New pfSense user, have a couple of questions

  • So I got pfSense running on pretty decent hardware: an i7 with hyper-threading at 3.4 GHz, 8 GB RAM, 256 GB SSD, one mini PCI Express Realtek NetExtreme Gigabit card with Broadcom chipset and one onboard Gig NIC. I am gonna get the Intel NICs after Xmas.

    I have enabled Snort on the WAN port. Initially I had all the sources for rules enabled, but then even Facebook wouldn't load, so I went back to just the Snort VRT rules.

    Now sites load, but they are not as fast as they were before. I ran a couple of speed tests using Google and I am getting about 400-500 Mbps down and 200-300 Mbps up. It should be close to 900 down and 800 up, but I am thinking it could be the network cards, so I will hold my judgement till I get those.

    My kids play Roblox and Minecraft etc. and they had issues where their characters wouldn't render till I cleared the block list in the IPS. It has not come back since, but that kinda has me thinking what else is not working.

    I also have an OpenDNS account and I added it to DynDNS, but I am not getting blocked on the categories I am supposed to be blocked on. Not sure what the issue there is.

    So far I have noticed that logging leaves a lot to be desired: Snort blocks the traffic but it won't tell me why.

    The firewall blocks traffic, which I am only guessing is because of the bogon rules, but it won't tell me which rule number in the firewall blocked the access.

    Anyone know if there is a Splunk plugin for pfSense so it can make sense of the logs? The raw logs are very hard to read, and if you forward logs from pfSense it does not keep the pretty format, unless I am missing something.
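The "which rule blocked this" question above is answerable from the raw syslog line: pfSense's filterlog entries carry the rule number and, more usefully, a tracker id that the log viewer uses to look the rule up. The following is an added example, not code from this thread or from the pfSense project. It assumes the comma-separated field layout that pfSense 2.2 and later write after `filterlog[pid]:` (rule-number, sub-rule, anchor, tracker, interface, reason, action, direction, ip-version, then version-specific fields); the syslog lines, addresses and tracker ids are constructed samples.

```python
"""Recover the blocking rule from pfSense firewall (filterlog) syslog lines.

Added example, not code from the thread or from pfSense. It assumes the
CSV layout pfSense 2.2+ filterlog writes after "filterlog[pid]:".
"""
import re
from collections import Counter

# Constructed sample syslog lines (BSD syslog prefix + filterlog CSV).
SAMPLE_LOG = """\
Dec 26 10:15:02 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,54321,443,0,S,1234567890,,65535,,mss
Dec 26 10:15:03 pfSense filterlog[12345]: 7,,,1000000105,igb0,match,pass,in,4,0x0,,64,54,0,DF,17,udp,80,192.0.2.9,198.51.100.10,5353,53,60
Dec 26 10:15:04 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,23,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,40000,22,0,S,99,,65535,,mss
Dec 26 10:15:05 pfSense filterlog[12345]: 9,,,1000000200,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,2001:db8::1,2001:db8::2,1234,80,0,S,1,,8192,,mss
Dec 26 10:15:06 pfSense sshd[999]: Accepted publickey for admin from 192.0.2.9
"""

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")


def parse_filterlog(line):
    """Return the fields an admin needs from one filterlog line, or None
    if the line is not a filterlog entry (e.g. sshd noise in the same feed)."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    rec = {
        # rule number can be empty for rules pf numbers differently; the
        # tracker id is the stable key the pfSense log viewer uses.
        "rule_number": f[0] or None,
        "tracker": f[3],
        "interface": f[4],
        "reason": f[5],
        "action": f[6],
        "direction": f[7],
        "ip_version": int(f[8]),
    }
    if rec["ip_version"] == 4:
        # 4,tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst,...
        rec["proto"] = f[16]
        rec["src"], rec["dst"] = f[18], f[19]
        rest = f[20:]
    else:
        # 6,class,flow-label,hop-limit,proto-text,proto-id,length,src,dst,...
        rec["proto"] = f[12].lower()
        rec["src"], rec["dst"] = f[15], f[16]
        rest = f[17:]
    # Only TCP/UDP carry ports; ICMP and others have a different tail.
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["src_port"], rec["dst_port"] = int(rest[0]), int(rest[1])
    return rec


def blocks_by_tracker(log_text):
    """Count blocked packets per (tracker id, interface, direction) so the
    noisiest blocking rule can be identified and looked up in the GUI."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block":
            counts[(rec["tracker"], rec["interface"], rec["direction"])] += 1
    return counts


if __name__ == "__main__":
    for (tracker, iface, direction), n in blocks_by_tracker(SAMPLE_LOG).most_common():
        print(f"tracker={tracker} iface={iface} dir={direction} blocks={n}")
```

Point the script at a forwarded syslog file and the tracker id with the highest block count is the rule to open in the firewall rules page; an empty rule number with a bogon-sized source address is the usual sign of the built-in block rules rather than one you wrote.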

  • Certainly the Realtek NICs will be letting you down, but you are giving your system a lot of work to do, especially if you're in inline mode.

    You really are creating a huge headache for yourself by putting in block rules without training your system first; you should just generate logs first so you can identify actions which you need to allow but that the rules block. Also (last I checked) you're bound by single-thread performance in Snort, and it has to examine every bit of traffic coming in and out, which is a fair amount of work.

    There's a lot to go through, but if you really want to go down this route then you could do worse than read through; it'll keep you busy for quite a while.
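The "generate logs first, then decide what to allow" advice above amounts to a triage loop over alert-only output: group alerts by signature, see which ones fire for several internal hosts at low priority (game clients, in the original poster's case), and review those before blocking is turned on. The following is an added example, not code from this thread or from the Snort or pfSense projects. It assumes Snort's `alert_fast` line format; the alert lines, SIDs and addresses are constructed, and the rendered `suppress gen_id ..., sig_id ...` lines use Snort's threshold/suppress syntax.

```python
"""Triage Snort alerts from a non-blocking (alert-only) run before enabling
blocking. Added example, not from the thread. Assumes alert_fast format;
all alert lines and SIDs below are constructed."""
import re
from collections import defaultdict

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

# Constructed alert_fast lines; SIDs 9000001-9000003 are placeholders.
SAMPLE_ALERTS = """\
12/26-10:15:02.123456  [**] [1:9000001:2] CONSTRUCTED game client handshake [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.10:50000 -> 203.0.113.20:443
12/26-10:15:03.223456  [**] [1:9000001:2] CONSTRUCTED game client handshake [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.11:50010 -> 203.0.113.20:443
12/26-10:15:04.323456  [**] [1:9000001:2] CONSTRUCTED game client handshake [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.12:50020 -> 203.0.113.21:443
12/26-10:15:05.423456  [**] [1:9000002:1] CONSTRUCTED possible credential exfil [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:50100 -> 198.51.100.77:8080
12/26-10:15:06.523456  [**] [1:9000003:1] CONSTRUCTED DNS over nonstandard port [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.10:50200 -> 198.51.100.5:5353
"""


def parse_alert(line):
    """Parse one alert_fast line into a dict, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["prio"] = int(rec["prio"])
    # Drop the port so the host is the unit we count distinct hits on.
    rec["src_host"] = rec["src"].rsplit(":", 1)[0]
    rec["dst_host"] = rec["dst"].rsplit(":", 1)[0]
    return rec


def triage(alert_text, min_hosts=2, low_prio=3):
    """Group alerts by SID. A signature firing for several distinct internal
    source hosts at low priority (Snort priority 1 is the most severe) is a
    candidate to review for a pass or suppress entry; everything else stays
    on the investigate list."""
    by_sid = defaultdict(lambda: {"msg": "", "prio": None, "count": 0, "src_hosts": set()})
    for line in alert_text.splitlines():
        rec = parse_alert(line)
        if not rec:
            continue
        e = by_sid[rec["sid"]]
        e["msg"], e["prio"] = rec["msg"], rec["prio"]
        e["count"] += 1
        e["src_hosts"].add(rec["src_host"])
    candidates = sorted(
        sid for sid, e in by_sid.items()
        if len(e["src_hosts"]) >= min_hosts and e["prio"] >= low_prio
    )
    investigate = sorted(sid for sid in by_sid if sid not in candidates)
    return dict(by_sid), candidates, investigate


def suppress_lines(sids, gid=1):
    """Render Snort suppress syntax for SIDs a human has reviewed and accepted."""
    return [f"suppress gen_id {gid}, sig_id {sid}" for sid in sids]


if __name__ == "__main__":
    by_sid, candidates, investigate = triage(SAMPLE_ALERTS)
    for sid in candidates:
        e = by_sid[sid]
        print(f"review: {sid} {e['msg']!r} hosts={len(e['src_hosts'])} hits={e['count']}")
    for sid in investigate:
        print(f"investigate: {sid} {by_sid[sid]['msg']!r} prio={by_sid[sid]['prio']}")
    print("\n".join(suppress_lines(candidates)))
```

The candidate list is input to a human decision, not something to feed straight back into the sensor: a suppress entry hides the alert entirely, so the script only emits lines for the SIDs you have actually reviewed, and a priority-1 signature stays on the investigate list even if every host in the house trips it.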

  • I had to give up the pfSense project over the holidays as these network cards could not handle the load. So I have ordered an Intel dual-port NIC; the 4-port I have is either dead or is version 1.0, so it didn't work in my box. Anyhow, thanks for the link; even though I thought I knew lots :) I did learn a lot from the posts, very informative.