Netgate Discussion Forum
    Zone (interface) Protections

    General pfSense Questions
    7 Posts 2 Posters 888 Views

    • michmoor LAYER 8 Rebel Alliance

      Hello,
      Curious if there are any plans to have what other firewalls have regarding zone protection mechanisms written into the software.
      Examples of such things would be:
      Flood Protection
      Recon Protection
      Packet buffer Protection
      Of course, there is no concept of Zones here, only interfaces, but the question is still the same.
      All of these rely on some sort of threshold to be met before traffic is dropped. I do have customers that have/need ports open on the WAN side so having some type of mitigation there would be helpful.
      Just curious.

      Thanks

      Firewall: NetGate, Palo Alto-VM, Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP, CCNP Enterprise

      • stephenw10 Netgate Administrator

        You can set limits on the WAN side rules to prevent abusive connections. For example:
        https://docs.netgate.com/pfsense/en/latest/firewall/configure.html?highlight=state%20limits#maximum-state-entries-this-rule-can-create

        Steve

        • michmoor LAYER 8 Rebel Alliance @stephenw10

          @stephenw10 this is pretty good. Is there a method within pfSense for creating a baseline? Say I want to graph how many connections happen within a given hour so I can apply the correct setting for Max connections per second.

          Also curious: are there any plans to create some basic reporting scripts in the future? Reports of many kinds, such as connections per second, top destinations, etc.

          • stephenw10 Netgate Administrator

            There are some stats available via Status > Monitoring but not detailed enough to tune an individual rule like that.
            You probably want to use something more like vnstat or darkstat.

            https://docs.netgate.com/pfsense/en/latest/monitoring/graphs/bandwidth-usage.html

            Steve

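To put numbers behind the baselining question above (how many new connections actually arrive per second or per hour, so that the rule's "Maximum new connections per second" value is chosen from data rather than guessed), here is an added Python example. It is not code from this thread, from Netgate or from pfSense. It reads filterlog-style syslog lines (the rule has to log its matches for them to appear), keeps only passed inbound IPv4 TCP SYNs as "new connections", zero-fills a per-second series over the observed window, bins per hour, and proposes a limit at the 99th percentile with a 2x headroom factor. The sample log lines are constructed, and the CSV field indexes are an assumption based on the pfSense filterlog IPv4/TCP layout; compare them against a few lines of your own firewall log before trusting the counts. Because only passed packets are counted, blocked attempts do not inflate the baseline, which is what you want when sizing a limit for legitimate traffic.

```python
"""Baseline inbound new-connection rates from pfSense filterlog lines.

Added example; not code from the forum thread or from pfSense. The sample log
lines below are constructed, and the CSV field positions are an assumption
based on the pfSense filterlog layout for IPv4/TCP records.
"""
import math
import re
from collections import Counter
from datetime import datetime, timedelta

# Syslog prefix "Mon DD HH:MM:SS host filterlog[pid]: " followed by CSV fields.
_SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ filterlog(?:\[\d+\])?: (?P<csv>.*)$"
)

# Assumed filterlog CSV indexes (IPv4/TCP): action, direction, IP version,
# protocol name, src/dst IP, src/dst port, TCP flags.
IDX_ACTION, IDX_DIR, IDX_IPVER, IDX_PROTO = 6, 7, 8, 16
IDX_SRC, IDX_DST, IDX_SPORT, IDX_DPORT, IDX_FLAGS = 18, 19, 20, 21, 23


def parse_line(line, year=2025):
    """Return a record for a passed inbound IPv4 TCP SYN (a new connection), else None."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) <= IDX_FLAGS:  # UDP/ICMP records are shorter; skip them
        return None
    if f[IDX_ACTION] != "pass" or f[IDX_DIR] != "in" or f[IDX_IPVER] != "4":
        return None
    if f[IDX_PROTO].lower() != "tcp":
        return None
    flags = f[IDX_FLAGS]
    if "S" not in flags or "A" in flags:  # SYN without ACK = connection attempt
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": f[IDX_SRC], "dst": f[IDX_DST], "dport": int(f[IDX_DPORT])}


def per_second_series(records):
    """New connections per second across the observed window, zero-filled."""
    counts = Counter(r["ts"] for r in records)
    start, end = min(counts), max(counts)
    n = int((end - start).total_seconds()) + 1
    return [counts.get(start + timedelta(seconds=i), 0) for i in range(n)]


def per_hour_counts(records):
    """New connections per hour, keyed by 'YYYY-MM-DD HH:00'."""
    return Counter(r["ts"].strftime("%Y-%m-%d %H:00") for r in records)


def percentile(values, pct):
    """Nearest-rank percentile of a list of numbers."""
    s = sorted(values)
    k = max(0, math.ceil(pct / 100 * len(s)) - 1)
    return s[k]


def baseline(lines, pct=99, headroom=2.0):
    """Summarise the log and propose a per-second new-connection limit with headroom."""
    records = [r for r in (parse_line(ln) for ln in lines) if r]
    if not records:
        return None
    series = per_second_series(records)
    p = percentile(series, pct)
    return {
        "new_conns": len(records),
        "peak_per_sec": max(series),
        "pct_per_sec": p,
        "suggested_limit": math.ceil(p * headroom),
    }


def _line(ts, action, direction, proto, src, dst, sport, dport, flags):
    """Build a constructed filterlog-style line (assumed field layout)."""
    protoid = "6" if proto == "tcp" else "17"
    fields = ["5", "", "", "1000000103", "igb0", "match", action, direction, "4",
              "0x0", "", "64", "12345", "0", "DF", protoid, proto, "60", src, dst,
              str(sport), str(dport)]
    if proto == "tcp":
        fields += ["0", flags, "10001", "", "65535", "", "mss;sackOK;TS;nop;wscale"]
    else:
        fields += ["8"]  # UDP: only a datalen field follows the ports
    return f"{ts} fw filterlog[12345]: " + ",".join(fields)


# Constructed sample: three SYNs in one second, then assorted non-qualifying
# lines (reply, blocked, UDP, established data, unrelated daemon), then one more SYN.
SAMPLE_LOG = [
    _line("Oct 07 12:00:01", "pass", "in", "tcp", "198.51.100.5", "203.0.113.10", 51000, 443, "S"),
    _line("Oct 07 12:00:01", "pass", "in", "tcp", "198.51.100.6", "203.0.113.10", 51001, 443, "S"),
    _line("Oct 07 12:00:01", "pass", "in", "tcp", "198.51.100.7", "203.0.113.10", 51002, 443, "S"),
    _line("Oct 07 12:00:01", "pass", "out", "tcp", "203.0.113.10", "198.51.100.5", 443, 51000, "SA"),
    _line("Oct 07 12:00:02", "block", "in", "tcp", "198.51.100.8", "203.0.113.10", 51003, 22, "S"),
    _line("Oct 07 12:00:02", "pass", "in", "udp", "198.51.100.9", "203.0.113.10", 51004, 53, ""),
    _line("Oct 07 12:00:03", "pass", "in", "tcp", "198.51.100.5", "203.0.113.10", 51005, 443, "A"),
    _line("Oct 07 12:00:04", "pass", "in", "tcp", "198.51.100.10", "203.0.113.10", 51006, 443, "S"),
    "Oct 07 12:00:04 fw sshd[77]: unrelated syslog line",
]

if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE_LOG) if r]
    print(baseline(SAMPLE_LOG))
    print(dict(per_hour_counts(recs)))
```

On the sample the window is four seconds with counts 3, 0, 0, 1, so the script reports a peak of 3 new connections per second and suggests a limit of 6; on a real day of WAN logs the 99th percentile over thousands of seconds is the number to start from, and the per-hour bins show when the busy periods fall. The headroom factor is a judgement call: too little and legitimate bursts trip the limit, too much and the limit only catches gross floods.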
            • michmoor LAYER 8 Rebel Alliance @stephenw10

              @stephenw10 Thanks. I have darkstat installed now so will see what info it brings.
              vnstat I don't see as an available package, but it's probably installed as it's a dependency for other traffic tools.

              One last question - for the Traffic Totals tool, it just details the total amount of bandwidth utilized on each Interface. Is there a practical reason why one would want this? For example, I have a WAN RX of 120GiB. How is this data actionable? And what does the Ratio mean, for example, 0.11 or 0.07?
              The documentation doesn't give any insight into this, but it feels useful here, just not sure how.

              • stephenw10 Netgate Administrator

                The traffic totals tool was created to monitor data usage for users whose ISP sets limits. So it shows you the per-week and per-month total use.

                • michmoor LAYER 8 Rebel Alliance @stephenw10

                  @stephenw10 Gotcha. Ok, thanks Stephen for answering my questions and providing guidance.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.