Re: [pfSense] looking for perfect pfsense box for home?

2016-08-03 Thread Robert Obrinsky
I put a Kill-a-Watt meter on it and measured it. During boot-up, it 
spiked around 58 watts. After settling down at boot, it seems to run 
consistently at 32-34 watts. Processor utilization rarely exceeds 6%. I 
run different firewall software but am running a web proxy with AV, 
snort, intermittent site-to-site VPNs when I need to connect to client 
sites for troubleshooting, SSL and L2TP remote access protocols.


I did have a problem with the on-board Intel NIC - could not handle 
heavy packet loads and would stop responding. Never figured out if it 
was a hardware problem or software problem with that particular model 
(Intel Corporation 82579LM Gigabit Network Connection) as opposed to the 
dual port cards (Intel Corporation 82571EB Gigabit Ethernet Controller) 
which have been working well.


In my case, I am willing to accept the power utilization for the 
flexibility to load just about any of the open source firewalls onto it.


On 8/3/2016 8:21 AM, rai...@ultra-secure.de wrote:

On 2016-08-03 17:15, Robert Obrinsky wrote:

I am currently using a refurb HP Elite 8200 SFF that I bought through
Newegg. I removed the video card so I could use the built-in video and
added 2 dual port HP gigabit NICs (Intels in reality) from Amazon. It
came with 4 GB RAM, 500 GB hard drive, and Core I-5 processor at 3.3
GHz. Very quiet. Upgraded the RAM to 8 GB.




How much energy does that thing consume then?

Because it runs all year 24x7, for years sometimes, it can make a huge 
difference buying a smaller and less power-hungry device.


AFAIK, the SG-devices are quite frugal in that respect.


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] looking for perfect pfsense box for home?

2016-08-03 Thread Robert Obrinsky
I am currently using a refurb HP Elite 8200 SFF that I bought through 
Newegg. I removed the video card so I could use the built-in video and 
added 2 dual port HP gigabit NICs (Intels in reality) from Amazon. It 
came with 4 GB RAM, 500 GB hard drive, and Core I-5 processor at 3.3 
GHz. Very quiet. Upgraded the RAM to 8 GB.



Robert Obrinsky President Robert Obrinsky Industries, LLC 1908 SE 45th 
Avenue Portland, OR 97215 Office 503.719.4387 Mobile 503.752.8489 
http://www.roillc.com

On 08/03/2016 12:37 AM, Eero Volotinen wrote:

Any ideas where to find a perfect pfSense box for home usage?

It must be cheap and silent. A Netgate device? A Shuttle box?

--
Eero




Re: [pfSense] VPN client

2015-12-11 Thread Robert Obrinsky
To me, it sounds like you want a fully meshed VPN solution and you
should be able to set that up. The formula for a fully meshed
network is:

n(n-1)/2

where n = number of locations to connect.

3 locations is not a big deal as

3(3-1)/2 = 3 VPN connections. But if you move to using more
locations, it gets much more complex very quickly. For example,
5(5-1)/2 = 10 VPN connections to configure
7(7-1)/2 = 28 VPN connections to configure

So, it is also possible to configure a hub and spoke type of
communications. It is a much simpler diagram, but if the hub goes down,
all VPN communications between the sites are lost.


On 12/9/2015 8:21 PM, Ted Byers wrote:
> Thanks.
>
> This is good to know.  Now, I ask your forbearance as I am a
> programmer, not a network administrator.
>
> My question is this.  Suppose I have three sites on different
> continents, each having a DMZ and vault, and within each vault there is
> an instance of a MySQL database.  I need these instances of the
> database to function as a cluster using the usual suite of MySQL
> clustering tools for managing such a cluster, but this presupposes the
> databases can talk to each other through the LAN.  I thought I might
> manage this by creating a VPN that connects the vaults, but how do I
> ensure that this VPN remains functional for the sites that are up even
> if the site that established the VPN goes down.  Or can this VPN be
> entirely peer to peer, not functioning like I'd expect if one had sole
> responsibility as a VPN server and the others as clients thereof.
>
> I am not sure I am even using the right language to describe what I am
> after, but do you understand what I am trying to do, and can I do this
> using pfsense?  And if I can, the question is how?  In this context,
> is it OK to be a bit pedantic as, like I said, I develop programs and
> normally leave this sort of question to a network administrator (to
> which I do not have access at present).
>
> Thanks
>
> Ted
>
> On Wed, Dec 9, 2015 at 12:59 PM, C. R. Oldham  wrote:
>> Yes, it can do site-to-site VPN as well as be a server for remote clients.
>>
>> --cro
>>
>>
>> On Tue, Dec 8, 2015 at 10:15 PM, Ted Byers  wrote:
>>
>>> Is it possible to use pfsense as a client, replacing a Checkpoint
>>> UTM-1 Edge W with AES256 ?  You see, I have one of these Checkpoint
>>> routers that has failed, and it had been used as a client to a VPN.  I
>>> know I can use pfsense to provide VPN access to machines behind it.  I
>>> have done this, and use OpenVPN to connect to the machines
>>> protected by pfsense.
>>>
>>> I suppose I could use OpenVPN as the client, and will investigate
>>> that.  But I need to know if pfsense can function as both a server and
>>> as a client (for the unrelated purpose of configuring clusters of LANs
>>> each of which is protected by pfsense, so that regardless of which LAN
>>> fails, the others in the cluster can take over operation of the VPN
>>> connecting them all).
>>>
>>> Thanks
>>>
>>> Ted
>>>
>>> --
>>> R.E.(Ted) Byers, Ph.D.,Ed.D.
>
>

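A worked illustration of the trade-off in the reply above, added here as an example and not part of the original thread: it enumerates the tunnels a full mesh (n(n-1)/2) and a hub-and-spoke layout need for a constructed set of sites, then simulates one site failing to show which surviving site pairs lose VPN connectivity in each topology. Site names and the choice of hub are constructed.

```python
"""Tunnel count and single-site failure behaviour for the two site-to-site
VPN topologies discussed: full mesh (n(n-1)/2 tunnels) vs hub and spoke."""
from itertools import combinations

def mesh_tunnels(sites):
    """Every pair of sites gets its own tunnel: n(n-1)/2 in total."""
    return [frozenset(p) for p in combinations(sites, 2)]

def hub_spoke_tunnels(sites, hub):
    """Only hub<->spoke tunnels: n-1 in total."""
    return [frozenset((hub, s)) for s in sites if s != hub]

def reachable_pairs(sites, tunnels, down):
    """Pairs of surviving sites that can still reach each other, possibly
    via other surviving sites (graph search over the tunnels still up)."""
    live = [t for t in tunnels if not (t & down)]   # drop tunnels at a dead site
    alive = [s for s in sites if s not in down]
    pairs = set()
    for start in alive:
        seen, queue = {start}, [start]
        while queue:
            cur = queue.pop()
            for t in live:
                if cur in t:
                    (nxt,) = t - {cur}
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
        pairs |= {frozenset((start, s)) for s in seen if s != start}
    return pairs

def lost_pairs(sites, tunnels, down):
    """Surviving site pairs that lose VPN connectivity when `down` fails."""
    survivors = [s for s in sites if s not in down]
    wanted = {frozenset(p) for p in combinations(survivors, 2)}
    return wanted - reachable_pairs(sites, tunnels, down)

if __name__ == "__main__":
    sites = ["A", "B", "C", "D", "E"]   # constructed: five vault sites
    print(len(mesh_tunnels(sites)), "mesh tunnels,",
          len(hub_spoke_tunnels(sites, "A")), "hub-and-spoke tunnels")
    print("mesh, A down, pairs lost:", lost_pairs(sites, mesh_tunnels(sites), {"A"}))
    print("hub-and-spoke, hub A down, pairs lost:",
          lost_pairs(sites, hub_spoke_tunnels(sites, "A"), {"A"}))
```

With the hub down, every surviving pair is cut off; with any single site down in a full mesh, no surviving pair is.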


Re: [pfSense] Shutdown Interface?

2015-12-11 Thread Robert Obrinsky
I just checked my lab system and you can view live logs. 'Status 
-->System Logs'. Then choose the Firewall tab and Dynamic View tab.


On 12/10/2015 12:14 PM, Joshua Young wrote:

At this point, I do not believe there are any services open for students to
access servers remotely.  But we are reviewing all of our rules.  We
actually started this process before the DDoS attacks started but they have
heightened our awareness of the need to do so.

It is configured to not respond to ICMP.

We have considered the possibility of an infected machine on that network.
We have updated and scanned all Windows computers on that network (which
aren't that many as we are a mostly Mac environment).  We encourage
students and staff to keep their devices updated.

One of the issues here that we were well aware of prior to this is the fact
that the High School wireless network, which is the one that keeps getting
targeted, is wide open.  We're in a different situation here with the setup
- we are what's known as an AOS (Alternative Organizational Structure).
This was in response to a law passed in our state a few years ago requiring
consolidation of school districts.  I'm the Technology Coordinator, which
means I am over all IT in the AOS.  But, each school is actually its own
district with its own tech staff - we share certain resources (like a
Superintendent and other Central Office staff) but there is a lot of local
control at the school level, so much so that some things I can only make
recommendations on and I cannot dictate what happens.  It's very confusing
and is really a ridiculous setup.  But it is what I have to work with.

The WAN is in my purview, as is the core LAN in each school.  But the
wireless network is actually the responsibility of the school and they
therefore have the final say on what happens with it.  The school tech
staff make the decisions regarding the wireless networks - this is one of
the areas that I can only make recommendations.  Like I said - very
confusing and it gets quite frustrating!

My Network Admin and I keep recommending to the High School that they
secure their network but they were steadfastly refusing - until now.  Now
they actually think it's a good idea (go figure).  That may or may not have
contributed to this spate of attacks but it certainly will help in the
future.

On Thu, Dec 10, 2015 at 3:11 AM, Robert Obrinsky <robrin...@roillc.com>
wrote:


Are there any services open on that interface so that students can access
servers from remote sites? Does your public address respond to ICMP? Is it
possible that some of your students' computers/devices are members of a
botnet and reporting back to a command and control server? Have you or
someone you have hired conducted a penetration test of your public
addresses? It seems too convenient that you are continually being
rediscovered. How long before the new public address gets attacked?

As far as outbound traffic is concerned, are there any protocols that are
restricted, or is anything allowed out? I have seen hedge funds that were
very serious about security where they only allowed their staff to access
certain services from specific workstations. Granted, they almost certainly
had fewer employees than you have students, but the idea is that they only
allowed outbound services that were necessary for their business, and even
then restricted those services to the individuals who required them. I am
certain that the challenges of a high school population are much more
difficult to control.

Bob


On 12/9/2015 12:32 PM, Joshua Young wrote:


We have been working with our ISP but I'm looking for something we might be
able to do here.  I don't think there is a service that is being attacked.
It's always the same interface - it's the public NAT IP for our High School
wireless network.  We change the public IP address and the problem goes
away - until the new one is discovered.  We have cycled through I think 6
IP addresses now that are available to us from at least two different
ranges.  We have not re-used any addresses - most of the addresses that
were targeted are currently disabled by our ISP.

On Tue, Dec 8, 2015 at 10:05 AM, WebDawg <webd...@gmail.com> wrote:

On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young <joshua.yo...@mdirss.org>
wrote:


We have recently been the target of DDoS attacks.  The same interface is
targeted each time.  Is there any way we can shut down this interface
automatically when this happens?  Is there a way to maybe set a threshold
for traffic and, when it reaches that threshold, automatically shut the
interface down?  When this happens, the pfSense is overwhelmed and our
entire WAN loses Internet connectivity.  I figure if we can shut the one
interface that is being targeted down before the traffic gets to the point
of saturating our bandwidth, then just that one network would be down
rathe

Re: [pfSense] Shutdown Interface?

2015-12-11 Thread Robert Obrinsky
I am sorry to hear of the distributed responsibilities for the network, 
and that only makes your job harder.


Any possibility of using a protocol analyzer (Wireshark) to see what is 
going out and where it is going? If you have managed switches with port 
mirroring capabilities, you can strategically place the protocol 
analyzer to see what kind of traffic (i.e. - services) is leaving your 
network, and also see what kind of traffic is coming in.


I don't think pfSense has live logs (I am still fairly new to this 
product), but I have used other firewall products that do have this 
feature. The live logs have been very useful in determining what IP 
addresses are being contacted, what services are being requested, and 
who is attempting to do reconnaissance (port scanning) on your network 
from outside. Other than that, you will need to analyze the existing 
logs - not a task I ever look forward to. This is also one reason I like 
protocol analyzers, but for some reason, most IT departments won't spend 
the time to learn them and use them.


At some point, you may need to consider hardware. It is possible that 
the WAN interface is defective and just shuts down under moderate to 
heavy traffic. Have you been able to assess the packets/second hitting 
your WAN on this interface during the attacks? There are many on the 
forums who maintain that Intel and Broadcom NICs are robust and perform 
best in pfSense, and that Realtek NICs are problematic at best. I cannot 
confirm those opinions and just don't have the setup to make a 
definitive test. I use Realtek NICs in my firewalls, but my office is 
unlikely to see the variety and utilization that your networks do.


On 12/10/2015 12:14 PM, Joshua Young wrote:

At this point, I do not believe there are any services open for students to
access servers remotely.  But we are reviewing all of our rules.  We
actually started this process before the DDoS attacks started but they have
heightened our awareness of the need to do so.

It is configured to not respond to ICMP.

We have considered the possibility of an infected machine on that network.
We have updated and scanned all Windows computers on that network (which
aren't that many as we are a mostly Mac environment).  We encourage
students and staff to keep their devices updated.

One of the issues here that we were well aware of prior to this is the fact
that the High School wireless network, which is the one that keeps getting
targeted, is wide open.  We're in a different situation here with the setup
- we are what's known as an AOS (Alternative Organizational Structure).
This was in response to a law passed in our state a few years ago requiring
consolidation of school districts.  I'm the Technology Coordinator, which
means I am over all IT in the AOS.  But, each school is actually its own
district with its own tech staff - we share certain resources (like a
Superintendent and other Central Office staff) but there is a lot of local
control at the school level, so much so that some things I can only make
recommendations on and I cannot dictate what happens.  It's very confusing
and is really a ridiculous setup.  But it is what I have to work with.

The WAN is in my purview, as is the core LAN in each school.  But the
wireless network is actually the responsibility of the school and they
therefore have the final say on what happens with it.  The school tech
staff make the decisions regarding the wireless networks - this is one of
the areas that I can only make recommendations.  Like I said - very
confusing and it gets quite frustrating!

My Network Admin and I keep recommending to the High School that they
secure their network but they were steadfastly refusing - until now.  Now
they actually think it's a good idea (go figure).  That may or may not have
contributed to this spate of attacks but it certainly will help in the
future.

On Thu, Dec 10, 2015 at 3:11 AM, Robert Obrinsky <robrin...@roillc.com>
wrote:


Are there any services open on that interface so that students can access
servers from remote sites? Does your public address respond to ICMP? Is it
possible that some of your students' computers/devices are members of a
botnet and reporting back to a command and control server? Have you or
someone you have hired conducted a penetration test of your public
addresses? It seems too convenient that you are continually being
rediscovered. How long before the new public address gets attacked?

As far as outbound traffic is concerned, are there any protocols that are
restricted, or is anything allowed out? I have seen hedge funds that were
very serious about security where they only allowed their staff to access
certain services from specific workstations. Granted, they almost certainly
had fewer employees than you have students, but the idea is that they only
allowed outbound services that were necessary for their business, and even
then restricted those services to the individuals who required them

Re: [pfSense] Shutdown Interface?

2015-12-10 Thread Robert Obrinsky
Are there any services open on that interface so that students can 
access servers from remote sites? Does your public address respond to 
ICMP? Is it possible that some of your students' computers/devices are 
members of a botnet and reporting back to a command and control server? 
Have you or someone you have hired conducted a penetration test of your 
public addresses? It seems too convenient that you are continually being 
rediscovered. How long before the new public address gets attacked?


As far as outbound traffic is concerned, are there any protocols that 
are restricted, or is anything allowed out? I have seen hedge funds that 
were very serious about security where they only allowed their staff to 
access certain services from specific workstations. Granted, they almost 
certainly had fewer employees than you have students, but the idea is 
that they only allowed outbound services that were necessary for their 
business, and even then restricted those services to the individuals who 
required them. I am certain that the challenges of a high school 
population are much more difficult to control.


Bob

On 12/9/2015 12:32 PM, Joshua Young wrote:

We have been working with our ISP but I'm looking for something we might be
able to do here.  I don't think there is a service that is being attacked.
It's always the same interface - it's the public NAT IP for our High School
wireless network.  We change the public IP address and the problem goes
away - until the new one is discovered.  We have cycled through I think 6
IP addresses now that are available to us from at least two different
ranges.  We have not re-used any addresses - most of the addresses that
were targeted are currently disabled by our ISP.

On Tue, Dec 8, 2015 at 10:05 AM, WebDawg <webd...@gmail.com> wrote:


On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young <joshua.yo...@mdirss.org>
wrote:

We have recently been the target of DDoS attacks.  The same interface is
targeted each time.  Is there any way we can shut down this interface
automatically when this happens?  Is there a way to maybe set a threshold
for traffic and, when it reaches that threshold, automatically shut the
interface down?  When this happens, the pfSense is overwhelmed and our
entire WAN loses Internet connectivity.  I figure if we can shut the one
interface that is being targeted down before the traffic gets to the point
of saturating our bandwidth, then just that one network would be down
rather than our entire WAN.

--


Josh Young
Educational Technology Coordinator

*Mount Desert Island Regional School System - AOS 91*
1081 Eagle Lake Road, Mt. Desert, ME 04660
P.O. Box 60, Mt. Desert, ME 04660
Phone: (207) 288-5049 | Fax: (207) 288-5071



Can we have more details on the DDoS attack?  Are you sure there are
no other solutions than shutting it down?  Why would it freeze?  Is a
service hosted by pfSense being attacked?







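The log-analysis and egress-restriction ideas from the two Robert Obrinsky replies above (peak packets/second on the WAN during an attack, outside hosts doing port reconnaissance, and allowing only the outbound services each workstation needs) as an added example, not code from the thread or from pfSense. It runs over constructed sample log lines in a simplified format of my own, not pfSense's filterlog format; the addresses and allowlist are constructed too.

```python
"""Analyse constructed firewall log lines: peak packets/second on the WAN,
outside hosts probing many ports, and outbound flows a default-deny
per-workstation egress allowlist would have blocked."""
from collections import Counter, defaultdict

# Constructed sample, fields: "epoch action iface dir src dst proto dport"
SAMPLE_LOG = """\
1449700000 block wan in 203.0.113.9 198.51.100.2 tcp 22
1449700000 block wan in 203.0.113.9 198.51.100.2 tcp 23
1449700000 block wan in 203.0.113.9 198.51.100.2 tcp 80
1449700000 block wan in 203.0.113.9 198.51.100.2 tcp 443
1449700000 block wan in 203.0.113.9 198.51.100.2 tcp 3389
1449700000 block wan in 203.0.113.9 198.51.100.2 tcp 8080
1449700001 block wan in 203.0.113.10 198.51.100.2 udp 53
1449700001 pass lan out 10.1.5.20 192.0.2.7 tcp 443
1449700001 pass lan out 10.1.5.20 192.0.2.8 tcp 6667
1449700002 pass lan out 10.1.5.21 192.0.2.9 tcp 80
1449700002 pass lan out 10.1.5.22 192.0.2.10 tcp 25
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, action, iface, direction, src, dst, proto, dport = line.split()
        rows.append({"ts": int(ts), "action": action, "iface": iface,
                     "dir": direction, "src": src, "dst": dst,
                     "proto": proto, "dport": int(dport)})
    return rows

def peak_pps(rows, iface="wan", direction="in"):
    """Busiest one-second bucket on an interface: the packets/second figure
    the thread asks for when judging whether the WAN NIC is saturated."""
    per_second = Counter(r["ts"] for r in rows
                         if r["iface"] == iface and r["dir"] == direction)
    return max(per_second.values(), default=0)

def probing_sources(rows, min_ports=5):
    """Outside hosts that touched at least min_ports distinct ports on the
    WAN: the reconnaissance pattern the live firewall log makes visible."""
    ports = defaultdict(set)
    for r in rows:
        if r["iface"] == "wan" and r["dir"] == "in":
            ports[r["src"]].add(r["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

# Constructed egress allowlist: workstation -> (proto, dport) it may reach.
EGRESS_ALLOW = {"10.1.5.20": {("tcp", 443)},
                "10.1.5.21": {("tcp", 80), ("tcp", 443)}}

def egress_violations(rows, allow=EGRESS_ALLOW):
    """Outbound flows a per-workstation, default-deny egress policy blocks;
    a host absent from the allowlist may reach nothing."""
    return [(r["src"], r["dst"], r["proto"], r["dport"]) for r in rows
            if r["dir"] == "out"
            and (r["proto"], r["dport"]) not in allow.get(r["src"], set())]

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("peak inbound WAN pps:", peak_pps(rows))
    print("sources probing many ports:", probing_sources(rows))
    for v in egress_violations(rows):
        print("egress policy violation:", v)
```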


Re: [pfSense] Shutdown Interface?

2015-12-08 Thread Robert Obrinsky
Found the description of the attack on GRC. Of course, it is rather 
dated (2001), but may offer some help in dealing with your ISP.

http://www.crime-research.org/library/grcdos.pdf

On 12/7/2015 8:40 AM, Joshua Young wrote:

We have recently been the target of DDoS attacks.  The same interface is
targeted each time.  Is there any way we can shut down this interface
automatically when this happens?  Is there a way to maybe set a threshold
for traffic and, when it reaches that threshold, automatically shut the
interface down?  When this happens, the pfSense is overwhelmed and our
entire WAN loses Internet connectivity.  I figure if we can shut the one
interface that is being targeted down before the traffic gets to the point
of saturating our bandwidth, then just that one network would be down
rather than our entire WAN.



