PFSense

Ur_Mom (Fully [H]; joined May 15, 2006; 20,691 messages)
I have a question on the PFSense firewall (probably can be universal, though).

I don't want to double NAT, and don't want to use it as a router. I want to be able to do this:

WAN --- Cisco Router --- PFSense ---- LAN ---- Switch

But, the Cisco will have a WAN IP and a LAN IP. The PFSense will have a LAN IP, but the WAN IP will be on the same subnet. Is there a way to do like a promiscuous mode but still have an IP address for management?

I guess my only other option would be double NAT, with the Cisco doing a private IP and the PFSense doing a different subnet and a private IP, too...
 
What are you trying to gain from having the PFSense box in there?

I don't believe you can do a firewall or gateway setup (pretty much most of the features in PFSense) with the WAN and LAN IPs in the same range... at least not easily. This holds true with any of the firewall distros (IPCop, Smoothwall, etc.).
 
If I remember correctly you can bridge the LAN with the WAN, making it one interface. Never done it because my pfSense box is where you're putting the Cisco router. Might want to also consider Untangle if you're trying to do some sort of spam, internet, etc. filtering. I know that it will bridge for sure.
 
If you want the Cisco on the edge, what do you want to have PFSense for on the inside? It's like having a Ferrari in your garage and a Mustang cemented in the driveway blocking it from ever being taken out for a drive. All the high performance, traffic shaping of the PFSense box can never be utilized.
 
Unless you're feeding the PFsense a DMZ, there isn't any real value to be had...
 
Okie Dokie. So, just use the PFSense as a router, too, then.... Works for me. Of course, I'll still have another interface on the PFSense box that goes to a Cisco pod with the Cisco equipment... :) It's just to configure and play with.

Thanks for the advice, guys. That's why I asked here! :)
 
Or you could keep your cisco router and use Untangle in bridged mode, it won't act as the router but will filter content as you see fit.

Untangle > pfsense :)
 
> Or you could keep your cisco router and use Untangle in bridged mode, it won't act as the router but will filter content as you see fit.
>
> Untangle > pfsense :)

That's just filtering though that way, not extra firewall security.

And Untangle is great for content filtering, but PFSense is better for firewall/router/QoS IMO. Plus it's a ton more lightweight if you don't need all the other filtering/AV scanning and such.
 
> That's just filtering though that way, not extra firewall security.
>
> And Untangle is great for content filtering, but PFSense is better for firewall/router/QoS IMO. Plus it's a ton more lightweight if you don't need all the other filtering/AV scanning and such.

I will second this. I was thinking the same way about Untangle being better than pfSense, but as I dug into pfSense more and more, I have to think the opposite. pfSense does better for firewall and routing and is currently running on a 650 MHz P3 with 512 MB of RAM with 2 dual-port NICs.
 
Why not just use the Cisco?!?

I might just use ACLs with the Cisco and go with a Linux server for MRTG and SNORT... I want decent logs and some good monitoring of the network. A UTM box would be good, but I like the PFSense interface and it has a lot of features that I like. But, I figure it could be done with other means.
 
> I have a question on the PFSense firewall (probably can be universal, though).
>
> I don't want to double NAT, and don't want to use it as a router. I want to be able to do this:
>
> WAN --- Cisco Router --- PFSense ---- LAN ---- Switch
>
> But, the Cisco will have a WAN IP and a LAN IP. The PFSense will have a LAN IP, but the WAN IP will be on the same subnet. Is there a way to do like a promiscuous mode but still have an IP address for management?
>
> I guess my only other option would be double NAT, with the Cisco doing a private IP and the PFSense doing a different subnet and a private IP, too...


To meet your requirements for not using double NAT, you will need to run pfSense in transparent mode (layer 2). It's becoming more and more popular to deploy security devices in layer 2 modes due to ease of management. I am not too familiar with how good the inspect code is on pfSense, but if you start using something more along the lines of an IPS you will be very happy with it. In any case, keep that Cisco router upstream from the firewall.
 
> I might just use ACLs with the Cisco and go with a Linux server for MRTG and SNORT... I want decent logs and some good monitoring of the network. A UTM box would be good, but I like the PFSense interface and it has a lot of features that I like. But, I figure it could be done with other means.

What model is the router?
 
> I will second this. I was thinking the same way about Untangle being better than pfSense, but as I dug into pfSense more and more, I have to think the opposite. pfSense does better for firewall and routing and is currently running on a 650 MHz P3 with 512 MB of RAM with 2 dual-port NICs.

I don't know if I'd say PFSense has a better firewall than Untangle. I'd say the default install of PFSense is less; installing the Snort add-in would bring it closer to UT (as UT uses Snort as well by default... as well as many other custom features). I'm not knocking PFSense, as it's what I usually use at home. But it's two totally different categories here... Untangle is a full-blown UTM, lots of added security features. Untangle is designed for small to medium business networks, requires a bit of horsepower to run on, pretty much overkill for home setups.

IMO I'd use PFSense as my one and only edge firewall. The biggest benefit of PFSense, IMO, is its superior traffic shaping and QoS. If you have it as your 2nd router... or in some sort of transparent bridge mode, you get ZERO benefit from this feature when you have another router in front of it. I love the fact that I can game online and I don't care what the other several PCs in my house are doing online... my ping remains pretty much unaffected.

Matter of fact, I want to go out on a limb and say I don't care what model Cisco router he has, PFSense can run circles around it with one hand tied behind its back.
 
> Matter of fact, I want to go out on a limb and say I don't care what model Cisco router he has, PFSense can run circles around it with one hand tied behind its back.

Dead thread, vito pasted it to me just now... but I really want to know why you think this? How can something designed to route be worse than *nix / packet filter? You're joking, right, Stonecat? Can you elaborate?
 
pfSense is clearly the better option because people like xphil3 are liars and the internet has, and always has, been powered by packet filtering and in-kernel routing features of general purpose operating systems.

In all seriousness, I believe that the comment was in regards to home-based systems, where one could assemble a very high-end PC to handle firewall duties. The high-end PC would be cheaper than a Cisco offering, so pfSense could be a more practical solution for a given amount of money, unless one was truly [H]ard and had a dedicated MPLS line running to their basement, redistributing a whole mess of internal routes via OSPF to a stack of those delightful little blue boxes.
 
If pfSense is as good as Stonecat is saying, then every ISP should promptly dump all the Cisco, etc. equipment they have and switch now... yeah... not happening. I went back to my Cisco due to issues I had with pfSense involving gaming, and it was a cross-platform issue on my PS3 and my PC.
 
> Dead thread, vito pasted it to me just now... but I really want to know why you think this? How can something designed to route be worse than *nix / packet filter? You're joking, right, Stonecat? Can you elaborate?

Once you're done looking down from the snobby Cisco-held-high nose... what model will the average person here have from Cisco? Some old 800 or 10-year-old PIX 501? Maybe an 1800? Oooo... hold me back... I'm not even sporting a toothpick's worth of wood here for those things. :eek:

Seriously... compare the performance and traffic shaping of those models against even an old P3 and 256 meg rig running PFSense. There might be someone here lucky enough to have snuck home some Cisco 7200 or so.
 
> Once you're done looking down from the snobby Cisco-held-high nose... what model will the average person here have from Cisco? Some old 800 or 10-year-old PIX 501? Maybe an 1800? Oooo... hold me back... I'm not even sporting a toothpick's worth of wood here for those things. :eek:
>
> Seriously... compare the performance and traffic shaping of those models against even an old P3 and 256 meg rig running PFSense. There might be someone here lucky enough to have snuck home some Cisco 7200 or so.

I'm not saying dump the Cisco... if you want to use it, all the power to you, but think about what he's saying for a second here... pfSense with the specs he states is killing the specs of my 2621 and the PIX 506 that I have. Speaking of which, I could part with the 506 now that I have my pfSense box going like I want it to ;)
 
> pfSense is clearly the better option because people like xphil3 are liars and the internet has, and always has, been powered by packet filtering and in-kernel routing features of general purpose operating systems.

I think you're being sarcastic here... lol, or at least I hope so.

> Once you're done looking down from the snobby Cisco-held-high nose... what model will the average person here have from Cisco? Some old 800 or 10-year-old PIX 501? Maybe an 1800? Oooo... hold me back... I'm not even sporting a toothpick's worth of wood here for those things. :eek:
>
> Seriously... compare the performance and traffic shaping of those models against even an old P3 and 256 meg rig running PFSense. There might be someone here lucky enough to have snuck home some Cisco 7200 or so.

1. How am I looking down on anyone? I just asked for you to elaborate, that's all.

2. You have clearly done NO testing against ANY Cisco model, it's obvious. I've PERSONALLY tested a P4, 1.8 GHz, 2 GB RAM against an 1841... the 1841 beat the living pants off it by about 10k pps. The pfSense box choked at 20 Mbps constant traffic, latency was unbelievable. The 1841 takes that and smiles back. Yes, I just brought up Mbps, but in the world of routing/filtering packet switching is god and like I said... the 1841 had it by about 10k pps.

3. You made a blanket statement about Cisco routers, stating that pfSense would run circles around them... and I'm telling you that you don't know what you're talking about. It has nothing to do with the fact that I work with this equipment daily, it has to do with the fact that I've used both open-source firewalls and Cisco routers AT home and tested ALL of them, and generally the Cisco routers come out on top on all accounts.

4. I'm not even going to get into Cisco hardware-assisted platforms or MLS, as these will take ANY pfSense box with ANY hardware you put into it and beat the living snot out of it. Even the authors of pfSense themselves say this. Again, this once again proves the fact that you really don't understand routing and switching.

5. I'm going to go so far as to say that a Cisco 2651 would beat the living pants off of a P3 pfSense box!

6. If you want to do an apples-to-apples comparison on hardware between pfSense and a Cisco device, again the Cisco will come out literally crushing it.

7. Show me some performance charts of *CONSTANT* throughput of a P3 pfSense box AND CPU statistics associated with that. I bet you with about 20-30 Mbps the CPU will be pegged because of the way it's designed.

8. For the record, I do like pfSense (I ran it for YEARS and I'm sure YOU have seen my old threads about it) and a lot of other open-source firewalls... but they have their place (at home). Try putting one at a large business (5,000+ users) and watch it be brought to its knees with moderate traffic.

Stonecat, just because you don't know IOS or Cisco equipment in general doesn't mean that it's worse than the stuff that you do know and use. You think the shaping is better for pfSense; I've used the shaping heavily with pfSense and can 100% tell you that IOS is easier and WAY more robust. Get out and use some other products and maybe that will open your eyes a bit. Now, with that said... you know a shit ton about Windows networking, more than I do by far, so I commend you for that... but once you step into the network infrastructure side, that's another story.

From,
someone half your age.
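The post above argues that a forwarding device's ceiling is packets per second, not megabits, and the two are related only through frame size. The following Python helper is an added example, not code from anyone in this thread: it converts the 20 Mbps figure quoted above into the packet rates it implies at several Ethernet frame sizes (counting the 20 bytes of preamble, SFD and inter-frame gap that consume wire time but never reach the filter) and shows what a 10k pps difference is worth in bandwidth. The frame sizes are illustrative assumptions, not measurements from the thread.

```python
"""Relate Ethernet throughput (Mbps) to packet rate (pps), the metric a
software firewall actually saturates on.  Added example, not from the thread."""

# Per-frame overhead on the wire that the firewall never sees but that still
# consumes line time: 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 20

# Frame sizes (including the 4-byte FCS) used for the worked table below.
# Assumed illustrative sizes, not measurements from the thread.
FRAME_SIZES = {
    "64 B (minimum, e.g. TCP ACKs, gaming)": 64,
    "512 B (mixed traffic)": 512,
    "1518 B (maximum, bulk downloads)": 1518,
}


def bits_on_wire(frame_bytes: int) -> int:
    """Line bits consumed by one frame, overhead included."""
    if frame_bytes < 64 or frame_bytes > 1518:
        raise ValueError("standard Ethernet frames are 64..1518 bytes")
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def pps_for_throughput(mbps: float, frame_bytes: int) -> float:
    """Packets per second needed to sustain `mbps` with frames of `frame_bytes`."""
    return mbps * 1_000_000 / bits_on_wire(frame_bytes)


def max_throughput_mbps(pps: float, frame_bytes: int) -> float:
    """Throughput in Mbps that a device forwarding `pps` packets/s can carry."""
    return pps * bits_on_wire(frame_bytes) / 1_000_000


def pps_table(mbps: float) -> dict:
    """Packet rates implied by `mbps` for each frame size in FRAME_SIZES."""
    return {label: pps_for_throughput(mbps, size)
            for label, size in FRAME_SIZES.items()}


if __name__ == "__main__":
    # The 20 Mbps figure from the thread, expressed as packets per second:
    # the same bandwidth is ~18x more packets at 64 B than at 1518 B.
    for label, pps in pps_table(20).items():
        print(f"20 Mbps at {label:40s} = {pps:8.0f} pps")
    # The "10k pps" gap quoted in the thread, expressed as bandwidth.
    for label, size in FRAME_SIZES.items():
        mbps = max_throughput_mbps(10_000, size)
        print(f"10,000 pps of {label:40s} = {mbps:7.2f} Mbps")
```

The same 20 Mbps is under 2k pps of bulk downloads but nearly 30k pps of minimum-size frames, which is why a box that copes with a file transfer can fall over on gaming or torrent traffic at the same nominal bandwidth.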
 
Them's fightin' words there :rolleyes:
Meh, Stonecat always comes off snobby and acting like he knows more than everyone. Sure... I guess I do too, but I usually support what I'm saying with factual information.
 
Even though xphil3 can be a little harsh sometimes, I agree with him most of the time. It was a silly statement, and Cisco > PFSense if you're talking about routers that aren't ridiculously old. My 1811 was a beast; my average CPU usage was 4%, and I was pushing a ton of traffic through it with torrents and newsgroups. I was doing a lot of QoS (shaping/policing) and the thing never stuttered.

Despite his feelings towards Cisco, I think Stonecat is a valuable member of this forum and contributes a lot of good info.;)
 
> Meh, Stonecat always comes off snobby and acting like he knows more than everyone. Sure... I guess I do too, but I usually support what I'm saying with factual information.

I was only joking... But I will agree you do support the things you post through some fashion or another.
 
> I think you're being sarcastic here... lol, or at least I hope so.

> 1. How am I looking down on anyone? I just asked for you to elaborate, that's all.
>
> 2. You have clearly done NO testing against ANY Cisco model, it's obvious. I've PERSONALLY tested a P4, 1.8 GHz, 2 GB RAM against an 1841... the 1841 beat the living pants off it by about 10k pps. The pfSense box choked at 20 Mbps constant traffic, latency was unbelievable. The 1841 takes that and smiles back. Yes, I just brought up Mbps, but in the world of routing/filtering packet switching is god and like I said... the 1841 had it by about 10k pps.
>
> 3. You made a blanket statement about Cisco routers, stating that pfSense would run circles around them... and I'm telling you that you don't know what you're talking about. It has nothing to do with the fact that I work with this equipment daily, it has to do with the fact that I've used both open-source firewalls and Cisco routers AT home and tested ALL of them, and generally the Cisco routers come out on top on all accounts.
>
> 4. I'm not even going to get into Cisco hardware-assisted platforms or MLS, as these will take ANY pfSense box with ANY hardware you put into it and beat the living snot out of it. Even the authors of pfSense themselves say this. Again, this once again proves the fact that you really don't understand routing and switching.
>
> 5. I'm going to go so far as to say that a Cisco 2651 would beat the living pants off of a P3 pfSense box!
>
> 6. If you want to do an apples-to-apples comparison on hardware between pfSense and a Cisco device, again the Cisco will come out literally crushing it.
>
> 7. Show me some performance charts of *CONSTANT* throughput of a P3 pfSense box AND CPU statistics associated with that. I bet you with about 20-30 Mbps the CPU will be pegged because of the way it's designed.
>
> 8. For the record, I do like pfSense (I ran it for YEARS and I'm sure YOU have seen my old threads about it) and a lot of other open-source firewalls... but they have their place (at home). Try putting one at a large business (5,000+ users) and watch it be brought to its knees with moderate traffic.
>
> Stonecat, just because you don't know IOS or Cisco equipment in general doesn't mean that it's worse than the stuff that you do know and use. You think the shaping is better for pfSense; I've used the shaping heavily with pfSense and can 100% tell you that IOS is easier and WAY more robust. Get out and use some other products and maybe that will open your eyes a bit. Now, with that said... you know a shit ton about Windows networking, more than I do by far, so I commend you for that... but once you step into the network infrastructure side, that's another story.
>
> From,
> someone half your age.

My Cisco 2611XM with the 256 MB RAM upgrade beats the pants off the P3 733 MHz pfSense box with 4x Intel NICs I had, in both reliability and latency. My latency was always higher with pfSense.
 
> I think you're being sarcastic here... lol, or at least I hope so.

Don't worry, I was being quite sarcastic.

Also, FWIW: I have used a P3 based firewall. pfSense had issues with the network cards, but under smoothwall it was a crapshoot. I routinely had 400+ ms latencies (granted, somewhat heavy BitTorrent traffic). I got better performance out of a PIX 520 than I got out of that Smoothwall.
 
Wow... it just got insanely heated around here...

Unfortunately I can't really throw anything knowledge-wise into this argument (Cisco vs PFsense) other than the fact that if PFsense (or smoothwall, m0n0wall, etc...) were as good as Cisco or Juniper, then you'd see them in massive networks. I've been working in the research & education networking community for a year now and on not one of the 13 networks I've worked on have I ever seen a PFsense box or the like used. It's always Cisco, Juniper, etc...

I will say this, at home I use smoothwall just because I don't want to f**k with it. It works, it's easy, and I don't have to sweat it.
 
My experience has been the opposite of xphil3's under certain circumstances. I have a 2621XM and 1841 at home along with a variety of firewalls (pfSense, Linksys/DD-WRT, ASA5505, etc.). As a routing platform, the Cisco does much better than any home-brewed firewall. No contest. However, when I enable NAT, CBAC, IOS FW, QoS, IPSEC and all the bells & whistles, I can kill a SOHO Cisco router pretty easily. My pfSense box has no problems. Neither does the ASA.

I have not done any extensive throughput testing, but this has been my cursory observation. The Cisco routers (as a home firewall) also "felt" slower than pfSense, or the ASA, or even a Sonicwall TZ170. Once again, no numbers, but it was noticeable.
 
> My experience has been the opposite of xphil3's under certain circumstances. I have a 2621XM and 1841 at home along with a variety of firewalls (pfSense, Linksys/DD-WRT, ASA5505, etc.). As a routing platform, the Cisco does much better than any home-brewed firewall. No contest. However, when I enable NAT, CBAC, IOS FW, QoS, IPSEC and all the bells & whistles, I can kill a SOHO Cisco router pretty easily. My pfSense box has no problems. Neither does the ASA.
>
> I have not done any extensive throughput testing, but this has been my cursory observation. The Cisco routers (as a home firewall) also "felt" slower than pfSense, or the ASA, or even a Sonicwall TZ170. Once again, no numbers, but it was noticeable.

I would say something is wrong with your config. An 1841 should be able to handle anything you're doing at home without issue, my 1811 sure did.

NAT shouldn't do much, CBAC/FW can use some resources, but not enough to slow down an 1841, same for QoS. What were you doing with IPSEC? And what other "bells & whistles" were you using?

The 1841 is above a SOHO router, IMO (SOHO is the 800 series). I really find it hard to believe that you can "kill" one with home use... especially if I can't.
 
> My experience has been the opposite of xphil3's under certain circumstances. I have a 2621XM and 1841 at home along with a variety of firewalls (pfSense, Linksys/DD-WRT, ASA5505, etc.). As a routing platform, the Cisco does much better than any home-brewed firewall. No contest. However, when I enable NAT, CBAC, IOS FW, QoS, IPSEC and all the bells & whistles, I can kill a SOHO Cisco router pretty easily. My pfSense box has no problems. Neither does the ASA.
>
> I have not done any extensive throughput testing, but this has been my cursory observation. The Cisco routers (as a home firewall) also "felt" slower than pfSense, or the ASA, or even a Sonicwall TZ170. Once again, no numbers, but it was noticeable.

I am looking at using a 2600XM model router. But, I may just use that and a different IDS/IPS after that. Wondering how much logging I could do with SNMP and some kind of graphing program.... I'm not going to be putting too much traffic through it (torrents, HTML, Email, SSH, FTP, etc. but nothing major). But, I am going to have 2 networks, one to the ISP, and the other to my mock Cisco Pod, so I will need two interfaces, and I'd rather use the Cisco. But, the pfSense QoS sounds spectacular. I'd like to be able to browse the web and stream videos without having them CRAWL. But, I was going to see if I can implement that using the Cisco.

I'm going to try one and then the other, and report back. My Cisco config won't be the best, as I'm using it to learn (first time doing a more than basic config), but it'll work! :)
 
As always, I don't take either side :). I think the open source stuff is a great low cost option for SMB.

Cisco can be too expensive usually, but that's because they're the market leaders. Why? Excellent reliability, support, features, and performance. To some (like my company), that's worth the extra $$$. To others, it's overkill based on how good the alternatives are for their needs.

On a final note, as a computer engineer, I have to say I'm slightly biased toward specialized hardware because I understand why it is bad to punt everything to the CPU -- unpredictable latency and performance. Again, for most people, they would never care (or notice) a few small hiccups every now and then.
 
> I would say something is wrong with your config. An 1841 should be able to handle anything you're doing at home without issue, my 1811 sure did.
>
> NAT shouldn't do much, CBAC/FW can use some resources, but not enough to slow down an 1841, same for QoS. What were you doing with IPSEC? And what other "bells & whistles" were you using?
>
> The 1841 is above a SOHO router, IMO (SOHO is the 800 series). I really find it hard to believe that you can "kill" one with home use... especially if I can't.

Sorry, I didn't "kill" it. Bad choice of words. It was slower. And I assure you my config was pristine.

The CPU plays a large part in any product, whether we think so or not. Why then are the ASA firewalls usually 2 GHz or so but the routers much slower? Routers are not punting all the ACLs and FW functions to the ASIC/RP 100% of the time. Not everything runs in CEF.

I installed an 1841 as a NAT/firewall device for a small branch of mine and the users had problems with it as a firewall. When I replaced it with an ASA, they were fine. I was trying to kill two birds with one stone since it was also their router, but it couldn't cut it. Once I left it to routing only, it was fine.
 
So you're saying latency was higher through the 1841 than PFSense? What was the CPU usage on the 1841? My 1811 ran at <4% with a ton of traffic (torrents/newsgroups), while using QoS, CBAC and a lot of other features. How do you know your config was "pristine"?
 