I Quit Using pfsense


Most consumer devices don't behave too well in an Enterprise environment in the first place... that is one reason most of us security guys despise it when we get the request to get consumer devices put on the network and punched through the firewalls.

If your firewall is stateful... how is blocking anything on the WAN going to work on restricting internal DNS queries? I know on the Enterprise stuff, blocking DNS on the WAN interface will NOT stop a rogue DNS client, since the outbound access is there and the response is permitted as part of the stateful connection.
 
You can implement enterprise features; it's all about how you implement them. For instance, hijacking local DNS traffic ensures your DNS server is used regardless of user settings. Transparent web proxy configurations allow caching and additional filtering. Implementing security while making it invisible is the way to go, so the clients don't see any difference between your network and another.

The major difference between an enterprise network and a regular home network is layer 2 security: implementing fully managed switches and filtering on both layer 2 and 3 on the local side to prevent someone from hacking from the LAN. While this would be rare in a home network, you can implement it for no additional benefit, as 99% of your worries are on the WAN, since you can't stop an infected client from using your network (i.e. if you have kids and they get malware from elsewhere, there's no stopping that), but you can detect the behaviour and block malware traffic from communicating to the internet, which is pretty helpful to prevent spyware, although you should do this for your Windows too. Honestly, how many of us actually use Windows services in Windows 10? So even if Bing gets blocked, for instance, it's no biggie.

You can also block VPNs very easily too if you don't want internal clients making tunnels about. If it is a workplace this is fine if you want to ensure people do work, but you will need to make exceptions for some and your own VPN tunnels for people to connect to your office remotely.

So a lot of enterprise features I would call bad, because I hate specific blocking. I don't like getting a list of things to block (you see many guides on people showing you how to block entire countries). It's a lot better to block via behaviour rather than a known list. This also applies to antiviruses: you don't want an antivirus that can only detect known malware, you want it to detect based on software behaviour too (many custom ROMs for Android have this feature in the firmware itself, preventing bad behaviour from apps (many programmers simply suck)). I see many posts on MikroTik forums about specific blocking, and I keep telling them that it's a bad idea to block a whole website like Facebook or YouTube, for instance, when it's the apps that are the problem and not the actual site itself, as many use it to coordinate, even businesses too, and social media is part of businesses as well. With YouTube there's a lot of helpful content as well.

So if you want good security for your network, just remember these few tips.
1) detection (configurable routers, and some can show your network clients even if they are rogue, but you do need to set it up); logging and traffic lists help here
2) force the use of your local resources (DNS, NTP, web, layer 2, DHCP, etc.)
3) block via behaviour rather than known lists (why do you think IDS and IPS exist?)
4) use specific whitelists, not blacklists
5) never blanket block (this includes protocols)
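Tips 1 and 2 together amount to "watch which resolver each client actually talks to, and redirect rather than block". The following is an added example for this thread, not code from any post here or from pfSense or MikroTik: it reads constructed firewall log lines (the format is invented for the example) and reports LAN clients that bypass the local resolver, while recognising the router's own upstream lookups, which an ACL must still permit. The resolver address is an assumption.

```python
"""Flag LAN clients that send DNS to anything other than the local resolver.
Added example for this thread; log format and addresses are constructed."""
from collections import defaultdict

LOCAL_RESOLVER = "192.168.1.1"   # assumed address of the router's own DNS

# Constructed sample lines: action proto src:sport dst:dport
SAMPLE_LOG = """\
pass udp 192.168.1.20:51234 192.168.1.1:53
pass udp 192.168.1.20:51235 8.8.8.8:53
pass tcp 192.168.1.31:40012 1.1.1.1:53
pass udp 192.168.1.31:40013 192.168.1.1:53
pass udp 192.168.1.1:5353 9.9.9.9:53
pass tcp 192.168.1.20:44321 203.0.113.10:443
"""

def parse_line(line):
    action, proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"action": action, "proto": proto, "src": src_ip,
            "sport": int(src_port), "dst": dst_ip, "dport": int(dst_port)}

def classify_dns_flow(pkt, resolver=LOCAL_RESOLVER):
    """'not-dns'; 'local' (client to our resolver); 'router-own' (the
    resolver's own upstream lookups, which must stay permitted); or
    'redirect' (client bypassing the resolver: a NAT redirect rule would
    send this to the local resolver instead of dropping it)."""
    if pkt["dport"] != 53 or pkt["proto"] not in ("udp", "tcp"):
        return "not-dns"
    if pkt["dst"] == resolver:
        return "local"
    if pkt["src"] == resolver:
        return "router-own"
    return "redirect"

def rogue_dns_clients(log_text, resolver=LOCAL_RESOLVER):
    """Map each bypassing client to the external resolvers it tried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if classify_dns_flow(pkt, resolver) == "redirect":
            seen[pkt["src"]].add(pkt["dst"])
    return {ip: sorted(dsts) for ip, dsts in seen.items()}

if __name__ == "__main__":
    for client, resolvers in rogue_dns_clients(SAMPLE_LOG).items():
        print(f"{client} bypassed the local resolver via {', '.join(resolvers)}")
```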
 
> Most consumer devices don't behave too well in an Enterprise environment in the first place... that is one reason most of us security guys despise it when we get the request to get consumer devices put on the network and punched through the firewalls.
>
> If your firewall is stateful... how is blocking anything on the WAN going to work on restricting internal DNS queries? I know on the Enterprise stuff, blocking DNS on the WAN interface will NOT stop a rogue DNS client, since the outbound access is there and the response is permitted as part of the stateful connection.

Consumer devices may actually do stuff for you trying to help which you did not want. You got me posting a question out on Cisco's small business web site about blocking DNS.
 
> Consumer devices may actually do stuff for you trying to help which you did not want. You got me posting a question out on Cisco's small business web site about blocking DNS.

You don't want to block it, simply hijack and redirect.

DNS supposedly runs as a service on the router, which uses input/output even for forwarding queries, but query forwarding without using the router's DNS service counts as normal traffic forwarding, which you can block if you block TCP and UDP port 53 on forward.
 
If you are blocking your router then you can add an ACL to allow the router out.

I am still trying to figure out stateful firewalls with UDP, since UDP is a one-way conversation, and whether the return conversation is considered one way also and will override ACLs.
 
> If you are blocking your router then you can add an ACL to allow the router out.
>
> I am still trying to figure out stateful firewalls with UDP, since UDP is a one-way conversation, and whether the return conversation is considered one way also and will override ACLs.

I thought most stateful firewalls had good support even for things like UDP & ICMP.

With pfSense, if I allow outbound DNS it statefully allows the response. If I allow outbound ping it statefully allows the response.
 
OOPS. My DNS ACLs should be on the LAN side, not the WAN side. I guess I am getting old; I screwed up setting this router up.
I just changed my ACLs to the LAN side instead of WAN and they work. I plugged in 8.8.8.8 on a workstation and DNS failed.
> You don't want to block it, simply hijack and redirect.
>
> DNS supposedly runs as a service on the router, which uses input/output even for forwarding queries, but query forwarding without using the router's DNS service counts as normal traffic forwarding, which you can block if you block TCP and UDP port 53 on forward.

If you just wanted to use your router's DNS you could lock your network where all your local clients would have to use your router for DNS.
 
> If you just wanted to use your router's DNS you could lock your network where all your local clients would have to use your router for DNS.

Which is better than devices not working on your network. In a lot of these cases you can't even change the settings; for example, nowhere does Google Chrome allow you to specify a DNS server.
 
> Which is better than devices not working on your network. In a lot of these cases you can't even change the settings; for example, nowhere does Google Chrome allow you to specify a DNS server.

If you run Google Chrome, doesn't it use the Windows DNS server setup on the PC?

I have not run Google Chrome for many years. I had it installed on a young Windows 7 PC many years ago and I was hacked through Chrome's sound files. I don't run it any more.

PS
How is Google Chrome going to work on large corporate networks if it has its DNS hard coded? Large corporations are going to have their own DNS server, which will be required to access local corporate devices and will be set up on all the workstations.
 
When blocking DNS I am not sure whether you need to block TCP. DNS is mainly UDP. It may be wasted CPU cycles trying to block the TCP side. I don't know what the experts say nowadays. 20 years ago we only blocked UDP.

Any comments?

PS
I am thinking that if we need to block DNS on TCP, we don't need to allow it through, so all we may need is a block and no permit, which would save CPU cycles. I think all valid DNS is on UDP.
> If you run Google Chrome, doesn't it use the Windows DNS server setup on the PC?
>
> I have not run Google Chrome for many years. I had it installed on a young Windows 7 PC many years ago and I was hacked through Chrome's sound files. I don't run it any more.
>
> PS
> How is Google Chrome going to work on large corporate networks if it has its DNS hard coded? Large corporations are going to have their own DNS server, which will be required to access local corporate devices and will be set up on all the workstations.

Yes, I've had issues before when browsing local resources without DNS hijacking.
 
Sounds like you need to set up your local DNS for your local devices if you are having trouble finding devices. Google Chrome should just work with whatever you set up. DNS should make no difference with Google Chrome.

There is no DNS setting in Google Chrome because the Windows PC is in control of the NIC and DNS settings.
 
Correct in that UDP and ICMP don't generally have a true state... so most stateful firewalls use a "virtual" state with a timer for most of these services. So for UDP DNS, it sees the request leave and then starts a timer for, say, 60 seconds that allows for a response to come back. If that timer expires, the response is considered out of state and dropped.

As for DNS... you need to block UDP and TCP. Even though UDP historically is the primary service and back in the day TCP was only used for zone transfers... TCP is perfectly valid for client traffic these days. If a response or query is large, it will use TCP instead of UDP. I do not remember what that size limit is off the top of my head... I just know that we for sure see UDP and TCP through the firewalls these days, and when we only permit UDP, we get some wonky behavior from various clients.
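The two mechanisms described above (the timer-based "virtual" UDP state, and the large-answer fallback to TCP) can be made concrete in a few lines. This is an added example for this thread, not pfSense or Cisco code: a minimal UDP state table with an expiry timer, and a check of the TC (truncated) bit in a DNS header, which is what makes a client retry the same query over TCP when an answer does not fit in UDP (512 bytes in classic DNS without EDNS). The 60 second timeout is the value from the post, assumed for the model.

```python
"""Model of a stateful firewall's UDP 'virtual state' plus the DNS TC-bit
check behind the UDP-to-TCP fallback. Added example; values are constructed."""
import struct

UDP_TIMEOUT = 60.0  # seconds; the 60 s quoted above, assumed for the model

class UdpStateTable:
    """Tracks outbound UDP flows; a reply is in-state only while the flow's
    timer (refreshed by each outbound packet) has not expired."""
    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # (src, sport, dst, dport) -> expiry time

    def outbound(self, src, sport, dst, dport, now):
        self.flows[(src, sport, dst, dport)] = now + self.timeout

    def inbound_allowed(self, src, sport, dst, dport, now):
        # The reply travels dst->src, so look up the mirrored 4-tuple.
        key = (dst, dport, src, sport)
        expiry = self.flows.get(key)
        if expiry is None:
            return False          # no state at all: unsolicited inbound
        if now > expiry:
            del self.flows[key]   # timer ran out: out of state, dropped
            return False
        return True

def dns_response_truncated(msg):
    """True when the TC bit (0x0200 in the flags word) is set in a DNS
    header: the resolver could not fit the answer in the UDP size limit and
    the client is expected to retry the same query over TCP."""
    if len(msg) < 12:
        raise ValueError("shorter than a 12-byte DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & 0x0200)

def build_dns_header(msg_id, response=True, truncated=False):
    """Constructed 12-byte DNS header for testing (sets only QR and TC)."""
    flags = (0x8000 if response else 0) | (0x0200 if truncated else 0)
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    table = UdpStateTable()
    table.outbound("192.168.1.20", 51234, "8.8.8.8", 53, now=0.0)
    print("reply at t=30 allowed:", table.inbound_allowed("8.8.8.8", 53, "192.168.1.20", 51234, now=30.0))
    print("reply at t=90 allowed:", table.inbound_allowed("8.8.8.8", 53, "192.168.1.20", 51234, now=90.0))
    print("TC set:", dns_response_truncated(build_dns_header(0x1234, truncated=True)))
```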
 
I've been using both DNS Resolver and DNS Forwarder on pfSense. One of the nice things about pfSense is the flexibility of assigning ranges and DNS per VLAN, and reducing the risk of DNS leakage when using OpenVPN or L2TP/IPsec.

Somebody posted a very good walk-through on pfSense setup and configuration with multiple VLANs and VPN setups.

https://nguvu.org/pfsense/pfsense-baseline-setup/

I can understand though why people are looking to migrate out of pfSense when using repurposed machines: pfSense 2.4 requires a 64-bit CPU, and pfSense 2.5 is going to require AES-NI along with 64-bit support, which on older builds can be a problem.
 
Went IPFire a long time ago and never looked at pfSense since. It might not have all the bells and whistles of pfSense, but it is faster and easier to understand and use.
Plus, you don't have to jump through hoops to make VoIP work. VoIP was the biggest let-down for me on pfSense.
 
> I've been using both DNS Resolver and DNS Forwarder on pfSense. One of the nice things about pfSense is the flexibility of assigning ranges and DNS per VLAN, and reducing the risk of DNS leakage when using OpenVPN or L2TP/IPsec.
>
> Somebody posted a very good walk-through on pfSense setup and configuration with multiple VLANs and VPN setups.
>
> https://nguvu.org/pfsense/pfsense-baseline-setup/
>
> I can understand though why people are looking to migrate out of pfSense when using repurposed machines: pfSense 2.4 requires a 64-bit CPU, and pfSense 2.5 is going to require AES-NI along with 64-bit support, which on older builds can be a problem.

I don't use VLANs on pfSense. My VLANs are handled by my Cisco layer 3 switch, an SG300-28. My switch just hands off straight packets with no tags to pfSense, so the write-up on using VLANs in pfSense will not help, as it does not apply in my case. pfSense is not aware of VLANs in my network. I recommend you read it and figure out what I am saying.

My Xeon is a 64-bit processor. I am not going to migrate to 2.5.
> I've been using both DNS Resolver and DNS Forwarder on pfSense. One of the nice things about pfSense is the flexibility of assigning ranges and DNS per VLAN, and reducing the risk of DNS leakage when using OpenVPN or L2TP/IPsec.

Can you expand on this a little more (maybe an example?). One of the things I'm struggling with is to assign different nameservers for OpenVPN vs WAN connections.
 
> Can you expand on this a little more (maybe an example?). One of the things I'm struggling with is to assign different nameservers for OpenVPN vs WAN connections.

It helps to visualize the OVPN interface as another WAN connection. So with two different namespaces, define VLANx and VLANy, and assign DHCP vars accordingly... unbound is kinda neat like that, but dnsmasq should be able to do this as well, I believe (could be wrong however).
 
> I don't use VLANs on pfSense. My VLANs are handled by my Cisco layer 3 switch, an SG300-28. My switch just hands off straight packets with no tags to pfSense, so the write-up on using VLANs in pfSense will not help, as it does not apply in my case. pfSense is not aware of VLANs in my network. I recommend you read it and figure out what I am saying.
>
> My Xeon is a 64-bit processor. I am not going to migrate to 2.5.

Understood. Not everyone needs a full-blown networking lab for a home network; that Xeon was burning power doing simple routing when it could be doing more for other things.

My little Rangeley box is overkill for home networks. Nice to have, esp. with pfSense, but again, overkill...

And pfSense: flexibility is what it is, and sometimes at the cost of usability... done right, it's a high performance package...