
Firewall Hardware Sizing Guide

Before Starting

This hardware sizing guide was written primarily for the pfSense® CE and OPNsense® operating systems.

Anyone interested in the differences between the two will find a pfSense® CE vs OPNsense® comparison at this link.

The same concepts can, however, also be applied to Zeroshell and ipFire.

Useful tools: fast sizing of the devices

Below we expand on the technical concepts behind the conclusions in the Instant sizing table.
Readers who do not want to go through the whole technical part can jump straight to: Instant sizing.

Here is the link to the NEW HARDWARE CONFIGURATOR for our equipment: in a few clicks it shows which device to buy.

Equipment hardware configurator.
N.B. Under "Select product category", select "Firewall".

Premise

To size a hardware firewall based on pfSense® CE / OPNsense® from 2.4.X / 18.X onwards, three main factors must be kept in mind:

1. Required throughput

2. Features or additional packages of pfSense® / OPNsense® in use

3. Number and type of NICs (Network Interface Cards) required

These 3 factors mainly affect RAM, CPU, mass storage and, of course, the number of NICs. Further down we share our experience in hardware sizing.

Also keep in mind that pfSense® from version 2.4 NO LONGER SUPPORTS systems on CF (in particular, it no longer provides i386 images), whereas OPNsense® still does.

1. Considerations on the requested throughput

By definition, the throughput of a communication channel is the part of its transmission capacity that is actually used.

Throughput is not to be confused with link capacity. Both are expressed in bit/s, but while capacity is the maximum rate at which data can travel, throughput measures how much of that capacity is actually used: it is the amount of data transmitted per unit of time and depends only on how much information is put onto the channel.

Before looking at throughput, note that both pfSense® and OPNsense® can operate as a firewall, as a router, or as both. The overall throughput of the system we want to build must therefore be considered when choosing the appliance.

For example, if we need to build a firewall, we can take the sum of the WAN throughputs as the throughput.

If instead we have to build a router that joins networks together, we must sum the throughput of all the interfaces, both WAN and LAN.

CPU type

It is important to determine the throughput of a network before installing a pfSense® / OPNsense® firewall / router, as it determines the type of CPU to use and, in some cases, the type of NIC.

If less than 10 Mbps is required, the minimum hardware requirements suffice. For higher throughputs we strongly advise following the sizing in the table below, which is based on tests actually performed in the field. The table is designed to keep the hardware away from its maximum load, so as not to run into problems.

If, for example, I have to build a router or a firewall with 10 Gbit ports, I cannot use a CPU less powerful than a quad-core Xeon: when the NICs reach 10 Gbit of traffic, the cores of the appliance go to 100% and the machine struggles.

For these uses we recommend the A2-Server or A3-Server.

Note that the pfSense development team has announced that, as of version 2.5, it will NO LONGER BE POSSIBLE to install, let alone update, pfSense on hardware whose CPU lacks the AES-NI instructions. The reason (as stated by pfSense) is that, to cope with the increased CPU load caused by cryptography, it was necessary to rely on the AES-NI instruction set, which accelerates encryption and decryption algorithms on certain Intel and AMD processors.

This does not apply to the OPNsense developers, who state that the AES-NI instructions can be executed either in hardware (on CPUs that have them) or in software, as happens with the current versions of both distributions without any particular problems.

Minimum system requirements for pfSense® up to version 2.4.X:

CPU: not less than 1 GHz
RAM: 1 GB
Installation on hard disk: 16 GB
Embedded CF: not supported

Minimum system requirements for pfSense® CE version 2.5.X:

CPU: not less than 1 GHz, with AES-NI
RAM: 1 GB
Installation on hard disk: 16 GB
Embedded CF: not supported

pfSense® CE/OPNsense® sizing based on throughput

Throughput | Suggested hardware requirements | Suggested product | Noisiness
1-20 Mbps | Not less than 1000 MHz CPU, single core | FIREWALL ENTRY LEVEL: APU1 Entry Level, APU2 Entry Level | None
10-100 Mbps | Not less than 2.4 GHz CPU, quad core | FIREWALL CORPORATE: Compact Small UTM 3, Appliance Small UTM 3 | None
50-650 Mbps | Not less than 2.4 GHz CPU, octa core | FIREWALL CORPORATE / FIREWALL DATACENTER: A1-Server, APUTM | Almost nothing (*)
450-1000 Mbps | Not less than 3.5 GHz CPU, quad core | FIREWALL DATACENTER: APUTM, A2-Server | Medium (*)
Up to 10 Gbps | Not less than 3.5 GHz Xeon CPU, quad/octa core | FIREWALL DATACENTER: A2-Server, A3-Server | Medium (*)

pfSense® CE/OPNsense® sizing based on throughput, Cluster versions

Throughput | Suggested hardware requirements | Suggested product | Noisiness
1-20 Mbps | Not less than 1000 MHz CPU, single core | FIREWALL ENTRY LEVEL: Nano Cluster APU2 | None
10-100 Mbps | Not less than 2.4 GHz CPU, quad core | FIREWALL CORPORATE: Compact Small UTM 3, Appliance Small UTM 3 | None
50-650 Mbps | Not less than 2.4 GHz CPU, octa core | FIREWALL CORPORATE / FIREWALL DATACENTER: Power Cluster | Low (*)
450-1000 Mbps | Not less than 3.5 GHz CPU, quad/octa core | A2-Server Cluster, A3-Server Cluster | Medium (*)
Up to 10 Gbps | Not less than 3.5 GHz Xeon CPU, quad/octa core | A2-Server Cluster, A3-Server Cluster | Medium (*)

(*) The Power Cluster and APUTM models with Intel I7 CPU have a Medium noise level only if they are subjected to strong and continuous workloads.

2. Features or additional packages of pfSense®/OPNsense® used

Many features of pfSense® CE/OPNsense® greatly influence hardware sizing.

VPN: heavy use of the VPN service greatly increases the CPU requirements, since encrypting and decrypting packets loads the CPU. The number of connections matters less than the throughput.

  • 266 MHz CPU supports approximately 4 Mbps of IPsec traffic
  • 500 MHz CPU supports about 10-15 Mbps of IPsec traffic
  • New-generation I7 or I3 CPUs support almost up to 200 Mbps of IPsec traffic
  • New generation XEON CPU for loads over 400 Mbps

Squid – SquidGuard – outbound proxy traffic control: both packages use a lot of CPU and disk writes. It is therefore strongly discouraged to run them on the Entry Level, Entry Level APU1 and Entry Level APU2.
For this type of work it is strongly recommended to use the Appliance Small UTM 3, Compact Small UTM 3, A2SUTM, A1-Server, A2-Server, A3-Server or APUTM with SSD or classic disks.
It is, however, possible to run an optimised setup with only the Squid package on the Entry Level APU1 and Entry Level APU2, provided that writes to the storage medium are kept to a minimum, and in any case at the expense of performance.

pfBlockerNG: pfBlockerNG is a package for pfSense® that extends the firewall beyond traditional L2 / L3 / L4 filtering. It lets you configure the firewall to allow or deny traffic based on elements such as the geolocation of an IP address, the domain name (for example to block Facebook and the like) or Alexa's ratings of certain websites.

This package requires an increase in CPU and RAM from 15% to 25%.

To learn more about this package, you can consult the guide we have created and published in our guide area.

Captive Portal: environments with hundreds of connections require a lot of CPU. With reference to the throughput table, increase the user count by 15-20% to find the recommended platform.

Large state tables: each entry in the state table requires 1 KB. The state table, when full, holds 10,000 entries, i.e. about 10 MB of RAM. For larger state tables, with hundreds of thousands of connections, the RAM must be sized accordingly.

Packages: many packages significantly increase RAM usage. For example, Snort and ntop should not be installed on hardware platforms with less than 512 MB of RAM and at least 32 GB of disk.
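The sizing rules above (WAN-only vs all-interface throughput, the throughput bands, the IPsec CPU classes, the 1 KB per state entry and the package uplifts) can be encoded in a small calculator. This is an added example, not the vendor's hardware configurator; the band table and thresholds are copied from this guide, while applying the package percentages as a multiplier on the throughput used for band selection, and using the upper end of each range, is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Iterable, Sequence

# Rows of the guide's "sizing based on throughput" table: upper bound of the
# band in Mbps, minimum CPU it calls for, suggested (non-cluster) products.
BANDS: Sequence[tuple[int, str, tuple[str, ...]]] = (
    (20, "single core, not less than 1000 MHz", ("APU1 Entry Level", "APU2 Entry Level")),
    (100, "quad core, not less than 2.4 GHz", ("Compact Small UTM 3", "Appliance Small UTM 3")),
    (650, "octa core, not less than 2.4 GHz", ("A1-Server", "APUTM")),
    (1000, "quad core, not less than 3.5 GHz", ("APUTM", "A2-Server")),
    (10_000, "Xeon quad/octa core, not less than 3.5 GHz", ("A2-Server", "A3-Server")),
)

# Extra headroom the guide attributes to each feature (pfBlockerNG: 15-25 % more
# CPU/RAM; Captive Portal: count 15-20 % more users). The upper end of each range
# is used so the estimate errs on the safe side; treating it as a multiplier on
# the throughput used for band selection is an assumption of this example.
PACKAGE_HEADROOM = {"pfblockerng": 0.25, "captive_portal": 0.20}

# IPsec throughput the guide associates with each CPU class (upper bound, Mbps).
IPSEC_CPU_CLASSES = (
    (4, "266 MHz CPU"),
    (15, "500 MHz CPU"),
    (200, "new-generation Intel i3/i7 CPU"),
    (float("inf"), "new-generation Xeon CPU"),
)

STATE_ENTRY_KB = 1  # the guide: each state-table entry needs about 1 KB


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str    # "wan" or "lan"
    mbps: float  # throughput expected on this interface


def required_throughput(interfaces: Iterable[Interface], mode: str) -> float:
    """Aggregate throughput the way the guide does: a firewall counts only the
    WAN side, a router joining networks counts every interface."""
    if mode == "firewall":
        return sum(i.mbps for i in interfaces if i.kind == "wan")
    if mode == "router":
        return sum(i.mbps for i in interfaces)
    raise ValueError(f"unknown mode: {mode!r}")


def state_table_ram_mb(entries: int) -> float:
    """RAM taken by the state table at 1 KB per entry (10,000 entries ~ 10 MB)."""
    return entries * STATE_ENTRY_KB / 1024


def ipsec_cpu_class(ipsec_mbps: float) -> str:
    """Smallest CPU class the guide lists for the given IPsec throughput."""
    for limit, cpu in IPSEC_CPU_CLASSES:
        if ipsec_mbps <= limit:
            return cpu
    raise AssertionError("unreachable: the last class has no upper bound")


def size_appliance(interfaces, mode, packages=(), state_entries=10_000):
    """Pick the first table band whose upper bound still covers the throughput
    after the package headroom is applied. The guide's bands overlap on purpose
    (e.g. 50-650 and 450-1000 Mbps); selecting by upper bound picks the cheaper
    class, move one band up if you want more margin.
    Returns (effective Mbps, minimum CPU, suggested products, state-table MB)."""
    headroom = sum(PACKAGE_HEADROOM[p] for p in packages)  # KeyError on unknown package
    effective = required_throughput(interfaces, mode) * (1 + headroom)
    for upper, cpu, products in BANDS:
        if effective <= upper:
            return effective, cpu, products, state_table_ram_mb(state_entries)
    raise ValueError(f"{effective:.0f} Mbps exceeds the 10 Gbps top band of the guide")


if __name__ == "__main__":
    # Constructed example: two WAN uplinks (60 + 20 Mbps) and a gigabit LAN.
    ifaces = [Interface("wan1", "wan", 60), Interface("wan2", "wan", 20),
              Interface("lan", "lan", 1000)]
    for pkgs in ((), ("pfblockerng", "captive_portal")):
        eff, cpu, products, ram = size_appliance(ifaces, "firewall", pkgs)
        print(f"packages={pkgs or 'none'}: {eff:.0f} Mbps -> {cpu}; "
              f"{', '.join(products)}; state table ~{ram:.1f} MB")
    print("as a router:", required_throughput(ifaces, "router"), "Mbps")
    print("IPsec at 150 Mbps needs:", ipsec_cpu_class(150))
```

With the constructed interfaces the plain firewall lands in the 10-100 Mbps band, while adding pfBlockerNG and the Captive Portal pushes the effective load to 116 Mbps and therefore one band up.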

Version of pfSense®/OPNsense® to be installed

It is worth stressing the difference between the two types of installation that can be made with pfSense® / OPNsense® on the different devices.

We remind you that, for pfSense®, the last version that can be installed on CF (i.e. the embedded version) is 2.3.5, while for OPNsense® no end of support is planned.

  • The embedded solution (Entry Level firewall) DOES NOT allow log files to be written to the memory card (CF or DOM), and in any case doing so is strongly discouraged. On this version some of the additional pfSense® / OPNsense® packages cannot be installed.
  • The solution installed on a hard disk (normally on UTM or higher appliance solutions) can save the logs on it. On this version all the additional packages provided for pfSense® / OPNsense® can be installed.
  • We remind you that pfSense 2.5.X will install only on hardware with a CPU supporting AES-NI.

3. Deepening on the network card chipsets

Choosing a network card is essential for those who are designing a medium / large system.

As you can see from the product descriptions, we always state clearly whether the devices use Intel or Realtek chipsets.

From about mid-2016 onwards virtually all our devices are equipped with Intel chipsets.

The Realtek chipset is less powerful than the Intel one and is suited mainly to lighter workloads. However, for a company that does not need high throughput (like 85% of Italian companies) it remains the ideal choice.

The Intel chipset, on the other hand, performs better under heavy traffic: it offers advanced features such as queue management and, from pfSense® 2.2, improved multi-core support. This results in higher throughput and lower CPU load.

To be precise, full multi-core support was introduced in FreeBSD, the parent operating system of pfSense® and OPNsense®, so the same argument made for pfSense® is valid and will apply to OPNsense® in the future.

If you are still using pfSense® 2.1.x, we have published an in-depth study on optimising Intel NICs by tuning the driver and settings. Note, however, that so far our appliances do not need such optimisation; we include it for completeness.

On the current versions of pfSense® / OPNsense® it does not seem necessary to make changes.

If you think your appliances have performance problems arising from NICs, you can use this guide to diagnose the problem.

4. Sizing according to the noise of the equipment

To provide the right product, you need to think about where the firewall will be placed.

If the device is placed near people at work, you will need to choose a machine with a low noise level or purchase a silent kit!

Lately, due to Intel’s new 25-nanometer technology, the absorbed power has greatly reduced and consequently the dissipated heat has also decreased.

From the design point of view, we preferred to maintain the fan in the high-end models (typically used in data centers or CEDs). This is because, if the board or CPU detects high temperatures, using the fan would bring the temperature back to acceptable levels in a few seconds.

Below is a table with indicative data on the noise level of the equipment:

Apparatus | Noise level
Entry Level / APU1 Entry Level / APU2 Entry Level / Appliance Small UTM 3 / Compact Small UTM 3 / NanoCluster / A2SUTM / Small Cluster | Level 0 (completely fanless)
A1-Server | Level 1 (almost imperceptible noise)
A2-Server / A3-Server / Power Cluster / APUTM | Level 4 (noise audible from 4/5 meters)

Notes on noise:
a device that dissipates heat well will certainly last longer and be more stable and reliable!
That is why our high-end devices are designed so that the airflow "washes over" the internal components, cooling them.

5. RAID function

One of the most appreciated functions of pfSense® CE/OPNsense® in terms of hardware reliability is the RAID functionality implemented directly by the FreeBSD operating system.
This function guarantees a higher level of reliability of the appliance: in the event of a disk failure the appliance keeps working as if nothing had happened.
It is supported by: Appliance Small UTM 3 / Compact Small UTM 3, A2SUTM, A1-Server, APUTM, A2-Server, A3-Server and all the Cluster versions of our devices except the NanoCluster.
For those wishing to go deeper, we have published a guide that explains how it works and how to intervene on the equipment in case of failure. You can find it under the guide menu.

6. When should I use a Cluster system?

A Cluster system is a solution made up of two completely independent hardware devices. There are 3 versions of Cluster solutions: one for small offices, the others for heavy traffic and/or medium/large organisations.

  • NANOCluster: compact 1U solution, designed for small offices
  • Small Cluster: 2U solution for SMEs and/or small data centres that do not want to give up high reliability
  • Power Cluster: 2U solution for companies and organisations that need high reliability
  • A2-Server Cluster and A3-Server Cluster: 2U data centre-level solution that provides high reliability

The Small Cluster and the Power Cluster are 2U devices consisting of 2 independent drawers, while the NanoCluster is composed of two Entry Level devices.
Using pfSense® CE or OPNsense® you get a real active/passive cluster, configured for high availability between the 2 devices, which become the cluster nodes.
The other operating systems do not (at least for now) have a function like the CARP of pfSense® CE / OPNsense®, but they can still be configured so that the user can manually switch off one of the two systems and turn on the other. We can therefore say that it is a Cluster system that is automatic in the case of pfSense® CE and OPNsense® and manual in the case of the other operating systems. This system should be used in environments where high reliability is mandatory.

7. Instant sizing

Based on our experience we have compiled a classification of the installations we have followed over the years. This classification is the result not only of the experience gained while installing the firewalls, but also of the technological evolution that users demand of the device over its years of use.

The results are linked, for example, to the technological evolution that every company / organisation undergoes or requires over the years for different needs. Small businesses, for example, initially require the installation of a simple firewall; normally it does not take long before requests such as VPN, content filtering or browsing rules follow.

For this reason, based on the number of "active devices" (i.e. devices connected to the Internet), we have drawn up the following table, which also takes the above concepts into account:

Firewall model | No. of active devices
Entry Level or NanoCluster | from 1 to 5 users
Entry Level APU1 or Entry Level APU2 or NanoCluster | from 1 to 10 users
Appliance Small UTM 3 or Compact Small UTM or A2SUTM or Small Cluster | from 8 to 35 users
Appliance Small UTM 3 or Compact Small UTM 3 or A1-Server or Small Cluster | from 20 to 60 users
A1-Server or Power Cluster | from 50 to 350 users
A2-Server or APUTM or Power Cluster | from 100 to 2000 users
A3-Server or APUTM or Power Cluster | from 100 to 3500/5000 users
A3-Server | from 500 to 10,000 users

8. Devices performance analysis

NO VPN

Device | Bridge TCP bandwidth (Mbps) | Bridge UDP bandwidth (Mbps) | Bridge jitter (ms) | NAT TCP bandwidth (Mbps) | NAT UDP bandwidth (Mbps) | NAT jitter (ms)
ALIX | 86.60 | 87.10 | 0.123 | 86.57 | 88.40 | 0.122
APU | 474.00 | 735.00 | 0.028 | 474.00 | 535.00 | 0.037
CASUTM | 595.00 | 653.00 | 0.033 | 595.00 | 535.00 | 0.037
AUTM5 | 754.50 | 735.00 | 0.024 | 551.20 | 560.00 | 0.035
Power Microcluster | 939.00 | 784.00 | 0.029 | 942.00 | 784.00 | 0.025
APUTM | 939.00 | 784.00 | 0.029 | 942.00 | 784.00 | 0.025

OPENVPN

Device | AES128 TCP (Mbps) | AES128 UDP (Mbps) | AES128 jitter (ms) | AES256 TCP (Mbps) | AES256 UDP (Mbps) | AES256 jitter (ms) | Blowfish TCP (Mbps) | Blowfish UDP (Mbps) | Blowfish jitter (ms)
ALIX | 13.43 | 18.00 | 0.052 | 12.30 | 16.00 | 0.048 | 14.67 | 20.00 | 0.095
APU | 68.20 | 60.00 | 0.055 | 58.63 | 55.00 | 0.073 | 79.33 | 68.40 | 0.057
CASUTM | 62.77 | 75.50 | 0.038 | 56.10 | 65.30 | 0.064 | 71.93 | 87.10 | 0.040
AUTM5 | 80.20 | 94.10 | 0.026 | 69.40 | 80.25 | 0.042 | 97.10 | 114.80 | 0.040
Power Microcluster | 135.24 | 121.74 | 0.024 | 116.16 | 106.88 | 0.031 | 153.79 | 138.41 | 0.029
APUTM | 135.24 | 121.74 | 0.024 | 116.16 | 106.88 | 0.031 | 153.79 | 138.41 | 0.029

IPSEC

Device | AES128 TCP (Mbps) | AES128 UDP (Mbps) | AES128 jitter (ms) | AES256 TCP (Mbps) | AES256 UDP (Mbps) | AES256 jitter (ms) | Blowfish128 TCP (Mbps) | Blowfish128 UDP (Mbps) | Blowfish128 jitter (ms) | 3DES TCP (Mbps) | 3DES UDP (Mbps) | 3DES jitter (ms)
ALIX | 15.27 | 16.00 | 0.105 | 13.73 | 14.00 | 0.116 | 14.10 | 15.00 | 0.106 | 8.62 | 9.00 | 0.089
APU | 49.00 | 70.00 | 0.061 | 45.60 | 54.20 | 0.028 | 44.60 | 58.20 | 0.083 | 26.53 | 32.00 | 0.051
CASUTM | 60.13 | 67.20 | 0.042 | 56.03 | 63.20 | 0.049 | 56.87 | 66.10 | 0.057 | 34.43 | 37.10 | 0.042
AUTM5 | 74.22 | 80.40 | 0.079 | 68.60 | 73.50 | 0.064 | 69.70 | 71.30 | 0.074 | 37.80 | 40.00 | 0.023
Power Microcluster | 109.54 | 106.77 | 0.039 | 103.72 | 96.06 | 0.035 | 105.99 | 95.01 | 0.039 | 62.82 | 54.86 | 0.024
APUTM | 109.54 | 106.77 | 0.039 | 103.72 | 96.06 | 0.035 | 105.99 | 95.01 | 0.039 | 62.82 | 54.86 | 0.024

IPSEC, ALIX with and without hardware module

Device | AES128 TCP (Mbps) | AES128 UDP (Mbps) | AES128 jitter (ms) | AES256 TCP (Mbps) | AES256 UDP (Mbps) | AES256 jitter (ms) | 3DES TCP (Mbps) | 3DES UDP (Mbps) | 3DES jitter (ms)
ALIX | 15.27 | 16.00 | 0.105 | 13.73 | 14.00 | 0.116 | 8.62 | 9.00 | 0.089
ALIX + Card (*) | 48.33 | 39.10 | 0.061 | 48.07 | 39.10 | 0.078 | 48.57 | 39.10 | 0.049
Gain [%] | 216.50% | 144.38% | 41.90% | 250.11% | 179.29% | 32.76% | 463.46% | 334.44% | 44.94%

(*) These measurements were made using the compression hardware module.


Kutter: the filter for pfSense® / OPNsense® designed for the Content Filter and Malware Protection.

Objective of this guide

In this guide we will discuss how to configure Kutter Content Filter and Malware Protection on the cloud and how to integrate it with our pfSense® and OPNsense firewall.

The hardware and software used

Tested hardware: we tested all our devices with Kutter on both pfSense and OPNsense.
Since the computational load is moved to the cloud, we did not experience any slowdown on the tested hardware.

Tested entry level firewalls:
The entire APU 2 NIC line
The entire APU 3 NIC line
The entire APU 4 NIC line

Tested corporate firewalls:
The entire Compact Small UTM line
The entire Small UTM line

Tested data centre firewalls:
A1-Server firewall
A2-Server firewall
A3-Server firewall

The software used on the appliance is pfSense® version 2.4.4-RELEASE-p3.
The same settings can be applied on OPNsense using the same rules.
For those wishing to learn more about Kutter's features, the specifications can be found at the following link: www.kutter.it

At the same link you can also ask for a free demo. The procedure is immediate.

Introduction

Before starting I will make a brief summary of what Kutter features are, and how to use them to add more security to navigation.

Kutter is a powerful content and malware filter for the network. It protects over 1.2 billion clicks a day in 90 different countries by leveraging DNS-based technology for cloud filtering.
This technology, for the uninitiated, allows controlling the content of the web pages requested by the users and devices of the network being "filtered", moving the work to the cloud without burdening the network with web proxies (which are sometimes inefficient).
Its strength is the simple and immediate activation, unlike old-style proxies, which are hard to configure and often cause problems.
This type of filter is perfectly suited to businesses, schools, ISPs / WISPs and public administration.

Any device, be it a firewall like pfSense®, OPNSense®, Zeroshell®, IpFire®, or a router from our provider, will increase navigation security if configured with Kutter.

Furthermore, Kutter is compliant with GDPR standards

Before starting

Prerequisites

  • Have an active Kutter account. If you do not have one, activate it immediately by clicking here or request a free 30-day demo. Registration is immediate and you will be up and running in seconds.
  • Have an internet connection.
  • A firewall (in this guide we will illustrate pfSense® but it is compatible with other systems – see below compatibility list).

Now let’s see how to proceed step by step.

Customizing the lists

First we need to access our configuration panel by going to the Kutter web page.

[Figure: Kutter login page]

Once logged in, we will access our configuration area as shown in the figure.


Click on the Networks tab.


By clicking on the "Add new network" button, you can configure your line whether it is dynamic (i.e. without a static IP) or static (i.e. with a permanent IP).

A small menu opens with a series of logos which, when clicked, show how to configure that device in dynamic mode. In our example we proceed with the "static" configuration and click the Manual configuration button at the bottom.

Simply by following the on-screen instructions, we have configured our network.


Now, move to the Lists tab. You have the possibility to immediately choose 3 profiles already preloaded and configured to block different types of sites.

It starts with the Base profile and goes up to the more protective and aggressive Alto profile, which imposes many more restrictions. A brief description of the blocked content can be read below each profile.

If you want to customize the blocks, click on Custom configuration.

Note, below, the classic white and black lists, which add or remove sites (or entire domains) to customise the profile further.

Finally, Kutter can filter searches according to the blocks of your profile, excluding the blocked results from Google and Bing search results as well.

For example, if I have excluded pornographic content from my profile, I will not see these results from Google and Bing engine searches.

In this example, we will proceed to perform a custom configuration.


The list configuration home page looks like the following figure: a list of categories and 3 columns indicating Allow, Block, Schedule the block.


Clicking on the arrow to the left of the category will open the list with the content.


In this example we take the Social Network category and show how to authorise access only during the lunch break. Clicking the clock-shaped icon in the third column (Schedule Block) opens a menu in which to enter the block time slots.


We continue in this way until our list is fully customised (in the example, the Base profile).

You can create a different list for every 5 users; that is, an office with 25 nominal users can create up to 5 different lists (employees, administration, management, etc.) to balance the different needs of the company. By selecting the Base profile and then clicking on the pencil icon, we can choose one of the 5 available DNS pairs, precisely for the case in which we want to diversify the lists.

PfSense® configuration

Now that our network and our lists are configured, let's move on to our firewall. Here we simply need to enter the Kutter DNS servers as shown in the figure:

go to the pfSense menu under System -> General Setup.


For Kutter to start controlling browsing, our network must use the firewall as its DNS server.

There are three possible ways to obtain this behaviour:

  1. Force the network devices to use the pfSense DNS forwarder.
  2. Oblige the network devices to use Kutter's DNS directly.
  3. Redirect traffic on port 53 to the Kutter DNS.

In this guide we illustrate the first solution.

We now enable the DNS service from Services -> DNS Resolver.

Enable it and configure it so that requests are forwarded:

tick the "Enable DNS resolver" and "Enable Forwarding Mode" checkboxes, selecting the interfaces on which the DNS service will respond (in our case only the "LAN").

[Figure: DNS Resolver general settings]

Next we create two rules under Firewall -> Rules.

The first rule allows access to the firewall's DNS service; the second blocks DNS traffic to any other destination.

[Figure: DNS firewall rules]

At this point the firewall will allow the use of only the pfSense DNS Server, which will resolve the names via the kutter DNS.

All systems must use the firewall as their DNS server, either by configuring the DNS manually or by configuring the DHCP server accordingly.

If you use the pfSense DHCP server, go to Services -> DHCP Server and fill in the DNS section with the LAN IP of the firewall (as below, assuming the firewall has IP 192.168.1.1 on the LAN).

[Figure: DHCP server DNS settings]

Conclusions

Ease of use and configuration make Kutter a powerful ally in increasing corporate security. The implementation methods are flexible enough to allow its use in practically every context and with every device.

Kutter is compatible with any device that allows forwarding DNS requests, and with devices that support a DDNS service.

In this regard, if you have not already done so, I invite you to contact us on our portal for more information and/or request a free 30-day demo where you can test the solution described above.


pfSense® 2.4.x: Captive portal configuration

Objective of this guide

The purpose of this guide is to control access to the Internet through the pfSense Captive Portal service. This system grants access to browsing either to authorised users or by entering a temporary, configurable voucher (usage time, allowed speed, ...).

Hardware and software environment used

Tested hardware: We performed the configuration on a single hardware system as, in fact, the configuration can be replicated on any device compatible with the pfSense system. However, we recommend not using a lower power system than the system used in our tests.

Tested Corporate Firewall:
The entire Compact Small UTM line
All the Small UTM line

The software used on the appliance is pfSense® version 2.4.4-RELEASE-p3

Configuration

First we need to identify one or more network cards on which the Captive Portal will run; these can be normal LAN interfaces or VLANs. Let's take a VLAN as an example.

Create a VLAN from the Interfaces -> Assignments -> VLANs menu, then click Add.


Configure it on the desired interface; in this example we create VLAN 25 on the LAN interface (igb1).


Then we add an interface using the VLAN just created: from the Interface Assignments tab, select the new VLAN in the "Available network ports" drop-down menu, then click "Add" as shown in the figure below.


An interface whose name starts with "OPT" will be created. Click on it to enable and configure it.

[Figure: example interface configuration]

Configure DHCP from Services -> DHCP Server.


Then, in our example, select the tab of the newly added interface and configure DHCP as you wish.


We create and enable the captive portal from the Services -> Captive Portal menu by clicking on "Add".


Then we enable the service, give it a name and click on Save & Continue.


The page will appear as below; we enable the service.


At this point we select the network or networks on which to enable the captive portal. In our example we will select VLAN25


Further down the page we select the type of authentication, in our example we will use local users at the firewall.


From the Vouchers tab we create as many vouchers as we want with the "Add" button.


Then we select the complexity of the voucher with Roll#, the minutes of connection allowed with these vouchers, and, with Count, how many vouchers to generate.


Once saved, we can export the vouchers by clicking on the “X” icon

[Figure: example of an exported voucher file]

If from VLAN 25 we try to connect using pfSense as the gateway, we are redirected to the Captive Portal page, which asks us to authenticate as a local user or to enter a voucher.


If we go to the Active Users tab we will see the active vouchers,


with the possibility of seeing detailed information as in the figure below.


pfSense and pfBlockerNG: how to block the TOR network

Objective of this guide

The purpose of this guide is to explain how to configure pfSense to block the Tor browser.

Hardware and software environment used

Tested hardware: We performed the configuration on a single hardware system as, in fact, the configuration can be replicated on any device compatible with the pfSense system. However, we recommend not using a lower power system than the system used in our tests.

Tested Corporate Firewall:
The entire Compact Small UTM line
All the Small UTM line

The software used on the appliance is pfSense® version 2.4.4-RELEASE-p3

Configuration

When the TOR browser starts, it first establishes a connection with a server, with which it builds a tunnel. Once the tunnel has been created, the user has free access to the resources of the TOR network. To avoid this, you need to prevent the TOR browser from connecting.

Here is the Tor connection screen:

[Figure: Tor connection screen]

Below is a possible pfSense configuration to block Tor:

  • First install pfBlockerNG: from System -> Package Manager, locate the pfBlockerNG package and install it by clicking on the "+ Install" button.

After installation, go to Firewall -> pfBlockerNG and enable the service with the "Enable/Disable" checkbox.


Select the LAN under Inbound Firewall Rules, and the WANs / networks under Outbound Firewall Rules.


Then save and select the "IPv4" tab.


Click on the "+ Add" button and configure as shown in the figure, putting the following URL in the Source field:

https://unlockforus.com/pfblockerng/tor_nodes_ipv4.txt

We propose only one URL, which is reasonably effective.

In particular, configure: "Alias Name", "IPv4 Lists", "List Action", "Update Frequency".


Save.

Click on “Update“, select “Reload” and click on “Run“, then select “Update” and click on “Run“.


If you now launch the Tor browser, it should return an error similar to this one:

[Figure: Tor browser connection error]

The configuration of pfBlockerNG can be very complex; in our example it is used only to block the TOR network. To block other similar networks, it is enough to find a URL that contains the IPs to be blocked and enter it under Firewall -> pfBlockerNG -> IPv4, in the "IPv4 Lists" field.
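Once the list is loaded, it is worth checking from the firewall log that connections to listed nodes are actually being blocked, since a list that has not been reloaded silently lets them through. The following is an added example, not code from the page or from pfBlockerNG: it parses a constructed list in the one-address-or-CIDR-per-line layout such lists use, matches constructed connection records against it (using RFC 5737 documentation addresses, not real Tor nodes), and flags listed destinations that were passed rather than blocked.

```python
import ipaddress
from collections import Counter
from typing import Iterable

# Constructed sample in the one-entry-per-line layout used by pfBlockerNG IPv4
# lists (single addresses or CIDR blocks, '#' comments). RFC 5737 documentation
# addresses are used; they are not real Tor nodes.
SAMPLE_LIST = """\
# constructed stand-in for a tor_nodes_ipv4-style list
203.0.113.5
203.0.113.77
198.51.100.0/24
198.51.100.0/24
not-an-address
"""

# Constructed outbound connection records (src, dst, dst port, firewall action),
# a simplified stand-in for fields you would extract from the pfSense filter log.
SAMPLE_EVENTS = [
    ("10.1.1.20", "203.0.113.5", 9001, "block"),
    ("10.1.1.20", "192.0.2.10", 443, "pass"),
    ("10.1.1.31", "198.51.100.200", 443, "pass"),   # listed, but not blocked
    ("10.1.1.31", "203.0.113.77", 9030, "block"),
    ("10.1.1.42", "192.0.2.55", 80, "pass"),
]


def parse_ip_list(text: str) -> list[ipaddress.IPv4Network]:
    """Turn a pfBlockerNG-style IPv4 list into collapsed, de-duplicated networks.
    Comments, blank lines, IPv6 and malformed entries are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed entry: skip it rather than abort the whole list
        if net.version == 4:
            nets.append(net)
    # collapse_addresses merges duplicates and adjacent/overlapping blocks
    return list(ipaddress.collapse_addresses(nets))


def is_listed(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when the address falls inside any listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def tor_report(events, nets):
    """Count per-source contacts with listed destinations and flag those the
    firewall let through (a sign the list has not been loaded into the rules)."""
    hits = Counter()
    leaked = []
    for src, dst, dport, action in events:
        if not is_listed(dst, nets):
            continue
        hits[src] += 1
        if action == "pass":
            leaked.append((src, dst, dport))
    return {"hits": hits, "leaked": leaked}


if __name__ == "__main__":
    nets = parse_ip_list(SAMPLE_LIST)
    print(f"{len(nets)} networks loaded: {[str(n) for n in nets]}")
    report = tor_report(SAMPLE_EVENTS, nets)
    for src, n in report["hits"].most_common():
        print(f"{src}: {n} contact(s) with listed nodes")
    for src, dst, dport in report["leaked"]:
        print(f"NOT BLOCKED: {src} -> {dst}:{dport} (run pfBlockerNG Update/Reload)")
```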


pfSense®: download images of all versions

Objective of this article

The objective of this article is to provide useful links for downloading all the old versions of pfSense®, which can no longer be downloaded from the official website, so that they can be installed on our devices if necessary.

They are all official images and can be installed following the procedures described in our other dedicated guides like these: Install pfSense® CE on UTM – USB, Install pfSense® CE on APU – USB, Install pfSense® CE on ALIX – CF Card reader.

Here is the complete list of all versions:

DOWNLOAD: pfSense-2.0-RC3-amd64-20110621-2308.iso

DOWNLOAD: pfSense-2.0-RC3-i386-20110621-1650.iso

DOWNLOAD: pfSense-2.0-RELEASE-i386 – 06122011.iso

DOWNLOAD: pfSense-2.0-RELEASE-i386.iso

DOWNLOAD: pfSense-2.0.3-RELEASE-2g-i386-nanobsd-20130412-1022.img

DOWNLOAD: pfSense-2.0.3-RELEASE-4g-i386-nanobsd-20130412-1022.img

DOWNLOAD: pfSense-2.1-RELEASE-2g-i386-nanobsd-20130911-1816.img

DOWNLOAD: pfSense-2.1-RELEASE-4g-amd64-nanobsd-20130911-1817.img

DOWNLOAD: pfSense-2.1-RELEASE-4g-i386-nanobsd_vga-20130911-1816.img

DOWNLOAD: pfSense-2.1-RELEASE-4g-i386-nanobsd-20130911-1816.img

DOWNLOAD: pfSense-2.1.2-RELEASE-2g-i386-nanobsd-20140410-0523.img

DOWNLOAD: pfSense-2.1.2-RELEASE-4g-amd64-nanobsd_vga-20140410-0542.img

DOWNLOAD: pfSense-2.1.2-RELEASE-4g-i386-nanobsd-20140410-0523.img

DOWNLOAD: pfSense-2.1.3-RELEASE-2g-i386-nanobsd-20140501-1552.img

DOWNLOAD: pfSense-2.1.3-RELEASE-4g-amd64-nanobsd-vga-20140501-1552.img

DOWNLOAD: pfSense-2.1.3-RELEASE-4g-i386-nanobsd-20140501-1552.img

DOWNLOAD: pfSense-2.1.4-RELEASE-2g-i386-nanobsd-20140620-1259.img

DOWNLOAD: pfSense-2.1.4-RELEASE-4g-amd64-nanobsd-20140620-1259.img

DOWNLOAD: pfSense-2.1.5-RELEASE-4g-i386-nanobsd-20140825-0744.img

DOWNLOAD: pfSense-CE-2.3.2-RELEASE-4g-i386-nanobsd.img

DOWNLOAD: pfSense-CE-2.3.4-RELEASE-amd64.iso

DOWNLOAD: pfSense-CE-2.3.5-RELEASE-2g-i386-nanobsd.img

DOWNLOAD: pfSense-CE-2.3.5-RELEASE-4g-i386-nanobsd.img

DOWNLOAD: pfSense-CE-memstick-2.3.4-RELEASE-amd64.img

DOWNLOAD: pfSense-CE-memstick-2.4.3-RELEASE-amd64.img

DOWNLOAD: pfSense-LiveCD-2.0.2-RELEASE-amd64-20121207-2239.iso

DOWNLOAD: pfSense-LiveCD-2.1-RELEASE-amd64-20130911-1816.iso

DOWNLOAD: pfSense-memstick-2.1-RELEASE-amd64-20130911-1816.img


FreeNAS®: a defense strategy from Ransomware like the Cryptolocker

Objective of this article

In this article we will explain how to defend against Ransomware, such as the Cryptolocker, using some of the properties of FreeNAS®.

Software environment

FreeNAS® 11.2-X

Hardware environment

The hardware used for the following operation is composed of: Open Nas Tower 1 – FreeNAS Ready

Introduction

Ransomware is a type of malware that restricts access to the device it infects and demands a ransom to remove the restriction. For example, some forms of ransomware, such as cryptolockers, block the system and instruct the user to pay to unlock it, while others encrypt the user’s files and demand payment to return them to the clear.

It is almost always impossible to recover the data, sometimes even after paying the ransom, so a backup system will be needed to return to being productive.

To do this we will proceed as follows:

  • Configure the SMB service and the required number of shares, together with access policies (strongly recommended);
  • Use the capabilities of FreeNAS® to schedule periodic snapshots.

Configuration

Creation of the Dataset

We create the dataset to be shared; for FreeNAS® datasets are nothing more than folders created within the pool.

To create our dataset, go to Storage -> Pools -> select the desired pool (in our case “MASTER”) -> Add Dataset.


Having created our dataset (named “Data”), we can now modify the permissions under “Edit Permissions”.


We choose the user owner and the group (in our case User “John” and Group “John”).

Tick “Apply permissions recursively” if the permissions should also apply to the sub-folders.


If necessary, local users can be created to assign access rights, under Accounts -> Users -> Add.


NOTE

FreeNAS® supports integration with the following directory service:

Active Directory (AD) is a service for sharing resources in a Windows network. AD can be configured on a Windows server running Windows Server 2000 (or later) or on a Unix-like operating system running Samba version 4. Since AD provides authentication and authorization services for the users on a network, it is not necessary to recreate the same user accounts on the FreeNAS® system. The Active Directory service can then be configured so that account information and imported users are authorized to access the SMB shares on the FreeNAS® system.


SMB service

As a first step to create a share, the SMB service must be enabled: Services -> SMB, ticking “Running” and “Start Automatically”.


It is sufficient to leave the defaults. Optionally, tick “Enable SMB1 support” if you have to interface with older systems that only support the SMB v1 protocol. For security reasons we advise against enabling it unless absolutely necessary.


Sharing creation

Go to Sharing -> Windows (SMB) Shares -> ADD.


Choose the dataset created earlier (in our case named “Data”).


Automatic Snapshot configuration and scheduling

Snapshots are an interesting feature of the ZFS file system. After the initial snapshot, new snapshots do not copy the new / added / modified files again, but record only the difference from the previous state; this massively reduces the size of subsequent snapshots, takes less time to record them and thus improves system performance.

Snapshots can be understood as “photographs” that capture the status of the data up to a certain instant of time. This data will then be kept until all snapshots are deleted.

If all the snapshots that protect that data are removed, the history of the changes is obviously lost and only the data as it is at present remains.

You can return to the most recent snapshot by cloning or rolling back.

“Think of snapshots as a fast and efficient process for restoring a file / directory in a previous / original version or in a state.”

We can return to any snapshot by “cloning” it [term used by FreeNAS – ed]. Cloning is like “mounting” a snapshot in a new location (the path on the file system must be provided).

After creating a test dataset, we will configure a periodic snapshot for it. Then we will add / modify files and roll back or clone to a previous version of the data.

It is immediately clear how useful this process can be when our data is compromised or even worse if it is encrypted by a Ransomware.

Let’s start by configuring an automatic snapshot creation task.

Go to Task -> Periodic Snapshot Task -> ADD.


We can configure:

  • The whole pool or the dataset we are interested in.
  • The lifetime of the snapshot (“Snapshot Lifetime”).
  • The beginning and end of the time frame in which to take snapshots.
  • How often to take the snapshot (“Interval”).
  • The days of the week on which to perform the task.

In order to manage the snapshots we have created, we need to go to Storage -> Snapshot.


Each dataset / pool will have its own snapshot and we will be able to choose which one to restore.

To restore a snapshot we can follow two roads:

  • Execute a clone: restore the snapshot into a separate portion of the file system (and therefore of storage) that we dedicate to it. Nothing else is changed; the restored snapshot appears alongside the “current state”.
  • Rollback: restore the snapshot by overwriting the current state of the dataset it refers to. Be aware that all changes made after the snapshot was created will be lost, as will all snapshots created after the restored one.

Clone

Click the three-dot menu of the snapshot we want to clone and select “Clone”.

At this point we will be asked to select the path where we want the clone to be restored.


For example, we can create it within our shared dataset to be able to access it remotely and make a more convenient consultation.


Rollback

Click the three-dot menu of the snapshot we want to roll back and select “Rollback”.

We will therefore be warned of the consequences and irreversibility of the process.


Once a snapshot has been rolled back, keep in mind that the permissions stored in the restored snapshot are restored as well.

CONCLUSION

Being able to rely on a certain number of snapshots can be very useful if our data is compromised by Ransomware like Cryptolocker or by other elements that could alter them.

As a method, it may be more convenient to first clone the snapshot, perhaps to isolated storage, especially when all our data has been encrypted, so that its content can be inspected before deciding whether to roll back the desired datasets.
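As an added example (not part of the original article), a small Python helper that applies the two roads above together with the lifetime caveat: it picks the newest snapshot taken before the infection that has not yet aged out, and emits the corresponding `zfs clone` or `zfs rollback` command, listing the snapshots a rollback would destroy. The snapshot naming scheme, the dataset path and all timestamps are assumptions / constructed values.

```python
from datetime import datetime, timedelta
import re

# Assumed name format of snapshots created by a Periodic Snapshot Task:
# auto-YYYYMMDD.HHMM-<lifetime>, e.g. auto-20190501.1000-1d (hypothetical).
NAME_RE = re.compile(r"^auto-(\d{8}\.\d{4})-(\d+)([hdwmy])$")
UNIT = {"h": timedelta(hours=1), "d": timedelta(days=1), "w": timedelta(weeks=1),
        "m": timedelta(days=30), "y": timedelta(days=365)}

def parse_snapshot(name):
    """Return (taken_at, expires_at) derived from the snapshot name."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a periodic snapshot name: {name}")
    taken = datetime.strptime(m.group(1), "%Y%m%d.%H%M")
    return taken, taken + int(m.group(2)) * UNIT[m.group(3)]

def last_clean_snapshot(names, infected_at, now):
    """Newest snapshot taken before the infection and not yet expired, or None:
    the Snapshot Lifetime is the window in which the infection must be noticed."""
    clean = [n for n in names
             if parse_snapshot(n)[0] < infected_at and parse_snapshot(n)[1] > now]
    return max(clean, key=lambda n: parse_snapshot(n)[0], default=None)

def restore_plan(dataset, names, target, clone_path=None):
    """The two roads from the text as zfs commands. A clone destroys nothing;
    a rollback to anything but the newest snapshot needs -r and destroys every
    snapshot newer than the target, which the plan lists."""
    ordered = sorted(names, key=lambda n: parse_snapshot(n)[0])
    if target not in ordered:
        raise ValueError(f"unknown snapshot {target}")
    if clone_path:
        return {"commands": [f"zfs clone {dataset}@{target} {clone_path}"],
                "destroyed": []}
    newer = ordered[ordered.index(target) + 1:]
    flag = " -r" if newer else ""
    return {"commands": [f"zfs rollback{flag} {dataset}@{target}"], "destroyed": newer}

# Constructed scenario: hourly snapshots with a 1-day lifetime on the "Data"
# dataset of pool "MASTER"; files were encrypted at 10:30 and noticed at 14:00.
DATASET = "MASTER/Data"
SNAPSHOTS = ["auto-20190501.0800-1d", "auto-20190501.0900-1d",
             "auto-20190501.1000-1d", "auto-20190501.1100-1d",
             "auto-20190501.1200-1d"]
INFECTED_AT = datetime(2019, 5, 1, 10, 30)
NOW = datetime(2019, 5, 1, 14, 0)
```

If the encryption is only noticed after the newest pre-infection snapshot has expired, `last_clean_snapshot` returns None: the lifetime set in the Periodic Snapshot Task bounds how late a ransomware event can still be undone.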
