PFsense alternative to UTM server features
-
please i will like to know if there is alternative to pfsense based on UTM servers like untangle that has web applicationeg anti virus, anti spam, web filter, ad blocker etc.
is there any addons or alternatives to these features in PFsense. am talking of some layer 7 features(web applications)?Newbie in the house.
thanks.
-
So you are looking to replace pfense with something else? If so, it's a little odd to be asking on a pfsense forum, no?
-
So you are looking to replace pfense with something else? If so, it's a little odd to be asking on a pfsense forum, no?
dont misunderstand me. i am new here and i want to install PFsense very soon. now i want to know if there is a way one can enjoy the features of some UTM servers which are under layer 7 just like untangle server.
just asking because those features are worth it, eg web filters, antivirus, anti spam, adblocker, etc. -
You are best to run untangle in transparent mode behind pfsense.
you will get the hardened firewall with the pf scrub in pfsense.
You can add packages through simple to use package installer in the pfsense gui.
Add country block, ip block, SNORT, and pfsense 2.0 that has not realeased yet will add L7 filters as well.
I currently run my systems this way and it has work flawless for me since the Untangle project released to 2007.
You are best to stick with pfsense as your edge firewall though and run the Untangle behind it.
If this does not fit your needs, Look at Endian, ClearOS, or Astaro.
Hope this helps.
-
@darklogic82 please can you make your more simple for me to understand, i am a complete novince in all, are you saying that i can integrate untangle with PFsense or the other way round PFsense into untangle?
please elaborate more in a simple language.
i am already making arrangements to order the definitive guide PFsense book which is going to help me out.thanks for coming in.
-
So here is an example of how I have things setup:
Internet <–-> ISP Router <---> pfSense <---> Untangle In Transparent Mode <---> LAN
You will need at least 2 machines with 2 networks cards in both machines LAN/WAN.
One machine is for pfsense and the other machine is for the Untangle.
The default install of an Untangle system will ask if you want to install the system as a router firewall or in transparent bridge mode. You will want to choose Transparent mode. This will pass all traffic through the Untangle system as if it is not even there, but you still get all the great filtering aspects of it.
The pfsense system will be in front of your Untangle system. The pfsense system is what will be doing all your NAT and Firewalling from the Internet. You set your pfsense box as the DHCP server which can pass seamlessly through the transparent Untangle system to your Internal Host. Your Untangle box will only have 1 local IP assigned to it for management purposes. Your pfsense box will have the internal local IP, which would be your gateway IP and will either do DHCP or Have a static IP on the WAN/Internet interface.
Do not set your host to point at the Untangle system IP for a gateway. The IP assigned to the Untangle system will only be there for management reasons! You will want to point your machine gateway to the pfsense LAN IP and not the Untangle management IP.
Example: Internet <--- ISP router <--- WAN Interface IP <--- pfSense <--- LAN Interface IP 192.168.1.1 <--- Untangle Management IP 192.168.1.2 <--- Internal Network.
Hope this is a little more clear.
-
that is more clear and awesome as well, i so much like that idea is just that i am a newbie and need to do much home works, woudn't mind if you can give me hands and links or ebooks that will help me out. i will love to be a professional Network systems administrator. that is what i have passion for. i also need a mentor, at least i can practice now that i am managing an internet cybercafe.
thanks so much.
-
"Internet <–-> ISP Router <---> pfSense <---> Untangle In Transparent Mode <---> LAN"
So you mentioned you put untangle in bridge mode.. But what about pfsense? Looks like a double nat to me when you put in ISP router in front of your pfsense. Did you mean to say modem? Is this a business type setup where your isp router is giving you public ips on its lan side?
In most home setups, a ISP router would be doing NAT. And you clearly say your pfsense box is doing nat as well - so you got a double nat there - not something you would normally want.
-
ISP Router or Modem means the same thing. Some Routers/Modems do NAT some do pass through, some even act as home wireless devices if requested from your ISP. ISP in general is your "Internet Service Provider", which I assume you know. The modem AKA router would still have a mangement IP on it either way. It simply routes traffic wether it does NAT or not. Cisco 101 CCNA & CCNP
My router is simply in passthrough mode, which means I can assign a public IP to the WAN interface of my pfsense box, and all traffic is routed/passthrough my ISP router/modem. At no point and time do I perform NAT twice. I do have additional security appliances further in my network that will NAT or PAT a second time to hide addtional internal networks.
I have successfully done NAT numerouse times at the gateway level, but only for the fact of port knocking and triggering to redirect to a different network from the edge firewall. There is nothing wrong with doing NAT twice if you know what you are doing.
My setup I described in no shape or form is doing NAT twice.
-
Your use of the term isp router is the confusing part, to the home user – which is why I brought it up.
I deal alot with home users and when you say router, its pretty much a given that NAT is being done, I have never seen one that was not setup for NAT out of the box. And then its rare that you can even turn it off. -- when a ISP gives the user what they call a "modem" its rarely the case except for cable - I would call it a gateway (modem/router combo).
