Anyone using PFSense as a firewall?
- Thread starter pete_c
- Start date
pete_c
Guru
Moving towards a direction of playing with multiple WAN and multiple LAN connections and yes I am using managed switches (not done yet with the endeavor).
I have a few network devices that I play with and my /25 subnet is getting full these days.
Today have been adding packages; going slow with these pieces.
Much easier to see available packages and update than to hand edit and modify Smoothwall.
I have a few network devices that I play with and my /25 subnet is getting full these days.
Today have been adding packages; going slow with these pieces.
Much easier to see available packages and update than to hand edit and modify Smoothwall.
I have been using m0n0wall for many many years (uptime is also expressed in years), which pfSense is based one, and you really can't go wrong. The unit at my office is a custom build, and has 10 interfaces. At home, I use an old P2 266 without any moving parts to power my networks.
I'm planning on building a pfSense VM, but I also like Astaro, as it's free for IT folks at home, so not sure yet which route I'm going to go (since Astaro is expensive as hell in a corporate environment).
I'm planning on building a pfSense VM, but I also like Astaro, as it's free for IT folks at home, so not sure yet which route I'm going to go (since Astaro is expensive as hell in a corporate environment).
pete_c
Guru
Yesterday locked myself out of my PFSense box configuring the ports on it.
I had to go back to the console connection to fix what I did. This though is helping me learn PFSense.
Moving it to the rack (basement comm closet) this week and connecting it to the KVM (Raritan IP 116).
Might move this thread over to a blog and write a DIY with pictures on setting up the PFSense firewall with the 6 NICs.
I had to go back to the console connection to fix what I did. This though is helping me learn PFSense.
Moving it to the rack (basement comm closet) this week and connecting it to the KVM (Raritan IP 116).
Might move this thread over to a blog and write a DIY with pictures on setting up the PFSense firewall with the 6 NICs.
I started with m0n0wall, moved to pfSense, and for the last 3 years have been running Vyatta. pfSense does make setup easy with the WebGUI and has nice graphs for bandwidth usage. However the CLI is powerful in Vyatta and allows for quick configuration. It actually resembles Juniper's JunOS CLI.
I am using a Supermicro X7SPE-HF-D525 board which has an Atom D525 processor and a Transcend SSD. The nice thing about this model board is the IPMI controller has KVM over IP. You can attach an ISO image and install remotely. Power consumption is around 22 watts.
I just saw Ubiquiti released their EdgeRouter Lite, which is based on Vyatta and also includes their custom WebGUI. For under $100 this might be the way to go as I paid way more than that for my setup.
I am using a Supermicro X7SPE-HF-D525 board which has an Atom D525 processor and a Transcend SSD. The nice thing about this model board is the IPMI controller has KVM over IP. You can attach an ISO image and install remotely. Power consumption is around 22 watts.
I just saw Ubiquiti released their EdgeRouter Lite, which is based on Vyatta and also includes their custom WebGUI. For under $100 this might be the way to go as I paid way more than that for my setup.
pete_c said:
If you have a large block of public IPs then 1:1 NAT is the easiest. Incoming traffic to public IP 1.1.1.10 will translate to 192.168.1.10. Additionally outgoing traffic from 192.168.1.10 will leave as public IP 1.1.1.10. If your public IPs are limited then create inbound NAT rules specifying the ports to translate. This allows you to have 1.1.1.10:80 go to 192.168.1.10:80 and 1.1.1.10:443 go to 192.168.1.20:443. Outbound traffic from these devices will utilize the outbound NAT rules and share a public IP.
For secondary firewalls inside your network you do not want to use NAT. Either setup a router with another network subnet and place firewall rules on the interfaces, or bridge two NICs and setup firewalls rules. The bridge is easier as you don't need another subnet, but the router limits the broadcast domain and isolates the networks.
pete_c
Guru
Thanks Guys!
Moving this OP over to a blog today. Will be "playing" with all kinds of stuff as I had mostly hand tweaked the Smoothwall firewall editing and adding stuff manually. So far I am seeing that PFSense all ready includes and includes options for everything; "kitchen sink" and more.
Early work endeavor days here related to hand writing little rules sets IPChains, manually NAT (PITA nat tables) way back.....most recently stuff like learning and writing the in house mechanisms of use for say F5's after learning about them and taking classes et al....have to go slower these days as I am not in a rush and slowing down a bit these years....
Moving this OP over to a blog today. Will be "playing" with all kinds of stuff as I had mostly hand tweaked the Smoothwall firewall editing and adding stuff manually. So far I am seeing that PFSense all ready includes and includes options for everything; "kitchen sink" and more.
Early work endeavor days here related to hand writing little rules sets IPChains, manually NAT (PITA nat tables) way back.....most recently stuff like learning and writing the in house mechanisms of use for say F5's after learning about them and taking classes et al....have to go slower these days as I am not in a rush and slowing down a bit these years....
NAT is enabled by default when you define both a WAN and a LAN interface during the initial setup. if you want to use pf without NAT, you can disable it by setting the NAT configuration to Manual, and then removing all of the outbound NAT rules that were automatically created.
Firewall > NAT > Outbound (iirc)
Also, 'pfctl -d' from the console will temporarily disable the firewall in the event that you lock yourself out. Firewall will be re-enabled as soon as you make a change which initiates a config reload (almost any change does this.).
...v
Firewall > NAT > Outbound (iirc)
Also, 'pfctl -d' from the console will temporarily disable the firewall in the event that you lock yourself out. Firewall will be re-enabled as soon as you make a change which initiates a config reload (almost any change does this.).
...v
Similar threads
