pfsense equivalent of shield in bridge mode

pfsense equivalent of shield in bridge mode

Turrican
Hi all, Shield related (loosely)

I'd really love to build a pfsense box to replace my shield running in bridge. Part of the allure for me of the shield was its (relative) ease of use. I've purchased a 4 nic fanless PC with plenty of power and installed pfsense. I've lost count of the number of guides I've read but can't get it to work the same as the shield. I really want a lot more of my 200mb internet connection to play with but am only getting around 40 with the shield in place. Pfsense seems to be the way to go.

Anyone achieved this? Or have a better suggestion? I'm still using the shield but appreciate its life is probably limited and guess the likelihood of the unit being able to achieve higher throughput is unlikely now that ITUS have gone.

Thanks for reading

Running Bridge Mode
v1.51 SP1 + Hotfix Mar 9

Re: pfsense equivalent of shield in bridge mode

Wisiwyg
I'm playing with this right now, too.

Firstly, on our Shield, Snort is running in 'in-line' mode, meaning it's looking at the live stream. This is due to some magic in the way Shield was designed with Snort running as a softswitch. That's why internet will go down if Snort restarts. The Shield doesn't restart, just Snort.

To do the same thing on a pfSense box, you have to run the latest version of Suricata with the 2.3.X Development version of pfSense. In the 2.3.X version, Released or Development, in-line packet filtering with Suricata is dependent on the latest version of netmap that enables this. This version of netmap doesn't work with older versions of pfSense and doesn't work with Snort - yet. But, this latest version of netmap has its own issues. There is a released version of Suricata (3.1.1) that is supposed to aid in resolving the issue for FreeBSD, which is what pfSense is based on, but that is awaiting release by the package maintainer for pfSense.

Long and short of it... pfSense can't quite equal what the Shield is providing, yet. But it isn't too far off. Plus, it could provide other features, like geographic blocking. Care to block the entire country of Russia, China and Pakistan? Check out pfBlocker-NG for pfSense. You can also add on a VPN service to run this all through. Want to have channel bonding/link aggregation to double/triple throughput? OK.

But all of these features come at a price - it isn't simple to set up or easy to maintain like the Shield.

edit: Suricata 3.1.1 just released today!
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
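For readers trying to reproduce the Shield's in-line behaviour on pfSense/FreeBSD, here is an added example (not from this thread or the pfSense package) of the netmap section of a hand-edited suricata.yaml that places Suricata between two NICs in IPS copy mode; the interface names igb0/igb1 are assumed placeholders for the two bridge-side NICs.

```yaml
# Added example, not the pfSense package's generated config.
# Suricata in-line via netmap: frames entering igb0 are inspected and,
# unless a rule drops them, copied out of igb1, and vice versa. Both
# directions must be listed or reply traffic never comes back.
# Start with:  suricata -c /usr/local/etc/suricata/suricata.yaml --netmap
netmap:
  - interface: igb0          # assumed: WAN-side NIC of the bridge
    threads: auto
    copy-mode: ips           # 'ips' enforces drop rules; 'tap' only copies through
    copy-iface: igb1
    disable-promisc: no
    checksum-checks: auto    # NIC offload can produce bad checksums on copied frames
  - interface: igb1          # assumed: LAN-side NIC of the bridge
    threads: auto
    copy-mode: ips
    copy-iface: igb0
    disable-promisc: no
    checksum-checks: auto
```

Only signatures whose action is drop actually block in this mode; plain alert rules just log, so the rules you want enforced must be converted to drop. As the thread notes, netmap also needs a FreeBSD/pfSense release that supports it, so check the package version before expecting the service to start.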

Re: pfsense equivalent of shield in bridge mode

Turrican
Thanks for the response. As I suspected. I guess if it was easy, the shield would not have been born :)

I'll keep using it for now until such times as I can figure out pfsense/Suri or a good guide emerges to help out.

If you do manage to get Suri running in-line, and you care to share your experiences, that would be greatly appreciated!

Thanks again for your response.

Running Bridge Mode
v1.51 SP1 + Hotfix Mar 9

Re: pfsense equivalent of shield in bridge mode

Wisiwyg
An update... The package maintainer has just released a 'beta' version for pfSense 2.3.3_development using the latest Suricata 3.1.1_1. Still not ready for prime-time, but slowly getting there.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: pfsense equivalent of shield in bridge mode

Turrican
Great news! Thanks for the update

Running Bridge Mode
v1.51 SP1 + Hotfix Mar 9

Re: pfsense equivalent of shield in bridge mode

Wisiwyg
So, it looks like a fork of pfSense, OPNSense, has Suricata 3.1.1 working as its primary IDS engine, not Snort as pfSense has. Details here: https://opnsense.org/

I'm trying it out now on a separate i5 box...
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: pfsense equivalent of shield in bridge mode

breda
Hi Wisiwyg, what kind of box are you using? pfSense, OPNSense?

Thanks

Re: pfsense equivalent of shield in bridge mode

Turrican
In reply to this post by Wisiwyg
Sounds great Wisiwyg, going to try this out.

Running Bridge Mode
v1.51 SP1 + Hotfix Mar 9

Re: pfsense equivalent of shield in bridge mode

Wisiwyg
In reply to this post by breda
breda wrote
Hi Wisiwyg, what kind of box are you using? pfSense, OPNSense?

Thanks
I was using pfSense for months, going along with each update. But the Suricata implementation has been lagging behind. So when I read about the OPNSense version, I clean installed over the pfSense installation.

My box is a SFF Dell Optiplex 790 i5 quad, 3.1ghz, 8gb, 240gb SSD, dual & single Intel NICs. It's kind of overkill, but I wanted to also add on a VPN later and didn't want to start on something that didn't have the horsepower to crunch everything.

So far, the OPNSense installation has been relatively easy to set up and tweak to get everything running. I have the GeoIP and Suricata IPS components turned 'on' and they seem to be working. The GeoIP part simply blocks entire countries - Russia, Ukraine, China, India, Pakistan - you get the picture. The Suricata component then examines what's left.

It isn't in 'production' yet - playing with it on a DMZ port passthrough. But it seems to be functioning in straight-up router mode. I haven't investigated bridge mode yet, but will eventually want that so I can keep the Parental Control functions of my Asus AC68U router that I really, really like.

My Shield is still in place and it still 'dies' as Snort hits some memory limit and restarts. It's very annoying and inconvenient at times, such that I simply pull the plug and bypass the Shield. I later go back and plug it back in.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode

Re: pfsense equivalent of shield in bridge mode

user8446
Administrator
Hopefully OPNSense will have other architectures besides x86 soon! It seems very polished, more so than PFSense.

Wisywig -

How did you determine the Snort resets were a memcap issue? The few times I have seen it nothing logs and I haven't figured it out.
Still waiting for someone to update snort to the latest version on OpenWRT or Lede as there have been many bugfixes since 2.9.7.2
Running in bridge mode, 1.51 SP1 fw

Re: pfsense equivalent of shield in bridge mode

Wisiwyg
user8446 wrote
Hopefully OPNSense will have other architectures besides x86 soon! It seems very polished, more so than PFSense.

Wisywig -

How did you determine the Snort resets were a memcap issue? The few times I have seen it nothing logs and I haven't figured it out.
Still waiting for someone to update snort to the latest version on OpenWRT or Lede as there have been many bugfixes since 2.9.7.2
Yes, that's part of the problem... I don't see anything leading up to it in the logs - it just shows a restart. So IDK for sure. I'd love to see Snort updated on OpenWRT / LEDE, or someone get the updated Snort working on our setup. I really like the Shield, the concept of what it should do, but would like to have trouble-free function.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode