PfSense or npm or both

I’ve been using CrowdSec with the npmplus Docker image for about a year now, and just set up a pfSense box. npmplus is running on a separate physical machine from my pfSense. Is there any way to set up both without paying 59$ a month for a second slot? I tried just having the npmplus be the LAPI and having the pfSense box send the logs to the npmplus parser, but whenever I do that, it requires me to add a second slot to my engine. Not saying I don’t want to support CrowdSec in the amazing things they are doing. I guess a better question is, would it be better that I abandon CrowdSec in npmplus and only have CrowdSec in my pfSense box, since that is directly connected to my modem and is the first thing the internet sees coming in before it even hits my reverse proxy?
iiamloz, 4w ago
You could set up rsyslog on pfSense, and forward your logs from your second machine to pfSense, and then CrowdSec on that box can read both logs without needing a second slot.
anonfawkes (OP), 4w ago
Would it make more sense to just run CrowdSec on pfSense and have a firewall bouncer via iptables installed on the host of the second machine? Currently everything runs via Docker on that second machine. I still would only need 1 slot that way as well. I would pay the 59$ every month if it was actually worth it. I have to pay it this month regardless, as I added the second slot to see how much traffic gets blocked, but only the npmplus CrowdSec was doing blocking. No alerts or traffic were dropped from the pfSense install at all this month.
iiamloz, 4w ago
Do you use Cloudflare or another upstream proxy/CDN?
anonfawkes (OP), 4w ago
Cloudflare, yes.
iiamloz, 4w ago
Then this is why pfSense sees a limited amount: at the firewall layer it doesn't get the real IP, it only sees Cloudflare proxying the request. When NPM gets the real IP, then it will be able to enforce the decision.
anonfawkes (OP), 4w ago
Even when proxy is set to DNS only?
iiamloz, 4w ago
No, with DNS only it will be able to block at the pfSense level, but due to constraints on pfctl (packet filter firewall) it doesn't show in metrics on the app.
anonfawkes (OP), 4w ago
Hmmm... I may just pay for the second slot then. At least until I can get time to set up rsyslog and forward logs. At least I'll have peace of mind that both ends are protected. Gives me a few things to ponder on. Thanks!
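
The layer difference discussed in the thread (firewall sees only the Cloudflare peer address when proxied, the reverse proxy can recover the client IP, and DNS-only traffic arrives with the real source), as an added example that is not part of the original thread or CrowdSec's own code. The function names, the ban list and the sample requests are constructed for illustration; the Cloudflare ranges are a subset of its published IPv4 list.

```python
import ipaddress

# Assumption: a subset of Cloudflare's published IPv4 ranges, embedded so the
# example runs offline; a real deployment loads the current list from Cloudflare.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13")]

def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def firewall_view(peer_ip):
    """Layer 3/4 (the pfSense position): only the TCP peer address exists."""
    return peer_ip

def proxy_view(peer_ip, headers):
    """Layer 7 (the reverse proxy position): use CF-Connecting-IP, but only
    when the peer really is Cloudflare; otherwise the header could be forged."""
    claimed = headers.get("CF-Connecting-IP")
    if claimed and is_cloudflare(peer_ip):
        try:
            return str(ipaddress.ip_address(claimed.strip()))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return peer_ip

def enforce(banned, requests):
    """Return, per request, which layer would match the ban list."""
    out = []
    for peer, headers in requests:
        out.append({"peer": peer,
                    "firewall_blocks": firewall_view(peer) in banned,
                    "proxy_blocks": proxy_view(peer, headers) in banned})
    return out

# Constructed sample data (documentation addresses, not real decisions).
BANNED = {"203.0.113.50"}
REQUESTS = [
    ("104.16.1.10", {"CF-Connecting-IP": "203.0.113.50"}),   # proxied via Cloudflare
    ("203.0.113.50", {}),                                     # DNS only: direct hit
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.50"}),  # direct, forged header
]

if __name__ == "__main__":
    for row in enforce(BANNED, REQUESTS):
        print(row)
```
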
