Netgate Discussion Forum
    Evaluating PFSense and Best Practices

    General pfSense Questions
    scarja

      Hello everyone,
      We are evaluating the use of pfSense in our company. I downloaded and ran a quick install to have a look at it; we won't move to gold memberships until we are sure it is what we want/need.

      Our requirements are:
      1. Company firewall
      2. VPN server
      3. Transparent proxy with active directory user log

      I think 1 is just a question of configuration and not a big problem.

      For 2 we would like to have a VPN configuration that is compatible with all the standard VPN features you can find in an OS (all of Windows, macOS, iOS, Android etc. have a VPN configuration menu). Up to now we haven't been able to use VPN with anything but Windows, as we are using the Cisco VPN client with a Cisco ASA 5510.

      For 3 we would like to have a transparent proxy to avoid the annoying problem of having to configure proxy parameters on client PCs. But we require logging of all internet traffic using IP + Active Directory user name. We would also like it to (if possible) authenticate through NTLM or similar; we don't want pop-ups asking for authentication. As far as I can see, with the squid proxy package we can enable a transparent proxy, but then the authentication features become disabled. We aren't that bothered about authentication (everyone accesses the internet in the end), but we want to log who does what with the Active Directory username.

      Can we fulfil our requirements using pfSense? Is all of this "pfSense best practice"?

      Thank you,
      James

        kejianshi

        First 2, yes for sure. The 3rd, I never tried.

          chris4916

          @scarja:

          3. Transparent proxy with active directory user log

          …/...

          For 3 we would like to have a transparent proxy to avoid the annoying problem of having to configure proxy parameters on client PCs. But we require logging of all internet traffic using IP + Active Directory user name. We would also like it to (if possible) authenticate through NTLM or similar; we don't want pop-ups asking for authentication. As far as I can see, with the squid proxy package we can enable a transparent proxy, but then the authentication features become disabled. We aren't that bothered about authentication (everyone accesses the internet in the end), but we want to log who does what with the Active Directory username.

          This doesn't work, will never work, and is not related to pfSense.

          Transparent proxy means "no user-related information", meaning also no link or possible relationship with Active Directory.

          If you do need to deal with any user-related information, whether it be logging, profiling, group membership or whatever, then the proxy must be explicit.
          The technical solution to your concern about proxy configuration on the client side is WPAD  8)

          Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

            muswellhillbilly

            @chris4916:

            The technical solution to your concern about proxy configuration on the client side is WPAD  8)

            Or use a proxy.pac file for the same purpose (auto client configuration). We use this at my office (230 users) and it works fine.

              chris4916

              @muswellhillbilly:

              @chris4916:

              The technical solution to your concern about proxy configuration on the client side is WPAD  8)

              Or use a proxy.pac file for the same purpose (auto client configuration). We use this at my office (230 users) and it works fine.

              To be more accurate:
              this is not WPAD *or* proxy.pac.

              WPAD does nothing more than provide, in a (more or less) standard way, access to… proxy.pac.

              The WPAD RFC (unfortunately still a draft as far as I know) describes how to push to devices the information that will permit them to load and use the proxy.pac file.

              Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

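The two posts above (muswellhillbilly's proxy.pac suggestion and chris4916's clarification that WPAD is only the delivery mechanism for that file) both come down to one artifact: the PAC file itself. The block below is an added example, not code from the thread or from the pfSense project. It is a complete proxy.pac that sends unqualified names, the internal DNS domain and literal private addresses DIRECT, and everything else through an explicit proxy, which is the configuration that lets the proxy see (and log) an authenticated user as the thread explains. The names are assumptions: `proxy.corp.example:3128` for the explicit proxy, `corp.example` for the internal domain, and the RFC 1918 ranges for internal networks. It deliberately avoids the browser-provided PAC helpers (`isInNet`, `dnsDomainIs`) and uses plain JavaScript, so the same file runs unchanged under Node for testing.

```javascript
// proxy.pac (added example, not from the thread). Served to clients directly as
// proxy.pac, or by WPAD as http://wpad.<domain>/wpad.dat; the browser calls
// FindProxyForURL(url, host) for every request and obeys the returned string.
//
// Assumed names (not from the thread):
//   proxy.corp.example:3128 -> explicit proxy where users are authenticated and logged
//   corp.example            -> internal DNS domain, reached without the proxy
//   INTERNAL_NETS           -> internal address space, reached without the proxy
var PROXY = "PROXY proxy.corp.example:3128";
var INTERNAL_DOMAIN = ".corp.example";
var INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];

// Dotted IPv4 string -> unsigned 32-bit number, or null if the host is not a literal IPv4.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if `host` is a literal IPv4 address inside the CIDR block `cidr`.
function ipInCidr(host, cidr) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  var parts = cidr.split("/");
  var net = ipv4ToInt(parts[0]);
  var bits = parseInt(parts[1], 10);
  // JS shifts are mod 32, so a /0 mask must be special-cased; >>> 0 keeps it unsigned.
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((net & mask) >>> 0);
}

// True for "intranet"-style names without a dot and for names under the internal domain.
function isInternalHost(host) {
  if (host.indexOf(".") === -1) return true;
  if (host === INTERNAL_DOMAIN.slice(1)) return true;
  return host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN;
}

// Entry point the browser's PAC engine calls.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isInternalHost(host)) return "DIRECT";
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (ipInCidr(host, INTERNAL_NETS[i])) return "DIRECT";
  }
  // No "; DIRECT" fallback: a fallback would let clients bypass the proxy, and
  // with it the per-user logging, whenever the proxy is unreachable.
  return PROXY;
}
```

Two practical checks go with this file. First, the PAC only steers well-behaved clients; to make the "log all internet traffic" requirement hold, the firewall should block direct outbound 80/443 from the LAN so that the explicit proxy is the only way out. Second, WPAD discovery (the `wpad` DNS name and DHCP option 252) is answered by whoever owns those names on the network, so register the `wpad` host in your own DNS and serve the file with content type `application/x-ns-proxy-autoconfig` rather than leaving the lookup unanswered.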
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.