New user
-
Hi!
This topic fits in a lot of places so I decided to post it here.
I was looking for a good hardware router/firewall for about 6 months and last night, I discovered pfsense…
I just thought: WOW!! This is exactly what I need!
As I said, I am new to it, and I have no experience with FreeBSD or UNIX... not at all! But I do have a lot of networking knowledge. Do I need any kind of BSD experience in order to really use it? I mean, it says no, but what is it really like in normal use?
Also, I was thinking about the firewall, how is the NAT implemented? Is it IP based (I doubt it :roll: ), but seriously, is it port based (where an outgoing connection would make an entry in a table and any incoming one would be checked against the port numbers only?) or is it port AND IP based (where both are checked)?
In other terms (and I don't use them because they are the source of a lot of confusion), is it Full Cone NAT? Address Restricted Cone NAT or Port (and Address) Restricted Cone NAT?
Also, how are ICMP messages handled in the NAT? Is it simply with the ICMP sequence numbers? Is it also looking at IPs? (it gets back to my last question)
My other question is about the firewall itself. Is it a simple firewall that looks at the IP and ports and allows/blocks traffic? Or are there more advanced things like "SPI" that would look at the TCP flags to see if they are valid, and look at the sequence numbers to see if they are normal?
Last question for you: I was thinking about MTU and IP fragmentation yesterday and I think I got confused by all the IPv6 stuff I've been reading lately. In IPv4, the routers can do IP fragmentation, right?
I ask that because I plan to use pfsense with a pppoe connection. My modem is used as a dumb modem so pfsense needs to handle the pppoe.
In the best case scenario, I would change the MTU values on my computers and on pfSense, in order to be small enough for PPPoE. But, if I stay at 1500 on my computer, is pfSense able to fragment the IP packet in order for it to fit in a PPPoE frame? Is pfSense able to also accept incoming fragmented IP frames? In the event where I send a packet that needs fragmentation, will pfSense's firewall look at the packet as a whole (before fragmentation) or at the individual fragmented pieces (it would be stupid :roll: but you know... just in case)?
If it gets a fragmented packet from the WAN side, same question, will it be reconstructed, checked against the firewall, and then fragmented again and sent to my computer (if there is a need to)?
In another category: how are the settings saved and how often is the hard drive accessed? I live in a place where power is very unstable. Of course, the computer would be on a UPS, but sometimes it is not enough. In the event where the computer is turned off by a power outage, what will happen to the settings? Is the disk only accessed to boot and to read/write the settings?
Thanks a lot for your great help
Alex
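The three "cone" terms in the question above differ only in which inbound packets are allowed to use a mapping that an outbound packet created. The following toy model, added here as an illustration of that terminology and not taken from pfSense or pf (it makes no claim about which policy pf implements), builds the mapping table and applies each policy to the same three inbound packets. The addresses are constructed from documentation ranges.

```python
"""Toy model of Full Cone, Address Restricted Cone and Port Restricted Cone NAT.

Constructed illustration only: not pfSense's or pf's code. A mapping is created
by an outbound packet; the policy decides which inbound packets may reuse it.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    internal: tuple                          # (ip, port) of the LAN host
    external_port: int                       # port allocated on the WAN address
    peers: set = field(default_factory=set)  # (ip, port) endpoints the host contacted


class ConeNat:
    def __init__(self, wan_ip, policy):
        assert policy in ("full", "address_restricted", "port_restricted")
        self.wan_ip = wan_ip
        self.policy = policy
        self._by_internal = {}   # (ip, port) -> Mapping
        self._by_external = {}   # external port -> Mapping
        self._next_port = 40000  # constructed allocation scheme

    def outbound(self, pkt):
        """Translate a LAN->WAN packet, creating the mapping on first use."""
        key = (pkt.src_ip, pkt.src_port)
        m = self._by_internal.get(key)
        if m is None:
            m = Mapping(key, self._next_port)
            self._next_port += 1
            self._by_internal[key] = m
            self._by_external[m.external_port] = m
        m.peers.add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.wan_ip, m.external_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the translated WAN->LAN packet, or None if it is dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        m = self._by_external.get(pkt.dst_port)
        if m is None:                     # no mapping at all: always dropped
            return None
        if self.policy == "address_restricted":
            # only hosts the LAN side already talked to, any source port
            if not any(ip == pkt.src_ip for ip, _ in m.peers):
                return None
        elif self.policy == "port_restricted":
            # both the peer address AND the peer port must match
            if (pkt.src_ip, pkt.src_port) not in m.peers:
                return None
        # "full": anyone who knows the external port gets through
        return Packet(pkt.src_ip, pkt.src_port, m.internal[0], m.internal[1])


def demo():
    """For each policy: (same peer ip:port, same ip other port, other ip) -> allowed?"""
    results = {}
    for policy in ("full", "address_restricted", "port_restricted"):
        nat = ConeNat("203.0.113.1", policy)
        out = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.7", 53))
        ext = out.src_port
        results[policy] = (
            nat.inbound(Packet("198.51.100.7", 53, "203.0.113.1", ext)) is not None,
            nat.inbound(Packet("198.51.100.7", 9999, "203.0.113.1", ext)) is not None,
            nat.inbound(Packet("192.0.2.99", 53, "203.0.113.1", ext)) is not None,
        )
    return results


if __name__ == "__main__":
    for policy, flags in demo().items():
        print(f"{policy:20s} reply / same host other port / other host: {flags}")
```

Running it shows the progression from loosest to strictest: Full Cone admits all three inbound packets, Address Restricted admits the first two, and Port Restricted admits only the exact peer that was contacted, which is the "port AND IP" behaviour the question describes.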
-
Do I need any kind of BSD experience in order to really use it? I mean, it says no, but what is it really in a normal use?
No, networking experience is what's needed. To translate it to the pfSense webgui the pfSense book will help a lot.
http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43
http://www.openbsd.org/faq/pf/
http://www.openbsd.org/faq/pf/nat.html#works
PPPoE is supported on WAN.
If you enter a value in this field, then MSS clamping for TCP connections to the value entered above minus 40 (TCP/IP header size) will be in effect. If you leave this field blank, an MTU of 1492 bytes for PPPoE and 1500 bytes for all other connection types will be assumed.
Settings are saved to config.xml and will not be affected by a power outage.
The version I would recommend you to start with is pfSense 1.2.3 RC3
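The MSS clamping note quoted above and the fragmentation question in the original post come down to a few numbers. This added example (not pfSense code) works them through. It assumes, as labelled in the comments, that PPPoE costs 8 bytes per frame (6-byte PPPoE header plus 2-byte PPP protocol field, hence 1492), and that the clamp is MTU minus 40 (20-byte IPv4 header plus 20-byte TCP header without options), exactly as the quoted help text says; the `fragment` function models plain RFC 791 IPv4 fragmentation at a router, not any pfSense-specific behaviour.

```python
"""Worked numbers for MSS clamping and IPv4 fragmentation over a PPPoE link.

Constructed illustration, not pfSense's code.
"""
IPV4_HEADER = 20
TCP_HEADER = 20
PPPOE_OVERHEAD = 8   # assumption: 6-byte PPPoE header + 2-byte PPP protocol field


def effective_mtu(field_value, connection_type):
    """Mirror the quoted GUI text: an explicit value wins, else 1492 for PPPoE, 1500 otherwise."""
    if field_value:
        return field_value
    return 1500 - PPPOE_OVERHEAD if connection_type == "pppoe" else 1500


def clamped_mss(field_value, connection_type):
    """MSS advertised to TCP peers: MTU minus 40 bytes of IPv4 + TCP headers."""
    return effective_mtu(field_value, connection_type) - (IPV4_HEADER + TCP_HEADER)


def fragment(total_length, link_mtu, dont_fragment=False):
    """Split one IPv4 packet of total_length bytes so each piece fits link_mtu.

    Returns a list of (fragment_offset_in_8_byte_units, payload_bytes, more_fragments).
    With DF set a router cannot fragment; it drops the packet and answers with
    ICMP type 3 code 4 (fragmentation needed), which is what Path MTU Discovery relies on.
    """
    payload = total_length - IPV4_HEADER
    if total_length <= link_mtu:
        return [(0, payload, False)]
    if dont_fragment:
        raise ValueError("DF set: drop and send ICMP type 3 code 4 (fragmentation needed)")
    # every fragment except the last must carry a multiple of 8 payload bytes
    max_payload = (link_mtu - IPV4_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        size = min(max_payload, payload - offset)
        more = offset + size < payload
        frags.append((offset // 8, size, more))
        offset += size
    return frags


def max_segment_total_length(field_value, connection_type):
    """Largest IPv4 packet a clamped TCP connection will produce (headers + MSS)."""
    return clamped_mss(field_value, connection_type) + IPV4_HEADER + TCP_HEADER


if __name__ == "__main__":
    print("PPPoE, field blank  -> MTU", effective_mtu(None, "pppoe"),
          "MSS", clamped_mss(None, "pppoe"))
    print("unclamped 1500-byte packet over 1492 link ->", fragment(1500, 1492))
    print("clamped segment over 1492 link ->",
          fragment(max_segment_total_length(None, "pppoe"), 1492))
    try:
        fragment(1500, 1492, dont_fragment=True)
    except ValueError as e:
        print("with DF set ->", e)
```

The unclamped case shows why a 1500-byte host MTU is awkward over PPPoE: a full-size packet becomes a 1472-byte fragment plus an 8-byte tail, and if the host set DF the router has to drop it and hope the ICMP message gets back. With the clamp in place the largest TCP segment is 1452 + 40 = 1492 bytes, so it crosses the link whole and the fragmentation question never arises for TCP (UDP and ICMP are not covered by MSS clamping).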
-
pfSense is based on FreeBSD but the packet filter used in FreeBSD is "pf" which has been ported from OpenBSD, so they have the most complete documentation on pf itself.
You don't need to know much, if anything, about FreeBSD to use pfSense. You can do almost everything you'd ever need to do inside of the GUI and never see or care about the underlying OS.