Transparent Firewall With Existing Router



  • Hi,
    I am wanting to buy a pfSense to act as a Snort firewall only. But I have tons of questions to make sure it will do what I need.

    Please see my network diagram:
    http://imgur.com/a/EOKlF

    1. I would like to put the pfSense between my modem and router, so the Snort rules will work on wireless devices (router has wireless capabilities.) This is why I don't want to put the box between my switch and my router. Is this possible?

    2. I am looking at the latest Snort rules online, and they seem to all be ALERT rule only. How can I get it to actually drop malicious traffic? Also, any way to have Snort email me the alerts?

    3. I have looked at multiple guides, but I can't find one definite guide as to how to set this up as only a firewall (and not a router). Can anyone point me to an easy guide for this? Half of the guides say to bridge OPT1 and WAN, and half say bridge LAN/WAN. I am just looking for a really good guide on how to set this up as a firewall only (no routing)

    4. Is it possible for me to keep DHCP server on my router instead of my pfSense? According to https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense it says I need to disable DHCP on my router, but my DHCP server on my router provides really great options that I don't know if pfSense will, like giving every device a new nickname


  • Banned

    I can't offer much but maybe this will help until someone smarter than myself chimes in ;)

    @p1r473:

    1. I would like to put the pfSense between my modem and router, so the Snort rules will work on wireless devices (router has wireless capabilities.) This is why I don't want to put the box between my switch and my router. Is this possible?

    Yes, but there are other ways to do this (they might not work for your scenario but I think it will). You could just use pfsense as your router running snort/suricata and run your current wireless router as an AP for your wireless devices. This would probably be easiest. You wouldn't put pfSense between your switch and router in this configuration. You would attach both your switch and your router (now being used as an AP) to your pfSense, or possibly attach the router/wireless AP to the switch which would be attached to pfSense.

    @p1r473:

    2. I am looking at the latest Snort rules online, and they seem to all be ALERT rule only. How can I get it to actually drop malicious traffic? Also, any way to have Snort email me the alerts?

    I've never used snort, only suricata but from what I understand they are pretty similar so I'm assuming the same applies to snort. On suricata you choose whether rules will work the way they were written to or you can tell it to just drop anything that produces an alert no matter what the rule says.

    @p1r473:

    3. I have looked at multiple guides, but I can't find one definite guide as to how to set this up as only a firewall (and not a router). Can anyone point me to an easy guide for this? Half of the guides say to bridge OPT1 and WAN, and half say bridge LAN/WAN. I am just looking for a really good guide on how to set this up as a firewall only (no routing)

    If you haven't already I would read through this thread, the manager of snort/suricata on pfSense chimes in here.
    https://forum.pfsense.org/index.php?topic=63589.0
    Here's a pdf guide I found on google that might help you:
    http://users.ox.ac.uk/~clas0415/assets/Setting-up-pfSense-as-a-Stateful-Bridging-Firewall-with-commodity-hardware.pdf

    @p1r473:

    4. Is it possible for me to keep DHCP server on my router instead of my pfSense? According to https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense it says I need to disable DHCP on my router, but my DHCP server on my router provides really great options that I don't know if pfSense will, like giving every device a new nickname

    This document is telling you how to use your existing router as an AP like I suggested in 1.
    I'm thinking this will be the best course of action for you unless you know of a reason not to do it this way.

    You can use pfSense to assign nicknames to your devices in DHCP.
    In general, if you are using a SOHO router there is nothing that it can do that pfSense can't do better ;). This is actually one of the primary draws of pfSense, you can use it to turn an old cheapo computer you have collecting dust into a router that would cost hundreds to thousands of dollars if you bought it commercially.

    I hope this helps!



  • I am really trying to avoid putting the router in AP mode. It has so much functionality that I really love

    Is it possible to run snort/suricata inline with pfsense acting only as a transparent firewall?

    Id ideally love to keep my setup the exact same as it is now, and just stick pfsense between my router and modem, acting as a completely transparent firewall, and doing no routing


  • Banned

    Yeah I think so, check out those two links I posted. Do they help you out?



  • I am still learning pfsesnse myself, but I am inclined to agree with pfbasic. I think you would be much better off using your "router" as an AP and pfsense as your firewall/snort box. I have pfsense running on an old laptop (i5 processor, 2 GB memory) between my cable modem and a Gb Cisco switch and I saw a huge performance gain over a similar setup as what you currently have. My Pfsesnse running as DHCP server is assigning names to clients, but you have to check that box under dhcp server settings (default I think).  You could even simplify your network diagram by enabling the DNS features on pfsense and get rid of your DNS server. You don't mention what kind of router you have, but there wasn't anything my Linksys router could do that I couldn't do better with pfsense.

    If you really want to keep using your wireless router as is, then I would suggest a different approach for what you're wanting to accomplish and may not have as many headaches to get it up and running and keep it up and running. I would ditch the idea of using pfsense and build a Ubuntu box running Snort/Barnyard2/Pulled pork setup instead. Personally, I think that's what you're after here (unless there's something else in pfsense you want).

    http://opensourceforu.com/2016/09/growing-popularity-snort-network-ids/

    https://techanarchy.net/2015/01/home-ids-with-snort-and-snorby/