Security How To

Introduction

In Part One of this series, we established a working definition of our target, i.e. what has to be done, and in what order, to turn Cerberus, our lowly IDS firewall, into a UTM appliance.

As we saw, there are six areas that need to be upgraded to grab the prize: IDS/IPS, Anti-Virus, Content Filtering, Traffic Control, Load Balancing and Failover, and finally Anti-Spam. We’ll step through each of the six functional areas and show you how to install and configure the required packages.

Once we have everything set up, we’ll look at performance and see whether Cerberus with pfSense can be called a UTM appliance. But first, we need to attend to some prerequisites, which include setting up a second WAN interface for load balancing and failover and installing Squid, a critical piece needed for content filtering and anti-virus.

Multiple WAN Setup

For the purposes of this upgrade, we’ve ordered service from another ISP. You may remember we had previously set up a little-used guest wireless interface to use for our second ISP WAN connection for testing. Now we need the real thing.

The setup is straightforward—enable the interface using the parameters provided by your ISP. In most cases this is just DHCP. Note that the FTP proxy should be disabled on all WAN interfaces, including this one. Figure 1 shows the settings.

Figure 1: Enabling the second WAN interface

You can test your second WAN interface by changing the gateway on the already-established LAN routing rule, the one that directs LAN traffic through our current default gateway. Get the gateway for OPT1 from Status->Interfaces, then under Firewall->Rules, edit the LAN rule, changing the gateway drop-down value to the OPT1 gateway IP as shown in Figure 2.

Figure 2: Testing the second WAN

Now, from a web browser, visit the GRC Shields-Up site. The IP it reports should be your IP address from the secondary ISP. If you can’t reach any web site, verify that the link is active by going to your modem/router diagnostics. If the IP address corresponds to your primary ISP, turn on logging for the routing rule, close your browser, and reboot your installation. Check the log once you are back up. If you still don’t see the new IP address, verify your gateway settings. But hold off changing it back to the default gateway until after we’ve tested our IDS changes below.

That’s it, done. We can now hang Snort on the secondary WAN interface and set up the needed proxy servers. Load balancing and failover will come later.
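The egress test above is a small decision tree: which ISP does the public IP reported by Shields-Up belong to, and what do you do for each outcome. Here it is as a script (an added example, not part of the original article or of pfSense); the two ISP subnets are constructed RFC 5737 documentation ranges standing in for the IP and subnet mask you read from Status->Interfaces for WAN and OPT1.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), standing in for the
# subnet each ISP assigns, as read from Status->Interfaces in pfSense.
PRIMARY_WAN_NET = "198.51.100.0/24"    # WAN, primary ISP (constructed)
SECONDARY_WAN_NET = "203.0.113.0/24"   # OPT1, secondary ISP (constructed)


def classify_egress(observed_ip, primary_net=PRIMARY_WAN_NET,
                    secondary_net=SECONDARY_WAN_NET):
    """Map the public IP an external site reports back to the ISP that owns it.

    Returns 'secondary', 'primary' or 'unknown'. Containment is tested against
    the interface subnet rather than equality, because a modem that NATs will
    show an address from the ISP block rather than the interface IP itself.
    """
    ip = ipaddress.ip_address(observed_ip)
    if ip in ipaddress.ip_network(secondary_net, strict=False):
        return "secondary"
    if ip in ipaddress.ip_network(primary_net, strict=False):
        return "primary"
    return "unknown"


def next_step(observed_ip, primary_net=PRIMARY_WAN_NET,
              secondary_net=SECONDARY_WAN_NET):
    """Turn the test outcome into the action the procedure calls for.

    observed_ip is None when no web site could be reached at all.
    """
    if observed_ip is None:
        return "no reply: check the modem/router diagnostics for the OPT1 link"
    result = classify_egress(observed_ip, primary_net, secondary_net)
    if result == "secondary":
        return ("ok: traffic leaves via OPT1; keep the LAN rule on the OPT1 "
                "gateway until the IDS tests are done")
    if result == "primary":
        return ("still on primary: enable logging on the LAN rule, close the "
                "browser, reboot, then check the firewall log")
    return "unknown: address matches neither ISP, verify the OPT1 gateway settings"


if __name__ == "__main__":
    # Constructed sample of what Shields-Up might report in each case.
    for seen in ("203.0.113.77", "198.51.100.5", "192.0.2.9", None):
        print(seen, "->", next_step(seen))
```

Run it with the real subnets from Status->Interfaces and the address Shields-Up shows you; the script only interprets the result, it does not fetch anything.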
