PenkethBoy (Author) Posted August 21, 2017

> Focus on the basic functions:
> - Admin authentication
> - ISP WAN setup
> - Basic internal default VLAN
> - Firewall best practices for IPv4
> - Firewall best practices for IPv6
> - Pick private IP subnets
> - DHCP IPv4 (and reservations)
> - DHCP IPv6 (normally pass-through)
> - DNS service for IPv4 and IPv6
>
> Then make a backup. Save it off the main system in case of a crash and burn. If you ever have a crash and burn you can keep the flash drive you used to load pfSense to reload it. You get an option to import the backup and be back to your last known good configuration.
>
> Once you are up and running you can focus on enhanced features and expanding the services you host on your firewall:
> - DNSSEC and DNSBL integration (provides enhanced security for DNS queries and blocks queries for known bad network nodes)
> - Automatic blocking of known malicious public IP addresses
> - DDNS service (used to bind your WAN IP address to a domain you own)
> - NTP service (helps ensure that your logs are uniform in log times)
> - SNMP v3 (if you intend on monitoring)
> - Set up a CA for your secondary services
> - VPN to your home when away and you need to access your home resources
> - Private VPN for your home clients to keep your browsing habits private
> - Let's Encrypt ACME client (allows you to get publicly trusted SSL certificates)
> - Reverse proxy to host and protect your internal resources that need to be accessible from the public Internet
> - Squid web proxy with A/V built in
>
> Take good notes. Screenshots also help. You will likely need authentication to third-party services. Make sure that you have a good repository for these accounts. Let us know if you need any help. I have done it more times than I can remember.
>
> Sent from my iPhone using Tapatalk

Yeah, hours of fun. Will be back with questions, I am sure.
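The quoted checklist ends with "make a backup"; that backup (pfSense's config.xml) is also the easiest thing to audit against the checklist before you move on to the extras. The script below is an added example, not code from the thread: it reads a constructed sample backup and flags an admin GUI on plain HTTP, a WAN any-to-any pass rule, a DHCP reservation inside the dynamic pool, and a missing DNS server. The element paths (system/webgui/protocol, filter/rule, dhcpd/*/staticmap, system/dnsserver) follow the layout of a pfSense config.xml but are an assumption here; check them against your own backup.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample backup (not from the thread): a deliberately sloppy first setup.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><protocol>http</protocol></webgui><dnsserver>192.0.2.53</dnsserver></system>
  <filter>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source><destination><any/></destination></rule>
  </filter>
  <dhcpd>
    <lan><enable/><range><from>192.168.10.100</from><to>192.168.10.199</to></range>
      <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.10.150</ipaddr></staticmap>
    </lan>
  </dhcpd>
</pfsense>"""

def in_pool(ip, lo, hi):
    """True when a DHCP reservation address sits inside the dynamic pool lo..hi."""
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(hi)

def audit_config(xml_text):
    """Return a list of findings; an empty list means the checklist items look sane.
    Element paths assume the pfSense config.xml layout (an assumption, not verified here)."""
    root = ET.fromstring(xml_text)
    findings = []
    # Admin authentication: the web GUI should only be served over HTTPS.
    if root.findtext("system/webgui/protocol", "https") != "https":
        findings.append("webgui: admin interface served over plain HTTP")
    # Firewall best practice: WAN stays default-deny, so flag any-to-any pass rules.
    for rule in root.iterfind("filter/rule"):
        if (rule.findtext("interface") == "wan" and rule.findtext("type") == "pass"
                and rule.find("source/any") is not None
                and rule.find("destination/any") is not None):
            findings.append(f"filter: WAN pass rule any->any ({rule.findtext('ipprotocol')})")
    # DHCP reservations: a static map inside the dynamic range can collide with leases.
    for iface in root.iterfind("dhcpd/*"):
        lo, hi = iface.findtext("range/from"), iface.findtext("range/to")
        for sm in iface.iterfind("staticmap"):
            ip = sm.findtext("ipaddr")
            if lo and hi and ip and in_pool(ip, lo, hi):
                findings.append(f"dhcp/{iface.tag}: reservation {ip} overlaps pool {lo}-{hi}")
    # DNS: the box needs at least one resolver configured.
    if root.findtext("system/dnsserver") is None:
        findings.append("dns: no DNS server configured")
    return findings
```

Run `audit_config(open("config.xml").read())` against a real backup to get the same kind of findings list for your own box.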
Guest asrequested Posted August 21, 2017

I really need to look more closely at my VPN options.
Tur0k Posted August 22, 2017

> I really need to look more closely at my VPN options.

I know that pfSense can be configured to connect to the ones I use with the OpenVPN package.

Sent from my iPhone using Tapatalk
Guest asrequested Posted August 22, 2017

> I know that pfSense can be configured to connect to the ones I use with the OpenVPN package.
>
> Sent from my iPhone using Tapatalk

The Unifi has a whole bunch of options. I just don't know what the hell I'm doing, or what they do, lol.
Swynol Posted August 22, 2017

You could also look at Sophos UTM, very similar to pfSense. It also depends what you enable on pfSense as to what hardware you need. When you start adding on VPN, DPI, HTTP and HTTPS scanning it will start to have a bigger hit on CPU. It also depends on your external connection.

With Sophos UTM with everything turned on I was recommended an i3 6100T; it's 35 W and handles my 100/20 line fine. I scan every packet that comes in for malware/viruses, I decode all HTTP and HTTPS traffic leaving my network and log it. I also have intrusion protection on and country blocking. I don't currently use the inbuilt VPN as I use my Unifi setup for that.
PenkethBoy (Author) Posted August 22, 2017

I looked at the next level up of hardware to the mini PC I bought (i5/i7 mobile CPU power) and they remain an option for the future if I run out of horsepower, but they were three times the price, so not a compelling sell at the moment. Besides, I have old unused CPUs and m/b that would be free to build something more powerful with no outlay, although probably not as energy efficient.

If anybody is thinking of doing the same as me then I would suggest watching the videos from Mark Furneaux: https://www.youtube.com/playlist?list=PLE726R7YUJTePGvo0Zga2juUBxxFTH4Bk

I'm part way through Part 5.1 as I don't have the hardware yet, so will finish when the mini PC arrives.

Part 4 is very good for all those who use networks but don't fully understand them (as it's not your day job) - @ - might be worth an hour of your time. Cleared up a few areas for me that I have wondered about but did not have enough interest to investigate further.
PenkethBoy (Author) Posted August 22, 2017

@Swynol so are you using an i3, and is it heavily used with all the options you have enabled? I have a 200/20 line.

pfSense has a lot of plugins available. Not sure how many I might use, but a couple look interesting out of the gate for analysis/reporting, which will probably demand some horsepower. Will have to wait and see.
Tur0k Posted August 22, 2017 (edited)

I currently get Comcast 200 Mbps WAN service to my home; on speed tests I am getting consistent 240 Mbps downloads and 12 Mbps uploads. With all the above working on my firewall mini PC (case looks just about the same as that white one I linked, except mine is black). I have an older Intel 5th gen CPU, an i5-5200U (dual core, hyper-threaded, 2.2 GHz base / 2.7 GHz turbo). It has 8 GB of RAM and a 64 GB SSD. I don't see much CPU or memory being consistently used. My CPU utilization rarely spikes above 4%. Memory only increases if I am running ntop.

My CPU isn't much more powerful than the N3150, and it technically has 2 fewer cores. The 5200U does support hyperthreading and has better L1/L2 management though.

Given my hardware, the only 2 bottlenecks I see are the high average temp, 27.8 Celsius (technically the max temp on my CPU is 105 C). But even an elevated temp will cause my CPU to protect itself and reduce voltage to the CPU to reduce temp. If it becomes a problem I will cut holes in the case and add fans for ventilation. I am kinda glad I didn't get the i7 model.

The other problem I foresee bumping up against would be the Realtek on-board NICs. In practice I prefer Intel/StarTech/Rosewill expansion card NICs. The real-world difference would be 650+ Mbps versus 800+ Mbps sustained throughput over a long period of time, so I won't have trouble with this until I want to do gigabit WAN service.

Sent from my iPhone using Tapatalk

Edited August 22, 2017 by Tur0k
puithove Posted August 26, 2017

I'll just mention this because I think it's kinda funny. Definitely not the ideal hardware, but it demonstrates what can be done. I mainly did it to see if it would work at the time, and it has worked well enough that I've just kept it around.

I previously had pfSense running on a little tiny Atom-based mini PC. Its dual NICs though were crap, and I wasn't able to push enough bandwidth with it. The weak processor also couldn't encrypt packets fast enough for VPN, causing another bottleneck. One day I got fed up and started looking at equipment I had laying around... Spotted an old 2009 Mac Mini. You might be thinking... "But it only has one NIC" - and you'd be right. So since I also run Tomato on my Asus router (really operating as an access point), I had already set up VLANs for my home and guest networks... so I set up another for the cable modem port, and created a trunk port to tag all the VLANs and send them to the single NIC on the mini. So pfSense can receive the tagged VLANs on the single NIC, and route between the ISP and the internal networks.

The old Core Duo and the Intel NIC are able to easily push enough packets for my 100 Mb connection, including VPN encryption. Works better than I thought it would. Fun little experiment has been serving me well enough for a couple of years now.
Swynol Posted August 27, 2017

> @Swynol so are you using an i3, and is it heavily used with all the options you have enabled? I have a 200/20 line.
>
> pfSense has a lot of plugins available. Not sure how many I might use, but a couple look interesting out of the gate for analysis/reporting, which will probably demand some horsepower. Will have to wait and see.

No, the i3 on full load, i.e. using the entire bandwidth, maxes out around 10% CPU. I run ESXi on it and at the moment I only have the UTM on it, but at least I know I have headroom for another VM if I need it.
PenkethBoy (Author) Posted August 29, 2017

Well, the beast has arrived: 8 days from China, and it would have been 6 but for the Bank Holiday weekend.

A few pics for those interested (images not included): Front; Back; Inside (as delivered); Memory and SSD installed (screws to the lid).

Looks well made and feels solid.
Tur0k Posted August 29, 2017

Sweet!!! Let us know how it goes.

Sent from my iPhone using Tapatalk
PenkethBoy (Author) Posted August 29, 2017

Small bonus: although listed as an N3150, the processor is an N3160, a small bump in processor speed and a better (internal) graphics chip. Not that the GPU matters for pfSense.

Just installing Win 10 to stress test, as I have Windows tools and am not familiar with the Linux equivalents.

Appears to be keeping quite cool when under load.
PenkethBoy (Author) Posted September 1, 2017

Well, that was easy: quick install from USB, quick whizz through the basic interface, pick WAN and LAN interface, reboot, log in to web config, follow the wizard, and here I am. 30-45 mins with a bit of double checking of reference docs and videos.

Got lots of config on the billion options to do, but that can wait for a bit.

Bonus is that pfSense is seeing the wifi card, so I have the option of a WiFi interface.

Hardware runs cool. Even after an extended HandBrake run when doing a burn-in it did not get to 45 C; idle at 32 C. The case is slightly warm to the touch as it's the heat sink.

In Win10 the PC was responsive and relatively snappy, so it would be fine as a basic PC for browsing. Tried Emby Server and it's fine.

Just got to fight with my WRT1900ACS to play nice as an access point as it's being a PIA, but that's for tomorrow, or a large hammer.

Happy Camper
PenkethBoy (Author) Posted September 7, 2017

OK, have had my wifi back for a few days after winning the fight with the Netgear 1900ACS to become an AP and not fight with pfSense for ownership of the network.

So, question for the pfSense users out there: what packages do you use with pfSense?

Testing:
1) apcupsd - UPS support
2) pfBlockerNG
3) ntopng - looks amazing

Am also looking at Suricata and Snort.
iamspartacus Posted September 28, 2017 (edited)

Just to touch on a few comments I've seen in this thread.

VPN

pfSense is great for use as an OpenVPN client to a VPN service. I've thought about moving to Sophos UTM (I use it at work) for years, but that's the one feature they don't have that I can't live without. I have 3 always-up client OpenVPN connections to PIA that I've grouped into a single gateway group. I then have firewall rules sending traffic from certain hosts out that gateway group. Works great for getting full-speed 300 Mbps downloads on my line over VPN.

pfSense Hardware

I have a pfSense box at home based off a SuperMicro A1SRi-2758F (Avoton 8-core). It can handle a 300 Mbps OpenVPN connection fully saturated without the CPU jumping above 35%. I also have a pfSense box configured at my parents' house based on a Celeron J1900. Works great. I have a 150 Mbps site-to-site VPN between my house and theirs, and the Celeron easily handles that line speed via VPN fully saturated.

pfSense Packages

I don't run a ton of packages, but I use the following:
- Avahi
- Darkstat
- OpenVPN Client Export
- pfBlockerNG
- Snort
- Squid

Edited September 28, 2017 by iamspartacus