Helping a complete newb understand IPS/IDS with pfSense


  • Hello community,

    I'll preface this by saying that I'm mostly completely new to this type of stuff, pfSense especially. Sure, I tinkered and tried to understand what the off-the-shelf router I have at the moment can do and that type of stuff, but as soon as I started reading up on the rabbit hole that is pfSense, I got a bit overwhelmed.
    In the following weeks I'll start dipping my toes in pfSense waters, which I'm quite excited about. I'll be setting it up for my home network, which is a pretty basic setup. It consists of a TV, an Unraid server, a few phones and a few laptops.
    The plan is to set pfSense up in such a way that it replaces my router (last updated years ago), runs my VPN server and maybe IDS/IPS. This last part, however, is where I get lost and need some help, as I'm trying to understand how these things work with pfSense or if extra hardware is needed.

    So the way I'm understanding the concepts of IPS and IDS (and DMZ) is like this:

    • a DMZ is just an added layer before stuff reaches your local network. However, what I do not understand is that most of the reading I've done on the topic of DMZ seems to imply that someone having a visit inside your DMZ is a given. Now if there is a public server running inside the DMZ, I understand how this can/will happen.
      But what about a home network setting, where you don't have (or want) anything exposed to the www? Can the DMZ still be set up with an IDS, to monitor for trouble, without anything exposed to the www? Is this where the Snort/Suricata packages come in? Does it even make sense to have a DMZ in a basic home setting, or can these packages be set up effectively without it?
    • For a proper DMZ setup at least a second router is needed, right? But how does Snort/Suricata monitor what's going on inside the DMZ if it's running on the same machine as the firewall on the LAN side? Isn't that a security risk? Or is it fine because it monitors stuff on a different NIC port? Does pfSense have some kind of isolation between NIC ports?
    • If you, however, do not have a second router and pfSense is your only firewall between the www and the LAN, you can set up some sort of IPS system. How is that system different from the firewall itself; what does it do differently?

    Sorry, a million questions. I hope the questions (and the assumptions I made) make sense.
    Thank you for taking the time to read (and comment)!


  • Hi,

    pfSense has a built-in VPN server for remote management and, why not, for giving access to your LAN-based devices (if these accept remote connections).
    VPN has lately become a total buzzword ... I advise you to look at the VPN-related videos from Netgate (they have a YouTube channel with every subject explained step by step).

    IDS: to reduce a long story to two words: forget it.
    If you insist, first, use your favourite info source, make yourself very comfortable (because this one will last for days) and get to know what 'SSL' (TLS) really is.
    Now you know that IDS was fun, in the past, when all traffic was travelling 'in the clear'. These days it's all encrypted: only most DNS traffic is still visible, and even that is changing these days. Mail, web access, SSH, whatever: it's encrypted in a way that the Mossad, NSA and KGB, or whatever these guys are called these days, can't access it, not without throwing a multi-billion installation at it.

    And you want to do IDS/IPS?

    Still, please, I'm just trying to make you understand what needs to be done. Do not take my word for it; again, look up (some of) the details.

    DMZ: that was one of my dreams as a boy: hosting my own web/TeamSpeak/mail server.
    It took a moment or two to understand that I would be needing something called a DMZ.
    A couple of clicks later I understood that the off-the-shelf basic ISP router wasn't up to the task. Today, ISP routers let you set a .... DMZ ..... IP (?!!?).
    But a DMZ is a separate, isolated network like 192.168.10.0/24, NOT 192.168.10.20 (an IP), although 192.168.10.20 could be the IP of a web server that operates in the network 192.168.10.0/24.

    pfSense lets you create more than one LAN-type interface; they will be called OPT1, OPT2, etc. Rename them "Pinky" or "DMZ" and you're done.
    The rest of the setup is: create firewall rules that enforce a typical DMZ type of operation.

    See https://docs.netgate.com/pfsense/en/latest/book/intro/interface-naming-terminology.html#dmz
    Or a good Netgate Youtube video about the subject.

    A DMZ network has one or more NAT rules (IPv4 still exists these days) that let global Internet users actually visit (contact, connect to) your server-type devices situated on your DMZ.

    Finally: I decided to create my own DMZ in the middle of the world's biggest "MZ": the Internet itself. Like everybody else. A motivation was also that hosting servers behind an ISP line normally just plain s*cks ("big" download, but small "upload").
    I rented dedicated servers on the Internet to host my servers. The most incredible thing is: you won't be bothered with firewall rules anymore. Just the server apps like apache2, nginx, postfix, bind, TeamSpeak, etc. Mastering these will eat up a part of your actual lifetime (be warned).
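Added example (editor's, not from either post and not from Netgate's documentation): the "typical DMZ type of operation" the reply refers to, written out as a hand-made pf ruleset in the syntax that pfSense's own rule generator emits. In practice you would enter these as rules on the LAN and DMZ tabs of the pfSense GUI (and the port forward under Firewall > NAT), not paste them into pf.conf; the file is shown here only to make the policy explicit. Interface names and addresses are assumptions: em0 is WAN, em1 is LAN (192.168.1.0/24), em2 is the renamed OPT interface "DMZ" (192.168.10.0/24, the network from the reply), and 192.168.10.20 is the web server the reply mentions.

```pf
# Added example: a DMZ policy in pf syntax, not generated by pfSense.
# Assumed interfaces/addresses (adjust to your hardware):
#   em0 = WAN, em1 = LAN 192.168.1.0/24, em2 = DMZ 192.168.10.0/24,
#   web server 192.168.10.20 on the DMZ.
wan_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.10.0/24"
web_srv = "192.168.10.20"

set skip on lo0
scrub in all

# Translation rules come first in pf.
# Outbound NAT for both internal networks (IPv4).
nat on $wan_if from { $lan_net, $dmz_net } to any -> ($wan_if)

# Port forward: the only way in from the Internet is to the published ports
# of the web server. Nothing else on the DMZ (or the LAN) is reachable
# from the WAN; "rdr pass" also creates the matching filter pass.
rdr pass on $wan_if proto tcp from any to ($wan_if) port { 80, 443 } -> $web_srv

# Default deny, logged. "quick" on the rules below gives the first-match
# semantics the pfSense GUI uses (plain pf is last-match).
block log all

# LAN is trusted: it may manage the firewall, reach the DMZ and the Internet.
pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) port { 443, 22 }
pass in quick on $lan_if from $lan_net to any

# DMZ is semi-trusted: it gets DNS from the firewall's DMZ address, but must
# never initiate connections to the LAN or to the firewall's other
# addresses, so a compromised server cannot pivot inward. Replies to
# LAN-initiated connections still flow back via the state table.
pass in quick on $dmz_if proto { tcp, udp } from $dmz_net to ($dmz_if) port 53
block in quick log on $dmz_if from $dmz_net to { $lan_net, ($lan_if), ($wan_if) }
# Everything else from the DMZ goes out to the Internet (updates, NTP).
pass in quick on $dmz_if from $dmz_net to any
```

Two checks worth doing once the rules are in place: from a DMZ host, confirm that a connection to a LAN address is refused and shows up in the firewall log (that is the isolation the original question asks about; it is enforced by the filter rules, not by the NICs being separate), and from outside, confirm that only ports 80 and 443 of the WAN address answer. Note that the order matters: the DMZ-to-LAN block must sit above the DMZ "to any" pass, otherwise the pass matches first and the block is never reached.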