system is an utter pain in the arse, and the inability to install packages from the commandline (I've got no more public IPs, so I eventually got the proxy working with an apache proxy). Installed snort, though the install seems broken, put in my snort code and enabled SNORT rules and emerging threats, updated a few times and it got emerging threats but it completely ignores updating the normal SNORT rules, the SNORT update log was always empty too.

Anyway, that was the pain of snort out the way, the actual wall is that no matter WHAT settings I use for WAN/LAN and NAT/Rules I CANNOT get it forwarding ANY traffic from WAN -> LAN. I looked on the state list and it shows the connections as 'SYN SENT | CLOSED'. Right about now, I'm just tempted to forget I ever saw it because it really does seem to have been far too good to be true.

So does anyone have any advice/experiance/suggestions of things to do to get a simple damn NAT working? IE from 192.168.10.10:80 -> 192.168.12.4:80? I originally thought it'd work without needing to act as a NAT if I'm honest, e.g. just assign it an IP and allow traffic to flow through but use snort to block any rubbish that shouldn't be there and have each other server behind it still have their normal public IPs.

[+BudMan]

So I have been running pfsense for years and never an issue..

I currently run it via vm on vsphere 5 for my physical network.

"Preparing for VMWare Install...' during the install, I assume that meant it included vmware tools"

Why would you think that?? Did it say it was installing the Tools? And no there is no vm appliance -- which is clearly stated on the link off their main page

"There are currently no VMware appliance downloads, simply install from the iso as usual."

As to getting a simple nat working -- its pretty difficult ;) You click NAT under firewall menu and put in what you want.

If I had to guess where you having your issue is the private IP you have on the WAN, there is a default rule that would block private IPs on the wan.

This would clearly block your traffic before it could get to your forward rule.

Why would you have a double nat in the first place - ie private on the wan?

And you can get vmxnet3 drivers to work, just install the official tools. But to be honest e1000 works just fine, I was using the vmxnet3 but did not see any real improvement and ran into a bug in using an ipsec client behind the router. It might have to do with the odd naming of the interfaces.

I have left them on my pfsense box if ever want to switch back to them.. Makes it easy to switch back and forth that way, etc.

vmx3f0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500

options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>

ether 00:0c:29:4b:2f:44

media: Ethernet 10Gbase-T

status: active

vmx3f1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500

options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>

ether 00:0c:29:4b:2f:4e

media: Ethernet 10Gbase-T

status: active

I believe the issue might have to do with that 3f0 and 3f1 in the name -- there was post about it on the pfsense forums a few days back, related to why vlans were not working with those nics.

More than happy to help you get a pfsense router up an running -- I love the distro and have had no issues with it, and a few other users here on neowin run it as well without any problems.

[n_K]

I gave up with pfSense, it wouldn't work and forward any traffic. The SNORT for it was a bit tosh too, apparently it updated emerging-threats but not the normal VRT rules using my oink code, and the SNORT info page never showed any details on what versions of files were installed plus the update log was always empty. If I'm honest, I see it as a OK-ish starting base product that really needs updating and fixing to be what it says it is on the box.

After all the hassle I went with arch with my own customised grsec and selinux kernel, 3 ethernet's with 2 being IP-less and creating a bridge then using SNORT and iptables together on them... Took an incredibly long time to get right and working but it runs fine now! Although I'm not impressed that I need promisious mode enabled on all the switches that the VM is attached to :(.

I was quite surprised at the fact there's nothing at all that I found on google about setting up SNORT to be an IPS and act as a 'passive switch'-type mode at all, there was a few things on snort-inline which are from 2006 and don't work with the current SNORT and I wasn't able to find out how to use afpacket anywhere :s.

[+BudMan]

"I gave up with pfSense, it wouldn't work and forward any traffic."

And I showed you why that most likely was..

"I see it as a OK-ish starting base product"

I don't have a reason to run snort on my home network currently, so have not played with it on pfsense in a while - didn't have any issues with it when I did. What package where you trying to install? And kind of hard to see traffic for snort to look at if you were blocking private IPs on your wan? Not sure how you would of gotten it to update signatures if you were blocking private ip on your wan interface and your wan was on a private ip space -- did you have internet access working on it at all? But as far as you having issues with snort (a package not part of actual distro) I don't see how that reflects on the actual product of pfsense. Where on the "box" does it say its designed as an IPS?

http://www.pfsense.org/

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.

