[pfSense] pfSense Implementation with dvSwitch: Urgent Assistance Required

2014-09-30 Thread Rizul khanna
Hello all,


We are trying to use pfSense with dvSwitch in our virtual environment,
where we wish to filter traffic to our VMs directly from pfSense. Our VMs
are Windows-based terminal servers and we want to restrict the IPs/ports
accessible on them.


Our Mgmt and VM N/W portgroup is the same in the dvportgroup, and whenever,
while configuring the pfSense machine, I connect the pfSense machine's NIC
to the mgmt-public dvportgroup, the CPU utilization of any of the ESXi
hosts/all the hosts increases from 5% to 60% unexpectedly. We use ESXi 5.5 U1
with single-socket Intel Xeon 2690 10 x 2.99 GHz processors on all our ESXi
hosts in the cluster. We have to implement the firewall in the Virtual
Environment, but are unable to do so; please suggest something.


I can be contacted on rizulkha...@gmail.com and rizul.kha...@myrealdata.net



Thanks and Regards,

*Rizul Khanna*

rizulkha...@gmail.com  |  +91 8595370298, +91 9501074400 |
http://www.linkedin.com/pub/rizul-khanna/39/81/a3b  |
http://virtualizationforyou.blogspot.in/  |
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Snort as IPS in Pfsense

2014-09-30 Thread Roberto Carna
Ivo, that's a good idea, but please tell me if I'm correct or not:

WAN, LAN, Bridge interfaces: IP-Less
OPT1: IP for management in a management network

Thanks again,

2014-09-30 9:27 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
 I recommend you create a management network for OPT1 with private IP.


 On Tue, Sep 30, 2014 at 12:13 AM, Roberto Carna robertocarn...@gmail.com
 wrote:

 I think this is good for us:


 - Router ISP with IP 200.0.0.1

 - pFsense with the following interfaces:

   a) WAN IP-Less
   b) LAN IP-Less
   c) OPT1 with IP 200.0.0.2 (management)
   d) Bridge with WAN and LAN interfaces, and Bridge interface IP-Less

 - Corporate firewall with IP 200.0.0.3

 - Snort runs in Bridge interface

 Do you think this is correct ???

 Good night !!!

 Roberto


 2014-09-29 22:09 GMT-03:00 Jeronimo L. Cabral jelocab...@gmail.com:
  I can say that I imagine this address space:
 
  Router / IP 200.1.1.1 --- WAN IP-Less / pFsense / LAN IP-Less --- Firewall / IP 200.1.1.2
                                         |
                               OPT1 / IP 200.1.1.3 (management)
 
  So, the WAN and LAN interfaces from pFsense are IP-LESS (promiscuous
  mode), and the OPT1 interface from pFsense has a public IP as router and
  firewall.
 
  Can I do this in pfsense ???
 
 
  On Mon, Sep 29, 2014 at 9:49 PM, Jeronimo L. Cabral
  jelocab...@gmail.com
  wrote:
 
  OK Ivo, this is very helpful to me. Suppose I have:
 
  Router / IP 200.1.1.1 --- WAN/pFsense/LAN --- Firewall / IP 200.1.1.2
 
  I have to maintain invariable the addressing of this scenario, so what
  IP addresses do I have to assign to WAN and LAN pFsense interfaces ???
 
  Thanks a lot,
 
  JeLo
 
  On Mon, Sep 29, 2014 at 9:32 PM, Ivo Tonev i...@tonev.pro.br wrote:
 
  In production environment you need 3 interfaces - one for WAN, one for
  LAN and one for management.
 
 
 
  http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html
 
 
  On Mon, Sep 29, 2014 at 9:24 PM, compdoc comp...@hotrodpc.com wrote:
 
   But you say: one interface for WAN, a second for
   LAN...and which interface is for managing ???
 
  You manage with a browser from LAN, and optional also from the WAN
  port. And with ssh from the LAN.
 
  --
  Ivo R. Tonev
  +55 61 8409-2642
  i...@tonev.com.br


Re: [pfSense] Snort as IPS in Pfsense

2014-09-30 Thread Ivo Tonev
You need to use the management network to download.


On Tue, Sep 30, 2014 at 3:01 PM, Jeronimo L. Cabral jelocab...@gmail.com
wrote:

 Dear, I can't understand at all... please be patient with me :(

 I'll use pFsense with Snort as an IPS because I see it is easier than the
 manual configuration of Snort.

 I have an ISP router with 200.1.1.1, a corporate firewall with 200.1.1.2
 and the condition is that I MUST LEAVE THIS CONFIGURATION AS IT IS NOW.

 So, I have to locate the pFsense server between the router and the
 firewall, in inline mode.

 My pFsense server has 3 network interfaces, let's say: WAN connected to
 router, LAN connected to corporate firewall and OPT1 for management with IP
 192.168.1.1.

 Now I have the question:

 How should I configure the WAN and LAN interfaces: with IP, IP-less,
 creating a bridge interface IP-less or with IP? Because if I create a
 bridge with WAN and LAN and I don't assign an IP, the IPS won't download
 the signatures from the Internet... I'm a bit confused.

 Thanks a lot, regards.

 JeLo



 On Tue, Sep 30, 2014 at 10:55 AM, Ivo Tonev i...@tonev.pro.br wrote:

 Yes. Always use out of band management.



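The design the thread converges on (WAN and LAN as IP-less members of a bridge that Snort inspects, a private-IP OPT1 for out-of-band management that is also the path for signature downloads), written out as an added illustration in raw pf syntax. This is not pfSense's generated ruleset and not anything the posters wrote; pfSense sets all of this from the GUI. The interface names em0/em1/em2, the 192.168.1.0/24 management subnet and the 192.168.1.254 gateway are assumed values.

```pf
# Assumed interface names: WAN and LAN are bridge members with no address,
# OPT1 is the only interface that carries an IP.
wan_if   = "em0"
lan_if   = "em1"
mgmt_if  = "em2"
mgmt_net = "192.168.1.0/24"

# Filter on the bridge members rather than on bridge0 itself, so each
# packet is evaluated once on the physical port it arrived on.
# On FreeBSD: sysctl net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=0
# (pfSense exposes the same knobs under System > Advanced > System Tunables).

set skip on lo0
block log all

# Forwarded traffic between the ISP router and the corporate firewall.
# The members have no IP, so pfSense answers no ARP and terminates no
# connections here; Snort bound to the bridge inspects this traffic.
pass quick on { $wan_if, $lan_if } all

# Management plane: GUI and ssh are reachable only from the management
# network on OPT1. Nothing arriving on the bridge members can reach them.
pass in quick on $mgmt_if proto tcp from $mgmt_net to ($mgmt_if) port { 22, 443 }
pass in quick on $mgmt_if inet proto icmp from $mgmt_net to ($mgmt_if) icmp-type echoreq

# Traffic that pfSense itself originates (Snort rule/signature updates, DNS)
# leaves via OPT1. The default route must point at the management gateway,
# e.g. 192.168.1.254 (assumed); an IP-less bridge alone has no way out.
pass out quick on $mgmt_if from ($mgmt_if) to any
```

Everything not matched above, including any attempt from the bridge members to reach the OPT1 address, falls through to `block log all` and shows up in the pf log.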