How important is WAN protection in this case?



  • I've been rethinking my router and the security packages that are installed. This is mostly to avoid the need to buy more powerful hardware if I upgrade my home internet speeds to 400mbits or 1gbits. Advice is wanted.

    Current hardware is a Shuttle DS68U, with 3855U processor, passmark about 1500. 8GB/120GB. It works great now at 150/10 and also worked great at 250/20 not long ago. Packages are pfBlockerNG, OpenVPN (3 servers, low usage), and Snort. I believe it would work great at 1gbit as a router with low usage OpenVPN servers only. Suspect the other two packages in full use would stress it out excessively.

    My only open ports are for OpenVPN, which is secured down to the device/certificate match level. They're also on non-standard ports which never see hacking attempts since moving them, so far.

    I also have an i5 based home server and recently installed pi-hole in a VM for experimentation. It blocks over 1.3 million sites. I disabled DNSBL and geoblocking and WOW, I can see the screens refresh a little snappier. Lots of blocking and easy to whitelist.

    Finally, my questions.

    Adding pi-hole got me thinking. With such a low exposure of ports (OpenVPN only) and the protection I think their configuration supplies, do I need any support from packages that block at the WAN level?

    Does basic NAT and SPI protect me well enough for the WAN, as all unsolicited inbound traffic should be rejected? Will pfBlockerNG (and SNORT) offer something else/better in this case?

    For grins I disabled WAN geo-blocking (everyone except US) and saw a decrease in processor activity. I also disabled DNSBL due to the pi-hole server doing the same work with more sites. The IP list part was changed to outbound LAN only and I see no hits, probably because of pi-hole.

    Same questions apply to SNORT. LAN sees only a little activity, most days none. WAN sees a lot, but do I need it given this description of my system?



  • I don't think so. Everything from wan is blocked by default unless you open ports. Same for snort.



  • @Hugovsky Thanks. I agree. But, something weird, about the same time I posted the main topic, I noticed an OpenVPN probe on port 2488, which is not used. What a coincidence. It's been dead there for weeks, otherwise. The IP traced to Hong Kong, Latvia, and maybe more.



  • Port scans are normal on the internet side. There's a lot of information and a set of "Golden rules" in a topic about suricata, I think. Try to search for it. It has a lot of good and useful information.




  • LAYER 8 Global Moderator

    Running snort on your wan if you only have openvpn open is a waste of time and resources..

    All unsolicited traffic to your wan from internet is dropped out of the box... Who cares if it comes from china, us, can, fr, iran, who cares? It's all just noise!!

    Changing ports for your openvpn servers does nothing other than reduce log spam..

    If your openvpn server is secured - who gives two shits if some bot or something hits it.. If you have openvpn setup correctly and using tls auth, they don't get very far unless signed by your tls key anyway.. so really no resources.. And just a tiny hit to your log spam..

    If you were running services to the public like web servers behind pfsense - then ok IPS might make sense... But sorry if you only have openvpn open.. Running an IPS makes no sense.. And sure as hell not worth the time and effort to maintain it correctly.

    If you are already using pihole then you prob don't need pfblocker outbound.



  • @johnpoz Thank you for your reply. I suspected as much and snippets within pfSense said the same thing. But comments here and there implied perhaps SNORT on the LAN was useful or SNORT outbound on the WAN was a good idea. In my case, I blocked only useful sites on port 80 or tivo trying to call home. So, it looked ambiguous at best.

    Re the original questions about pfBlockerNG, it was very helpful prior to pi-hole but I was blown away at pi-hole's responsiveness on the i5 server, whitelisting, and sites available. The new version of pfBlockerNG looks pretty good, but I didn't want to buy an i5 router just to use it at high speed unless absolutely necessary. Plus, the home server has lots of unused capacity.

    I'm using tls-auth for OpenVPN and each device has a unique user-id and certificate, which must match the device. You can't get in unless you have a device with a matching certificate and know the user-id associated with the device/certificate. Seems pretty good to me. If it can be done even better, I'd like to know how so I can add it in.



  • I also use OpenVPN on WAN and have stopped using SNORT.
    However I do use pfblockerNG to block other countries from trying to connect to my VPN Server.
    If I go travel I will just open the country I'm going to visit. So far this has been working reliably.



  • @gcu_greyarea I also used geoblocking but I turned it off with the likelihood of removing pfBlockerNG if pi-hole continues to work well. I noticed the processor load went down with it off. I considered it belt and suspenders protection. But it does not look necessary at this time.


  • LAYER 8 Global Moderator

    Here is the thing - blocking country X from hitting your service is not really security.. At best it reduces log spam.. If the service is secure, it's secure, doesn't matter what the location of the source IP is..

    You could be exploited from IP in country X or country Y, or Z, etc..

    What you should be worried about is if the service you provide to the public is actually "secure" not that what is the country of origin of the IP..

    Sure if want to reduce who can talk to service X, there is nothing wrong with that.. But when it comes down to it - why not just limit who can talk to it via whitelist vs blacklist.. Where are you going to hit your openvpn service from.. Your cell phone - ok put in the IPs of your cell provider, your work - ok put in that IP..

    Problem is hey where might you need to vpn into your box from.. The whole US - well F that is a lot of IPs, that could have bad guys in them.. Are those IP lists correct???? What if you're at a starbucks down the road and the IP you get for public is listed as being in china or something and you can not get in??? This happens all the time.. geoip is far from correct.. So now you're at the starbucks trying to watch something off your plex server via your vpn.. And F you can not get in!!! What the F was the point of setting up vpn if you can not get in when you need to get in?

    So what is better - just make sure your vpn is secure.. And who gives a shit what the source IP of the bot is that might probe it and not get anywhere anyway.. Or that you can not get in from starbucks down the road because that isp ip range is mislabeled as being from china? ;)

    If you are going to open a service to the public, then you're opening it up to the public.. Or you're going to lock it down to specific sources.. You running a package that updates its lists every freaking hour, and sucks up huge amount of resources to maintain huge lists of IPs based on country seems like a lot of stuff that could go wrong if you ask me.. And what does it matter if your vpn server is secure?? So you stop X % of possible bad guys from talking to it.. But what if the bad guy is from the country you allow? All that extra resources got you what exactly??

    Now if you're opening up services to the public where there could be lots of sorts of exploits - ok IPS to check for exploit A, B and C, etc.. because your webserver could be open to all kinds of different exploits - hey lets check the packets talking to your web app.. for different signature..

    But you're running an openvpn service.. The package has to match your tls to even really start the conversation.. So why bother checking signature of other things??

    The big issue is users hear buzz words IPS, and blocking bad places etc.. But they don't really think it through..

    IPS and IP based filter for sure have their uses... And are great tools that make a lot of sense for the proper use.. You're running a vpn server so you can get into your home network.. Prob sorry does not really justify need of ips and geo ip blocking.. Lets keep in mind you're not a dod facility ;) I do this shit for a living, have to deal with all the restrictions and to be honest love this stuff and its fun to me.. And I don't waste my time running this sort of shit on my home network - because it just doesn't make sense for this sort of deployment.. And I do host up my plex server to family and friends for example.. But you know what is easier than opening it up to the public - is just to have them give me their IP addresses and only these IPs can talk to my plex box ;) not the whole freaking internet - guess what if they are at starbucks then they can not access it ;)

    So yes thinking about the resources and time and effort required to do your security is a very valid thing to think about vs spending time and effort and money to run xyz when its not really justified...

    To be honest and no offense to the bbcan with his great package - but the current way it works where it can open up an any rule on the wan is BAD!!! and that little issue could be far worse in overall security than saying only country X can talk to your port forwards..

    So yes users should think long and hard, and think about their own understanding of how it all works before just clicking on package x or y and thinking that makes them more secure than just out of the box..

    However I do use pfblockerNG to block other countries from trying to connect to my VPN Server.

    Did you whitelist country X with pfblocker? What are the rules on your wan, did it place an any rule on your wan with source of alias.. Or did you use just the alias pfblocker creates in your own rules... The current setup of pfblocker creates an any rule for dest.. So unless you really paid attention you could have exposed your web gui to all the IPs in your whitelist... Post up your wan rules and we can see..



  • Did you whitelist country X with pfblocker?

    Yes, I whitelisted the country and also checked the “Custom DST Port” in the “Advanced Inbound Firewall Rule Settings” in pfBlockerNG.
    This will ensure that only the OpenVPN server port will be exposed on WAN. I do log successful connections as I’d like to know who (IP) connected and when.
    I haven’t really noticed any performance penalty due to pfBlockerNG. When idle CPU sits at 2 percent or below and memory doesn’t appear to be a problem either.
    Outbound I use piHole.
    I understand that security consists of the sum of various technologies and processes. pfBlockerNG and IDS/IPS may be overkill for a home setup, but most people just want to learn about technology.
    The way I go about it is to trial a feature and evaluate if I benefit from it. pfSense is great to learn about core technology (e.g. Snort) and then learn how others implement it (e.g. Sophos UTM) or make it a proprietary “feature”.
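    The check johnpoz asks for above (whether the pfBlockerNG auto rule on WAN passes the allow-list alias to any destination, instead of only to the OpenVPN port as the “Custom DST Port” setting is meant to ensure) can be run against a config.xml backup rather than by eyeballing the rules page. The script below is an added example, not code from the thread, from pfSense or from pfBlockerNG; the sample fragment is constructed, and the element layout (a `<filter>` holding `<rule>` elements with `type`, `interface`, `source`, `destination` and `descr`) is an assumption modelled on the pfSense config format, so verify it against your own export before relying on the result.

```python
"""Flag WAN pass rules in a pfSense config.xml that expose every listening
service (web GUI, SSH, ...) to their source instead of one service port."""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the <filter><rule> layout of pfSense's
# config.xml (an assumption, not a real export).  Rule 1 is the case the
# thread warns about: pass from a GeoIP allow alias to ANY destination/port.
# Rule 2 is the same alias restricted to the OpenVPN port, which is the
# intended shape.  Rules 3 and 4 are there to show what is *not* flagged.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>any</protocol>
      <source><address>pfB_Allow_v4</address></source>
      <destination><any></any></destination>
      <descr>pfB_Allow_v4 auto rule</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol>
      <source><address>pfB_Allow_v4</address></source>
      <destination><network>wanip</network><port>1194</port></destination>
      <descr>OpenVPN from allowed countries only</descr>
    </rule>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><any></any></source>
      <destination><any></any></destination>
      <descr>explicit catch-all block (the default deny is implicit anyway)</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source>
      <destination><any></any></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>
"""


def describe_source(rule):
    """Human-readable source of a rule: alias/address, network keyword or 'any'."""
    src = rule.find("source")
    if src is None:
        return "?"
    if src.find("any") is not None:
        return "any"
    return src.findtext("address") or src.findtext("network") or "?"


def audit_wan_pass_rules(config_xml):
    """Return one finding per enabled pass rule on WAN whose destination is
    'any' or carries no port, i.e. a rule that admits its sources to every
    service the firewall itself listens on, not just the forwarded one."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iter("rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        if rule.find("disabled") is not None:  # disabled rules are inert
            continue
        dest = rule.find("destination")
        dest_any = dest is None or dest.find("any") is not None
        port = dest.findtext("port") if dest is not None else None
        if dest_any or not port:
            findings.append({
                "descr": rule.findtext("descr", ""),
                "source": describe_source(rule),
                "protocol": rule.findtext("protocol", "any"),
                "problem": "destination any" if dest_any else "no destination port",
            })
    return findings


if __name__ == "__main__":
    for f in audit_wan_pass_rules(SAMPLE_CONFIG):
        print(f"WAN pass rule '{f['descr']}' from {f['source']} "
              f"({f['protocol']}): {f['problem']}")
```

    Run it on a downloaded backup (`Diagnostics > Backup & Restore`) by reading the file into `audit_wan_pass_rules`; any finding from a pfBlockerNG alias means the allow-listed addresses can reach the firewall's own services, which is exactly the exposure the custom destination port setting is supposed to prevent.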


  • LAYER 8 Global Moderator

    @gcu_greyarea said in How important is WAN protection in this case?:

    but most people just want to learn about technology.

    If that is the goal then sure pfsense with IPS is a great platform... But to be honest that doesn't seem like the case in most of these posts you see about IPS..

    They seem to think they can click a button and be "extra" secure..



  • Just a note. If your WAN connection has a data cap, say 10GB, then you need to be careful with what ports you expose and to whom. I have seen two cases of businesses with less than 20GB caps get stung by leaving the ssh port open; they were using certificate authentication so figured it wasn't a risk of a brute force breaking it. Some hacker found the SSH port and started brute forcing it slowly from multiple IP addresses and over the course of the month kept going and used up about 60% of their data cap.

    We got hired to check as the business owner was going nuts and wanted to know what was going on. He figured the ISP was screwing him.

    So in summary what you use will depend on factors around your setup, what you're running, what your speeds are etc. There is no one size fits all answer, think hard about the risks and rate them and their impact, and spend money/time accordingly.



  • @conor said in How important is WAN protection in this case?:

    Just a note ......

    Your example is a rare case, but very valid. I've seen an identical situation where traffic existed, so said the ISP; the quantity of traffic being used rose every day without an initial explanation.
    Then I had a close look at who was "knocking on the front door" ...

    When someone has to use such an ISP (concrete example: satellite connections), they shouldn't accept any connection from the outside. No exceptions.



  • Thank you everyone for joining in. An article somewhere in the pfSense documentation that covers this idea more concisely would be great.

    This question is asked a lot and rarely answered as well as above. I researched it before asking here.

    I, too, started with pfSense years ago with the intention of adding security while playing with a new toy. Now with gigabit service so common I had to think it through a little better because I didn't want my router to be the most powerful computer in the house due to all the filtering that it was doing. I'm pretty charged up with having an i5 home server. My home network is a low use system that has a lot of feature because it is my hobby. No open ports other than OpenVPN. Going through OpenVPN is the only way to access the network from outside the home. Of course, a network with lots of open ports and/or lots of users with no special concerns, such as employees or members, would have much different security needs.

    Ad blocking may distress owners of websites, but sorry, not sorry. They have become so obnoxious that I feel no remorse getting rid of them with pfBlockerNG and, now, pi-hole. It's also a form of network security. A big one.



  • @Gertjan said in How important is WAN protection in this case?:

    @conor said in How important is WAN protection in this case?:

    Just a note ......
    

    Your example is a rare case, but very valid. I've seen an identical situation where traffic existed, so said the ISP; the quantity of traffic being used rose every day without an initial explanation.
    Then I had a close look at who was "knocking on the front door" ...

    When someone has to use such an ISP (concrete example: satellite connections), they shouldn't accept any connection from the outside. No exceptions.

    Good point. Unfortunately I suspect a lot of people find that out the hard way.


  • LAYER 8 Moderator

    @Gertjan said in How important is WAN protection in this case?:

    @conor said in How important is WAN protection in this case?:

    Just a note ......
    

    Your example is a rare case, but very valid. I've seen an identical situation where traffic existed, so said the ISP; the quantity of traffic being used rose every day without an initial explanation.
    Then I had a close look at who was "knocking on the front door" ...

    When someone has to use such an ISP (concrete example: satellite connections), they shouldn't accept any connection from the outside. No exceptions.

    To add to @conor and @Gertjan: One has to also remember that you can't change the traffic that will arrive on the WAN port. Yes you can block all, of course! But that doesn't mean a scan, tried DOS or any other repetitive connection won't cost you traffic anyway, as most providers will measure what enters/leaves your interface. An open SSH port will attract more attention, that's a given. But anyway the "noise floor" of internet traffic/packages will be there, be it blocked or not. So one always has to remember that.

    Normally on such lines you should have a toggle or possibility to block all traffic incoming on the provider side (or blackhole that and only allow perhaps a few IPs) but no ISP will likely give you that much power ;)

    It's always fascinating to install a new firewall with customers and showing them the first few minutes of blocked packages. ;)

    Greets



  • @coffeecup25 said in How important is WAN protection in this case?:

    This question is asked a lot and rarely answered ....

    I tend to say that this question should not exist. It's 'wrong'.
    pfSense defaults to the behavior that any firewall/router shows : No incoming connections with an initial outgoing state.
    This means the issue is solved for everybody - even for the rate limited ones. No one will snoop from your expensive bytes.

    Now, when people decide to "open up some ports for incoming connections - connections initiated from the outside" then they should know that there is much more involved than just "NATting a port in their router and done".
    Every aspect of life, technical or not, should be questioned. If you don't, chances are good (read : guaranteed in this case) you pay the price.

    "NATting a port" is asking for incoming connection. Very close to incoming troubles ^^
    Up to the admin to ask himself : from who ? From where ? When ? Etc.
    Not asking these questions - and not considering that consequences might exist (this last part is what makes the difference between us and other animals) is a common pitfall. It's a "learning" thing.



  • Sorry to bump an old thread, but reading through it, kinda opened up some questions..

    I have 2 port forwarding rules plus openvpn, so 3 ports open to the internet.

    For the SSH, it's protected by a key file.
    openvpn: keyfile and username/password
    but I also have my home control software running an HTTPS service, and will also run MQTT at some point.
    (I do understand that keyfiles and secure passwords won't make everything 100% secure)

    Now, I moved from UniFi to pfSense, as I actually wanted to use GEOIP blocking and Suricata.
    But reading through this thread it sounds like that really won't help!
    But then what are the benefits of pfSense for me? They seem to be non-existent.

    I export the syslog to Splunk, and I have between 5,000 and 15,000 incoming connections to my port forwarding rules.
    Now, only about 100 of those connections are coming from my country.
    I know that it only takes 1 "good" attack, but considering everything, shouldn't pfBlocker country pass and Suricata help the attack scope?

    What is more "correct" ways to protect yourself?
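    The counting done in Splunk above, and the point made earlier in the thread that blocked packets still count against a data cap, can both be checked from pfSense's own filter log. The script below is an added example, not from any poster or from pfSense: it parses constructed syslog lines laid out like pfSense's comma-separated `filterlog` records (the IPv4 field order is an assumption about that format; IPv6 records are skipped), sums the bytes of blocked inbound traffic on the WAN interface as a rough "noise floor" cost, and, per destination port, counts attempts and distinct sources so that a slow, many-source pattern like the SSH case described above stands out from a single noisy scanner.

```python
"""Summarise inbound pressure on the WAN from pfSense filterlog lines:
bytes that were blocked (they still crossed the link) and, per port,
how many attempts arrived from how many distinct sources."""
import re
from collections import Counter, defaultdict

# Everything after "filterlog[pid]: " is the CSV record.
FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(.*)$")

# Constructed sample lines (not a real log).  Assumed IPv4 field order:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,flags,protoid,proto,length,src,dst,srcport,dstport,datalen,...
# Addresses are from the documentation ranges.  Four SYNs to port 22 from
# four different sources, one UDP probe on an unused port, one legitimate
# OpenVPN packet that passed, and one outbound LAN flow for contrast.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw filterlog[53]: 5,,,1000000103,igb0,match,block,in,4,0x0,,51,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.5,51234,22,0,S,1:1,,65535,,mss
Mar  3 10:00:09 fw filterlog[53]: 5,,,1000000103,igb0,match,block,in,4,0x0,,49,0,0,DF,6,tcp,60,198.51.100.8,203.0.113.5,40111,22,0,S,1:1,,65535,,mss
Mar  3 10:00:17 fw filterlog[53]: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,192.0.2.44,203.0.113.5,33020,22,0,S,1:1,,65535,,mss
Mar  3 10:00:25 fw filterlog[53]: 5,,,1000000103,igb0,match,block,in,4,0x0,,50,0,0,DF,6,tcp,60,192.0.2.45,203.0.113.5,33021,22,0,S,1:1,,65535,,mss
Mar  3 10:00:33 fw filterlog[53]: 5,,,1000000103,igb0,match,block,in,4,0x0,,48,0,0,DF,17,udp,46,192.0.2.99,203.0.113.5,44444,2488,26
Mar  3 10:00:41 fw filterlog[53]: 12,,,1558000001,igb0,match,pass,in,4,0x0,,55,0,0,DF,17,udp,72,203.0.113.200,203.0.113.5,1194,1194,52
Mar  3 10:00:50 fw filterlog[53]: 4,,,1000000101,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,52,10.0.0.5,198.51.100.200,50000,443,0,S,1:1,,64240,,mss
"""


def parse_filterlog(text):
    """Turn filterlog syslog lines into dicts; IPv4 TCP/UDP records only."""
    events = []
    for line in text.splitlines():
        m = FILTERLOG_RE.search(line)
        if not m:
            continue
        f = m.group(1).split(",")
        if len(f) < 20 or f[8] != "4":  # skip IPv6 / truncated records
            continue
        ev = {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
              "length": int(f[17]), "src": f[18], "dst": f[19], "dport": None}
        if ev["proto"] in ("tcp", "udp") and len(f) > 21:
            ev["dport"] = int(f[21])
        events.append(ev)
    return events


def blocked_inbound_bytes(events, iface):
    """Bytes of inbound packets the firewall dropped on `iface`: the traffic
    that arrived (and was metered) even though nothing answered it."""
    return sum(e["length"] for e in events
               if e["iface"] == iface and e["dir"] == "in" and e["action"] == "block")


def port_pressure(events, iface, min_sources=3):
    """Per destination port: attempts, distinct sources, and whether the
    pattern looks distributed (several sources, few attempts each), which a
    single-IP rate limit or ban list would not catch."""
    attempts, sources = Counter(), defaultdict(set)
    for e in events:
        if e["iface"] == iface and e["dir"] == "in" and e["dport"] is not None:
            attempts[e["dport"]] += 1
            sources[e["dport"]].add(e["src"])
    report = {}
    for port, n in attempts.items():
        distinct = len(sources[port])
        report[port] = {"attempts": n, "sources": distinct,
                        "distributed": distinct >= min_sources and n / distinct <= 2}
    return report


if __name__ == "__main__":
    evs = parse_filterlog(SAMPLE_LOG)
    print("blocked inbound bytes on igb0:", blocked_inbound_bytes(evs, "igb0"))
    for port, r in sorted(port_pressure(evs, "igb0").items()):
        print(f"port {port}: {r['attempts']} attempts from {r['sources']} sources"
              + (" (distributed)" if r["distributed"] else ""))
```

    Point `parse_filterlog` at the raw log from `Status > System Logs > Firewall` (or the same lines after they reach Splunk); the byte total over a day, scaled to a month, is the cost of the noise that no firewall setting on your side can prevent, and ports marked distributed are where a source-based block would only ever trail the attacker.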



  • Openvpn is probably ok. My security is similar to yours excepting each user has its own certificate and the user id corresponds to the device and certificate. Also, I use non standard ports for openvpn (3 servers) and days go by without them being scanned.

    I don't use SSH and if I did it would be over a LAN. Never the WAN.

    Geoblocking is iffy but probably not bad. Shut down all countries except the US from inbound WAN. Then you only need to worry about VPNs and malicious US residents. In theory, you don't need it. In practice, it's belt and suspenders. You're using it to protect open ports. Openvpn should be safe as described. If you forward ports, then you have something to protect.

    I can't speak to home automation. When I start to use it I plan to put it on a separate VLAN with no regular network device access. I also plan to never use anything that calls home or requires a port forward. I think ZWave is local to the LAN. WiFi might also be the same.

    Suricata will help with open ports. I used to use Snort but uninstalled it as I have no open ports except for openvpn. All access to everything remotely is via LAN after connecting with openvpn.


  • Moderator

    @blank said in How important is WAN protection in this case?:

    Now, I moved from UniFi to pfSense, as I actually wanted to use GEOIP blocking and Suricata.
    But reading through this thread it sounds like that really won't help!
    But then what are the benefits of pfSense for me? They seem to be non-existent.
    I export the syslog to Splunk, and I have between 5,000 and 15,000 incoming connections to my port forwarding rules.
    Now, only about 100 of those connections are coming from my country.
    I know that it only takes 1 "good" attack, but considering everything, shouldn't pfBlocker country pass and Suricata help the attack scope?
    What is more "correct" ways to protect yourself?

    Each piece is a layer of security. To limit the open WAN ports you can define an alias with the IPs which are allowed to connect. If that is unmanageable, then add a GeoIP alias for only the countries that should be allowed to connect to those ports. The "Block the world" approach is not recommended. GeoIP can lessen the hits on the open ports. Next would be to add IP Blacklist(s) of known malicious IPs to be blocked. Following that, you could enable an IPS to block anything else. Check out pfBlockerNG-devel which has an Integrated Feeds tab to help find suitable IP/DNSBL Blocklists.

    pfSense is going to block all unsolicited inbound traffic, and only let open ports thru.... However, that does nothing to help protect the Outbound which is by default wide open. So IP/DNSBL blocklists can block the known bad for Outbound traffic... GeoIP can be hit/miss but all depends on what you want to accomplish and how conservative/aggressive you want to be with your network.



  • By all means keep the custom openvpn port, I find that practice reasonable. Bots and whatnot scanning services cause spam; the problem is though, if you get used to seeing that spam, then the one day you have a legit attempt at your security you're likely to ignore it as you're just used to seeing daily spam. Which is why I use custom ports for non public services a lot of the time.

    On the question of things like snort, I wouldn't bother in a situation where the one and only listening service is a private VPN server.

