Basic pfsense to pfsense IPSEC tunnel config

Rolfsa is another user who’s replacing Cisco PIX boxes with pfSense.

Part of my security redesign this year is to replace our aging Cisco PIX boxes with pfsense. Yesterday I spent the day setting up a simulated environment for 3 of our offices over an Internet connection. I was able to get the IPSEC tunnel up and running between two pfsense boxes pretty quickly. Here’s a quick and dirty process for getting it all to work:

ANNOUNCEMENT: BSD Router Project (bsdrp)

Olivier Cochard-Labbé, an IP routing expert and founder of FreeNAS (a FreeBSD based Network-Attached-Storage system), has released the first alpha (0.1) image of his new project: BSD Router Project - http://bsdrp.net

bsdrp is an open source customised distribution of FreeBSD dedicated to offering IP routing services for small ISPs.

The release 0.1 of BSDRP is a fully working prototype, to be used on real or virtual machines that boot from an ATA device only (not USB).

This first release includes:

  • Base FreeBSD 8.0-CURRENT system (NanoBSD) for i386
  • Customized script (config, upgrade, help, command completion, etc…)
  • Quagga ready to use (OSPFv2, OSPFv3, RIP, RIPng and BGP)

You may ask what the difference is between BSDRP and m0n0wall or pfSense.

  • The main goal of BSDRP is not firewalling but routing. If you need a firewall, don’t use BSDRP: use m0n0wall or pfSense.
  • BSDRP is not for home use, but for company use (small ISPs, for example).
  • BSDRP doesn’t have a Web GUI: it is configured from a CLI only (like Cisco or Juniper).
  • pfSense can be used for routing, but Olivier wanted to set up a Cisco or Juniper like project just for routing.

Thanks, Olivier, for contacting me to announce this project. If you have any (new) FreeBSD related products or services that you want to announce, submit it here.

Comparison between pfSense and Check Point

Jake describes his experiences with the router systems pfSense and Check Point.

After having used the CheckPoint safe@office in a live environment for almost two months, I have now decided to go back to using my homebuilt pfSense firewall.

Both firewalls have pros and cons. For me the pros of the pfSense made it for me. The biggest pro of the pfSense is definitely the speed. Even if both firewalls are able to deliver around 100 Mbit/s throughput, the CheckPoint has some nasty lags sometimes, and sometimes drops connections to IRC, MSN, ICQ and also web downloads, even though I made a rule to allow all those protocols. Anyway, the biggest pro of the CheckPoint is without a doubt its power consumption, heat and sound level. It has a power consumption of about 15-20W compared to my pfSense, which is about 60W. No heat whatsoever from the CheckPoint either. And it makes NO sound at all; it’s fanless.

Whole article here (cyberinfo.se – 06/10/2009)

pfSense is also mentioned at the bottom of the “Enterprises cut costs with open-source routers” article on news.idg.no

FreeBSD link roundup – 28/04/09

FreeBSD

1) Martin Wilke is looking for people to test QT 4.5.1. He also reports he managed to get Firefox 3.1 Beta4 working on FreeBSD. Please test.

2) Ivan Voras has done some virtualised benchmarking of

  • Ubuntu 8.10,
  • FreeBSD 7.1 and
  • Windows Server 2008 R2 beta

on the three currently most prominent virtualisation platforms:

  • VMWare ESX 3.5 U3,
  • Citrix XenServer 5.0 U2,
  • Microsoft Hyper-V 2008 R2

“The results are mostly better than I thought they would be. Especially surprising was FreeBSD’s more than decent performance, which actually led the others in one benchmark…”

… The results show that a wholly-virtualized FreeBSD machine under ESXi was consistently almost as fast as the para-virtualized Xen Linux.


pfSense

About a month ago, the pfSense developers gave a sneak preview of the new pfSense dashboard theme. Following feedback and comments, Holger Bauer has now designed a new theme:

Well, after there was not too much love for my last theme, I tried to do something more mass-compatible this time, trying to take all the criticism I earned so far into consideration:

  • less colorful, stick with the original pfSense colors (grey/red)
  • don’t waste too much space for the header/footer
  • kind of corporate look
  • static menu that doesn’t scroll away (I guess that at least was something everybody liked about the hackathon theme)
  • more lightweight on graphics

So here is what I came up with so far. This is still in the making, so (like always) your feedback is appreciated and might influence the final result.

New design here


BSD Certification

Dru Lavigne has an update on the BSDA Exam

The BSD Associate Exam is now over a year old! Here are some interesting stats so far:

  • 12 events in all of 2008; 14 events in just the first half of 2009
  • Over 1000 people have registered for a BSDCG ID (needed to register for an exam)
  • The exam has been held in US, Brazil, Canada, Germany, Japan, France, Denmark, Ukraine, Netherlands, Argentina, and the UK
  • So far, 66 people have passed the BSDA exam and received their certificates
  • Read further

Cisco meets its match (pfSense)

Cisco products are generally good and reliable, but often expensive. RickC had some issues with a Cisco firewall and takes the free pfSense for a spin, and he loves it… Is that surprising?

Enter PFSense - the BSD-based firewall distro closely related to the m0n0wall project. Having used several host-based firewalls like Smoothwall and m0n0wall over the years, I figured I’d give PFSense a shot. I threw together a PIII 550 with 256MB RAM and a pair of Intel NICs – and installed pfsense, which is actually a LiveCD that you can then install to disk or USB drive. The most basic setup is done from a menu-driven CLI, but once the interfaces are assigned and the LAN side has an IP, you can access the web UI. Better yet – it’s a web UI that works! From there I was able to config PPPoE and all the NAT settings I needed in minutes. From there it was just a matter of moving a few cables and I was switched over with an absolute minimum of downtime.

The feature set of pfsense is rich, easily on par with commercial appliances. IPSEC, 1:1 NAT, inbound and outbound load balancing, fail-over, good logging options, lots of built-in graphing and monitoring and an excellent UI. It’s built on BSD 7.0 and costs you absolutely nothing. The distro is under constant development and its current status as per Secunia is zero unpatched vulnerabilities. The PFsense community is strong and development of utils and add-ons offers many options to the operator. The nice thing about having such a reasonable solution – you can easily afford to build a backup to either run in failover mode or use to swap out should your pfsense hardware fail.

I will likely continue to use PFSense going forward as my main firewall. I guess I will still play with the 851; I can use it to learn more IOS and become a 1337 Cisco zealot like those I so admire.

Full story on parallel42.ca (23/03/2008)