OPNSense Playlist, covers all of this: kzbin.info/aero/PLXHMZDvOn5sVAhOGZOUVk5Hfk0k1q-It2&si=zM9GAcIwvzkMnH0P
@atraxotoxin38403 күн бұрын
Been working with pfsense for about 4 years now absolutely love it. Just remember to back up your configuration often. Trust me it will save you a lot of headaches. When you break things and you will. It just comes with the territory.
@Jims-Garage3 күн бұрын
Absolutely agree. I also do VM backups and snapshots to limit downtime.
@elminster81493 күн бұрын
You can use Autoconfig Backup under Services. Make sure to keep a copy of your device key in a secure location.
@atraxotoxin38403 күн бұрын
@@Jims-Garage yeah me to. Unfortunately I had to learn the hard way. A couple of years ago my ssd died and at the time I didn't back anything up. So needless to say I had to start completely over. So now I send backups to another device about every month or two. And take regular snapshots about every 3 to 4 weeks or so. But if I'm working on a project I'll take a snapshot before I make any drastic changes.
@Sli3py2 күн бұрын
Awesome video as usual, very information and easy to follow a long. I have been waiting for this pfSense part 2 for longggg time haha! Thank you so much for upload the vid, can not wait for the next one.
@Jims-Garage2 күн бұрын
@@Sli3py thanks!
@derglatzi17253 күн бұрын
Thanks for the great video. I really appreciate seeing a for detailled insight in IDS and IPS. Cheers
@Jims-Garage3 күн бұрын
My pleasure!
@mikescott40083 күн бұрын
Thank you for the video :)
@Jims-Garage2 күн бұрын
My pleasure!
@zcavaleiro3 күн бұрын
Thanks for sharing your work!
@Jims-Garage3 күн бұрын
My pleasure!
@JavierPerez-fq2fi3 күн бұрын
Outstanding job Jim! Never watched a video about pfsense (I have fork version opnsense) but was easy to follow although networking, vlans and so on are tough topics... Thanks for putting so much effort to share all your wisdom to the world :)
@Jims-Garage3 күн бұрын
Glad you enjoyed it! Thanks for leaving a comment.
@PCMagikHomeLab3 күн бұрын
great vid! Maybe site-to-site on wg next time?
@Jims-Garage3 күн бұрын
Sure, sounds like a good idea.
@cyrilpinto4182 күн бұрын
Hi Jim; Great video as always. What I couldn’t get is if Vlan20 and 40 are just virtual systems (not physical devices like IOT, Cameras, Office Laptops etc), why do they need to be configured on the Switch itself. Does that mean, one has to have an individual / physical port for each virtual VLAN (ie no underlying physical device) created in Proxmox / PfSense ?
@Jims-GarageКүн бұрын
No, it's just whichever port is used (you can have multiple VM on a single port) has to understand the vLANs (tagged).
@cyrilpinto418Күн бұрын
@@Jims-Garage thanks for the reply; atm I have a physical Nic (and created a Proxmox VMBR without it being VLAN aware), connected to a Mikrotik Hex (with VLANs). This is being used as parent interface to segregate physical IOT, office, cameras etc. I have also created another VLAN aware VMBR in Proxmox, albeit without it being connected to a physical NIC port. Have created 3 VLANs on Pfsense, and CTs/VMs on Proxmox with respective VLAN tags. Not sure if this is the right way. Or should I make the physic Nic / bridge VLAN aware then have all 7 VLANs trunked to the Hex.
@asis-vo1rx2 күн бұрын
Good video! Have you looked into Suricata instead of Snort for IDS/IPS? Curious what your opinion is on it.
@Jims-Garage2 күн бұрын
Thanks! I haven't, both are pretty useless for WAN traffic regardless due to HTTPS. You're better off with an EDR solution or proper web proxy if you're concerned about web traffic. For hosted services, Crowdsec is the way to go IMO.
@DigiDoc1013 күн бұрын
Thank you for this. Great work! This is first to see Nordvpn setup. You have setup accross all LANs. I wonder if there is a way to specifiy as a gateway. Also, there is no mention of kill switch mechanism. May be through packet tagging, not sure.
@Jims-Garage2 күн бұрын
I specficy it as a gateway for Wireguard (check the video). That should function as a killswitch - if gateway isn't available the traffic goes nowhere.
@elminster81493 күн бұрын
Last I heard KEA DHCP was not feature complete, be cautious!
@Jims-Garage3 күн бұрын
Thanks, wasn't aware of that. I'll read into it.
@emanuelpersson31683 күн бұрын
KEA is lacking a lot of stuff.
@emanuelpersson31683 күн бұрын
@@Jims-Garage Basic functionality is present in version 23.09, but the Kea implementation lacks the following DHCP server features: Local DNS Resolver/Forwarder Registration for static and dynamic DHCP clients Remote DNS server registration DHCPv6 Prefix Delegation High Availability Failover Lease statistics/graphs Custom DHCP options
@unmesh592 күн бұрын
@@emanuelpersson3168 I've had problems with KEA as the DHCP back end and had to revert back. Basically, I've had statically mapped clients sometimes get IP addresses from the DHCP server pool instead of the mapped ones.
@zyntax813 күн бұрын
Could you cover traefik and PfSense with the port 443/444 for internal external access? Hairpin/NAT Reflection is a pain to get working in PfSense. Split DNS is recommended instead, but that doesn't support port changing if i understand correctly.
