Need insight for setting up pfSense to my existing business network.

Kert (n00b, joined Oct 26, 2014, 16 messages)
Hello everyone,

My message might look long, and that's because I tried to put every piece of information in it so everyone can benefit from it and to minimize questioning and answering overall. But if you have anything to ask, please do.

This looks like a great community, I am new here and hopefully I will be around here from now on.

I have been researching heavily to build a system for our business network at the office which will enable me to (short-term goals):
- block porn, YouTube, etc. (basic firewall)
- see how much each IP/computer in the network downloaded and uploaded overall (traffic monitor)

I also have long-term goals:
- set up a VLAN (where I can use the internet to act like I am in a local network)
- sniffing features for emails, Skype, Facebook chat (not necessary)
- setting a policy for not letting office computers install software (might not be related to pfSense)

In my research it looked like pfSense was the correct decision for the long term. Although, it's not easy for me to configure and set up.

Personally, I am not very good at Linux and networking. So I am trying to break this into steps so I can install it on the network without creating havoc and then configure it to reach my short-term goals.

So, I will give detailed information about my current network setup. (I didn't set up the current network, but still feel free to judge and criticize.)
Here is the network diagram I drew:
http://i60.tinypic.com/j0e3jn.png
http://www.image-share.com/ijpg-2728-181.html

Please let me know how I can hook pfSense into the network without problems.

Current IPs of clients are like 10.0.0.25, so we are using a DHCP server at 10.0.0.1. I believe it's the DHCP feature of the Windows 2003 Server that we have. So that IP, 10.0.0.1, is what we use to run programs from the server.

I can change the IPs of the computers that will be given by pfSense, although I will have to configure the ERP software that we use so it gives access to the IP. This part is not hard, so I want to give the best IP networking structure possible for the long term.

The router I am using has its DHCP setting turned off, and the NAT setting is activated just for port forwarding, which is no big deal.

The hardware of my pfSense box is (pfSense installed):
Pentium 4
1 GB RAM
40 GB HDD
1 Realtek Ethernet card
1 onboard Ethernet port
(I can get another Ethernet card if necessary)

Is this hardware enough to handle 16 computers + 1 server? We don't have high internet traffic, so I assume it will be enough, at least for the only 2 features that I will use, which I stated above. Please criticize.

With the current system's second modem/router (2), we are just exporting information from the server to send it to our B2B e-commerce website. So, I guess it's best that I also hook that to pfSense, but I don't have to do it right away. My first goal is to hook pfSense into the network without any change to daily usage; then I will start configuring.

The current router (1)'s IP is 10.0.0.10, and I have pfSense on 10.0.0.100 (which is not connected to the network).

My WAN IP on pfSense is 192.168.2.224.

I have researched a lot, but as you guys can see I have some unique conditions; that's why I need insights from experienced users so I can set this up correctly.

Maybe it's too easy to set up (fix the IPs of the clients, fix the ERP config for the new IPs, allow all traffic to run through without any rules before configuring), but I just act paranoid because I prefer to foresee a possible error that might come up.

I lack the experience and depth of knowledge about pfSense, so I can't make a step-by-step setup guide myself. I ask for your help.

Thank you very much in advance.

Note: feel free to advise anything related to any information in this post or ask me any question you want.
I apologize for my syntax and grammar.

Respectfully,
Mert
 
this may not be the best opportunity to play around with pfsense, if you don't have the knowledge to deploy a router (all pfsense is), i probably wouldn't use a business network as your guinea pig, especially if you're nervous about downtime...

why not try pfsense in your home environment first?


if you're adamant about deploying at this office, just configure it the same way your router is currently, with the same LAN and WAN IP.... then just unplug your router and plug this in....


just from the tiny bit of information you're sharing, i see a few problems with your network... first, it looks like you're double nat, if your router WAN ip is 192.168.x.x and your LAN ip is a 10.x.x.x, you've got double nat here... not ideal

your edge routing device (the size of your network is such that you really only need a single routing device) should have a public ip address

also, "block porn, youtube" is not really a function of a basic firewall.... well, maybe blocking youtube.... these are the features of a more robust system, to get this functionality out of pfsense you should be looking at installing squid proxy and configuring a web filter for it....

again, i would not recommend playing around with this on a live business network

also, your "sniffing" features, probably can't be done as most of those sites you're listing are https sites...

also, yes, you won't be able to control what software people are installing with pfsense, that would be a function of your domain controller (if you have one) or something installed on your workstations...

also i think you're confusing VLAN with VPN....

also, your diagrams don't really match, which is kind of confusing
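The double-NAT point above (a router whose WAN side carries a 192.168.x.x address while the LAN is 10.x.x.x) and the "same LAN and WAN IP" swap-in advice both come down to checking the address plan before a box goes in. The following script is an added example, not code from the thread or from pfSense: it classifies an edge router's WAN address against the RFC 1918 and RFC 6598 ranges and flags an overlapping LAN/WAN subnet, which is the other mistake that bites when a replacement router is configured by hand. The addresses used are the ones the first post gives (WAN 192.168.2.224, LAN 10.0.0.0/24); the /24 WAN prefix and the function names are assumptions.

```python
import ipaddress

# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range. A WAN
# address inside any of these means another device upstream is also
# translating, i.e. the edge is behind a second NAT.
NON_PUBLIC = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def is_public(addr):
    """True if addr is outside every private / CGNAT range listed above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC)


def check_edge(wan_addr, lan_cidr):
    """Return a list of (code, message) findings for a single edge router.

    wan_addr is the WAN interface address with its prefix (e.g. "192.168.2.224/24",
    prefix length assumed here); lan_cidr is the inside subnet ("10.0.0.0/24").
    """
    findings = []
    wan = ipaddress.ip_interface(wan_addr)
    lan = ipaddress.ip_network(lan_cidr, strict=False)

    if not is_public(wan.ip):
        findings.append((
            "double-nat",
            "WAN address %s is not public, so an upstream device is also doing NAT; "
            "expect broken port forwards and UPnP, and put the upstream modem in "
            "bridge mode or give this router the public address" % wan.ip,
        ))

    if wan.network.overlaps(lan):
        findings.append((
            "overlap",
            "WAN subnet %s overlaps LAN subnet %s; routing between the two sides "
            "becomes ambiguous, so renumber one of them" % (wan.network, lan),
        ))

    return findings


if __name__ == "__main__":
    # Values from the original post; the WAN prefix length is assumed.
    for code, msg in check_edge("192.168.2.224/24", "10.0.0.0/24"):
        print("[%s] %s" % (code, msg))
```

Run it with the poster's addresses and it reports the double NAT and nothing else; swap in a public WAN address (for instance one from the 203.0.113.0/24 documentation range) and the list comes back empty, which is the state goodcooper is recommending.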
 
Hi, goodcooper.

Thank you for taking time.

The second modem was missing from the diagram because it's not related to the LAN or network; it just exports information from the server and uploads it to our B2B e-commerce site. I did not want to hook it to pfSense at first. And the floor was missing on the old diagram, so just to show the hub I made another one with floors.

So you would advise I put my router in passthrough mode? But my modem might not support it.
 
How big is your business? Most businesses use something like Cisco or Juniper for the router & firewall, and run a proxy to block unwanted content. A "basic firewall" doesn't inspect for porn sites.

I'd look at setting up a proxy to do web filtering on your current server. There are free products like Squid/Dansguardian. However, having a business, I'd call up Websense or someone like that and have a supported, installed product.

Another option is to get something like a Sophos UTM. You can buy one from a reseller that will install & support the device for you. It will do everything in one perimeter device (good AV, IPS, web filtering, firewalling, DNS/DHCP, routing, etc). If it's a small office, you can probably get away with one of their smaller appliances, which start out under $500.

You'll pay more for a commercially supported device, but in the long run if your business is important to you, time (and downtime) is money. You can spend your time focusing on your business, instead of hacking your way through something you don't know.

This isn't to say you shouldn't learn, but let the pros handle your network while you learn at home. If you went with a Sophos device, you can set up the free home edition at your house. You can pay for a reseller to support the device until you're comfortable enough to take over after you've had enough time with it at home.
 
Instead of something as technical as PFSense, why not use Untangle? It'll provide much of functionality that you're looking for.
 
Hey Boss ,

I checked Untangle and I think its free version does not have traffic monitoring (how much download and upload was made by each PC), which I need.

Am I wrong?

Also, I guess it needs more hardware and I specified my hardware in my first post. Do you think, it will be ok for 16-17 pc and a server?
 
Hello Iroc,

Thank you for your input and time.

As I stated in my first message, we have 16-17 PCs and a server.
I think I should've explained what the term ''basic firewall'' meant for me, so we can have mutual terms for clean communication. What I meant was not using complex features of the firewall (pfSense). All I need is ''porn, Facebook, YouTube'' blocking in this context.

You can use Squid and SquidGuard in pfSense. Web filtering is not critical; I just wanted to use it because pfSense already has it in the package, or at least an infrastructure to install it.

I live in the Middle East. Sophos is not serving here. Although even if it did, I would prefer to use pfSense first to try whether I can be satisfied with a free product.

For now the reason I chose pfSense is that it has a traffic monitor and web filtering. Also it has long-term capabilities.

What would you guys offer me for traffic monitoring over the LAN? Also check my network diagram if you want.
 
Are you looking for just a bandwidth monitor or traffic/packet inspection? If just looking for a bandwidth monitor then you can look to Solarwinds (free for 30 days then you need to pay for it) or look at Networx (https://www.softperfect.com/products/networx/). There are also Nagios, Cacti, and NTop, which are some of the best ones out there. They are free, and require a bit of Linux knowledge to install. I would personally run an Untangle router and use one of the tools above if the two together will satisfy your needs. Untangle does make it easier to set most of that up. I did the same thing for a local company here to keep their peeps from going to porn sites and youtube videos.
 
Thanks a lot for your input Mr.Peanuthead.

I checked the software you suggested once before joining this community, and now I have done it again.

If I will be separating the platforms, I prefer to have one that can be installed on Windows, preferably on our "server", and can be reached from any computer in the network with an interface page that can be logged into with a password, like a router's "192.168.1.1". Do you have any knowledge of what can be done close to the way I explained?

Untangle doesn't have traffic monitoring in the free version, am I right? And I heard Untangle requires more resources and more hardware. Please check my hardware above.

Which one did you choose for that local company? How was your experience?
 
The RAM may be a little low, but it'll definitely help. If you're looking for traffic per individual node, you may need a netflow collector. I'm currently using scrutinizer, which is free and gives me a really good idea of what's happening on my network currently, but if you need historical info, Cacti or some other SNMP poller would be better for you.

What are you using as a router right now? Can you provide a network diagram?
 
Hello again Boss,

The diagram was on my first post.

""" http://i60.tinypic.com/j0e3jn.png
http://www.image-share.com/ijpg-2728-181.html """"

My router is an Airties RT-205; it has bridge mode but doesn't support DD-WRT AFAIK.

Yeah I need to know how much each IP or PC NAME downloads and uploads in total.

I couldn't find the Scrutinizer you were mentioning. Was it from Plixer? Can you give me a direct link to the free version or the detailed name?
 
I checked Nagios Core, the free one if I am correct, and wasn't able to find a traffic monitoring feature; can you show me with a link? (I even checked the demo.)

Here is the page on monitoring Windows PCs; I can't see internet traffic monitoring there:
http://nagios.sourceforge.net/docs/nagioscore/4/en/monitoring-windows.html

About Nagios Core, I checked the plugins as well but was lost; I couldn't pinpoint something for my needs. Might be my lack of understanding.

Does HTTP monitoring on Nagios Core show what websites each of the PCs in the network goes to?

I also checked Zabbix; I guess it's not meant for a system like ours. Check my diagram, and correct me if you can.
 
What if you give Networx a shot?

Hello,

I checked it but wasn't sure about "Monitoring of multiple computers"; can you guys check it too? Although I already decided to give it a try, I wasn't sure about router monitoring.

AFAIK I will have to install this application on all of the computers individually and open some ports. Will this be able to exclude network (LAN) traffic from the data reports?
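Both the netflow-collector suggestion a few posts up and the question just asked (whether LAN-internal traffic can be kept out of the per-PC totals) are answered by the same piece of accounting logic: take flow records with a source, a destination and a byte count, decide for each one whether it crossed the LAN boundary, and credit bytes to the inside host as upload or download. The script below is an added example written for this thread, not part of any of the products named in it. It uses the 10.0.0.0/24 office subnet from the first post; the comma-separated record format and the flow values are constructed sample data, standing in for what a real collector (nfdump, ntopng, or a pfSense flow export) would provide after reducing each flow to addresses and bytes.

```python
import ipaddress
from collections import defaultdict

# The office subnet from the first post.
LAN = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample flow records (not real traffic): src, dst, bytes carried
# in that direction. 10.0.0.1 is the server, 10.0.0.25 and 10.0.0.30 are PCs;
# the external addresses are from documentation ranges.
SAMPLE_FLOWS = """\
# src,dst,bytes
10.0.0.25,93.184.216.34,1200
93.184.216.34,10.0.0.25,845000
10.0.0.30,10.0.0.1,52000000
10.0.0.1,10.0.0.30,9000
10.0.0.30,203.0.113.9,76000
203.0.113.9,10.0.0.30,12000
10.0.0.1,198.51.100.7,40000000
"""


def parse_flows(text):
    """Yield (src_ip, dst_ip, bytes) tuples from the comma-separated format above."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, nbytes = line.split(",")
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)


def account(flows, lan=LAN):
    """Return {host: {"up": bytes, "down": bytes}} counting internet traffic only.

    A flow with both ends inside `lan` (PC to file server, printer traffic,
    backups) is skipped, so LAN-internal volume never inflates a host's totals.
    A flow with neither end inside `lan` is not ours to account and is ignored.
    """
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for src, dst, nbytes in flows:
        src_in, dst_in = src in lan, dst in lan
        if src_in and dst_in:
            continue                      # LAN-to-LAN: excluded from the report
        if src_in:
            totals[str(src)]["up"] += nbytes    # inside host sent these bytes out
        elif dst_in:
            totals[str(dst)]["down"] += nbytes  # inside host received these bytes
    return dict(totals)


def top_talkers(totals):
    """Return [(host, up, down)] sorted by total internet bytes, largest first."""
    rows = [(host, t["up"], t["down"]) for host, t in totals.items()]
    return sorted(rows, key=lambda r: r[1] + r[2], reverse=True)


if __name__ == "__main__":
    report = top_talkers(account(parse_flows(SAMPLE_FLOWS)))
    print("%-12s %12s %12s" % ("host", "upload", "download"))
    for host, up, down in report:
        print("%-12s %12d %12d" % (host, up, down))
```

With the sample data, the 52 MB copy between 10.0.0.30 and the server disappears from the report entirely, while the server's own 40 MB push to the external B2B site (the second modem's job in the original setup) shows up against 10.0.0.1. Feeding real collector output only means replacing `parse_flows` with the collector's export format; the accounting rule stays the same.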
 
Untangle does reporting on bandwidth in the free reporting module and can do so by IP address.

Download untangle and pfsense and first run them in a virtual machine to get familiar with them

Also I would ditch the Realtek NICs and get some Intel NICs; they just play so much smoother with Linux/BSD-based router/firewall systems.
 