Pfsense firewall in Production

nev_neo

Hey All,
I am sort of new to Linux-based firewalls, although I have played around with iptables a while back.
I was planning on replacing our ASAs at one of our backup centers with a couple of pfsense firewalls. Now I'm sure hardware-wise I'll be fine (using old Dell PowerEdge servers), but what I am concerned about is the actual firewall capability.

Would I be able to do 1-1 NAT on the pfsense and also make sure only certain ports are allowed access?
I've read someplace that 1-1 NAT circumvents the firewalling and opens all ports up.

Let me know what you Gurus think.
 
Meh, Linux, NetBSD, they're still *nix-based. Close enough for the OP's usage.

And 1:1 NAT for your scenario just creates the traffic association between a single or multiple external IPs to a given internal IP. It doesn't necessarily open up anything, just a traffic director.
 
Thanks for the replies guys.

Has anybody here used Pfsense as a firewall for a public class C network?
 
I use two pfsense boxes in active/standby mode to protect a public slash-28. It works great for my needs, although the data center only has 100 megabit links upstream so I haven't been able to give them more than 100mbit/sec of traffic.

You can set up firewall rules to block everything except a few select protocols and ports, do 1:1 static NAT, and all that from its web configuration interface.
 
Christopher,
That is exactly what I need to do - except this is for a /24 network.
Initially it will be 100mbit up/down, but eventually we might need to go higher.
I had planned on using dual ASA 5520s (failover) but I would rather use pfsense with its Snort capabilities.
Would a dual-proc Dell 1650 running P-III Xeons at 1.4 GHz and 2 GB RAM be able to handle it?

Also, does pfsense make use of whitelists?
I did set up a VM running pfsense 2.0.1 but didn't really play with all the settings.

CARP - would I need to redo all settings in the failover server too, or would it get all info from the primary?
 
Regarding physical horsepower: a box with half the specs of the Dell 1650 would still be enough, until you add Snort to the equation. Might look down the road at bumping up the RAM after install and configuration to be safe.

Whitelists? In what way? With Snort? Basic IP ACLs?
 
I was planning on replacing our ASA's.

OMG, the Cisco guys in here are gonna rage and punch babies, and kill kittens. It's all your fault.

As far as specs.... If all you're doing is routing/firewalling, that server is plenty fine. Unfortunately pfsense is single-threaded, so that 2nd core will go to waste until you install some add-on packages. Pretty sure Snort will use that 2nd core. Snort's a memory hog too :(
 
Nate7311 - Whitelists would be external IPs that do not get filtered/firewalled by pfsense/snort.

jadams - that's interesting, did not know Snort is a memory hog.
How bad would the performance hit (if any) be?
 
You should be able to exempt certain IPs in the firewall rule setup. No problem.

Regarding Snort, it depends on the number of connections and the complexity. It does need a fair amount of RAM.

Why the change away from the ASAs? Moving to something you are more familiar with, or is there a limitation that you are fighting?
 
The ASAs don't have any IDS/IPS - and we don't have the budget to purchase that.

Might need to move back though - once the NEED for IPv6 becomes unavoidable.
 
Thanks for the replies guys.

Has anybody here used Pfsense as a firewall for a public class C network?

Do you mean class C or /24? It should work fine.

I know someone else doesn't care about the difference between Linux/FreeBSD based firewalls, but they are vastly different....
 
Do you mean class C or /24? It should work fine.

I know someone else doesn't care about the difference between Linux/FreeBSD based firewalls, but they are vastly different....
Isn't Class C = /24?
And I apologize for implying pfsense is Linux. Can we move on now?
 
OMG, the Cisco guys in here are gonna rage and punch babies, and kill kittens. It's all your fault.

As far as specs.... If all you're doing is routing/firewalling, that server is plenty fine. Unfortunately pfsense is single-threaded, so that 2nd core will go to waste until you install some add-on packages. Pretty sure Snort will use that 2nd core. Snort's a memory hog too :(

Even v2 is single-threaded? Would the core OS not be SMP by default?
 
LOL.. some people :rolleyes:

Anyways... Back on topic: been playing around with pfsense on a local VM... liking it a LOT.
Still need to deploy in a test environment and hook up real servers behind it.
Another question - does anyone know of a faster way of creating rules and exporting/importing them in pfsense?
 
LOL.. some people :rolleyes:

Anyways... Back on topic: been playing around with pfsense on a local VM... liking it a LOT.
Still need to deploy in a test environment and hook up real servers behind it.
Another question - does anyone know of a faster way of creating rules and exporting/importing them in pfsense?

This one I can answer... not really.
The only 'faster' way is if you set up stuff like NAT translations or port redirections first; it should then create the rules for you.

I used to run OpenBSD w/ pf and now moved to pfsense. It took me MANY MANY hours (probably 10-20) to implement all my rules, redirections, NAT translations, static bidirectional NAT, etc., but it was well worth it.
 
I was a little concerned about the dual PIII Xeons.

I've read that 2.0 GHz Atom processors on PFsense running Snort top out at around 70Mbps in each direction.

So I would assume that a 1.4 GHz PIII Xeon should be fine for a 100mb connection, but may run out of steam when OP upgrades.

From the same source, a single-core Pentium M 2.0 GHz with a 533 MHz bus will top out around 270mbps in the same setup.

An i3 2100T can handle just over a gigabit connection.
 
You can edit the config file directly, or write a script to output a rule to the correct XML format... so yes if you want to spend a bit of time you could easily speed up rule implementation if you have tons of rules. Once you have the rules set up, it's trivial to move them to a new box or share them to the CARP backup node.

And yes, I have a CARP cluster that is providing firewalling/routing for a public /24, /27, and a /28 (from three different providers). Works great.
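Two points in this thread lend themselves to a worked illustration: 1:1 NAT only maps an external address to an internal one, so the WAN rules still decide which ports actually reach the host (the "it doesn't open anything" answer earlier), and rules can be scripted straight into the XML config rather than clicked in one at a time (the post just above). The following Python script is an added example, not code from this thread or from the pfSense project. It generates pass rules in a layout modelled on pfSense's config.xml (`<filter><rule>` with `<type>`, `<interface>`, `<ipprotocol>`, `<protocol>`, `<source>`, `<destination>`, `<address>`, `<port>`, `<descr>`), and then audits those rules against a list of 1:1 NAT mappings to report exactly what each public IP exposes and to flag rules that are broader than a single host and port. The element names and the sample addresses are assumptions; compare the output with a config exported from your own box before importing anything.

```python
"""Generate pfSense-style filter rules as XML and audit them against 1:1 NAT
mappings.  Added example, not pfSense's own tooling: the element layout is
modelled on pfSense's config.xml and is an assumption, so compare it with a
config exported from your own firewall before relying on it."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Rule:
    action: str      # "pass" or "block"
    interface: str   # e.g. "wan"
    protocol: str    # "tcp", "udp" or "any"
    dst: str         # destination host address, or "any"
    dst_port: str    # "443", "22" or "any"
    descr: str


def rules_to_xml(rules):
    """Serialize rules as a <filter> element with one <rule> child each."""
    filt = ET.Element("filter")
    for r in rules:
        rule = ET.SubElement(filt, "rule")
        ET.SubElement(rule, "type").text = r.action
        ET.SubElement(rule, "interface").text = r.interface
        ET.SubElement(rule, "ipprotocol").text = "inet"
        if r.protocol != "any":            # no <protocol> element means any protocol
            ET.SubElement(rule, "protocol").text = r.protocol
        ET.SubElement(ET.SubElement(rule, "source"), "any")
        dst = ET.SubElement(rule, "destination")
        if r.dst == "any":
            ET.SubElement(dst, "any")
        else:
            ET.SubElement(dst, "address").text = r.dst
        if r.dst_port != "any":            # no <port> element means every port
            ET.SubElement(dst, "port").text = r.dst_port
        ET.SubElement(rule, "descr").text = r.descr
    return ET.tostring(filt, encoding="unicode")


def audit_nat_exposure(xml_text, nat_map, interface="wan"):
    """For each 1:1 NAT pair {external: internal}, list what the pass rules on
    `interface` admit and flag over-broad ones.  pfSense applies inbound NAT
    before filtering, so a WAN rule names the internal address as its
    destination; the external address is accepted as well to be safe."""
    root = ET.fromstring(xml_text)
    report = {}
    for ext, internal in nat_map.items():
        allowed, warnings = [], []
        for rule in root.iter("rule"):
            if rule.findtext("type") != "pass" or rule.findtext("interface") != interface:
                continue
            dst = rule.find("destination")
            proto = rule.findtext("protocol") or "any"
            port = dst.findtext("port") or "any"
            descr = rule.findtext("descr") or "(no description)"
            if dst.find("any") is not None:
                # An any-destination pass rule reaches every NATed host, not just one.
                warnings.append(f"pass rule '{descr}' matches any destination, so it reaches {ext} too")
            elif dst.findtext("address") not in (ext, internal):
                continue
            if port == "any":
                warnings.append(f"pass rule '{descr}' opens every {proto} port on {ext}")
            allowed.append((proto, port))
        report[ext] = {"allowed": allowed, "warnings": warnings}
    return report


# Constructed sample: two 1:1 mappings and three WAN rules, one deliberately too broad.
SAMPLE_NAT = {"203.0.113.10": "10.0.0.10", "203.0.113.11": "10.0.0.11"}
SAMPLE_RULES = [
    Rule("pass", "wan", "tcp", "10.0.0.10", "443", "HTTPS to web server"),
    Rule("pass", "wan", "tcp", "10.0.0.10", "22", "SSH to web server"),
    Rule("pass", "wan", "any", "10.0.0.11", "any", "Everything to mail host (too broad)"),
]

if __name__ == "__main__":
    xml_text = rules_to_xml(SAMPLE_RULES)
    for ext, result in audit_nat_exposure(xml_text, SAMPLE_NAT).items():
        print(ext, "allows", result["allowed"])
        for w in result["warnings"]:
            print("  WARNING:", w)
```

Run it as-is and the first public IP reports only TCP 443 and 22, while the second gets a warning because its single rule admits every protocol and port, which is the "1:1 NAT opens everything" situation the OP was worried about, caused by the rule rather than by the NAT entry. Feeding the audit function an actual exported config.xml (after confirming the element names match) is the quick way to check a hand-built rule set before cutting over from the ASAs.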
 
pfsense is awesome. It should be able to do everything the business routers can. It will even do QoS, VLANs, 1:1 NAT, multiple interfaces, you name it.

Snort will work fine on a Pentium 3 with like 128MB of RAM, so while it does have a certain footprint, it's nothing that serious. The main issue I had with Snort is a lot of false positives. If you are really serious about wanting it working, you can probably tweak it to the point where it won't cause issues.
 
I was a little concerned about the dual PIII Xeons.

I've read that 2.0 GHz Atom processors on PFsense running Snort top out at around 70Mbps in each direction.

So I would assume that a 1.4 GHz PIII Xeon should be fine for a 100mb connection, but may run out of steam when OP upgrades.

From the same source, a single-core Pentium M 2.0 GHz with a 533 MHz bus will top out around 270mbps in the same setup.

An i3 2100T can handle just over a gigabit connection.

i3 with 4-8 gig RAM and some nice Intel NICs = powerful FW
 
Then, robstar, what is pfsense based on? Because last time I checked it was based on FreeBSD, which is unix/linux.
Please, get your facts right. Just because Linux wants to be UNIX and FreeBSD is UNIX doesn't mean that FreeBSD is Linux.
 
This pissing match is getting pretty far away from the OPs question. We've established that PFSense is based on FreeBSD and is the preferred OS for a firewall...
 
This pissing match is getting pretty far away from the OPs question. We've established that PFSense is based on FreeBSD and is the preferred OS for a firewall...

No kidding....holy derailment batman, splitting hairs. That's why I just call it "*nix"...be general about it, and move on...bigger and better and most importantly more interesting things to talk about.
 
TCM, didn't you see I said UNIX? Look before you open your mouth. I said unix/linux mixture, so don't be barking up the wrong tree, buddy.

Please, get your facts right. Just because Linux wants to be UNIX and FreeBSD is UNIX doesn't mean that FreeBSD is Linux.
 
Even v2 is single-threaded? Would the core OS not be SMP by default?

Sorry, didn't see this the first time around. Yes, with v2 on a dual-core machine you won't see CPU usage go above 50% (25% for a quad-core, etc...). That's where it will max. To me that means it's single-threaded.

I think snort and some other packages might utilize a 2nd core.
 
i3 with 4-8 gig RAM and some nice Intel NICs = powerful FW
I run exactly this and it will route gigabit wirespeed without issue. But PCI-E is needed.

PFSense on a dual core Atom 525 with Intel NICs did ~230 megs throughput without Snort, still ~205 megs throughput with IDS cranked up.
http://www.smallnetbuilder.com/secu...uild-your-own-utm-with-pfsense-part-4?start=1
Even without Snort I've found the PCI bus starts to hold you back at around 400-500mbps.
 
Sorry, didn't see this the first time around. Yes, with v2 on a dual-core machine you won't see CPU usage go above 50% (25% for a quad-core, etc...). That's where it will max. To me that means it's single-threaded.

I think snort and some other packages might utilize a 2nd core.
IIRC it's the BSD version currently used that makes it single-threaded.
 
I run exactly this and it will route gigabit wirespeed without issue. But PCI-E is needed.

My project green is getting a new mainboard, CPU and RAM with a PCI-E NIC. Going with an i3, using my spare 8 gig stick and 60 gig SSD, in my green case, and will continue with Untangle :)

Just looking around for the board though.
 
@op:

I now have 2 pfsense firewalls up... 2.0.1 with IPv4 only and 2.1.0 snapshot with 2 IPv6 tunnels. IPv4 is flawless. The IPv6 snapshot (not stable) still needs a few bugs worked out...
 
I would have thought BSD would have been multithreaded from the start, like most *nix versions since the beginning of time, almost.

It is - and things that run in the userland can take advantage of that.

However, pf, ipfw, and other firewall packages run in kernel mode - they have to, since the kernel provides IP routing services. I'm not aware of any general purpose operating systems that support multithreaded kernel-mode code.

Which is wrong. Your point?

In a multiple choice test, you don't get to tick all the answers and then proclaim "Yeah, but the correct answer was in there!"


Exactly. FreeBSD is a *nix operating system. However, FreeBSD is not Linux. So the original statement that it's a 'unix/linux mixture' is just completely wrong, since there is no Linux code at all.
 
It is - and things that run in the userland can take advantage of that.

However, pf, ipfw, and other firewall packages run in kernel mode - they have to, since the kernel provides IP routing services. I'm not aware of any general purpose operating systems that support multithreaded kernel-mode code.

Exactly. FreeBSD is a *nix operating system. However, FreeBSD is not Linux. So the original statement that it's a 'unix/linux mixture' is just completely wrong, since there is no Linux code at all.

I remember getting an option at install to install the SMP kernel (pfsense 2.0.1)

Seems to work OK?
 
I remember getting an option at install to install the SMP kernel (pfsense 2.0.1)

Seems to work OK?

Right - Linux and FreeBSD kernels support SMP. However, that only applies to user-mode programs, like Firefox, Apache Web Server, and MATLAB.

Packet routing (and therefore, filtering) are performed in the kernel-space of an operating system. This is the part of a (monolithic) operating system that actually supports multiple threads. However, as I recall, the kernel-mode packet routing and filtering cannot be threaded, so therefore, that will not scale up with multiple CPUs.
 