PPPoE and pfSense as transparent firewall



  • Hello All,

    I am new to pfSense.  I was originally thinking of using an EdgeRouter Lite for my needs, but I read it doesn't support transparent firewall.  Now I am checking if pfSense meets my needs.

    I have Comcast internet via PPPoE.  I want to use pfSense as a transparent firewall because I want to leave the other hardware in my home setup undisturbed, placing pfSense as a man-in-the-middle to inspect and filter traffic at will.  I have two basic use scenarios.  I don't want to use double/multi NAT.

    1. [Comcast internet]–[pfSense HW]–[WiFi router]–[home PCs]
    2. [Comcast internet]–[WiFi router]–[pfSense HW]–[IOT like SmartHome hub]

    In scenario 1, the bandwidth through pfSense HW will be less than 100/100 Mbps (DL/UL).  I don't plan to use VPN.

    My goals are to use IDS/IPS (snort/suricata), web proxy filtering (the goal is not caching) (squid/squidGuard) and pfBlockerNG.  I want to analyze the traffic and filter unwanted traffic.  I think my WiFi router phones home.  I am curious what information, or how much information, may be sent to whom, since it is a cloud-based Eero.

    Secondary question is whether the SG-2220 would be sufficient hardware?

    Thank you.



  • Hi

    @newbie16:

    Secondary question is whether the SG-2220 would be sufficient hardware?

    SG-2220:
    Storage 4GB eMMC Flash on board
    RAM 2GB DDR3L

    If you want Snort + Squid/SquidGuard + pfBlockerNG you need (my opinion) >= 20GB storage and >= 4GB RAM.

    Regards.



  • Hi Javcasta,

    Thank you for the memory recommendation for the packages I am interested.

    Do you or anyone else know if pfSense in transparent firewall mode prevents snort/suricata + squid/squidGuard + pfBlockerNG from working?

    The IP address of the pfSense HW will be on the LAN (inward facing interface), no IP address on the outward side interface.

    Thank you.



  • Hi

    I have never implemented a transparent firewall with pfSense, i do not know :)

    Maybe these guides help you:

    https://community.spiceworks.com/topic/479720-pfsense-transparent-firewall-setup-guide
    https://forum.pfsense.org/index.php?topic=50711.0

    Regards.



    1. [Comcast internet]–[pfSense HW]–[WiFi router in AP mode]–[home PCs]

    In scenario 1, the bandwidth through pfSense HW will be less than 100/100 Mbps (DL/UL).  I don't plan to use VPN.

    I don't know whether Comcast is selling you a pure modem or how the Internet is brought into your house, but
    I would go the first way and switch the WLAN router into WLAN AP mode.

    My goals are to use IDS/IPS (snort/suricata), web proxy filtering (the goal is not caching) (squid/squidGuard) and pfBlockerNG.

    The SG-2440 will be more than sufficient to realize all of that, and a small 64 GB mSATA will serve
    the rest of your wishes.

    I want to analyze the traffic and filter unwanted traffic.  I think my WiFi router phones home.  I am curious what information or how much information maybe sent to who, since it is cloud based Eero.

    WireShark is here your friend in combination with a small Netgear GS105E or GS108E with a mirrored port
    for sniffing for that traffic.

    Secondary question is whether the SG-2220 would be sufficient hardware?

    I would go for the SG-2440; this is a little bit stronger than the SG-2220 in my eyes.

    Please don't get me wrong at this point, but you will also be happy with the:
    Jetway NF9HG-2930 ~$200 (amazon.com)
    mSATA 64 GB ~$50
    8 GB RAM ~$40
    M350 case ~$40
    external PSU ~$15

    in total ~$345 (€), more RAM and in my eyes a little snappier.
    Will be the best bet if you have the money and will be able or willing to spend it for that firewall.
    But if later the VPN point comes into the game you should also be well sorted with the SG-2440.
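To turn a mirrored-port capture into an answer about who the router talks to, here is an added example in Python that is not from this thread, from pfSense or from Eero. It reads the text output of tcpdump (the assumed format is what `tcpdump -nn -tt -q` prints, optionally with a PPPoE session prefix; both are assumptions, check your own tcpdump output), aggregates payload bytes per remote endpoint for the router's public IP, and flags endpoints that are still contacted during a window when no client devices were attached. That idle window matters because on the WAN side of a NAT router the router's own phone-home traffic and the client traffic it forwards share one source address. The router IP, the idle window and the sample lines are constructed for the example.

```python
# Added example: summarize a WAN-side mirror-port capture of a home router.
# Input format (assumed): "tcpdump -nn -tt -q" text lines, optionally with a
# PPPoE session prefix. Lengths are payload lengths as tcpdump -q prints them.
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) "
    r"(?:PPPoE \[ses 0x[0-9a-fA-F]+\] )?IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:tcp (?P<tcplen>\d+)|UDP, length (?P<udplen>\d+))"
)


@dataclass
class Flow:
    packets: int = 0
    bytes_out: int = 0      # payload bytes sent from the router's public IP
    bytes_in: int = 0       # payload bytes received by it
    idle_packets: int = 0   # packets seen while no client device was attached


def parse_line(line):
    """Return (ts, src, sport, dst, dport, proto, length), or None if not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("tcplen") is not None:
        proto, length = "tcp", int(m.group("tcplen"))
    else:
        proto, length = "udp", int(m.group("udplen"))
    return (float(m.group("ts")), m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), proto, length)


def summarize(lines, router_ip, idle_windows=()):
    """Aggregate traffic to/from router_ip per remote (ip, port, proto).

    idle_windows is a list of (start, end) epoch pairs during which no client
    devices were attached; packets inside them are counted in idle_packets.
    """
    flows = defaultdict(Flow)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue        # banners, ARP, anything the regex does not cover
        ts, src, sport, dst, dport, proto, length = rec
        if src == router_ip:
            key, outbound = (dst, dport, proto), True
        elif dst == router_ip:
            key, outbound = (src, sport, proto), False
        else:
            continue        # not the router's address, e.g. a stray LAN frame
        f = flows[key]
        f.packets += 1
        if outbound:
            f.bytes_out += length
        else:
            f.bytes_in += length
        if any(start <= ts <= end for start, end in idle_windows):
            f.idle_packets += 1
    return dict(flows)


def phone_home_candidates(flows):
    """Endpoints contacted with no clients attached, most talkative first."""
    return sorted((k for k, f in flows.items() if f.idle_packets > 0),
                  key=lambda k: (-flows[k].bytes_out, k))


# Constructed sample: router public IP 203.0.113.10 (assumed), a client
# browsing 192.0.2.80 at t=1000, and traffic that continues at t=1300
# inside the idle window 1200..1400. Two lines carry a PPPoE prefix.
ROUTER_IP = "203.0.113.10"
IDLE_WINDOWS = [(1200.0, 1400.0)]
SAMPLE = """\
1000.000000 IP 203.0.113.10.41000 > 192.0.2.80.443: tcp 517
1000.050000 IP 192.0.2.80.443 > 203.0.113.10.41000: tcp 1400
1005.000000 PPPoE [ses 0x12] IP 203.0.113.10.41001 > 198.51.100.5.443: tcp 320
1005.100000 PPPoE [ses 0x12] IP 198.51.100.5.443 > 203.0.113.10.41001: tcp 210
1300.000000 IP 203.0.113.10.41002 > 198.51.100.5.443: tcp 330
1300.100000 IP 198.51.100.5.443 > 203.0.113.10.41002: tcp 200
1301.000000 IP 203.0.113.10.51234 > 192.0.2.53.53: UDP, length 48
1301.020000 IP 192.0.2.53.53 > 203.0.113.10.51234: UDP, length 96
this line is not a packet and is ignored
"""


def demo():
    flows = summarize(SAMPLE.splitlines(), ROUTER_IP, IDLE_WINDOWS)
    return flows, phone_home_candidates(flows)


if __name__ == "__main__":
    flows, candidates = demo()
    for ip, port, proto in candidates:
        f = flows[(ip, port, proto)]
        print(f"{ip}:{port}/{proto} out={f.bytes_out} in={f.bytes_in} "
              f"pkts={f.packets} idle_pkts={f.idle_packets}")
```

Feed it a real capture with `tcpdump -nn -tt -q -i <mirror-port> ip > capture.txt` and pass the file's lines to `summarize`; endpoints returned by `phone_home_candidates` are the ones to look up and, if unwanted, to block on the firewall in front of the router.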



  • Hi.

    Interesting :)

    @BlueKobold:

    Jetway NF9HG-2930 ~$200 (amazon.com)
    mSATA 64 GB ~$50
    8 GB RAM ~$40
    M350 case ~$40
    external PSU ~$15

    in total ~$345 (€), more RAM and in my eyes a little snappier.
    Will be the best bet if you have the money and will be able or willing to spend it for that firewall.
    But if later the VPN point comes into the game you should also be well sorted with the SG-2440.

    Regards



  • Salute Javier,

    My goals are to use IDS/IPS (snort/suricata) and web proxy filtering (goal not for caching) (squid/squidGuard)

    Based on those needs I was thinking the SG-2220 is too small and not powerful enough, or
    comes with too little storage. And the lack of AES-NI, if that is not really a big thing,
    would also apply to the Jetway board, but the Jetway board is able to route nearly
    1 GBit/s at the WAN interface! You are able to build a small UTM device for a small company
    with that board!



  • Hi.

    One interesting box.

    Quad-core, 8GB RAM, 32GB SSD, 4 GbE Ethernet ports
    2016 Firewall Micro Appliance With 4x Gbe Intel Lan Ports for PFSense 8G RAM 32G storage : $227.00 + $33.24 shipping
    https://www.amazon.com/gp/product/B01K2L3FYO/ref=ox_sc_act_title_1?ie=UTF8&psc=1&smid=ALPYNZEJ0WG1A

    Regards.