
pfSense and Package Install

Installing pfSense could not be easier, and is well documented here, but briefly:

  1. Burn a LiveCD, downloaded from pfSense.org.
  2. Boot the CD.
  3. Using Auto-Detect, plug in each network cable when prompted, in this order: LAN, WAN, OPT1/WLAN.
  4. Your router is now running from RAM. From the menu, select option 99, Install to hard disk.
  5. Go with the defaults to dedicate the hard disk to pfSense; once the install completes, remove the CD.
  6. From a browser, log in to your router's Web GUI at 192.168.1.1 with the default user name / password of admin / pfSense.
  7. Step through the setup wizard, changing the defaults: LAN IP, user name, password.
  8. Set up your wireless interface, change its name, and enable DHCP.
  9. Set up a firewall rule that allows the wireless interface to reach the WAN and, if you want it to, your LAN.

For Cerberus, this entire process took less than an hour and was seamless. You will also need to configure your legacy router to operate as an access point (AP). The steps are specific to your router, but generally you need to disable its DHCP server and connect it to your network through one of its LAN ports, not its WAN port. You can also check this popular how-to.

For your wireless bridge setup, follow the manufacturer's directions. These tend to be configured first and then plugged into your optional WLAN interface.

Snort

As previously introduced, Snort is a packet inspection rules engine that scans network traffic for anything that might raise an eyebrow. The rules for Snort come from Snort.org and are comprehensive: thousands of rules. As you can imagine, setting up and running Snort is more demanding, both for you and for your build: for you, because of the inevitable false positives, and for your build, because of the sheer amount of processing and memory that real-time packet scanning against that many rules requires.

To get rules for your install, you need to register with Snort.org and get your free Oinkmaster code. Once you have your code, you are ready to install.

All packages for pfSense are added through the System->Packages submenu. Once the package is added, enter your code into Snort's global settings (Figure 8) by going back to the Packages page and then to Services->Snort. Then update the rules through the Update tab. If the update fails, ensure there are no leading or trailing blanks in your Oinkmaster code.

Figure 8: Snort global settings

You now need to bind Snort to your interfaces. Start with the WAN interface; like alarming your main entrance, this is where most of the action occurs. I recommend either the AC-STD or AC-SPARSEBANDS memory model, which provide a good balance between performance and memory usage (Figure 9).

Figure 9: Snort WAN interface settings

Choosing to block offenders will make you less visible to those probing your network for a weakness and offers higher security, but it requires more administration, as you'll need to clear false positives and add them to your whitelist. A shorter block period in the global settings will ease this burden. I use one day, but a couple of hours would probably be enough to make an attacker move on to an easier target.
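As an added example (not code from the original article or from the pfSense Snort package), here is a small Python tool for the whitelist and block-period bookkeeping described above: it parses Snort fast-format alert lines, skips sources on a whitelist, works out when each block lapses, and ranks the noisiest rules so that false positives can be reviewed first. The alert lines, SIDs and IP addresses are constructed for the example; the whitelist assumes the 192.168.1.0/24 LAN from the install steps.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# One line of Snort's "fast" alert format; the optional port groups also cover ICMP alerts.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts: placeholder SIDs in the local 1000000+ range, documentation IP ranges.
SAMPLE_ALERTS = """\
05/24-02:09:45.100000  [**] [1:1000001:1] CONSTRUCTED web server probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80
05/24-02:10:02.200000  [**] [1:1000001:1] CONSTRUCTED web server probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51240 -> 192.0.2.10:80
05/24-02:11:30.300000  [**] [1:1000002:1] CONSTRUCTED noisy DNS rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.20:53412 -> 192.168.1.1:53
05/24-02:12:00.400000  [**] [1:1000003:1] CONSTRUCTED ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10
05/24-02:12:05.500000  [**] [1:1000002:1] CONSTRUCTED noisy DNS rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.21:41000 -> 192.168.1.1:53
05/24-02:12:09.600000  [**] [1:1000002:1] CONSTRUCTED noisy DNS rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.20:41002 -> 192.168.1.1:53
"""

def parse_alerts(text, year):
    """Parse fast-format alert lines; the format carries no year, so the caller supplies it."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert line (truncated or malformed entry)
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
        alerts.append({"ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "src": ipaddress.ip_address(m["src"])})
    return alerts

def build_blocklist(alerts, whitelist_cidrs, now_iso, block_hours):
    """Map each non-whitelisted alert source to its block expiry (latest alert + block period)."""
    whitelist = [ipaddress.ip_network(c) for c in whitelist_cidrs]
    now = datetime.fromisoformat(now_iso)
    blocks = {}
    for a in alerts:
        if any(a["src"] in net for net in whitelist):
            continue  # whitelisted hosts are never blocked, however noisy their alerts
        expiry = a["ts"] + timedelta(hours=block_hours)
        if expiry > now:  # blocks older than the block period have already lapsed
            blocks[str(a["src"])] = max(blocks.get(str(a["src"]), expiry), expiry)
    return blocks

def noisiest_sids(alerts, n=3):
    """Rank rules by alert volume (whitelisted sources included): review these first for false positives."""
    return Counter((a["sid"], a["msg"]) for a in alerts).most_common(n)
```

Shortening the block period from 24 hours to 2 drops the older web-probe source from the blocklist while the more recent ping sweep stays, which is the trade-off the text describes.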

Once this is done, turn on the rules you want applied. Return to the Snort Interfaces tab and select the edit icon for the WAN interface. For many of the rules, HTTP Inspect has to be enabled. You'll also want to normalize specific traffic for scanning and enable port scan detection; both are done via the Preprocessors tab. These settings are pretty self-explanatory (Figure 10).

Figure 10: Snort preprocessor settings

We are now ready to select the rules that Snort will apply. From the Preprocessors tab, select Categories. If the update succeeded, the rule categories should be prefixed with Snort, ET (Emerging Threats), or pfSense. These are the rule sources; ignore any categories without a prefix.

One way to approach these categories is to think of them as three types: policy, specific-target, and general-target categories. The policy categories include P2P, Games, and Inappropriate, and allow you to block those types of traffic on your network. For example, you might enable the P2P categories on your Guest WLAN interface because of bandwidth or legal-responsibility concerns.

Specific-target categories cover a particular protocol or software package that attackers may go after. These include protocols like SNMP, IMAP, and NNTP and software packages like IIS, Oracle, and MySQL. If you are not running these protocols or software packages on your network, there is no reason to enable those categories. Remember, the more categories you enable, the larger the performance burden; likewise, the more categories you enable, the higher the probability of false positives and the bigger the network administration headache.

The general-target categories, as I'm sure you've guessed, cover general attacks on your network, for example the denial-of-service, web client, and exploit categories. You'll probably want to enable all of these.

If you are unsure which type a category is, just click on it. This takes you to the corresponding rule set, where the rule descriptions should clear up the ambiguity. For example, are the FTP categories policy or specific-target?

Once you've finished selecting your categories and saved your settings, you can start Snort for the WAN interface from the Snort Interfaces tab. You can now be confident that you are protected against all sorts of nefarious interlopers.

You'll find that it takes longer to set up Snort than it took to bring up pfSense for the first time, but for the protection it offers you will find the time well spent.
