Netgate Discussion Forum

pfSense inpath DPI / setup question

    Gomo
    last edited by May 29, 2023, 1:08 PM

    Hello all,

    To start off, I've never worked with pfSense or any DPI-capable solutions yet and was wondering if / how it would be possible to use pfSense only for the purposes of DPI? Ideally I would like to have pfSense between my ISP modem and my router of choice (MikroTik atm) -> pfSense would be at the red circle in the drawing.

    Is a setup like this possible, one which wouldn't disrupt my MT port forwarding, NAT, subnets, etc.? Can it even be configured "in-path" in such a way?

    Apologies if I'm asking silly questions. Also, I wouldn't want to switch to pfSense as a main router, DHCP, etc, at least not for now.

    DPI.png

    Thanks!

      NollipfSense @Gomo
      last edited by NollipfSense May 29, 2023, 8:24 PM May 29, 2023, 3:13 PM

      @Gomo said in pfSense inpath DPI / setup question:

      Is a setup like this possible?

      FWIW, I got into pfSense for exactly what you're wanting to achieve back in 2016. At the time, and still, running IDS/IPS on MikroTik is, I find, cumbersome. So, my setup is Internet > ISP modem > pfSense > MikroTik RB450x4 > switch > Apple Extreme > clients... even double NATed, no problem. MikroTik is my LAN boss.

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        Dobby_ @Gomo
        last edited by May 29, 2023, 6:20 PM

        @Gomo said in pfSense inpath DPI / setup question:

        Hello all,

        to start off, I've never worked with pfSense or any DPI capable solutions yet and was wondering if / how it would be possible to use pfSense only for the purposes of DPI?

        DPI = deep packet inspection? Or are you talking about
        IDS/IPS with Suricata or Snort? What do you want to
        run on pfSense: tcpdump or Suricata/Snort?

        Ideally I would like to have pfSense between my ISP modem and my router of choice (MikroTik atm) -> pfSense would be at the red circle in the drawing.

        Is this a real modem? Or also a real router?

        Is a setup like this possible, one which wouldn't disrupt my MT port forwarding, NAT, subnets, etc.? Can it even be configured "in-path" in such a way?

        I would assume a great many people are doing it!
        Me too! In another way and setup, but like that!

        Apologies if I'm asking silly questions. Also, I wouldn't want to switch to pfSense as a main router, DHCP, etc, at least not for now.

        pfSense can do routing for sure, but it is a firewall
        with firewall rules, and on top of that it can be tuned
        to act as a full UTM device with AV scanning, proxies to the DMZ and the LAN,
        and on top of that IDS/IPS.

        #~. @Dobby

        Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
        PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
        PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

          Gomo @Dobby_
          last edited by May 29, 2023, 6:28 PM

          @Dobby_
          It's a modem and I'm talking mainly about DPI.

          Is there a way to achieve this without pfSense being the main router? Because I wouldn't want that. Also, double NAT doesn't sound too great either.

            Dobby_ @Gomo
            last edited by May 29, 2023, 6:45 PM

            @Gomo said in pfSense inpath DPI / setup question:

            @Dobby_
            It's a modem and I'm talking mainly about DPI.

            Let us say you install a small switch and a
            Raspberry Pi connected to the switch too.

            Internet > Modem > switch w/RAPI > MT/RB > LAN

            No one takes care of the Pi, because it is fully exposed to the internet!

            Is there a way to achieve this without pfSense being the main router? Because I wouldn't want that.

            Why? It could also be another device, for sure.
            But pfSense delivers much more, or better,
            capabilities to you.

            Also, double NAT doesn't sound too great either.

            In IPv6 there is no real NAT like before in former
            days, but the MT RB is doing with IPv4 behind the
            pfSense firewall for!

            The RB is normally doing:

            • netfilter = SPI
            • network address translation = NAT

            You could not set up NAT but go with plain
            routing instead, for sure, but today's RBs
            are super fast (RB1100AHx4, RB450Gx4, RB850Gx4, CCR or RB5xxx series) and will be rock
            solid and route really fast!

              Gomo @Dobby_
              last edited by May 29, 2023, 6:50 PM

              @Dobby_ Not sure where you got this whole IPv6 from? There was no mention of IPv6 being used. I have a static IPv4. And like I've said, I want my MT to stay as the main router.

              If you have a suggestion for the originally described setup, please clearly state how you'd achieve it.
              I'm sorry, but I'm having trouble understanding you.

                NollipfSense @Gomo
                last edited by NollipfSense May 29, 2023, 9:17 PM May 29, 2023, 8:53 PM

                @Gomo said in pfSense inpath DPI / setup question:

                Is there a way to achieve this without pfSense being the main router? Because I wouldn't want that. Also, double NAT doesn't sound too great either.

                In my case, the pfSense/MikroTik together is my main router; however, all the IDS/IPS is in pfSense, as well as pfBlockerNG. MikroTik does DHCP as well as DNS, with pfSense. If you can, do a custom configuration on the MikroTik to avoid the double NAT... you must know what you're doing, though. Me, I don't mind the double NAT; it's a lot easier than having to reconfigure the MikroTik from scratch and not break stuff.

                  Gomo @NollipfSense
                  last edited by May 31, 2023, 9:26 PM

                  @NollipfSense Posting this for those who are trying to do the same as described above: this setup is called a "pfSense transparent bridge", and here's a bit of documentation about it: https://docs.netgate.com/pfsense/en/latest/bridges/index.html and https://support.adamnet.works/t/running-on-a-transparent-pfsense-bridge/79. Kind of surprised no one here was able to point me to it.

                    NollipfSense @Gomo
                    last edited by Jun 1, 2023, 8:37 PM

                    @Gomo said in pfSense inpath DPI / setup question:

                    pfSense transparent bridge

                    Didn't even enter my mind... thanks for sharing.