Where does that mention IPS? Looking on the feature page

http://www.pfsense.o...id=40&Itemid=43

Again not seeing mention of Full Blowin IPS? Not even seeing it mentioned at all.. So where is it on the box? Same goes with proxy feature of squid -- this is a "package" not built in feature. And you don't need a proxy to be a great firewall/router!

"Although I'm not impressed that I need promisious mode enabled on all the switches that the VM is attached to"

You wouldn't unless you want it to see all the traffic on that switch ;) Comes down to what traffic you would want snort to see. And how its connected to your physical network, and what your physical switches support, mirror/span ports, etc.

as to using afpacket on snort.. Do you have DAQ, did you built it with DAQ support?

As to your rules issue - do you have a VRT subscription? Not sure what rules you were wanting to grab with snort on pfsense?

I just checked my oinkcode and still worked

budman@ubuntu:/tmp$ wget http://www.snort.org...snipped>6a86394

--2012-05-12 09:43:06-- http://www.snort.org...<snipped>a86394

Resolving www.snort.org (www.snort.org)... 23.21.68.83

Connecting to www.snort.org (www.snort.org)|23.21.68.83|:80... connected.

HTTP request sent, awaiting response... 302 Found

Location: http://s3.amazonaws....ipped>TYV6aI%3D [following]

--2012-05-12 09:43:08-- http://s3.amazonaws....foZjHnTYV6aI%3D

Resolving s3.amazonaws.com (s3.amazonaws.com)... 72.21.195.97

Connecting to s3.amazonaws.com (s3.amazonaws.com)|72.21.195.97|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 17738637 (17M) [binary/octet-stream]

Saving to: `650292155171<snipped>86394'

Maybe I will fire up snort on pfsense -- have not played with it in a while.

[n_K]

I setup pfSense and removed all 'block wan' etc. and it still didn't forward traffic. I've got some more coding to do now and then I'll get this compiled, deploy it then I'll create a new VM and put pfSense on and see what it does.

'Where does that mention IPS? Looking on the feature page'

IPS is a feature of SNORT. SNORT is an IDS.

'You wouldn't unless you want it to see all the traffic on that switch...'

That's the problem, VMSwitch doesn't act like a real switch, switches are layer 2 devices but VMSwitch seems to be a layer 3 device and forwards only to the interface based on IP, if you remove an IP from an interface but have the VM acting as a switch, without promisious mode it gets no traffic at all, but with proisious it's getting a lot of traffic it shouldn't be :/.

'as to using afpacket on snort.. Do you have DAQ, did you built it with DAQ support?'

afpacket worked in that snort started up fine and used it, but I've no idea what the hell to do with it or how to configure it or do anything with it, so I compiled the nfq daq and used that instead.

'As to your rules issue - do you have a VRT subscription? Not sure what rules you were wanting to grab with snort on pfsense?'

The free rule set. I've tried with pulledpork and the other largely used one but didn't find them all that great, and both failed to set the rules up properly so I made my own script to download, change alert -> block, remove useless/bogus rules and update the SO rules.

'Maybe I will fire up snort on pfsense -- have not played with it in a while.'

It was using the official snort package for pfsense from the list... I did also find it a pain in the utter arse to get internet on pfSense too, it doesn't support SOCKS proxy at all so I had to setup an apache proxy for it on my other server (limitation of only having 5 public IPs) and go through that, but only HTTP traffic works, no FTP or HTTPS :/

[+BudMan]

"IPS is a feature of SNORT. SNORT is an IDS."

Just did a search on this page

http://www.pfsense.o...id=40&Itemid=43

No snort mentioned.. Where and what does it say, and were are you reading it?

"it doesn't support SOCKS proxy"

Who and the F uses a proxy for a router/firewall to access the internet?? I think your not actually understanding the purpose of what pfsense is to be used for.. If what you want is a prebult ids/ips vm appliance than grab that - that is not what pfsense is meant to do.

As to proxy support for its internet connection -- just at a lost to understand that? If what you want is to chain proxies -- again pfsense is not a proxy. There is a package to add proxy support too it, which can be chained - squid. But that is not what pfsense is actually designed todo. So no if your trying to use a product for something its not designed to do, its not going to shine.

Use it as a router/firewall and it rocks!

"VMSwitch seems to be a layer 3 device and forwards only to the interface based on IP"

Well yeah I agree with you that you do not see traffic if no IP, real world you would still see the broadcast traffic, etc. -- but keep in mind its not a REAL switch.. So yeah it prob takes some sort cuts, why should it process the packets to the port if there is nothing there to see it from its perspective.

