pfSense computer bulid

[ddaenen1]

Depending on how the box is setup you initially may need to go into the unit using the console mode before you can access its setup using the GUI. If that's the case you will need an HDMI cable so you can use a HDTV as a monitor and a USB keyboard.

That's one of the reasons i chose for the R210 as it has idrac6 which allows me full remote access.

 

[ddaenen1]

Thanks for the heads-up. I only have about 10 devices with static IP's so shouldn't take long.

Just reading about Suricata and pfBlockerNG. I can see my wife divorcing me by mid-March!

 

[Val D.]

Just reading about Suricata and pfBlockerNG. I can see my wife divorcing me by mid-March!

If you survived the Nuclear Reset, plan Sanitize Network operation - new IPs, new SSIDs, new wife... all never used before.

 

[ddaenen1]

If you survived the Nuclear Reset, plan Sanitize Network operation - new IPs, new SSIDs, new wife... all never used before.

I downloaded and installed pfblockerNG-devel today but actually i am a bit concerned switching it on, even after watching Lawrence Systems setup guide. Seems to me that much can go wrong and whilst i want to make our network more secure, i wouldn't want the family's surfing experience to be negatively impact such as websites that not load (properly) anymore, etc. Going to flip the switch a first time when i am alone in the house

 

[Fingers]

I downloaded and installed pfblockerNG-devel today but actually i am a bit concerned switching it on, even after watching Lawrence Systems setup guide. Seems to me that much can go wrong and whilst i want to make our network more secure, i wouldn't want the family's surfing experience to be negatively impact such as websites that not load (properly) anymore, etc. Going to flip the switch a first time when i am alone in the house

Anything that breaks, look in the logs/reports and whitelist.

 

[Val D.]

I downloaded and installed pfblockerNG-devel today but actually i am a bit concerned switching it on

The package doesn't come with any feeds pre-loaded. You have to tell it first what you want to block. We shop online, we bank online, we use Amazon Prime and Netflix, my daughters search for things a lot (high school and university materials), data is uploaded and downloaded, Skype/Viber are in active use, VoIP phone... no complaints. I have "Plan B" and "Plan C" procedures though in cases something stops working when I'm not around:

"Plan B" is a global disaster escape plan. It is a pre-configured AIO router. Turn pfSense off, turn AIO on, very simple. The entire network is restored in 2 minutes time, same SSIDs, same IPs per device, printers, phones, everything. "Plan B" was my life insurance policy during setting up pfSense. My ISP provides 2 x IPs, so "Plan B" and pfSense may coexist peacefully on the same modem. "Plan B" is good for hardware malfunctions also, things break, you never know.

"Plan C" is a temporary local client escape plan. If something gets blocked by error in pfSense, it comes to play. It had to be used few times in the early stages, but I fixed what was causing issues. It's a good thing to have "Plan C", it's user friendly and very simple - drill through pfSense with a VPN tunnel initiated at the client. What pfSense can't see, it can't block. Now, the VPN itself may become blocked on the way by someone else, but it's only a temporary escape plan, not perfect.

If you want, I can make your life much easier by sharing the "home use" settings I came up with in both pfBlockerNG and Suricata. And I actually use IPS in Suricata (blocking). I have about 250GB traffic weekly and I see about 50.000 blocked IPs and DNS requests in pfBlockerNG, plus about 50 blocks hanging all the time in Suricata (they change, my blocking is for 1h) and still Internet works just fine. No complaints whatsoever in last month. We may come together with something even better and this will benefit all the people following this thread.

Anything that breaks, look in the logs/reports and whitelist.

No. This is a full time job. Not a good idea to rely on whitelisting things one by one.

 

[Fingers]

No. This is a full time job. Not a good idea to rely on whitelisting things one by one.

I'm a home user not a network admin for a company, and have been using pfsense for many years with pfblocker and snort, together with multiple VPNs and VLAN's, apart from the initial setting up and tweaking when adding any new lists, it rarely needs touching for day to day use.

Its no big issue, no drama, it works fine.

 

[Val D.]

apart from the initial setting up and tweaking when adding any new lists, it rarely needs touching for day to day use.

OK, this is something different then. You already did a research and selected what you need and in this case whitelisting of selected items only is acceptable. If you start with something like automatically generated monster aggregate feed though and leave default rules on IDS, by the time you whitelist something or make a rule exception 10 new blocks pop-up in next 30 seconds... and your wife is approaching you with a cast iron frying pan in her hands in next 60 seconds.

 

[Fingers]

Hmm maybe you need to change your wife and not the firewall

 

[Val D.]

Hmm maybe you need to change your wife and not the firewall

The example above is for fun, of course. If it was a real situation though, a new firewall route is highly recommended. Even the most fancy boxes come much cheaper than wife upgrade. After wife upgrade, one may not be able to afford a second-hand Wireless-G router off eBay.

 

[Chrisgtl]

When I turn my 86U into the access point is there any benefit to running Merlin or should I stick with OEM firmware?

 

[avtella]

Last week I went overboard after getting fed up with my experiences with consumer routers and decided to try pFsense. Ended up a buying Xeon D-1541 SuperMicro unit to use as a NAS/Router combo (using ESX), it’s essentially just a rear IO version of the Netgate XG-1541. Turned my RAX120 into a switch/AP and I’m pretty happy so far with the results. I really like pFblockerng, with Top Level Domain blocking enabled and the large number of lists I have, my unit is using 4.5 gigs of RAM so if you want to use the TLD blocking feature make sure you have sufficient RAM. I’m going to use ESX and then reinstall pFsense alongside FreeNAS.

After this it’s gonna be hard for me to ever switch back to a consumer router.

The Lawrence Systems YouTube channel was really helpful with getting started with pFsense and pFblockerNG, great tutorials if anyone needs.

On the flip side I do see L&LD had issues multiple times.

 

[L&LD]

@avtella, posts like this are giving me the itch to try pfSense again.

 

[avtella]

@avtella, posts like this are giving me the itch to try pfSense again.

You’re using Asus with Merlin so that’s still pretty good so I can see less of an incentive for you to switch, I had it worse, I was coming from NG stock lol, no real granular settings or options like VPN profile imports etc, combined with buggier firmware pushed me over the edge.

 

[CrystalLattice]

Jim Salter tested pfsense and found it useless: https://arstechnica.com/gadgets/201...ild-faces-better-tests-tougher-competition/3/ . The Er-pro finishing 1st runs Vyatta, (you could run VYOS[almost same] for free) virtually. 2nd place was plain ubuntu server diy. 3rd place finisher was Openwrt, which has a much larger community in case of free consultation. All can run in VM.

 

[SwampKracker]

I decided to give my Asus router a chance to be my firewall (it was always just an access point) after a hard drive failure in my ClearOS box. It was not always smooth sailing due to various firmware issues. Plus, security is "good enough" as minimal development is put into making the router more secure or more capable as a security device. It is all about the next bell or whistle which I never use.

Rather than going down the scripts path (great job by the creators!) on under-powered hardware to make the router a better firewall, I decided to try pfsense on much more powerful hardware. pfsense did not disappoint me. Everything that I would expect from a commercial firewall is there.

I am never using Asus or Netgear hardware for my firewall ever again.

 

[Val D.]

When I turn my 86U into the access point is there any benefit to running Merlin or should I stick with OEM firmware?

I personally would run stock Asuswrt version 45717. It has pretty stable WiFi drivers. You don't need any Asuswrt-Merlin functions.

Jim Salter tested pfsense and found it useless

He was reviewing DIY firewall in 2016. The hardware he used is not ideal, the OS he used is many versions behind current builds.

 

[CrystalLattice]

I personally would run stock Asuswrt version 45717. It has pretty stable WiFi drivers. You don't need any Asuswrt-Merlin functions.



He was reviewing DIY firewall in 2016. The hardware he used is not ideal, the OS he used is many versions behind current builds.

yes, this is the ONLY data we have. There's no reason to think that FreeBSD networking has improved much since. Ever since about Linux kernel 3, Linux has been the preferred networking software over BSD. This old data, which is the only data, shows why. Personally, I like my downloads to complete seamlessly. They'll do that with vyatta, vyos, or ubuntu. Nothing else has been proven to work from a practical test perspective. If you have better data, please show it off.

 

[Val D.]

Personally, I like my downloads to complete seamlessly. They'll do that with vyatta, vyos, or ubuntu. Nothing else has been proven to work from a practical test perspective.

I'm sorry, I have no idea what are you talking about.

Do you have any experience with pfSense? In this thread we discuss "pfSense computer build" options. If you just stopped by to tell others to forget about it because it isn't working properly by design, than thank you. I'm going to update my notes and keep an eye on it.

 

[Val D.]

@avtella, posts like this are giving me the itch to try pfSense again.

Try it again, but don't give up early. Go slowly one step at a time. At one point you'll see very familiar things like full optional versions of AiProtection and QoS (done in house with no 3rd party help and no data sharing), Diversion and Skynet with everything under the hood in your control, Unbound with full options whatever you like, detailed usage stats per interface, protocol, application, etc. all running on much faster hardware than any consumer router can offer, with no limits. You are using now easy setup shrunken down to fit router hardware versions. Think about the ability to build something like your own version of the firmware. It is going to be different than anyone else's, but built according to your requirements by you. It will take time, but I believe you'll be interested to learn new things. And this is the router part only. Then you have switches, dumb, smart, managed, PoE, VLANs, L2/L3. Then you have access points, many available to choose from, based on your needs. It's a different world to explore.