In the home broadband market, the terms makers and ISP uses for devices can be frustrating when dealing with the customers. If they say router, its safe to assume nat.. When they say modem you have to check - since most likely its not just a modem but a gateway - nat is prob going on. What is confusing for users is the devices that only have 1 ethernet port but still do nat, etc.
Just wanting to clarify is all, as to nothing wrong with doing double nat -- I disagree.. Unless there is a SPECIFIC reason to do such a thing, it only makes the things more complex, and very confusing for the user wanting to do port forwards, etc. I see issues all the time when users want to add more ports to their network and the idiot at the computer store sells them another router -- they plug it in and now there is a nat between their devices on the first device and the second. So file sharing and such does not work, they can not figure out why X does not work, they forwarded the ports on the 2nd device, etc. etc.
Even when you fully understand that there is more than one nat between you and the public net, etc. I just don't see the point why anyone would really want to do it. It just complexes up the setup for no reason IMHO.
-
Excuse me for butting in, but I wanted to add my unsolicited .02 here.
Darklogic is trying to be of assistance and answer the poster's question. I don't recall the OP stating that their question was regarding a home setup. (IMHO, two firewalls is a bit much for a home setup.) There are plenty of people using pfSense for business deployments in which it is common to have an ISP router not running NAT before the firewall. I agree that double-NAT is problematic, but it is unwarranted to criticize Darklogic for using the term router correctly- just because most home routers also do NAT does not mean that saying router implies NAT… -
I did not mean to criticize, I was just asking for "clarification" is all.
And in what world would a complete novice as the user clearly stated he is have anything to do with a work setup.
I agree with you, there are many uses and many deployments in the business network for pfsense setup, but there are also many home users using it. I have it in place if a few business location myself, but also use on my home network, and so do many of my computer/network literate friends
Again did not mean to criticize his use of the term in anyway, in a work setup I would assume that the isp router (border router) he mentions would not be doing nat.. Again was just asking for clarification, since I assumed the OP was in a home type setup.
Darklogic I hope you did not take my question the wrong way, I surely did not mean anything by my post.
-
johnpoz,
I did not take your post the wrong way. No worry, I am not a thin skinned person who takes things personally. I understand that people have their own personal experiences with things, and I say stick with what works for you. No one person will know and understand things the same way as another "to a point".
dotdash,
I am glad you seen my point in terminology, that is kind of the Cisco side of things coming out of me a long with projects like Vyatta, which is as close to Cisco I have ever seen in an open source project. I still find myself drawn toward pfsense and have always since the 1.0 days. The ease of use with a pfsense system is amazing and tops all others.
Johnpoz,
These days if I had to choose over a Cisco PIX, ASA, some other network security device, or pfsense, hands down I will take a pfsense system with a DELL Poweredge server with all the bells and whistles. Pfsense is great and will keep out your unwanted hackers, intruders, breaches, security analyzers, or whatever you may want to call them. But, pfsense is not equipped to handle UTM based services at the moment. The project is getting close, but not quite there yet. That is why I was explaining to the user how he could accomplish what he was looking for and have the best of both worlds. I feel that these days if you don’t use something such as Untangle to help filter your Internet usage, you are going to get in trouble even if you have just a SPI firewall. No one firewall is good enough unless you have something doing UTM based services such as IDS/IPS, SPAM filtering, Phishing filtering, Spyware/Malware filtering, Web filtering, Protocol filtering. And even after all this you still run a risk of having something go wrong.
I agree on sales people selling someone a router saying this is what you need is wrong when they don’t know the users home setup and having issues forwarding ports, but to be honest, I can’t think of an ISP that issue out modems/routers that do NAT and actually give the home users access to it in order to make changes unless it is at least a business class service and even that is questionable. I believe this is done to prevent users from hosting services and forcing them to upgrade their ISP service to at least business class to get this kind of ability so they can make more money. I primarily see this in DSL services. And for those that don’t have this issue, well they simply say hey I don’t care about the static IP’s I will use a service such as dynamic DNS.
Anyways we could hash out the semantics all day long. I just feel it is important to realize that everyone has an opinion that may be correct if it works for them. We all have our own perks.
-
hmm! my post got to the extent i did not expect, i really appreciate you guys effort in responding to my post, though at a point i was lost….lol.
@darklogic82- i have said it earlier on, please i need a mentor. In our internet cafe, we use ISP modem----Untangle, then mikrotik hotspot configured as DHCP client as our WIFI biller while untangle is the DHCP server for our LAN.
i have successfully ordered for PFsense: definitive guide.i am very grateful for your replies
thanks so much.
-
OK, so what do you need help with? Ask the question/s and I will do my best to help assist in your setup needs.
Take Care,
Matt
-
@darklogic82:
OK, so what do you need help with? Ask the question/s and I will do my best to help assist in your setup needs.
Take Care,
Matt
Thanks for giving me your assurance to assist, i will PM you ASAP when i am fully ready.
thanks so much.