pfSense inpath DPI / setup question
-
Hello all,
to start off, I've never worked with pfSense or any DPI capable solutions yet and was wondering if / how it would be possible to use pfSense only for the purposes of DPI? Ideally I would like to have pfSense between my ISP modem and my router of choice (MikroTik atm) -> pfSense would be at the red circle in the drawing.
Is a setup like this possible, which wouldn't disrupt my MT port forwarding, NAT, subnets, etc.? Can it even be configured "in-path" in such a way?
Apologies if I'm asking silly questions. Also, I wouldn't want to switch to pfSense as a main router, DHCP, etc, at least not for now.
Thanks!
-
@Gomo said in pfSense inpath DPI / setup question:
Is setup like this possible?
FWIW, I got into pfSense for exactly what you're wanting to achieve back in 2016. At the time, and still today, running IDS/IPS on Mikrotik is, I find, cumbersome. So, my setup is Internet > ISP modem > pfSense > Mikrotik RB450x4 > switch > Apple Extreme > clients... even double NATted, no problem. Mikrotik is my LAN boss.
-
@Gomo said in pfSense inpath DPI / setup question:
Hello all,
to start off, I've never worked with pfSense or any DPI capable solutions yet and was wondering if / how it would be possible to use pfSense only for the purposes of DPI?
DPI = Deep packet inspection? Or are you talking about IDS/IPS with Suricata or Snort? What do you want to run on pfSense, tcpdump or Suricata/Snort?
Ideally I would like to have pfSense between my ISP modem and my router of choice (MikroTik atm) -> pfSense would be at the red circle in the drawing.
Is this a real modem? Or also a real router?
Is a setup like this possible, which wouldn't disrupt my MT port forwarding, NAT, subnets, etc.? Can it even be configured "in-path" in such a way?
I would assume very many people are doing it! Me too, in another way and setup, but like that!
Apologies if I'm asking silly questions. Also, I wouldn't want to switch to pfSense as a main router, DHCP, etc, at least not for now.
pfSense can route for sure, but it is a firewall with firewall rules, and on top it can be tuned to act as a full UTM device with AV scanning, proxies to the DMZ and the LAN, and on top doing IDS/IPS.
-
@Dobby_
It's a modem and I'm talking mainly about DPI. Is there a way to achieve this without pfSense being the main router? Because I wouldn't want that. Also, double NAT doesn't sound too great either.
-
@Gomo said in pfSense inpath DPI / setup question:
@Dobby_
It's a modem and I'm talking mainly about DPI.
Let us say you install a small switch and a Raspberry Pi connected to the switch too.
Internet > Modem > switch w/RAPI > MT/RB > LAN
No one takes care of the Pi because it is fully exposed to the internet!
Is there a way to achieve this without pfSense being the main router? Because I wouldn't want that.
Why? It could also be another device for sure. But a pfSense is delivering much more or better capabilities to you.
Also, double NAT doesn't sound too great either.
In IPv6 there is no real NAT like before in former days, but the MT RB is doing it with IPv4 behind the pfSense firewall! The RB is normally doing:
- netfilter = SPI
- network address translation = NAT
You could also not set up NAT and go with plain routing instead for sure, as today's RBs are super fast (RB1100AHx4, RB450Gx4, RB850Gx4, CCR or RB5xxx series will be rock solid and routing really fast)!
-
@Dobby_ Not sure where you got this whole IPv6 thing from? There was no mention of IPv6 being used. I have a static IPv4. And like I've said, I want my MT to stay as the main router.
If you have a suggestion for the originally described setup, please clearly state how you'd achieve it.
I'm sorry, but I'm having trouble understanding you.
-
@Gomo said in pfSense inpath DPI / setup question:
Is there a way to achieve this without pfSense being the main router? Because I wouldn't want that. Also, double NAT doesn't sound too great either.
In my case, the pfSense/Mikrotik together is my main router; however, all the IDS/IPS is in pfSense, as well as pfBlockerNG. Mikrotik does DHCP as well as DNS, with pfSense. If you can, do a custom configuration on the Mikrotik to avoid the double NAT... you must know what you're doing though. Me, I don't mind the double NAT, it's a lot easier than having to reconfigure the Mikrotik from scratch and not break stuff.
-
@NollipfSense Posting this for those who are trying to do the same as described above, this setup is called "pfSense transparent bridge" and here's a bit of documentation about it https://docs.netgate.com/pfsense/en/latest/bridges/index.html & https://support.adamnet.works/t/running-on-a-transparent-pfsense-bridge/79. Kind of surprised no one here was able to point me to it.
-
@Gomo said in pfSense inpath DPI / setup question:
pfSense transparent bridge
Didn't even enter my mind... thanks for sharing.