Unified PFSense users... Come in!!!!

  • 1. The reason I want pfSense at the perimeter/edge is that it is said to be secure because it is BSD-based, according to my readings only. I dunno if that is a false sense of security, but if it is true, then okay.

    2. As for Sophos in bridge mode: it's because Sophos is easier to put in bridge mode, its reporting is better and ready to use, and its application control and QoS/limiters are more detailed compared to pfSense. That's why it needs to know each IP address.

    3. It's correct that the software version of Sophos counts per IP, and all devices that have a gateway are counted even if they don't use the internet. That's why I also did NATting back then, after the Sophos software, to control the number of IP addresses. But with my latest discovery/style, I can keep the license cost to the minimum.

    So my impression is, pfSense is very good as a router and port/IP-based firewall, because it was made for that.
    While administration-wise, it's more efficient to use a paid web filter and updated network protection signatures.

    I hope the combination of these two products in our network will be good, and better if it could give us savings. Wish me luck. :)

    -- edited by phdot_com on Aug 15 2014, 05:07 PM
  • I see. Well, if it were me I would implement a syslog monitoring appliance (Linux) for reporting/log collection, but yeah, it will be a complicated setup, it will feel like a large enterprise (multiple firewalls, routers, log collection and analysis), and you'll need a dedicated admin just handling log collection, analysis and reporting. Well, good luck with the deployment.
  • Thanks again sir for the new point. I will look into that. I still have a lot to learn and will be asking you more questions as I go along. :)

    Especially security. Like, is it advisable to put an internal firewall like pfSense on my Windows or Linux servers that are just connected directly to the switches?

    I recall you mentioned that they should be connected to the router for security. So I thought maybe I could put a pfSense in front of all those servers. That is aside from the edge firewall. Your thoughts, sir?
  • Why does YouTube always go to HTTPS even though they are not logged in to Gmail, Ymail, FB, or YouTube?
  • Maybe Google is forcing HTTPS now..
  • @paturong_pfsense

    try using an older version of the browser (Firefox ESR)
  • Masters...

    Please teach me how to set up a captive portal using my 2nd LAN. My pf setup is single WAN, 2 LANs. The 1st LAN is connected to a switch. My plan is to attach the Wi-Fi for the captive portal to the 2nd LAN...

    TIA
  • Sirs, I'm new to pfSense, please help: single ISP, 8 Mbps, to be split into 3 Mbps for browsing and 5 Mbps for games. I'm using pfSense 2.1.4 + Squid. Many thanks.
  • @phdot_com
    It's segmentation where you isolate critical and/or sensitive servers as much as possible.

    Like, is it advisable to put an internal firewall like pfSense on my Windows or Linux servers that are just connected directly to the switches?


    Yes. I've already started segregating my server network from my workstation network at my home lab. Next process will be defining firewall rules in pfsense to block all non relevant ip addresses/services from the server network.

    So I thought maybe I could put a pfSense in front of all those servers. That is aside from the edge firewall.


    Yes, it can be done like this:

    internet
    |
    pfsense1
    |
    sophos--switch--workstations
    |
    pfsense2--switch--servers

    If sophos can't do routing, install a switch in front of sophos and pfsense2.
  • Please help.. who can install pfSense at my shop? I'm in the Dasma, Cavite area.. Thank you very much..
  • @Sir david,

    Thanks a lot. I will try that with Sophos, if not then pfSense. It can do inter-VLAN routing, plus it can also do firewalling and other controls. I will update you once I have tried.
  • ^No problem.
  • Can pfSense be set up for dual ISP if the mobo has only 1 PCI slot? The board is an Atom D945G. Thanks
  • @lowie
    Yes, just grab a dual port or a quad port nic card. Legacy pci nics are cheap at ebay, get those intel pro nics.
  • How do I block file extensions in pfSense... e.g. .EXE / .FLV / .AVI etc... please help.. TIA
  • If you know how to fiddle with iptables, that's possible, but not plausible these days.

    Especially if you download exe/zip/rar/mkv from a file-hosting site, which is based on AJAX/PHP, where you can't filter it anyway since the link the file host gives out is dynamic. Even a premium-based firewall can't do anything about that except block the entire file-hosting site instead.

    e.g.

    http://medosys.me/file.php=1235654
  • How do I block file extensions in pfSense... e.g. .EXE / .FLV / .AVI etc... please help.. TIA


    Search on Google, sir. Maybe that can be done in Squid. We can effectively block what we want to block in a paid UTM, but it can probably be done in the free one with some hard work.

    Here's one link..
    <click here for link>

    The only challenge nowadays is that your setup should also have HTTPS scanning capability.

    -- edited by phdot_com on Aug 19 2014, 08:30 AM
  • ^HTTPS is not designed to be intercepted, so it's technically impossible.

    In Squid, it's also not possible, since Squid only scans the raw URL; even caching YouTube requires the url_rewrite module to do the trick, since video links on YouTube are dynamic and not linked as .mp4 or .flv, to avoid manual link scanning of the YouTube page source. It doesn't check what that link can do, and instead caches it raw (if caching is enabled).

    Not even Sophos or MikroTik OS can do that work, at least for now. They can do a partial scan on the connection (checking the signature of a file, e.g. scanning the first 1024 bytes), but that would require a huge amount of CPU cycles to do the job, especially in a large-scale network.
  • well i am fortunate, in my situation, i can block https youtube video from loading, using application control of sophos utm.

    [ACK PSH] len=557 ttl=64 tos=0x00 srcmac=0:c:29:8d:dd:86
    09:13:46 Application control rule #1 YouTube 10.172.xx.xx : 33558 → 202.90.152.78 : 443

    [ACK PSH] len=245 ttl=64 tos=0x00 srcmac=0:c:29:8d:dd:86
    09:24:00 Application control rule #1 YouTube 10.172.xx.xx : 37431 → 202.90.152.78 : 443

    [ACK PSH] len=245 ttl=64 tos=0x00 srcmac=0:c:29:8d:dd:86
    09:24:02 Application control rule #1 YouTube 10.172.xx.xx : 41967 → 202.90.152.78 : 443


    -- edited by phdot_com on Aug 19 2014, 09:25 AM
  • @phdot_com, sir, I've now tried it here in pfSense, the one under Filtering Expression <click here for link>. When I tried to download Adobe Reader, it was indeed blocked..

    My question is, how do I edit or open squid.conf in pfSense.. thanks
  • Sirs, I just have a question..

    One of my shops has a rather weak signal from any wireless ISP, but here at my other shop at home the internet is okay. Both are running pfSense. Could I just pass my internet from here at home over to it.. is there such a thing? hehe, like a hotspot.. We're in neighboring barangays, I think the distance between us is not more than 1 km.. would it still reach, sirs?
  • One of my shops has a rather weak signal from any wireless ISP, but here at my other shop at home the internet is okay. Both are running pfSense. Could I just pass my internet from here at home over to it.. is there such a thing? hehe, like a hotspot.. We're in neighboring barangays, I think the distance between us is not more than 1 km.. would it still reach, sirs?


    First check whether there is line of sight between both points... if there is, buy Ubiquiti...
  • Is there anyone here using pfSense + SquidGuard + AD (LDAP) authentication?
    I can't get it to work. Please share your config.

    TIA
  • My question is, how do I edit or open squid.conf in pfSense.. thanks


    Never tried editing it in pfSense, sir.. I've only edited squid.conf on Linux before.


  • phdot_com on August 20, 2014 05:26 PM

    My question is, how do I edit or open squid.conf in pfSense.. thanks

    Never tried editing it in pfSense, sir.. I've only edited squid.conf on Linux before.


    There is.

    It's in General, at the very bottom: the custom options. It has a format.

    mhugsy on August 18, 2014 02:31 PM
    How do I block file extensions in pfSense... e.g. .EXE / .FLV / .AVI etc... please help.. TIA


    Squid can easily handle that and there's no need for SquidGuard. If you already have the prerequisite knowledge of handling Squid, you can apply that to pfnonsense

    urlpath_path regex -i ----------------------- you continue from there

    YouTube??

    That can be blocked; take your pick, a firewall rule or in Squid?

    firewall
    - reject

    squid
    - redirection / dictionary word blocking
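
The extension blocking discussed in the posts above (a Squid ACL that matches on the URL path, and its blind spots with dynamic links and HTTPS), modelled in Python as an added example that is not part of any post in the thread. The regex, the `downloads.example` host and the sample requests are constructed; `urlpath_regex` and `http_access` are Squid directives, and the script only approximates how such a rule matches.

```python
import re
from urllib.parse import urlsplit

# squid.conf lines this script models (constructed for this example):
#   acl blocked_ext urlpath_regex -i \.(exe|flv|avi)(\?.*)?$
#   http_access deny blocked_ext
BLOCKED_EXT = re.compile(r"\.(exe|flv|avi)(\?.*)?$", re.IGNORECASE)


def visible_path(method, target):
    """Return the URL path (plus query) a forward proxy can match on, or None."""
    if method.upper() == "CONNECT":
        # HTTPS through a proxy is a tunnel request for host:port only;
        # without TLS interception there is no path to inspect.
        return None
    parts = urlsplit(target)
    path = parts.path or "/"
    return f"{path}?{parts.query}" if parts.query else path


def decide(method, target):
    """Apply the extension rule; requests with no visible path pass through."""
    path = visible_path(method, target)
    if path is None:
        return "allow (path not visible)"
    return "deny" if BLOCKED_EXT.search(path) else "allow"


# Constructed sample requests; medosys.me is the dynamic link quoted in the thread.
SAMPLES = [
    ("GET", "http://downloads.example/tools/setup.EXE"),
    ("GET", "http://downloads.example/video/clip.flv?session=42"),
    ("GET", "http://downloads.example/docs/readme.txt"),
    ("GET", "http://medosys.me/file.php=1235654"),
    ("CONNECT", "downloads.example:443"),
]


def evaluate(samples=SAMPLES):
    """Return (method, target, verdict) for every sample request."""
    return [(method, target, decide(method, target)) for method, target in samples]


if __name__ == "__main__":
    for method, target, verdict in evaluate():
        print(f"{verdict:26} {method:8} {target}")
```

The two download requests that pass are the cases raised in the thread: a dynamic link with no file extension in its path, and an HTTPS tunnel where only the host and port are visible to the proxy.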
  • Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/captiveportal.inc:3539) in /usr/local/captiveportal/index.php on line 40
    Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/captiveportal.inc:3539) in /usr/local/captiveportal/index.php on line 41
    Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/captiveportal.inc:3539) in /usr/local/captiveportal/index.php on line 42
    Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/captiveportal.inc:3539) in /usr/local/captiveportal/index.php on line 43
    Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/captiveportal.inc:3539) in /usr/local/captiveportal/index.php on line 44
    Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/captiveportal.inc:3539) in /usr/local/captiveportal/index.php on line 76

    Please help, how can this be fixed in the captive portal?

    -- edited by bheeelaat on Aug 21 2014, 04:01 PM
