Suricata: Run pfSense on second Asus router or thin client?


JaimeZX

Senior Member
EDIT: Just realized I had "Dell" when I meant "HP." Dell T730 is a rack-mount server. :p

Hey guys... a bit torn between two Courses of Action here. Looking for some insights.

COA 1:
==WAN==ASUS1+Skynet & Diversion===ASUS2 (Routing) + Suricata===LAN/WLAN

COA 2:
==WAN==HP T730 w/ pfSense === ASUS+Skynet & Diversion (Routing) ===LAN/WLAN

COA 3:
==WAN==ASUS1+Skynet & Diversion === HP T730 w/ pfSense == ASUS2 (Routing) == LAN/WLAN


Pros of COA 1:
* Less monitoring of Suricata required because Skynet is doing a lot of pre-filtering
* Cheapest: I already have two Asus routers
Cons of COA 1:
* AC3100 less capable than T730 (or T620+, for that matter); may not be able to keep up with heavy packet inspection

Pros of COA 2:
* More secure than COA 1
* Skynet might not have much to do
* HP can also pick up the VPN server duties
Cons of COA 2:
* Suricata gonna be a lot busier without Skynet filtering; probably more results to sort through

Pros of COA 3:
* Skynet & Diversion pre-filter for Suricata, reducing load
* No more expensive than COA 2
* HP can also pick up the VPN server duties
Cons of COA 3:
* Most complex; need to deal with three devices
* Most power consumption

Thoughts here? I have a strong affinity for Skynet and recommend it to everyone in the breath following "get an Asus router", but I also love the idea of heuristic filtering and more extensive logging in Suricata... and a separate box with 4-8GB of RAM & a 1.6GHz dual-core CPU has a lot more oomph than the AC-3100 w/ 2x 1.4GHz & 512MB.

I NEEEEDS TEH SECURITEHHS

rgnldo

Very Senior Member
COA 4:
==WAN==ASUS1+Skynet+Unbound (without ad filtering by DNS, with DNSSEC enabled) == ASUS2 AiMesh

COA 5:
==WAN==Dell T730 w/ pfSense === ASUS mode AP ===LAN/WLAN/WIFI

On pfSense, change the default behaviour to drop all packets. Allow essential connections: DNS, HTTPS, NTP, ICMP type 8, WHOIS and other access ports specific to the IP of the local network.
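The default-deny policy rgnldo describes, written out as a pf ruleset. This is an added illustration, not anything from the thread or from pfSense itself: pfSense generates its rules from the GUI, so this is the equivalent pf syntax, and the interface names and the admin host address are assumptions.

```pf
# Added illustration, not from the thread. Interface names and admin host are assumptions.
wan_if  = "em0"                      # assumption: WAN NIC
lan_if  = "em1"                      # assumption: LAN NIC
lan_net = $lan_if:network
admin   = "192.168.1.10"             # assumption: the one host allowed to manage the firewall

set skip on lo0
set block-policy drop                # drop silently: no RST, no ICMP unreachable
scrub in all                         # reassemble fragments before filtering

# 1. Default behaviour: everything is dropped, and the drop is logged.
block log all

# 2. Essential client traffic entering from the LAN (pfSense evaluates its
#    LAN-tab rules on packets arriving on the LAN interface). State is kept
#    by default, so replies come back without an explicit rule on WAN.
pass in quick on $lan_if inet proto tcp  from $lan_net to any port { 53 443 43 }   # DNS, HTTPS, WHOIS
pass in quick on $lan_if inet proto udp  from $lan_net to any port { 53 123 }      # DNS, NTP
pass in quick on $lan_if inet proto icmp from $lan_net to any icmp-type echoreq    # ICMP type 8

# 3. "Access ports specific to the IP of the local network": the firewall's
#    own SSH/HTTPS management, reachable only from the admin host.
pass in quick on $lan_if inet proto tcp from $admin to $lan_if port { 22 443 }

# 4. Flows that were admitted above may leave via WAN (outbound NAT for the
#    LAN would also be configured here; omitted).
pass out quick on $wan_if from any to any
```

Anything not matched by rules 2 and 3 (SMB, unknown UDP, inbound connection attempts from WAN) falls through to the logged default drop, which is what you then tail in the firewall log to confirm nothing essential was missed.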

JaimeZX

Senior Member
COA 4:
==WAN==ASUS1+Skynet+Unbound (without ad filtering by DNS, with DNSSEC enabled) == ASUS2 AiMesh

COA 5:
==WAN==Dell T730 w/ pfSense === ASUS mode AP ===LAN/WLAN/WIFI

On pfSense, change the default behaviour to drop all packets. Allow essential connections: DNS, HTTPS, NTP, ICMP type 8, WHOIS and other access ports specific to the IP of the local network.
OK... I'll need to look into Unbound to better understand COA 4. Not sure how your COA 5 is different from my COA 2, except leaving out Skynet & Diversion?

What kind of throughput are you expecting through Suricata?
Well, right now we have 200MBit service, which the T620+ might just barely be enough for, but I only see that getting faster in the future. Still looking into the T730 capacity.

rgnldo

Very Senior Member
What kind of throughput are you expecting through Suricata?
I use Suricata 5.0.4 without any problem. I recommend the more reliable INLINE mode.

OK... I'll need to look into Unbound to better understand COA 4. Not sure how your COA 5 is different from my COA 2, except leaving out Skynet & Diversion?
If DNSSEC is enabled, I don't recommend blocking ads.

New2This

Regular Contributor
I use Suricata 5.0.4 without any problem. I recommend the more reliable INLINE mode.


If DNSSEC is enabled, I don't recommend blocking ads.
Why don't you recommend enabling the ad blocker?

What about using Pi-hole instead, and keeping Unbound?

JaimeZX

Senior Member
I use Suricata 5.0.4 without any problem. I recommend the more reliable INLINE mode.
I like this very much; I remember in the original Suricata thread you suggested Suricata didn't play well with Skynet, and in your COAs 4 & 5, above, you clearly haven't included it. In your COA 4, I'm not even sure why there is a second Asus. (?) Meanwhile in your COA 5, there's nothing before pfSense. I'm guessing you figure Suricata on its own (or Suricata + pfBlockerNG) is sufficient? I'm just recollecting the discussion that most of our Asus routers didn't have the horsepower to inspect every packet at gigabit speeds... thoughts?
If DNSSEC is enabled, I don't recommend blocking ads.
Why?
Thank you for your time and cycles.

steelskinz

Regular Contributor
Just to be clear, what I actually use is WAN => OPNsense (6 ports) => LAN computers/NAS, with one port => ASUS AP (all wireless) and one port => Docker with AdGuardHome for DNS with DNSSEC on (same as Pi-hole). Is that not a good idea, if I read correctly?

Second question: it seems that you prefer pfSense over OPNsense. Is it because we can't have pfBlockerNG on OPNsense? I use Sensei and I can't find the same thing on pfSense.