Pfsense or Ipfire - single nic in virtualbox

Hamish McPanji

Honorary Master
Joined
Oct 29, 2009
Messages
42,240
Reaction score
6,696
Location
Jhb
Need to monitor traffic per IP address on a home network with an ADSL WiFi router. The challenge is to be able to monitor the WiFi clients as well as the wire ones.

The only kit I have spare is a laptop which my SO uses that is connected wired to the ADSL router. There is a single nic on that laptop. It is running windows 7 and has virtual box on it.

My proposed config:

Clients -----> WiFi router --------> laptop ------> virtual nic1 (green) ------> pfsense or ipcop/ipfire -----> virtual nic2 via ppoe (red) -------> ADSL router ------> internet

Key considerations:

1. The WiFi router and ADSL router are the same. It will behave as the WiFi access point and ADSL modem seperately
2. I don't want to buy any more kit
3. The virtual OS will be responsible for handling the dhcp, the ppoe connection and the IP traffic monitoring and logging. The software should be able to handle dhcp ip reservations based on Mac address

What I want to achieve:

1. Monitor and log the IP traffic on my network. This info needs to be able to be stored and looked up in a easy presentable manner for a non it person to understand.
2. Prefer it to be transparent, so all the users don't have to make changes to their settings at all

What I need help with:

1. Windows and virtual box configuration for this setup
2. What virtual OS to use.... And how to configure it to achieve my goals.

Please note: am an old school networking guy from the NetWare days, so you don't have to speak slowly. I have messed around with Cisco and Juniper routers and switches, and done this before manually with iptables, sarg and squid transparent proxies. Am just a little rusty and need to set this up quickly

Thanks in advance
 
Toyed with this a while back...you can add 2 NICs in VB. That makes it a hint more feasible (those firewall distros don't deal well with the concept of a single NIC).

Even then...I found it to be a complete pain and would serious consider just buying a HP microserver or something.

>>What virtual OS to use.... And how to configure it to achieve my goals.

One of the custom firewall ones...so smoothwall etc (forgot the names of the others). They have all kinds of useful stuff for this task built in so much better than a vanilla distro.
 
Toyed with this a while back...you can add 2 NICs in VB. That makes it a hint more feasible (those firewall distros don't deal well with the concept of a single NIC).

Even then...I found it to be a complete pain and would serious consider just buying a HP microserver or something.

>>What virtual OS to use.... And how to configure it to achieve my goals.

One of the custom firewall ones...so smoothwall etc (forgot the names of the others). They have all kinds of useful stuff for this task built in so much better than a vanilla distro.
Have installed ipfire already on a VM , and have 2 NICs created within it. Green is linked to the physical nic, and red is a ppoe connection. However, where I am struggling is how the relationship of the NICs and virtual nics will work. And how the config within the OS works.

I have my HP mini server already, unfortunately that's not an option because I have to get this setup working at someone's house.....which is why the laptop is the only option

Router OS I have downloaded : ipfire, pfsense, ipcop, monowall, smoothwall, Endian (now sophos utm). Will play with these in that order until I get this working
 
Last edited:
Will play with these in that order until I get this working
Well good luck. As I said - found it to be a pain.

One of the NIC types in VB worked better than the others (don't remember which one)...plus I seem to recall that dumping DHCP in favour of fixed IPs also helped.
 
The only OS that gave me more joy among others was Zentyal ... for the eye candy and 'simplicity'.
Not tried the virtual NIC route although I saw a tutorial once for the ultimate windows firewall using the same trick, de-coupling the nic from the physical nic and routing all traffic through smoothwall via a VM
 
If you want to monitor traffic, you have to route traffic through your virtual firewall, and that means having two NIC's.

The two NIC's are there for security purposes, to separate bad traffic from good.

Of course it is feasible in having a proxy server dishing out web pages, for that you'll need a VM with one NIC, and a caching proxy server such as Squid. There's add-ons available for Squid, with which you can draw reports wrt sites visited etc. You can then monitor web traffic visited this way.

But if you want to monitor all traffic, then you'll need to pass all your traffic through a firewall with two NIC's.

FWIW I have used more than one virtual Smoothwall, two NIC's and three physical NIC's on the host PC itself. Works like a charm.
Same goes for pfSense. Two virtual NIC's and monitor all traffic incoming and outgoing.
 
Last edited:
I've setup Untangle on a VM, and i have a extra nic (usb dlink) connected to my notebook.
Untangled can work with one nic only, (transparent bridge)

Infact when untangle install itself, it runs as a vm, thats why it support so many hardware configs. I prefer VMWare to oracles product.
 
Hey imranpanji,

I don't have much to add here as I haven't really spent much time using firewalls on VMs, I have installed and fiddled with pfSense on a VM but Havoc mentioned it is a royal pain in the behind.

