Netgate Discussion Forum
    Using an OPT to monitor pfSense

    EmanuelG

      Hi people, has anyone configured an OPT NIC for monitoring the pfSense box? I mean, to send SNMP data on that NIC, or pflow, or just for sniffing the box? Or maybe to use it for authentication against an AAA RADIUS server?

      I'm interested in this approach and I would like to know if anybody has a similar scenario. I just need some light on whether this is possible and/or how this may be done correctly.

      Thanks in advance people!

      Emanuel Gonzalez
      Guatemala

      "I hear and I forget. I see and I remember. I do and I understand."
      Confucius

      cmb

        @EmanuelG:

        Hi people, has anyone configured an OPT NIC for monitoring the pfSense box? I mean, to send SNMP data on that NIC, or pflow, or just for sniffing the box? Or maybe to use it for authentication against an AAA RADIUS server?

        I'm interested in this approach and I would like to know if anybody has a similar scenario. I just need some light on whether this is possible and/or how this may be done correctly.

        Possible, sure. You'd need to segment your management machines off on that OPT network though. Probably not a bad idea, especially if we're talking about a corporate environment. IMO, it's a good idea to segment management machines (including IT staff machines) from the users and not allow users to initiate connections to those machines (there should be no need for that). I do something similar at work, though pfSense isn't involved (redundant L3 gigabit switches).

        On the pen tests I've done, many times some IT person's machine ends up being the weakest link, and compromising it starts a domino effect ending with the complete compromise of the entire network. (Compromise a weak desktop, grab passwords for everything else, or use the privileges they have on the network if running with an admin account, and game over. If even that much is required.)

        I won't get on my soapbox any further. Segmenting IT is a good idea, and I'll leave it at that. ;D

        To configure this:

        • assign an OPT interface

        • give it an IP on a different subnet from your LAN

        • set up DHCP appropriately (if desired)

        • set up a permit * firewall rule for the initial testing

        • verify functionality (internet connectivity, connectivity between interfaces in both directions)

        • tighten firewall rules appropriately

        • test firewall rules

        billm
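        The "tighten firewall rules" and "test firewall rules" steps above, as an added example that is not part of the thread: a small model of pfSense-style per-interface, top-down first-match rule evaluation with a default deny, used to confirm that the management OPT segment is reachable only from itself and that SNMP is served only on the OPT NIC. Interface names, subnets and addresses are constructed assumptions, not values from the thread.

```python
# Added example, not code from the forum thread or from pfSense itself.
# Models pfSense GUI rule semantics: rules apply to traffic entering an
# interface, are matched top-down (first match wins), and anything not
# explicitly passed is dropped. Subnets/ports below are constructed samples.
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # user LAN (assumed)
MGMT_NET = ipaddress.ip_network("10.10.10.0/24")    # OPT1 management segment (assumed)
FW_LAN_IP = ipaddress.ip_network("192.168.1.1/32")  # firewall's LAN address (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    iface: str                    # interface the traffic enters: "lan" or "opt1"
    action: str                   # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

# Tightened ruleset that replaces the initial "permit *" test rule.
RULES = [
    Rule("opt1", "pass", MGMT_NET, ANY),                 # management hosts may reach anything
    Rule("lan", "block", LAN_NET, MGMT_NET),             # users may not initiate into management
    Rule("lan", "block", LAN_NET, FW_LAN_IP, "udp", 161),  # SNMP only via the OPT NIC
    Rule("lan", "pass", LAN_NET, ANY),                   # everything else from the LAN
]

def evaluate(iface, src, dst, proto=None, dport=None):
    """Return the action of the first matching rule on iface; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if r.iface != iface or s not in r.src or d not in r.dst:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"

def check_segmentation():
    """The 'test firewall rules' step, run over sample flows in both directions."""
    return {
        "lan_to_fw_snmp": evaluate("lan", "192.168.1.20", "192.168.1.1", "udp", 161),
        "lan_to_fw_webgui": evaluate("lan", "192.168.1.20", "192.168.1.1", "tcp", 443),
        "lan_to_mgmt_ssh": evaluate("lan", "192.168.1.20", "10.10.10.5", "tcp", 22),
        "lan_to_internet": evaluate("lan", "192.168.1.20", "203.0.113.7", "tcp", 443),
        "mgmt_to_fw_snmp": evaluate("opt1", "10.10.10.5", "10.10.10.1", "udp", 161),
        "mgmt_to_lan": evaluate("opt1", "10.10.10.5", "192.168.1.20", "tcp", 3389),
    }
```

Re-ordering the LAN rules so the pass-any rule comes first silently reopens the management subnet, which is why the check runs after every rule change.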

          Hell, IS shouldn't even be part of the corporate network. You'd be amazed at how many fewer support calls you get once IS gets off the corporate network. Magically, things stop crashing.

          –Bill

          pfSense core developer
          blog - http://www.ucsecurity.com/
          twitter - billmarquette

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.