Using pfSense with a L3 core switch

[avtella]

I have been running pfBlockerNG for a couple years now. I am quite happy with it. Foremost, it is much easier to set up than SNORT (which i tried for several weeks) and SNORT requires much more time to tune and tweak whereas pfBlockerNG works almost out of the box with IPV4 and DNSBL. Maybe in the end SNORT can do more but for now, i am still contemplating if i need more security such as IDS/IPS. For now, i am not convinced yet. Maybe it will come one day.

You could just use ntopng to monitor traffic flows to go alongside with pfblockerng, to keep it simple if it’s for home use. ntopng has layer7 functionality. Lot of traffic is encrypted anyway so it may not be worth the hassle for a full fledged IDS/IPS setup for home.

If using Snort/Suricata and wanting to enable blocking I would suggest only alerts on WAN and blocking enabled LAN (after some testing) side and tweak from there or you’ll get overwhelmed. I suppose pfblocker rules might help cut out some of the stuff that has Suricata/Snort to deal with.

I used this guide video as a starting point, when I tested snort and later Suricata for which they have one as well:

 

[ddaenen1]

I want QUAD9 to be totally responsible for DNS.

It has always been my understand that unbound on pfSense is the faster way to resolve and the fact that it directly connects to authoritative servers is more secure. Also in order for pfBlockerNG to work, the use of unbound is required. Just saying...

 

[avtella]

It has always been my understand that unbound on pfSense is the faster way to resolve and the fact that it directly connects to authoritative servers is more secure. Also in order for pfBlockerNG to work, the use of unbound is required. Just saying...

You can use unbound in “forwarding mode” and have pfBlockerNG work. Unbound in “resolver mode” is slower for uncached queries, at least for me it was a noticeable difference, it will be faster once a lot of your regular queries are cached. I also use forwarding but with Cloudflare DNS with TLS enabled. In terms of being more secure your right.

 

[coxhaus]

You can use unbound in “forwarding mode” and have pfBlockerNG work. Unbound in “resolver mode” is slower for uncached queries, at least for me it was a noticeable difference, it will be faster once a lot of your regular queries are cached. I also use forwarding but with Cloudflare DNS with TLS enabled. In terms of being more secure your right.

So, in terms of noticeable difference are you talking wired or wireless? My random web pages are fast off msn in Windows 11 using wireless faster than Windows 10.

Could you expound on more secure? It seems like a few years ago there was an issue with a root server somewhere related to China. Thy sucked a bunch of data or pointed it somewhere else. I would never use Cloudflare for anything I am doing.

I started with unbound pointing to QUAD9. I did not notice any difference when I changed. I will look at pfBlockerNG to see if I really want to run it. As I stated above I will probably run SNORT and not pfBlockerNG but if I change my mind it is good to know that I need to use unbound.
I don't have the best times on the net but these are better than DSL. I am still hoping for AT&T fiber as it is just a few blocks away.

The top is my pfsense WAN gateway and the bottom is my L3 switch gateway.

 

[avtella]

So, in terms of noticeable difference are you talking wired or wireless? My random web pages are fast off msn in Windows 11 using wireless faster than Windows 10.

Could you expound on more secure? It seems like a few years ago there was an issue with a root server somewhere related to China. Thy sucked a bunch of data or pointed it somewhere else. I would never use Cloudflare for anything I am doing.

I started with unbound pointing to QUAD9. I did not notice any difference when I changed. I will look at pfBlockerNG to see if I really want to run it. As I stated above I will probably run SNORT and not pfBlockerNG but if I change my mind it is good to know that I need to use unbound.
I don't have the best times on the net but these are better than DSL. I am still hoping for AT&T fiber as it is just a few blocks away.
View attachment 50229

I have nothing against Q9, I use Cloudflare as it’s faster for me, it does have alternate DNS servers with filters as well. I was not aware of the root server issue thanks for pointing that out.

