Running EdgeRouter X behind Pfsense
-
@bmeeks Thank you, I tried that but as soon as I enable Snort on the LAN interface I lose my internet connection, so I have to log in through OpenVPN and disable Snort to get my connection back. I think I hurried to upgrade to 2.5 and I'm really ashamed of that. I think the upgrade is the one affecting the connection.
-
@OpenWifi said in Running EdgeRouter X behind Pfsense:
@bmeeks Thank you, I tried that but as soon as I enable Snort on the LAN interface I lose my internet connection, so I have to log in through OpenVPN and disable Snort to get my connection back. I think I hurried to upgrade to 2.5 and I'm really ashamed of that. I think the upgrade is the one affecting the connection.
I did not mention it specifically in my post above, but you must have a NIC whose driver supports netmap. That is currently a somewhat small list. Your NIC driver name in pfSense must be one of the following families or netmap is not likely to work: em, igb, ixgb, ixl, lem, re or cxgbe. You can see the name of your NIC drivers by going to STATUS > INTERFACES in pfSense. The driver name will be shown in the dark header band for each interface. It will show the interface name in pfSense such as LAN and then in parentheses the NIC driver family name.
-
@bmeeks I have 2 WAN interfaces (em0 and rl0) and 1 LAN (re0); will it work?
-
@OpenWifi said in Running EdgeRouter X behind Pfsense:
@bmeeks I have 2 WAN interfaces (em0 and rl0) and 1 LAN (re0); will it work?
The Intel em0 driver should definitely work. That's the one I tested with, in fact. The Realtek re0 driver is also supposed to work, but Realtek NICs and FreeBSD don't have a good working history together. Lots of issues with the Realtek drivers and those NICs have a poor reputation around here. The rl driver is not on the list of supported driver families.
Do you have a dual or quad port Intel NIC you could put in the box and abandon the Realtek ports? Since you have two WAN interfaces (I assume for redundancy), I would not suggest putting a Snort inline instance on either of them (and that rl driver interface would not work anyway).
Do you have another hardware box you could set up separately and test with? Even an old PC lying around that you could put an Intel network card in and just verify things work? That would then help you decide if it would be worth the trouble to reconfigure the hardware in your production setup.
-
@bmeeks As of this moment I do not have an extra Intel NIC (em0), but I could go and purchase one, although they are hard to get in my area. As long as that would enable blocking of the torrents, then I would have no problem purchasing one. Just to clarify, that means the Realtek NIC won't work?
-
@OpenWifi said in Running EdgeRouter X behind Pfsense:
@bmeeks As of this moment I do not have an extra Intel NIC (em0), but I could go and purchase one, although they are hard to get in my area. As long as that would enable blocking of the torrents, then I would have no problem purchasing one. Just to clarify, that means the Realtek NIC won't work?
According to the netmap documentation it is supposed to work, but I'm just saying that Realtek support in general on FreeBSD is not great. Do a search here on the forums for "Realtek" and you will see lots of threads about various Realtek driver problems. So I'm not saying the re0 interface won't work, but it would not be my first choice of NIC to use.
-
@bmeeks Could I reassign the LAN (re) interface for the WAN (em), in case the Realtek doesn't respond?
-
@OpenWifi said in Running EdgeRouter X behind Pfsense:
@bmeeks Could I reassign the LAN (re) interface for the WAN (em), in case the Realtek doesn't respond?
Sure, but that might confuse the existing Snort configuration. If you do that, and don't have a lot invested in the current Snort configuration, I would just delete all the interfaces from the Snort INTERFACES tab before re-assigning interfaces in pfSense.
After you get the interfaces sorted out in pfSense you could create the Snort configuration fresh. Snort uses the NIC driver name for its configuration and logging sub-directories for each interface, so if the driver name changes that will confuse Snort. Deleting the Snort interfaces and creating them again after you finish the NIC shuffle will be better.
-
@bmeeks Thank you. Would that mean that even for packages such as pfBlockerNG, ntopng and OpenVPN I would need to reinstall or change some config?
-
@OpenWifi said in Running EdgeRouter X behind Pfsense:
@bmeeks Thank you. Would that mean that even for packages such as pfBlockerNG, ntopng and OpenVPN I would need to reinstall or change some config?
I can't answer that one with 100% accuracy, but I don't think so. Those packages don't really care about the physical interfaces (at least pfBlockerng does not). Snort and Suricata are a bit different because they must know what's called the "real interface name" in FreeBSD in order to bind to that interface. So you call it WAN, LAN, OPT1, OPT2, etc. in pfSense; but to FreeBSD real interface names are em0, em1, re0, re1, etc. And a VLAN on an interface shows up as a decimal followed by the VLAN ID. Something like em0.10 for a VLAN on interface em0 with a VLAN ID of 10.
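A small pre-flight check, added here as an example and not code from the thread or from the Snort package: it takes FreeBSD "real interface names" as described above (including the em0.10 VLAN form), strips the unit number and VLAN suffix to get the driver family, and reports which interfaces fall outside the netmap-capable families bmeeks listed earlier (em, igb, ixgb, ixl, lem, re, cxgbe) before anyone enables inline mode and loses the connection. The interface names at the bottom are the poster's em0/rl0/re0 plus a constructed VLAN.

```shell
#!/bin/sh
# Driver families bmeeks lists as netmap-capable in this thread.
NETMAP_FAMILIES="em igb ixgb ixl lem re cxgbe"

# driver_family NAME -> prints the driver family.
# Examples: em0.10 -> em, cxgbe1 -> cxgbe, rl0 -> rl
driver_family() {
    # Drop a VLAN suffix such as ".10", then the trailing unit digits.
    base=${1%%.*}
    printf '%s\n' "$base" | sed 's/[0-9]*$//'
}

# netmap_supported NAME -> exit 0 if the family is on the list, else 1.
netmap_supported() {
    fam=$(driver_family "$1")
    for f in $NETMAP_FAMILIES; do
        [ "$f" = "$fam" ] && return 0
    done
    return 1
}

# check_interfaces NAME... -> one line per interface; returns 1 if any
# interface would not work with Snort/Suricata inline (netmap) mode.
check_interfaces() {
    rc=0
    for ifn in "$@"; do
        fam=$(driver_family "$ifn")
        if netmap_supported "$ifn"; then
            echo "$ifn: driver family '$fam' supports netmap"
        else
            echo "$ifn: driver family '$fam' NOT on the netmap list; keep legacy mode or use another NIC"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: the poster's NICs plus a VLAN on em0.
check_interfaces em0 rl0 re0 em0.10 || echo "at least one interface is unsuitable for inline IPS"
```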
-
I have to say I would swap out that rl NIC if you possibly can. It will almost certainly cause you headaches in the future.
https://github.com/freebsd/freebsd/blob/master/sys/dev/rl/if_rl.c#L48
Steve