Add another pfSense, making home setup a dual fw setup.
-
I have been grumbling for some time, if it would increase security (hacker penetration).
To add another pfSense to my "home setup".I have 3 x Nexcom embedded boards
Intel E3845 w. 4GB Ram , and 2 x Intel 210 netcards.In some "high security" setups i have made we used a dual firewall setup.
But there the idea was: Must use different manuf.Rationale:
1 - If one fw OS had a vuln. the other hopefully hadn't.
2 - You had to implement the rules differently , and maybe you caught a mistake, if you had to do it differently on the "other box" ...We're getting "hammered" here in DK by :
1:
Putins Trolls , because of DK support to UKR2:
Some "DK Fool" decided to burn a couple of Korans.
That unfortunately falls under the law of free speech/expression here , we can't prevent it.
And we're now facing the wrath of ........Most of the attacks from "2" are DDOS, and some web defacing. I don't expose a webserver , and a serious DDOS i can't prevent.
So i'm basically talking about OS/Firewall internal vuln's.
And maybe catch if i "GOOF seriously" in a rule ... But my WAN rules are kept at a minimun.I could put a Nexcomm board in front of my main firewall , and basically let it handle all Internet traffic, an E3845 should be able to handle my 250Mb connection wo probs.
I'd disable NAT (PAT) on the inner main firewall , in order to avoid dual NAT.
And move my OpenVPN daemons to the outer firewall, and do my single (e-mail server portforward) on the outer firewall.But since i'll be using pfSense Plus on both, i'll not get the dual Manuf. protection.
I might benefit from rule creating on "Dual Zones (Fwalls)".I could do it as a "Just because i can" excersize , would only cost the "power" (10W TDP)
But is it worth it ??
Hmmm .... TNSR on the outer ..... Hmmm
Is TNSR free for home usage ??
Can it do OpenVPN Servers , and somewhat "Easy user add" ?
I'd like to keep pfS on the inner./Bingo
-
@bingo600 What is the external exposure...? Seems like that could only be a bad firewall or NAT rule that unexpectedly allowed access to the WAN IP or a device on LAN? In that case I'd myself probably fall into the trap of duplicating rules on both, vs. having someone else create their own ruleset on the inner firewall. I don't think there is much chance of a flaw that allows packets past the firewall.
-
@steveits said in Add another pfSense, making home setup a dual fw setup.:
@bingo600 What is the external exposure...?
That would be someone from the outside trying to get in.
Not plain portscan or the likes.
But someone targeting a "potential Zero Day or known but yet unfixed/unpatched" vuln. in the pfS.Seems like that could only be a bad firewall or NAT rule that unexpectedly allowed access to the WAN IP or a device on LAN?
It's not the rules ... But OS or Intel AMS or .....In that case I'd myself probably fall into the trap of duplicating rules on both, vs. having someone else create their own ruleset on the inner firewall.
I was thinking somewhat the same ... If i make a bad/misunderstood rule on the "inner" it would be likely that i duplicated the mistake on the "outer".
I don't think there is much chance of a flaw that allows packets past the firewall.
I know pfSense is proven & hardened ....
But my "Tinfoil Hat is itching" ... Annnnd i do have this little $55 thingy
I just had to bring one up ...
.
.
.
.
.
.But i also know ... More boxes, more failure possibilities.
IMHO it would only make sense if i go with another OS: TNSR or even "The unmentionable "cousin"...."
Keep'em comming
/Bingo
-
I had been thinking dual pfSense, one metal and the other virtual; however, in my case, it is to get around cg-NAT. I also thought about an option on the virtual of using TNSR (if I get the okay from Netgate) despite my resistance to all CLI...I am a GUI person Apple spoiled.
-
@nollipfsense said in Add another pfSense, making home setup a dual fw setup.:
despite my resistance to all CLI...I am a GUI person Apple spoiled.
I like CLI - Almost all my Linux servers have no GUI installed at all.
I was brought up on a 24x40 TV monitor "Terminal" connected to a Flex09 (MC6809) system.
Then CP/M and then MS-DOS ...Began toying w Linux around 97' , and switched away from Windows around 2005 , been using linux as main OS ever since.
-
The main point is that, if you use two different system (OS)
and two different boxes (hardware) any problem or vuln`
will be hold at the first or second box, or both boxes will
affected!Hardware based:
You use TurboBoost and HT on both machines and HT
is having a problem let us say as an example, so now
it is not really important because both boxes are "open".Problem based:
If you are using something with NAT (a router) in front of
(WAN) and behind that the firewall, you may be able to prevent a DDOS, but an amplified DDOS attack is not
able to hold away! But you will be having let us say less
points if you are using a DMZ with servers inside, such
as web, mail and fileservers (FTP), like a firewall offers
to you.Software based:
If you use a Linux based and a FreeBSD based OS
and both are using OpenSSL............pfSense as the border (WAN) gateway and a mikrotik router with NAT and IPv4 behind the pfSense may be
not that bad. And between them the servers like web
connected servers.Based on your problem (DDOS) I would think it is nice
to go with a router in front of the pfSense, but if servers
such web, mail and ftp will be in the DMZ then I would
go with the pfSense in front of the router.Your both devices may be good for;
- MikroTik RouterOS
- OpenWRT
- TSNR
or as an addon devices like
- Logging server
- Snort or Suricata server
- PI hole and/or AdGuard
- WiFi device`s
A single card or port for the dmz port may be also nice to have no other data are "shared" over this switch chip there.
Caching proxy in front of your lan and reverse proxy in
front of your dmz and nothing is directly connected to
internet, ids in fron of the dmz and the lan will be doing
also something on top of all. -
I can't fight DDOS ... (Only the ISP's can "Scrub those data volumes"
Even back in 2013 i was at a company that had 4 x 100Mbit lines , and they were all flodded.
In the end we had to subscribe to a (rather expensive to activate) "Scrubbing service" at the ISP's.What i hope for by using two different "implementations" would be :
To avoid some "unknown Zero day exploit" or a "Build error" from the manufactor.If I GOOF , in implementing rules .. It really depends.
Did i hit wrong button (maybe correctable in the other fw) or did i misunderstand and implemented the same "error" on both systems (not correctable on he other fw)./Bingo
