Using an OPT to monitor pfSense



  • Hi people, did someone configure an OPT NIC for monitoring the pfSense box?  I mean to send SNMP data on that NIC, or pflow, or just for sniffing the box? Or maybe to use it for authentication against an AAA RADIUS server?

    I'm interested in this approach and I would like to know if anybody has a similar scenario? I just need some light on whether this is possible and/or how this may be done correctly.

    Thanks in advance people!

    Emanuel Gonzalez
    Guatemala



  • @EmanuelG:

    Hi people, did someone configure an OPT NIC for monitoring the pfSense box?  I mean to send SNMP data on that NIC, or pflow, or just for sniffing the box? Or maybe to use it for authentication against an AAA RADIUS server?

    I'm interested in this approach and I would like to know if anybody has a similar scenario? I just need some light on whether this is possible and/or how this may be done correctly.

    Possible, sure.  You'd need to segment your management machines off on that OPT network though.  Probably not a bad idea, especially if we're talking about a corporate environment.  IMO, it's a good idea to segment management machines (including IT staff machines) from the users and not allow users to initiate connections to those machines (there should be no need for that).  I do something similar at work, though pfSense isn't involved (redundant L3 gigabit switches).

    On the pen tests I've done, many times some IT person's machine ends up being the weakest link, and compromising it starts a domino effect ending with the complete compromise of the entire network.  (Compromise a weak desktop, grab passwords for everything else, or use the privileges they have on the network if running with an admin account, and game over, if even that much is required.)

    I won't get on my soap box any further.  Segmenting IT is a good idea, and I'll leave it at that.  ;D

    To configure this:

    • assign an OPT interface

    • give it an IP on a different subnet from your LAN

    • set up DHCP appropriately (if desired)

    • set up a permit * firewall rule for the initial testing

    • verify functionality (internet connectivity, connectivity between interfaces in both directions)

    • tighten firewall rules appropriately

    • test firewall rules
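    As an added illustration (not from this thread or from the pfSense project), here is the "permit * for testing" rule beside the tightened policy from the steps above, written in pf.conf syntax since that is what pfSense compiles its GUI rules into. Interface names, subnets, host addresses and the NetFlow collector port are assumptions chosen for the example; pfSense evaluates GUI rules per interface, inbound, first match wins, so treat this as the policy to enter there rather than a file to copy onto the box.

```pf
# Added example, not pfSense's generated ruleset. All addresses,
# interface names and the collector port below are assumptions.
lan_if   = "em1"
opt_if   = "em2"
lan_net  = "192.168.1.0/24"
opt_net  = "10.10.10.0/24"     # management segment on the OPT NIC
opt_ip   = "10.10.10.1"        # pfSense address on OPT
nms      = "10.10.10.20"       # SNMP poller and flow collector
radius   = "10.10.10.30"       # AAA RADIUS server
mgmt_tcp = "{ 22, 443 }"       # ssh and webGUI on the firewall

set skip on lo0
block log all                  # default deny on every interface

# --- step 4, initial testing: permit everything on OPT ---
# pass quick on $opt_if all
# Remove that rule once connectivity has been verified in both
# directions (step 5); leaving it in defeats the segmentation.

# --- step 6, tightened OPT rules ---
# management hosts may manage and poll the firewall itself
pass in quick on $opt_if proto tcp from $opt_net to $opt_ip port $mgmt_tcp
pass in quick on $opt_if proto udp from $opt_net to $opt_ip port 161   # snmp
# management hosts may initiate connections to the LAN and the internet
pass in quick on $opt_if from $opt_net to any

# --- LAN rules: users may not initiate connections to management ---
# the block must precede the general pass because of "quick"
block in log quick on $lan_if from $lan_net to $opt_net
pass  in quick on $lan_if from $lan_net to any

# --- traffic the firewall itself originates toward OPT hosts ---
# RADIUS authentication/accounting and pflow/NetFlow export
pass out quick on $opt_if proto udp from $opt_ip to $radius port { 1812, 1813 }
pass out quick on $opt_if proto udp from $opt_ip to $nms port 2055
# replies to sessions the OPT hosts opened are matched by the state
# created on the inbound pass rules; everything else leaving is allowed
pass out quick all
```

    Hits on the `block in log quick on $lan_if` rule are worth watching in the firewall log: a LAN host repeatedly trying to reach the management subnet is exactly the behaviour the segmentation exists to catch.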



  • Hell, IS shouldn't even be part of the corporate network.  You'd be amazed at how many fewer support calls you get once IS gets off the corporate network.  Magically, things stop crashing.

    –Bill