[n_K]

'No snort mentioned.. Where and what does it say, and were are you reading it?'

It's a package, under packages.

"it doesn't support SOCKS proxy"

It wouldn't be on the internet, I'd ideally like it more if I could install packages without having to be on the internet using the stupid web GUI interface, would much rather prefer to SSH in, copy the file packages over and install them that way but no, pfsense doesn't support such a simple feature! So I can use a HTTP proxy which is the only one it supports, and since the only way I can get it working is using apache's mod_proxy, it doesn't support https or ftp, so half the packages don't even download!

'again pfsense is not a proxy'

I agree, I don't want it to act as a proxy, I wanted it to act as a 'passive' network switch that did stateful packet inspection and dropping when traffic seemed dodgy, with no public or private IPs assigned to it what-so-ever.

True about the vmswitch I guess, but it'd be useful if there was an option to allow it or input the IPs you want forwarded :(. I was looking at the nexus e1000 thing from cisco, and if I'm honest, I've still no idea what it does or how it works or even how you'd use it. Then there was the linux kernel's new 'vSwitch' but that sounded even worse than the vmSwitch haha!

[+BudMan]

"I wanted it to act as a 'passive' network switch that did stateful packet inspection and dropping when traffic seemed dodgy, with no public or private IPs assigned to it what-so-ever"

That is not purpose of pfsense - sounds like you want a IDS/IPS box, that is not what pfsense is -- it is a router/firewall

"pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router."

Now there are some docs around on the site to use it as a transparent filtering bridge - which sounds more what your looking for, etc. But that is not really what is meant to be.

Its like saying this apple sucks, because what you wanted was an orange.

[n_K]

But that is the definition for a router, they usually have inbuilt firewalls in them, and with firewalls comes IPS systems.

But yeah, doesn't matter now since I've got it all running from an arch vm!

[Graimer]

But that is the definition for a router, they usually have inbuilt firewalls in them, and with firewalls comes IPS systems.

But yeah, doesn't matter now since I've got it all running from an arch vm!

IPS isn't a feature that is built into all firewall software. IPS is a feature that's supported by some(many) dedicated firewalls(which costs more then normal home routers). Routers normally include a basic firewall, not a full-blooded firewall.

pfSense is something I haven't tried yet, so I'm not gonna join that debate. ;)

[+BudMan]

"and with firewalls comes IPS systems."

NO!!

Sure a IDPS could be considered a firewall because it is meant to control unwanted traffic from your network, but a firewall does not have to be a IDPS. Nor does a router have to have a firewall in it.

A firewall controls traffic based upon rules - is it reply to something, state. Is the dest port specific, is the source IP specific, etc..

IDPS detects and or blocks bad traffic based either upon signatures or behavior, etc.

Just because its a firewall does not mean its a IDPS at all.

[eXtermia]

You say you are not passing traffic, I pass minecraft server traffic all the time in on mine. is your pfsense behind a NAT firewall modem router from your ISP you may need to forward all traffic to your pfsense router too. (or put it in DMZ settings on modem routers)

Snort is a pain on pfsense I will agree, even more so if you dont customize the rules, you can end up blocking dns queries and more. But I fault it more with snort and not the pfsense.

I use HAVP, and squid on mine no problem. They work really great together. I also load balance 3 wan links, have a OpenVpn connection out when I want to watch netflix overseas. Update about 20 separate dynamic domain names with DynDns on it.

Of course you want to limit how many thing you put in it for security.

Bud talks about proxy above, I have used pfsense both as normal proxy using squid and as a loadbalancer with reverse proxy as well . All seems to work well just don't add to many packages to it as they can conflict and for security as I previously stated.

[eXtermia]

Oh I also have used two IP6 tunnels using hurricane electric (two /64 ranges) free over pfsense. It requires some updates to 2.1 to run but is pretty smooth. Squid doesnt seem to like to run will with ipv6 running however.

[n_K]

Yes the AV scanner got me interested most in pfsense :p but if you look around on snort, it was discontinued about 2 years ago and had a lot of problems which indicated to me pfsense's version of snort is ancient.

[+BudMan]

Would not call it ancient

BTW found this article that is interesting

http://www.smallnetbuilder.com/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense

Build Your Own IDS Firewall With pfSense

Package says its version Stable 2.9.1

I show on the snort page, 2.9.2.3 is current is it not? Sure ok the package is a bit dated, but it is not Ancient ;)