Netgate Discussion Forum
    Ubiquiti USG-3P to PFSense

    General pfSense Questions
    • stephenw10 (Netgate Administrator):

      You must have NAT somewhere between your public IP and the private internal subnets in order for clients to be able to connect out and replies to know where to come back to.

      By default both the USG and pfSense will apply outbound NAT only one of them needs to. The USG needs to do it in your setup because it has the public IP to NAT to.

      You can disable outbound NAT on the USG as long as it has static routes to the subnets behind pfSense.

      Steve

      • MacUsers (@stephenw10):

        @stephenw10 said in Ubiquiti USG-3P to PFSense:

        You must have NAT somewhere between your public IP and the private internal subnets in order for clients to be able to connect out and replies to know where to come back to.

        yeah, of course!!
        I meant to ask: is it better to do the NATting on pfSense and disable it on the USG, or the other way round? As NAT is enabled on the USG, is it safe to completely disable it on pfSense? Do I need to do anything else as well if NAT is disabled on pfSense?

        -S

        • stephenw10 (Netgate Administrator):

          You have to have NAT enabled on the USG because it has the public IP.

          You can disable NAT on pfSense as long as the USG has static routes to the subnets behind pfSense and is setup to NAT those.

          • NightlyShark (@MacUsers):

            @macusers For most small scale (under 20 users) intents and purposes, you actually don't need both devices; they complicate setup, add latency and cause headaches. pfSense can do everything the USG does, a lot faster (depending on the hardware) and a lot more reliably.

            But, all that is always, just my opinion.

            • MacUsers (@NightlyShark):

              @nightlyshark said in Ubiquiti USG-3P to PFSense:

              @macusers For most small scale (under 20 users) intents and purposes, you actually don't need both devices; they complicate setup, add latency and cause headaches. pfSense can do everything the USG does, a lot faster (depending on the hardware) and a lot more reliably.

              But, all that is always, just my opinion.

              You are absolutely correct! That USG was a sitting duck, and as the rest of my equipment is all UniFi, I thought it would be nice to fill the empty space on the Controller dashboard.

              On a separate note, what can I do for DPI (and possibly IDS) on pfSense?

              -S

              • stephenw10 (Netgate Administrator):

                Use Snort or Suricata. https://docs.netgate.com/pfsense/en/latest/packages/snort/index.html

                • NightlyShark (@stephenw10):

                  @stephenw10 Is there a free (and functional) Snort licence (I think Snort is Cisco, right?)?

                  • bmeeks (@NightlyShark):

                    @nightlyshark said in Ubiquiti USG-3P to PFSense:

                    @stephenw10 Is there a free (and functional) Snort licence (I think Snort is Cisco, right?)?

                    If you mean the Snort Subscriber Rules, then there are two options. There is a free version that you can get by simply registering an email address. That will give you an Oinkcode which is the license key you need to input into the Snort GUI. There is also a paid version of the rules and associated Oinkcode. That license is $29.99 USD annually for individual home use, or around $300 USD annually (if I recall) for commercial or business use. The difference in those two rule packages is that the free license version only gets new rules added after those rules have been in the paid version for 30 days. Or stated differently, new rules are added to the free license version 30 days or more AFTER they were added to the paid version. So, the free version will NOT have detection for the newest zero-day and similar exploits once discovered.

                    A third free option, but not nearly so useful, is the Snort GPLv2 Community Rules. Those are 100% free and require no registration. But that package only contains rules the Snort Vulnerability Research Team (VRT) has released into public domain. That means those rules are usually quite old.

                    When choosing Rules to enable on the GLOBAL SETTINGS tab in Snort, if you have a paid Subscriber Rules Oinkcode, then you do NOT need to use the GPLv2 Community Rules. They are included as part of the rules package that downloads using your paid subscriber Oinkcode.

                    • NightlyShark (@bmeeks):

                      @bmeeks How does Suricata compare to Snort? I have never used DPI/IDS up to this point, but I feel it is time I did.

                      • bmeeks (@NightlyShark):

                        @nightlyshark said in Ubiquiti USG-3P to PFSense:

                        @bmeeks How does Suricata compare to Snort? I have never used DPI/IDS up to this point, but I feel it is time I did.

                        Neither is "better" in terms of security. They differ mainly in the amount and detail of available logging, and Suricata is natively multi-threaded whereas Snort is single-threaded. That means Suricata can perform better when using multi-queue NICs as it will launch multiple processing threads.

                        There is one significant feature difference. Snort offers the OpenAppID feature which is a type of Layer 7 DPI (deep packet inspection) that can detect and alert on many types of traffic that corporate entities like to restrict. For example, it can detect most P2P traffic, Facebook, Reddit and other social media connections, and multimedia streaming plus a few other odds and ends. In a home network, OpenAppID is really not that useful in my view because that traffic is usually wanted and used at home. So I would not factor OpenAppID into my calculation for a home network.

                        Suricata can use most of the Snort Subscriber Rules, but there are a few hundred that use rule syntax Suricata does not understand. If enabled, those rules will produce an error in the suricata.log file produced at startup, and those rules will not be loaded and used.

                        • NightlyShark (@bmeeks):
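The post above notes that Subscriber rules Suricata cannot parse are reported in suricata.log at startup and are then silently skipped. The script below is an added example (not from this thread, the pfSense Suricata package, or the Suricata project) that pulls those refused rules out of the log so a defender can see which SIDs are missing from coverage and, if wanted, list them in pulledpork-style `gid:sid` form for a disablesid file. The log lines it runs on are constructed to match the Suricata 5.x/6.x message layout; the SIDs, file paths and rule text in them are invented, and the `1001_em0` instance directory and `SC_ERR_INVALID_SIGNATURE` code are assumed, not taken from the thread.

```python
"""List the rules Suricata refused to load, from its startup suricata.log."""
import re

# Constructed sample in the Suricata 5.x/6.x suricata.log style (not a real capture).
SAMPLE_LOG = r'''
22/9/2023 -- 10:51:40 - <Notice> - This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
22/9/2023 -- 10:51:41 - <Info> - Loading rule file: /usr/local/etc/suricata/suricata_1001_em0/rules/suricata.rules
22/9/2023 -- 10:51:45 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE A"; flow:to_server,established; sid:1000001; rev:1;)" from file /usr/local/etc/suricata/suricata_1001_em0/rules/suricata.rules at line 120
22/9/2023 -- 10:51:45 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE B"; sid:1000002; rev:3;)" from file /usr/local/etc/suricata/suricata_1001_em0/rules/suricata.rules at line 4077
22/9/2023 -- 10:51:50 - <Info> - 1 rule files processed. 5000 rules successfully loaded, 2 rules failed
'''

# One "error parsing signature" line: error code, the full rule text, its file and line.
ERROR_RE = re.compile(
    r'<Error> - \[ERRCODE: (?P<code>[A-Z_]+)\(\d+\)\] - error parsing signature '
    r'"(?P<sig>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$'
)
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SUMMARY_RE = re.compile(r'(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed')


def failed_rules(log_text):
    """Return one dict per rule Suricata refused, in log order."""
    found = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue  # Notice/Info/other lines are not load failures
        sid_m = SID_RE.search(m.group("sig"))
        msg_m = MSG_RE.search(m.group("sig"))
        found.append({
            "sid": int(sid_m.group(1)) if sid_m else None,
            "msg": msg_m.group(1) if msg_m else "",
            "code": m.group("code"),
            "file": m.group("file"),
            "line": int(m.group("line")),
        })
    return found


def load_summary(log_text):
    """(loaded, failed) from Suricata's rule-count summary line, or None if absent."""
    m = SUMMARY_RE.search(log_text)
    return (int(m["loaded"]), int(m["failed"])) if m else None


def disablesid_lines(rules, gid=1):
    """Unique 'gid:sid' entries (pulledpork disablesid.conf style), sorted by sid."""
    sids = sorted({r["sid"] for r in rules if r["sid"] is not None})
    return [f"{gid}:{sid}" for sid in sids]


def report(log_text):
    """Human-readable summary; flags a mismatch between errors seen and the summary count."""
    rules = failed_rules(log_text)
    out = [f"{len(rules)} rule(s) refused at startup:"]
    for r in rules:
        out.append(f"  sid {r['sid']} ({r['msg']!r}) {r['code']} {r['file']}:{r['line']}")
    summary = load_summary(log_text)
    if summary:
        loaded, failed = summary
        out.append(f"Suricata reports {loaded} loaded, {failed} failed.")
        if failed != len(rules):
            out.append("Warning: summary count differs from parsed error lines; check the log manually.")
    out.append("disablesid entries: " + ", ".join(disablesid_lines(rules)))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real suricata.log by reading the file into `report()`; on pfSense the per-interface log lives under the interface's Suricata directory, so run it once per interface instance. Rather than disabling everything it lists, compare the `msg` of each refused rule against its Snort counterpart so you know what detection the Suricata instance is missing.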

                          @bmeeks Thank you very much, you really did just reduce my time-to-deploy (at home yes, but still) by 4 or more hours by cutting out the try-outs.

                          • NightlyShark (@MacUsers):

                            @macusers What @stephenw10 said, and, the really comprehensive answers of @bmeeks to questions that I had, but for sure, you would have, too.

                            • bmeeks (@NightlyShark):

                              @nightlyshark said in Ubiquiti USG-3P to PFSense:

                              @bmeeks Thank you very much, you really did just reduce my time-to-deploy (at home yes, but still) by 4 or more hours by cutting out the try-outs.

                              I forgot to mention that Suricata is designed to feast upon the Emerging Threats rules package. The Emerging Threats team (now part of Proofpoint) contributed heavily in both people and money to launch the Suricata and OISF project.

                              You will see options in the GLOBAL SETTINGS tab for both Snort and Suricata to enable Emerging Threats rules. ET-Open is free without any registration. ET-Pro is paid and is quite expensive (over $600 USD annually last time I checked).

                              • NightlyShark (@bmeeks):

                                @bmeeks Thank you again, I don't even know at what point I would find out about that. Would probably take me a couple months.

                                • MacUsers (@bmeeks):

                                  @bmeeks said in Ubiquiti USG-3P to PFSense:

                                  Neither is "better" in terms of security. They differ mainly in the amount and detail of available logging, and Suricata is natively multi-threaded whereas Snort is single-threaded. That means Suricata can perform better when using multi-queue NICs as it will launch multiple processing threads.

                                  Since v3.0, Snort has multithreading capabilities.

                                  • bmeeks (@MacUsers):

                                    @macusers said in Ubiquiti USG-3P to PFSense:

                                    Since v3.0, Snort has multithreading capabilities.

                                    Snort on pfSense is still the 2.9.x version, and that is single-threaded. There are currently no plans to update to the 3.0 Snort branch. If you want multithreaded performance, for now your only option is Suricata on pfSense.

                                    You cannot use any parts of Snort 3.x on pfSense. It will badly break both the Snort 2.9.x package, and even Suricata, should you attempt to download and use Snort 3.x rules packages.

                                    • MacUsers:

                                      @bmeeks
                                      Yes, you are right. Didn't notice it's still stuck at v2.9.20.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.