Router Charts

Router Charts

Router Ranker

Router Ranker

Router Chooser

Router Chooser

NAS Charts

NAS Charts

NAS Ranker

NAS Ranker

More Tools

More Tools

Security How To

Introduction

In Part One of this series, we established a working definition of our target, i.e. what has to be done, and in what order, to Cerberus the lowly IDS firewall to make it a UTM Appliance.

As we saw, there are six areas that need to be upgraded to grab the prize: IDS/IPS, Anti-Virus, Content Filtering, Traffic Control, Load Balancing and Failover, and finally Anti-Spam. We’ll step through each of the six functional areas and show you how to install and configure the required packages.

Once we have everything set up, we’ll look at performance and see if Cerberus with PFSense is able to be called a UTM appliance. But first, we need to attend to some prerequisites, which include setting up a second WAN interface for load balancing and fail-over and installing Squid, a critical piece needed for content filtering and anti-virus.

Multiple WAN Setup

For the purposes of this upgrade, we’ve ordered service from another ISP. You may remember we had previously set up a little-used guest wireless interface to use for our second ISP WAN connection for testing. Now we need the real thing.

The setup is straightforward—enable the interface using parameters provided by your ISP. In most cases this is just DHCP. Note, the FTP Proxy should be disabled on all WAN interfaces, including this one. Figure 1 shows the settings.

Enabling the second WAN interfaceFigure 1: Enabling the second WAN interface

You can test your second WAN interface by changing the gateway on the already-established LAN routing rule, the one that directs LAN traffic through our current default gateway. Get the gateway for OPT1 from Status Interfaces, then under Firewall->Rules, edit the LAN rule, changing the gateway drop-down value to the OPT1 gateway IP as shown in Figure 2.

Testing the second WAN

Figure 2: Testing the second WAN

Now from a web browser, visit the GRC Shields-Up Site. Your IP should correspond to your IP address from the secondary ISP. If you can’t reach any web site, verify that the link is active by going to your modem/router diagnostics. If the IP Address corresponds to your primary ISP, turn on logging for the routing rule, close your browser, and reboot your installation. Check the log once you are back up. If you still don’t see the new IP address, verify your gateway settings. But hold off changing it back to the default gateway until after we’ve tested our IDS changes below.

That’s it, done. We can now hang Snort on the Secondary WAN interface and  set up the needed proxy servers. Load balancing and failover will come later.

More Stuff

Featured Sponsors




Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Top Performing Routers

AC3200
AC2600
AC1900
AC1750
AC1200

Top Performing NASes

NoRAID
RAID1
RAID5

Over In The Forums

I have a new Asus RT-88U router. I engaged the Trend Micro protection features, and I had the first website link blocked today by that software. How...
​What happens to throughput when you start bouncing signals around a mesh Wi-Fi network? We compared multi-hop performance for eero, Luma, Amplifi a...
Iam going to assume Microsoft has been messing around again since i can still access from the drive from my netbook. When i try to access the drive i...
Hi there, Router Netgear R7000 using Asuswrt-Merlin with latest build. There is no usb drive connected. Windows Home Server is connected to the rout...
Hi, I'm using AT&T's Pace 5268AC gateway and a ASUS AC5300. I have the gateway setup to receive the internet, then act as a pass-thru device using ...

Don't Miss These

  • 1
  • 2
  • 3