New build for pfsense


Fingers

Regular Contributor
I like to tinker with stuff and learn new things. First off, I really don't need anything powerful like pfsense, as my RT-AC5300 is plenty for the household usage. But the truth is, I just WANT to build, configure and get a bit more hands on. My networking knowledge is woefully inadequate, so I am using this opportunity to advance my skills and embark on a steep learning curve along the way.

I will need to run:

squid
snort
ovpn

I have the following parts already in hand to use for the build. Could anyone let me know if they can see something that is not suitable?

Fractal Design Node 202 Mini-Itx Case
ASUS H110M-R Motherboard Intel H110, Micro ATX
Intel Pentium G4400 3.30GHz
ARCTIC Freezer 11 LP - 100 Watts Intel CPU Cooler
Intel D50868-003 Dual Port PCIe x4 Gigabit Ethernet Card - EXPI9402PTBLK
SanDisk SSD PLUS 120 GB
Timetec Hynix IC 4GB DDR4 2133MHz
Netgear ProSAFE 8-Port Gigabit Switch GS108
SeaSonic SS-300SFD 300W SFX12V Power Supply


I already have these parts, so costs will be nil, but as a noob I would appreciate advice from experts. Since my wife is always moaning about the aggressive looks of the RT5300, I have decided to sell it and use the 'BT whole house' AP set up. This is the only thing I will be purchasing.

https://www.shop.bt.com/learnmore/bt-branded-products-and-services/bt-whole-home-wi-fi/

I will be using TPlink AV1200 powerline adapters to connect these.
With the 2.5 release, a CPU that supports AES-NI is required. So check that one. I looked at Intel website for that CPU and it says AES-NI is supported.

Once you get the WAN and LAN interfaces set up, the next step should be to set up the OpenVPN client if that is what your requirement is. I then suggest you configure pfBlockerNG. This will block advertisements and you can use it to block bad websites and malware. My config is similar to this setup but does have some additions, including some of the hosts files in use by AB-Solution and other script writers on this forum and what others recommend in the pfsense forum:

http://supratim-sanyal.blogspot.com/2017/04/pfsense-pfblockerng-ultimate-list-of-ip.html

I installed squid. But it was creating issues with my streaming media channels so I removed it. Not sure it is really required for a household network. You may want to read up on suricata vs snort. Both are IPS/IDS. You should not have both installed at the same time. I tried suricata but had too many issues with it blocking websites so I uninstalled it. I am taking a break from it right now and may pick it up later. pfBlockerNG will block most of the bad stuff anyway.

This Taming the Suricata Beast post is 30-plus pages long. The person who started the thread had a consolidated guide in the works. But then he got in a car accident and dropped off the forum.
https://forum.pfsense.org/index.php?topic=78062.0

I may pick it up another day. I don't have any services or ports exposed to the web and pfBlockerNG takes care of a lot of bad stuff as well. There are some youtube videos on it. But the more I dug into it, the more I realized it is a beast. I hesitated to follow some of the instructions in the post I referenced above since they were over three years old.

A pfsense fork is OpnSense. I may consider it in the future if someone can come up with a similar package like pfBlockerNG or AB-Solution. If you type pfsense vs opnsense in a web search, you will quickly understand why it was forked.

Thank you very much, most helpful and gives me plenty to read, pfblockerNG does indeed look like a better choice. I double checked and the G4400 is AES-NI compliant.
 
One question I have: I noticed on one of the blocking lists (firehol_level1), Choopa.net is on there with quite a few IPs. PIA VPN uses these servers based in London. Forgive me if this is a stupid question, but if I set the blocker up and I want to use ovpn and the IP is on the list, won't this block all traffic?

If so, I'm guessing the whitelist is the way around this?
 
Correct, the whitelist feature should take care of it. I have not seen any PIA customers report issues with pfBlockerNG on the pfsense forums.
 
Keep me updated once you get your router built and running. The CPU in my appliance does not support AES-NI. So I will need to replace it when pfSense 2.5 is out. Qotom has some routers on Amazon and Aliexpress with Intel i3, i5 and i7 chips in them. If I had the parts laying around like you did, I would do a build. But with boxes at this price, it is hard to resist. pfSense 2.4 will be released soon and has some performance improvements for OpenVPN with the AES-GCM tunnels.

https://www.netgate.com/blog/pfsense-software-version-2-4-release-highlights.html
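The question above is really "which entries of a CIDR feed like firehol_level1 cover my VPN server's address, and does a permit entry actually override them?" The following is an added example (not from the thread or from pfBlockerNG itself) that answers both against a constructed feed using RFC 5737 documentation ranges; it assumes, as pfBlockerNG's whitelist relies on, that permit entries are evaluated before deny entries.

```python
import ipaddress

# Constructed sample in the one-network-per-line style of firehol_level1 (not the real feed).
BLOCKLIST_TXT = """\
# firehol_level1 style feed, constructed sample
0.0.0.0/8
10.0.0.0/8
203.0.113.0/24      # imagine this is the hoster range the VPN provider sits in
198.51.100.64/26
"""

# Constructed sample whitelist: one VPN endpoint carved out of the blocked /24.
WHITELIST_TXT = """\
203.0.113.10/32
"""


def parse_cidrs(text):
    """Parse a pfBlockerNG-style feed: one network per line, '#' comments ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def covering_blocks(ip, blocklist):
    """Return the blocklist networks that contain ip, i.e. why an endpoint would be dropped."""
    addr = ipaddress.ip_address(ip)
    return [net for net in blocklist if addr in net]


def is_blocked(ip, blocklist, whitelist):
    """Permit entries win over deny entries (assumed rule order, matching pfBlockerNG's whitelist)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in whitelist):
        return False
    return any(addr in net for net in blocklist)


def whitelist_entries_for(endpoints, blocklist):
    """Minimal /32 permit entries needed so every VPN endpoint survives the blocklist."""
    return sorted(f"{ip}/32" for ip in endpoints if covering_blocks(ip, blocklist))


if __name__ == "__main__":
    bl, wl = parse_cidrs(BLOCKLIST_TXT), parse_cidrs(WHITELIST_TXT)
    for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.200"):
        print(ip, "blocked" if is_blocked(ip, bl, wl) else "allowed", covering_blocks(ip, bl))
```

Run it against the feed you actually use by replacing the constructed sample with the downloaded list and the endpoints with the addresses your OpenVPN client resolves, then feed the returned /32s to the permit alias.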
 
I should have some free time over the weekend, so I should be up and running then.
 
Router is built and up and running. I did install snort and it is just set up for LAN. It is not yet blocking anything as I have only been running it for a day or two so wanted to iron out all the false positives first. I paid for a premium oinkcode and am using the connectivity setting on the IPS policy setting. It seems to be running stable. I have just installed pfblockerng, so will do some research as to how to go about the best set up for me. I currently only have one port forwarded for my Ubuntu server.
 
 
Well I have pfBlocker running great, I've tested it and it's showing alerts just fine. My question is, do I need snort as well? I am a home user with eventually maybe a handful of ports open. What I mean is, is snort better suited to business use and more overkill for a regular home set up?
 
From the research I did, suricata performs better than snort. But snort is updating their architecture. If you do expose open ports, then you should probably use one or the other.
http://wiki.aanval.com/wiki/Snort_vs_Suricata

You should look at the pfSense IPS/IDS forum and do some reading before making a decision.
https://forum.pfsense.org/index.php?board=61.0

My attempt at getting Suricata to work right failed. I need more time to work on it. It was blocking too many valid sites I go to, such as news sites for example. I have yet to find a really good write-up on it. I want to pick it up again when I have more time.

I was very hopeful that the Taming the Beast thread would help. https://forum.pfsense.org/index.php?topic=78062.0. But the guy who wrote the guide got in a car accident and never surfaced again.

Lawrence Systems did a nice video on Suricata.

Here are some other references:
https://www.reddit.com/r/PFSENSE/comments/6bxbve/suricata_setup_guide/
That's because suricata does not process rules the same way snort does. Snort is actually a lot more effective than suricata.
This explains why snort is better than suricata and why suricata is faster. Essentially, if you are gonna use an IDS or IPS you should make sure that it does what you want. Suricata can't process the rules given in that example so it leaves out some things. If security is your concern you really should use snort rather than suricata.