Hardware for pfsense

Steve_bullockuk · 22 May 2017 at 16:56

Vimes said:
I did end up going back to a router tho.

Interested to know why.

ibpalle · 22 May 2017 at 17:21

I used to have a bit of kit to run my Home Smoothwall version on but moved to a VM once I started using the web filter portion of the product. Works really well as I have a file server running 24/7. Basically just a VirtualBox install on my Fedora server and then 2 NICs on the file server. One is the File server LAN interface and bridged as the LAN interface of the Smoothwall as well. 2nd interface is not brought up by the file server OS but bridged to the external side of my Smoothwall VCM, which then connect to a PPPoE fiber modem. Works great and the file server is a Xeon based system with 6 cores so it handles the Smoothwall, a Zentyal server (SMB type system) and a workstation for downloads etc.

Vimes · 22 May 2017 at 17:35

Steve_bullockuk said:
Interested to know why.

Underpinning anything else that I write is a weak and feeble brain. So after taking that into consideration....

All that I wanted from a pfsense box was a means to maximise my connection whilst using a VPN with AES 256 CBC encryption. Regardless of what else it could do that was my primary need. I was very happy with a consumer router before I started to use AirVPN but I thought, somewhat wrongly given my throughput, is that the only way to maximise my connection was to build a pfsense box.
Even by building that box I still needed a wireless solution so a router, as an AP, was still going to be connected and running.
However I could not get my head around the size of the pfsense box and the UI, for me it was far too elaborate and complex for what I would ever need.

I then found that either a Netgear R7800 (dual core 1.7ghz) a Linksys ACS1900 (dual core 1.6ghz) or a Linksys WRT3200 (dual core 1.8ghz with hardware decrypt being offered in DD-WRT) could give me a maximum throughput and the virtues of having a consumer router running DD-WRT.

Each to their own etc but for me the R7800 works fine for what I want it for, and was even more attractive when Amazon had it on sale.

lmfy2k · 23 May 2017 at 09:56

@ChrisD. what kind of throughput are you getting through the pfsense device? have you tried Openvpn as client yet?

ChrisD. · 23 May 2017 at 10:14

lmfy2k said:
@ChrisD. what kind of throughput are you getting through the pfsense device? have you tried Openvpn as client yet?

Haven't measured anything specific but it maxes my FTTC connected with ease. Haven't set up OpenVPN as of yet.

ChrisD. · 29 May 2017 at 11:54

Just configured it so that I can access my Vigor 130 from the pfsense box, took about 5 minutes using the online documentation. Really happy with it so far.

zoomee · 30 May 2017 at 10:46

pc-guy said:
Sophos is terrible. we have sophos on our firewall at work. it didn't catch some ransomeware which resulted in half of our networked drives being encrypted. It also doesn't detect some viruses. It often times throws up false positives on cookies. It is truly dire piece of software. It shouldn't be allowed to exist as it is next to useless - in fact it is probably worse than not using an anti-virus as the user will be aware that they are not protected, but having sophos gives user false sense of security thinking he or she will be protected in fact it is offers very little protection.

Well it's hardly an enterprise setup we need at home lol.

As an overall firewall/dhcp server/ IPS scanner/ Web Proxy and VPN gateway its a complete package that just works out of the box compared to pfsense. It doesn't require seperate resource hungry components (like snort) to offer far more features. Ransomware is something that is pulled through via an email or something - even our fortigate and mcafee setups at work can't catch them so its nothing that worries me.

I've had a complete reduction of attacks to ZERO on my NAS box since using Sophos - full control over the kids browsing and a hell of a lot more - only restriction is your limited to 50 devices - which isn't an issue at home (I used up about 33 in total).

ChrisD. said:
We are running Sophos AV on our email gateway at work and we can't get it to pick up the EICAR test virus.

To quote Sophos:

The EICAR test string is not a virus, it is an industry standard detection test. Sophos Anti-Virus will report its presence as EICAR-AV-Test virus.

Once you start adding the same level of components to pfsense it needs far more resources than Sophos to continue ticking over. Working in the IT security industry, I know individuals that can get around pfsense firewalls in 5 minutes flat. (Sophos takes them a lot longer but I have a honey pot setup too for that instance lol).

My Braswell NUC sits at 20% CPU useage, 40% RAM and Pagefile useage - hardly resource hungry for all the bits I have enabled.

ChrisD. · 30 May 2017 at 10:48

zoomee said:
I know individuals that can get around pfsense firewalls in 5 minutes flat.

With physical access?

zoomee · 30 May 2017 at 10:55

ChrisD. said:
With physical access?

Nope and sorry I can't divulge anymore information than that. It's a bold claim I know but it just goes to show no firewall is completely hack free if your in the industry- Sophos took him 20 minutes to get around which is why I feel slightly safer with it. He recommended it above pfsense which was a surprise for me! (and also influenced my reasoning for sophos).

ChrisD. · 30 May 2017 at 11:00

That is an extremely bold claim considering it's in wide use in the industry.

Armageus · 30 May 2017 at 11:07

ChrisD. said:
That is an extremely bold claim considering it's in wide use in the industry.

Short of a few cross site scripting exploits that affect the web gui, I can't see that there have been any major exploits discovered in PFSense.

@zoomee I assume your "industry individuals" have reported these exploits?

zoomee · 30 May 2017 at 11:40

Armageus said:
Short of a few cross site scripting exploits that affect the web gui, I can't see that there have been any major exploits discovered in PFSense.

@zoomee I assume your "industry individuals" have reported these exploits?

There was also a brute force attack method that worked but I think has been patched since.

He wouldn't divulge his methods to me bud, but I trust him fully - and in all honesty I didn't want to know due to time and me being paro enough as it is!
That's all enterprise level stuff anyhow chaps - don't let me scaremonger normal consumers

ChrisD. · 30 May 2017 at 12:09

zoomee said:
He wouldn't divulge his methods to me bud

Most pen testers/security people just run off the shelf software. Anyone with half a brain can do it and if there was a known exploit then that doesn't surprise me. It's why most places I work with that want to be secure run a dual vendor firewall solution.

If he's good enough to be writing his own stuff then without knowing particular details, he must be in a pretty decent position at the company.

Steve_bullockuk · 30 May 2017 at 12:13

Is 'pfSense v Sophos UTM' the new 'IOS v Android'?

zoomee · 30 May 2017 at 12:15

I'm sure there was a third one I was looking at too...... - make that iOS v's Android v's Windows Phone

anyways - here yaar chaps: http://www.backtrack-linux.org/ - test away

I think the third was untangle I was looking at: http://alternativeto.net/software/pfsense/