Netgate Discussion Forum

    Traffict monitor/capture with pfSense

    General pfSense Questions
    4 Posts 2 Posters 3.1k Views

    quyda

      Hi all,

      I'm new to this forum and am having a headache with my small office network sending spam to our mail provider; consequently, they block our (static) IP.
      1. They won't whitelist the IP.
      2. They can't provide the username who sends the failed authentication.

      I've been scanning our computers with at least 2 products (AVG & Malwarebytes FREE) and both report nothing dangerous.
      So I'm thinking of using pfSense to
      1. Track down SMTP packets
      2. Block web access (according to URL, or keyword)
      3. Schedule the block (eg, allow during lunch time, block during work hours)

      Will I be able to achieve those steps with pfSense?
      Could you steer me into the right place to read & learn?

      Thanks
      Q
      Ps. Can I install pfSense to an HDD-less machine, e.g., install to a USB flash drive?

      stephenw10 (Netgate Administrator)

        Hi,
        Yes you can do all of that.

        1. You can run a packet capture on the LAN interface filtered for port 25 until you find the offending client.
        2. You can run Squid/Squidguard to block URLs. Keyword filtering is slightly more tricky, I believe you can do it with the Dansguardian package but I've not tried it.
        3. You can apply firewall rules on a schedule.

        You can install to a flash drive, but if you do it restricts what you can do. Specifically, running Squid in a cache/filter arrangement is not possible (without killing the drive!). It is possible to run it as filtering only, but it's more complex to set up.

        Steve

        quyda

          OK, so I have set up pfSense on an old PC, which wasn't very hard to follow.
          I've tried the Packet Capture function. One thing I wish for is to be able to monitor more than one IP/port, so for now I have to monitor everything and then filter out IPs/ports. But I need to monitor a whole day's traffic of 10 users with rather heavy emailing (30-40 in & out emails/user/day); I'm using a 500GB HDD, I hope it's big enough. (I also know that I can limit by packets, but I want to capture all.)

          Also, is there a way to filter the pfTop result (by IP or port) from within the WebGUI interface?

          Any advice? (on how to capture ONLY 2 ports, or 2 IP addresses)
          Thanks
          Q
          Ps. I just found the Alias under DNS Lookup; it would be great if pfTop worked with Aliases. Is there a way to do that?

          stephenw10 (Netgate Administrator)

            If you want to do something slightly more custom you're probably better off using tcpdump directly from the CLI:
            http://doc.pfsense.org/index.php/Sniffers,_Packet_Capture

            I'm not too familiar with it, I'd usually read the man page every time ::), but perhaps something like:

            tcpdump -i fxp0 -c 500 'port 25 or port <your second port>' >> capturefile.log

            (The filter expression is quoted so the shell does not try to interpret it; replace the placeholder with your second port.)

            Steve
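The filtered capture Steve describes, plus the "only 2 ports or 2 IPs" question from the post above, as an added example that is not from this thread: a small POSIX sh script for the pfSense CLI that builds a tcpdump/BPF filter from a list of ports and hosts, runs an unlimited text capture on the LAN interface, and then counts new outbound connections per LAN client so the machine generating the SMTP traffic stands out. The interface name `fxp0`, the addresses and the sample capture lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from pfSense itself.

# bpf_filter PORTS HOSTS -> BPF expression for tcpdump, e.g.
#   bpf_filter "25 587" "192.168.1.10 192.168.1.11"
# gives: (port 25 or port 587) and (host 192.168.1.10 or host 192.168.1.11)
bpf_filter() {
    ports=$1; hosts=$2; pexpr=""; hexpr=""
    for p in $ports; do pexpr="${pexpr:+$pexpr or }port $p"; done
    for h in $hosts; do hexpr="${hexpr:+$hexpr or }host $h"; done
    if [ -n "$hexpr" ]; then
        printf '(%s) and (%s)\n' "$pexpr" "$hexpr"
    else
        printf '(%s)\n' "$pexpr"
    fi
}

# capture_smtp IFACE FILTER OUTFILE: text capture with no packet limit.
# -n skips DNS lookups, -tttt prints full timestamps, -l line-buffers so the
# file fills as packets arrive. For a full pcap use -w capture.pcap instead.
capture_smtp() {
    tcpdump -n -l -tttt -i "$1" "$2" >> "$3"
}

# smtp_talkers < tcpdump-text -> "count host" lines, busiest client first.
# Only TCP SYNs (Flags [S]) are counted, i.e. new connections per LAN source.
smtp_talkers() {
    awk '$3 == "IP" && $8 == "[S]," {
             src = $4; sub(/\.[0-9]+$/, "", src); n[src]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed sample of tcpdump -n -tttt output (assumed addresses).
SAMPLE_CAPTURE='2025-01-15 09:12:33.100000 IP 192.168.1.23.49152 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
2025-01-15 09:12:33.150000 IP 203.0.113.5.25 > 192.168.1.23.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
2025-01-15 09:12:34.100000 IP 192.168.1.23.49153 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
2025-01-15 09:12:35.100000 IP 192.168.1.23.49154 > 198.51.100.9.25: Flags [S], seq 1, win 64240, length 0
2025-01-15 09:13:00.100000 IP 192.168.1.40.50000 > 203.0.113.5.587: Flags [S], seq 1, win 64240, length 0
2025-01-15 09:13:00.200000 IP 192.168.1.40.50000 > 203.0.113.5.587: Flags [P.], seq 1:30, ack 1, win 64240, length 29'

# Demo on the sample; on the firewall you would instead run e.g.
#   capture_smtp fxp0 "$(bpf_filter "25 587" "")" /root/smtp.log
printf '%s\n' "$SAMPLE_CAPTURE" | smtp_talkers
```

Run the summary against the log file later (smtp_talkers < /root/smtp.log) to see which LAN address opened the most SMTP connections during the day.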

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.