Netgate Discussion Forum
    FreeBSD apps to load behind pfSense?

    coffeecup25

      I have a spare 2.5 Gb multi port pc that I plan to configure to pfSense. It's partly for fun and partly to have a backup for my current pfSense router.

      My existing pfSense router has a 2nd isolated subnet for IoT on a spare port. I also have Adguard Home working on it thanks to an article I found on the internet. The spare will also be configured this way.

      My question is: What other background applications other than Adguard Home would be a good idea to run in the background without compromising the security of pfSense? FreeBSD appears to have a lot that can be loaded behind pfSense. DLNA and samba are possibilities but low priority as I use other devices that do both better.

      What's out there that would be interesting and mostly safe?

      KOM @coffeecup25

        @coffeecup25 I would never add extra stuff to the firewall like that. That just increases the attack surface. Instead, I would make that box a Proxmox host, then install virtualized pfSense, containerized Pi-hole, and whatever else you want.

        coffeecup25 @KOM

          @KOM Thank you. I substantially agree.

          But Adguard Home loading behind pfSense raised the question in my head. I can't see how it could cause harm unless the entire Adguard company was compromised, which seems unlikely. OPNsense offers an option to do the same thing with a little hand holding from within the router program. The risk seems minimal there.

          I even have Adguard Home servers working on my Windows file servers as native Windows programs, although they mostly just sit there because pfSense has it loaded within now. Moving it to pfSense seemed safe while removing a layer of complexity. Everything is now self-contained within the router / pc.

          But it raised the possibility about something else with the same risk level being available and useful in the context of a router. The apps I am thinking about would be common ordinary FreeBSD apps.

          Thanks, again.

          LukasInCloud @coffeecup25

            I agree with @KOM since adding extra applications can increase security risks; it's wise to be cautious. And I understand your point about Adguard Home seeming safe, especially since it's working well on your pfSense. It might be worth looking into other FreeBSD apps. What apps are you considering for now?

            coffeecup25 @LukasInCloud

              @LukasInCloud Nothing in particular. I looked at the FreeBSD apps list online and nothing jumped out, but there appear to be thousands and many do things I never thought of. I only skimmed it briefly.

              I also understand the inadvisability of using a router as an app server. But I also line up on the side of never putting the router in a hypervisor, and lots of people do that without a second thought. So rules are meant to be broken sometimes.

              I found an article on the internet from a person in India that walked me through the Adguard Home install. The only difficulty for me was assigning DNS ports correctly so pfSense could coordinate with it. I created my own problems there by selecting DNS servers differently than suggested.

              I'm open to suggestions. What seems like a natural fit? Or an interesting one?

              Gertjan @coffeecup25

                @coffeecup25

                Think about this one :
                Why did Netgate choose to use FreeBSD as the base OS ?
                I'll take any answer ^^
                Now, let's add one more step : why did Netgate use FreeBSD, and change some of the core essentials ? Like not using /etc/xxx as the main place for all its own configuration settings and all the added FreeBSD packages ? And more : why are some default library folders moved to other 'non standard' places ?
                The thing is : when you install any available FreeBSD native package, this package will presume that it is installed on a native FreeBSD, and that you used the ISO that you took from here : https://www.freebsd.org/where/

                It all boils down to : pfSense uses FreeBSD. pfSense is not FreeBSD.

                Enough for the bad news.
                Now some good news.
                All this is open source. So it is not they (FreeBSD, pfSense, etc.) who decide what happens with your system. You decide. After all, an ancient law applies : you do your things. You assume your stuff.
                So, make it happen ^^

                Still, if you could pull this one off : install X-11 on pfSense ( 😊 )

                Plan Z ... wait, sorry, not Z, that one is already taken, Plan W (!) : why do you need pfSense ?
                Install FreeBSD from the source mentioned above, add, if it's not already included, the 'pf' package (the firewall) and add unbound, and some more, and make your own 'FreeBSD firewall'. True, you have to make your own GUI, but why should you ?? Do what has been done for the last x decades : edit the needed configuration files and you could have a very comparable firewall router with no nasty "no more FreeBSD package restrictions" ^^

                @coffeecup25 said in FreeBSD apps to load behind pfSense?:

                I'm open to suggestions. What seems like a natural fit?

                Another point of view : pfSense ... a couple of hundreds of thousands of users (installed firewalls), so as many firewall admins, and some of them are experts in this domain.
                If that one and only obvious FreeBSD package was missing, and everybody would gain with its by using on its ... wouldn't it already be there ?

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                coffeecup25 @Gertjan

                  @Gertjan I think your point was that pfSense is not a complete FreeBSD implementation so not all FreeBSD apps will work in it. If so, it's a good one. After that I got a little confused with your explanation.

                  I'm nowhere near skilled enough to build a fork of pfSense. Figuring out the dns interactions between pfSense and Adguard Home was my limit.

                  Adguard Home works fine in FreeBSD because they offer a FreeBSD implementation and I possibly lucked out when it worked in pfSense. Although the internet said it would work because others were successful in loading it.

                  Adguard Home doesn't need a GUI. It uses HTML like Pi-hole uses when Pi-hole is installed in Ubuntu Server, my old ad blocker.

                  Windows made Hyper-V / Ubuntu Server - Pi-hole unstable when Microsoft was still pushing upgrades to Windows 11. Unattended restarts on my home servers would halt for an ad before Hyper-V loaded and having no DNS brought down my whole network. I went back to pfBlockerNG after that but found the interface too difficult to work with when I'm on the hunt to block or unblock a new site. Adguard Home on OPNsense works well but I disliked learning a new router. They put everything in different places. Hence my efforts with pfSense and Adguard Home.

                  I was thinking along the lines of apps that also did not need a GUI. Sorry to be unclear about that.

                  bmeeks

                    Don't think of applications in isolation. With a package installation, you almost never install only a single binary. Most packages have a lot of dependencies. These are various shared libraries the binary needs to function. It can include database tools, additional libraries for graphs or fonts or translation, text handling tools, and even complete interpretive languages. For example, I once looked at a log exporter client that I was considering using with the Snort package until I found out that log export client needed Java as a language dependency. Installing that single log exporter binary package would have pulled a complete Java installation down and installed it on the pfSense firewall as a required runtime dependency! Very bad indeed 😁.

                    This is the problem with installing extra packages on your firewall. The dependencies that get automatically installed by the pkg utility will greatly amplify the potential attack surface. Plus, you now will have "non-pfSense" libraries on your firewall. And if one of those is later discovered to contain a critical vulnerability, you might never know because if the library is not part of the standard pfSense installation, you won't get any security notices from Netgate about it.

                    For example, Adguard Home installs a complete Go language package on your firewall because Adguard Home is written in Go. See the dependency here: https://www.freshports.org/www/adguardhome/. That Go 1.2.4 package is then going to pull in its own list of dependencies and bring onboard more potential attack surfaces. Here is the list of Go 1.2.4 language dependencies: https://www.freshports.org/lang/go124/. Scroll down the linked page and find the RUNTIME Dependencies list. And I won't keep going, but it is very likely the dependencies for Go 1.2.4 will in turn pull down some of their own runtime dependencies. And if one of these runtime dependencies is the same as one pfSense uses but just happens to be a slightly newer version, then you can completely bork your pfSense installation when that newer library gets installed over top of the existing one from pfSense. That's why installing packages from third-party repos (even from FreeBSD itself) is very risky.

                    SteveITS @bmeeks
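                    A small pre-install check of the kind bmeeks's post argues for, added here as an example; it is not code from the thread, from pfSense or from pkg(8). It walks a package's dependency closure over constructed data shaped like pkg(8) query output (the format strings are assumed) and separates packages that would be new to the firewall from installed ones whose version would be replaced.

```python
"""Dependency-closure check before adding a FreeBSD package to pfSense.
Added example, not code from the thread, pfSense or pkg(8). Input is constructed
text shaped like (assumed formats) `pkg rquery -a '%n %v %dn %dv'` for the
repository edges and `pkg query '%n %v'` for what is already installed."""
from collections import deque

# Constructed data; package names and versions are illustrative only.
REPO_EDGES = """\
adguardhome 0.1 go124 1.0
adguardhome 0.1 ca_root_nss 3.0
go124 1.0 libunwind 1.8
libunwind 1.8 pkgconf 2.0
"""
INSTALLED = """\
ca_root_nss 3.0
libunwind 1.7
openssl 3.0
"""

def parse_edges(text):
    """deps: name -> [(depname, depver)]; versions: name -> repo version."""
    deps, versions = {}, {}
    for line in filter(str.strip, text.splitlines()):
        name, ver, dname, dver = line.split()
        versions[name] = ver
        deps.setdefault(name, []).append((dname, dver))
    return deps, versions

def closure(pkg, deps, versions):
    """Every package pkg would pull in (itself included), as name -> version."""
    pulled, queue = {}, deque([(pkg, versions.get(pkg, "?"))])
    while queue:
        name, ver = queue.popleft()
        if name not in pulled:          # each node visited once, so cycles are safe
            pulled[name] = ver
            queue.extend(deps.get(name, []))
    return pulled

def assess(pkg, repo_text=REPO_EDGES, installed_text=INSTALLED):
    """Return (new, replaced): new = packages the box does not have yet (extra
    attack surface that Netgate advisories will not cover); replaced = installed
    packages whose version would change, the overwrite case bmeeks warns about."""
    deps, versions = parse_edges(repo_text)
    installed = dict(l.split() for l in filter(str.strip, installed_text.splitlines()))
    pulled = closure(pkg, deps, versions)
    new = {n: v for n, v in pulled.items() if n not in installed}
    replaced = {n: (installed[n], v) for n, v in pulled.items()
                if n in installed and installed[n] != v}
    return new, replaced
```

On the constructed data, `assess("adguardhome")` reports three packages that would be added and one installed library that would be replaced by a different version.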

                      There also may be other approaches such as redirecting DNS to a VM on LAN, similar to:
                      https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

                      Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
                      Upvote 👍 helpful posts!

                      coffeecup25 @bmeeks

                        @bmeeks Thank you.

                        Your points are excellent. I believe I will back off from adding more supplemental apps. Adguard Home works with OPNsense as a 3rd party add-on without complaint so I will leave that alone for now. But I will also keep an eye out for issues with that configuration.

                        Worst case is a reinstall of pfSense and a restore of the backup configuration. My Windows Adguard Home servers are available if needed.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.