Netgate Discussion Forum

    Can someone explain this to me?

    General pfSense Questions
    • Guest

      I posted about this last week in the NAT forums but am still waiting for a response. I'm sorry for being a noob but I'm encountering a huge choking off of internet traffic and I am hoping someone can explain why. Essentially, I get the box set up with DNS, DHCP, NTP and snort and let it run a little bit to settle; a past poster told me once to start small so this constitutes my starting baseline. My goal for the unit is to add OpenAPP Preproc, WAN IP Rep to snort and either PfBlockerNG or Squid. Without these additions, pfsense runs flawlessly, but as soon as I add any one of the packages and configure them, the internet chokes out over a period of a few hours, but I don't see anything abnormal going on with the box itself. Memory and CPU usage seem normal and the logs don't appear excessive in size, so I give it a reboot, and as soon as pfsense comes back online, the internet is fine for about 2 minutes until choking out again. Is it possible that something is conflicting or not configured properly when I add any of the packages? At first I thought it was a combination of all the add-on packages I wanted to install, but due to trial and error, if I add any single one of them and configure it, I get the slowdown.

      Anyhow, I'm happy to go through all my settings if anyone can assist me.

      Thanks in advance.

      • heper

        most packages don't act up when they are in their default state (=not configured).
        snort & pfblocker have somewhat of a learning curve and can possibly cause disruption of your interwebs.

        personally i would start with a clean system. see if that works reliably. add one package at a time & keep track of what you do/want to do. then ask why setting x or y doesn't get the intended result.

        • Guest

          What hardware are you using? (CPU, RAM, storage, NICs, MoBo,…)
          What pfSense version are you using?
          Are you using the NanoBSD version on a USB pen drive?
          What is your storage? (SSD, mSATA, HDD, USB stick, eMMC, SD card, CF card,...)
          Squid and Snort are not really "set it up and forget it" packages; they can be really hard to fine-tune,
          and depending on this configuration your pfSense box will be slowed down more or less too.
          And pfSense itself can also be fine-tuned to match the hardware.

          • Guest

            Here are a few screens from my current system. It was thrown together over a year ago from used parts. The hard drive is a 1TB 7200 Barracuda. I'm building a new one tomorrow when the motherboard comes in. It will consist of an Intel DQ77KB motherboard, Intel Celeron G1610 CPU, 8GB Kingston SODIMM, 120 Samsung 840 EVO Pro SSD, Dynatron t459 CPU cooler, iStarUSA 1U D-118V2-ITX server chassis. I'm considering adding a Dell iDRAC 5 card for remote management but I'm not sure it will work.

            For my current system you can see the components in the attached screens.

            Picture1.png
            Picture2.png

            • Guest

              By the way, I revised my first paragraph. I typed it originally using my phone and it read terribly. Please take a read over the revisions.

              • BBcan177 Moderator

                For pfBlockerNG and Snort, anything that gets blocked will be reported in the 'Alerts' Tab. You need to review these Alerts tabs to remove any false positives.

                Snort should be initially set up in 'non-blocking' mode. This way it will still report its activity to the Alert tab, but it will not block anything. This can be defined in the 'Global Settings' Tab. Once you run snort for a few weeks, you can tune the Rules so that they are appropriate for your network. Then you can enable 'Blocking Mode'.

                As said above, start with the base system debugging, then add one package at a time or you can chase your tail, unless you're more comfortable with debugging the issues….

                You can see the following threads for some additional details:

                https://forum.pfsense.org/index.php?topic=102470.0
                https://forum.pfsense.org/index.php?topic=86212.0
                https://forum.pfsense.org/index.php?topic=78062.0

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                • Guest

                  Got my new build up and running. Just posted a few photos as well. I used my baseline backup to install and get this new system up. I'm gonna tear into your suggestions tomorrow evening.

                  • Guest

                    @BBcan177:

                    For pfBlockerNG and Snort, anything that gets blocked will be reported in the 'Alerts' Tab. You need to review these Alerts tabs to remove any false positives.

                    Snort should be initially set up in 'non-blocking' mode. This way it will still report its activity to the Alert tab, but it will not block anything. This can be defined in the 'Global Settings' Tab. Once you run snort for a few weeks, you can tune the Rules so that they are appropriate for your network. Then you can enable 'Blocking Mode'.

                    As said above, start with the base system debugging, then add one package at a time or you can chase your tail, unless you're more comfortable with debugging the issues….

                    You can see the following threads for some additional details:

                    https://forum.pfsense.org/index.php?topic=102470.0
                    https://forum.pfsense.org/index.php?topic=86212.0
                    https://forum.pfsense.org/index.php?topic=78062.0

                    By chance do you have a good advanced guide for setting up DNS, DHCP as well as overall system tuning?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.