As for security/privacy I’ll just paste the firewalla team’s explanation, better than I can provide:
“Unbound uses DNSSec to validate DNS results and prevent man-in-the-middle attacks. Because Unbound itself is a DNS resolver, it will connect to different DNS servers for different domains. No single public DNS server will have all your DNS records, thus protecting your privacy.”

Now obviously Q9 still has advantages like malware block/filtering and you seem to trust it so you could keep things as is. As I said before forwarding mode works with pfBockerNG so you can leave unbound as it is now.

As for noticeable slowness (wired testing), the last time I used unbound in it’s default resolver mode (in 2020) uncached queries were in some instances like a second+ vs like a 100-200 milliseconds at worst with unbound set to forwarding mode with Cloudflare. It doesn’t seem like you ran into such issues so resolver mode would probably be fine for you. Additionally I had issues with DNSSEC causing some sites not working, again this was three years ago so maybe things have changed.

 

[coxhaus]

As for security/privacy I’ll just paste the firewalla team’s explanation, better than I can provide:
“Unbound uses DNSSec to validate DNS results and prevent man-in-the-middle attacks. Because Unbound itself is a DNS resolver, it will connect to different DNS servers for different domains. No single public DNS server will have all your DNS records, thus protecting your privacy.”

Now obviously Q9 still has advantages like malware block/filtering and you seem to trust it so you could keep things as is. As I said before forwarding mode works with pfBockerNG so you can leave unbound as it is now.

I am thinking there is no real security advantage in the USA using unbound or DNS forwarding for man-in-the-middle attack using any of the major ISPs in the US. You can have root server redirections also. I think QUAD9 has tie ends in most major US ISP networks.

I think QUAD9 does have an advantage as it is filtering DNS traffic and keeping up with what is going on in the DNS world real time much better than I can.

 

[sfx2000]

am thinking there is no real security advantage in the USA using unbound or DNS forwarding for man-in-the-middle attack using any of the major ISPs in the US. You can have root server redirections also. I think QUAD9 has tie ends in most major US ISP networks.

I've been using unbound for a while, and have built this into my private OpenWRT builds - better than dnsmasq, and does do all the dnssec/DoH/DoT chocolatey smoothness...

 

[coxhaus]

It looks like SNORT 3.0 is lacking as there is nobody to upgrade the old SNORT package to the new multi-thread one so it is not even in the works for pfsense. I assume Opensense is the same. Cisco is very much ahead in IDS/IPS world. I will not be loading the old SNORT in pfsense. I would have thought the SNORT package was keeping up. At some point SNORT may die for pfsense as the SNORT team, (Cisco owned), may stop back porting to SNORT 2.9x. SNORT 3 has been out since 2021.
From what I read is the new SNORT 3.0 is multi-thread and requires extensive re-write and there is nobody to complete the work.
I have lost interest in SNORT for pfsense. I may start looking at Untangle again because I know IDS/IPS works well. I think they have limited the IPs for home use.
I wish Cisco would sell me TAC support for a baby Firepower firewall. It has all the modern SNORT built in.

 

[avtella]

Unless I’m mistaken Arista changed the IDS/IPS engine to Suricata. Distrowatch also shows the older 4.1 version of Suricata in the package list of the latest builds of Untangle. pf/OPN are both on 6.XX versions. As long as patching is up to date, unless you are losing any critics features it may not matter, granted snort 3.0 has multi threading. On the other hand you did have a good experience with Untangle and you probably don’t have to turn as many knobs for IDS/IPS.

In regards to Cisco gear. Would you not get a Cisco discount from any current employees that you may know?

 

[coxhaus]

It has been too long since I worked. All my friends have retired also like me. I buy it just like everybody else.

That sucks Untangle is behind also on their IDS/IPS. Yes, I think Untangle is not as top notch as it used to be in the past. It had IBM backing back then. I guess Untangle is out if it is lagging in IDS/IPS.
Here are the differences in SNORT as published on SNORT's website. SNORT 3 is written in C++. I took one college course in C++ and it is a lot different than plain C. In some ways C++ seemed simpler because you used a lot of api in libraries. I have no real experience in C. I wrote mainframe code in PL1 for 15 years before PCs.

 

[coxhaus]

Since this is a layer 3 switch thread I thought I would post this on how I setup my pfsense this time since someone asked me on another forum. I thought I would throw it out here as well.

I am not using a transit setup right now. I have in the past. I assign a static IP to pfsense on LAN side with a gateway IP defined on pfsense using the IP on the L3 gateway for the network that connects to a port on my layer 3 switch's DHCP VLAN. No VLANs are defined on pfsense. The L3 switch's DHCP points to the L3 switch for its gateway and intervlan routing is turned on. The L3 switch has a default route statement for 0.0.0.0 0.0.0.0 pointing to the static IP on pfsense. It all works. The LAN side of pfsense firewall needs to allow for all networks on the L3 switch. I have the pfsense WAN interface set as the default gateway for pfsense.
So, all local traffic flows to the L3 switch using an L2 gateway for each network VLAN and the L3 switch routes to the static IP address on pfsense's LAN side for outbound traffic (internet) only. This means the L3 switch will route local traffic at wire speeds internal to the L3 switch without having to send the traffic to pfsense and back to the switch. It is much faster.

I think pfsense could use route statements like Cisco and it would be easier than using all gateways.

I use a Cisco L3 switch.
I am using 23.05.

 

[Christos]

Since this is a layer 3 switch thread I thought I would post this on how I setup my pfsense this time since someone asked me on another forum. I thought I would throw it out here as well.

I am not using a transit setup right now. I have in the past. I assign a static IP to pfsense on LAN side with a gateway IP defined on pfsense using the IP on the L3 gateway for the network that connects to a port on my layer 3 switch's DHCP VLAN. No VLANs are defined on pfsense. The L3 switch's DHCP points to the L3 switch for its gateway and intervlan routing is turned on. The L3 switch has a default route statement for 0.0.0.0 0.0.0.0 pointing to the static IP on pfsense. It all works. The LAN side of pfsense firewall needs to allow for all networks on the L3 switch. I have the pfsense WAN interface set as the default gateway for pfsense.
So, all local traffic flows to the L3 switch using an L2 gateway for each network VLAN and the L3 switch routes to the static IP address on pfsense's LAN side for outbound traffic (internet) only. This means the L3 switch will route local traffic at wire speeds internal to the L3 switch without having to send the traffic to pfsense and back to the switch. It is much faster.

I think pfsense could use route statements like Cisco and it would be easier than using all gateways.

I use a Cisco L3 switch.
I am using 23.05.

How do you block ports from one vlan to another? Is there a firewall between the vlans? I use pfsense firewall for inter-vlan traffic.

 

[coxhaus]

How do you block ports from one vlan to another? Is there a firewall between the vlans? I use pfsense firewall for inter-vlan traffic.

I use ACLs on the L3 switch. Cisco ACLs are very good. You can block down to the port level. And of course by IP or Network even by MAC. They are very extensive.
I don't want traffic to slow down my firewall by having to be routed through the firewall when the traffic is local. I only want my firewall to handle inbound or outbound traffic, basically internet traffic. It keeps the firewall more responsive or faster. And the big plus is the local VLAN traffic routes at line speed on the L3 switch.

 

[Christos]

I use ACLs on the L3 switch. Cisco ACLs are very good. You can block down to the port level. And of course by IP or Network even by MAC. They are very extensive.
I don't want traffic to slow down my firewall by having to be routed through the firewall when the traffic is local. I only want my firewall to handle inbound or outbound traffic, basically internet traffic. It keeps the firewall more responsive or faster. And the big plus is the local VLAN traffic routes at line speed.

