pfSense has alternatives?!

Posted on February 07, 2010
Filed Under: Internet and web sites.

Sometimes I find a great idea, put it in writing, then realize that it isn't working. pfSense was one of those moments. To be fair to the project, I am still using pfSense in many places, and am perfectly pleased with it as a part of most solutions. But my corporate firewall had some issues that were causing me sleepless nights.

The first problem was with our VoIP provider. Finding a firewall configuration that worked with our SIP trunks took several hours, and the solution required the firewall to be more open than I would like. Fortunately, the instructions I found solved the problem, and we were online. Then, weeks later, and for reasons I don't care to review right now, I ran into my second problem. It appears that if you use PPTP connections to remote locations, you cannot turn on the PPTP server on the firewall. The reasons are just as complicated as the reasons behind the VoIP issue, but this time there was no solution, and I was left with grumbling users on both sides of the great wall.

The problems, as it turns out, were both caused by the same issue. pfSense uses Packet Filter (pf) for its firewall. pf, as I understand it, has a good history in security, but its connection-tracking system lacks support for at least a few of the protocols that I use on a regular basis.

After a bit of research, I learned that pfSense's parent project, m0n0wall, used a different firewall - ipfilter. On a whim, I switched out the memory card and replaced the main firewall with m0n0wall. The install process was basically the same process I learned from pfSense. The interface, though lacking some of the features and extensibility of pfSense, was so similar that I had everything reconfigured in minutes. Two notable differences: the VoIP worked out of the box, and PPTP was now available from both sides. I was now able to host a server and dial into remote networks. pfSense has failover options that I would have liked to explore some day, but right now PPTP was a make-it-or-break-it option. Both projects are great assets to the open source community, but at least for now, m0n0wall has taken over my main router.

by Chris Gamble

Comments:

m0n0wall uses ipfilter. There is no iptables on BSD. The PPTP issue you mentioned is somewhat the same in ipfilter, in that it can't NAT multiple internal hosts to a single external host, but it doesn't have the difficulties pf has when the server is enabled. Those things will get fixed in pf at some point, hopefully this year. As far as VoIP goes, the capabilities of m0n0wall are actually more limited. If pfSense doesn't work out of the box, but m0n0wall does, #1 here will resolve that. http://doc.pfsense.org/index.php/VoIP_Configuration They're both solid projects though (I'm a developer for both).

Posted by Chris Buechler on February 07, 2010 at 10:18 PM CST #

Chris, thanks for setting the record straight on the ipfilter issue. There is probably a lot of room for improvement in my knowledge of the two systems, and as I mentioned - I still have many boxes running pfSense due to its greater range of available software packages. My intent was primarily to point out that there was a difference between the two, and that even a novice could easily switch in order to gain the benefits of each. Thanks again for the information, and a third time for being a developer on these amazing systems.

Posted by Chris Gamble on February 07, 2010 at 10:32 PM CST #

Found the article on pfSense and bandwidth.com. Wanted to share it here in case someone else ran into these problems. http://forum.bandwidth.com/archive/index.php/thread-144.html

I just wanted to let everyone know that I figured out how to fix the one-way audio problem when using trixbox behind a pfSense firewall. The one-way audio problem didn't happen when using an IVR, only when using DID.

Besides opening the ports with NAT, and I do mean ALL ports (bandwidth.com doesn't conform to the standard media ports; you have to open ALL ports to your trixbox from 10000 on. Thanks bandwidth.com, that will be a nice security nightmare, but that's another topic. They say 1024 - 64000, but it works with 10000 - 64000), the setting that fixed my one-way audio problem was under Firewall -> NAT -> Outbound. You have to switch the setting from automatic to manual. It will then create a rule for you that you have to edit. Check the box for "static port" and apply the settings. That will change the rule to "static port=yes".

This will fix the one-way audio problem: since pfSense uses symmetric NAT instead of full cone NAT, the returning packets get lost if the ports aren't static outbound, aka one-way audio. If you are using another firewall and are having the one-way audio problem, you might try checking whether it has an option like that or not. I hope that this helps someone out there.

Posted by Chris Gamble on February 09, 2010 at 08:45 PM CST #
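The comment above explains the fix but not the mechanism. The following toy simulation is an added example (not pfSense or pf code, and the addresses and ports are constructed): it models an outbound NAT that either rewrites the source port or keeps it static, and shows why the provider's return RTP stream only reaches the PBX in the static-port case.

```python
"""Constructed model of why an outbound NAT 'static port' option cures one-way RTP audio.

Assumptions: the PBX sends RTP from UDP port 10000 and advertises that same port in
its SDP; the provider sends its audio back to the advertised port, not to the port it
observed as the packet source. None of this is pfSense's own code."""
import random


class OutboundNat:
    """Very small outbound NAT: one mapping per (inside host, inside port)."""

    def __init__(self, ext_ip, static_port):
        self.ext_ip = ext_ip
        self.static_port = static_port
        self.mappings = {}            # external port -> (inside ip, inside port)
        self.rng = random.Random(7)   # deterministic stand-in for random port selection

    def translate_outbound(self, src_ip, src_port):
        """Return the (ip, port) the Internet peer sees as the packet's source."""
        for ext_port, inside in self.mappings.items():
            if inside == (src_ip, src_port):
                return self.ext_ip, ext_port          # reuse existing state
        if self.static_port:
            ext_port = src_port                        # keep the inside source port
        else:
            ext_port = self.rng.randint(49152, 65535)  # rewrite to an ephemeral port
        self.mappings[ext_port] = (src_ip, src_port)
        return self.ext_ip, ext_port

    def deliver_inbound(self, dst_port):
        """Return the inside (ip, port) for an inbound packet, or None if no state matches."""
        return self.mappings.get(dst_port)


def simulate_call(static_port):
    """One call: PBX advertises its RTP port in SDP, the provider replies to that port."""
    pbx_ip, rtp_port = "192.168.1.10", 10000          # constructed inside host
    nat = OutboundNat("203.0.113.5", static_port)     # constructed external address
    sdp_advertised = (nat.ext_ip, rtp_port)           # m=audio 10000 plus external IP
    seen_by_provider = nat.translate_outbound(pbx_ip, rtp_port)  # PBX sends first
    inside = nat.deliver_inbound(sdp_advertised[1])   # provider answers the SDP port
    return {
        "provider_sees_source_port": seen_by_provider[1],
        "provider_sends_to_port": sdp_advertised[1],
        "pbx_receives_audio": inside == (pbx_ip, rtp_port),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("static_port =", mode, simulate_call(mode))
```

In pfSense this corresponds to the "Static Port" option on a manual outbound NAT rule; scoping that rule to the PBX's source address alone keeps source-port randomization for every other host behind the firewall.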
