Pfsense..

Discussion in 'other firewalls' started by Mayahana, Mar 2, 2015.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    So I built a PFsense box this weekend.. After much trial and error I got it working. It's probably the most non-intuitive thing I have worked with since Watchguard.

    The install is a joke, and often errors out, and/or doesn't detect NICs properly. In some cases you need to manually edit the loader to recognize NICs. Which of course in my case I needed to do. Second you need to load into it, and then enable the secondary NIC (LAN) because the install only allows you to designate the Primary NIC (WAN). Nothing about it is intuitive, or well done, the GUI while good, isn't helpful. For example if you enable HAVP you need to disable transparency in Squid. Etc. None of this is indicated in the FW, so you need to research it on the internets.

    After I got it running default, nothing enabled, I placed it on my network. The problems started immediately, it broke my PBX-VOIP, and refused to allow my encrypted PBX pipe through. Essentially my VOIP is highly secure, and starts a 2048-Bit encrypted VPN every time I pick up the phone, and generates a new key for the handshake. There is a 3 second pause when you pick up my phone while the handshake takes place, and the VPN is negotiated. PFsense was having NOTHING to do with that, even with all forwards correctly entered. Second, games started breaking.. First Steam complained, then War Thunder refused to update, even with all ports correctly passed through. Research indicates PFsense is well known for 'breaking' stuff, including random games, etc. Throughput on some speed tests was terrible, and fine on others, consistency was lacking.

    After 3 hours of putting in policies/rules/forwards, nothing much was working correctly in the home. Which reminded me of my nightmares with Sophos UTM. My conclusion so far is Pfsense, while good for pure businesses, and limited homes, is probably not a good choice for consumers, even tech savvy consumers. It seems to break too much right out of the box. I assume I MAY be able to get it working if I spent a couple days poking through it. Which at some point I may attempt to tackle it again. The problem is, Untangle works out of the box after a few clicks on the installation, and doesn't block legitimate traffic out from the WAN. Once Untangle fixes their anemic IPS, it will be a contender again - which apparently is in Beta right now.

    Anyone have any comments/suggestions? I want to bring Pfsense back into the mix if I can overcome how utterly picky and network breaking it is!
     
  2. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,085
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Raiden, do you have a lot of experience with Pfsense?

    I want to give it another go this weekend, and would like to have resources on hand. I know these Distros are largely self-supported, and 'on your own' types of adventures, but if I run into serious issues I'd like an ear. That's fine if you can't, I think I know a network engineer that works at a major pentest firm that was a Pfsense guru, but I haven't talked to him in almost a year.
     
  4. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,085
    Not a lot, I have done some testing in a virtual machine, but I'm waiting for the new Braswell SoC to purchase a board and set up a server with this:

    Hypervisor: KVM (Proxmox VE)
    -VM1: pfsense
    -VM2: Ubuntu or similar with Kodi and arkOS

    The idea is to use PFsense as a router, and maybe even as an AP with WiFi N, or I will buy a standalone AP.
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I've been working on a new Pfsense box since I got off work.

    I talked with our IT Team Leader, and got some tips. Essentially he said working on L7 appliances they always plug in a LAN/WAN Allow Rule before the Deny/Deny. He said with most Distros they put in a WebConfig Anti-Lockout Rule, then Deny/Deny. So what I really need to do is plug in an Allow/Allow/All rule for Egress on the LAN in stage 1, that should avoid issues with most of the appliances and special applications, if I set it to ANY service. I dropped a new Pfsense box off of a switch on the LAN for testing, so far so good. This won't be a production box, it's just for testing. I will migrate to a Dell Poweredge converted to Pfsense as a UTM server when I feel I am ready to go live.

    Pfsense is extraordinarily powerful from the looks so far, I dug into it pretty deep tonight. It has everything I want - reputation based IP blocking, Region Blocks, IBlocklist support, AV scanning, and most importantly, IPS w/Emerging Threat Databases. I won't get excited yet, if I can't get my complex PBX-VOIP working within 30 min of going live (whatever day I decide to go live), then I will need to pull it. I've not successfully brought my PBX server up under ANY UTM distro other than Untangle! (which drives me nuts) My PBX is essentially an NSA-Busting setup I put together with help from the VOIP engineers at work before I got certified as a VOIP engineer. What it does is generate a 2048-Bit Encrypted VPN every time I pick up a phone (3 second delay for dialtone), this is end-to-end encryption with my trunk host, which then tosses out into a node cluster. Essentially making all of my calls unsnoopable. But it is VERY problematic to punch it through some of these UTMs, even with proper ports. I think it's related to back end SIP and RTP issues. :doubt:
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I think I have Pfsense working well enough in the lab to move it to production.

    One of the major bugs is that HAVP doesn't work. Well.. It works only if you install the beta of Squid3, it won't work with any other Squid, or Stand Alone. This apparently was a bug introduced in 2.2 they never bothered to patch.

    A few other little issues I seemed to have worked around. I will be 'testing' it on a limited run tonight to see if I can punch my VOIP through. If I succeed, then I will likely go-live tomorrow.
     
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Pfsense failed in production. The menu structure of the GUI is pretty cluttered, which frustrates me. The main issue was it wasn't handling DHCP accurately, and the ARP tables were messing up, and stable WAN outbound wasn't achieved. I had to pull it off of the production rack. Very frustrating. I'm persistent, but this is getting unacceptable. Also there are a significant number of bugs in Pfsense that seem to languish. Same with Endian.

    I can get Pfsense running fine in a lab/test environment, but not properly on a production network. I will try to reach out to some Pfsense gurus I used to know, and if they can assist in setup, then I can take it from there. Or I think I will just stick with Untangle, toss the Beta on with SNORT, and wait for my ITUS to arrive.. My son is a huge Untangle fan, and with good reason - it works - it's 100% stable, and has no known bugs. (and insane throughput)
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Pfsense won't work for me.. Heck I can't even get one up and running accepting WAN/LAN connectivity. It's not rocket science, but it just doesn't work for some reason. It may be my gear.... Install Pf, configure the NICs, and login to the portal, maybe adjust a few policies... That's really all there is to it, but it won't work correctly, regardless of what I do. I've watched 4-5 videos on it, and followed the steps EXACTLY (and I was following them before watching videos). But it simply will not work, while I can easily get any other one working...

    This will be my 4th attempt to go live with Pfsense, and my 4th failure.
     
  9. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    My thoughts have always been that Pfsense will perform on almost any old gear o_O In my past experience the Pfsense setup to me was a pain in the rectum & I went the Untangle route instead, until I discovered how to quickly deploy Sophos UTM rules correctly.

    Best of luck mate.
     
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Interesting you mention this.. Building out a Sophos UTM box right now. Hopefully I can get my VOIP punched through it, and I can go live with it.

    Pfsense is ... Bad. IMO.

    As for Sophos, the first round I installed one asking for a license.. I assume I installed the wrong one, I distinctly remember them offering a free home version.
     
  11. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    M... The home license is free with life long updates you just have to register with a real email address @ their site & they send the lic file instantly.

    FYI here is an example that I grabbed from a Sophos forum site on how to implement Sophos Natting & Firewall up for torrents as it took me out of the grey area of how to set all rules & got me up & running with my first install very quickly. This was after I had spent many hours trying to implement rules without any success. Hopefully it will point you in the right direction for other apps.



    04-25-2012, 08:52 PM
    uTorrent Guide
    After spending 2 days trying to make uTorrent work behind Astaro 8 I finally managed to solve it. Here is how I did...

    Astaro gurus out there - feel free to comment on this...am I doing anything stupid here?

    1. Create the Definition for the computer running uTorrent

    Definition and Users -> Network Definitions -> New Network Definition ->

    Name: uTorrent host (or whatever you want to call your seedbox)
    Type: Host
    Interface: Any
    IPv4 Address: 192.168.10.100 (or whatever LAN address your seedbox has)
    Comment: Whatever you want


    2. Create the Service Definition

    Definition and Users -> Service Definitions -> New Service Definition ->

    Name: uTorrent
    Type of Definition: TCP/UDP
    Destination port: 55555 (or whatever port you have set in uTorrent)
    Source port 1:65535
    Comment: Whatever

    3. Create NAT Rule

    Network Security -> NAT -> DNAT/SNAT -> New NAT rule

    Traffic Source: Any
    Traffic Service: uTorrent
    Traffic Destination: External (WAN) Network - (I don't really understand why it shouldn't be Any to Internal......but it must be External)
    Nat Mode: DNAT
    Destination: uTorrent Host (the host definition created under p. 1 above)
    Destination Service: uTorrent (the service definition created under p. 2 above)
    Automatic Firewall rule: On

    Turn it on, i.e. press the red/green switch

    4. Create the outbound firewall rule

    Firewall -> New Rule

    Source: uTorrent Host
    Service: Any
    Destination: Any

    Turn it on, i.e. press the red/green switch

    This will open all outbound communication from the uTorrent host

    5. Create the inbound firewall rule

    Firewall -> New Rule

    Source: Any
    Service: uTorrent
    Destination: uTorrent Host

    Turn it on, i.e. press the red/green switch

    ----------------------------------------
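As an added example (not from the quoted guide, the forum, or Sophos), here is the five-step rule set above modelled in Python so the effect of each step can be checked on constructed packets; the WAN address 203.0.113.5 and the peer address 198.51.100.7 are assumed placeholders. It also shows the answer to the guide's open question: DNAT matches the destination as the packet arrives, before translation, so an inbound peer addressing the WAN IP only ever matches a rule whose Traffic Destination is External.

```python
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.5"        # constructed placeholder for the External (WAN) address
SEEDBOX = "192.168.10.100"    # the "uTorrent host" network definition (step 1)
UTORRENT_PORT = 55555         # the "uTorrent" service definition, TCP/UDP (step 2)
LAN_PREFIX = "192.168.10."    # the Internal network behind the UTM


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def dnat(pkt, traffic_destination="external"):
    """Step 3. DNAT matches the destination as it arrives, before translation.
    Inbound peers address the WAN IP, so only traffic_destination="external"
    ever matches; "internal" (the guide's puzzled alternative) never fires."""
    if traffic_destination == "external":
        hit = pkt.dst == WAN_IP
    else:
        hit = pkt.dst.startswith(LAN_PREFIX)
    if hit and pkt.proto in ("tcp", "udp") and pkt.dport == UTORRENT_PORT:
        return replace(pkt, dst=SEEDBOX)
    return pkt


def firewall(pkt):
    """Steps 4 and 5, evaluated on the post-NAT packet; anything else is denied."""
    if pkt.src == SEEDBOX:                                  # step 4: seedbox out, any service
        return "allow"
    if pkt.dst == SEEDBOX and pkt.dport == UTORRENT_PORT:   # step 5: in, uTorrent service only
        return "allow"
    return "deny"


def process(pkt, traffic_destination="external"):
    """Return (verdict, final destination) for a packet crossing the UTM."""
    translated = dnat(pkt, traffic_destination)
    return firewall(translated), translated.dst


if __name__ == "__main__":
    peer = Packet("198.51.100.7", 40000, WAN_IP, UTORRENT_PORT)   # constructed inbound peer
    print(process(peer))                # ('allow', '192.168.10.100')
    print(process(peer, "internal"))    # ('deny', '203.0.113.5'): the rule never matched
```

Note that only the seedbox on the uTorrent port is reachable from outside; a peer aiming the same port at any other LAN host still hits the implicit deny.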
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I am blown away by Sophos UTM!!! I have it fully operational, and have my Encrypted VOIP punched through.

    I have both AV engines running at the gateway (Sophos+Avira). I have setup my own Web Categories (porn, gambling, threats, etc). I'm now working on port forwarding for my security server. Pfsense is a joke compared to this. Sophos is a professional package. One cool then - I have Web-Reputation filtering now, anything 'bad' reputation wise is filtered, and it's getting 100% of every malware domain I throw at it. Best of all - it has PUA/PUP detections in multiple areas, ranging from Web to AVs.

    Also, every virus/trojan/exploit I have tried is stopped at the gateway. This thing is phenomenal! A true Layer 8 Firewall with ATP. I almost feel godlike having this in my home. :D
     
  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    OMG this has Endpoint Deployment and Management built in....

    This is the equivalent of a $10,000.00 Fortinet.
     
  14. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    You can understand why I dropped Untangle for it...;)
     
  15. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Does it still only support 50 IPs?

    When I tested it 5 years ago I sat on a 100 Mbit line, but there were some problem with the throughput with all the bells and whistles on.

    Anything you guys could check out?
    I was running it on good enough hardware, so that was not the problem.
    /E
     
    Last edited: Mar 6, 2015
  16. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    Hi E/

    The Self Installed UTM Essential V9.1 firewall (only) is unlimited / free for business use: http://www.sophos.com/en-us/products/free-tools/sophos-utm-essential-firewall.aspx

    Sophos UTM Home Edition, featuring Network, Web, Mail and Web Application Security: Supports 50 IPs. I've never tried the up to 10 centrally managed endpoint AV licenses that have now become available.

    To answer your question re resources / performance. Mine with latest V9 x64 bit are running on old 2X Core AMD CPUs, 4GB DDR2 533 RAM (ASUS all in One Mini Towers), and run brilliantly smooth. DHCP, DNS & Web Site Category content filtering are handled by separate servers & cloud services.

    My connections are 80 / 6 Mbits which is fine for our environments which are 95% email. As over on my small rock in the Med, bandwidth costs mega bucks!!! To give an idea some of the online gaming companies registered here for tax advantages are shelling out €10,000++ / month for their pipes.

    I would consider giving it another test drive if it floats your boat.

    Cheers

    M
     
  17. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Thx Mike!
    Did you try a connection test like http://www.speedtest.net/ with and without Sophos connected?

    The 50 IPs almost don't cut it in home environments nowadays, with everything connected to the internet. (Even Samsung's new washing machine) :)

    Let's see if Mayahana can see some drop in the internet connection throughput department, if I remember correctly he had a pretty fat pipe?
    Maybe we should open a Sophos UTM thread before someone gets frustrated, some hardcore generals in here ;)

    /E
     
  18. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,085
    Last edited: Mar 6, 2015
  19. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    Ookla ST (local) displays bandwidth max availability no rise in latency, Ookla ST +PIA vpn to London (UK) no loss bandwidth or latency rise, SoftEther Site to Site VPN (8 x UDP session connections ) = Max Upload no latency rise.

    Can't give any first hand experience on this as I had a load of 2X Core AMDs with nothing to do after we upgraded some workstations a while back. With my specs I roughly get the following from daily charts: Average CPU usage 5% spiking to 40%, Memory (4GB Installed) floats around the 40% mark.

    You may be in luck, but I did read recently from Sophos main site that users could experience some drag with less. May well also depend on number of IPs monitored, services running & the throughput of traffic?
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Patch notes say 'significant' performance improvements made on 9.2 then 9.3..

    Apparently the IPS is core sensitive now, etc.

    To me it seems WAY lighter compared to back on 9.0 when I first tried it, and found it unacceptable for my purposes.