Basic Setup and Configuring pfsense Firewall Rules For Home

Views: 383,491

Lawrence Systems

A day ago

Comments: 362
@LAWRENCESYSTEMS 2 years ago
Official Netgate pfsense documentation on firewall rules: docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html
LTS Curated pfsense Tutorials: lawrence.technology/pfsense/
Getting Started with pfsense firewall rules: kzbin.info/www/bejne/m5OUoYepbL2Uo6M
How To Setup VLANS With pfsense & UniFI. Also how to build firewall rules for VLANS in pfsense: kzbin.info/www/bejne/mGPaYoytqZVrZ9E
Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using UniFi & pfsense: kzbin.info/www/bejne/paakg6VjacibgJo
How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN: kzbin.info/www/bejne/q521mJiZr5WIqbM
Tutorial: pfsense Wireguard For Remote Access: kzbin.info/www/bejne/bpu0Zoh7lJyrmtU
⏱ Timestamps ⏱
00:00 pfsense Home Firewall Rules
02:00 Diagrams.net Devices & Networks
06:30 pfsense NAT rules
07:04 WAN Firewall Rules
08:16 IOT & LAN Rules
@thegrimreever 2 years ago
Just wanted to drop a comment and thank you for all of your content. You are consistently putting out relevant, detailed videos and I hope it never slows down. This channel is a wealth of information and it just keeps coming. I’m blown away at how much content you are able to put out, and it’s all SO good! Thanks so much for all that you do. It has helped me take my home network and homelab to a whole new level!
@tranthien3932 2 years ago
NSFW LAN as the most important category. You are truly a man of culture. Thank you Tom
@gonace 2 years ago
To be fair, "what rules you need" depends on what you do on your network. Love these videos, you guys explain things in a way that is easy to understand.
@Phelper99 2 years ago
Imagine at work if your entire desktop support and IT support infrastructure went away. That's what will happen when I spontaneously combust. My poor wife and kids, my servers, my vlans, my homeassistant, my smart home... I love the hobby, tinkering with all this stuff, but at middle age, I do seriously wonder what will happen to it all when I'm gone. I spent months getting my Sh1+ out of the cloud, mostly hosted locally. Hope I can teach my kids how it all works. Not meant to be morbid or anything, but something I am cognizant of. Tom, thanks for these videos. I learned on M. Furneaux's videos, and you've kept me current since. Thanks so much. Edit: I'm sure they'll recover. They'll have it all hosted on Amazon in the cloud :)
@marcvasey2123 2 years ago
Very interesting to see how your rules are configured! One thing I noted that I'd do differently would be the rules for the NSFW lan - personally I configure an alias for RFC1918 subnets and create an allow rule to the inverse of that alias, rather than creating block rules for each network and having an allow all. Just means if you add any other networks in future you don't need to specifically block them as they're already covered in that private address space. Great video either way! -Marc
@davejoseph5615 1 year ago
Isn't the RFC1918 rule only applied to the WAN port? There is a checkbox at the bottom of the Interfaces/WAN page.
@IndyColts1987 1 year ago
He means creating his own alias based on that RFC so he can reference it in his firewall rules.
@g-luu 3 months ago
Beginner here, any video I can watch covering this?
@CmdrStukov 2 years ago
Thanks! I will be watching and re-watching this video as I scale out my network. I am running Suricata and pfBlockerNG but sometimes feel overwhelmed with all the activity - your other videos have been very helpful Tom. Again, many thanks
@Dreamshadow1977 2 years ago
Thank you for this. Was struggling with configuring pfsense because my only firewall experience was with corporate firewall software. Seeing your rule configuration just made it click!
@loco_latino1498 2 years ago
Excellent video. Entering the networking and security analyst field, this has been an interesting experience setting pfsense up for home. Great to see I'm on the right path. 😁
@sriran1588 2 years ago
Most awaited video, especially after the pandemic where most of us started WFH. Watching your videos I have set up a home brew pfsense box and UAP AC Pro with multiple WiFi VLANs for IOT, Work, Study and Guest. This video will help us to fine tune the rules.
@MactelecomNetworks 2 years ago
Great video Tom. Love seeing how others do their rules
@mysticsilent 2 years ago
Nice video, this confirms my same thought about securing my own home network the same way. Thanks for your great content and best wishes for 2022!
@MichaelSmith-fg8xh 2 years ago
Is it better to have firewall rules like:
Tom: specific block rules, anything else is allowed.
Suggestion: specific rules to allow, deny anything else (that wasn't caught by a previous rule).
@hnguk 2 years ago
Interesting that you put the IoT, Guest and Standard Home devices on the same network. For my setup I have IoT on its own network with very limited connectivity and QoS set up so that it can't use all my bandwidth.
@GrishTech 2 years ago
Do you use limiters or ALTQ?
@samsampier7147 2 years ago
Ubiquiti wireless is really nice. You can create bandwidth limits on each SSID, no QoS required.
@GrishTech 2 years ago
@samsampier7147 What if you want dynamic QoS? Being able to provide bandwidth when it's available instead of limiting it to a fixed number?
@hnguk 2 years ago
@GrishTech For the IoT network specifically I use limiters as I never want it to saturate my whole network. 50 down and 3 up. 10% of my provided speed.
@hnguk 2 years ago
@samsampier7147 That's great for wireless but does not limit wired.
@ag100pct 2 years ago
Another excellent video. I like how you covered your segmentation and the rationale behind it also. I picked up a few things just in how you used all the aliases to make life easier. Thank you for sharing.
@TheJason13 1 month ago
EMBY baby! I like Plex, I even like Jellyfin... but I've never had an issue with Emby. Used it month-to-month for about 2 months, then we bought it many years ago for $120. Never been happier. It's an essential "tool" in my house.
@vitorhugobarbosa2456 11 months ago
Hi Laurence, you are a reference abroad for me; your knowledge is precious, and exactly that: the fact that you explain things easily and right to the point.
@JeppoTheWrecker 2 years ago
Hi Tom, I would be interested in a video on your Synology setup you mentioned. I currently have my Synology on the trusted network, but would like to have the video and music content available on the IOT network. I have set up a Netgate and UniFi network using your videos, but the Synology side would be helpful as well. Steven
@rcobsesssed 2 years ago
I second this request!
@wernerdebijl1885 2 years ago
Me too
@HHX_H 2 years ago
Thank you for updating this!!! Absolute pfSense guru!
@wernerdebijl1885 2 years ago
Love that you pick up these pfsense series with more interesting videos. Keep 'em coming. Thanks
@scbtripwire 2 years ago
I recently bought myself an SG-2100, quite happy so far. 🙂 I realized when setting it up that I don't need to bog it down with Snort or Suricata if all I'm doing is blocking, so pfBlockerNG has been good enough for me. 🙂 My connection seems a bit slower than it used to be though, at least when establishing connections, but I'm guessing that's pfBlockerNG doing its job.
@IndianaDiy 2 years ago
I was looking at getting the 2100 for my home office network. I was curious how good they really are? Any hardware failures?
@TumescentPuma 2 years ago
Very big Doh moment seeing your Separator with Documentation WAN rules. I have been using PFSense for about 6 years and never thought of this.
@LAWRENCESYSTEMS 2 years ago
We use them a lot with larger more complex firewall configurations.
@turcoscorner 2 years ago
Tom, you can set up the Synology NAS to act as an NTP server, and configure the cameras to use the Synology for NTP. That's how I have set it up for customers and my house. Thank you for your videos btw!
@LAWRENCESYSTEMS 2 years ago
Yes, that is correct, but I chose to use pfsense instead.
@LBCAndrew 2 years ago
This is exactly what I've been needing. After being fed up with crappy consumer grade routers, I first looked into running OpenWRT on x86 hardware when someone mentioned to look at PFSense. I've been running it for two weeks now on a preliminary hardware build and have been both pleased and overwhelmed by its ability and complexity. I've got a Lenovo M900 Tiny coming tomorrow which I'll be modifying to use a second NIC, and this video will come in handy.
@jaxwylde2139 2 years ago
Is there a slot for a second Ethernet NIC on the M900 Tiny, or will you be doing this via a USB 3.0 NIC? I've got a similar tiny PC (HP EliteDesk 800 G2 mini), where I run a Proxmox server (to play around with Docker, LXCs, VMs, etc.). Was considering getting another mini PC, but need one that has the option for 2 Ethernet NICs. Cheers!!
@clintbishop9145 2 years ago
@jaxwylde2139 I think you're overthinking the situation. Pick up a refurb'd Dell or HP SFF with an i5-4590, add in 4 or 8 GB and a 4 port NIC and then enable PowerD once installed.
@jaxwylde2139 2 years ago
@clintbishop9145 I'm not overthinking it. Depends on what you're after. I already have a Dell SFF (790), but wanted something smaller with lower power consumption (that isn't an RPi) and is more versatile than one of those dual-NIC Chinese mini PC boxes. I'll look a bit more into PowerD (haven't used it before) to see if it will provide the lower power usage I'm looking for.
@KegRaider 1 year ago
Under-rated and under subscribed channel. Fixed that for myself! Liked and subscribed, looking forward to binge watching your stuff. Cheers mate.
@LAWRENCESYSTEMS 1 year ago
Awesome, thank you!
@spacecorp2000 23 days ago
Thank you Lawrence! This was very helpful! Kudos
@susugar3338 2 years ago
I really recommend that you should have a home firewall. I already set up a pfsense router after Hikvision's camera exploit. Hardware to run pfsense is very cheap and popular. If you want to know about my setup, here are some details: I bought an old ITX mainboard (for just $35) that has: dual gigabit Ethernet ports: just enough. CPU Atom D2550, 2 cores, 1.86GHz, 4 threads: it's OK for an internet connection below 500Mbps! RAM 2GB DDR3: in fact it just uses 16%. Configuration: firewall blocks all connections from access points, IP cameras and DVR to the Internet (I don't want them to become part of a botnet or expose camera recordings to the internet), OpenVPN server for viewing cameras from the internet, opening 2 ports for OpenVPN and HomeAssistant. The guest network is on the subnet of the ISP's router. If you think that "the ISP's router also has a firewall...". NO, they are really bad, lack advanced configuration, never get firmware updates and God knows whether they are safe from the log4j exploit or something like that :)
@gregsh303 2 years ago
Great content but just a warning about Wemo light switches and the block firewall rule Tom mentions. You must enable ICMP to your firewall in order for your Wemo Light Switches to stop flashing red. Thanks!
@davidbrowningCodeMix 2 years ago
Hi Tom, I was way overthinking this! Thanks so much for freeing my mind.
@Deraco1 2 years ago
Always like your videos. I created some test phone servers and decided they'd be best on their own network. Happy that I did, especially when I was wanting to do some port forwards (I know, not the best) to call my phone system from anywhere. Now I've got OpenVPN set up and am toying with it. You're one of the main guys that got me looking more into pfSense coming from an EdgeRouter-X, loving it
@SyberPrepper 2 years ago
Excellent video Tom. This information is very appreciated. I would love to hear more about you binding your admin interfaces. I didn't really understand how you do that. Thanks!
@LAWRENCESYSTEMS 2 years ago
That is done on a per device basis, I will be making one on Synology soon because they have a more complex way of doing it.
@SyberPrepper 2 years ago
@LAWRENCESYSTEMS That would be great. I'll do some research myself as well. Sometimes it's hard to know what question to ask, so your videos are very helpful.
@mynightoff 2 years ago
@LAWRENCESYSTEMS Great video Tom - I have a similar setup to the one you described and had the same question about Synology admin interfaces (want to make Plex available to IoT but not the admin interfaces, of course). Many thanks for what you're doing.
@mikescott4008 2 years ago
Many thanks. Looking to review pfsense again as an alternative to Untangle / Sophos XG.
@devopshelper 1 year ago
I'm a fan of pfsense, hands down the best in the industry. You can use it in ISPs, IXPs, and simple home networks, but for a home network, that Sophos home edition is also a nice piece
@AngryDadTech 2 years ago
This is a great video. I have a 6100 to play with and eventually replace my UDMP once I have it set up how I want it. This will be a great starting place. Was wondering if you would do either a forum post or video on expanding this to pfsense rules to use in a multi-tenant business center or SMB
@rkhanso 2 years ago
Tom, would you make a video like this for Untangle? I know the theory would be pretty much the same, but it may be helpful for many using Untangle.
@jimpanse6556 2 years ago
Good sum up, thanks a lot! How would you handle a home network PC that is a gaming machine and admin PC for home and other family networks (external) at the same time?
@BillyDickson 2 years ago
Thanks Tom, great video, looking forward to more in 2021.
@DrewMarshall0750 2 years ago
Thanks for another great video! It helped me set some things I was mulling over with my current setup!
@TulioCamargo179 2 years ago
This is all in my to-do-list hehe. Great video Tom.
@michaelp.caputo8190 2 years ago
Another great video. Since this was a home network setup, where would you put the other family members' PCs, and also what if you have cloud based cameras like Wyze? They would need internet access
@dnsjoinerdnsdns 2 months ago
I think you forgot your "block external outgoing DNS on LAN interface subnet" rule (ports 53 and 853) and allow pfsense DNS, i.e. only the IP of the pfsense. You used to do that on an earlier vid of yours, I still use it! That's a great rule, thanks!
@frankkesel7252 2 years ago
It would have been nice to add a printer that needs to be accessed by the guest and work networks
@gegounaris 2 years ago
Another to the point video from Lawrence! Great stuff... Thank you!
@iJamesGC 2 years ago
WOW! You are good! I was just looking at another video for setting up pfsense firewall rules.
@notta3d 2 years ago
Great video. I was hoping you would make a video like this. Thanks!
@pstgh 8 months ago
Pretty cool setup. I guess you run separate switches and separate wifi access point(s) connected to separate interfaces for each of these networks, right? I am running a Protectli 4-port box and have an interface designated for PIA in addition to WAN and LAN. Thanks.
@ivantufa 1 year ago
This is one of the best tutorials I have ever seen. Thanks a lot. I have two questions:
1. How will the Synology do updates? Maybe I missed that part, sorry if that is the case.
2. How will your phones sync/backup photos to the Synology? Phones are on NSFW LAN and devices assigned to that interface cannot see CAMLAN. If I have this use case, what is the best approach?
@LAWRENCESYSTEMS 1 year ago
On the CAM LAN the Synology DOES have internet access, but the other devices do not. Creating an allow rule just for the phone being allowed to talk to the Synology would be a solution.
@musicinsession 1 year ago
I love this guy's channel!! Subbed!!
@LAWRENCESYSTEMS 1 year ago
Thanks
@mr.needmoremhz4148 2 years ago
Great video! I'm going to get pfSense and a Netgate box probably (or build something). Fibre to the home has finally arrived where I live with symmetric Gigabit and 10 Gigabit (later) speeds. So I might as well upgrade my router and configure my switches and APs for it. I have a Netgear select partnered retailer in the street I live on and with a future SOHO in mind this may be the best option. Any advice regarding Netgate appliances (6100 or 1537 or ...)?
@geoncic 2 years ago
Great video and content, I've learned loads from you. I really appreciate it. Do you have any videos of how you manage the routing on the devices themselves? How you bind certain traffic to a specific interface?
@wernerdebijl1885 2 years ago
I would love to see that too. For example, configuring Synology etc.
@LAWRENCESYSTEMS 2 years ago
Each device has their own way of doing it.
@Spfinator 2 years ago
Well, I now have work to do. Thanks, Tom!
@RedBlueLabs 2 years ago
I really appreciate the content that you make. It is straight forward and you do a great job of explaining. Thanks :)
@TheInternalNet 2 years ago
Long time viewer. This is the perfect video. Please expand on this. Part of the home lab series.
@wernerdebijl1885 2 years ago
I second that. Make it a series
@daninmanchester 2 years ago
Interesting, I have a slightly different approach. I put my cameras in my IoT network (which has no internet) and then have a "requires internet" alias for specific devices that I allow internet access (e.g. TV, Roku, etc). I find this easier as then I have a separate SSID / VLAN for guests and anyone who gets the password can then just access the internet and nothing else, and it requires little to no management. I am however routing over pfSense for everything. It's not too taxing (even SMB easily hits 1Gig) but I think I need to add VLANs to my XCP-NG servers so I can create multiple interfaces like you have for Synology to avoid unnecessary pfSense traffic. It would likely only be an issue if I went to 10Gb .... which would be a nice problem to have.
@CHLEE-ou6ub 2 years ago
Great video Tom. Quick question @9:15 if I may: since we are inside the "NSFW_LAN" rules, is it necessary to specify "Source=NSFW_LAN" for this block rule, or can we leave it as "Source= *"? Thank you Tom, and an advance Happy New Year
@LAWRENCESYSTEMS 2 years ago
There is a difference in specific use cases www.reddit.com/r/PFSENSE/comments/rn0nej/firewall_rules_source_ip_any_vs_interface_name_net/
@thorflea2 8 months ago
I love your videos. My question is how to prevent devices like my refrigerator and TVs from scanning the network for other devices and information on the same interface.
@jasonperry6046 2 years ago
Thanks for the video Tom. Every time I watch a video like this it always seems to be on a dream machine, and every time I think I wish someone would do one on pfsense, so thank you. My question though do you have a different SSID for each vlan? Also you mentioned locking down the admin interfaces, I would be interested in seeing the steps you go through to make sure it is locked down.
@LAWRENCESYSTEMS 2 years ago
Yes, separate SSID and simply pinging from each network to see if it can hit other networks.
@LeeSteventon 2 years ago
@Lawrence Systems - great video as always Tom. A quick question on ISP modems and Bridging - if an ISP offers to provide their modem in bridging mode, it's my understanding that this essentially "disables" all NAT and firewall functions on the modem and it just passes through without any checks the public IP address. Is that correct? If so, then connecting this bridged modem to a port of a Netgate device would mean that the public IP (assume for this discussion it's a static one) is directly applied to the port (configured then as WAN) on the Netgate device, and the Netgate device now needs to handle the NATting and all other functions that the modem would usually handle. Is that right?
@LAWRENCESYSTEMS 2 years ago
Yes
@Dwenger 2 years ago
I like your security concept. How would you reach a Ubiquiti Cloud Key with cams connected in the cam LAN with the UniFi Protect app from the NSFW_LAN? The UniFi Protect app scans only its own subnet.
@danberglund7785 2 years ago
Tom is talking about running the cam server on a Synology (Surveillance Station). Therefore he can have one interface of the Synology in the cam LAN. If you were to run UniFi cameras on the cam LAN and have Protect run on NSFW_LAN you would need to open the firewall to the specific IP address of the Cloud Key. If you adopt the cameras in the NSFW_LAN and then move them to the cam LAN they will get correct IP addresses in the cam LAN and still be found by Protect.
@chrisbaksa 2 years ago
Great video Tom. I always learn something new whenever I watch one of your Videos. Question do you have any issues with pfSense and wi-fi calling (from your cell)?
@PowerUsr1 2 years ago
Just to add to this, at the end of my rules for my Wifi network or DMZ network I have a deny any to destination 'RFC1918'. RFC1918 is an alias that has all 3x private networks in there. I do have a mixture of denies mixed in with my permits so this is really just a catch all. Then the last rule in my policy is a permit any/any.
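Marc's inverted RFC1918 alias and PowerUsr1's RFC1918 catch-all above describe the same allow-list idea. As an added example (not code from the video, from pfSense, or from either commenter), the script below simulates pfSense's top-down, first-match rule evaluation on two constructed rule sets and shows why the alias approach fails closed for a VLAN added after the rules were written. Interface names, subnets and test flows are assumptions constructed for the example.

```python
"""First-match firewall rule evaluation, modelled on how pfSense walks an
interface's rule list: top to bottom, the first matching rule wins, and
traffic that matches no rule hits the implicit default deny at the end.

Two ways of writing a guest/IoT (NSFW_LAN style) rule set are compared:
  A) block each internal network by name, then "allow all" at the bottom;
  B) one "pass" rule whose destination is the RFC1918 alias with
     "Invert match" set, so only non-private destinations are allowed.
Interface names, subnets and test addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Network alias holding the three private ranges (RFC 1918).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed addressing plan, not the video's real subnets.
NSFW_LAN_ADDRESS = "192.168.50.1"           # pfSense interface on the guest/IoT VLAN
THIS_FIREWALL = ["192.168.50.1/32", "192.168.10.1/32", "192.168.20.1/32"]
LTS_TOM_NET = "192.168.10.0/24"             # trusted/admin network
CAMLAN_NET = "192.168.20.0/24"              # camera network
NEW_VLAN_NET = "192.168.30.0/24"            # a VLAN added after the rules were written


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    dst: List[str] = field(default_factory=list)  # destination CIDRs; empty = any
    dport: Optional[int] = None                   # destination port; None = any
    invert: bool = False                          # pfSense "Invert match" on destination
    descr: str = ""

    def matches(self, dst_ip: ipaddress.IPv4Address, dport: int) -> bool:
        if self.dport is not None and dport != self.dport:
            return False
        if not self.dst:                          # destination "any"
            return True
        in_set = any(dst_ip in ipaddress.ip_network(n) for n in self.dst)
        return (not in_set) if self.invert else in_set


def evaluate(rules: List[Rule], dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule description) for the first matching rule."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(ip, dport):
            return rule.action, rule.descr
    return "block", "implicit default deny"


# Rules both variants share at the top: guests need DNS from pfSense, but
# nothing else on the firewall itself should be reachable from this VLAN.
COMMON = [
    Rule("pass", [NSFW_LAN_ADDRESS + "/32"], dport=53, descr="allow DNS to NSFW_LAN address"),
    Rule("block", THIS_FIREWALL, descr="block access to This Firewall"),
]

# A) block-list style: each internal network named explicitly, then allow all.
RULESET_A = COMMON + [
    Rule("block", [LTS_TOM_NET], descr="block LTS_TOM net"),
    Rule("block", [CAMLAN_NET], descr="block CAMLAN net"),
    Rule("pass", descr="allow all"),
]

# B) allow-list style: pass only to destinations outside the RFC1918 alias;
#    everything internal (including NEW_VLAN_NET) falls through to default deny.
RULESET_B = COMMON + [
    Rule("pass", RFC1918, invert=True, descr="allow to !RFC1918 (internet only)"),
]


def compare(dst: str, dport: int) -> Dict[str, str]:
    """Verdict of each rule set for one guest -> destination flow."""
    return {
        "A": evaluate(RULESET_A, dst, dport)[0],
        "B": evaluate(RULESET_B, dst, dport)[0],
    }


if __name__ == "__main__":
    flows = [
        ("93.184.216.34", 443),     # internet HTTPS
        (NSFW_LAN_ADDRESS, 53),     # DNS on the gateway
        (NSFW_LAN_ADDRESS, 443),    # pfSense web GUI
        ("192.168.10.20", 445),     # file server on LTS_TOM
        ("192.168.30.7", 22),       # host on the VLAN added later
    ]
    for dst, port in flows:
        verdict = compare(dst, port)
        print(f"{dst}:{port:<5} -> A={verdict['A']:5} B={verdict['B']}")
```

The last flow is the one that differs: rule set A lets guests reach the new VLAN until someone remembers to add a block rule, while rule set B blocks it without any change.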
@pgtt2008 2 years ago
I never thought of a Phone as an IoT device but I see your point.
@hwansu_ 2 years ago
Super informative video, thank you! Curious about your thoughts on notifications for cameras? If there's movement or something, would you still get notified if you're out of the house? Would love to learn more about the Synology rules you have set up as well. Thank you!
@LAWRENCESYSTEMS 2 years ago
The Synology does the notifications kzbin.info/www/bejne/rl6tpmeLgpV6nMk
@BrianThomas 2 years ago
@LAWRENCESYSTEMS What if you don't have a Synology? What if it's a Reolink NVR? Would the same thing apply?
@luckbeforeleap 2 years ago
Hey Tom, I don't think you need any rules on your "CAMLAN net"? The devices on the CAMLAN network will reach the pfSense CAMLAN interface and grab DHCP/NTP without needing your allow rule. Also, you can delete the CAMLAN rule that's denying access to "This Firewall" (the implicit deny rule will prevent cameras talking to "This Firewall"). Also at the moment your guests (on the NSFW network) can reach the pfSense box's non-admin ports and access any non-admin services running on the pfSense. You might want to limit guest access to "This Firewall" entirely.
@LAWRENCESYSTEMS 2 years ago
Incorrect, if you don't allow access to "CAMLAN Address" then NTP is not available. Guests & devices on NSFW_LAN use DNS on my pfsense.
@nonkelsue 2 years ago
Great video, thanks! Would love to know more on how you combine pfSense with a Unifi Controller such as a UDM Pro. I have been using pfSense in the past, and now using the UDM Pro as router, however would like to reverse that without losing the UDM Pro in my network. A video on that would be appreciated!
@Cole987Turner 1 year ago
Just create new networks and use "VLAN only" so these are networks where the "router" inside the UDM is not involved. But keep in mind that the UniFi access points can only forward "UDM" routed networks OR VLAN-only networks. Not both. Just for a test: choose an AP, remove all associated networks from it. Select a VLAN-only network and create a new switch profile with it! Make sure that only tagged networks are selected. Assign that network to your access point and assign the "only tagged" switch profile on the SWITCH port pointing to your pfsense. Create that VLAN in PFSENSE, assign the interface, enable the DHCP server, make rules. Done :)
@DavidCNavas 2 years ago
Security was never my thing -- the first job I ever turned down was in security :| Is it really better to hard-connect an interface of your NAS to your IoT network rather than going through the trouble of configuring pimd (DLNA/Sonos/whatever?) and avahi (mDNS/Chromecast?) and figuring out how to properly lock down multicast? I admit to having gone back and forth on this one, but the security environment around my particular NAS brand isn't making me feel particularly safe about using it to lock down access by app....
@houseeverything 2 years ago
I would sure love to know how to set up a rule from OpenVPN to my Emby server! I am assuming I am missing a port forward from 1194 to 8096. My OpenVPN works great and I can connect to my NAS and everything, but cannot connect to my Emby server! Love your videos by the way!
@richardk186 2 years ago
Would you consider a video detailing the connections and network configurations with your Synology NAS to your private and NSFW networks?
@LAWRENCESYSTEMS 2 years ago
Already have that kzbin.info/www/bejne/d2KsYp5vg8inY6M
@HarmonicThoughts 1 month ago
How would the ACL change if I need to access my cameras remotely? Since I travel, I would like that feature. Thanks
@evancatlin1839 2 years ago
Do you have a video showing this same information but for UDM or UDMP? I’m running a UDM at home and would love to know how someone who lives in that world would set them up.
@superdoug213 2 years ago
Great vid, thanks Tom! You mentioned the Plex server in the beginning but I didn't see any further reference to it. Don't you need to have a port open for that? Or is it only local? If you have an open port for Plex, what rules could you apply to mitigate the open port?
@LAWRENCESYSTEMS 2 years ago
Only local
@Cowclops 2 years ago
Not identical, but your setup is surprisingly similar to my home network (pfsense, truenas, most stuff goes on the "IoT" network, but my personal desktop and server/management interfaces are on a separate network). I also have my OpenVPN subnet which you land on when you VPN in; it basically has open access, but since it needs authentication that's ok.
@the-MaZe 2 years ago
Nice video. But do you really have only IPv4 connections at home? I don't want to miss IPv6 anymore.
@LAWRENCESYSTEMS 2 years ago
I don't use IPv6
@the-MaZe 2 years ago
@LAWRENCESYSTEMS Interesting. I am currently investigating and preparing to create an IPv6-only network. First for my server backend (because they are actually not dependent on IPv4) and then, after evaluating, for my whole home network. Including transition techniques.
@dimaj1 2 years ago
Yet another awesome video! Thanks Tom! One question: why would you have the same "block access to firewall" on all interfaces instead of creating a floating rule that'll cover all interfaces?
@LAWRENCESYSTEMS 2 years ago
The use of inbound and outbound floating filtering makes designing the rules more complex and prone to user error. docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html
@dimaj1 2 years ago
Thanks! Happy New Year!
@MrGAZZAband 2 years ago
Hi Lawrence, this was a great video and very helpful. I have just set up the latest version of pfsense in my home using a custom built PC and am playing with rules, schedules, OpenVPN etc. I have a specific question about content filtering, especially for mobile phones and tablets connected to wifi and also Amazon Echo devices. I want to be able to filter content, specifically Spotify, from playing adult content. I know I can block YouTube but is there any way I can still allow these streaming services but pfsense can detect if the content is of an adult nature and prevent this streaming? In other words I still want the kids to be able to access YouTube, Spotify etc. but be able to set a rule to make sure the content is not explicit. I hope that makes sense. Thanks
@renalshomlmes338 2 years ago
So since your cameras are on a separate segment without internet, you are not interested in any kind of alarm notifications?
@LAWRENCESYSTEMS 2 years ago
That is done via the Synology, not the cameras.
@christostsekas8795 2 years ago
Hello Tom! Thank you for your great content! What would be the best method to block AnyDesk, TeamViewer & other remote access apps using pfsense?
@jamesbelding2950 2 years ago
This was great. I would love to see this using Untangle
@tg9754 1 year ago
Great video. Do you have a newer video that includes making pfSense more secure for a small business?
@LAWRENCESYSTEMS 1 year ago
This applies to small biz as well.
@C650101 2 years ago
Can you do a video on how to connect an external WiFi AP to a pfSense router and have some wifi connected devices go to separate networks? Something is wrong with mine. I give devices a static IP on one subnet but they sometimes get a connection on the wrong one.
@TheInsanish 2 years ago
Great video as usual Lawrence, but it raised a few questions for me. - "Connection for Emby & Plex" - "Synology interface" - "Admin for devices" I guess that your NSFW_LAN can stream from Emby & Plex, and that's why you have the connection. But what is the servers' main subnet? And the same with the Synology. Just doesn't seem right to me, if EVERYTHING except cameras and your work PC is running on the IOT LAN.... but it also doesn't seem 100% secure (at least for what's expected from someone like you), that Plex, Emby and Synology should be using LTS_TOM for all purposes...
@LAWRENCESYSTEMS 2 years ago
Servers are on LTS_TOM, and what is the threat you are trying to mitigate against by putting Plex/Emby on a different network?
@TheInsanish 2 years ago
Thanks for clearing this up :) Well, nothing specific I guess. Nothing that I care about in my home network - but if the tinfoil fits, then everything is a suspect. I have done almost exactly the same as you, except I didn't see phones as IoT - but you're right, they are. Maybe I should treat my kids' PCs as IoT as well. :D
@muchada1 2 years ago
Pure entertainment and informative 👏🏿👏🏿👏🏿
@numberiforgot 2 years ago
I've had some trouble with pfsense flagging non-alarming activity in the past. It can be tricky to configure if you're on the web a lot.
@williamvangundy3358 2 years ago
Great video. Can I implement any of these rules with my UDM or do I need to upgrade to adding a PFsense to my home system?
@wernerdebijl1885 2 years ago
I think most can be done on a UDMP. But I don't think you can create rules for systems to go out through the PIA VPN as Tom has done. I upgraded to pfsense from a UDMP and it works perfectly. But it has a bit of a learning curve. Tom's videos will help you.
@LAWRENCESYSTEMS 2 years ago
The UDM supports firewall rules, but not everything I did in this video.
@mrcrackerist 2 years ago
I generally split the wifi, cable and TV onto their own LANs as I am the only one using the cable LAN.
@thejjjwils 2 years ago
I've not worked out what it is, but for me NFS shares on different subnets to my Synology NAS don't work very well (they hang), so I have to make sure my NFS clients sit on the same subnet. I'm not sure if it's Synology, NFS, or pfSense - the simple solution was to avoid it.
@FayazAnwardeen 2 years ago
Hi, just wanted to know if you need to insert a pi-hole into this network where will you place it and will routing all internet traffic through this device be a security risk?
@ForbiddenUser403 2 years ago
You seem to have used pfsense quite a bit; how would you say it compares to the flexibility and feature sets of Mikrotik's RouterOS?
@SteveCirelli 1 month ago
Noob question. You can't have vlans without switches/wifi router etc. that support it? With the little two port pfsense router I have, I can only have two lans?
@HenrickSteele 7 months ago
You skipped the PIA_VPN. Would love to see what/how you route out through the VPN. I'm not sure if you have a video about it already, but would love to learn about how to join networks across sites. I have 3-4 locations with devices that I want to communicate more directly. I was planning a Wireguard connection between each of them. Not sure if there is a better way.
@LAWRENCESYSTEMS 7 months ago
Wireguard is fine for site to site, Tailscale is easier for it.
@samo9288 2 years ago
Could you please do a tutorial on binding interfaces the way you did with the synology server?
@LAWRENCESYSTEMS 2 years ago
On my to-do list
@21Lettere 2 years ago
Why does the first "Allow VPN" WAN rule have "This firewall" as a destination (it's the rule for WireGuard) while the second rule (for OpenVPN) has "WAN address" as destination? Shouldn't both be the same (WAN address as destination)?
@andretenreiro 2 years ago
Do you have any video where you speak about the pfSense features? How does pfSense compare with DD-WRT for home use?
@LAWRENCESYSTEMS 2 years ago
I don't use DD-WRT so can't really compare
@AndrewDubas 2 years ago
I have a UDM Pro. How can I run that UDMP behind pfSense as the firewall? I'd like the UDMP for wifi and cameras (Protect) but would like to use pfSense as the firewall. What is the best way to accomplish this?
@pascal1287 1 year ago
Hello from the UK - Great video as always! Question for your NSFW: would you recommend using a DNS redirect rule to avoid client machines attempting to connect to their own DNS and redirect to the router DNS? Or too much bother for the potential benefits? Thanks
@Monarchias 1 year ago
Hi! My understanding is, if you configure DNS in the pfsense General Setup menu, you can still configure each LAN interface and even VLAN interface in the DHCP section to give a different DNS IP address than what has been configured in the General Setup. Which is very handy if you want to use a pi-hole, for example, on one of your subnets.
@arnepaulsen 1 year ago
Thank you for so many helpful tutorials. I'm confused about the first rule on the NSFW_LAN. Why is the source '*' for this rule, but the other blocks have source NSFW_LAN? Wouldn't all connections to this interface and going to 'This Firewall' originate on this interface? Wouldn't then source '*' and source 'NSFW_LAN' be the same set of connection attempts? Thank you.
@michnl1772 1 year ago
Yes it's the same, selecting Any or setting the NSFW_LAN as source makes no difference (both do the same)
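The two rule questions above (the "This Firewall" vs "WAN address" destination on the WAN tab, and source "*" vs "NSFW_LAN net" on the NSFW_LAN tab) both come down to how pfSense evaluates rules: per interface, top to bottom, first match wins, with an implicit default deny at the end. The model below is an added example, not pfSense code and not the video's own rule set; interface names, addresses, ports and rules are constructed to mirror the comments. It resolves the pfSense address specs the way the firewall does ("This Firewall" is every address the firewall owns, "WAN address" is only the WAN IP, "NSFW_LAN net" is that interface's subnet) and evaluates a few packets against each variant. For a host inside the NSFW_LAN subnet the two source forms give the same verdict from the same rule; the example also shows, as a generalization beyond the comment, the one case where the matching rule differs (a source address outside the subnet arriving on that interface) and the case where "This Firewall" and "WAN address" diverge.

```python
"""Model of pfSense per-interface, first-match rule evaluation.

Added example, not pfSense code. Interface names, addresses, ports and rules
are constructed to mirror the NSFW_LAN / WAN rule questions in the comments.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed interface addressing (assumption, not the video's real addressing).
INTERFACES = {
    "WAN":      {"addr": "203.0.113.10", "net": "203.0.113.0/24"},
    "LTS_TOM":  {"addr": "10.0.10.1",    "net": "10.0.10.0/24"},
    "NSFW_LAN": {"addr": "10.0.20.1",    "net": "10.0.20.0/24"},
}


@dataclass
class Rule:
    action: str        # "pass" or "block"
    src: str           # "*", "<IFACE> net", or an address/CIDR
    dst: str           # "*", "This Firewall", "<IFACE> address", "<IFACE> net", or address/CIDR
    proto: str = "*"   # "*", "tcp" or "udp"
    dport: int = 0     # 0 = any destination port
    descr: str = ""


def match_addr(spec: str, addr) -> bool:
    """Resolve pfSense-style address specs: 'This Firewall' is every address the
    firewall owns, '<IFACE> address' one interface IP, '<IFACE> net' its subnet."""
    if spec == "*":
        return True
    if spec == "This Firewall":
        return any(addr == ip_address(i["addr"]) for i in INTERFACES.values())
    if spec.endswith(" address"):
        return addr == ip_address(INTERFACES[spec[:-len(" address")]]["addr"])
    if spec.endswith(" net"):
        return addr in ip_network(INTERFACES[spec[:-len(" net")]]["net"])
    return addr in ip_network(spec, strict=False)


def evaluate(rules, src: str, dst: str, proto: str = "tcp", dport: int = 0):
    """Rules on an interface tab only see packets entering that interface; GUI rules
    are 'quick', so the first match wins, and no match is the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto not in ("*", proto) or (r.dport and r.dport != dport):
            continue
        if match_addr(r.src, s) and match_addr(r.dst, d):
            return r.action, r.descr
    return "block", "default deny"


# WAN tab as described in the comment: WireGuard rule to "This Firewall",
# OpenVPN rule to "WAN address" (default ports of each VPN, constructed here).
WAN_RULES = [
    Rule("pass", "*", "This Firewall", "udp", 51820, "Allow VPN (WireGuard)"),
    Rule("pass", "*", "WAN address", "udp", 1194, "Allow VPN (OpenVPN)"),
]


def nsfw_rules(block_src: str):
    """NSFW_LAN tab; only the source of the firewall rules differs between variants."""
    return [
        Rule("pass", block_src, "This Firewall", "udp", 53, "Allow DNS to firewall"),
        Rule("block", block_src, "This Firewall", descr="Block access to firewall"),
        Rule("block", "NSFW_LAN net", "LTS_TOM net", descr="Block NSFW_LAN -> LTS_TOM"),
        Rule("pass", "NSFW_LAN net", "*", descr="Allow everything else (internet)"),
    ]


def vpn_destination_checks():
    """'This Firewall' vs 'WAN address': same verdict for traffic to the WAN IP,
    different for a packet arriving on WAN addressed to another firewall-owned IP."""
    peer = "198.51.100.7"
    return {
        "wg_to_wan_ip":   evaluate(WAN_RULES, peer, "203.0.113.10", "udp", 51820)[0],
        "ovpn_to_wan_ip": evaluate(WAN_RULES, peer, "203.0.113.10", "udp", 1194)[0],
        "wg_to_lan_ip":   evaluate(WAN_RULES, peer, "10.0.10.1", "udp", 51820)[0],
        "ovpn_to_lan_ip": evaluate(WAN_RULES, peer, "10.0.10.1", "udp", 1194)[0],
    }


def source_any_vs_net():
    """Inside 10.0.20.0/24 both source forms block via the same rule; a source outside
    the subnet (e.g. behind a downstream router on that port) is blocked either way,
    but by a different rule, which is what shows up in the firewall log."""
    any_rules, net_rules = nsfw_rules("*"), nsfw_rules("NSFW_LAN net")
    return {
        "inside_any":  evaluate(any_rules, "10.0.20.42", "10.0.20.1", "tcp", 443),
        "inside_net":  evaluate(net_rules, "10.0.20.42", "10.0.20.1", "tcp", 443),
        "outside_any": evaluate(any_rules, "192.168.99.5", "10.0.20.1", "tcp", 443),
        "outside_net": evaluate(net_rules, "192.168.99.5", "10.0.20.1", "tcp", 443),
        "dns_inside":  evaluate(net_rules, "10.0.20.42", "10.0.20.1", "udp", 53),
        "to_lts_tom":  evaluate(net_rules, "10.0.20.42", "10.0.10.50", "tcp", 445),
        "to_internet": evaluate(net_rules, "10.0.20.42", "1.1.1.1", "tcp", 443),
    }


if __name__ == "__main__":
    for name, fn in (("VPN destination", vpn_destination_checks), ("source any vs net", source_any_vs_net)):
        print(name)
        for k, v in fn().items():
            print(f"  {k:14} {v}")
```

The practical takeaway from the model: a "Block to This Firewall" rule with source "*" and one with source "NSFW_LAN net" behave identically for the subnet's own hosts, so the choice is about which rule you want logging the hit; on the WAN tab, "WAN address" is the tighter destination for a service that only listens on the WAN IP.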
@firmanagus7241 7 months ago
Sir, how do I direct the speedtest on Multiwan to a specific ISP?
@dabneyoffermein595 4 months ago
Are the various networks (NSFW_LAN), (LTS_TOM), (CAMLAN) set up as VLANs, or are they physical NIC cards in the firewall appliance (or computer)? Thanks so much !!! I realize yours might be virtual as well, so just let me know: if I had an actual appliance or computer, would I need 4 physical NICs in the case of your home network? 1 for the WAN port and 3 for the above segregated networks.
@LAWRENCESYSTEMS 4 months ago
You can do them either physical or virtual.
@skipfrog11 2 years ago
So after creating networks, how do you connect devices to a specified network in PfSense?
@LAWRENCESYSTEMS 2 years ago
VLANs and UniFi kzbin.info/www/bejne/mGPaYoytqZVrZ9E
@YehudaKatz1 2 years ago
It is technically possible for the cameras to exfiltrate some data through DNS - there are botnets that use DNS for C&C too. Probably not a major issue since the cameras can't get to anything else, but still technically possible.
@LAWRENCESYSTEMS 2 years ago
Yeah, I consider that to be a really low risk factor because even if they did pull down some C&C they can't leave their network.
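Since the exchange above leaves the cameras with DNS as their only path out, the sensible compensating control is to watch that path. The script below is an added example for that point, not anything from the video or from pfSense: it reads DNS query records in a simplified, constructed "timestamp client qname qtype" shape (not the real Unbound log format) and flags a client-to-domain pair whose queries look like a covert channel rather than name resolution: many queries to one registered domain, almost every subdomain unique, long high-entropy first labels, and a preference for TXT/NULL records. The thresholds are illustrative assumptions, the sample log is constructed, and the registered-domain logic is a two-label simplification without a public-suffix list.

```python
"""Flag DNS-tunnelling-style query patterns from a segmented camera VLAN.

Added example for the DNS exfiltration point in the comments; not from the video
or pfSense. Log format, sample lines and thresholds are all constructed.
"""
import math
from collections import defaultdict

# Constructed sample: 10.0.30.5 resolves a few ordinary names; 10.0.30.7 sends many
# unique, long, random-looking labels under one domain, mostly as TXT queries.
SAMPLE_LOG = """\
1700000000 10.0.30.5 time.example-ntp.test A
1700000001 10.0.30.5 firmware.cam-vendor.test A
1700000002 10.0.30.7 a8f3kq2n9z1x0v7c4b6m.tunnel-example.test TXT
1700000003 10.0.30.7 p0o9i8u7y6t5r4e3w2q1.tunnel-example.test TXT
1700000004 10.0.30.7 m4n7b2v9c1x6z3l8k5j0.tunnel-example.test TXT
1700000005 10.0.30.5 api.cam-vendor.test AAAA
1700000006 10.0.30.7 q1w2e3r4t5y6u7i8o9p0.tunnel-example.test TXT
1700000007 10.0.30.7 zx9cv8bn7ma6sd5fg4h3.tunnel-example.test TXT
1700000008 10.0.30.7 lk3jh5gf7ds9ap1oi2uy.tunnel-example.test TXT
1700000009 10.0.30.7 5t6y7u8i9o0pqwertyas.tunnel-example.test NULL
1700000010 10.0.30.7 h2j4k6l8z1x3c5v7b9n0.tunnel-example.test TXT
this line is malformed and must be skipped
"""

# Illustrative thresholds (assumptions, tune to the environment).
MIN_QUERIES = 5       # enough samples to judge a client/domain pair
MIN_UNIQUE_RATIO = 0.8
MIN_LABEL_LEN = 12
MIN_ENTROPY = 3.0     # bits per character of the first label


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name (simplification: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Parse 'ts client qname qtype' lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.lower(), qtype.upper()))
    return records


def score_clients(records):
    """Per (client, registered domain): volume, uniqueness, label length, entropy,
    TXT/NULL ratio, and a boolean verdict from the thresholds above."""
    groups = defaultdict(list)
    for _, client, qname, qtype in records:
        groups[(client, registered_domain(qname))].append((qname, qtype))
    report = {}
    for key, qs in groups.items():
        first_labels = [q.split(".")[0] for q, _ in qs]
        n = len(qs)
        stats = {
            "queries": n,
            "unique_ratio": len(set(first_labels)) / n,
            "avg_label_len": sum(map(len, first_labels)) / n,
            "avg_entropy": sum(map(shannon_entropy, first_labels)) / n,
            "txt_null_ratio": sum(1 for _, t in qs if t in ("TXT", "NULL")) / n,
        }
        stats["suspicious"] = (
            n >= MIN_QUERIES
            and stats["unique_ratio"] >= MIN_UNIQUE_RATIO
            and stats["avg_label_len"] >= MIN_LABEL_LEN
            and stats["avg_entropy"] >= MIN_ENTROPY
        )
        report[key] = stats
    return report


def flagged(text: str):
    """Sorted list of (client, domain) pairs that trip the heuristic."""
    return sorted(k for k, v in score_clients(parse_log(text)).items() if v["suspicious"])


if __name__ == "__main__":
    for (client, domain), stats in score_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client:12} {domain:22} {stats}")
    print("flagged:", flagged(SAMPLE_LOG))
```

On a pfSense box the raw material for this would be the resolver's query log or a DNS passive capture on the CAMLAN interface; the value of the check is that it keys on behaviour (volume, uniqueness, entropy) rather than on any particular domain, so a blocklist miss does not make the camera's only outbound path invisible.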