Hi all, Shield related (loosely)
I'd really love to build a pfSense box to replace my Shield running in bridge. Part of the allure for me of the Shield was its (relative) ease of use. I've purchased a 4-NIC fanless PC with plenty of power and installed pfSense. I've lost count of the number of guides I've read but can't get it to work the same as the Shield. I really want a lot more of my 200mb internet connection to play with but am only getting around 40 with the Shield in place. pfSense seems to be the way to go. Anyone achieved this? Or have a better suggestion? I'm still using the Shield but appreciate its life is probably limited and guess the likelihood of the unit being able to achieve higher throughput is unlikely now that ITUS have gone. Thanks for reading
Running v2 Firmware
I'm playing with this right now, too.
Firstly, on our Shield, Snort is running in 'in-line' mode, meaning it's looking at the live stream. This is due to some magic in the way Shield was designed with Snort running as a softswitch. That's why internet will go down if Snort restarts. The Shield doesn't restart, just Snort.

To do the same thing on a pfSense box, you have to run the latest version of Suricata with the 2.3.X Development version of pfSense. In the 2.3.X version, Released or Development, in-line packet filtering with Suricata is dependent on the latest version of netmap that enables this. This version of netmap doesn't work with older versions of pfSense and doesn't work with Snort - yet. But, this latest version of netmap has its own issues. There is a released version of Suricata (3.1.1) that is supposed to aid in resolving the issue for FreeBSD, which is what pfSense is based on, but that is awaiting release by the package maintainer for pfSense.

Long and short of it... pfSense can't quite equal what the Shield is providing, yet. But it isn't too far off. Plus, it could provide other features, like geographic blocking. Care to block the entire country of Russia, China and Pakistan? Check out pfBlocker-NG for pfSense. You can also add on a VPN service to run this all through. Want to have channel bonding/link aggregation to double/triple throughput? OK. But all of these features come at a price - it isn't simple to set up or easy to maintain like the Shield.

edit: Suricata 3.1.1 just released today!
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
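As an added illustration of the in-line (IPS) mode the post above describes, and not configuration taken from the post or from the pfSense/OPNsense packages, this is the netmap section of a stock suricata.yaml that puts Suricata in the forwarding path between two NICs, the same role the Shield's bridge mode plays; the interface names em0 and em1 are assumptions and must match the box.

```yaml
# Added example: netmap in-line (IPS) capture for Suricata on FreeBSD/pfSense.
# Assumes two NICs, em0 facing the WAN side and em1 facing the LAN side.
netmap:
  # Frames arriving on em0 are inspected, then copied to em1 ...
  - interface: em0
    threads: auto
    copy-mode: ips      # "ids" only sniffs a copy; "ips" makes Suricata the path
    copy-iface: em1
  # ... and frames from em1 are inspected, then copied to em0,
  # so the pair behaves as a transparent bridge with Suricata in the middle.
  - interface: em1
    threads: auto
    copy-mode: ips
    copy-iface: em0
```

Suricata is started against this section with `--netmap`, and in this mode only rules whose action is `drop` actually block (plain `alert` rules still just log, as in IDS mode). Because Suricata itself is the bridge, a restart or crash of the daemon stops traffic between em0 and em1, which is the same behaviour the post describes for Snort on the Shield.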
This post was updated on Aug 02, 2016; 12:17pm.
Thanks for the response. As I suspected. I guess if it was easy, the shield would not have been born :)
I'll keep using it for now until such time as I can figure out pfSense/Suri or a good guide emerges to help out. If you do manage to get Suri running in-line, and you care to share your experiences, that would be greatly appreciated! Thanks again for your response.
Running v2 Firmware
An update... The package maintainer has just released a 'beta' version for pfSense 2.3.3_development using the latest Suricata 3.1.1_1. Still not ready for prime-time, but slowly getting there.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
Great news! Thanks for the update
Running v2 Firmware
So, it looks like a fork of pfSense, OPNSense, has Suricata 3.1.1 working as its primary IDS engine, not Snort as pfSense has. Details here: https://opnsense.org/
I'm trying it out now on a separate i5 box...
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
Hi Wisiwyg, what kind of box are you using? pfSense, OPNSense?
Thanks
In reply to this post by Wisiwyg
Sounds great Wisiwyg, going to try this out.
Running v2 Firmware
In reply to this post by breda
I was using pfSense for months, going along with each update. But the Suricata implementation has been lagging behind. So when I read about the OPNSense version, I clean installed over the pfSense installation. My box is a SFF Dell Optiplex 790 i5 quad, 3.1GHz, 8GB, 240GB SSD, dual & single Intel NICs. It's kind of overkill, but I wanted to also add on a VPN later and didn't want to start on something that didn't have the horsepower to crunch everything.

So far, the OPNSense installation has been relatively easy to set up and tweak to get everything running. I have the GeoIP and Suricata IPS components turned 'on' and they seem to be working. The GeoIP part simply blocks entire countries - Russia, Ukraine, China, India, Pakistan - you get the picture. The Suricata component then examines what's left. It isn't in 'production' yet - playing with it on a DMZ port passthrough. But it seems to be functioning in straight-up router mode. I haven't investigated bridge mode yet, but will eventually want that so I can keep the Parental Control functions of my Asus AC68U router that I really, really like.

My Shield is still in place and it still 'dies' as Snort hits some memory limit and restarts. It's very annoying and inconvenient at times, such that I simply pull the plug and bypass the Shield. I later go back and plug it back in.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
Administrator
Hopefully OPNSense will have other architectures besides x86 soon! It seems very polished, more so than PFSense.
Wisiwyg - How did you determine the Snort resets were a memcap issue? The few times I have seen it nothing logs and I haven't figured it out. Still waiting for someone to update Snort to the latest version on OpenWRT or LEDE, as there have been many bugfixes since 2.9.7.2.
Running the latest OpenWrt stable release
Yes, that's part of the problem... I don't see anything leading up to it in the logs - it just shows a restart. So IDK for sure. I'd love to see Snort updated on OpenWRT / LEDE, or someone get the updated Snort working on our setup. I really like the Shield, the concept of what it should do, but would like to have trouble-free function.
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
Free forum by Nabble