Confessions of a pfSense Newbie ...

What's your favorite?

Untangle
http://www.untangle.com/
Astaro
http://www.astaro.com/
ClearOS
http://www.clearfoundation.com/Software/overview.html
(which is also more than just a firewall; it's a UTM gateway combined with a server, sort of like an open source version of Small Business Server)

I've run them all. I use Untangle at a lot of my clients (I do SMB networks for a living). The Astaro free version has dual AV engines plus a spyware blocker module (they have a free full version that can be used for home networks of up to 50). The Untangle free version has a single AV engine (just Clam), but also has a spyware blocker module, and their paid bundles add the very effective Kaspersky AV scanner.

Check out the features of the Astaro Network Security product
http://www.astaro.com/solutions/network-security

Astaro's "free for home users" page is here
http://www.astaro.com/landingpages/en-worldwide-homeuse

At the clients where I've used these, I have had a big reduction in malware problems. Most other things are very equal across clients behind UTMs: WSUS to manage Windows updates, Eset NOD32 antivirus, etc. So it's a fair comparison to show how well a UTM does help out business networks.

I've also used Endian, years ago, and liked it.
http://www.endian.com/us/

Now, I love pfSense and have praised it for many years, but to me it's the Ferrari of routers: wicked fast, great QoS, etc. And it's had a growing "plug-in" market, some of which can make it a sort of wannabe UTM. But they're marginal plug-ins. If a UTM is what you want, my view is go right to the ones that have been designed from the ground up to be UTMs.
 
Great information there. I've yet to experiment with any of these, and there's no substitute for field performance from someone actually "swinging hammers" at this game for a living :) I'd say the single biggest reason I started looking at pfSense is the ability (assuming all the code is working!) to filter at layer 7, specifically to prioritize Skype traffic, which we actually want to prioritize, not block. The rest of the packages I'm playing with were an attempt to duplicate Draytek's comprehensive Smartmonitor system, which reports on everything from email to P2P traffic.

We're getting close. I'll likely do a roll-up of everything once the dust clears here.
 
With reservations, it appears as though Snort is up and running under pfSense 2.0 RC3.

I'm probably going to wait a little while longer to upgrade from 1.2.3 Stable.

Anyone taking the bait?
 
I still have two new boxes that are completely non-production, meaning that, as time permits, I'll be carrying on testing now that Snort is up again. I still would not recommend pfSense RC2.x in a dual WAN scenario, as many functions are still pretty buggy. I've taken the pfSense boxes completely offline as far as production goes, as there are still issues with even simple stuff like dynamic DNS and load balancing (even with no packages installed). Many issues still exist with QoS which, in my opinion, are not worth wasting too much time on (meaning buggy).

The Draytek boxes and Smartmonitor remain stable and effective, albeit missing the bits that I'd like to add, namely integrated proxy, antivirus and layer 7 QOS. That said, I'm confident that the Pfsense package will mature over the next year to hit all these bases. As time permits I've been having a good look at YeOlde's suggestions in an effort to evaluate them.
 
Dennis,

What is your impression of core functionality in RC3? Looked at it, tried it?

I'm waiting for a stable release ( QOS, Load Balancing and failover for Multi-WAN, Package logging support ) and Snort all running - I suspect RC3 ain't it, but hope springs and all that....
 
As far as core functionality in dual WAN mode goes, I'd say there are way too many issues with a bare pfSense 2.0 RC3 install to even consider using it in production. For example, a recent update broke my DSL (PPPoE) connection, something I'd consider core, although this was fixed in the last snapshot. QoS is pretty much broken from what I can tell, so again, no point in using RC3 if layer 7 filtering or QoS is important. Snort's not working on amd64 versions yet either; I just tried it. I'd guess there's a few months (at best) to go before your core wish is satisfied.

Squid, SquidGuard and HAVP work fine in a single WAN scenario, and Snort seems to be working half-baked on i386 versions, so if those packages were required, I think you'd be fine with RC3, as long as you didn't update it too often (see my previous PPPoE comment!). If torrent performance and/or raw routing speed is a priority in dual WAN mode, I'd say try RC3 too.

With respect to "raw" routing speed, it's noticeably snappy when compared to the Drayteks we're using.
 
As far as core functionality in the dual WAN mode goes I'd say there are way too many issues with a bare pfsense 2.0 RC3 install to even consider using it in production. ...

...it's noticeably snappy when compared to the Drayteks we're using.

Hi Dennis - I've read up on many of your posts, good info indeed! Per GregN's suggestion in my thread, I am in need of a dual WAN solution in a school setting, and am considering my options. In short, a Draytek or a pfSense.

We're in an old building and only able to get 1.5 Mbps PPPoE DSL connections. I want to either add another 1.5 Mbps connection or, more daring, use a 3G/4G USB modem for our second WAN connection (which can give between 2 and 40 Mbps; 4G/LTE was just released here in Hong Kong), using load balancing to increase our bandwidth.

I was considering pfSense, but it looks like there are issues. I like the packages you can install, and I'm sure things will be better in the future. We could also probably do fine with the basic dual WAN load balancing for now. However, adding a 3G USB adapter, I don't know how easy that is. So I was also considering the Draytek 2910, and that seems to be the best dual WAN for our needs (for the 3G on the second WAN: huge list of supported USB dongles).

We're only doing simple browsing, and have no need for layer 7 / QoS / etc. In fact, the ToS on the 3G plans here in Hong Kong usually prevent using Skype / torrents anyway. So we would need to drive that traffic over WAN1 only though...

Since you're a current Draytek user in dual WAN production (I read elsewhere some of your posts regarding your experiences), can you comment on your experiences with the Draytek for basic dual WAN? I assume the 2910 is more basic than what you've been using, but I think it's very close as far as the core goes.

And of course, if you think pfSense is good for what I'm describing, insight on that (with 3G capabilities) would be helpful.

Thank you kindly for your insight!
 
The Draytek 2950s have been solid dual WAN boxes, and adding a Windows XP box with SMARTmonitor is extremely effective in terms of monitoring everything. You'd have an easier time either adding a second DSL connection, or using a 3G/4G modem plugged into the WAN2 connection, in terms of hardware compatibility. The Drayteks have a lot of options (including a few subscription services) that would make the school job pretty easy to deal with in terms of filtering. Inbound VPN, including iPhone VPN (very important for us), has been reliable.

Unless you have a lot of time to configure/play, in my opinion pfSense for dual WAN is not quite there. I say this because basic routing (no packages) performance is excellent; however, you will want to lock down your school pipe and load balance too. pfSense does not play nice with Squid (URL blocking) in a dual WAN setup right now. I do believe, however, that having a pfSense box (where you can have 3 or 4 WAN connections), proxy server, AV and a full Snort setup is potentially a one-box solution for connectivity in the very near future. If you're able, I'd put the Drayteks into production and build yourself a pfSense box or two to play with... pretty much what I'm doing right now.

Greg, on another note, I finally have a working Snort setup (albeit with no blocking) on the amd64 platform. See this: http://forum.pfsense.org/index.php/topic,39677.30.html I had to run an SSH command and uncheck "Block Offenders" to get the service running. As you know, running without "Block Offenders" is pretty useless, but at least we're making progress :)
 
I'm surprised on the platform differences...how is load balancing?

Any rumbling when we'll see the 2.0 General Release?
 
I've been testing load balancing a few ways. Torrents (with UPnP enabled) seem to be a good test, particularly if there are plenty of seeds/peers present. It's obvious that both WAN connections are being maxed out.

HTTP is a bit of a different animal in that when "sticky connections" are turned off, a typical round-robin approach is used. This, however, makes most web surfing a problem, as servers will drop connections when two IPs are used. Load balancing on any of the routers I've used seems to boil down to manual rules, as very few network applications tolerate switching WAN IPs. Because Squid doesn't work as well as Snort does on multiple WAN connections, you end up on one interface anyway, at least for HTTP requests. The fact that traffic shaping doesn't seem to work right now doesn't help much either in terms of shaping multi-WAN traffic.

Fault tolerance with a properly set up load balancing setup works well too.
 
Thanks Dennis;

However, correct me if I'm wrong, but it appears the 2950 doesn't support 3G/4G (no USB), so therefore the SmartMonitor is not available... Is the only major difference the lack of USB and a gigabit switch? (AFAYK)
 
The 2950 has 5 Gigabit LAN ports and 2 x 100 Mbit WAN ports. If I understand the question correctly, your issue would be potential throttling when using the modem connected to a 100 Mbit WAN port instead of USB, correct? The 100 Mbit port is good for something like 12 MB/s, which is a very fast connection. I'd venture to say a 3G or 4G modem could not even come close to that speed in real world performance. I personally don't like using modems connected via USB because a failure down the line may mean hardware that doesn't work with your router's USB support matrix.

Smartmonitor connects to one of the Draytek LAN ports (with port mirroring turned on) and runs on a Windows XP or Linux computer. It's much better than anything I've seen on the pfSense package list to date in terms of monitoring bandwidth, web, P2P, VoIP, POP etc. protocols.

All that said, when pfSense 2.0 works with multi-WAN combined with Snort, Squid, SquidGuard and HAVP, I'll be making the switch, based on having everything in one box and the performance gains I see already in routing speed, session limits, etc.

Cheers,
Dennis.
 
So finally, some success with pfsense (2.0 RC3) and the pile of packages I was looking for. A few points to update:

1. I've moved to the i386 (32-bit) vs. amd64 (64-bit) version of pfSense, as the 32-bit version works with Snort; 64-bit does not yet. Another consideration for 32-bit is the fact that the Jetway NC92-N330 boards I'm using only support 1 x DDR2 DIMM up to 2 GB. This means there is no point in using 64-bit pfSense to take advantage of fully utilizing 4 GB of RAM, as I'm already maxed out at 2 GB.

2. Snort works and blocks offenders on both WAN interfaces. For now at least, all rules are toggled on, performance mode is set to AC-BNFA, and the 2 GB of RAM is showing 31% usage.

3. HAVP (AV), Squid (proxy server), SquidGuard (web filter) and Lightsquid (web activity reporting) are all working great from the 40 GB SSD drive, although all port 80 traffic is being routed to WAN1. This is not so bad though, as load balancing port 80 outgoing traffic creates all kinds of problems for web users as their WAN IP continually alternates. I've found in practice, even on the Draytek units, that port 80 traffic must be directed to one WAN connection, otherwise there are a lot of complaints from users.

4. Load balancing otherwise appears to work well. My typical torrent test is humming along, pulling connections and "saturating the pipe" from both WAN1 and WAN2 (UPnP toggled on), even with 3000 global connections set and connected torrent peers set to 1500. I can't help but wonder where performance like this (from some otherwise mediocre WAN connections) might take cloud based computing in a peer to peer setup.

Next step would be see if we can get VPN working well, assuming all else remains stable.
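The round-robin versus "sticky" behaviour, the port 80 to WAN1 pin and the failover described in the two posts above can be modelled in a few lines. The script below is an added illustration for this thread, not pfSense's or Draytek's code: the gateway names, public addresses, the client address and the rule table are assumptions, and it models the decision logic only (pf's `sticky-address` source tracking is reduced to a dictionary).

```python
"""Toy model of multi-WAN policy routing as this thread describes it.
Added example for illustration; it is not pfSense's or Draytek's code.
It shows why plain round robin makes a remote web server see one client
arrive from two WAN IPs, how "sticky" source tracking keeps each client
on one WAN, how a first-match rule pins port 80 to WAN1 (the thread's
workaround for Squid), and how a dead gateway is skipped.
Gateway names and addresses below are assumptions."""
import itertools


class Gateway:
    def __init__(self, name, public_ip):
        self.name = name
        self.public_ip = public_ip   # address a remote server sees
        self.up = True


class Router:
    def __init__(self, gateways, pinned=None, sticky=True):
        self.gateways = list(gateways)
        self.pinned = pinned or {}      # dst_port -> gateway name, checked first
        self.sticky = sticky
        self._rr = itertools.cycle(range(len(self.gateways)))
        self._tracked = {}              # src_ip -> Gateway (like pf sticky-address)

    def _live(self):
        return [g for g in self.gateways if g.up]

    def _round_robin(self):
        # advance the cycle until a live gateway turns up (caller ensured one exists)
        while True:
            g = self.gateways[next(self._rr)]
            if g.up:
                return g

    def choose(self, src_ip, dst_port):
        """Gateway a new connection from src_ip to dst_port is sent out on."""
        if not self._live():
            raise RuntimeError("all WAN gateways are down")
        # 1. explicit policy rule, e.g. port 80 -> WAN1; fall through if that WAN is down
        name = self.pinned.get(dst_port)
        if name is not None:
            for g in self._live():
                if g.name == name:
                    return g
        # 2. sticky: keep a client on the gateway it was first balanced to, while it is up
        if self.sticky:
            g = self._tracked.get(src_ip)
            if g is None or not g.up:
                g = self._round_robin()
                self._tracked[src_ip] = g
            return g
        # 3. plain round robin across live gateways
        return self._round_robin()


def public_ips_seen(router, src_ip, dst_port, connections=4):
    """WAN addresses a remote server sees across several connections from one client."""
    return [router.choose(src_ip, dst_port).public_ip for _ in range(connections)]


def demo():
    """Compare the modes; returns the observed address lists for inspection."""
    def fresh(sticky):
        return Router([Gateway("WAN1", "198.51.100.10"),   # assumed WAN1 address
                       Gateway("WAN2", "203.0.113.20")],   # assumed WAN2 address
                      pinned={80: "WAN1"}, sticky=sticky)
    results = {}
    rr = fresh(sticky=False)
    results["round_robin_https"] = public_ips_seen(rr, "192.168.1.10", 443)
    results["round_robin_http"] = public_ips_seen(rr, "192.168.1.10", 80)
    st = fresh(sticky=True)
    results["sticky_https"] = public_ips_seen(st, "192.168.1.10", 443)
    st.gateways[0].up = False                      # WAN1 fails
    results["sticky_https_after_failover"] = public_ips_seen(st, "192.168.1.10", 443)
    results["pinned_http_after_failover"] = public_ips_seen(st, "192.168.1.10", 80)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32} {value}")
```

Running it shows the HTTPS client alternating between the two WAN addresses in round-robin mode (the flapping servers object to), staying on one address once sticky tracking or the port 80 rule applies, and moving to WAN2 only when WAN1 goes down.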
 
Since Snort is not working on RC3, would you recommend a new setup be done on a pre-RC3 release, and upgrade after things become compatible?
 
All of these issues have been resolved. pfSense is now on version 2.0.1, and is quite robust.

I highly recommend upgrading.
 
Yep, the two boxes with 2.0.1 are very stable and working hard every day. The only maintenance item is occasional Snort issues after updates. I'm finding that certain rule sets may cause Snort to fail (working before the update, but not after), something easy to resolve by looking at the logs.

HTTP load balancing with HAVP and Squid does not work, but that's fine.
 
Hadn't noticed the lack of load balancing on HAVP and Squid; the session stuff handled this, and I didn't expect otherwise.

From another thread:

Thank you GregN, pfSense would be a great and scalable solution, but I just found out that failover does not support DHCP or PPPoE connections… which is a deal-breaker for me.

Is this the case? Been meaning to investigate, but haven't got around to it.

Glad to see you are around.
 
Greg, port 80 traffic is the only issue, as Squid grabs these on the WAN interface. Everything else is load balanced. This is not an issue, as I've had to direct a fair bit of traffic to specific WAN1 or WAN2 anyway to reduce the issues from users getting bounced between connections. In other words, not much is being actively load balanced.

I can see that connection bonding will fix these issues, so once the technology gets a bit more mature (read: less expensive) we'll jump in there. The pfSense box setup will get a lot simpler with only one external bonded connection to address.

Btw, the issues with the last update to Snort were just resolved. This version adds the ability to kill states and block source, destination (or both) IPs in a blocked connection. They're under the Interface tab settings. I can see this was needed, as in testing a blocked connection would be maintained as long as the connection was active; now any active (but now blocked) firewall states are killed as well as the connection blocked. An important addition, I'd say.
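What "Block Offenders" with source/destination/both and state killing amounts to on the pf side can be shown by walking a few Snort alert lines through the same decisions. This is an added example for the thread, not the pfSense Snort package's own code: the alert lines are constructed in Snort's fast-alert format, the pass list (local network never blocked) and priority cutoff are assumptions, and the `snort2c` table name is taken to be the one the package uses. Nothing is executed; the `pfctl` commands are returned as strings so they can be reviewed before running them as root on the firewall.

```python
"""Derive pf block actions from Snort fast-alert lines, the way the
"Block Offenders" option in the pfSense Snort package works (block the
source, destination or both, and kill existing states). Added example,
not the package's code. Alert lines are constructed; the snort2c table
name and the pass list are assumptions. No pfctl is executed here."""
import ipaddress
import re

# Fast-alert layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
#                    [Priority: n] {proto} src[:port] -> dst[:port]   (IPv4 only here)
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not a real capture); SIDs are well-known public rule IDs.
SAMPLE_ALERTS = """\
08/12-10:15:02.113345  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.45:80 -> 192.168.1.23:51644
08/12-10:15:09.501210  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.77:41022 -> 192.168.1.5:3306
08/12-10:16:40.008811  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.45:80 -> 192.168.1.23:51702
08/12-10:17:01.000001  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.23:51810 -> 203.0.113.45:80
08/12-10:18:22.442210  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.1.1 -> 192.168.1.23
"""


def parse_alert(line):
    """Return the fields of one fast-alert line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"sid": int(d["sid"]), "msg": d["msg"], "priority": int(d["prio"]),
            "proto": d["proto"], "src": d["src"], "dst": d["dst"]}


def offenders(lines, which="both", passlist=("192.168.1.0/24",), max_priority=2):
    """Ordered, de-duplicated list of addresses to block.

    which        "src", "dst" or "both", like the package's Interface tab choice.
    passlist     networks never blocked (LAN, gateways); an assumed default.
    max_priority alerts with a larger (less severe) priority number are ignored.
    """
    nets = [ipaddress.ip_network(n) for n in passlist]
    seen = []
    for line in lines:
        a = parse_alert(line)
        if a is None or a["priority"] > max_priority:
            continue
        candidates = {"src": [a["src"]], "dst": [a["dst"]],
                      "both": [a["src"], a["dst"]]}[which]
        for ip in candidates:
            addr = ipaddress.ip_address(ip)
            if any(addr in n for n in nets):
                continue            # never block our own side
            if ip not in seen:
                seen.append(ip)
    return seen


def pfctl_commands(ips, table="snort2c"):
    """pfctl invocations equivalent to 'block + kill states' for each offender.

    -t/-T add puts the address in the pf table the block rule references;
    -k host kills states whose source is host, and -k any -k host kills
    states whose destination is host, so an already-open connection dies too.
    """
    cmds = []
    for ip in ips:
        cmds.append(f"pfctl -t {table} -T add {ip}")
        cmds.append(f"pfctl -k {ip}")
        cmds.append(f"pfctl -k 0.0.0.0/0 -k {ip}")
    return cmds


if __name__ == "__main__":
    for mode in ("src", "dst", "both"):
        print(mode, offenders(SAMPLE_ALERTS.splitlines(), which=mode))
    print("\n".join(pfctl_commands(offenders(SAMPLE_ALERTS.splitlines()))))
```

With the sample input, "both" blocks the two external hosts and skips every 192.168.1.x address even though some alerts name a LAN host as the source; "dst" only catches the outbound download alert. Without the pass list, the ICMP alert in the last line would have put the LAN gateway itself into the block table, which is exactly why the package exposes a whitelist next to the src/dst/both choice.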
 
I've been considering giving pfSense a whirl. Anyone have any performance figures (NAT/OpenVPN)?
 
I have been thinking about trying it for a while too. This is a nice old thread; glad it was pinned. In my research (2015), it seems the latest hardware boxes with Intel chips from China use a couple of watts more than the latest ARM CPUs found in consumer routers. Example: http://www.hystou.com/products/mini...on-1037u-htpc-alloy-case-with-usb30-1084.html

I would want to run OpenVPN, gbde (disk encryption for attached hard drives), and Syncthing (FreeBSD). I would like to find something similar to the open source iSpy for Windows, just for IP cameras to write to a hard drive.
 