@miguelfonseca99232 күн бұрын
Great video! Is there already a way of using MFA in VPN (either from pfsens or OPNSense) without entering the OTP+password / password+OTP when authenticating? Should be a 2nd phase separately as it is in any other solution. Thanks
@Jims-Garage2 күн бұрын
@@miguelfonseca9923 checkout my netbird video. You can integrate that with an identity provider and have MFA
@BartTech3 күн бұрын
Opnsense please! 😀
@Jims-Garage3 күн бұрын
I have a complete playlist already on OPNSense covering all of this and more.
@sonny80853 күн бұрын
First 🙌
@Jims-Garage3 күн бұрын
Haha! Yes, you win 🥇
@docmalitt3 күн бұрын
Now kind Sir, you're talking my language. Unfortunately we all aren't in position to "hijack" the entire network for ourselves or our homelab and just tell the rest of the family to use neighbor's wi-fi (regardless if you're a "dad-in-charge".. when ever wife is kind enough to let you believe in such.. hmm, nonsense... or a "regular" part of a family) so thank you for this distinction. Let's rock'n'roll - for younger viewers then is the ONLY real genre of music and you poor young souls have no idea what you're missing. (The opinions are my own and not of my employer - pls don't send h8 and spread only love via these internet comments)
@Jims-Garage2 күн бұрын
Haha, thanks Doc, rock on!
@DrAlien23Күн бұрын
Hi, great video I have a UCG Ultra right now connected to my modem and i tried switching it like this ISP-pfsense-ucg-accesspoints But in this scenario my pfsense only sees ucg ip in logs and not individual hosts connected to AP. I want to monitor network connections in a SIEM. Can you suggest how can i overcome this? Thanks
@Jims-GarageКүн бұрын
Why do you want 2 firewalls?
@DrAlien2318 сағат бұрын
@@Jims-Garage because i have netgate 1100 which can not afford ids/ips, i tried multiple time but it doesn’t work due to less memory so i want to use ucg ultra for that and I invested in these 2 hardwares now so thought of finding some way but am not super with networking stuff.
@IwanDavies2 күн бұрын
What's the additional hardware requirement from running Wireguard, OpenVPN and snort? I'm in a virtualised environment on Proxmox and looking to keep resource allocations as meagre as possible. Currently running pfSense with just 1 core and 512MB of memory (I know the reqts are higher), so wondering what I will need to tweak if I add snort and Wireguard?
@Jims-Garage2 күн бұрын
@@IwanDavies snort you likely need about 6GB and 4 cores, WireGuard shouldn't need much. I'm very surprised that you can run pfSense long term and reliably with 512MB, the minimum requirement on their site is 1 GB.
@IwanDavies2 күн бұрын
@@Jims-Garage pfSense VM uptime currently clocking in at 193 days! (I've jinxed it now haven't I!) There's only two of us in the house but we both work from home, so there's a work vlan, home vlan and IOT vlan, plus all the usual streaming, etc. so a chunk of traffic running through it. The limiting factor is my Proxmox server which is an ageing Fujitsu entry-level tower server with a 4-core Xeon that only supports 32GB of RAM. I managed to get your K3s & longhorn tutorial running on it though! Just about got an nginx container running on that but it was struggling. Thx for the vid(s) & your reply!
@Jims-Garage2 күн бұрын
@@IwanDavies that's amazing considering the hardware constraints, nice one!
@dreeastwood2500Күн бұрын
Chet Jim, great content as usual. You are one of the Goats!! Did not know you were Could you do a review of Wazuh next?
@Jims-GarageКүн бұрын
@@dreeastwood2500 thank you! It's on the to-do list
@dreeastwood2500Күн бұрын
@@Jims-Garage Thanks for replying, I also have another idea here. I do not recall if you use Grafana in your stack for logging but if you do, could you do a video on collecting logs using Grafana Alloy seeing promtail will be deprecated ?
@Jims-GarageКүн бұрын
@@dreeastwood2500 I've covered logging extensively in a 2 part video but I haven't done alloy. Will look into it
@quocthaitran5400Күн бұрын
Thanks for the great video. Could you do another video to cover QinQ (IEEE 802.1ad) Vlan on Pfsense ?
Күн бұрын
great video!! now, given your previous experience with OPNsense, and now that you've switched to pfSense, have you formed a preference for either firewall?
@Jims-Garage16 сағат бұрын
I'm still running pfSense behind OPNSense for evaluation. I find pfSense to be more intuitive but that's a personal preference. I am going to acquire a licence to Plus and see if that adds anything meaningful for my lab setup. My current thinking is that unless Wireguard performance is important, both are great.
@mikescott40083 күн бұрын
RE the NAT piece re WireGuard, I assume you're only doing that due to running full tunnel setup? I'm still on pfsense, I started looking at v21 Early Access Sophos XG, but back here.. SDN is of interest on Sophos XG, but I am using multiple WAN. Virgin and 4G failover, I don't like the monitor IP option on pfsense as it essentially creates a static route underneath. Next thing I'll be doing re "homelab" is spinning up an internal CA and lets encrypt only for the pfsense box. WG for my IOS devices, OpenVPN for laptop and IPSec for s2s to other family firewalls.
@TantissTheEmperorКүн бұрын
Very cool vid, and yes I might be interested by a IDS/IPS deep dive video :D
@Jims-Garage16 сағат бұрын
Noted! Unfortunately both OPNSense and pfSense are quite limited in that respect as they can't do HTTPS traffic.