Evaluating PFSense and Best Practices



  • Hello everyone,
    We are evaluating the use of PFSense in our company. I downloaded and ran a quick install to have a look at it; we won't pass to gold memberships until we are sure it is what we want/need.

    Our requirements are:
    1. Company firewall
    2. VPN server
    3. Transparent proxy with active directory user log

    I think 1 is just a question of configuration and not a big problem.

    For 2 we would like to have a VPN configuration that is compatible with all the standard VPN features you can find in an OS (all Windows, MacOS, iOS, Android etc. have a VPN configuration menu). Up to now we haven't been able to use VPN with anything but Windows, as we are using the Cisco VPN client with a Cisco ASA 5510.

    For 3 we would like to have a transparent proxy to avoid the annoying problem of having to configure proxy parameters on client PCs. But we require to log all internet traffic using IP + Active Directory user name. We would also like it to (if possible) authenticate through NTLM or similar; we don't want pop-ups asking for authentication. As far as I can see, with the squid proxy package we can enable a transparent proxy, but then the authentication features become disabled. We aren't that bothered about authentication (anyone accesses the internet in the end), but we want to log who does what with the Active Directory username.

    Can we fill our requirements using PFSense? Is all of this "PFSense best practice"?

    Thank you,
    James



  • First 2, yes for sure.  The 3rd, I never tried.



  • @scarja:

    3. Transparent proxy with active directory user log

    …/...

    For 3 we would like to have a transparent proxy to avoid the annoying problem of having to configure proxy parameters on client PCs. But we require to log all internet traffic using IP + Active Directory user name. We would also like it to (if possible) authenticate through NTLM or similar; we don't want pop-ups asking for authentication. As far as I can see, with the squid proxy package we can enable a transparent proxy, but then the authentication features become disabled. We aren't that bothered about authentication (anyone accesses the internet in the end), but we want to log who does what with the Active Directory username.

    This doesn't work and will never work, and it is not related to pfSense.

    Transparent proxy means "no user related information", meaning also no link or possible relationship with Active Directory.

    If you do need to deal with any user related information, be it logging, profiling, group membership or whatever, then the proxy must be explicit.
    Technical solution to your concern with proxy configuration client side is WPAD  8)



  • @chris4916:

    Technical solution to your concern with proxy configuration client side is WPAD  8)

    Or use a proxy.pac file for the same purpose (auto client configuration). We use this at my office (230 users) and it works fine.



  • @muswellhillbilly:

    @chris4916:

    Technical solution to your concern with proxy configuration client side is WPAD  8)

    Or use a proxy.pac file for the same purpose (auto client configuration). We use this at my office (230 users) and it works fine.

    To be more accurate:
    this is not WPAD or proxy.pac

    WPAD does nothing more than providing in a (more or less) standard way access to… proxy.pac

    The WPAD RFC (unfortunately still a draft as far as I know) describes how to push to devices the information that will permit them to load and use a proxy.pac file.
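As an added illustration of the proxy.pac file that WPAD (or a manual auto-config URL) points clients to, here is an example that is not from this thread or from pfSense: it sends all external web traffic through an explicit proxy, which is what lets the proxy see which user made each request, while keeping intranet traffic off the proxy. The domain `corp.example`, the proxy address `proxy.corp.example:3128` and the internal ranges are assumed placeholders; the helper functions are normally supplied by the browser and are shimmed here only so the file can be tested outside a browser.

```javascript
// proxy.pac: browsers call FindProxyForURL(url, host) for every request.
// Assumed names: corp.example (internal AD domain), proxy.corp.example:3128.

// Shims for the helpers a browser provides to PAC scripts, so this file can
// also be loaded and unit-tested under Node. Browsers ignore redefinitions
// that match the built-in behaviour.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(ip, net, mask) {
  // Dotted quad -> unsigned 32-bit integer.
  var toInt = function (a) {
    return a.split(".").reduce(function (n, o) { return (n << 8) + Number(o); }, 0) >>> 0;
  };
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

function FindProxyForURL(url, host) {
  // Bare hostnames and the internal AD domain are reached directly.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Literal IPv4 addresses inside the assumed internal ranges bypass the proxy.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Everything else goes through the explicit proxy, where per-user
  // authentication and logging can happen. No "; DIRECT" fallback: a
  // fallback would let requests slip past the logging proxy unnoticed, so
  // direct egress should instead be blocked at the firewall.
  return "PROXY proxy.corp.example:3128";
}
```

Serve the file from a web server at the URL your WPAD DHCP option or DNS entry advertises; the firewall rules that block direct outbound HTTP/HTTPS from client networks are what make the explicit proxy unavoidable.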