Netgate Discussion Forum
    More control on egress

    Scheduled Pinned Locked Moved Traffic Monitoring
    5 Posts 3 Posters 965 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Qinn

      I would like to have more "grip" on what goes out my private networks to the internet.

      I can think of 2 approaches:

      1. As everything is blocked by default, I could start with a few protocols/ports like http, https, POP, SMTP and IMAP and gradually add more. Major drawback: users will start complaining and I still don't really know what's using these ports.

      2. Start with Snort or Suricata as an IDS, not IPS.

      Can anyone point me in the right direction?

      Cheers Qinn

      Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
      Firmware: Latest-stable-pfSense CE (amd64)
      Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

      • KOM

        Is this for a household or business? How many users? What is your goal for traffic control, i.e. why do you want to control what goes out?

        • Qinn

          Household, well not many users, but 55 nodes (tablets, desktops, laptop, IoTs, printers, etc.). Goal: controlling and maybe blocking what goes out.

          • johnpoz (LAYER 8 Global Moderator)

            An IDS is not going to give you an idea of all traffic - it's only going to tell you about traffic it thinks is bad.. Ie what triggers via a signature, etc. Much of which will be false positives..

            If you want to get an idea of what ports are used.. Just log your outbound default any any rule.. Send this to syslog for easy parsing, etc.

            Just curious, with so many different nodes - do you have these devices broken out into different VLANs? For example you mention IoT - do you have that isolated and locked down in any way?

            What you're going to find is that pretty much all traffic is going to be http/https.. Unless you have a lot of console game play or something? Are you actually using pop/smtp? You use fat clients for email? Ie like Outlook or Thunderbird or something?

            Most of the traffic is prob going to be https traffic - so unless you plan on doing mitm on your own devices.. Other than say seeing that an IoT device phoned home via https to some Amazon IP, you're not going to get much info, etc.

            You'd prob get a better idea of what your devices are doing by just logging the dns queries they do.. And how often they do the queries, etc. I would just log unbound, etc. But while it can log every query, there's not a real easy to see and understand interface to this log. Running say pi-hole as your network's dns, and then just having that forward to pfSense unbound, will be an eye opener on where your clients are going.. And you can block ads and nonsense sites with it as a bonus ;) Tie that with your logging of outbound traffic for the different ports and yeah, you will have a lot of info to work with on what you can stop, be it dns based or port based at the firewall, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • Qinn @johnpoz
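As an added example (not code from the thread or from pfSense), a small Python parser for the "log your outbound rule and send it to syslog" approach johnpoz describes: it reads pfSense filterlog lines and counts passed flows per destination port and per LAN host, keeping blocked attempts separately. It assumes pfSense's documented filterlog CSV field order, a LAN interface named igb1, and constructed sample lines.

```python
"""Summarise egress from pfSense filterlog syslog lines (added example).
Field order follows pfSense's documented filterlog CSV layout; the sample
lines are constructed for this example, not real captures."""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan  5 10:00:01 fw filterlog[912]: 4,,,1000000104,igb1,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.10.20,198.51.100.7,51234,443,0,S,1,,65535,,mss
Jan  5 10:00:02 fw filterlog[912]: 4,,,1000000104,igb1,match,pass,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.10.20,198.51.100.7,51235,443,0,S,1,,65535,,mss
Jan  5 10:00:03 fw filterlog[912]: 4,,,1000000104,igb1,match,pass,in,4,0x0,,64,1003,0,DF,17,udp,76,192.168.10.31,198.51.100.53,40001,53,56
Jan  5 10:00:04 fw filterlog[912]: 4,,,1000000104,igb1,match,pass,in,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.10.31,203.0.113.9,51236,8883,0,S,1,,65535,,mss
Jan  5 10:00:05 fw filterlog[912]: 5,,,1000000105,igb1,match,block,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.10.31,203.0.113.9,51237,23,0,S,1,,65535,,mss
Jan  5 10:00:06 fw filterlog[912]: 4,,,1000000104,igb0,match,pass,out,4,0x0,,64,1006,0,DF,6,tcp,60,192.168.10.20,198.51.100.7,51238,443,0,S,1,,65535,,mss
Jan  5 10:00:07 fw sshd[500]: Accepted publickey for admin from 192.168.10.5
"""
PAYLOAD_RE = re.compile(r"filterlog\[\d+\]:\s*(.*)$")

def parse_filterlog(line):
    """Return the fields that matter for egress review, or None for non-filterlog lines."""
    m = PAYLOAD_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    rec = {"interface": f[4], "action": f[6], "direction": f[7]}
    # IPv4 has 7 header fields before the protocol text; IPv6 has 3.
    proto_idx, rest_idx = (16, 17) if f[8] == "4" else (12, 14)
    rec["proto"] = f[proto_idx]
    rest = f[rest_idx:]           # length, src, dst, then ports for tcp/udp
    rec["src"], rec["dst"] = rest[1], rest[2]
    has_ports = rec["proto"] in ("tcp", "udp") and len(rest) >= 5
    rec["dport"] = int(rest[4]) if has_ports else None
    return rec

def summarise_egress(lines, lan_if="igb1"):
    """Count passed flows per (proto, dport) and per LAN host; blocks kept apart.
    LAN-originated traffic enters pfSense on the LAN interface, so a logged
    outbound rule shows direction 'in' there; other records are skipped."""
    by_port, by_src, blocked = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["interface"] != lan_if or rec["direction"] != "in":
            continue
        key = (rec["proto"], rec["dport"])
        if rec["action"] == "pass":
            by_port[key] += 1
            by_src[rec["src"]] += 1
        else:
            blocked[(rec["src"], key)] += 1
    return by_port, by_src, blocked
```

Point it at the syslog file that receives the firewall log (for example `summarise_egress(open("/var/log/pfsense.log"))`) and the `most_common()` of the first counter is the per-port picture the post talks about.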

              @johnpoz Hi John, first congrats on the Moderator status 👍

              @johnpoz said in More control on egress:

              Just curious, with so many different nodes - do you have these devices broken out into different VLANs? For example you mention IoT - do you have that isolated and locked down in any way?

              Yes, these nodes are across 10 VLANs (to name but a few: IoT, Printers, Guests etc.). The reason is just as you mentioned: IoTs are locked down. Printers for instance are accessible from LAN, WLAN and Guest, and to let them be accessible for iOS I have Avahi enabled (Bonjour/Zeroconf proxy).

              @johnpoz said in More control on egress:

              What you're going to find is that pretty much all traffic is going to be http/https.. Unless you have a lot of console game play or something? Are you actually using pop/smtp? You use fat clients for email? Ie like Outlook or Thunderbird or something?

              Yes, pop/smtp is used, maybe soon IMAP.

              @johnpoz said in More control on egress:

              Most of the traffic is prob going to be https traffic - so unless you plan on doing mitm on your own devices.. Other than say seeing that an IoT device phoned home via https to some Amazon IP, you're not going to get much info, etc.

              You are right, https will not be readable, and MiTM (man-in-the-middle) is not what I am planning on my own devices ;)
