
I’ve been doing some pretty interesting things with Splunk lately, and finally got around to toying with the Google Maps Splunk app. I was able to find a couple of boilerplate Splunk configuration files from another blog post that needed some tweaks to get going properly. I’ve created a YouTube video demonstrating the ability to visualize pfSense firewall attacks in Google Maps, using the MAXMIND GeoIP plugin to translate the source IP addresses into coordinates.

The blocked traffic can be viewed historically or in real-time, as the video demonstrates.

Setup Guide

This tutorial presumes that you have a working pfSense router and a Splunk server deployed. There are a couple of ways to get the pfSense firewall logs over to the Splunk server; this guide has pfSense send syslog over UDP to a UDP syslog listener on the Splunk server. Keep in mind that syslog over UDP is neither encrypted nor authenticated, so the firewall and the Splunk server should talk over a management network you control, and the listener should not be reachable from untrusted networks.

In this guide, I will be using:

  • Splunk v4.3.1
  • pfSense 2.1-Development

Splunk Configuration: Setup Files

First, we need to create a couple of files on the Splunk server. If you have not done so already, set the $SPLUNK_HOME environment variable with the following command, changing the path to fit your installation: export SPLUNK_HOME=/opt/splunk



Save these two files and make them owned by the account Splunk runs as: chown splunk:splunk $SPLUNK_HOME/etc/system/local/*.conf

Splunk Configuration: Setup UDP Input

The next thing to do is setup the Splunk server to listen on a UDP port to collect the firewall logs from the pfSense router. This is done by navigating in the Splunk web UI to:

  • Manager > Data Inputs > UDP > New

Splunk UDP 514 Input Dialog

For the UDP port, choose port 514. This is the default UDP port pfSense will send to (it can be changed, but that goes beyond the scope of this guide). Note that on Linux a non-root Splunk process cannot bind a port below 1024 without extra privileges, so if Splunk runs as the splunk user you will either need to grant it that capability or pick a port above 1024 on both sides.

Set the sourcetype to Manual and enter pfsense-firewall as the type. Optionally choose Host, Index and Restriction settings and save.

Restart the Splunk server with $SPLUNK_HOME/bin/splunk restart, or from your init script if you have one configured.

Splunk Configuration: Install Google Maps and MAXMIND

These two apps can be installed from the Splunk App Manager (they usually appear on the first page of results when navigating to the Find more apps link). No special configuration changes are needed to get either of the two Splunk apps going.

pfSense Configuration

From the pfSense web UI, browse to: Status > System Logs and click the Settings tab. Check the Send log messages to remote syslog server checkbox, and enter the IP address of your Splunk server.

pfSense Syslog Settings Dialog

Save the settings and return to the Splunk web UI.

Google Maps Test Drive

At this point, your pfSense firewall should be logging firewall events to the Splunk server, and the events should appear under the pfsense-firewall sourcetype in the main Search dashboard. If the pfSense router is internal to the network and does not have any traffic hitting it from its WAN side, you may have to be creative with a tool such as Nmap (run from a host you control, against your own WAN address) to “wake it up” and produce firewall events.

Once you have confirmed that events are being logged in Splunk, drill down into the pfsense-firewall sourcetype in the search dialog and ensure that the following fields are being shown:

  • action
  • protocol
  • src_ip
  • src_port
  • dest_ip
  • dest_port

After this is confirmed, go ahead and navigate to the Google Maps Splunk app page, and enter the following Splunk Search:

  • sourcetype="pfsense-firewall" block | geoip src_ip

Adjust the time window to your tastes, and get a geographic picture of where the blocked traffic is coming from!
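The two configuration files above boil down to a field extraction that turns each firewall log line into the action, protocol, src_ip, src_port, dest_ip and dest_port fields, which the search then filters on "block" before handing src_ip to geoip. The following script is an added example, not code from the original post or from Splunk: it does the same extraction in Python over a few constructed syslog lines, counts blocked sources the way the search does, and includes a minimal UDP listener that only accepts datagrams from the firewall's address. The log lines are constructed to resemble the tcpdump-style "pf:" messages pfSense 2.x forwarded over syslog; the exact format differs between releases, so treat the regular expression as an assumption to check against your own logs.

```python
"""Extract pfSense firewall fields from syslog lines and count blocked sources.

Added example; not code from the original post. The sample lines below are
constructed and the "pf:" line format is an assumption about pfSense 2.x.
"""
import re
import socket
from collections import Counter

# Field extraction for tcpdump-style pf log lines (assumed format). Ports are
# optional so that ICMP lines, which have none, still parse.
PF_LINE = re.compile(
    r"pf: (?P<ts>\S+) rule (?P<rule>\S+): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\S+): .*?proto (?P<protocol>[A-Za-z0-9-]+) \(\d+\).*?\) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<src_port>\d+))? > "
    r"(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dest_port>\d+))?"
)

# Constructed sample input using documentation/benchmark address ranges.
SAMPLE_LINES = [
    "<134>Mar 15 10:01:02 pfsense pf: 00:00:02.123456 rule 67/0(match): block in on em0: "
    "(tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60) "
    "203.0.113.5.43210 > 198.51.100.2.22: Flags [S], seq 1, win 65535, length 0",
    "<134>Mar 15 10:01:03 pfsense pf: 00:00:02.223456 rule 67/0(match): block in on em0: "
    "(tos 0x0, ttl 48, id 0, offset 0, flags [none], proto UDP (17), length 78) "
    "203.0.113.5.53211 > 198.51.100.2.161: [|snmp]",
    "<134>Mar 15 10:01:04 pfsense pf: 00:00:03.000001 rule 5/0(match): pass out on em0: "
    "(tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) "
    "198.51.100.2.51000 > 192.0.2.10.443: Flags [S], seq 1, win 65535, length 0",
    "<134>Mar 15 10:01:05 pfsense pf: 00:00:03.100001 rule 67/0(match): block in on em0: "
    "(tos 0x0, ttl 244, id 54321, offset 0, flags [none], proto ICMP (1), length 84) "
    "198.18.0.7 > 198.51.100.2: ICMP echo request, id 1, seq 1, length 64",
    # Not a firewall event; the parser must ignore it.
    "<134>Mar 15 10:01:06 pfsense sshd[123]: Accepted publickey for admin from 10.0.0.5",
]

FIELDS = ("action", "protocol", "src_ip", "src_port", "dest_ip", "dest_port")


def parse_line(line):
    """Return the six Splunk-style fields for a pf line, or None for other lines."""
    m = PF_LINE.search(line)
    if not m:
        return None
    return {name: m.group(name) for name in FIELDS}


def blocked_sources(lines):
    """Count blocked events per source IP: the equivalent of the 'block' search."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event and event["action"] == "block":
            counts[event["src_ip"]] += 1
    return counts


def run_listener(bind_host, port, accept_from, handler, max_datagrams=None):
    """Receive syslog over UDP and hand parsed firewall events to handler.

    Datagrams not sent from accept_from (the firewall's address) are dropped.
    UDP source addresses are trivially spoofable, so this is only a filter,
    not authentication; keep the listener on a management network.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_host, port))
    seen = 0
    try:
        while max_datagrams is None or seen < max_datagrams:
            data, (src, _) = sock.recvfrom(65535)
            seen += 1
            if src != accept_from:
                continue
            event = parse_line(data.decode("utf-8", "replace"))
            if event:
                handler(event)
    finally:
        sock.close()


if __name__ == "__main__":
    for ip, n in blocked_sources(SAMPLE_LINES).most_common():
        print(f"{ip}\t{n} blocked")
```

Run it as-is to see the per-source counts for the constructed lines; to listen for real traffic, call run_listener with the Splunk-side bind address, the port configured in pfSense and the firewall's IP, and feed each event's src_ip to whatever geolocation step you use.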



This is a howto guide for establishing an IPSec VPN tunnel to an Amazon Virtual Private Cloud (VPC) using the pfSense 2.0 (RC1) open source router / firewall distribution. We will use Border Gateway Protocol (BGPv4) inside the tunnel, between the inside IP addresses, to exchange routes between the VPC and the example network using the OpenBGPD software package (available in the pfSense distribution as an add-on package).

pfSense AWS VPC IPsec Tunnel BGP Diagram

In this tutorial, we will be using the following example network topology for demonstration purposes (be sure to change the RFC 1918 WAN address space we show to your actual WAN address, as well as the LAN and AWS subnets to match your requirements):

Please be sure to make a backup of your entire pfSense configuration before proceeding, in case you need to restore a sane configuration.

Step #1: Deploy an Amazon VPC

Comprehensive instructions on setting up a Virtual Private Cloud on Amazon AWS can be found on the Getting Started Guide.

Although we will not cover all of the steps required for launching an Amazon VPC, you must supply an available external IP address on your pfSense gateway as the Customer Gateway address during the setup process. In this example, we are using an address from our /28 WAN subnet.

In the setup process, you must define the internal address space for your VPC subnet, which will be associated with your VPC instances. After configuring the tunnel (presuming you have set this up using the AWS Management Console), navigate to VPN Connections, highlight the connection you created, and select Download Configuration, choosing the generic vendor-agnostic configuration option. This download contains the pre-shared keys, tunnel endpoint addresses, inside addresses and BGP parameters used in the remaining steps, so store it somewhere safe.

You should also at this point create an instance in your new VPC and assign it an IP address within the VPC subnet you have defined, so that later on you will be able to perform networking tests from hosts inside your pfSense LAN.

Another important step is to ensure that the Security Group associated with your VPC instance permits the traffic you will test with (at minimum ICMP and SSH/TCP 22 from your pfSense LAN subnet, rather than from anywhere). The Network ACLs, out of the box, are set up to allow all traffic.

We will cover the other relevant settings required on the AWS side for networking later in this tutorial.


Step #2: Install Required Software

The next phase in our setup is to install the BGP daemon software from within the pfSense web UI. Navigate to System > Packages and install the OpenBGPD software. We will come back later to actually configure this software.


Step #3: Configure the Virtual IP Address Space on pfSense

We will need to create an IP alias of for our Inside Address, so that we can communicate with our Amazon BGP peer (neighbor) at

In the pfSense web UI, navigate to Firewall > Virtual IPs, and select the plus button to add a new item. Match the configuration shown in the image below and save:

pfSense Virtual IP


Step #4: Create a New Gateway and Static Route

The next step in the process is to configure a gateway on the pfSense WAN. This gateway will be used by the static route toward our AWS BGP peer.

In the pfSense web UI, navigate to System > Routing, which will bring you to the Gateways tab. Set the following parameters as shown in the image below, adjusting the values for your particular deployment:

pfSense Amazon VPC BGP Gateway
After creating the new gateway and applying the changes, select the Routes tab, and replicate the following settings as shown below:

pfSense Amazon VPC BGP Route

pfSense will now be able to properly route the BGP traffic through our predefined Customer Gateway in our IPSec tunnel.


Step #5: Configure the pfSense IPSec VPN

We will now setup our IPSec VPN. From the pfSense web UI, navigate to VPN > IPSec, and select the plus button to create a new phase 1 entry. Copy the following settings shown below:

pfSense IPSec Tunnel

Save and apply these settings, and make sure to leave the tunnel disabled for now.

Create a new phase 2 entry by selecting the button as shown below:

pfSense Phase 2 Button Tunnel

This will reveal the list of associated phase 2 tunnels (currently empty). Select the plus button to create a new phase 2 entry as shown in the image below:

pfSense New IPSec Phase 2

Setup this tunnel with the local and remote subnets like so, ensuring that it is enabled before saving:

pfSense IPSec Phase 2 Tunnel 1

We will now create a second tunnel (repeating the process above), but this time declaring the local LAN subnet behind our pfSense router in the Local Subnet field, and the VPC subnet we wish to connect to in the Remote Subnet field:

pfSense IPSec Phase 2 Tunnel 2


Step #6: Configure OpenBGPD

Our configuration process is now ready for setting up our BGP daemon. Navigate to Services > OpenBGPD and configure the Settings tab as follows:

pfSense Services OpenBGPD

Next, setup a BGP group under the Group tab as shown below (make sure you reference the parameters provided in the VPC configuration you downloaded earlier):

pfSense Services OpenBGPD Group 2

Now we need to navigate to the Neighbors tab, and setup the parameters for our VPC peer:

pfSense Services OpenBGPD Neighbors 3

We are almost there…

Step #7: Setup IPSec Interface Firewall Rules

One important step in our initial setup phase is to create a rule on the IPSec interface in the Firewall > Rules dialog on the pfSense router. For initial testing, allow bidirectional traffic for all protocols on the IPSec interface; we will tighten this down once the tunnel and BGP session are confirmed working.

pfSense IPSec Firewall Rules


Step #8: Finalize Settings and Enable IPSec VPN

One of our last steps before we enable our VPN is to browse back to the AWS Management Console and edit our VPC Route Tables.

To finalize our routes, we must setup:

  • Destination: <pfSense LAN Subnet> | Target: vgw-acbd1234
  • Destination: <VPC Subnet> | Target: local
  • Destination: <> | Target: igw-abcd1234

Please verify that all of the above have the Status of active before proceeding.

The remainder of this guide will focus on bringing up our connections, and will aim to give you the tools and dialogs needed to troubleshoot any potential issues.


Navigate back to VPN > IPSec from the pfSense web UI, and edit the IPSec phase 1 VPN you created. Uncheck Disable this phase 1 entry, then Save and Apply Changes.

At this point pfSense will enable the IPSec VPN.

You should now navigate to Status > IPSec in a new browser tab to monitor the status, Security Associations and logs. It may take some time for the connection to establish, depending on your pfSense system resources and network latencies, so have a bit of patience for the VPN to fully initialize.

When the two green icons appear under the Status menu (Status > IPSec > Overview), this will confirm that the VPN is up. Be sure to check the pfSense system logs if these both do not appear within a few minutes time.


Open another browser tab and navigate in the pfSense web UI to Services > OpenBGPD > Status. Here we are looking for a couple of things.

First we should look and see if we have established communications by viewing the OpenBGPD Summary section, and taking note of the Up/Down column. We can also view the system logs, under Status > System Logs where we should see the bgpd process log valid next hops.

Second, you will want to check the OpenBGPD IP section to confirm that OpenBGPD is seeing the routes announced from the VPC (in this case, you should see on one line AND your VPC subnet listed).

The OpenBGPD Neighbors section at this point should also be populated with statistics.

Test Networking to a VPC Running Instance

Presuming your pfSense deployment has been set to allow all traffic on the IPSec interface (and your LAN interface is set to allow egress ICMP traffic and SSH/TCP 22), run a traceroute from a host within your pfSense LAN to the instance in the VPC. You should see something close to the following output:

If this stops at the hop, verify that you have the correct settings in your VPC Route Table, as covered at the beginning of this step. If the above traceroute succeeds, proceed with logging into the instance via SSH. Once logged in, perform the reverse networking tests from the instance to hosts in your pfSense LAN.

Once bidirectional networking has been confirmed, tighten the IPSec interface rules (and the matching Security Group) down to the minimum access actually required, replacing the allow-all rule used for testing.

Feel free to contact me with any questions or recommendations for revisions to this article.

This is a guide to installing Snorby on an Ubuntu Server machine, for integration with a Snort instance on pfSense. This howto should also work on Debian and other Debian-based distributions; however, I HIGHLY recommend NOT using Debian itself in any production environment, due to the distribution's lack of compile-time security options in its packages (blog about this to come).

Furthermore, this how-to guide should also work just fine (with minor tweaks) for installing Snorby on a separate machine for integration with a standalone Snort instance.

I highly recommend purchasing the premium rules subscription from Sourcefire, which carries an annual cost of $29.95, so that your system has the most current rules.

Let’s get started

Software Installation and MySQL Setup

pfSense Configuration

For the sake of brevity, I will not cover the installation and initial interface configuration of Snort on pfSense. Please refer to the Setup Snort Package from the pfSenseDocs to do this.

  1. From the pfSense web GUI, navigate to the Snort service menu: Services » Snort
  2. Edit the interface (repeat for each interface you wish to use with Snorby) and navigate to the Barnyard2 tab
  3. Check the Enable Barnyard2 on this Interface checkbox
  4. In the Log to a MySQL Database dialog, use the following format (change the values appropriately; use a dedicated MySQL account for Barnyard2 rather than root):
  5. In the If Settings tab, check the box for Log Alerts to a snort unified2 file (Barnyard2 reads this unified2 file, so without it nothing reaches the database).
  6. Save the configuration and restart the Snort service on pfSense.

Snorby Web UI

Navigate to the following URL to access the Snorby web UI: