Netgate Discussion Forum
General pfSense Questions

PfSense and Ubiquiti
Smoothrunnings

I am sorry to hear that your USG-3P couldn't handle your internet. My work friends own the USG-3P; I actually make fun of them for not owning the Pro, saying they aren't "PRO" enough! Anyhow, one of them has Rogers Gbit fiber internet; granted, switches max out at 1 Gbit/sec, but he doesn't have any problems getting close to those speeds.

In the past, when pfSense was version 2.3.x, I was talking to a guy on the USG forum who was trying to do what I am still looking to do. He found that pfSense wasn't very good at it at the time and the only other firewall software that worked best was Sophos XG, which he said was a walk in the park compared to doing it with pfSense. Now that we are on 2.4.x, and I have invested in my WatchGuard XTM 5 (put a faster CPU and 8GB of RAM in it), I would like to keep it a bit longer if that's possible. I have looked at the Sophos XG documentation and, for what I use pfSense for right now, setting it up on the Sophos looks much easier than what I had to go through to get it set up this way. lol

I appreciate your offer on the USG-3P but it's not PRO enough for me. :P

And yes, DPI is one of the things I am interested in, and possibly VPN… but that's another project down the road.

Thanks,
johnpoz (LAYER 8 Global Moderator)

The usg-3p could handle the 500/50 fine as long as it didn't turn on the shaping, which turns off the hardware offload.. If you left hardware offload on it handled the 500 without any issue..

If you want dpi, then just install the ntop package; all the dpi you could want ;)  And pfsense also has layer 7 filtering back… with the snort package..
https://www.netgate.com/blog/application-detection-on-pfsense-software.html

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
Smoothrunnings

@johnpoz:

The usg-3p could handle the 500/50 fine as long as it didn't turn on the shaping, which turns off the hardware offload.. If you left hardware offload on it handled the 500 without any issue..

If you want dpi, then just install the ntop package; all the dpi you could want ;)  And pfsense also has layer 7 filtering back… with the snort package..
https://www.netgate.com/blog/application-detection-on-pfsense-software.html

It's not the same, I already have it installed. And I already have Ubiquiti gear in my environment.

My environment now. The main switch is on the backside and the UAPs are in the ceiling.
https://youtu.be/w8LTeGWgU8w
johnpoz (LAYER 8 Global Moderator)

I have unifi gear as well, I have 3 AC APs in my home.. Love 'em… But the dpi info is just some eye candy, there was nothing of actual use there in tracking down anything to be honest.. ok client X did 2.3GB of data type XYZ..  When and to where exactly would be very useful... I didn't see that sort of breakdown

From what I was reading, though, there was a way to put the usg, be it the 3p or the pro models, in monitor mode for the dpi info..  Wouldn't you be able to just span a port to it on your switch if you wanted it to report on traffic type, etc.?

As to vpn - hands down this is just clickity clickity in pfsense to setup.. be it server or client.. and policy routing using or not using client vpn, again click click..

If you gave some exact details of how you want to leverage the unifi, I'd be happy to discuss..
Smoothrunnings

What do you know about setting up pfSense 2.4.2 VPN (OpenVPN) using Windows 2016 NPAS for RADIUS?

I tried it once already and it didn't work out well.

Thanks,
Derelict (LAYER 8 Netgate)

Works fine.

If you can successfully authenticate using Diagnostics > Authentication you should be able to leverage that server with OpenVPN.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
Smoothrunnings

Is there a good walkthrough for setting it up?

The stuff I have seen pre-dates pfSense 2.3.x and Server 2008.
Derelict (LAYER 8 Netgate)

Everyone's AD is different enough that making a walkthrough is pretty much useless.

General stuff though:

Create a RADIUS client in NPS for the pfSense source address and password.

Set up a RADIUS Authentication server pointing to that.
johnpoz (LAYER 8 Global Moderator)

How many vpn users will you have that using radius to auth makes sense?  This is not a home setup I take it then?  Yeah Derelict is right, what does the diagnostics auth section tell you?
Smoothrunnings

@johnpoz:

How many vpn users will you have that using radius to auth makes sense?  This is not a home setup I take it then?  Yeah Derelict is right, what does the diagnostics auth section tell you?

I think I need to take a break from this forum. Instead of telling me what I want or what I should do, you should offer to help me get there. This isn't directed at only you (Johnpoz) but at everyone who has contributed to this thread telling me what I want or should do. I have found myself having to fight a battle here which I shouldn't have to do.

Thanks,
johnpoz (LAYER 8 Global Moderator)

Good luck then.. But you have not actually asked a question that one can just answer..  Other than can you put your unifi in front of pfsense.. Sure, do that - do it via double nat, or turn off nat in pfsense and set up a transit to the pfsense wan from your unifi router, be it the pro line or the usg, etc.  Personally I do not get what that gets you exactly?  And it seems more like a discussion on how you can integrate unifi with pfsense - but without some specifics on that integration it seems more of a discussion.

This is not really an ask a question, get an answer forum. This is a discussion forum, not an interface for your support tickets ;)  If you want such support, open a ticket with pfsense using your support subscription.

Not sure what openvpn auth to windows AD has to do with unifi as an example discussion..

The ntopng info is vastly more useful than the eye candy the dpi gives in unifi..  How exactly are you trying to integrate your unifi with pfsense?  I'd be more than happy to answer that specific question - but so far there has not been a specific question to answer from my take.. It's a discussion..

Do you really need specific help putting pfsense behind a usg - it would work out of the box in a double nat setup, just like putting pfsense behind any other sort of nat router..  Do you need help on creating a transit network between your edge usg doing nat, and turning off pfsense from doing nat?  The problem with the nat option is your dpi info would just show the pfsense wan IP doing all the traffic.
Derelict (LAYER 8 Netgate)

Yeah I am not exactly sure what OP expects to happen here. A complete AD authentication design consultation from a forum member?

• Enable NPS in AD
• Create an NPS client for pfSense
• Create a RADIUS authentication instance in pfSense
• Test in Diagnostics > Authentication - get it working there.
• Enable that for OpenVPN.
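The NPS steps Derelict lists come down to one RADIUS Access-Request/Access-Accept exchange between pfSense (the RADIUS client, or NAS) and NPS, which is what the Diagnostics > Authentication test exercises. The Python below is an added example, not code from this thread, pfSense or NPS: it models that exchange offline per RFC 2865, encoding the PAP User-Password with the shared secret, building the request, producing the server's reply, and validating the Response Authenticator on the client side. The shared secret, username, password and NAS address are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def encode_pap_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 s5.2: zero-pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    raw = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(raw), 16):
        prev = bytes(a ^ b for a, b in zip(raw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> str:
    # Server side (NPS); only recovers the password if both ends share the same secret
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")

def _attr(atype: int, value: bytes) -> bytes:
    # Type-Length-Value attribute; the length covers the two header bytes too
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident, authenticator, user, password, secret, nas_ip):
    # Client side (pfSense as NAS): User-Name, User-Password, NAS-IP-Address (the RADIUS client IP)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(ident, request_authenticator, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def response_is_authentic(response, request_authenticator, secret):
    # Client side: a reply failing this check is spoofed or was signed with a different secret
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

In a live check the Request Authenticator must be 16 fresh random bytes per request and the packet goes over UDP to the NPS server; a mismatched shared secret shows up as a reply that fails response_is_authentic, or as NPS rejecting the request, which is the same failure Diagnostics > Authentication reports.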
mikeisfly

LDAP works with OVPN too.
robi

@Derelict:

Yeah I am not exactly sure what OP expects to happen here. A complete AD authentication design consultation from a forum member?

The main point was this sentence:

I actually make fun of them not owning the Pro saying they aren't "PRO" enough!

He wants to make a "PRO" looking thing to be able to boast to his friends. This whole topic and OP has nothing to do with real issues and solutions.
If somebody can't understand (including friends) that pfSense is more "PRO" than anything containing "PRO" in its name, let them go…
johnpoz (LAYER 8 Global Moderator)

Ah, so he wants to brag to his buds: hey I run "pro" usg and pfsense - so I am extra "pro" hehe

Think you hit it on the head..
robi

That's why I'll never, ever buy a BMW.  8)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.