Filtering IP's in bridge mode
I have not used pfSense before, but have read some of the docs and was thinking of getting a Netgate SG-1000 to use for IP filtering outside my firewire in BRIDGE mode.
I have a SIP phone system (Allworx) that does not provide any IP filtering that sits outside of my network firewall. The traffic comes in from a AdTran switch that is managed by my phone company which will not give me access to it. The problem is that I periodically have people that hammer my phone server trying to gain access via brute force tactics. I was thinking that I could hook up one of the Netgate SG-1000 boxes, set it up in BRIDGE mode (to reduce potential network issues), and just block certain IP's as they became a nuisance. Obviously if they are very determined it will turn into wack-a-mole, but think this will eliminate many of them.
My reading is that I can filter IP's while still in bridge mode. Is that correct? Does this sound like a viable solution for my problem?
I used to complain to their ISP's but not many of them care any more and most attacks are coming from IP's out of the county so there is sometimes a language barrier.
It will be a nuisance for me to access the SG-1000 in that situation because I cannot access it directly from my main network (because it hooks up outside my firewall directly to the phone server). I would probably have to disconnect the phone system in order to manage the IP block list on the SG-1000. But it is just a hacker once every month or two that really becomes a persistent pain.
Thanks in advance for your thoughts!
That should work OK. How much traffic (think Mb/sec) would this unit be expected to filter?
You will probably want to consider some arrangement with a managed switch so you can tag an inside VLAN to one of the ports for a management interface. I would assign LAN to that VLAN so you keep some things like anti-lockout rules working in a sane manner.
I would personally rather use something with three physical interfaces (inside bridge member, outside bridge member, and management) for that use case but it should be able to be made to work with just the two physicals + VLANs.
Make an alias containing the IP addresses you wish to block
On the outside bridge member:
Block traffic sourced from that alias
Pass traffic to the PBX address only (or selectively pass traffic)
On the inside bridge member:
Probably a pass any rule.
There should be no pfSense interface assigned to the bridge itself and neither of the bridge members should be assigned IP addresses. They can both be "None."
Be sure these sysctls are set in System > Advanced, System Tunables
Those are the default settings.
Traffic should be minimal. We only have 6 employees. My understanding an average call is about 50-60k of bandwidth and usually only a few calls going at a time.
I like the idea of a port for management, but the cost of the device goes up quite a bit for the convenience. I'll have to give that careful consideration though as it probably will be a hassle to not have it!
Thank you for your detailed and quick response!
VLANs could work. You should also be able to keep the management on a separate physical interface by bridging two VLANs on the WAN physical for the transparent, filtering bridge.
You will probably also want to set a default gateway and DNS server to something on the LAN so the unit can resolve names and get to the internet. pfSense these days kind of needs that for updates, packages, etc.
It would probably be several steps, and require a managed switch (or three ports and two unused VLANs on an existing switch), to get to where I would want it:
Tag two VLANs on WAN
Bridge the two VLAN interfaces
An untagged port on each VLAN on the switch would be the inside and outside ports of the filtered bridge. A port with both VLANs tagged would go to pfSense WAN
Set WAN to IP Address None/None and delete the gateway from the interface. This can probably even be disabled.
Create a gateway on LAN that points to the edge routed gateway for internet. Set it as the default gateway in pfSense. Think of pfSense LAN as another inside device here. Don't set a gateway on the LAN interface config.
Set at least one DNS server in System > General that the firewall itself can use to resolve names.
I might be missing something but I think that should generally work. There should be no problem with the traffic volume you are expecting on the SG-1000. Any managed switch should do. Something like a D-Link DGS-1100-08 (about $35 US) would be more than enough. JSYK I have never actually built one like that. There might be a couple other things that need to be done. Interesting use case for an sg-1000.
I'm using a 2 port 2220 in a bridged setup and have assigned an IP address to the Bridge IF for management. I filter on the Bridge IF instead of the members.
What would be the benefit of assigning a Management VLAN - vs - using the Bridge IF for Management ?
As for filtering BingoWasHisName could also use pfblockerNG to block entire country ranges -or better whitelist a selected country to reduce the number of brute force attacks.
Because the management IP address in his case will be a WAN address. There is simply no need to hang the management interface out on the public internet.
An inside management address would be far superior in that case.
There is currently no firewall between the pbx device and the internet to run pfBlocker on.
Well, some of this is getting out of my pay grade :) I think I am getting the gist of it though and I'm sure it will make more sense when I actually try to configure it.
So is gcu_greyarea suggesting that a higher end appliance will be able to work in bridge mode and provide enhanced filtering by blocks of IP's? What is "Bridge IF"?
Sorry for the ignorance
Thanks Derelict for your reply.
@ BingoWasHisName - As far as I understand it you won't need a "high end" appliance. An appliiance with 3 ports might suit your requirements better as it would be easier to setup. E.g. you could use one port as a management interface.
As far as "enhanced filtering" is concerned I was referring to pfblockerNG, which would allow filtering based on geography (via maxmind). I don't know if this package is available on ARM(SG-1000).
"Bridge IF" means bridge Interface. E.g. In my config I have assigned an IP addres to the LAN-WAN bridge, which is ok because it is behind my iSP provided router and not exposed to the public.
Couldn't a USB ethernet adapter be used for management via the USB OTG port?
A VLAN would be better than USB.
Obviously, but a USB adapter is a lot cheaper than a managed switch.
Managed switch is $35 US. Spending a couple extra dollars to NOT use a USB adapter is probably worth it. It would be to me.
Interesting, seems I'm well out of date on managed switch pricing. I had no idea you could get tiny 5 port models now for peanuts.