Adventures with pfSense: Act 2 — Improving your network security

  1. ArpWatch — Notifies me when new devices are connected to the network
  2. pfBlocker — DNS filter to prevent access to unsavory sites
  3. Suricata — Intrusion detection and prevention system

1. ArpWatch

This tool builds up a database of what devices are connected to your network and can automatically notify you when there is a new device connected.

3 simple steps to configure ArpWatch
ArpWatch database of devices
Email notification from ArpWatch
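The detection logic ArpWatch applies, as an added example that is not part of the original post or of the ArpWatch package: the script parses two constructed snapshots in the text form of `arp -an` (the FreeBSD output format is assumed), keeps a dictionary of known IP-to-MAC pairs as its database, and reports a "new station" when a never-seen MAC appears and a "changed ethernet address" when a known IP answers from a different MAC, which is also the event that exposes an ARP-spoofing attempt against a host or gateway. The snapshot contents, interface name and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample data: two snapshots of the ARP table in the text form
# printed by `arp -an` on FreeBSD (the platform under pfSense); assumed format.
SNAPSHOT_BEFORE = """\
? (192.168.1.1) at 00:11:22:33:44:01 on em0 permanent [ethernet]
? (192.168.1.10) at 00:11:22:33:44:0a on em0 expires in 1191 seconds [ethernet]
? (192.168.1.20) at 00:11:22:33:44:14 on em0 expires in 600 seconds [ethernet]
? (192.168.1.99) at (incomplete) on em0 expired [ethernet]
"""

SNAPSHOT_AFTER = """\
? (192.168.1.1) at 00:11:22:33:44:01 on em0 permanent [ethernet]
? (192.168.1.10) at 00:11:22:33:44:0a on em0 expires in 1191 seconds [ethernet]
? (192.168.1.20) at de:ad:be:ef:00:20 on em0 expires in 600 seconds [ethernet]
? (192.168.1.77) at 02:aa:bb:cc:dd:ee on em0 expires in 1200 seconds [ethernet]
"""

# An IP in parentheses followed by a colon-separated MAC; "(incomplete)" entries never match.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def parse_arp(text):
    """Return {ip: mac} for every complete entry in arp -an output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def diff_arp(known, current):
    """Compare a fresh snapshot against the database of known ip -> mac pairs.

    new_station:      a MAC never recorded before (ArpWatch's "new station")
    changed_ethernet: a known IP now answering from a different MAC (ArpWatch's
                      "changed ethernet address"); a spoofed gateway or host
                      looks exactly like this to the watcher
    """
    known_macs = set(known.values())
    events = {"new_station": [], "changed_ethernet": []}
    # Sort numerically by address so reports are stable and readable.
    for ip, mac in sorted(current.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if mac not in known_macs:
            events["new_station"].append((ip, mac))
        if ip in known and known[ip] != mac:
            events["changed_ethernet"].append((ip, known[ip], mac))
    return events


def update_database(known, current):
    """Merge the snapshot into the database so the next run reports only real changes."""
    merged = dict(known)
    merged.update(current)
    return merged


def format_report(events):
    """Render the events as the body of a notification e-mail."""
    lines = []
    for ip, mac in events["new_station"]:
        lines.append(f"new station        ip={ip} mac={mac}")
    for ip, old, new in events["changed_ethernet"]:
        lines.append(f"changed ethernet   ip={ip} was={old} now={new}")
    return "\n".join(lines) if lines else "no changes"


if __name__ == "__main__":
    db = parse_arp(SNAPSHOT_BEFORE)
    events = diff_arp(db, parse_arp(SNAPSHOT_AFTER))
    print(format_report(events))
    db = update_database(db, parse_arp(SNAPSHOT_AFTER))
```

In a real deployment the database would be persisted between runs and the report handed to the mail notification shown in the screenshots; here the two snapshots stand in for two consecutive polls.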

2. pfBlocker

This tool maintains a list of DNS entries that you may not want users on your network to access. This is similar to the DNS security products offered by the likes of Palo Alto, Check Point, Cloudflare and Cisco.

pfBlocker — OLD VERSION
pfBlocker — NEW VERSION

pfBlocker — IP Tab

Most of the settings should already be configured; you will want to consider turning on CIDR Aggregation to optimize pfBlocker’s performance.

pfBlocker — IP Tab

pfBlocker — DNSBL Tab

The main thing here is to ensure DNSBL is enabled and to whitelist or blacklist any domains that you want to explicitly allow or block.

pfBlocker — DNSBL Tab
Whitelisting .edu.sg
pfBlocker — DNSBL Groups Tab
pfBlocker — DNSBL Category Tab
Warning when selecting large blacklist categories
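The allow/block precedence behind the whitelist step, as an added example written for this page rather than pfBlocker's own code: a small resolver-side decision function run over a constructed blocklist and whitelist. The leading-dot convention for covering a domain together with its subdomains follows the `.edu.sg` whitelist entry above; that blocklist entries also cover their subdomains, the sinkhole address 10.10.10.1, and the domain names themselves are assumptions made for the example.

```python
# Constructed stand-ins for a pfBlocker DNSBL feed and its whitelist. Convention
# assumed here: a whitelist entry with a leading "." covers the domain and every
# subdomain (as in the ".edu.sg" entry); an entry without it covers that exact
# name only. Blocklist entries are treated as covering the name and everything
# under it, the way a DNS "redirect" zone in the resolver would.
BLOCKLIST = ["ads.example.com", "tracker.example.net", "badsite.edu.sg"]
WHITELIST = [".edu.sg", "cdn.ads.example.com"]

# Placeholder sinkhole address: blocked names resolve here instead of the real host.
SINKHOLE_IP = "10.10.10.1"


def _norm(name):
    """Lower-case and drop a trailing root dot; the leading wildcard dot is kept."""
    return name.strip().lower().rstrip(".")


def _covers(qname, domain):
    """True if qname is domain itself or lies under it."""
    return qname == domain or qname.endswith("." + domain)


def dnsbl_decision(qname, blocklist=BLOCKLIST, whitelist=WHITELIST, sinkhole=SINKHOLE_IP):
    """Return (verdict, reason, answer) where verdict is "allow" or "block".

    The whitelist is evaluated first so an explicit allow always wins over a
    feed entry; without that ordering a broad feed silently breaks whole zones.
    """
    q = _norm(qname)
    for entry in whitelist:
        e = _norm(entry)
        if e.startswith("."):
            if _covers(q, e[1:]):
                return ("allow", f"whitelisted by wildcard {entry}", None)
        elif q == e:
            return ("allow", f"whitelisted exactly as {entry}", None)
    for entry in blocklist:
        if _covers(q, _norm(entry)):
            return ("block", f"covered by blocklist entry {entry}", sinkhole)
    return ("allow", "no list entry matched", None)


def evaluate(names):
    """Evaluate a batch of query names; returns {name: verdict}."""
    return {n: dnsbl_decision(n)[0] for n in names}


if __name__ == "__main__":
    for name in ["tracker.example.net", "pixel.tracker.example.net", "badsite.edu.sg",
                 "cdn.ads.example.com", "img.cdn.ads.example.com", "example.org"]:
        verdict, reason, answer = dnsbl_decision(name)
        print(f"{name:28} {verdict:5} {reason}" + (f" -> {answer}" if answer else ""))
```

Note the two different outcomes under `ads.example.com`: the exact whitelist entry rescues `cdn.ads.example.com` but not `img.cdn.ads.example.com`, which is why a whitelist entry written with the leading dot is the one to reach for when a whole service must keep working.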

pfBlocker — General Tab

Once you are done with all the settings, go back to the general tab and enable pfBlockerNG.

pfBlocker — Dashboard widget

Lastly, pfBlocker comes with a dashboard widget that lets you view blocked-domain statistics and quickly whitelist domains when required.

pfBlocker — Dashboard widget

3. Suricata

Suricata is a popular tool that performs real-time intrusion detection (IDS), inline intrusion prevention (IPS) and network security monitoring (NSM).

Suricata — Global Settings Tab

Start off by going to the Global Settings tab and configuring Suricata to use the ET and Snort GPLv2 rules. You may also fiddle with the Rules Update and General settings if you wish, but the defaults are generally good enough.

Suricata — Global Settings Tab

Suricata — WAN Tab

Next, go to Interfaces and click on the pencil icon beside your WAN link.

  1. Enable Suricata inspection on the WAN interface.
Suricata — WAN Settings Tab

Suricata — WAN Categories Tab

Next, select “WAN Categories”, click the “Select All” button and then the “Save” button.

Suricata — WAN Flow/Stream

This next section is required for devices with 4 or more cores. With the higher core count, the memory caps for Fragmentation, Flow and Stream need to be raised beyond the defaults of 32MB and 64MB. Double them, or more, if you get an alloc error when starting Suricata later on.

Fragmentation Memory Cap
Flow Memory Cap
Stream Memory Cap

Suricata — SID Mgmt Tab

SID management is key for Suricata. Manually enabling or disabling each SID quickly grows into a nightmare. To assist with this, Suricata has a SID management section where you can script which SIDs to enable, disable, modify or drop.

Suricata — SID Mgmt Tab
Sample of dropsid-sample.conf
Suricata — SID Mgmt — Rebuilding list
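What the SID management step does to the rule set, as an added example that is not the pfSense package's own code: a parser for a dropsid-style file and the alert-to-drop rewrite it drives over two constructed rule files. The selector syntax (a `GID:SID` pair, a rule category, or `pcre:` followed by a regex matched against the rule text) is assumed from the shipped sample files; the rule files, SIDs and messages are made up for the example.

```python
import re

# Constructed rule files in Suricata rule syntax. SIDs are in the local range
# and the messages are made up; these are not ET or Snort rules.
SAMPLE_RULES = {
    "emerging-scan.rules": """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SCAN ssh brute force"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SAMPLE SCAN telnet probe"; sid:1000002; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE SCAN icmp sweep"; sid:1000003; rev:1;)
""",
    "emerging-ftp.rules": """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE FTP bad login"; sid:1000010; rev:1;)
""",
}

# Constructed dropsid.conf. Assumed syntax, modelled on the sample files the
# package ships: one selector per line, either GID:SID, a category (the rule
# file name without ".rules"), or pcre:<regex> matched against the rule text.
DROPSID_CONF = """\
# turn these alerts into drops
1:1000002
pcre:ssh brute
emerging-ftp
"""

RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s.*\bsid:\s*(?P<sid>\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")


def parse_sid_conf(text):
    """Split a dropsid/enablesid-style file into its three selector kinds."""
    spec = {"sids": set(), "pcre": [], "categories": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, so pcre bodies must avoid it
        if not line:
            continue
        if line.startswith("pcre:"):
            spec["pcre"].append(re.compile(line[len("pcre:"):].strip()))
        elif re.fullmatch(r"\d+:\d+", line):
            gid, sid = line.split(":")
            spec["sids"].add((int(gid), int(sid)))
        else:
            spec["categories"].add(line)
    return spec


def rule_id(line):
    """(gid, sid) of an active rule line, or None for blanks, comments and disabled rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    gm = GID_RE.search(line)
    return (int(gm.group(1)) if gm else 1, int(m["sid"]))  # Suricata defaults gid to 1


def selected(line, category, spec):
    """True if an active rule line is picked by any selector in spec."""
    rid = rule_id(line)
    if rid is None:
        return False
    return (rid in spec["sids"]
            or category in spec["categories"]
            or any(p.search(line) for p in spec["pcre"]))


def apply_dropsid(rules_by_file, spec):
    """Rewrite 'alert' to 'drop' for selected rules; returns (new files, sorted changed ids)."""
    out, changed = {}, []
    for fname, text in rules_by_file.items():
        category = fname[:-len(".rules")] if fname.endswith(".rules") else fname
        new_lines = []
        for line in text.splitlines():
            # Disabled ("#") rules are left alone: dropsid only changes the action
            # of rules that are already active.
            if line.startswith("alert") and selected(line, category, spec):
                changed.append(rule_id(line))
                line = "drop" + line[len("alert"):]
            new_lines.append(line)
        out[fname] = "\n".join(new_lines) + "\n"
    return out, sorted(changed)


if __name__ == "__main__":
    rewritten, changed = apply_dropsid(SAMPLE_RULES, parse_sid_conf(DROPSID_CONF))
    print("changed to drop:", changed)
    for fname, text in rewritten.items():
        print(f"--- {fname}\n{text}", end="")
```

The same parser serves the enable and disable lists; only the rewrite differs (uncommenting or commenting the line instead of swapping the action), which is why scripting the selection scales where clicking through individual SIDs does not.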

Suricata — Turning it on

Finally, enable Suricata on the WAN interface and let it perform its job.

Suricata — Enabling on WAN

Suricata — Alerts and Blocks

After a while, you should see Suricata populating the Alerts and Blocks tabs with attacks that match the signatures in its rule set.

Suricata — Alerts
Suricata — Blocks

Conclusion

Overall, pfSense is a very capable open-source network appliance that offers significantly more value than similarly priced boxes.

Advantages:

  1. More out-of-the-box (OOTB) capabilities than most consumer routers, e.g. captive portal, Class A DHCP support, multiple OpenVPN servers, L3 port configuration.
  2. Availability of network security packages that enable capabilities like DNS filtering, IDS, IPS, HTTP/AV/malware scanning and HTTPS offloading.
  3. Generally cheaper than hardware routers with similar specs, both in upfront cost and in running energy cost.
  4. Ease of backup and restore.

Drawbacks:

  1. Configuration know-how: more technical skill is required to manage certain components such as Suricata.
  2. Wi-Fi is supported only via an add-on adapter card, or by integrating with an existing Wi-Fi mesh system.
  3. Component failure and troubleshooting may get quite complex. That said, these boxes are known to run for years without any unscheduled downtime.

Jeffery Tay