    Things the forum needs to fix.

    • KOM

      after all pfsense is a HOME firewall.

      Yeah, you kind of lost me here.  pfSense is certainly not what I would consider a personal firewall, although it can certainly be used as one.

      Some information can seem contradictory due to different scenarios or circumstances.  For example, floating rules aren't something you need to worry about just yet.

      I do agree that the forum stickies are a total mess with ancient content going back years.

      • kejianshi

        Now that the packet filter is not core-locked, pfsense is even better for industrial purposes.

        • Heimire

          @fdisk:

          after all pfsense is a HOME

          Interesting,

          I see pfSense as a replacement for commercial products used in the SMB segment, not as a home use product.
          I also see many "techies" use the product at home but don't expect that many non-tech type people using it at home.

          Just because it's free doesn't mean it's 'cheap'.

          We are using it in HA mode in our data center.  We replaced a Sonicwall HA system with pfSense and I am liking it much better than the previous setup.

          There is plenty of good knowledge in this forum and many willing to share it.
          Plus the pfSense guys are active here and helpful too.

          • jimp Rebel Alliance Developer Netgate

            The forum, as a source of documentation or a database of static knowledge, is a poor medium. That's what the Doc Wiki is for:

            https://doc.pfsense.org

            And what the book is for ( https://portal.pfsense.org/gold-subscription.php )

            What the forum is good for is a place of discussion where people can take general knowledge and apply it to specific configurations, of which few are rarely the same.

            Information may conflict because different people run their networks different ways. Some environments are stricter than others, and others prefer things easier to manage.

            I would prefer there be fewer sticky posts and more pointers to the wiki, but that's me.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • wcrowder

              I disagree with you KOM.  In today's age most homes can have up to 30 devices connected to the internet. Standard "Walmart" home routers are not up to the task and that is the cause of much of the identity theft and "Malware" infections we read about today in the news.

              A good "Home" pfSense router/firewall running just snort/suricata in blocking mode with pfBlockerNG and the basic "Malware" lists can prevent a GOOD part of the "Malware" and "Hijack" sites out there and will go a long way to keep those devices clean. Snort VRT home subscription is just 29.95 a year. All of this a 15 year old can install.

              It's really funny when one of my friends/family/kids' friends bring their laptops and infected Android phones from their unprotected homes, snort and pfBNG go crazy with alerts, sometimes even making their phones and laptops useless.

              We DO need a simple "Home" setup Wiki page or Youtube video. If most homes ran pfSense, it would put a lot of the "We'll clean your PC" companies out of business.

              Let's picture a large company that would REQUIRE that its employees run a basic "real" firewall setup in their home before their devices can be brought on property. Every home should be running pfSense or something similar.

              @KOM:

              after all pfsense is a HOME firewall.

              Yeah, you kind of lost me here.  pfSense is certainly not what I would consider a personal firewall, although it can certainly be used as one.

              Some information can seem contradictory due to different scenarios or circumstances.  For example, floating rules aren't something you need to worry about just yet.

              I do agree that the forum stickies are a total mess with ancient content going back years.

              • MrGlasspoole

                Yes, there are many scenarios, but I think it would be nice if some users would post their basic home settings
                or there would be some recommendations, for example on stuff like Squid Memory cache size based on RAM.
                I believe for home use the needs between people do not differentiate too much.
                I think there are a lot of people here who have experience on what works best.

                A lot of stuff here is years old and, as fdisk said, if you look around it seems like you need a killer machine.

                • burnsl

                  @fdisk:

                  all pfsense is a HOME firewall. Little things.

                  So no.

                  Our company has several clients using many of these and even in nested configurations across the country.

                  Methinks you are posting angry.

                  Don't post angry.

                  • robi

                    Topics like "New Alix board for 2013" still pinned on top…
                    And we're in 2015...

                    • wcrowder

                      @Fdisk

                      I really think you are over reading. Your hardware is fine if you have two Network ports on the machine. Just do the default install, it installs the rules you need by default.

                      Add the Snort package. Go to snort.org and get a free Oinkmaster code. Add that to "Global Settings" in Snort. Go to the "Updates" tab and click "Update". Add a LAN interface on "Snort Interfaces". On "Lan Settings" click Enable, Block Offenders, Kill States, in "Lan Categories" tab click "Resolve Flow Bits", "Use IPS Policy" and on "IPS Policy Selection" choose "Connectivity". Hit Save.

                      Log into your current wireless router and set it up as an access point. Just Google your router brand and "setup as access point" and follow those instructions there.

                      You now have 100 times the home network security that any commercial "Walmart" router has and a basic "UTM" as you mentioned in your post. Then you can start reading the more in depth posts to add more functionality, or just leave it like it is.

                      PS. If you need help, PM me I'll walk you through it.

                      @fdisk:

                      Like looking at hardware req's I was concerned that my old- dell optiplex 745 duo-core 3ghz, 3gigs ram wouldn't be enough.

                      • Waggles

                        I agree with the OP.  Some of the docs are woefully out of date.  An example would be the minimum hardware requirements.  The hardware listed was becoming obsolete a decade ago.  This does a disservice to potential new users who are trying to get good supported hardware.  From that page, I could assume that my AMD 5350 with 8G RAM could handle any pfSense usage scenario (I doubt it though).

                        It would also be nice to see some basic tutorials walking through a non-trivial home setup.  An example setup would be a pfsense box with a wireless AP and a switch using the Ethernet ports on the pfsense box.  I'd assume this is trivial to set up, but after reading through the forums, I'm no longer sure.

                        The example setup would be
                        Ethernet port 1 - WAN
                        Ethernet port 2 - LAN (switch)
                        Ethernet port 3 - LAN (WAP)
                        Ethernet port 4 - Maybe a DMZ

                        • heper

                          @Waggles

                          Everything is "simple" if you have done something a lot.

                          A master in kung-fu probably thinks it's a piece of cake to catch a fly with chopsticks.
                          An experienced welder can merge 2 pieces of steel together while having a chat with a colleague and checking his phone.

                          So while the documentation might not be perfect, it's not THAT bad compared to some other docs I've read over the years.
                          imho if you learn how to crawl before you try to run the 100m in 10secs, then you'll grow into it.

                          the other option is to pay for a gold subscription and receive the "definitive guide".

                          • jimp Rebel Alliance Developer Netgate

                            @Waggles:

                            Some of the docs are woefully out of date.  An example would be the minimum hardware requirements.  The hardware listed was becoming obsolete a decade ago.

                            The hardware requirements are definitely due for an update, but what other parts of our documentation are "woefully out of date"? I have spent the last 6 months updating every article on the wiki, if something is still outdated on the doc wiki, I'd like to know so it could be fixed.

                            • Waggles

                              Here are some items that are out of date or appear out of date because they conflict with other docs.

                              https://doc.pfsense.org/index.php/What_is_the_best_wireless_card_to_use
                              The link Madwifi Compatibility list is dead.  All the cards seem to stop at 802.11n.  This might be a limitation of FreeBSD.

                              https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used
                              seems out of sync with
                              https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense
                              The first talks about using a bridge to add wifi support, while the other avoids bridges altogether.

                              https://doc.pfsense.org/index.php/How_can_I_increase_the_state_table_size
                              This seems dated because it implies that 1G RAM is huge.  It doesn't seem that high for modern hardware.

                              • Nullity

                                I would be extremely happy if the official documentation could include some explanation similar to this (or a more updated version): https://forum.pfsense.org/index.php?topic=24773.msg129341#msg129341

                                I am personally attempting to simplify the explanation of HFSC's exclusive capabilities, so regular users do not need to resort to reading the HFSC white paper(s), but a "good" writeup is months away… :(
                                (Perhaps a script that calculates m1&d values using standard packet sizes based on a chosen protocol would be easier than explaining HFSC to everyone.)

                                Maybe pfSense should spend time documenting differences from FreeBSD, and otherwise link to FreeBSD/OpenBSD for documentation. No need to reinvent the wheel. Though, I guess pfSense's demographic is different from the full BSD operating systems.

                                :)

                                Please correct any obvious misinformation in my posts.
                                -Not a professional; an arrogant ignoramous.

                                • jimp Rebel Alliance Developer Netgate

                                  @Waggles:

                                  https://doc.pfsense.org/index.php/What_is_the_best_wireless_card_to_use
                                  The link Madwifi Compatibility list is dead.  All the cards seem to stop at 802.11n.  This might be a limitation of FreeBSD.

                                  I fixed that page. (Updated the card we all use internally, removed that dead link)

                                  @Waggles:

                                  https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used
                                  seems out of sync with
                                  https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense
                                  The first talks about using a bridge to add wifi support, while the other avoids bridges altogether.

                                  Those are two COMPLETELY different things. The first is talking about bridging two pfSense interfaces in general, the second is about using an external wireless router not a wireless card, and there isn't even a second interface involved in that second page, so bridging is irrelevant. In that scenario the external wireless router is plugged into the LAN. The two pages are not related in any way.

                                  @Waggles:

                                  https://doc.pfsense.org/index.php/How_can_I_increase_the_state_table_size
                                  This seems dated because it implies that 1G RAM is huge.  It doesn't seem that high for modern hardware.

                                  It's using a simple example there, it doesn't make commentary about how "huge" the RAM is. 1,000,000 states is still huge, regardless of how much RAM is in the box total, and it's a nice round number that makes a good example.

                                  • Waggles

                                    @jimp:

                                    @Waggles:

                                    https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used
                                    seems out of sync with
                                    https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense
                                    The first talks about using a bridge to add wifi support, while the other avoids bridges altogether.

                                    Those are two COMPLETELY different things. The first is talking about bridging two pfSense interfaces in general, the second is about using an external wireless router not a wireless card, and there isn't even a second interface involved in that second page, so bridging is irrelevant. In that scenario the external wireless router is plugged into the LAN. The two pages are not related in any way.

                                    The first page makes much more sense now.  I didn't read it as a WIFI card.  I interpreted it as an Ethernet port connected to a WIFI router.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.