So I built a PFsense box this weekend. After much trial and error I got it working. It's probably the most non-intuitive thing I have worked with since Watchguard. The install is a joke, and often errors out, and/or doesn't detect NICs properly. In some cases you need to manually edit the loader to recognize NICs. Which of course in my case I needed to do. Second you need to load into it, and then enable the secondary NIC (LAN) because the install only allows you to designate the Primary NIC (WAN). Nothing about it is intuitive, or well done; the GUI, while good, isn't helpful. For example if you enable HAVP you need to disable transparency in Squid. Etc. None of this is indicated in the FW, so you need to research it on the internets. After I got it running default, nothing enabled, I placed it on my network. The problems started immediately: it broke my PBX-VOIP, and refused to allow my encrypted PBX pipe through. Essentially my VOIP is highly secure, and starts a 2048-bit encrypted VPN every time I pick up the phone, and generates a new key for the handshake. There is a 3 second pause when you pick up my phone while the handshake takes place, and the VPN is negotiated. PFsense was having NOTHING to do with that, even with all forwards correctly entered. Second, games started breaking. First Steam complained, then War Thunder refused to update, even with all ports correctly passed through. Research indicates PFsense is well known for 'breaking' stuff, including random games, etc. Throughput on some speed tests was terrible, and fine on others; consistency was lacking. After 3 hours of putting in policies/rules/forwards, nothing much was working correctly in the home. Which reminded me of my nightmares with Sophos UTM. My conclusion so far is Pfsense, while good for pure businesses and limited homes, is probably not a good choice for consumers, even tech savvy consumers. It seems to break too much right out of the box.
I assume I MAY be able to get it working if I spent a couple days poking through it. Which at some point I may attempt to tackle it again. The problem is, Untangle works out of the box after a few clicks on the installation, and doesn't block legitimate traffic out from the WAN. Once untangle fixes their anemic IPS, it will be a contender again - which apparently is in Beta right now. Anyone have any comments/suggestions? I want to bring Pfsense back into the mix if I can overcome how utterly picky and network breaking it is!
I can't help you with the PBX issue, but with War Thunder have you tried to open these ports? https://gaijin.zendesk.com/hc/en-us/articles/200070211--War-Thunder-game-ports Did you find any other issue? I know that pfsense can be a pain, but once you get it working you will never remove it.
Raiden, do you have a lot of experience with Pfsense? I want to give it another go this weekend, and would like to have resources on hand. I know these Distros are largely self-supported, and 'on your own' types of adventures, but if I run into serious issues I'd like an ear. That's fine if you can't, I think I know a network engineer that works at a major pentest firm that was a Pfsense guru, but I haven't talked to him in almost a year.
Not a lot, I have done some testing in a virtual machine, but I'm waiting for the new Braswell SoC to purchase a board and set up a server with this:
Hypervisor: KVM (Proxmox VE)
- VM1: pfsense
- VM2: Ubuntu or similar with Kodi and arkOS
The idea is to use PFsense as a router, and maybe even as an AP with Wi-Fi N, or I will buy a standalone AP.
I've been working on a new Pfsense box since I got off work. I talked with our IT Team Leader, and got some tips. Essentially he said working on L7 appliances they always plug in a LAN/WAN Allow Rule before the Deny/Deny. He said with most Distros they put in a WebConfig Anti-Lockout Rule, then Deny/Deny. So what I really need to do is plug in an Allow/Allow/All rule for Egress on the LAN in stage 1; that should avoid issues with most of the appliances and special applications, if I set it to ANY service. I dropped a new Pfsense box off of a switch on the LAN for testing, so far so good. This won't be a production box, it's just for testing. I will migrate to a Dell PowerEdge converted to Pfsense as a UTM server when I feel I am ready to go live. Pfsense is extraordinarily powerful from the looks so far, I dug into it pretty deep tonight. It has everything I want - reputation based IP blocking, Region Blocks, IBlocklist support, AV scanning, and most importantly, IPS w/Emerging Threat Databases. I won't get excited yet; if I can't get my complex PBX-VOIP working within 30 min of going live (whatever day I decide to go live), then I will need to pull it. I've not successfully brought my PBX server up under ANY UTM distro other than Untangle! (which drives me nuts) My PBX is essentially a NSA-Busting setup I put together with help from the VOIP engineers at work before I got certified as a VOIP engineer. What it does is generate a 2048-bit Encrypted VPN every time I pick up a phone (3 second delay for dialtone); this is end-to-end encryption with my trunk host, which then tosses out into a node cluster. Essentially making all of my calls unsnoopable. But it is VERY problematic to punch it through some of these UTMs, even with proper ports. I think it's related to back end SIP and RTP issues.
I think I have Pfsense working well enough in the lab to move it to production. One of the major bugs is that HAVP doesn't work. Well, it works only if you install the beta of Squid3; it won't work with any other Squid, or Stand Alone. This apparently was a bug introduced in 2.2 they never bothered to patch. A few other little issues I seem to have worked around. I will be 'testing' it on a limited run tonight to see if I can punch my VOIP through. If I succeed, then I will likely go live tomorrow.
Pfsense failed in production. The menu structure of the GUI is pretty cluttered, which frustrates me. The main issue was it wasn't handling DHCP accurately, the ARP tables were messing up, and stable WAN outbound wasn't achieved. I had to pull it off of the production rack. Very frustrating. I'm persistent, but this is getting unacceptable. Also there are a significant number of bugs in Pfsense that seem to languish. Same with Endian. I can get Pfsense running fine in a lab/test environment, but not properly on a production network. I will try to reach out to some Pfsense gurus I used to know, and if they can assist in setup, then I can take it from there. Or I think I will just stick with Untangle, toss the Beta on with SNORT, and wait for my ITUS to arrive. My son is a huge Untangle fan, and with good reason - it works - it's 100% stable, and has no known bugs. (and insane throughput)
Pfsense won't work for me. Heck, I can't even get one up and running accepting WAN/LAN connectivity. It's not rocket science, but it just doesn't work for some reason. It may be my gear.... Install Pf, configure the NICs, log in to the portal, maybe adjust a few policies... That's really all there is to it, but it won't work correctly, regardless of what I do. I've watched 4-5 videos on it, and followed the steps EXACTLY (and I was following them before watching videos). But it simply will not work, while I can easily get any other one working... This will be my 4th attempt to go live with Pfsense, and my 4th failure.
My thoughts have always been that Pfsense will perform on almost any old gear. In my past experience the Pfsense setup to me was a pain in the rectum & I went the Untangle route instead, until I discovered how to quickly deploy Sophos UTM rules correctly. Best of luck mate.
Interesting you mention this. Building out a Sophos UTM box right now. Hopefully I can get my VOIP punched through it, and I can go live with it. Pfsense is ... Bad. IMO. As for Sophos, the first round I installed one asking for a license. I assume I installed the wrong one; I distinctly remember them offering a free home version.
M... The home license is free with lifelong updates; you just have to register with a real email address @ their site & they send the lic file instantly. FYI here is an example that I grabbed from a Sophos forum site on how to implement Sophos NATting & Firewall up for torrents, as it took me out of the grey area of how to set all rules & got me up & running with my first install very quickly. This was after I had spent many hours trying to implement rules without any success. Hopefully it will point you in the right direction for other apps.

(quoted Astaro forum post, 04-25-2012, 08:52 PM)

uTorrent Guide
After spending 2 days trying to make uTorrent work behind Astaro 8 I finally managed to solve it. Here is how I did... Astaro gurus out there - feel free to comment on this... am I doing anything stupid here?

1. Create the Definition for the computer running uTorrent
Definition and Users -> Network Definitions -> New Network Definition ->
Name: uTorrent host (or whatever you want to call your seedbox)
Type: Host
Interface: Any
IPv4 Address: 192.168.10.100 (or whatever LAN address your seedbox has)
Comment: Whatever you want

2. Create the Service Definition
Definition and Users -> Service Definitions -> New Service Definition ->
Name: uTorrent
Type of Definition: TCP/UDP
Destination port: 55555 (or whatever port you have set in uTorrent)
Source port: 1:65535
Comment: Whatever

3. Create NAT Rule
Network Security -> NAT -> DNAT/SNAT -> New NAT rule
Traffic Source: Any
Traffic Service: uTorrent
Traffic Destination: External (WAN) Network - (I don't really understand why it shouldn't be Any to Internal...... but it must be External)
NAT Mode: DNAT
Destination: uTorrent Host (the host definition created under p. 1 above)
Destination Service: uTorrent (the service definition created under p. 2 above)
Automatic Firewall rule: On
Turn it on, i.e. press the red/green switch

4. Create the outbound firewall rule
Firewall -> New Rule
Source: uTorrent Host
Service: Any
Destination: Any
Turn it on, i.e. press the red/green switch
This will open all outbound communication from the uTorrent host

5. Create the inbound firewall rule
Firewall -> New Rule
Source: Any
Service: uTorrent
Destination: uTorrent Host
Turn it on, i.e. press the red/green switch
----------------------------------------
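The rule layout the IT lead described a few posts up (anti-lockout rule first, LAN allow-any egress, catch-all deny) together with the DNAT plus inbound/outbound pair from the quoted uTorrent guide, written out as a pf.conf fragment of the kind pfSense runs on FreeBSD's pf. This is an added illustration, not configuration from the thread, pfSense or Sophos; the interface names em0/em1 are assumed, the host and port values are the guide's.

```pf
# Added example: pfSense-style pf.conf fragment for the rule layout discussed in the thread.
ext_if = "em0"                 # WAN interface (assumed name)
lan_if = "em1"                 # LAN interface (assumed name)
seedbox = "192.168.10.100"     # host from the guide's step 1
torrent_port = "55555"         # port from the guide's step 2

set skip on lo0
scrub in all

# Translation rules sit before the filter rules in pf.conf.
# Step 3 (DNAT): WAN traffic to our external address on the torrent port goes to the seedbox.
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port $torrent_port -> $seedbox

# Default deny ("Deny/Deny"): anything not explicitly passed below is dropped and logged.
# The pass rules use "quick", so the first matching pass rule wins and stops evaluation.
block in log all

# Anti-lockout: keep the web GUI (HTTPS) and SSH reachable from the LAN regardless of
# whatever else is added later, so a rule mistake cannot lock the admin out.
pass in quick on $lan_if proto tcp from $lan_if:network to ($lan_if) port { 443, 22 } keep state

# Step 5 (inbound rule): accept the redirected torrent traffic. pf filters on the
# post-translation address, so the destination here is the seedbox, not the WAN address.
pass in quick on $ext_if proto { tcp, udp } from any to $seedbox port $torrent_port keep state

# Step 4 / the "Allow/Allow/All" LAN egress rule: any LAN host may reach anything, stateful,
# so return traffic is matched by state rather than needing its own inbound rule.
pass in quick on $lan_if from $lan_if:network to any keep state
pass out quick on $ext_if all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and note that pfSense regenerates its own ruleset from the GUI, so a hand-edited file is for understanding the ordering, not for production.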
I am blown away by Sophos UTM!!! I have it fully operational, and have my Encrypted VOIP punched through. I have both AV engines running at the gateway (Sophos+Avira). I have set up my own Web Categories (porn, gambling, threats, etc). I'm now working on port forwarding for my security server. Pfsense is a joke compared to this. Sophos is a professional package. One cool thing - I have Web-Reputation filtering now; anything 'bad' reputation-wise is filtered, and it's getting 100% of every malware domain I throw at it. Best of all - it has PUA/PUP detections in multiple areas, ranging from Web to AVs. Also, every virus/trojan/exploit I have tried is stopped at the gateway. This thing is phenomenal! A true Layer 8 Firewall with ATP. I almost feel godlike having this in my home.
OMG this has Endpoint Deployment and Management built in.... This is the equivalent of a $10,000.00 Fortinet.
Does it still only support 50 IPs? When I tested it 5 years ago I sat on a 100 Mbit line, but there were some problems with the throughput with all the bells and whistles on. Anything you guys could check out? I was running it on good enough hardware, so that was not the problem. /E
Hi E/ The Self Installed UTM Essential V9.1 firewall (only) is unlimited / free for business use: http://www.sophos.com/en-us/products/free-tools/sophos-utm-essential-firewall.aspx Sophos UTM Home Edition, featuring Network, Web, Mail and Web Application Security: supports 50 IPs. I've never tried the up to 10 centrally managed endpoint AV licenses that have now become available. To answer your question re resources / performance: mine with latest V9 x64 are running on old 2-core AMD CPUs, 4GB DDR2 533 RAM (ASUS all-in-one Mini Towers) and run brilliantly smooth. DHCP, DNS & Web Site Category content filtering are handled by separate servers & cloud services. My connections are 80 / 6 Mbits which is fine for our environments which are 95% email. As over on my small rock in the Med, bandwidth costs mega bucks!!! To give an idea, some of the online gaming companies registered here for tax advantages are shelling out €10,000++ / month for their pipes. I would consider giving it another test drive if it floats your boat. Cheers M
Thx Mike! Did you try a connection test like http://www.speedtest.net/ with and without Sophos connected? The 50 IPs almost doesn't cut it in home environments nowadays, with everything connected to the internet. (Even Samsung's new washing machine) Let's see if Mayahana can see some drop in the internet connection throughput department; if I remember correctly he had a pretty fat pipe? Maybe we should open a Sophos UTM thread before someone gets frustrated, some hardcore generals in here /E
On what hw are you running Sophos? I discarded it because I read it requires dual core 2 GHz... which is a lot for what I plan to do; I don't know how it will work in a KVM with 1 core and 2 GB of RAM just for home use. EDIT It looks like it doesn't require that much.... http://networkguy.de/?p=269 http://www.infinigate.de/fileadmin/...staro/Marketing/DE/Astaro_Sizing_Guide_v9.pdf
Ookla ST (local) displays bandwidth max availability, no rise in latency; Ookla ST + PIA VPN to London (UK), no loss of bandwidth or latency rise; SoftEther Site to Site VPN (8 x UDP session connections) = max upload, no latency rise. Can't give any first hand experience on this as I had a load of 2-core AMDs with nothing to do after we upgraded some workstations a while back. With my specs I roughly get the following from daily charts: average CPU usage 5% spiking to 40%, memory (4GB installed) floats around the 40% mark. You may be in luck, but I did read recently from Sophos main site that users could experience some drag with less. May well also depend on number of IPs monitored, services running & the throughput of traffic?
Patch notes say 'significant' performance improvements made on 9.2 then 9.3. Apparently the IPS is core sensitive now, etc. To me it seems WAY lighter compared to back on 9.0 when I first tried it, and found it unacceptable for my purposes.