Re: [pfSense] looking for perfect pfsense box for home?
I put a Kill-a-Watt meter on it and measured it. During boot-up, it spiked around 58 watts. After settling down at boot, it seems to run consistently at 32-34 watts. Processor utilization rarely exceeds 6%.

I run different firewall software but am running a web proxy with AV, snort, intermittent site-to-site VPNs when I need to connect to client sites for troubleshooting, and SSL and L2TP remote access protocols.

I did have a problem with the on-board Intel NIC - it could not handle heavy packet loads and would stop responding. Never figured out if it was a hardware problem or a software problem with that particular model (Intel Corporation 82579LM Gigabit Network Connection), as opposed to the dual port cards (Intel Corporation 82571EB Gigabit Ethernet Controller), which have been working well.

In my case, I am willing to accept the power utilization for the flexibility to load just about any of the open source firewalls onto it.

On 8/3/2016 8:21 AM, rai...@ultra-secure.de wrote:
> On 2016-08-03 17:15, Robert Obrinsky wrote:
>> I am currently using a refurb HP Elite 8200 SFF that I bought through Newegg. I removed the video card so I could use the built-in video and added 2 dual port HP gigabit NICs (Intels in reality) from Amazon. It came with 4 GB RAM, 500 GB hard drive, and Core I-5 processor at 3.3 GHz. Very quiet. Upgraded the RAM to 8 GB.
>
> How much energy does that thing consume then? Because it runs all year 24x7, for years sometimes, it can make a huge difference buying a smaller and less power-hungry device. AFAIK, the SG-devices are quite frugal in that respect.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] looking for perfect pfsense box for home?
I am currently using a refurb HP Elite 8200 SFF that I bought through Newegg. I removed the video card so I could use the built-in video and added 2 dual port HP gigabit NICs (Intels in reality) from Amazon. It came with 4 GB RAM, 500 GB hard drive, and Core I-5 processor at 3.3 GHz. Very quiet. Upgraded the RAM to 8 GB.

Robert Obrinsky
President
Robert Obrinsky Industries, LLC
1908 SE 45th Avenue
Portland, OR 97215
Office 503.719.4387
Mobile 503.752.8489
http://www.roillc.com

On 08/03/2016 12:37 AM, Eero Volotinen wrote:
> Any ideas where to find the perfect pfsense box for home usage? Must be cheap and silent. Netgate device? Shuttle box?
>
> --
> Eero
Re: [pfSense] VPN client
To me, it sounds like you want a fully meshed VPN solution, and you should be able to set that up. The mathematical formula for a fully meshed network is n(n-1)/2, where n = number of locations to connect. 3 locations is not a big deal, as 3(3-1)/2 = 3 VPN connections. But if you move to using more locations, it gets much more complex very quickly. For example:

5(5-1)/2 = 10 VPN connections to configure
7(7-1)/2 = 28 VPN connections to configure

So, it is also possible to configure a hub and spoke type of communications. It is a much simpler diagram, but if the hub goes down, all VPN communications between the sites are lost.

On 12/9/2015 8:21 PM, Ted Byers wrote:
> Thanks.
>
> This is good to know. Now, I ask your forbearance as I am a programmer, not a network administrator.
>
> My question is this. Suppose I have three sites on different continents, each having a DMZ and vault, and within each vault there is an instance of a MySQL database. I need these instances of the database to function as a cluster using the usual suite of MySQL clustering tools for managing such a cluster, but this presupposes the databases can talk to each other through the LAN. I thought I might manage this by creating a VPN that connects the vaults, but how do I ensure that this VPN remains functional for the sites that are up even if the site that established the VPN goes down? Or can this VPN be entirely peer to peer, not functioning like I'd expect if one had sole responsibility as a VPN server and the others as clients thereof?
>
> I am not sure I am even using the right language to describe what I am after, but do you understand what I am trying to do, and can I do this using pfsense? And if I can, the question is how? In this context, is it OK to be a bit pedantic as, like I said, I develop programs and normally leave this sort of question to a network administrator (to which I do not have access at present).
>
> Thanks
>
> Ted
>
> On Wed, Dec 9, 2015 at 12:59 PM, C. R. Oldham wrote:
>> Yes, it can do site-to-site VPN as well as be a server for remote clients.
>>
>> --cro
>>
>> On Tue, Dec 8, 2015 at 10:15 PM, Ted Byers wrote:
>>> Is it possible to use pfsense as a client, replacing a Checkpoint UTM-1 Edge W with AES256? You see, I have one of these Checkpoint routers that has failed, and it had been used as a client to a VPN. I know I can use pfsense to provide VPN access to machines behind it. I have done this, and use OpenVPN to connect to the machines protected by pfsense.
>>>
>>> I suppose I could use OpenVPN as the client, and will investigate that. But I need to know if pfsense can function as both a server and as a client (for the unrelated purpose of configuring clusters of LANs each of which is protected by pfsense, so that regardless of which LAN fails, the others in the cluster can take over operation of the VPN connecting them all).
>>>
>>> Thanks
>>>
>>> Ted
>>>
>>> --
>>> R.E.(Ted) Byers, Ph.D.,Ed.D.
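A small model of the two topologies discussed in this exchange, added here as an illustration; it is not code from the thread or from pfSense. `full_mesh` and `hub_and_spoke` build tunnel sets from a constructed list of site names, `mesh_tunnel_count` evaluates n(n-1)/2 (it returns 21 for seven sites), and `surviving_pairs` counts which pairs of surviving sites can still reach each other after a named site goes down, which is the failure case Ted asked about. The site names, the tunnel representation and the function names are all assumptions made for the example.

```python
"""Site-to-site VPN topologies: full mesh vs hub-and-spoke.

Added illustration for the mailing-list exchange above; not pfSense code.
The site names and the tunnel model are constructed for the example.
"""
from itertools import combinations


def mesh_tunnel_count(n: int) -> int:
    """Tunnels to configure for a full mesh of n sites: n(n-1)/2."""
    return n * (n - 1) // 2


def full_mesh(sites):
    """Every pair of sites gets its own tunnel (one frozenset per tunnel)."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_and_spoke(sites, hub):
    """Every non-hub site gets exactly one tunnel, to the hub."""
    return {frozenset((hub, s)) for s in sites if s != hub}


def reachable(tunnels, start, failed=frozenset()):
    """Sites reachable from `start` over surviving tunnels (iterative DFS).

    A tunnel is usable only if both of its endpoints are still up, so any
    site in `failed` is skipped along with every tunnel touching it.
    """
    if start in failed:
        return set()
    seen, todo = {start}, [start]
    while todo:
        cur = todo.pop()
        for tunnel in tunnels:
            if cur in tunnel:
                (other,) = tunnel - {cur}
                if other not in failed and other not in seen:
                    seen.add(other)
                    todo.append(other)
    return seen


def surviving_pairs(tunnels, sites, failed):
    """Number of pairs of surviving sites that can still talk after `failed` go down."""
    alive = [s for s in sites if s not in failed]
    return sum(
        1 for a, b in combinations(alive, 2) if b in reachable(tunnels, a, failed)
    )


if __name__ == "__main__":
    # Constructed example: four sites, hub at A.
    sites = ["A", "B", "C", "D"]
    mesh, star = full_mesh(sites), hub_and_spoke(sites, "A")
    for name, tunnels in (("full mesh", mesh), ("hub and spoke", star)):
        print(f"{name}: {len(tunnels)} tunnels")
        for down in sites:
            print(f"  {down} down -> {surviving_pairs(tunnels, sites, {down})} site pairs still connected")
```

Running the demo on four sites puts the trade-off in numbers: with a full mesh, losing any one site leaves the remaining three fully connected over their own tunnels; with a hub and spoke, losing a spoke costs nothing, but losing the hub leaves the remaining sites with no path at all, so the hub is the single point of failure the design has to account for.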
Re: [pfSense] Shutdown Interface?
I just checked my lab system and you can view live logs: 'Status --> System Logs'. Then choose the Firewall tab and the Dynamic View tab.

On 12/10/2015 12:14 PM, Joshua Young wrote:
> At this point, I do not believe there are any services open for students to access servers remotely. But we are reviewing all of our rules. We actually started this process before the DDoS attacks started, but they have heightened our awareness of the need to do so.
>
> It is configured to not respond to ICMP.
>
> We have considered the possibility of an infected machine on that network. We have updated and scanned all Windows computers on that network (which aren't that many as we are a mostly Mac environment). We encourage students and staff to keep their devices updated.
>
> One of the issues here that we were well aware of prior to this is the fact that the High School wireless network, which is the one that keeps getting targeted, is wide open. We're in a different situation here with the setup - we are what's known as an AOS (Alternative Organizational Structure). This was in response to a law passed in our state a few years ago requiring consolidation of school districts. I'm the Technology Coordinator, which means I am over all IT in the AOS. But each school is actually its own district with its own tech staff - we share certain resources (like a Superintendent and other Central Office staff) but there is a lot of local control at the school level, so much so that some things I can only make recommendations on and I cannot dictate what happens. It's very confusing and is really a ridiculous setup. But it is what I have to work with. The WAN is in my purview, as is the core LAN in each school. But the wireless network is actually the responsibility of the school and they therefore have the final say on what happens with it. The school tech staff make the decisions regarding the wireless networks - this is one of the areas where I can only make recommendations.
>
> Like I said - very confusing and it gets quite frustrating! My Network Admin and I keep recommending to the High School that they secure their network but they were steadfastly refusing - until now. Now they actually think it's a good idea (go figure). That may or may not have contributed to this spate of attacks but it certainly will help in the future.
>
> On Thu, Dec 10, 2015 at 3:11 AM, Robert Obrinsky <robrin...@roillc.com> wrote:
>> Are there any services open on that interface so that students can access servers from remote sites? Does your public address respond to ICMP? Is it possible that some of your students' computers/devices are members of a botnet and reporting back to a command and control server? Have you or someone you have hired conducted a penetration test of your public addresses? It seems too convenient that you are continually being rediscovered. How long before the new public address gets attacked?
>>
>> As far as outbound traffic is concerned, are there any protocols that are restricted, or is anything allowed out? I have seen hedge funds that were very serious about security where they only allowed their staff to access certain services from specific workstations. Granted, they almost certainly had fewer employees than you have students, but the idea is that they only allowed outbound services that were necessary for their business, and even then restricted those services to the individuals who required them. I am certain that the challenges of a high school population are much more difficult to control.
>>
>> Bob
>>
>> On 12/9/2015 12:32 PM, Joshua Young wrote:
>>> We have been working with our ISP but I'm looking for something we might be able to do here. I don't think there is a service that is being attacked. It's always the same interface - it's the public NAT IP for our High School wireless network. We change the public IP address and the problem goes away - until the new one is discovered.
>>>
>>> We have cycled through I think 6 IP addresses now that are available to us from at least two different ranges. We have not re-used any addresses - most of the addresses that were targeted are currently disabled by our ISP.
>>>
>>> On Tue, Dec 8, 2015 at 10:05 AM, WebDawg <webd...@gmail.com> wrote:
>>>> On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young <joshua.yo...@mdirss.org> wrote:
>>>>> We have recently been the target of DDoS attacks. The same interface is targeted each time. Is there any way we can shut down this interface automatically when this happens? Is there a way to maybe set a threshold for traffic and, when it reaches that threshold, automatically shut the interface down? When this happens, the pfSense is overwhelmed and our entire WAN loses Internet connectivity. I figure if we can shut the one interface that is being targeted down before the traffic gets to the point of saturating our bandwidth, then just that one network would be down rathe
Re: [pfSense] Shutdown Interface?
I am sorry to hear of the distributed responsibilities for the network; that only makes your job harder.

Any possibility of using a protocol analyzer (Wireshark) to see what is going out and where it is going? If you have managed switches with port mirroring capabilities, you can strategically place the protocol analyzer to see what kind of traffic (i.e. services) is leaving your network, and also see what kind of traffic is coming in.

I don't think pfSense has live logs (I am still fairly new to this product), but I have used other firewall products that do have this feature. The live logs have been very useful in determining what IP addresses are being contacted, what services are being requested, and who is attempting to do reconnaissance (port scanning) on your network from outside. Other than that, you will need to analyze the existing logs - not a task I ever look forward to. This is also one reason I like protocol analyzers, but for some reason, most IT departments won't spend the time to learn them and use them.

At some point, you may need to consider hardware. It is possible that the WAN interface is defective and just shuts down under moderate to heavy traffic. Have you been able to assess the packets/second hitting your WAN on this interface during the attacks? There are many on the forums who maintain that Intel and Broadcom NICs are robust and perform best in pfSense, and that Realtek NICs are problematic at best. I cannot confirm those opinions and just don't have the setup to make a definitive test. I use Realtek NICs in my firewalls, but my office is unlikely to see the variety and utilization that your networks do.

On 12/10/2015 12:14 PM, Joshua Young wrote:
> At this point, I do not believe there are any services open for students to access servers remotely. But we are reviewing all of our rules. We actually started this process before the DDoS attacks started, but they have heightened our awareness of the need to do so.
>
> It is configured to not respond to ICMP.
>
> We have considered the possibility of an infected machine on that network. We have updated and scanned all Windows computers on that network (which aren't that many as we are a mostly Mac environment). We encourage students and staff to keep their devices updated.
>
> One of the issues here that we were well aware of prior to this is the fact that the High School wireless network, which is the one that keeps getting targeted, is wide open. We're in a different situation here with the setup - we are what's known as an AOS (Alternative Organizational Structure). This was in response to a law passed in our state a few years ago requiring consolidation of school districts. I'm the Technology Coordinator, which means I am over all IT in the AOS. But each school is actually its own district with its own tech staff - we share certain resources (like a Superintendent and other Central Office staff) but there is a lot of local control at the school level, so much so that some things I can only make recommendations on and I cannot dictate what happens. It's very confusing and is really a ridiculous setup. But it is what I have to work with. The WAN is in my purview, as is the core LAN in each school. But the wireless network is actually the responsibility of the school and they therefore have the final say on what happens with it. The school tech staff make the decisions regarding the wireless networks - this is one of the areas where I can only make recommendations.
>
> Like I said - very confusing and it gets quite frustrating! My Network Admin and I keep recommending to the High School that they secure their network but they were steadfastly refusing - until now. Now they actually think it's a good idea (go figure). That may or may not have contributed to this spate of attacks but it certainly will help in the future.
>
> On Thu, Dec 10, 2015 at 3:11 AM, Robert Obrinsky <robrin...@roillc.com> wrote:
>> Are there any services open on that interface so that students can access servers from remote sites? Does your public address respond to ICMP? Is it possible that some of your students' computers/devices are members of a botnet and reporting back to a command and control server? Have you or someone you have hired conducted a penetration test of your public addresses? It seems too convenient that you are continually being rediscovered. How long before the new public address gets attacked?
>>
>> As far as outbound traffic is concerned, are there any protocols that are restricted, or is anything allowed out? I have seen hedge funds that were very serious about security where they only allowed their staff to access certain services from specific workstations. Granted, they almost certainly had fewer employees than you have students, but the idea is that they only allowed outbound services that were necessary for their business, and even then restricted those services to the individuals who required them
Re: [pfSense] Shutdown Interface?
Are there any services open on that interface so that students can access servers from remote sites? Does your public address respond to ICMP? Is it possible that some of your students' computers/devices are members of a botnet and reporting back to a command and control server? Have you or someone you have hired conducted a penetration test of your public addresses? It seems too convenient that you are continually being rediscovered. How long before the new public address gets attacked?

As far as outbound traffic is concerned, are there any protocols that are restricted, or is anything allowed out? I have seen hedge funds that were very serious about security where they only allowed their staff to access certain services from specific workstations. Granted, they almost certainly had fewer employees than you have students, but the idea is that they only allowed outbound services that were necessary for their business, and even then restricted those services to the individuals who required them. I am certain that the challenges of a high school population are much more difficult to control.

Bob

On 12/9/2015 12:32 PM, Joshua Young wrote:
> We have been working with our ISP but I'm looking for something we might be able to do here. I don't think there is a service that is being attacked. It's always the same interface - it's the public NAT IP for our High School wireless network. We change the public IP address and the problem goes away - until the new one is discovered.
>
> We have cycled through I think 6 IP addresses now that are available to us from at least two different ranges. We have not re-used any addresses - most of the addresses that were targeted are currently disabled by our ISP.
>
> On Tue, Dec 8, 2015 at 10:05 AM, WebDawg <webd...@gmail.com> wrote:
>> On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young <joshua.yo...@mdirss.org> wrote:
>>> We have recently been the target of DDoS attacks. The same interface is targeted each time. Is there any way we can shut down this interface automatically when this happens? Is there a way to maybe set a threshold for traffic and, when it reaches that threshold, automatically shut the interface down? When this happens, the pfSense is overwhelmed and our entire WAN loses Internet connectivity. I figure if we can shut the one interface that is being targeted down before the traffic gets to the point of saturating our bandwidth, then just that one network would be down rather than our entire WAN.
>>>
>>> --
>>> - "The number one benefit of information technology is that it empowers people to do what they want to do. It lets people be creative. It lets people be productive. It lets people learn things they didn't think they could learn before, and so in a sense it is all about potential." - Steve Ballmer -
>>>
>>> Josh Young
>>> Educational Technology Coordinator
>>> *Mount Desert Island Regional School System - AOS 91*
>>> 1081 Eagle Lake Road, Mt. Desert, ME 04660
>>> P.O. Box 60, Mt. Desert, ME 04660
>>> Phone: (207) 288-5049 | Fax: (207) 288-5071
>>
>> Can we have more details on the DDoS attack? Are you sure there are no other solutions than shutting it down? Why would it freeze? Is a service hosted by pfSense being attacked?

--
Robert Obrinsky
President
Robert Obrinsky Industries, LLC
1908 SE 45th Avenue
Portland, OR 97215
Office 503.719.4387
Mobile 503.752.8489
http://www.roillc.com
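Joshua's question about a traffic threshold that trips before the WAN saturates, and the earlier question in this thread about the packets/second hitting the interface during an attack, both come down to measuring the per-interface packet rate from what the firewall logs. The following is an added example, not pfSense code and not from anyone in the thread: it buckets firewall log lines into one-second counts per interface and reports the interfaces whose peak rate reaches a threshold. The log format is a simplified one constructed for the example (time, interface, action, src -> dst), not pfSense's real filterlog format, and the interface names and addresses in the sample are made up.

```python
"""Packets-per-second threshold check over firewall log lines.

Added example for the thread above; not pfSense code. The log format is a
simplified, constructed one (time interface action src -> dst), not the real
filterlog format, and the interface names and addresses are invented.
"""
from collections import Counter, defaultdict

# Constructed sample: a burst of 40 packets/second on WAN_HS for three
# seconds while WAN_CORE sees 3 packets/second (documentation-range addresses).
SAMPLE_LOG = "\n".join(
    [f"12:14:0{s} WAN_HS block 203.0.113.{i} -> 198.51.100.7"
     for s in range(3) for i in range(1, 41)]
    + [f"12:14:0{s} WAN_CORE pass 192.0.2.{i} -> 198.51.100.9"
       for s in range(3) for i in range(1, 4)]
)


def parse_line(line):
    """Return (timestamp, interface) for one constructed log line, or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    return parts[0], parts[1]


def packets_per_second(log_text):
    """Map interface -> Counter of {timestamp: packets} in one-second buckets.

    The constructed timestamps already have one-second resolution, so each
    distinct timestamp string is one bucket.
    """
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            timestamp, iface = parsed
            buckets[iface][timestamp] += 1
    return buckets


def peak_rate(log_text):
    """Highest one-second packet count observed per interface."""
    return {iface: max(counts.values())
            for iface, counts in packets_per_second(log_text).items()}


def interfaces_over_threshold(log_text, threshold_pps):
    """Sorted list of interfaces whose peak one-second rate reaches the threshold."""
    return sorted(iface for iface, rate in peak_rate(log_text).items()
                  if rate >= threshold_pps)


if __name__ == "__main__":
    for iface, rate in sorted(peak_rate(SAMPLE_LOG).items()):
        print(f"{iface}: peak {rate} packets/s")
    print("over 30 pps:", interfaces_over_threshold(SAMPLE_LOG, 30))
```

One measurement caveat that matches the thread's experience: once the upstream link is saturated, the firewall only logs the packets that made it through, so counts taken this way understate the attack, and the ISP-side counters are the ones that show the true rate. A threshold like this is therefore more useful as an alert and as a number to hand to the ISP than as a trigger that disables the interface on its own.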
Re: [pfSense] Shutdown Interface?
Found the description of the attack on GRC. Of course, it is rather dated (2001), but may offer some help in dealing with your ISP.

http://www.crime-research.org/library/grcdos.pdf

On 12/7/2015 8:40 AM, Joshua Young wrote:
> We have recently been the target of DDoS attacks. The same interface is targeted each time. Is there any way we can shut down this interface automatically when this happens? Is there a way to maybe set a threshold for traffic and, when it reaches that threshold, automatically shut the interface down? When this happens, the pfSense is overwhelmed and our entire WAN loses Internet connectivity. I figure if we can shut the one interface that is being targeted down before the traffic gets to the point of saturating our bandwidth, then just that one network would be down rather than our entire WAN.

--
Robert Obrinsky
President
Robert Obrinsky Industries, LLC
1908 SE 45th Avenue
Portland, OR 97215
Office 503.719.4387
Mobile 503.752.8489
http://www.roillc.com