Is pfSense the right product for my requirements



  • Although I am a newbie to firewalls, it is not as if I am technologically illiterate–many years ago I completed a degree in Computer Science. After much struggling with the installation process of pfSense I do believe that I have installed pfSense 2.0.1 amd65 version on a Dell Optiplex Pentium D 3.4GHz--probably over specified, but it is a spare PC at the moment. I plugged a D-link ethernet adapter into the PCI slot and there is a Broadcom ethernet on the motherboard. I have connected another Optiplex PC running Ubuntu to the D-Link port using a crossover cable and the Broadcom port goes into a Netgear wireless bridge. I can even 'assign the interfaces' with pfSense agreeing that the WAN is the Broadcom and the LAN is the D-link. Now after this assignment process I get:

    WAN (wan) ->bge0->192.168.8.18 (DHCP)
    LAN (lan)->re0->NONE

    Now this doesn't mean a lot to me, other than my Ubuntu machine sitting behind the firewall does not see any connection, neither to the firewall nor to the internet. If I connect the Ubuntu machine directly to the wireless bridge, no problems, I am back on the internet. Connect the Ubuntu machine via the pfSense firewall, nothing.
    So two questions:
    1. Is there a problem with the configuration
    2. Is pfSense for internet gurus? Is there something simpler out there that someone like myself should use, as I have to admit I find pfSense rather difficult to understand and the documentation not very helpful.



  • @newtofirewalls:

    So two questions:
    1. Is there a problem with the configuration
    2. Is pfSense for internet gurus? Is there something simpler out there that someone like myself should use, as I have to admit I find pfSense rather difficult to understand and the documentation not very helpful.

    1. Yes, see later.
    2. Yes, but also for "ordinary" people with a bit of networking knowledge.

    It could be useful to you to read some of the pfSense HowTos and watch the tutorials on http://doc.pfsense.org

    Your configuration problem: the pfSense LAN interface needs to have an IP address in order that the Ubuntu box can forward packets to it so pfSense can forward them to the internet. It is a long time since I configured a pfSense box from a fresh install but my recollection is that the initial configuration of the LAN interface is with an IP address of 192.168.x.x and with DHCP server enabled on the LAN interface. I expect with that configuration you should have been able to connect your Ubuntu system to the pfSense LAN interface using a cross over cable, boot the Ubuntu system and be able to connect to the internet.

    That you apparently don't know what DHCP is or why interfaces need IP addresses suggests to me that you would be well served by spending some time upgrading your networking knowledge a little before attempting further configuration of a pfSense box. A useful place to start MIGHT be to look up Wikipedia on topics "IP address" and "IP routing". For now you can ignore anything on IPv6 (IP version 6).



  • Hi WallabyBob,
    I tried your suggestion, that is I configured the LAN with an IP address. I enabled DHCP (I do have an understanding of what that is, sorry if I gave the wrong impression) I gave the LAN a range of 192.168.1.100 to 192.168.1.200, and pfSense came back informing me that the LAN had an address of 192.168.1.100. So far so good. I had my Ubuntu machine plugged in already, and amazingly it notified me that it was now connected. Wonderful!
    However, still no internet connection on my Ubuntu machine. So I tried putting in 192.168.1.1 into the address field on the web-browser and that does not get me into the configuration web-page, neither does 192.168.1.100 appear to do anything useful.
    So I am still at a loss.
    I have spent most of the day attempting to get pfSense going. Thanks for your help so far. I will have a look at the documentation on the web site as you suggested, but unless there is anything else you can suggest I will look at some of the other products, SonicWall, SmoothWall, Untangle etc, perhaps there is something simpler? Any suggestions?



  • @newtofirewalls:

    I tried your suggestion, that is I configured the LAN with an IP address. I enabled DHCP (I do have an understanding of what that is, sorry if I gave the wrong impression) I gave the LAN a range of 192.168.1.100 to 192.168.1.200, and pfSense came back informing me that the LAN had an address of 192.168.1.100.

    The LAN IP address should be outside the range allocated to DHCP.

    @newtofirewalls:

    So far so good. I had my Ubuntu machine plugged in already, and amazingly it notified me that it was now connected.

    I'm not sure exactly what "connected" means in this context. It could mean DHCP has received its configuration information. The Ubuntu shell command

    ```
    ifconfig -a
    ```

    @newtofirewalls:
    
    > However, still no internet connection on my Ubuntu machine. So I tried putting in 192.168.1.1 into the address field on the web-browser and that does not get me into the configuration web-page, neither does 192.168.1.100 appear to do anything useful.
    
    If you have a valid network configuration and type the pfSense LAN address into the location bar of a browser you should get to the pfSense login web page, though you probably need to use _https://_ rather than _http://_.


  • Dear Wallabybob,
    Thanks for your help and interest. I started reading the pfSense book last night, and after some internet research I decided to try Untangle. I downloaded it on my office computer and then walked the CD over to my router-pc. That package has a graphical interface and I had no difficulty installing it, so now I am writing this response through the Untangle firewall. I will experiment with Untangle, and if there are functions that it does not have that I require I may come back and explore pfSense again.
    Thanks for your help

    BTW: I get the impression that pfSense is a powerful piece of software and congratulations to all involved. However, it may also be the case that you lose potential users because of the difficult to understand interface. I found a couple of reviews of pfSense where even the experts were baffled for a number of hours as to how to make it work. Perhaps a few people that are interested may want to study a little about the field of 'usability' and design a better interface. I would be happy to explore a revised system.
    All the best and good luck
    George



  • You're comparing apples and oranges really. If Untangle does the job for you, you aren't exactly in our target/primary market. It seems to be a decent small office solution, but beyond that it's entirely inadequate. Where we're more of a Cisco ASA alternative, and nearly all our config interface and concepts are very comparable to an ASA's (though ours came first) and similar class devices.



  • Hi cmb, your reply is exactly what my original question is about–the requirements. I have been going through some of the functions in 'untangled' and I am wondering if that does what I want as well. But here is the thing, I installed 'untangled' without any dramas. It only took a half hour to get my software router running and within a few minutes of that I had a computer running behind a firewall. Yet after several days of struggling with pfSense the computer behind the firewall could not see the internet. So what is better? A system that people can not get to running but which has all the bells and whistles? Or a system that only has half the features but at least you can run it?

    Perhaps the answer is in what you wrote...'...more of a Cisco ASA... etc etc...'
    I am sure you know what you are talking about but I have no idea, and it isn't like I don't understand technology either.



  • You didn't even get past the first step. Your lack of knowledge was the problem, not pF. Sorry.  :-\



  • pfSense really isn't hard at all to initially get up and running, especially if you're simply NATing traffic between LAN and WAN. I'm inclined to think the OP might have hit a hardware issue (pfsense being based on FreeBSD is more picky, whereas UT being based on Linux might have dealt with it better).

    Beyond the basics UT and pfsense are quite different beasts, e.g. last time I checked UT didn't support VLANs, which is a prerequisite for certain deployments.



  • Venlaw, thanks for your reply, but simply insisting that I have a 'problem' and pf does not have a 'problem' neither helps me nor those working on pfSense. I can guarantee you that for every question like mine there are 30 others who download software, don't get past first base and move on without saying anything. So perhaps you might come down from your seat of perceived superior 'knowledge' and tell me what 'knowledge' I require to get me past the "first step" and I will go out and acquire that 'knowledge'.



  • Can you draw your current network topology?
    Do you have another dhcp server in your network?



  • Here is my attempt at drawing the topology:

    Cable -> (modem/wireless router) ---->PC
                      .              .            |
                      .              .            |-->Printer
                      .              .
    several wireless PCs        .
                                      .
                                      Wireless-Bridge--->pfSensePC-->UbuntuPC

    I hope that diagram makes sense.  The '-->' indicates ethernet connections, while the '.  .  .' indicates wireless connections.

    I can configure the wireless bridge so that I can connect the UbuntuPC directly to the wireless bridge and the UbuntuPC can successfully connect to the internet.
    I have also hooked up the pfSensePC to the wireless bridge and after configuring the uplinks to the wireless bridge and the UbuntuPC pfSense also indicates that it can see both. The UbuntuPC also indicates that it has connected to the pfSensePC. However, attempting to see the internet with a web-browser from the UbuntuPC does not work.

    Now--the point about 'Untangle' is that--I can replace 'pfSense' with 'Untangle' and the UbuntuPC can then see the internet through the 'Untangle' firewall. So the point that others in this thread seem to miss is that the rest of the network appears to be functioning properly. Clearly there is something about the installation process with pfSense that is creating the issue.

    Regarding 'dhcp', yes, both the modem/router and the wireless bridge both allocate addresses using dhcp. Again, 'Untangle' operates with 'dhcp' without any problems, so I suspect that is not the issue either, but I am open to suggestions.
    Hope that helps define the problem more clearly.



  • Have you removed your first firewall rule on the WAN tab?
    I think that you have an inside IP subnet after your modem, and RFC1918 subnets are blocked by default on the WAN tab.



  • Metu69salemi, not sure what you mean by the 'wan tab'; are you referring to the pfSense control panel? If that is what you are talking about, the problem is that the UbuntuPC cannot see the pfSense control panel. From memory I think I tried 192.168.1.1 and a couple of other common addresses e.g. 192.168.0.1 etc and there is nothing there.



  • Go to pfsense console and check what is the pfsense lan ip and subnet.
    After that check ubuntupc's ip, subnet and gw.

    
    PFSENSE -- UBUNTU
    ip      --  gw
    subnet  --  subnet
            --  !gw
    
    

    | pfsense | – | Ubuntu |
    | ip: 192.168.0.1 | – | gw: 192.168.0.1 |
    | subnet: 24 | – | 255.255.255.0 or /24 |
    | N/A | – | IP: between 192.168.0.2 and 192.168.0.254 |

    You can also use dhcp-server
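
Added example (not part of any forum post, and not pfSense code): a Python check of the LAN-side settings this thread keeps returning to, namely a LAN address outside the DHCP pool and a client whose subnet and gateway match the firewall's LAN interface. The function name `check_lan`, the /24 mask on the poster's LAN, and the client values in the demo are assumptions constructed for illustration.

```python
import ipaddress

# The three RFC1918 private ranges mentioned in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_lan(lan_if, pool_start, pool_end,
              client_ip, client_mask, client_gw, wan_ip=None):
    """Return findings for a firewall LAN interface and one client.

    lan_if is the firewall LAN address in CIDR form, e.g. "192.168.0.1/24".
    client_mask may be a prefix length ("24") or a dotted mask.
    """
    findings = []
    lan = ipaddress.ip_interface(lan_if)
    net = lan.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    client = ipaddress.ip_interface(f"{client_ip}/{client_mask}")
    gw = ipaddress.ip_address(client_gw)

    if start > end:
        findings.append("DHCP pool start is above pool end")
    if start not in net or end not in net:
        findings.append("DHCP pool is not inside the LAN subnet")
    if start <= lan.ip <= end:
        findings.append("LAN address is inside the DHCP pool")
    if client.network != net:
        findings.append("client subnet differs from the LAN subnet")
    if gw != lan.ip:
        findings.append("client gateway is not the LAN address")
    if client.ip == lan.ip:
        findings.append("client address collides with the LAN address")
    if wan_ip and any(ipaddress.ip_address(wan_ip) in n for n in RFC1918):
        findings.append("WAN address is RFC1918 (behind another router)")
    return findings

if __name__ == "__main__":
    # Constructed from values quoted in the thread; the mask, client IP
    # and client gateway are assumptions.
    for line in check_lan("192.168.1.100/24", "192.168.1.100",
                          "192.168.1.200", "192.168.1.101",
                          "255.255.255.0", "192.168.1.1", "192.168.8.18"):
        print("FINDING:", line)
```
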



  • @newtofirewalls:

    the problem is that the UbuntuPC cannot see the pfSense control panel. From memory I think I tried 192.168.1.1 and a couple of other common addresses e.g. 192.168.0.1 etc and there is nothing there.

    Why did you try "192.168.1.1 and a couple of other common addresses e.g. 192.168.0.1 etc"?

    Why didn't you try the pfSense LAN interface IP address?

    Did you fix the configuration errors I previously pointed out?

    The configuration information you posted earlier differs from the documented initial configuration (http://doc.pfsense.org/index.php/Installing_pfSense) so it seems like you have meddled with the initial configuration without knowing what you were doing.

    Seems like you don't know what you are doing.



  • Thanks, I'll try that as soon as I can.

