    PPPoE and pfSense as transparent firewall

    General pfSense Questions
    newbie16:

      Hello All,

      I am new to pfSense.  I was originally thinking of using an Edgerouter Lite for my needs, but I read it doesn't support transparent firewall.  Now I am checking if pfSense meets my needs.

      I have Comcast internet PPPoE.  I want to use pfSense as a transparent firewall because I want to leave the other hardware in my home setup undisturbed where I can put pfSense as man-in-the-middle to inspect and filter traffic at will.  I have two basic use scenarios.  I don't want to use double/multi NAT.

      1. [Comcast internet]–[pfSense HW]–[WiFi router]–[home PCs]
      2. [Comcast internet]–[WiFi router]–[pfSense HW]–[IOT like SmartHome hub]

      In scenario 1, the bandwidth through pfSense HW will be less than 100/100 Mbps (DL/UL).  I don't plan to use VPN.

      My goals are to use IDS/IPS (snort/suricata) and web proxy filtering (goal not for caching) (squid/squidGuard) and pfBlockerNG.  I want to analyze the traffic and filter unwanted traffic.  I think my WiFi router phones home.  I am curious what information or how much information may be sent to whom, since it is cloud based Eero.

      Secondary question is whether SG-2220 would be sufficient hardware?

      Thank you.

      javcasta:

        Hi

        @newbie16:

        Secondary question is whether SG-2220 would be sufficient hardware?

        SG-2220:
        Storage 4GB eMMC Flash on board
        RAM 2GB DDR3L

        If you want Snort + Squid/SquidGuard + pfBlockerNG you need (my opinion): >= 20GB storage and >= 4GB RAM.

        Regards.

        Javier Castañón
        Communications, support and systems technician.

        My website: https://javcasta.com/

        Scripting/pfSense support: https://javcasta.com/soporte/

        newbie16:

          Hi Javcasta,

          Thank you for the memory recommendation for the packages I am interested in.

          Do you or anyone else know if pfSense in transparent firewall mode prevents the function of snort/suricata + squid/squidGuard + pfBlockerNG?

          The IP address of the pfSense HW will be on the LAN (inward facing interface), no IP address on the outward side interface.

          Thank you.

          javcasta:

            Hi

            I have never implemented a transparent firewall with pfSense, I do not know :)

            Maybe these guides help you:

            https://community.spiceworks.com/topic/479720-pfsense-transparent-firewall-setup-guide
            https://forum.pfsense.org/index.php?topic=50711.0

            Regards.


            Guest:

              1. [Comcast internet]–[pfSense HW]–[WiFi router in AP mode]–[home PCs]

              In scenario 1, the bandwidth through pfSense HW will be less than 100/100 Mbps (DL/UL).  I don't plan to use VPN.

              I don't know if Comcast is selling you a pure modem or how the Internet is brought into your house, but I would go the first way and switch the WLAN router into WLAN AP mode.

              My goals are to use IDS/IPS (snort/suricata) and web proxy filtering (goal not for caching) (squid/squidGuard) and pfBlockerNG.

              The SG-2440 will be more than sufficient to realize all that, and a small 64 GB mSATA will serve the rest of your wishes.

              I want to analyze the traffic and filter unwanted traffic.  I think my WiFi router phones home.  I am curious what information or how much information may be sent to whom, since it is cloud based Eero.

              Wireshark is your friend here, in combination with a small Netgear GS105E or GS108E with a mirrored port for sniffing that traffic.

              Secondary question is whether SG-2220 would be sufficient hardware?

              I would go for the SG-2440; this is a little bit stronger than the SG-2220 in my eyes.

              Please don't get me wrong here at this point, but you will also be lucky with the:
              Jetway NF9HG-2930 ~$200 (amazon.com)
              mSATA 64 GB ~$50
              8 GB RAM ~$40
              M350 case ~$40
              external PSU ~$15

              In total ~$345 (€), more RAM, and in my eyes a little more snappy.
              Will be the best bet if you have the money and are able or willing to spend it for that firewall.
              But if later the VPN point comes into the game, you should also be right sorted with the SG-2440.

              javcasta:

                Hi.

                Interesting :)

                @BlueKobold:

                Jetway NF9HG-2930 ~$200 (amazon.com)
                mSATA 64 GB ~$50
                8 GB RAM ~$40
                M350 case ~$40
                external PSU ~$15

                In total ~$345 (€), more RAM, and in my eyes a little more snappy.
                Will be the best bet if you have the money and are able or willing to spend it for that firewall.
                But if later the VPN point comes into the game, you should also be right sorted with the SG-2440.

                Regards


                Guest:

                  Salute Javier,

                  My goals are to use IDS/IPS (snort/suricata) and web proxy filtering (goal not for caching) (squid/squidGuard)

                  Based on those needs I was thinking the SG-2220 is too small and not powerful enough, or
                  comes with too little storage. And the lack of AES-NI, if this is not really a big thing,
                  would also be matching for the Jetway board, but the Jetway board is able to route nearly
                  1 GBit/s at the WAN interface! You are able to build a small UTM device for a small company
                  with that board!

                  javcasta:

                    Hi.

                    One interesting box.

                    Quad-core, 8GB RAM, 32GB SSD, 4 GbE ethernet ports
                    2016 Firewall Micro Appliance With 4x Gbe Intel Lan Ports for PFSense 8G RAM 32G storage : $227.00 + $33.24 shipping
                    https://www.amazon.com/gp/product/B01K2L3FYO/ref=ox_sc_act_title_1?ie=UTF8&psc=1&smid=ALPYNZEJ0WG1A

                    Regards.

