Converting a Cisco Ironport C170 to Opnsense router


I think you’re pretty close. You actually can use a third-party DNS; I use the unbound resolver in forwarding mode (with TLS enabled) with Cloudflare, and pfblocker works fine. Q9 was just noticeably slower for me.

When they say you need to use the resolver (unbound) for pfblocker that’s true it needs to be used vs the dedicated forwarder, but unbound itself can be used as a forwarder by checking the “DNS Query Forwarding” option.
 
When they say you need to use the resolver (unbound) for pfblocker that’s true it needs to be used vs the dedicated forwarder, but unbound itself can be used as a forwarder by checking the “DNS Query Forwarding” option.
I like what you are saying. I assume using unbound as a forwarder will mean all outside DNS will come from QUAD9 if for example you are using QUAD9 for DNS?

DNS is just a chain so you can string them together. So, I hope you are not saying unbound will resolve outside DNS and if it can't resolve then it will send it to QUAD9.

So, is pfblocker unbound only blocking local DNS queries by using a list that it is fed for bad DNS?
 
It will use whatever you set when the forwarding option is enabled; if you don’t set any DNS then it will just use the ISP default. Now in the settings page there is a DNS override option which I leave disabled; if enabled, it essentially bypasses your set DNS options and uses the ISP by default. I’ve attached images of my DNS setup. The second line under each of the primary and secondary IPv4 and v6 Cloudflare addresses is for TLS.
 

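For readers who want to see what the “DNS Query Forwarding” plus TLS setup described above looks like outside the pfSense GUI, here is an added example of the equivalent raw unbound.conf forward-zone (not taken from the post’s screenshots or from pfSense’s generated config). It assumes Cloudflare’s public resolver addresses and a FreeBSD-style CA bundle path.

```conf
server:
    # CA bundle used to validate the upstream's TLS certificate
    # (path is an assumption; adjust for your system)
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."                     # forward every query instead of recursing from the root servers
    forward-tls-upstream: yes     # DNS over TLS (port 853) to the upstreams below
    # address@port#authname: the name after '#' is checked against the server certificate
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

Without the `#authname` part unbound still encrypts the session but cannot tell it is talking to the resolver you intended, so keep it.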
It will use whatever you set when the forwarding option is enabled, if you don’t set any DNS then it will just use the ISP default.
So, it is yet another block IP list that is for DNS? Where does the list come from?
 
I’m sorry I didn’t get that if you could rephrase it. I won’t claim to be the most knowledgeable but am trying my best to explain so please bear with me if I’m not being clear on things.
 
I just watched a pfblocker install for 3.0. It is what I originally said in that it blocks by IP. There is no data being analyzed, just blocking by IP. I did not mean to imply it is a simple process, as it is very extensive. And there are several feeds off the internet for what IPs to block. It also blocks by DNS port 53. All domains are broken down by IP, and whether it is 100,000 IPs does not matter as it is IP. There are classful IPs and they can be blocked like that. One block on a class A IP address can block 16,000,000 IPs. So, I am not thinking 1 IP at a time.
 
It’s not just an IP block list; not sure which video you used. Also, yeah, there is no data being analyzed, it’s not like Sensei. The DNSBL part of pfblocker is an additional part aside from IP block lists; it can use your base list to block variants of the given addresses. I also use the TLD blocking section within that, good for malicious site blocking. There’s also stuff like regex etc.

The Lawrence Systems videos are pretty good and what I used when I was first getting into it a few years back.

I’m probably not doing a great job explaining lol, so sorry, but here is an image of items blocked by the DNSBL part of pfblocker on my unit.
 

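As an added illustration of the distinction argued over in the two posts above (an IP block list that covers whole CIDR ranges versus the DNSBL, TLD and regex matching on the queried name), here is a small Python model of both kinds of match. It is not pfBlockerNG’s code, and every feed entry in it is constructed for the example.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample feeds (not real pfBlockerNG lists).
IP_FEED = ["10.0.0.0/8", "203.0.113.0/24", "198.51.100.7"]   # IP list: CIDR ranges or single hosts
DNSBL_FEED = ["ads.example.com", "tracker.example.net"]      # DNSBL: domains, matched with subdomains
TLD_BLOCKS = {"zip", "xyz"}                                   # TLD blocking section
REGEX_BLOCKS = [re.compile(r"^(www\.)?cdn[0-9]+\.example\.org$")]  # regex entries

IP_NETS = [ipaddress.ip_network(e, strict=False) for e in IP_FEED]
DNSBL_SET = {d.lower() for d in DNSBL_FEED}


def covered_addresses() -> int:
    """How many individual addresses the IP feed covers: a /8 alone is 2**24 hosts."""
    return sum(net.num_addresses for net in IP_NETS)


def ip_blocked(addr: str) -> bool:
    """IP block list semantics: an address is blocked if any feed range contains it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IP_NETS)


def dnsbl_blocked(qname: str) -> Optional[str]:
    """DNSBL semantics: match the queried name itself or any parent domain (so
    sub.ads.example.com is caught by the ads.example.com entry), then the TLD,
    then regex entries.  Returns the category that matched, or None."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    # Walk upward: a.b.example.com -> b.example.com -> example.com -> com
    for i in range(len(labels)):
        if ".".join(labels[i:]) in DNSBL_SET:
            return "dnsbl"
    if labels[-1] in TLD_BLOCKS:
        return "tld"
    if any(rx.match(name) for rx in REGEX_BLOCKS):
        return "regex"
    return None


if __name__ == "__main__":
    print(covered_addresses(), "addresses covered by the IP feed")
    for q in ["cdn.ads.example.com", "example.com", "files.zip", "www.cdn12.example.org"]:
        print(q, "->", dnsbl_blocked(q))
```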
pfBlockerNG is fully configurable for IP or DNS blocking with own, community, subscription or mixed blocklists. Multiple free blocklists are available in GUI. It works with Unbound (default DNS Server in pfSense) as Resolver and Forwarder. Suricata and Snort are also fully configurable with own, community, subscription or mixed rules. Presets are available in GUI. Suricata is more efficient in multi-threaded processing. For beginners or testing warning only is highly advisable, when changed to blocking 1h is a good value. Remove common protocol errors rules to keep the logs clean. For SSL inspection (MITM approach) use Squid. Instructions are available online. It creates issues with more sophisticated end-to-end encryption verification. Not advisable for critical applications. My advice for home network is IP blocking firehol_level1, DNS blocking whatever you find fit, Suricata for obvious threats LAN only, no SSL proxy, limiters with codel perhaps (experiment what works best for you). The firewall blocks all incoming WAN traffic by default. If you want to see who's knocking on your door run Suricata for WAN as well and enjoy the logs. Use apcupsd if you have APC UPS. Look at ntopng if you are curious. Service Watchdog is good to have. WireGuard is available, but I can't recommend it for business setups. You can play with it at home.
 
SNORT will also show you who is knocking on your front door if you are using the WAN interface. And SNORT requires tuning. It is not a set and forget system.
 
I read up on Snort and Suricata yesterday. Decided to install Suricata on the test pfsense+ router and have a go with it on LAN. I already use pfBlockerNG on my main pfsense CE router and it still amazes me how much stuff it blocks out.
 
I've been playing with pfSense and OPNsense for the past week, testing them out and deciding which I will actually put on my DS20U.

I think I will go with pfSense. Just one question, are the updates very slow? I mean I did upgrade from CE 2.6.0 to Plus 22.01 which went pretty fast. But updating from 22.01 -> 22.05 is really slow.

Also installing extra packages from the UI feels sluggish compared to OPNSense.

Are there any settings I could change, or what could be the problem?

EDIT: This is on a gigabit fiber connection which works fine considering speeds (about 940 / 940)
 
I read up on Snort and Suricata yesterday.

Last time I checked Snort it had a whole bunch of preset rules available like basic, home network, etc. Easier than Suricata. Try both (one at a time, of course) and see what works best for you. They do the same thing and you have processing power even for single-threaded. Monitor your network for a week in warning only and adjust accordingly. Switch to block for 1h when you are happy with the results and monitor for another week. Fine tune, if needed.
 
Last time I checked Snort it had a whole bunch of preset rules available like basic, home network, etc. Easier than Suricata. Try both (one at a time, of course) and see what works best for you. They do the same thing and you have processing power even for single-threaded. Monitor your network for a week in warning only and adjust accordingly. Switch to block for 1h when you are happy with the results and monitor for another week. Fine tune, if needed.
Since WAN for my test router will be hooked up to the LAN side of my normal network does it make sense to set up Snort on the WAN side instead of the recommended LAN since WAN on the test router side is actually my primary LAN?
 
I've been playing with pfSense and OPNsense for the past week, testing them out and deciding which I will actually put on my DS20U.

I think I will go with pfSense. Just one question, are the updates very slow? I mean I did upgrade from CE 2.6.0 to Plus 22.01 which went pretty fast. But updating from 22.01 -> 22.05 is really slow.

Also installing extra packages from the UI feels sluggish compared to OPNSense.

Are there any settings I could change, or what could be the problem?

EDIT: This is on a gigabit fiber connection which works fine considering speeds (about 940 / 940)

I went through the same process with the Cisco but didn't experience any lag with the update from 22.01 to 22.05. Haven't installed any packages yet but will do tomorrow and let you know.
 
does it make sense to set up Snort on the WAN side

I wouldn't bother. There is nothing much to see there anyway behind another firewall. Your test firewall may start freaking out because of LAN type packets flowing through your WAN. You have to actually allow private IP for WAN in settings, otherwise it will block the traffic. More information here:

 
pfSense is all about custom configuration. There are no two systems with the same settings. For that reason I can only provide general advice. Netgate documentation is pretty good for getting things going. I can't share any screenshots from my business firewalls - they run custom configurations with paid software and subscriptions. Sharing screenshots from my home firewall is also worthless. pfSense is an entire OS and sharing settings without knowing the rest can be destructive. Also - one of the participants in this conversation is in my ignore list and I don't care what issues he has. My previous experience with this member is like explaining what color TV is to a color blind person. I hope you understand and good luck.
 
pfSense is all about custom configuration. There are no two systems with the same settings. For that reason I can only provide general advice. Netgate documentation is pretty good for getting things going. I can't share any screenshots from my business firewalls - they run custom configurations with paid software and subscriptions. Sharing screenshots from my home firewall is also worthless. pfSense is an entire OS and sharing settings without knowing the rest can be destructive. Also - one of the participants in this conversation is in my ignore list and I don't care what issues he has. My previous experience with this member is like explaining what color TV is to a color blind person. I hope you understand and good luck.
Got it. Thanks for the insights. I will get Snort going tomorrow on the test router - we will see what comes out.
 
I went through the same process with the Cisco but didn't experience any lag with the update from 22.01 to 22.05. Haven't installed any packages yet but will do tomorrow and let you know.
Maybe "lag" was a wrong word for it. It looks like the server (Netgate server / repo) for pfSense is just slow?

I am still under the process of updating from 22.01 to 22.05. It needs to download 169 packages (almost done).

There seems to be no "mirrors" for these and the download speed is just slow.
 
I will get Snort going tomorrow

You'll be fine with your knowledge and experience. It will work, but only for what it can see. Nothing encrypted. pfBlockerNG is perhaps more efficient on a home network. It doesn't care if the data is encrypted or not. Blocklist IP or DNS match - out. This is what TrendMicro's malicious sites blocking is doing in AiProtection on Asus routers. What you can target with Snort is common exploits and malicious behavior. Look at available rules options. This is what TrendMicro's IPS is doing in AiProtection. What TrendMicro doesn't allow is custom configurations - available to you in pfSense. Also your advantage - you don't need 3rd party assistance and data sharing.

For home use similar setup can be re-created on an Asus router with Asuswrt-Merlin firmware support:
- pfBlockerNG IP blocking - Skynet + AiProtection
- pfBlockerNG DNS blocking - Diversion/AdGuard + AiProtection, Pi-hole on RPi as option
- Unbound DNS Server - available as script, plus blocking option
- DNS interception - available as DNSFilter
- NTP interception - available as local NTP server
- DoT to upstream - available even in stock Asuswrt
- PIE schedulers - similar available as Cake (with some hardware limitations)
- networks stats packages - available as scripts in different forms

May not be as reliable (limited hardware home router), not as configurable (fewer options), requires data sharing (to TrendMicro) and uses the wrong storage media (USB stick; SSD for better results), but can be done starting from a $100 hardware investment (RT-AC66U B1) and without much network knowledge. This is what this forum is mostly about.
 
Since WAN for my test router will be hooked up to the LAN side of my normal network does it make sense to set up Snort on the WAN side instead of the recommended LAN since WAN on the test router side is actually my primary LAN?
To me I would build this second pfsense to replace my primary one so yes. Once you free up your primary one you can do the same. It gives you a test system. pfsense is going to jump kernels coming up and this system will be handy. They are going to skip 13 and go straight to 14 from what I read these last couple of days after engaging in this thread.

I don't mean SNORT is a bad thing. It is very good. It needs management. I ran it back in the early days, I think late 1990s or early 2000. It has been a while. I also ran it in pfsense maybe 5 years ago; as I am bad with time, it was pfsense 2.2.

PS
Some people don't really understand, they work from screen prints.
 