pfSense

Velvis

Hi All,

I am starting to do more and more work for a client and I have discovered an old PC under a desk running pfSense. I am not familiar with this, but after a quick Google search it seems to be a standalone firewall.

This client is a small gym with 3 desk computers and a server (which is really just a file server), plus this pfSense machine. The software they use is web based (the old software was client/server based, which is why they have the server).

The pfSense machine seems like overkill. Is there a way to replace it with another piece of software or hardware that wouldn't require such a behemoth running 24/7/365?

I have a feeling the owner has no idea it is there or why it is there.
 
Is the pfSense box acting as the router as well? With good quality NICs in a PC like this, it makes an inexpensive, high-powered router. I use it for businesses that need high throughput and the flexibility of things like 1:1 routing and traffic shaping. You can do similar things with DD-WRT or Tomato, but the hardware is more capable.
I use Untangle more now, but pfSense is rock solid.
With a flash drive instead of a hard disk, the old PCs don't work very hard or use much power.
 
pfSense is a very simple firewall. You can throw it on a 10-year-old computer and it will run fine. I don't know what kind of behemoth is there, but pfSense shouldn't be run on a high-end box, especially if it's only supporting 4 servers.

Since it is there, I wouldn't bother. If he was my client, I would back up the pfSense configuration, install Untangle on a similar machine, and use that as the UTM firewall. Other solutions such as SonicWall and WatchGuard work too, but I am more familiar with Untangle, and it's free as he already has the hardware.

There is a demo at demo.untangle.com. The login and password are both "demo".
 
What about just using the Verizon router as the firewall? Most of my clients don't have a dedicated firewall and I don't really see a reason for this client to have one. They are just a workout gym using web-based check-in software. Seems like overkill.
 
We install pfSense at all of our business client locations as a content filter and firewall. You can really dial things in with that software to what the business management wants or doesn't want their personnel looking at.
We will use up to 4 NICs (one being wireless) in a system that we set up with pfSense. I would say any old system would work, but that's not true if you don't have enough slots to put in all of the NICs that you plan to use.
A dual-core system with a 40 GB hard drive, 512 MB of RAM and preferably onboard video is good, though a P4 3.0 or less works too.

When the client has a server rack we will use an old 1U server and add on a dual NIC card.

We know the software well enough that it's faster to deploy than any of those premium options... and this software is free :D
 
OP, you could just use the Verizon router if you wanted; the pfSense might be overkill, but you are surely downgrading them if you remove it.

You may find things in the future that would work better with a real firewall, and perhaps miss the pfSense if you swap it out.

Many times you get an issue with advanced services like VoIP when using the router that came with the internet.

But yeah.. it probably won't hurt anything to remove it.

It's PROBABLY a better idea to learn pfSense and start doing more with them for your other clients :)

You can buy them in a small form factor if that's your problem with it:
https://www.pfsense.org/hardware/
 
Have you looked at the configuration of the pfSense box to see what it is doing? It's hard to decide what you can replace it with if you don't know what its function is.

Overkill or not, someone put it there for a reason. It would have been much simpler to just use the basic firewall in the Verizon router. We are just guessing if we don't know what it's there for. There is no comparison between the firewall in the Verizon router and the many functions pfSense can perform.

Have you logged into it and seen the settings?
 
I use pfSense extensively. If the hardware is a concern to you, purchase a Netgate device running pfSense. It is much more energy efficient, and relatively cheap at $300. You should be able to back up the settings and restore them to the Netgate. It will also include a year of support for pfSense once you register. You really can't go wrong with pfSense. Use this opportunity to learn how to use it and you will be better off.
 
Are they offering WiFi to their members? Could be why they are using pfSense.

For setups like this I would use pfSense (firewall/router), Untangle (UTM) and PacketFence (NAC, BYOD management options).
 
If the client wants/needs WiFi, just add a WiFi card to the pfSense computer.

We often have to use an old tall box computer so we have enough PCI slots for all of the NICs we install.
I had bought 40 new 10/100 NICs for $3.00 each a while back, which I have been using, and just yesterday bought 4 PCI-e gigabit cards for $5 each from a reputable dealer on eBay.
We don't like to put much money into the machines we use... it's really to our advantage to replace what they are currently using with a pfSense.
 
Yes, they are offering WiFi to their clients. That's why they called me in: they wanted to get rid of the WiFi password/captive portal stuff pfSense was doing.

I didn't remove pfSense, but I did shut off the captive portal/login thing as their clients were complaining about having to sign in every day.
 
I would have at least a terms of use agreement, only for the WiFi side, on the captive portal, with no password or login credentials. The gym wouldn't want to be liable without a terms of use agreement.

Here's a picture of what I mean.
http://www.knowzy.com/images/McDonalds_WiFi-Enjoy_Free_Wi-Fi_Now-Sm.gif
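Before deciding what to keep or remove, the thread's advice is to look at what the box is actually configured to do. The following is an added example, not code from the thread or the pfSense project: it parses a constructed config backup in a pfSense-like layout and reports, per captive-portal zone, whether a login is demanded and whether a terms-of-use page is shown, flagging open zones with no terms page. The element names (`captiveportal`, `zone`, `enable`, `auth_method`, `page`) are assumptions modelled on pfSense's config.xml and should be checked against a real backup.

```python
# Audit captive-portal zones in a pfSense-style config.xml backup.
# Added example, not from the thread or the pfSense project. The XML layout is a
# constructed stand-in modelled loosely on pfSense's config.xml (<captiveportal>
# holding one element per zone); element names are assumptions, so check them
# against the real backup before relying on the output.
import xml.etree.ElementTree as ET

# Constructed sample: a password-protected zone with a terms page, and an open
# zone (no login) with no terms page at all.
SAMPLE_CONFIG = """<pfsense>
  <captiveportal>
    <members>
      <zone>members</zone><interface>opt1</interface><enable/>
      <auth_method>local</auth_method>
      <page>terms.html</page>
    </members>
    <guests>
      <zone>guests</zone><interface>opt2</interface><enable/>
      <auth_method>none</auth_method>
    </guests>
  </captiveportal>
</pfsense>"""


def audit_captive_portal(config_xml: str) -> list[dict]:
    """One finding per enabled zone: does it demand a login, and does it
    show a custom (terms-of-use) page before granting access?"""
    root = ET.fromstring(config_xml)
    findings = []
    for zone in root.findall("./captiveportal/*"):
        if zone.find("enable") is None:
            continue  # disabled zone: nothing is enforced on that interface
        auth = zone.findtext("auth_method", default="none")
        findings.append({
            "zone": zone.findtext("zone", default=zone.tag),
            "interface": zone.findtext("interface", default="?"),
            "requires_login": auth != "none",
            "has_terms_page": zone.find("page") is not None,
        })
    return findings


def open_zones_without_terms(config_xml: str) -> list[str]:
    """Zones that let anyone on without a login AND show no terms page:
    the combination the thread recommends against."""
    return [f["zone"] for f in audit_captive_portal(config_xml)
            if not f["requires_login"] and not f["has_terms_page"]]
```

Run it against the constructed sample and the `guests` zone is reported as open with no terms page, which is exactly the state the gym ended up in after the login was switched off.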
 
pfSense really REALLY rocks....I encourage you to get familiar with it. I've played with the distro since...like..version 1.01. It's a Ferrari! Very VERY fast distro, with incredible QoS features.

Very very fast, lean and mean distro, by default.
They have a sort of app store, where you can download and install many plugins/extensions, some of which can pork it up a bit. Yes...likely overkill for a small 4-computer network...depends what the client's needs are, I suppose.
 
What are the potential problems and risks of not having a ToS login page?

Pretty certain there are no criminal issues, but certainly civil. By law an ISP cannot sniff the traffic to determine whether a user is breaking any laws, such as emailing threats. If the ISP/provider has no T&Cs stating that the service cannot be used for illegal purposes, blah, blah, blah, someone filing a civil suit could include them. Without the T&Cs it would be tough to get excluded.
 
Yep. For example, if people were looking at child porn on their network or doing illegal activities, without the terms and conditions it might be possible for an attorney to say, well, you knew such activity might occur. With them, on the other hand, they could at least say we made an effort to secure things.
 