Yeah, I got one of these and ended up fixing it for good.
My son gave his friend our WAP password for his phone and then the little punk friend decided to go on a downloading spree. How does one give out the WAP password and still remain safe?
Let me tell you.
I set up a pfSense router with an OpenVPN connection to the Netherlands.
All my machines have a static IP address. Anything requesting a DHCP address gets sent through the VPN and comes out in the Netherlands. I'll never see another Rightscorp notice again.
edit: If you set one of these up, make sure to have the DHCP clients use OpenDNS or Google and NOT your DNS server on the router or provider. Also create a rule blocking all traffic from the DHCP clients to the WAN, to ensure the WAN traffic gets blocked in case the VPN goes down.
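The failure mode the edit above warns about (VPN down, guest traffic silently falling back to the WAN) can be modelled in a few lines. The following is an added example, not code from the post or from pfSense itself: it mimics first-match rule evaluation on the LAN tab plus floating "out" rules on the WAN, and the pfSense default that a rule whose gateway is down is kept in the ruleset *without* its gateway unless "Skip rules when gateway is down" is enabled. Subnets, host addresses and the rule list are assumptions made up for the illustration.

```python
"""Model of how pfSense evaluates LAN rules (first match wins) for DHCP
clients that are policy-routed through a VPN gateway.

Added example; not code from the original post or from pfSense itself.
Addresses and the rule list are assumptions made up for the illustration.
Modelled failure mode: by default, a rule whose gateway is down stays in the
ruleset without its gateway, so matching traffic follows the routing table,
i.e. goes out the WAN.
"""
import ipaddress

LAN_NET     = ipaddress.ip_network("192.168.1.0/24")    # assumed LAN subnet
DHCP_POOL   = ipaddress.ip_network("192.168.1.128/25")  # assumed dynamic range
GUEST_PHONE = ipaddress.ip_address("192.168.1.200")     # friend's phone, DHCP lease
STATIC_PC   = ipaddress.ip_address("192.168.1.10")      # own machine, static IP
NAS         = ipaddress.ip_address("192.168.1.5")
INTERNET    = ipaddress.ip_address("203.0.113.7")       # some host on the internet


def rule(action, src, dst=None, gateway=None):
    """One firewall rule: dst=None means 'any'; gateway=None means 'default'."""
    return {"action": action, "src": src, "dst": dst, "gateway": gateway}


def evaluate(src, dst, lan_rules, wan_out_rules, gateways, skip_when_down=False):
    """Return the path a packet takes: 'vpn', 'wan', 'lan' or 'blocked'."""
    egress = None
    for r in lan_rules:                               # first matching rule wins
        if src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        gw = r["gateway"]
        if gw is not None and not gateways[gw]:       # gateway is down
            if skip_when_down:
                continue                              # rule left out of the ruleset
            gw = None                                 # default: keep rule, drop gateway
        if r["action"] == "block":
            return "blocked"
        egress = gw if gw else ("lan" if dst in LAN_NET else "wan")  # default route
        break
    if egress is None:
        return "blocked"                              # implicit default deny
    if egress == "wan":
        for r in wan_out_rules:                       # floating 'out' rules on the WAN
            if r["action"] == "block" and src in r["src"]:
                return "blocked"
    return egress


def guest_paths(vpn_up, wan_block=False, skip_when_down=False):
    """Where guest and static-host traffic ends up under one configuration."""
    gateways = {"vpn": vpn_up, "wan": True}
    lan_rules = [
        rule("pass", DHCP_POOL, LAN_NET),             # guests may talk to the LAN
        rule("pass", DHCP_POOL, gateway="vpn"),       # everything else via the VPN
        rule("block", DHCP_POOL),                     # only reached if the rule above is skipped
        rule("pass", LAN_NET),                        # static hosts use the WAN directly
    ]
    wan_out = [rule("block", DHCP_POOL)] if wan_block else []
    args = (lan_rules, wan_out, gateways, skip_when_down)
    return {
        "guest_to_internet": evaluate(GUEST_PHONE, INTERNET, *args),
        "guest_to_nas": evaluate(GUEST_PHONE, NAS, *args),
        "static_to_internet": evaluate(STATIC_PC, INTERNET, *args),
    }


if __name__ == "__main__":
    print("VPN up, no kill switch:   ", guest_paths(vpn_up=True))
    print("VPN down, no kill switch: ", guest_paths(vpn_up=False))   # guest leaks via WAN
    print("VPN down, WAN out-block:  ", guest_paths(vpn_up=False, wan_block=True))
    print("VPN down, skip-when-down: ", guest_paths(vpn_up=False, skip_when_down=True))
```

Two details matter when you turn this into real rules: a LAN-tab rule whose destination is "WAN net" only matches the WAN interface's own subnet, not the internet, so the kill switch should be a floating "out" rule on the WAN interface (or the VPN pass rule must be skipped when its gateway is down, with a block rule right after it). And the DNS advice holds for the same reason: the guests' resolver traffic is policy-routed like everything else, whereas the router's own resolver queries leave through the WAN.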
Yes - you're looking for pfSense. There are other options too, but I'm a big fan of that one. I use something similar as my current router, a Core i3 PC with a pair of dual-port server NICs, running pfSense. It has no problem handling NAT, firewalling, Squid proxy, blocking lists of known bad actors, etc.
> I would pay good money for a box I could install in front of my wifi router!
pfSense + Squid + ad-server list added to Squid blacklists:
https://forum.pfsense.org/index.php?topic=68575.0
Costs no money past using pfsense. Here is their hardware page, although there are cheaper options out there:
https://www.pfsense.org/hardware/index.html
Another guide from a pay blacklist source:
http://blog.squidblacklist.org/
Looks like you can pay a one-time $250 for lifetime access if you like a curated list you don't have to care about, or I'm sure you can find tons of free options instead.
There are a couple of things you could do. If you had two separate internet connections, you could use load balancing to get a faster connection by combining the two. Connectify Dispatch works great for that.
If you want a faster connection to your local network, you could use LACP teaming to bond the two connections together to make a 2Gbps virtual interface. You will need a switch that supports LACP though, and it's tough to take full advantage of this unless you have multiple client machines download files from your computer. Another benefit of this is if one port happens to fail, it will continue to run off the other port. Really only helpful for servers though that need 100% uptime.
Or you could turn the computer into a simple pfSense router.
Or you could just bridge the connections in Windows, making them act similar to a switch. That gives you the possibility to plug other ethernet devices into it; for example, if you want to use your laptop simultaneously at your desk, you could plug it into the other ethernet port if you don't have a switch nearby.
> the device they use needs further explanation
Probably an MitM proxy like this one. It's very simple to do: you just need to install a custom SSL cert on the phone, which allows any gateway with the corresponding SSL key to decrypt all the traffic. The same tech is used by many corporate firewalls to also inspect HTTPS traffic, and decent prosumer firewalls like pfSense can do it, too.
There are other people in the thread going on about SSL certificate pinning (which can prevent the above MitM interception), but Google don't appear to be using hard pinning: I've seen plenty of people use Google services from Android and Chrome on corporate networks that have such SSL-intercepting firewalls without issue. I just MitM'ed a couple of Google apps on my iPhone without any problems.
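Pinning, as mentioned above, works because the interception gateway can forge a certificate for the same name but not for the same public key. Below is an added example (not code from the post, and not from any of the apps or firewalls named in it) that computes an HPKP/Android-style `sha256/` pin over the leaf certificate's SubjectPublicKeyInfo with the standard library only. The two certificates it checks are synthetic, unsigned skeletons constructed inline so the script runs offline; their names and key bytes are assumptions. For a live server the `fetch_and_check` helper uses `ssl.get_server_certificate`.

```python
"""SPKI pinning check: hash a certificate's SubjectPublicKeyInfo and compare
it with a stored pin. A proxy whose root CA was installed on the phone can
re-issue a certificate for the same name, but it carries the proxy's key,
so the pin no longer matches.

Added example, not code from the original post. Standard library only: a
minimal DER walker pulls the SPKI out of an X.509 certificate. The two
certificates below are synthetic skeletons built inline (dummy names, dummy
key bytes, unsigned) so the script runs offline; their contents are assumptions.
"""
import base64
import hashlib
import ssl


def der_tlv(tag, body):
    """Encode one DER tag-length-value (used only to build the synthetic certs)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_children(body):
    """Yield (tag, whole_tlv, value) for each element in a DER SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, first = body[pos], body[pos + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big")
            hdr = 2 + nbytes
        end = pos + hdr + length
        yield tag, body[pos:end], body[pos + hdr:end]
        pos = end


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (whole TLV) of an X.509 certificate."""
    _, _, cert_body = next(der_children(cert_der))      # Certificate ::= SEQUENCE
    _, _, tbs_body = next(der_children(cert_body))      # tbsCertificate
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]


def spki_pin(cert_der):
    """'sha256/<base64>' pin as used by HPKP and Android network security configs."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der, pin_set):
    """True if the leaf's SPKI pin is one of the expected pins."""
    return spki_pin(cert_der) in pin_set


def fetch_and_check(host, pin_set, port=443):
    """Live variant (needs network): fetch the server's leaf and compare its pin."""
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    return pin_matches(der, pin_set)


# --- synthetic test certificates (constructed, not real) ----------------------
OID_RSA = bytes.fromhex("2A864886F70D010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                      # commonName


def fake_cert(common_name, key_bytes):
    """Structurally valid, unsigned certificate skeleton around the given key bytes."""
    alg = der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA) + der_tlv(0x05, b""))
    cn = der_tlv(0x30, der_tlv(0x06, OID_CN) + der_tlv(0x0C, common_name.encode()))
    name = der_tlv(0x30, der_tlv(0x31, cn))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    key_alg = der_tlv(0x30, der_tlv(0x06, OID_RSA) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, key_alg + der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))


# Same name on both certs; only the key differs, exactly what an intercepting proxy produces.
REAL_CERT = fake_cert("accounts.example.com", hashlib.sha256(b"real key").digest() * 8)
PROXY_CERT = fake_cert("accounts.example.com", hashlib.sha256(b"proxy key").digest() * 8)
PINS = {spki_pin(REAL_CERT)}

if __name__ == "__main__":
    print("genuine cert:", pin_matches(REAL_CERT, PINS))    # True
    print("proxy cert:  ", pin_matches(PROXY_CERT, PINS))   # False: intercepted
```

Pinning the SPKI rather than the whole certificate is deliberate: the server can renew its certificate with the same key without breaking clients, and a real deployment ships at least one backup pin for a key held offline so a key rotation does not lock users out.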
> It is a scare piece.
It's certainly at least a bit stupid. The phone is recording your location via GPS, which is obviously unaffected by turning off WiFi and pulling the SIM.
Download it, try it, enjoy it.
If you have BSD / Unix experience, awesome, it'll give you even more control over it. If you don't, no worries, the router has a web interface, and it's REALLY straightforward and has a lot more features and power than a bog-standard router (hell, you can run an OpenVPN server on it, plus IPsec, plus monitoring and traffic logging, plus QoS - this is the kind of thing you'd pay Cisco / Juniper a couple of grand for).
First pick an open-source firewall.
Here I will help... Buy one of these:
https://www.pfsense.org/products/
Then lock out Microsoft.
Start by adding these addresses to your firewall.
Or just use Linux... But you know, fuck Microsoft and their bullshit. Just starve them of the data and use the shit out of their products for free. Make them regret giving it away for free. It is the best solution.
Edit: most of you know that hosts file edits don't make a difference, as they are hard-coded into DNS.aspi and cannot be bypassed through the hosts file. External firewall, and route them to 0.0.0.0.
> You were from Denmark, right?
Yep... it was kinda hard getting the pfSense box... first I had to go to https://store.pfsense.org/ and then I had to click BUY! Can you imagine that?
you could also go to https://www.pfsense.org/partners/locator.html and find a local reseller. :)
As an alternative, you can do this on an amd64 or x86 platform with pfSense, which is a very popular FreeBSD-based firewall appliance.
https://www.pfsense.org/download/
pfSense has a number of packages available, built from open-source projects, to install additional functionality, for instance antivirus and a caching proxy.
Since it's based on a PC platform, you can build a router with as much or as little processor, RAM and disk as you wish. This allows you to run what is considered by many a commercial grade firewall on a device which consumes no more power than the TP-LINK router.
Another advantage of being PC based is that you can run it as a virtual machine.
I'm running pfSense. It's very flexible, and a good learning experience for me. I've got it configured to block ads at the router level via the firewall and DNS based blocking, so the vast majority of ads (including phone ads!) are gone without having to install anything on connected devices.
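What router-level DNS blocking (the post above, and the earlier "route them to 0.0.0.0" advice) actually consists of is a resolver that answers listed names with a sink address for every client on the LAN, phones included, regardless of any hosts file on the device. The script below is an added example, not code from either post and not pfBlockerNG's own: it parses hosts-format and bare-domain blocklists, validates and deduplicates the names, collapses subdomains already covered by a parent, and emits Unbound `local-zone`/`local-data` lines. The two blocklists are constructed samples and the sink address is an assumption.

```python
"""DNS sinkhole generator: turn hosts-format or bare-domain blocklists into
Unbound local-zone entries, which is how resolver-level ad and telemetry
blocking works on the router (pfBlockerNG's DNSBL does the same job).

Added example, not code from the posts above nor from pfBlockerNG. The two
blocklists are constructed samples; the sink address is an assumption.
"""
import ipaddress
import re

SAMPLE_LISTS = {
    "adservers.hosts": """\
# constructed sample, hosts-file format
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 cdn.ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
0.0.0.0 ADS.EXAMPLE.NET.
0.0.0.0 not a hostname!
""",
    "telemetry.txt": """\
# constructed sample, one domain per line
telemetry.example.com
vortex.example.com
""",
}

# RFC 1123 host labels, at least one dot, alphabetic first character in the last label
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_blocklist(text):
    """Hostnames from a hosts-format or bare-domain list, lower-cased and validated."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        parts = line.split()
        # hosts format: "<ip> <name> [<name> ...]"; bare-domain lists have a single field
        candidates = parts[1:] if len(parts) > 1 and _is_ip(parts[0]) else parts
        for name in candidates:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES and HOSTNAME_RE.match(name):
                names.add(name)
    return names


def collapse(names):
    """Drop names whose parent is listed: a 'redirect' zone already covers subdomains."""
    kept = set()
    for name in sorted(names, key=lambda n: n.count(".")):   # parents first
        labels = name.split(".")
        if any(".".join(labels[i:]) in kept for i in range(1, len(labels))):
            continue
        kept.add(name)
    return kept


def unbound_sinkhole(names, sink_ip="0.0.0.0"):
    """Unbound config lines: each name (and everything under it) answers with sink_ip."""
    lines = []
    for name in sorted(names):
        lines.append(f'local-zone: "{name}" redirect')
        lines.append(f'local-data: "{name} A {sink_ip}"')
    return lines


def build(lists):
    """Merge several lists into one sinkhole config (list of Unbound lines)."""
    names = set()
    for text in lists.values():
        names |= parse_blocklist(text)
    return unbound_sinkhole(collapse(names))


if __name__ == "__main__":
    print("\n".join(build(SAMPLE_LISTS)))
```

The output goes into a file the resolver includes (in pfSense that is an include added under the DNS Resolver's custom options, an assumption about where you would wire it in). Clients have to use the router's resolver for this to bite, which is the opposite of the earlier advice to point VPN'd DHCP clients at OpenDNS or Google; the two setups cannot share one DHCP scope's DNS setting.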
thanks!
the desktop part is a firewall/router running pfSense for load balancing between multiple (slower) internet connections
the laptop part is for gaming almost-classic titles like the very first Command & Conquer, Red Alert, Quake 3, Abe's Oddysee/Exoddus... for these older games that you'd spend hours and hours on, it made sense to have a lower-power rig to save on electricity.
> when you talk about pfSense you're really talking about the UI atop freeBSD.
Many people have this opinion, all of them are wrong. There are actually a lot of patches to FreeBSD base and some of the packages, in addition to the GUI. The "GUI" is also the configuration layer (the same PHP runs both).
In answer to OP: yes, there has been a fair amount of attention on the PHP GUI in the last year. You can see where people have reported bugs, we've fixed them, and made new releases.
If you're saying wanna-be admin as in you want to learn how to do these things, the best way to do this is to set yourself up a pfSense router and learn how to use it. It's open source and you can install it on pretty much any machine with two NICs and do what you're after. I had it running on an old Celeron PC for years that served my entire home network, sometimes with three YouTube videos and Netflix going all at the same time without noticeable issues.
You set up OpenVPN on the pfSense router, connect to that from anywhere, then interact with the rest of your network like you're plugged into it locally. This way, the only thing that's exposed is the OpenVPN port, which is going to require keys to get into.
If you're ~~extra paranoid~~ security minded, you can go on to harden your servers inside your network to add additional hurdles to attackers. If your router is compromised, sure an attacker is in your network, but now they've gotta take the extra step of breaking into your server.
Security by obscurity is dead. Picking a non-default port number isn't going to help you. Botnets scan everything all the time now, attacks are automated. It used to be you had to have something of value to really worry about attacks, but nowadays they're just looking for another zombie to add to the horde.
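The "botnets scan everything" point is easy to see in a pfSense firewall log: a single source hitting a spread of ports, default and non-default alike, within seconds. The script below is an added example, not from any post above, that parses filterlog records and flags such sources. The log lines are constructed in the CSV layout pfSense's filterlog writes for IPv4 TCP/UDP records (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, tos, ecn, ttl, id, offset, flags, protocol id, protocol, length, src, dst, sport, dport, ...); the interface name, addresses and the five-port threshold are assumptions.

```python
"""Scan detection over pfSense filterlog output: group blocked inbound WAN hits
per source and flag sources that probed many different ports.

Added example, not from any post above. LOG is a constructed sample in the
filterlog CSV layout for IPv4 TCP/UDP records; hosts, interface name and the
threshold are assumptions.
"""
import re
from collections import defaultdict

# constructed sample: one scanner, one legitimate VPN client, one stray hit, one non-filterlog line
LOG = """\
Jun  1 10:00:01 fw filterlog[61031]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,1,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,40001,22,0,S,1,,1024,,mss
Jun  1 10:00:01 fw filterlog[61031]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,2,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,40002,23,0,S,1,,1024,,mss
Jun  1 10:00:02 fw filterlog[61031]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,3,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,40003,80,0,S,1,,1024,,mss
Jun  1 10:00:02 fw filterlog[61031]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,4,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,40004,443,0,S,1,,1024,,mss
Jun  1 10:00:03 fw filterlog[61031]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,5,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,40005,3389,0,S,1,,1024,,mss
Jun  1 10:00:03 fw filterlog[61031]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,6,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,40006,8080,0,S,1,,1024,,mss
Jun  1 10:00:04 fw filterlog[61031]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,7,0,DF,17,udp,60,203.0.113.5,198.51.100.10,40007,1194,32
Jun  1 10:01:00 fw filterlog[61031]: 80,,,1530000000,igb0,match,pass,in,4,0x0,,52,8,0,DF,17,udp,60,198.51.100.200,198.51.100.10,51820,1194,32
Jun  1 10:02:00 fw filterlog[61031]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,9,0,DF,6,tcp,60,192.0.2.9,198.51.100.10,50000,22,0,S,1,,1024,,mss
Jun  1 10:02:01 fw sshd[1234]: Connection closed by 192.0.2.9
"""

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.+)$")


def parse_filterlog(line):
    """Dict for an IPv4 TCP/UDP filterlog record, None for anything else."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":                  # IPv6 records use a different layout
        return None
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "direction": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
        if rec["proto"] == "tcp" and len(f) >= 24:
            rec["flags"] = f[23]                    # e.g. "S" for a bare SYN
    return rec


def find_scanners(log, wan_iface="igb0", min_ports=5):
    """{src: sorted ports} for sources whose blocked inbound WAN hits reached >= min_ports distinct ports."""
    ports = defaultdict(set)
    for line in log.splitlines():
        rec = parse_filterlog(line)
        if rec is None or "dport" not in rec:
            continue
        if rec["iface"] == wan_iface and rec["direction"] == "in" and rec["action"] == "block":
            ports[rec["src"]].add(rec["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, hit in find_scanners(LOG).items():
        print(f"{src} probed {len(hit)} ports: {hit}")
```

Run it over the raw firewall log (`/var/log/filter.log`, read with `clog` on releases that still use circular logs). The legitimate VPN client is never counted because its packet was passed, not blocked, and the single stray hit on 22 stays below the threshold; the flagged source touched 8080 and 1194 just as readily as 22, which is the whole argument against relying on a non-default port. The resulting addresses can be fed to an alias for a block rule, or simply kept as evidence of how constant the background scanning is.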
-rwsr-xr-x is likely using pfSense. You can install it on an old computer and use that as a router instead of buying a whole new device. There are several ways to do this inside of pfSense, like using DNS, Squid / SquidGuard like above, and DansGuardian. Check out /r/PFSENSE and https://www.pfsense.org/ if you're interested.
I'm going to have to disagree with this, especially in regards to small businesses.
A firewall is typically used as a perimeter security device, and should remain separate from any other systems hosting content, especially when said content is available to the internet.
It doesn't take much hardware to build a pfSense based security appliance (software is free), and run your hosting services on another system.
Binned a Sonicwall for a pfSense box at my previous employment. I'm currently using pfSense running on a re-purposed Citrix CAG just for captive portal public wifi. We have ASAs so I'll take what's been said here on board and see how far off the EOL is.
You are assuming that PHP is inherently bad; please prove that. PHP is just like any other language: they're all great and suck at the same time -- every language is going to have things that people like and dislike.
In pfSense, PHP is used for the GUI as well as "backend" packages as you described. However, it is just a wrapper around shell/bash scripts and command lines, and it generates build config files (XML). All the heavy lifting is done by other sub-systems, either in kernel or user space (OpenVPN, for example), not using PHP.
You can learn more about the history of pfSense below: https://www.pfsense.org/about-pfsense/ https://m0n0.ch/wall/index.php
For the 3.x roadmap I believe the team wants to switch to Python. More information here: https://www.netgate.com/blog/further-a-roadmap-for-pfsense.html
If you want to create a package, then part of it needs to be done in PHP. The GUI needs to know how to call your package, either natively within PHP or fork/exec'ing your process. Keep in mind, pfSense supports a number of different environments such as: low resources boxes with limited CPU, Memory and Storage on different architectures (x86 and ARM) to high end boxes with many CPU, Gigs of Memory and storage.
/adam
Well, the pfSense sizing guide on their website recommends multiple cores at more than 2GHz each when working with over 500Mb/s speeds.
I think you've done well to get the performance that you have out of that poor little atom ;-)
I personally think you will be fine with a quad core xeon at 1.6GHz or so (or two dual cores) as for 100-500Mb/s they recommend one core at 2GHz.
Just make sure you get good Intel network adapters - I've had decent experiences with getting Realtek ones up to 1Gb/s but it seems I'm in a minority.
Because it's a fully fledged, open-source software firewall that can run on any number of hardware configurations with a shitload of services, add-on support and super good firewalling.
Try these on for size:
https://www.pfsense.org/download/
https://cumulusnetworks.com/downloads/#product=Cumulus%20VX
There are others, but each of these will accomplish what you're looking for. pfSense is a firewall, but traditional firewalls are just security-hardened routers that deny by default instead of permit by default. However, I brought up pfSense because it has a web-based GUI interface, and based on some of the things you said in your post, this might suit you better than trying to configure VyOS or Cumulus Linux via the command-line.
Within ESXi, you can more accurately simulate a real production network by creating multiple vSwitches. Each vSwitch does not require a physical network interface to be attached, just one or more port groups. You can then create router VMs with multiple vNICs, and attach each vNIC to a different port group on the different vSwitches.
I use a pfSense firewall at home. There is a plugin called pfBlockerNG that allows for Geo-IP blocking very easily. Click to install the plugin, select the countries you want to block (or select all and unselect the ones you want to allow), and activate it.
pfSense can do all you ask for; performance is not an issue as long as the PC running the router has enough RAM (1 GB) and a decent CPU. All the documentation and some examples can be found here: https://www.pfsense.org/ The OS is very powerful and can require a bit of getting used to because it is based on BSD, but with a bit of practice it is easy.
A good VPN that doesn't store logs should suffice. Check out /r/VPN. ~~The best thing you can do is buy a router that supports custom Linux firmware such as DD-WRT and apply the VPN directly on it so no data is leaked.~~ VPN software should suffice, it seems. You could repurpose an old PC and make it into a router with pfSense (this stuff is amazing): https://www.pfsense.org/
There are also ways to have a failsafe so if the VPN fails, no data is leaked. Furthermore, if you pirate, a seedbox or using Usenet and downloading via SFTP would be very secure : /r/torrents, /r/seedbox, /r/Usenet, /r/privacy.
edit: changed router info. Also, you should look for a VPN with one or more servers/gateways that are located near AU to ease bandwidth loss.
Personally, I'm a fan of Ubiquiti's EdgeRouters. Honestly, I haven't had any experience with other routers (minus crappy consumer grade Netgear and Buffalo), but the EdgeRouters can still do a lot.
It's got a full GUI, you can SSH, TELNET I believe, SNMP, etc.
Another option is to build your own with pfSense, which is very much in depth, but it's got quite a learning curve (at least for me).
Also, I'm sure you know this by now but these are only routers, you'll need a wireless AP to go with these.
pfSense: https://www.youtube.com/watch?v=RrQrt8r_uYg https://www.pfsense.org/
While there's a time and a place for solutions such as pfSense, the situation OP describes is probably best served by a commercial, hardware-driven solution. Netgate's support offerings are also questionable for such an environment: 8-hour SLA, 1-hour max ticket time, "high level" troubleshooting for non-Netgate devices, etc. https://www.pfsense.org/get-support/software-support.html
Set up an OpenVPN server. You could install it on your existing Ubuntu VM (guide) or you could spin up a new VM and use something like pfSense.
You'd only have to forward a single port on your router (default is UDP 1194) and you need a certificate as well as a username/password to connect so it's secure. You can pick the level of encryption to use and it's very strong.
You'd then connect in from whatever device (there are OpenVPN clients for almost all platforms) and access everything via its normal LAN IP address. It's basically like you're directly connected to your home network.
No. The minimum hardware requirements are just 1 GB of disk (not 1 TB, just 1 GB). Almost any type of disk is fine if you're just using it as a firewall/router replacement, since there's very little disk I/O after startup. Even a thumb drive can work, but they're usually not terribly reliable for long-term use.
If you look at the prebuilt hardware that pfSense sells, it's all with eMMC flash drives or SSD drives, but that's for reliability, not speed.
However there are optional packages that will create a lot of disk I/O and use a lot of disk space - squid, for example. If you're planning on installing them, then you need more space, and need to pay attention to disk performance.
You can install pfSense on a small, slow disk, and then also add a large, fast disk for squid (or other packages) if you like.
You might also sling the gold membership for those that want to support the project, but don't necessarily need to buy hardware (or have hardware lying around and feel the appliances are "too expensive") or are non-commercial entities.
$100 a year, for me, is much better spent than drinking and tinkling out Charbucks. Y'all probably have a much better profit margin on that than the hardware, too, right?
If you have a spare PC and the technical skills to install an additional NIC, you can set up a very bad-ass router (we are talking >1 million entry state tables here) that puts pretty much anything under $1000 to shame using pfSense. Throw in a nice 5-10 port switch and a Ubiquiti AP and you are good to go for right under $100.
Check out /r/PFSENSE
I'm not sure if it does ALL of the things you need, but I'm using pfSense (as a firewall).
BandwidthD will show you who is using how much, OR what domains are getting used how much.
RRD graphs show usage over various periods 8 hours, 1 day, 1 week, 1 month, 3 months, 1 year.
It can also do throttling of various types and blocking of domains.
Edit: I think it can do most of that. It wouldn't exactly generate reports, but you can go look at the data and print the graphs and tables.
First and foremost, don't host websites over port 80 if you plan on exposing that to the internet. Check out Let's Encrypt to secure your web traffic. As for virtual machines, how will you be exposing those to external incoming connections? What operating systems do you plan on using? Don't expose port 3389 (RDP) to the internet without some sort of PKI in place and strong authentication. Also check out pfSense for a pretty solid open-source firewall. Make sure everything has the latest security updates and is patched regularly. While your intentions are admirable, I would say that exposing anything to the internet is taking a risk. If you get a solid firewall with NIDS, you should be relatively safe. I can't speak for consumer-brand firewalls (I have Comcast, but I got rid of their devices because I am a control freak), but they may meet your needs as well. Monitor who is accessing your stuff diligently.
Edit: Spelling
Correct. We're aiming for early September with no fixed release date, in case there are unexpected events or security updates. You can give it a try right now, install 2.4.4 development snapshot. We could use the help with testing.
I'd recommend a pfSense appliance. Buying straight from them will get you support as well and the available packages can provide some fantastic security benefits including Snort, IP blocking by category (country, known bad, etc). This appliance here sounds about perfect for your situation: https://www.pfsense.org/products/product-family.html#sg-2440
We also have a subreddit for pfsense if you want to ask questions there: /r/PFSENSE
The only thing you would be using Cloudflare for in this instance is IP address masking. I've had sftp, Kolab, Nextcloud and all manner of other random internet accessible services without Cloudflare over the years. You are probably not going to need it.
My advice is to get a good firewall up and running. pfSense and ipfire are fantastic options, I personally use ipfire at home and at work.
With a firewall in place you can filter out a fair amount of crap before it ever gets close to fail2ban. But yes fail2ban is probably a good idea
The computing power of consumer-grade routers tends to be pretty low (low-cost, low-power ARM or MIPS CPUs, for example). Slow CPUs can have bad multitasking or high processing times for individual tasks, and so can't handle the number of concurrent connections some home networks could potentially generate, or they increase latency. The effects of this are even more noticeable the more services the router provides (VPN, proxy, load balancing, just to name a few).
A server built to be a router using an OS such as IPCop or pfSense has limitless capacity and functionality opportunity.
To add to this, it's called a state table. Basically each connection your computer makes has to be written down and remembered; if I remember correctly that's 1 KB per state, so if you have a generic router that has, say, 16 MB of RAM, not only does the router have to set aside space for the onboard OS but it also has to remember what connections are being used, settings, etc. Like Borizz says, some states can stay open indefinitely.
For example, if you use BitTorrent at all you are probably using anywhere from 100 - 500 connections (that's 500 states in the table, which would mean you are using 500 KB of your RAM...). Now compound that with multiple wireless devices and you can start to see how things add up.
I use a custom box running pfSense with 512 MB of RAM and a 1 GHz processor... needless to say, I never have any issues anymore because it manages everything for my WAP.
pfSense would be a natural evolution for you. You can roll your own on self-supported hardware, roll your own on 1st tier hardware, or purchase a fully supported solution from one of pfSense's recommended vendors. The vendors include support for hardware and software, or software support can be purchased separately.
pfSense is a fully commercially supported product- it is not simply an enthusiast-only amateur product. Their commercial support staff are firewall experts- not just pfSense, but familiarity with top-tier offerings.
I'm a huge fan.
pfSense will do most of what you want to do out of the box.
It's way more fun doing it yourself though. Your terminology seems on point as far as I can tell. I used that same guide you linked to when I built my home-brewed router. It was good as a general guide; the iptables configuration was a bit basic and the network configuration is different in newer versions of Ubuntu Server. Consider Debian too. It is very lean and I find the network configuration for static IPs and routes simpler.
Does not sound like you want OpenWrt; I think you want pfSense if you are looking for an enterprise-grade gateway and lots of control.
Any old PC with two NICs can run it and run circles around anything ARM-based, but that's ugly and huge and wastes power.
I bought one of the Qotom boxes from AliExpress: i5, SSD, 4GB RAM, Intel NUC, 4x ports, passively cooled at 7W power consumption.
Setting up the basics plus a few packages like captive portal or pfBlockerNG as an alternative to Pi-hole is relatively easy.
Here is a good youtube series about it
If driver support is in 11.2, try our latest 2.4.4 snapshots.
https://www.pfsense.org/snapshots/
I know it says 11.1 but that's an error, we'll update it ASAP. pfSense development snapshots version 2.4.4 are based on FreeBSD 11.2-RC since June 1st. https://twitter.com/pfsense/status/1002558800900034560
You should give pfSense a shot. It's an excellent open source router/firewall software you can run on a variety of devices or as VM. A Site-to-Site VPN should get you started on your setup here.
The announce list was recently deprecated in favor of a "newsletter" (different delivery mechanism other than mailman), but all others are maintained. You can sign up for the newsletter here: https://www.pfsense.org/download/
Well, everything. https://www.pfsense.org/ for firewall and vpn purposes.
Most likely as a small, resource-efficient host for every web application like the internal landing page, wikis, chat applications, backup controller, deployment controller, search engine, logging, SQL host, pretty much everything that's not normally done with a Windows domain controller (DHCP, DNS, Active Directory and stuff).
I don't understand why this question keeps coming up without people finding Netgate gear. It's literally on the very front page of https://www.pfsense.org. Or in the section at the top titled Products. Or on the side bar of this very subreddit. I just don't get how people can "search and not immediately see anything".
They are the primary supporters/owners of pfSense, the product you buy from them is high quality and guaranteed to support the newest versions of pfSense.
As a rule of thumb, no device should be directly connected to the internet unless it has been specifically developed for that purpose.
Set up a VPN gateway and let users connect to the gateway, which then gives them access to the internal network (including the NAS). There are plenty of appliances available for running a VPN gateway (from cheap consumer-grade Chinese TP-Links to enterprise devices from Cisco). One of the most popular choices for home and small business environments is pfSense, which is free and can run on a wide range of PCs. A sub-$50 small form-factor PC from eBay is good enough to run it.
I have many years with pfSense and it was our "managed services" firewall back-pocket for clients that did not want to purchase a FortiGate.
The best thing about the software is that you can use your own hardware:
https://www.pfsense.org/hardware/
Also, a plug for the BSD Perimeter guys who are top-notch for paid support:
You'd be best off doing some research on your own to find one that works best for your own needs. The one I'm most familiar with is called pfsense but there may be better options for what you're looking for.
I actually find the aliases system to be pretty easy to deal with, and you can also insert dividers in the rule sets to split them up into more visual blocks (i.e., "all web-related rules here"). But having a naming convention for aliases to make them easier to find helps, i.e. a system for how you name them. However, since there is a search function in the fields where you enter them, that too makes finding the right alias easy when creating a rule.
And if you want incomprehensible and nightmarish, try something like a Cisco firewall on the CLI. Compared to that, pfSense is a dream. I really have few issues with pfSense's UI now, there's a learning curve but I think it's already pretty good compared to everything else I've seen.
But I think a rule that literally says that traffic to "Mailservers" is open on "MailPorts" is pretty comprehensible. Also, if you hover over either alias, a pop-up appears that shows you every IP under that alias. So readability of firewall rules in pfSense is not something I find objectionable, rather the opposite.
CARP clustering in a virtual environment might be an issue, as CARP involves broadcasts and the like. I've never tried setting it up virtually, but try /r/pfSense if you need help, or indeed https://forums.pfsense.org - and since your org looks like it's a bit larger, buying support from pfSense directly to set this up is absolutely an option. They have 24/7 support available if you need it, see https://www.pfsense.org/get-support/
I would consider getting pfSense Gold. You get access to a well maintained book as well as a large archive of videos - each 1-2 hours on a specific topic.
https://www.pfsense.org/our-services/gold-membership.html
You also get auto-config backups which are handy.
You're getting both hardware/software support AND warranty by buying with Netgate. If something should go wrong, they offer 24/7 support. Plus, you're supporting the pfSense community at the same time. Also, the SG-1000 comes with 1 year of pfSense gold. Benefits listed here: https://www.pfsense.org/our-services/gold-membership.html
I'll piggyback a question here: does only the SG-1000 come with Gold, or do the other appliances too?
Normally, I'd ask questions about requirements to help us understand what functionality you require, and meander towards a solution that way. But I'll just skip to the end and point in the most common directions:
https://www.pfsense.org/products/
https://www.sophos.com/en-us/products/unified-threat-management/tech-specs.aspx#
Thanks, yes there is a huge amount of cheap Intel aluminum mini-PC, more powerful for about the same price.
However this device is obviously oriented toward network application so the J1900 is plenty enough. While most people only need 2 NICs, the 4 NICs on this device makes it special (niche?), I like the idea of removing my Gigabit switch next to my router. Also, RAM/mSata/Wifi is dead cheap.
There is a similar $400 device from pfsense https://www.pfsense.org/products/product-family.html#sg-2440 I'm sure it's a very fine device but the price is way above what I want to pay for my router at home, also it's bigger.
The reality is you should invest some time in learning at least the basics of networking and network security as well as find a product you are willing to put the time into. A good foundation will take you pretty far and your access to forums where you can feel comfortable asking questions will help get you the rest of the way there.
If you have some spare hardware sitting around you could build yourself a vyos or pfsense machine to keep it on the cheap.
OR
pfsense offers hardware based solutions that are well within your price range. Depending on overall throughput they might not work but you never know until you try it.
It looks like you have a good AP already - why not a real router? Depending on the route you want to take it might be time to invest in a Cisco router (if that is the road you are going down). If you are a true tech junkie maybe look into a Routerboard or a Ubiquiti Edge Router. Or for real shits and giggles use two of those nic's on your Hyper-V server for a Linux Router (pfSense or similar).
It's basically a package of FreeBSD (Unix) along with the configurations for running a router, all packaged up into a nice installer with a web-based front end. You toss it on an older piece of hardware with 2 or more network cards in it and it runs as a router. I used to run it on an old P4 system and I eventually invested in buying a relatively inexpensive Atom server that also runs an in-house Minecraft server.
My current IKEA brand network center with file server peeking out on the right.
The nice thing with the QoS is it's really configurable but also has a wizard to help you get a basic setup with prebuilt rules for a ton of different games and applications.
It can be complicated to configure but a basic install is really easy and it's a good way to learn more about networking.
I have actually thought about doing a write up on how to set something like this up.
One word: pfSense. If you aren't using it as a router/firewall already it has a load to offer, though in that sense it isn't "lightweight".
There is an option called "Register DHCP leases in DNS forwarder" which does exactly what you need. DHCP clients when requesting a lease will provide their hostname, which pfSense will then register in the DNS forwarder, so anyone on any OS can then type "ping dragon-pc" and get it resolving to an IP.
For sake of argument you can run pfSense just as a DNS and DHCP server if you needed to, or if you're familiar with virtualisation it's fully virtualisable. But seriously, it's an awesome router/firewall with lots of stuff that is very useful at LANs, like seeing a live traffic graph broken down by computer and how much it is using.
Yeah, this won't really work that well!
You will need a spare computer (desktop) that has at least 2 network ports in it!
You would install "pfSense" and use that for your firewall:
Sounds like you want a web proxy for their devices, that would give you much more insight (albeit, since most of the internet is HTTPS nowadays, you're only going to see the base domain and not the full URL).
You might be able to set up a simple open Squid proxy to start on your raspberry pi and configure their devices to point to it, and then review the logs. Or, alternatively you could set up something like a cheap pfsense firewall.
FWIW, there's a whole page at the pfSense page dedicated to hardware requirements, with a table graduated by connection speed. Cross-referencing your needs with the last table on the page shows you'll need a 2.0+ GHz multicore CPU with server class hardware and PCI-e NICs.
In the download options on https://www.pfsense.org/download/ there's a serial console option. I've never used it but I assume it's for installing the machines that don't have VGA ports or are inaccessible. I assume it follows the regular installer and just sends the data out the serial port. With that said I assume that it draws screens with ASCII characters but the text will be embedded in there as ASCII text. You might have a better experience letting it draw the screen and then having your screenreader read the text rather than having your screen reader echo each character as it is sent to your terminal emulator ( PuTTY?)
Have you used the pfSense interface in a web browser before? I've worked with many different screen readers and I'm afraid, the way the web interface is constructed, it would be very difficult to run with a screen reader. While you can SSH to pfSense, there is very limited functionality unless you're editing the raw configuration files, which is no fun.
I do know in the system settings you can choose alternate web interface settings. I would encourage you to explore those and see if any of them are more screenreader friendly.
PS. If you attempt a serial console install you will need a null modem cable or null modem adapter to connect the two devices together.
I haven’t seen them since the re-design of the logo. I heard that they come with appliances, but I heard that like 6 months ago. Idk if that’s still the case or not.
If you intend to get them printed, you probably want to be extra careful - that’s one of their big things per this document.
As I read it, keep any logos away from customer stuff; toss it on your laptop or something instead
Here's the best fix ever!
1) https://www.amazon.com/gp/product/B01AJEJG1A/ref=oh_aui_detailpage_o03_s00?ie=UTF8&psc=1
2) Then.. https://www.pfsense.org/download/
Everyone should build their own routers!
I'm with /u/clickwir, I wouldn't put my network in a container or VM either (even with a dedicated NIC). Especially if you plan to fiddle around with other containers or VMs on that host.
You should start by looking at pfSense's requirements when deciding where to put it. Keep in mind those are for basic routing. If you plan to add squid and other services to pfsense you'll need more horsepower.
I'd personally use https://www.pfsense.org/
And for the hardware I'd use something like this (because it has more network adapters than your ol' regular PC): https://www.amazon.com/gp/product/B019Z8T9J0
Well, a good place to start for great bang for the buck would be a pfSense appliance, but not sure what your strange setup is for.
If you can get one fiber in, you can use that to get 10 gigabit Internet. Assuming someone offers that.
You can roll your own hardware with pfsense and get that throughput. Some guidelines here: https://www.pfsense.org/products/#requirements
Might be cheaper than purchasing an appliance. That being said, I have a Sophos box and love it!
Here's a link to the pfSense hardware requirements. Based on your specs I would virtualize pfSense; that way you get your bang for your buck, and you can use it for other things.
Sure!
The SG-1000 is the hardware to install pfSense on. It's like your R8, only a different shape and with no wireless.
To cut a long story short: what you usually buy (e.g., your R8) is a combination of things. It's a firewall, a router, a switch and a wireless access point all in one.
There's a basic run-down on pfSense here: https://www.pfsense.org/getting-started/
pfSense is software designed to do the routing and firewall parts, and it's got a lot of features, many of which the R8 will have (like DHCP server, for instance). Often routers like the R8 will have limitations based on their hardware, or because the vendor wants you to buy their more expensive equipment (soft limit).
If you have an old laptop spare, you can install pfSense on it using a USB key. After it walks you through some basic configuration steps you'll be able to access it over the network, where you should get a login page (admin/admin) - now you can play around to learn what's available. There's plenty of help and documentation online if you want to accomplish something in particular like QoS.
Otherwise ask me, or in /r/pfSense :)
*Edit - for your two APs you could use any switch, really.
Second edit - or since you already have some UniFi gear, maybe look at the UniFi Security Gateway? It's a nice compromise between something like the R8 and a pfSense setup.
>I would like to purchase a secure modem/router...
I would go for a pfSense router.
>(not sure which OS is best)
Qubes OS is the best option. Easier to play with and configure than OpenBSD.
>For a phone...
You can also e.g. buy a Nexus 6P from a second hand shop or from other people selling it and then flash it with CopperheadOS.
To support gigabit OpenVPN traffic you will need a modern quad-core Intel CPU that supports AES-NI. A generation or two old i7 or i5 will likely provide the best value. I just checked eBay and found some i5 6500 and 6600K CPUs for $180.
The Athlon XP system you have will fall to its knees with OpenVPN at those speeds and/or if you enable a few packages such as Snort or Suricata. For example, I use Suricata with a 100Mbps connection and the dual-core 1.7GHz Atom CPU I use pegs to 100%. I had to actually back off on the rulesets I use to ensure I don't throttle the internet connection.
The other consideration is the network adapters. You will want dedicated Intel NICs because they have better driver support in BSD and have hardware off-loading to improve throughput.
Here is the official pfSense guidance on hardware: https://www.pfsense.org/hardware/#requirements
Do you even need to run it on a physical hardware unit? pfSense runs very happily on a VM with basic resources (this is what I do). Failing that, the Product Comparison - https://www.pfsense.org/hardware/ - will tell you that a SOHO network will happily run on something as basic as an ARM or Atom CPU with 512MB-2GB RAM. It doesn't need anything powerful.
Of course, if you're going for a 2 gig wired fiber then you'll need something a bit more powerful, but pfSense can handle it.
You will want to set up your VM to use a bridged adapter. This way the VM has its own IP on the network instead of translating one from your host PC.
The reason I don't suggest the VM and VPN on the same host is mostly to prevent leaks, because I don't trust kill-switches.
Say your VPN tunnel goes down, even for a sec; you will be sending clear packets. A kill-switch is designed to stop this but sometimes it fails. The other reason is malware / active attacks on your system. Because the VM you are working in saves no VPN creds (doesn't even know you are using a VPN) you are safer.
The solution is using pfSense. It's a router .iso you can boot in a VM. You create a sub-net on your network that routes all traffic from the VM you are working on to another separate VM that hosts the VPN. Now if your VPN goes down, your sub-net will come to a standstill because it's hard-coded to use the VPN tunnel only (you couldn't get a clear packet through if you tried).
It should only take an extra hour or so to do, and only a few extra mins on startup; it's well worth it.
This is a very dense guide. Don't be intimidated by it, because it's actually very simple. Just remember what you are trying to do:
3 VMs: Linux (I suggest Debian), pfSense and whatever OS you want to work in.
Debian-VM(Running OpenVPN) --Traffic is passed to--> pfSense-VM(makes a new subnet) --> VM3(workstation)
You can add as many VPNs along the way for more security, using more VMs.
Tada! Compartmentalized!
Edit: Network settings for VMs: VM1(Bridged) pfsense(1:Bridged 2:Internal Adapter:pfs-sk) VM3(Internal Adapter:pfs-sk)
Edit 2: pfs-sk can be whatever you name it. Shoot me a line if you need a hand with anything.
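As an added illustration (not from the post above, and not the ruleset pfSense generates from its GUI), here is the fail-closed idea the post relies on written in raw pf syntax, assuming the OpenVPN tunnel terminates on the pfSense VM itself rather than on the separate Debian VM; the interface names, the subnet and the tunnel peer address are made up for the example.

```pf
# Illustrative pf.conf fragment showing the policy only. pfSense builds its
# own ruleset from the web GUI, so this is not a file to paste into a box.
# Interface names, subnet and peer address are constructed for the example.
wan_if  = "vtnet0"          # bridged adapter facing the home network
iso_if  = "vtnet1"          # internal adapter ("pfs-sk" in the post)
tun_if  = "tun0"            # OpenVPN tunnel interface
tun_gw  = "10.8.0.1"        # tunnel peer address (placeholder)
iso_net = "10.99.0.0/24"    # subnet handed to the workstation VM

set skip on lo0

# Source NAT for the isolated subnet happens only on the tunnel interface,
# so there is no translation rule that could ever send it out via the WAN.
nat on $tun_if from $iso_net to any -> ($tun_if)

# Fail closed: nothing from the isolated subnet may leave through the WAN
# interface in the clear, whether or not the tunnel is up. 'quick' means
# no later rule can override this, so a kill-switch script is not needed.
block out quick on $wan_if from $iso_net to any

# Everything the workstation sends is policy-routed into the tunnel.
# While the tunnel is down the subnet simply has no connectivity; the block
# rule above guarantees its packets cannot fall back to the default route.
pass in quick on $iso_if from $iso_net to any route-to ($tun_if $tun_gw)

# The pfSense VM's own encapsulated OpenVPN packets leave from its WAN
# address, not from $iso_net, so they are unaffected by the block rule.
pass out quick on $wan_if proto udp from ($wan_if) to any port 1194
```

In the pfSense GUI the same policy is a rule on the internal interface with the VPN selected as its gateway, plus a block rule for that subnet on the WAN interface.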
Unfortunately I can't recommend anything; however, what you're describing is something that a pfSense (a powerful router software) box could do. The Raspberry Pi, however, couldn't do this in any real sense because it lacks multiple Ethernet ports, and probably the horsepower to run it. If you have an older computer with two NICs you could potentially set something up.
Edit: pfsense
These little guys work well, have AES-NI support, and have 4 NICs + IPMI (aka iLo).
SuperMicro A1SAI-2550F. 4 core Atom with 4 NICs.
SuperMicro A1SAi-2750F. 8 core Atom with 4 NICs.
Here are some speed specs for the Atoms/RAM (the pfSense boxes that are sold use Atom processors): https://www.pfsense.org/hardware/
8 2.4GHz cores + 64GB RAM should get you into wire-speed gigabit land easily on a server with an assload of connections.
The i7 processor is overkill for a router (or so I've read).
If you want to saturate a 1Gb/s connection you MIGHT have a problem with non-Intel NICs (I can't tell from your link who makes the NICs). Several people with less than 1Gb/s connections have reported no problems with Realtek NICs, but the preference for Intel NICs persists.
For a hardware guide look at the pfSense website. The SG-2440 model might suit you and you can use its specs as a guide. It has a dual-core Atom C2358 1.7GHz processor. This processor has QuickAssist and AES-NI which speed up encryption/decryption for VPN throughput. You can get more details about this box at the Netgate website.
If you want to know if an Intel CPU has QuickAssist and AES-NI you can check it at ark.intel.com.
Economically it's only a matter of time till you lose, because that old beast is going to cost you a lot more on the power bill each month than a more modern platform.
It likely will perform just fine, though that depends on what speed you want to support and which pfsense features you want to use.
https://www.pfsense.org/hardware/
says that hardware should get you into hundreds of Mb/s.
What are you wanting to get from your VPN?
Personally, I think pfSense and OpenVPN are a great combination. With my setup I can access my home network anywhere I have my laptop or, with the Android app, on my phone. This means Windows file sharing and Remote Desktop without having to open up my firewall to RDP. I also find it useful when I'm at a customer's site for being able to bypass passive proxy servers (which a couple of clients have set up incorrectly and mess up SSL connections).
I bought one of these bad boys, along with a spare laptop hard drive and setup was a breeze. This particular model has a cooling fan which is a little louder than I like, but it's not in my office anymore so it's not a problem. It has dual gigabit NICs that work with FreeBSD without any additional effort. Can't speak for how they work under serious load since it's only a 48Mb/s connection.
They're generated, you can see the effect live on this website https://www.pfsense.org/ (it's networking software, SFW)
The JavaScript they're using was written by a company called GreenSock; this is their example showcase: http://greensock.com/examples-showcases
If they want reliability and can spend the money for it you can buy routers straight from the pfSense store that even come with a couple of support incidents for free for a year. https://www.pfsense.org/hardware/
Another great perk of pfSense is CARP, which is basically hardware failover in case one of their routers dies. It'd be pricier and it's probably overkill for them, but if they want it, it's an option. If you wanted to go cheap though, grab a pair of EdgeRouter Lites for each office, set up a few IPsec VPN tunnels, configure VRRP and that's $400 in hardware for 2 offices and a rather redundant setup for dirt cheap comparatively.
Honestly I think in this case the client doesn't have a clue what's reasonable in terms of hardware cost to get this set up; don't take that to mean that your coworker was trying to cheap out on it.
Did you look at this page? I have been in the process of pointing all the internal links I can towards that.
There were 2167 lines added and 1951 lines removed to the book in the last 30 days. (We have been focusing on getting 2.3 out during this time though)
You also get access to the archive/library of past hangouts: https://www.pfsense.org/videos/
>Finally the gold subscription isn't easy to add to my wish list for a gift. All of these factors just make it so hard to gift pfSense knowledge.
Unfortunately there isn't a gift card mechanism in place. For now the person would have to sign up and give you the creds... or just give you a $99 gift card for Gold.
Run far away. Source: Did SMB consulting for 8 years.
Try this: https://www.pfsense.org/hardware/
You can also virtualize or whitebox it, the support is amazing, and it simultaneously has more / better features and a simpler interface (dealing with SonicWall ACLs is a massive pain!)
First, check your router to see if this feature is already built in.
If not, you will have to get your own router that has this feature included in software.
I personally use pfSense and it tracks usage 24/7, and with other plugins, I can drill-down that usage per-device on the network.
If you want to install/support it yourself you can just get the box from Netgate. But at least try to add a gold membership to support the project ;)
While it might be a bit of overkill you should look into pfsense. It could take over your router functions as well as dhcp etc etc.
If you wanted to be really fancy you could also then use SNMP to send the data to something like Graphite and Grafana. Here is a thread I created on the pfSense sub to show some of the setups possible, or here is an image if you don't care about others.
>NICs based on Intel chipsets tend to be the best performing and most reliable when used with pfSense software. By comparison Realtek chipsets perform quite poorly. We therefore strongly recommend purchasing Intel cards, or systems with built-in Intel NICs up to 1Gbps. Above 1Gbps, other factors, and other NIC vendors dominate performance.
You can buy pfSense appliances bundled with support now: store.pfsense.org.
It is in far more enterprise environments than you think, people just tend not to advertise what security products they use ;)
edit: and since we are in /r/ccna there is also pfSense University that just launched online training: pfsense.org/university
Just migrated from SonicWall to a pfSense box last week actually. It was very easy to set up. We do have two IPsec tunnels to our AWS VPC, and setting those up was way easier in pfSense than it was in the SonicWall. Mainly because if you buy the hardware from them it comes with a wizard that does everything, even uses the VPC API to set it up on the AWS side.
Web filtering is pretty easy too. You can install Squid and SquidGuard from the pfSense package manager and configure it with a blacklist. This is the one I bought.
Unless you need to quickly tunnel to/through home from any endpoint without installing software/configuring a VPN, then why not just protect all of your services behind a VPN? OpenVPN is fairly trivial to stand up, especially if you use a nice router distro like pfSense.
All of my mobile devices have an OpenVPN client configured to "phone home" and I carry an encrypted USB with openvpnportable on it to access home from any hosts I don't have admin rights to, JIC I don't have my laptop/smartphone and I need to hack the planet/save the world from a robot/alien uprising.
Nah, DD-WRT is easy mode. Hardcore routers run pfSense. It's DD-WRT on steroids. It's x86/64 based so you can throw it on any 'normal' hardware - I use an Atom based 1U server.
Here is a list of appliances straight from pfSense themselves: https://www.pfsense.org/hardware/
Sophos might also do it for you http://www.sophos.com/en-us/products/unified-threat-management/tech-specs.aspx
pfSense is a firewall platform with an integrated OpenVPN server, so unless you intend to use something else as the VPN server you can't really put it in front of or behind pfSense, since pfSense is the VPN server :)
You should look at pfsense: https://www.pfsense.org/ .
It might be a hard sell to you from me and from you to your management, but I think it's a comparable solution in a great deal of IT infrastructures. That said, I don't know your requirements, but I've seen pfSense run on old Pentiums and a couple sticks of RAM for 50+ users without any problems. Once you see the features and compare the cost it's hard to resist pitching it as a viable solution.
That said I specialize in small and medium businesses (under 200 people). I try to find those innovative solutions and this is definitely one of them. I started using it as a stop gap measure myself. Worth a look.
If you want to push any serious amount of traffic through the VPN (50+ Mb/sec) you might want to look at an i3 for the AES-NI crypto acceleration. I would recommend at least 4 GB of RAM for Snort, though this can be controlled with proper selection and tuning of your rules. Quality NICs are also of great importance to ensure that interrupts and processing get pipelined efficiently for maximum throughput. The pfSense Hardware Guide has some sizing considerations and suggestions that are worth reviewing.
Get an older PC and install pfSense.
Pick up an LTE modem supported by pfSense.
If the PC needs it, add an extra Ethernet interface or four.
Change your wifi routers to bridge mode and hook them to your shiny new pfSense router.
This pfSense box can now handle your LTE failover, your VPN stuff and about a zillion more things like ad blocking DNS, selective routing (e.g. some devices over VPN and others not, some devices over cell and others not), logging, intrusion detection, VLAN support, faster throughput, etc...
This will both simplify your setup (fewer devices) and give you way more features.
Go down the rabbit hole!
What sort of processor/hardware are you using and do you have any monitoring happening on the line?
There is a matrix somewhere of hardware recommendations but I do know there are some limitations to bandwidth, based on the processor speed
Edit: https://www.pfsense.org/products/
Multiple cores at > 2.0GHz are required. Server class hardware with PCI-e network adapters.
This is for 501 Mbps+ bandwidth.
Just so I understand....
You're going to host your own VPN service at your friend's house (who I am assuming lives in Canada), use a VPN service on a router, connecting back to that VPN service in Canada.
Unless you plan to terminate the connection on the laptop, which many companies won't let you install random VPN profiles/programs on, you will need to terminate the VPN tunnel on the router.
Laptop -> Router -> Tunnel to router at friend's house -> Router at friend's house -> Out the internet there. A forced tunnel rather than split tunnelling needs to be used, so all traffic goes over the tunnel and out the Canadian internet connection. You shouldn't have any issues using a corporate VPN solution over this VPN tunnel.
I would recommend a hardware purpose built VPN solution. Netgate sells pfSense powered appliances - https://www.pfsense.org/products/
I'm not sure what kind of Internet connection you have, but I recommend having a separate machine do the firewalling. I recommend pfSense, but there are many others.
Since you only have one machine, I assume you probably want to run everything on it. In that case, you can install something like Proxmox. Proxmox Virtual Environment is an open-source server virtualization management platform.
Once you get Proxmox installed, you can then install pfSense. You dedicate two NICs (external and internal) and this allows you to set up a firewall. Once you set up the firewall, you can install a VPN server on it and be relatively secure with it.
You can make other virtual machines in Proxmox, so you could run a Windows Server, Windows 10, another Linux VM, etc.
There is lots to learn, but that should at least give you some reading material. :)
https://www.pfsense.org/about-pfsense/
pfSense® software is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface.
In a nutshell it is a custom operating system that you can install on any PC to turn it into a firewall / router / VPN server.