Netgate Discussion Forum
    PfSense as a Traffic Flow Monitor

    Firewalling | 6 Posts, 5 Posters, 3.3k Views
    amithad wrote:

      Hi,

      The thing that I'm going to explain might be a stupid idea; but I need some suggestions from you all.

      I have an OpenBSD firewall and it cannot be changed. It is paired with another OpenBSD firewall of the same kind at our head office. The head office and branch office communicate with each other through OpenBSD's built-in IPsec VPN.

      Though I try to get some bandwidth usage details from the existing firewall, it seems pretty hard. I thought of implementing a pfSense firewall in between my LAN and the existing firewall just to monitor LAN traffic.

      Internet <-------> OpenBSD PF Firewall <----------> pfSense Firewall  <------> LAN
      

      My idea is to keep the LAN IP addresses and the IPsec VPN intact, as follows:

      PF Firewall Internal IP (192.168.0.7) <----> pfSense External IP (192.168.0.6) <=====> pfSense Internal IP (192.168.1.5) ------> LAN
      

      Will the above setup make it possible to achieve my requirement? Or are there any other ideas?

      Thanks :)

      JuantonJohn wrote:

        If I follow, you would be double NATting; but that should work. If the existing BSD box is port forwarding, that's an issue.
        May have to add a route so it can find the IPsec tunnel.

        Even easier, and what I'm doing right now: add the pfSense box as a second edge device. I'm having to add a second static Internet IP. Then just change the gateway of all devices to point to pfSense's new IP. Add a route to pfSense so devices know how to get to the IPsec tunnel.

        Hope this helps.

        Derelict (LAYER 8, Netgate) wrote:

          NAT can be disabled on the internal pfSense for that use case. The OpenBSD pf would have to know to NAT for 192.168.0.0/24 and 192.168.1.0/24.

          You could probably do something with a transparent bridge, too, if all you want is traffic graphs.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

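What the NAT-disabled variant Derelict describes looks like on the OpenBSD side, as an added illustration rather than a configuration taken from this thread. The addresses are the ones amithad gave; the interface names (em0, em1) and the head-office subnet (10.10.0.0/16) are assumptions and placeholders.

```pf
# Added example, not from the thread. Assumed interfaces: em0 faces the
# Internet, em1 is the 192.168.0.0/24 transit segment toward pfSense.
ext_if = "em0"
int_if = "em1"
pfsense_gw = "192.168.0.6"
hq_net = "10.10.0.0/16"      # placeholder: the head-office subnet behind the IPsec tunnel

# Both the transit /24 and the LAN /24 behind pfSense reach this box with
# their real source addresses once NAT is switched off on the inner pfSense.
table <inside> const { 192.168.0.0/24, 192.168.1.0/24 }

# Translate Internet-bound traffic from both subnets to the WAN address.
# Head-office traffic is left untranslated so it still matches the IPsec flows.
match out on $ext_if inet from <inside> to ! $hq_net nat-to ($ext_if)

pass in on $int_if inet from <inside>
pass out on $ext_if inet
```

Two things outside pf.conf go with this. The OpenBSD box needs a return route for the LAN, for example `!route add -inet 192.168.1.0/24 192.168.0.6` in /etc/hostname.em1 (assumed interface file), which is the route JuantonJohn mentions; and the existing IPsec flow definitions must include 192.168.1.0/24 as a local network, otherwise LAN traffic to the head office bypasses the tunnel. Since pfSense is just routing here, its traffic graphs and state table see every LAN host by its real address, which is what the monitoring use case needs.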
          johnpoz (LAYER 8, Global Moderator) wrote:

            Wouldn't it be easier to just export flows from that router or even a switch? Or just connect a span port to, say, something running ntop?

            Running traffic through another firewall/router to monitor flow doesn't seem like the most efficient method.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

            jc2it wrote:

              @johnpoz:

              Wouldn't it be easier to just export flows from that router or a switch even?

              Years ago I did this to track usage of the WAN bandwidth. Back when it was scarce. This netflow tracking took me a bit to wrap my head around, partly because I was green at the time, but it worked well enough to find unneeded services and turn them off, or reschedule them to different times.

              Here is an OpenBSD example that might help. I have not followed this procedure, but it looks good. It does an OpenBSD equivalent to the RH version I implemented a long time ago.
              https://www.pantz.org/software/flowtools/configflowtoolspfflow.html

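On the collector side of the flow-export approach johnpoz and jc2it describe, the work is decoding NetFlow v5 datagrams (the format OpenBSD's pflow(4) exporter and the flow-tools setup on the linked page use) and summing bytes per LAN host. The following is an added example written for this thread, not code from the linked page or from pfSense; the sample datagram is constructed inline from documentation-range addresses, and the 192.168.1.0/24 LAN is the one amithad described.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire layout (network byte order): a 24-byte header followed by
# `count` fixed 48-byte records.
HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48 bytes


def parse_v5(packet: bytes) -> list:
    """Decode one NetFlow v5 datagram into a list of flow dicts.

    Short or truncated datagrams raise ValueError instead of yielding partial
    byte counts that would silently skew the usage totals."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short NetFlow header")
    version, count = struct.unpack_from("!HH", packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated NetFlow v5 payload")
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, packet, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5],
            "octets": f[6],
            "srcport": f[9],
            "dstport": f[10],
            "proto": f[13],
        })
    return flows


def bytes_per_lan_host(flows: list, lan: str = "192.168.1.0/24") -> dict:
    """Sum octets per LAN host: 'up' when the host is the source, 'down' when
    it is the destination. Flows that stay inside the LAN are not WAN usage
    and are ignored."""
    net = ipaddress.ip_network(lan)
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for f in flows:
        src_in = ipaddress.ip_address(f["src"]) in net
        dst_in = ipaddress.ip_address(f["dst"]) in net
        if src_in and not dst_in:
            totals[f["src"]]["up"] += f["octets"]
        elif dst_in and not src_in:
            totals[f["dst"]]["down"] += f["octets"]
    return dict(totals)


def build_v5_packet(records: list) -> bytes:
    """Assemble a NetFlow v5 datagram from (src, dst, octets, packets, proto,
    srcport, dstport) tuples. Used here only to construct sample input; a real
    exporter also fills in uptime, timestamps and sequence numbers."""
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                    0,            # nexthop
                    1, 2,         # input / output SNMP ifindex
                    pkts, octets,
                    0, 0,         # first / last (sysuptime ms)
                    sport, dport,
                    0, 0,         # pad1, tcp_flags
                    proto, 0,     # protocol, tos
                    0, 0,         # src_as, dst_as
                    24, 0,        # src_mask, dst_mask
                    0)            # pad2
        for src, dst, octets, pkts, proto, sport, dport in records)
    return header + body


# Constructed sample datagram (not captured from any real exporter): two LAN
# hosts talking to Internet addresses from the documentation ranges, plus one
# LAN-internal flow that must not count as WAN usage.
SAMPLE_PACKET = build_v5_packet([
    ("192.168.1.20", "203.0.113.10", 1_500_000, 1_200, 6, 51234, 443),
    ("203.0.113.10", "192.168.1.20", 48_000_000, 33_000, 6, 443, 51234),
    ("192.168.1.21", "198.51.100.5", 2_000, 20, 17, 40001, 53),
    ("192.168.1.20", "192.168.1.5", 900_000, 600, 6, 50000, 445),
])

if __name__ == "__main__":
    for host, t in sorted(bytes_per_lan_host(parse_v5(SAMPLE_PACKET)).items()):
        print(f"{host:15} up={t['up']:>10} down={t['down']:>10}")
```

In a real deployment the datagrams arrive over UDP from the exporter (pflow(4) sends to the `flowdst` address configured on the pflow interface), and the per-host totals would be accumulated over time rather than per datagram. The strict length checks matter because a collector that tolerates truncated records quietly under-reports exactly the hosts it is supposed to account for.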
                amithad wrote:

                Dear All,

                It's a pleasure to get help from a forum like this. I have no words to thank you all for your great suggestions and information.

                Thank you again for your great help!

                :)

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.