On the monitoring side of things I don't really know of anything that is really great from a user-friendly point of view. Bandwidthd is probably the only solution that is simplified for end-user usage. Ntop is another solution but it's very resource heavy if you want to keep persistent history on all hosts and the interface is not an end-user friendly environment.

If you want to log usage using a proxy (and something like sarg) that's an option, but if you want it transparent then you can only really log unencrypted traffic so all ssl traffic wouldn't be included.

Bandwidthd is probably the best offering if you want to use a free option.
 
We have a pfsense box at work running squid with the light squid add-on which gives you some reports to work with.

It was very easy to setup and ran very well for quite some time until light squid stopped pulling reports for some reason.
 
We have a pfsense box at work running squid with the light squid add-on which gives you some reports to work with.

It was very easy to setup and ran very well for quite some time until light squid stopped pulling reports for some reason.
Report back when you duplicate that in a VM
 
Was just airing my 2c on the report part of his request, getting that setup to work is going to be his baby :D
 
Was just airing my 2c on the report part of his request, getting that setup to work is going to be his baby :D
This is just encouragement for me :p. Am just waiting for someone to tell me it can't be done.....then I will gave to do it
 
Subscribing...

I want to do something similar / have a similar need. Those annoying browser hijackers are the most prolific of Mac malware. I have taken an 80GB HD and partitioned it into 4 equal parts, each with a currently-used Mac OS (10.6,7,8 and 9). Each has LittleSnitch to monitor network traffic and block access. What my project entails, for each OS:

(1) Find and install as many of the rubbish toolbars as possible.
(2) Record each and every thing these toolbars do to the system, in terms of installation footprint AND network access.
(3) Create a universal uninstaller that works as a .sh shell script to remove all traces of these infections.
(4) Build a comprehensive hosts file to prevent both reinfection and bandwidth theft by these toolbars.
(5) Build an app wrapper to execute the .sh script for novice users / GUI lovers.


For (2) and (4) above, I would need to accurately track network lookups by these toolbars and LittleSnitch may not do everything I need, especially if the toolbars are working through Safari so I would need the firewall to trace both DNS and direct IP access from the infected machine.

I have acquired a low-profile NIC from Esquire (today) to turn my HP MicroServer into a complete firewall. I had hoped to accomplish this with just the built-in NIC and a USB WiFi adaptor but IPCop is a bitch with USB WiFi (at least, that was my first impression). The problem I have is that with two NICs, the HDMI card may not fit - dunno yet. In that instance, I will have to try exactly what Imran is trying here.

Will IPCop report on the network throughput I need in the first place, though?
 
Here is my suggestion:

Run your adsl PPPOE account on a Mikrotik RB750Gl, use your ADSL wifi modem in bridge mode. Then enable IP accounting to send "netflow" reports to a machine on your network running opensource software e.g NTOP or NFDUMP?
 
Subscribing...

I want to do something similar / have a similar need. Those annoying browser hijackers are the most prolific of Mac malware. I have taken an 80GB HD and partitioned it into 4 equal parts, each with a currently-used Mac OS (10.6,7,8 and 9). Each has LittleSnitch to monitor network traffic and block access. What my project entails, for each OS:

(1) Find and install as many of the rubbish toolbars as possible.
(2) Record each and every thing these toolbars do to the system, in terms of installation footprint AND network access.
(3) Create a universal uninstaller that works as a .sh shell script to remove all traces of these infections.
(4) Build a comprehensive hosts file to prevent both reinfection and bandwidth theft by these toolbars.
(5) Build an app wrapper to execute the .sh script for novice users / GUI lovers.


For (2) and (4) above, I would need to accurately track network lookups by these toolbars and LittleSnitch may not do everything I need, especially if the toolbars are working through Safari so I would need the firewall to trace both DNS and direct IP access from the infected machine.

I have acquired a low-profile NIC from Esquire (today) to turn my HP MicroServer into a complete firewall. I had hoped to accomplish this with just the built-in NIC and a USB WiFi adaptor but IPCop is a bitch with USB WiFi (at least, that was my first impression). The problem I have is that with two NICs, the HDMI card may not fit - dunno yet. In that instance, I will have to try exactly what Imran is trying here.

Will IPCop report on the network throughput I need in the first place, though?

Is there a specific reason why you chose IPCop? I found it to be the one of the least desirable distributions.
 
Update.....am also playing with Sophos UTM.....formerly Astaro Security gateway. But it definitely not as lite on resources as the others

Am struggling to get the basic networking part sorted on the virtual machine setup..... Am pulling out a switch from somewhere to help me with that
 
Will IPCop report on the network throughput I need in the first place, though?
No, high detail Traffic Reporting is currently not supported on IPCop v2.1.

IPCop v1.4 supports the TCAR addon which only reports downloaded traffic by user - excludes uploaded.
 
Top
Sign up to the MyBroadband newsletter
X