Yes if you have much inter-vlan traffic, an L3 switch can help.
But if you need vlans only for security to keep guests and IoT out of the main LAN, then an L2 switch is fine.

 

[coxhaus]

Yes if you have much inter-vlan traffic, an L3 switch can help.
But if you need vlans only for security to keep guests and IoT out of the main LAN, then an L2 switch is fine.

If you look at the traffic flow and you are using L2 then all network VLAN traffic is routed to the firewall and back through the switch. Yes, very small networks can get away with using L2. If you start moving large files to where you are pushing 1 gig then you are going to notice a difference like a NAS. If you are just using web pages then maybe not so much. Bandwidth is key, as you move closer to bandwidth limits the more you will notice the difference.
If you are moving large files on a 1 gig wire to where you are maximizing bandwidth from network vlan1 to network vlan2 you will see a slow down, higher latency on your internet traffic as you hit the bandwidth limit. Gamers will not be happy.

I build infrastructure like I built on my large network when I worked. I like it better.

 

[coxhaus]

I bought a new Cisco CBS switch with POE+ power to run my 3 Cisco wireless APs. I plan to set it up when my granddaughter is gone for a day.
I will use layer 3 switching with pfsense.

 

[Christos]

I bought a new Cisco CBS switch with POE+ power to run my 3 Cisco wireless APs. I plan to set it up when my granddaughter is gone for a day.
I will use layer 3 switching with pfsense.

which access points will you use?
what is your opinion on the Cisco Catalyst 9105? Is it better than the Business line?

 

[coxhaus]

Cisco enterprise lines are higher level than the small business products. But with higher level and quality comes things like they are designed for wiring closets that big business companies have which allows the enterprise products to have noisy fans for better performance as they are tucked away in a closet. This is a luxury that a lot of small businesses don't have. So, I think the small business products are better suited for home use.
Plus, Cisco enterprise level equipment requires TAC support that small businesses can't afford. Neither can homeowners. The software level is going to be much better on Cisco enterprise level equipment. It is going to handle real heavy loads much better which it is designed for. There is a big difference between enterprise and small business level software and hardware. I would prefer a Catalyst switch, but I have installed hundreds of them in the old days and every model was noisy as hell.

I run the Cisco 150 ax wireless small business APs. Again, they work well for me and are reliable. I never really did a lot with wireless back in the old days as it was not very mature back then. We had Cisco Aironet back then. We had video conferencing setup in conference rooms across the state, but they were wired running on ATM through a Cisco LS1 ATM switch. Video streaming was not reliable enough using IP. We have come a long way since then.

 

[coxhaus]

So, I am playing with DNS right now using pfsense and my L3 switch using asymmetrical routing. On my Windows 11 PC I have been trying QUAD9 on the PC vs using the pfsense LAN IP which is my DNS server. I am trying using 9.9.9.9 for DNS for the PC and the traffic flow to me would be it would hit the L3 switch gateway IP for the L3 switch and then L3 route to pfsense from the L3 switch. If I use pfsense LAN IP which happens to be in the same network as my Windows 11 PC , but the IP flow should be L2 to pfsense as they are both in the same network no routing local. Then pfsense forwards to QUAD9 if it is not cached and does not have a local DNS entry. I am not really seeing a difference, so I think pfsense is smart enough to check DNS cache even though I have an outside IP address of 9.9.9.9 for DNS instead of the local pfsense IP address.

Anybody played with this? I am thinking it does not matter which IP address I use for DNS.
I am going to set up my new Cisco L3 switch and I am seeing if I want to make any changes on my L3 switch set up with DHCP.

 

[Christos]

I think pfsense is smart enough to check DNS cache even though I have an outside IP address of 9.9.9.9 for DNS instead of the local pfsense IP address.

There is a way to capture DNS traffic on pfsense and divert all port 53 traffic locally, in order to prevent clients of using external dns servers, but this must be configured manually. It is not by default.
I believe the windows pc is doing come caching when using 9.9.9.9, not pfsense.