Basic Setup and Configuring pfsense Firewall Rules For Home

Views: 357,180

Lawrence Systems

1 day ago

lawrence.video/pfsense
Official Netgate pfsense documentation on firewall rules
docs.netgate.com/pfsense/en/l...
Getting Started with pfsense firewall rules
• Getting Started With p...
How To Setup VLANS With pfsense & UniFI. Also how to build firewall rules for VLANS in pfsense
• How To Setup VLANS Wit...
Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using UniFi & pfsense
• Office Network Design ...
How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN
• How To Setup pfsense O...
Tutorial: pfsense Wireguard For Remote Access
• Tutorial: pfsense Wire...
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use offer code LTSERVICES to get 5% off your order at
🛒 lawrence.video/techsupplydirect
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect your privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
⏱️ Timestamps ⏱️
00:00 pfsense Home Firewall Rules
02:00 Diagrams.net Devices & Networks
06:30 pfsense NAT rules
07:04 WAN Firewall Rules
08:16 IOT & LAN Rules
#pfsense #Firewall #Security

Comments: 345
@LAWRENCESYSTEMS 2 years ago
Official Netgate pfsense documentation on firewall rules: docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html
LTS Curated pfsense Tutorials: lawrence.technology/pfsense/
Getting Started with pfsense firewall rules: kzfaq.info/get/bejne/m8hho7eknL7FnXU.html
How To Setup VLANS With pfsense & UniFI. Also how to build firewall rules for VLANS in pfsense: kzfaq.info/get/bejne/mJinZLyo2ZacYaM.html
Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using UniFi & pfsense: kzfaq.info/get/bejne/pdtxhdVemcnMemw.html
How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN: kzfaq.info/get/bejne/q9KCmsiU35a5o4U.html
Tutorial: pfsense Wireguard For Remote Access: kzfaq.info/get/bejne/btCBaLh2xJ3clKc.html
⏱ Timestamps ⏱
00:00 pfsense Home Firewall Rules
02:00 Diagrams.net Devices & Networks
06:30 pfsense NAT rules
07:04 WAN Firewall Rules
08:16 IOT & LAN Rules
@thegrimreever 2 years ago
Just wanted to drop a comment and thank you for all of your content. You are consistently putting out relevant, detailed videos and I hope it never slows down. This channel is a wealth of information and it just keeps coming. I’m blown away at how much content you are able to put out, and it’s all SO good! Thanks so much for all that you do. It has helped me take my home network and homelab to a whole new level!
@sriran1588 2 years ago
Most awaited video, especially after the pandemic where most of us started WFH. Watching your videos I have set up a home brew pfsense box and UAP AC Pro with multi WiFi VLANs for IOT, Work, Study and Guest. This video will help us to fine tune the rules.
@MactelecomNetworks 2 years ago
Great video Tom. Love seeing how others do their rules
@tranthien3932 2 years ago
NSFW LAN as the most important category. You truly are a man of culture. Thank you Tom
@CmdrStukov 2 years ago
Thanks! I will be watching and re-watching this video as I scale out my network. I am running Suricata and pfBlockerNG but sometimes feel overwhelmed with all the activity - your other videos have been very helpful Tom. Again, many thanks
@ag100pct 2 years ago
Another excellent video. I like how you covered your segmentation and the rationale behind it also. I picked up a few things just in how you used all the aliases to make life easier. Thank you for sharing.
@loco_latino1498 2 years ago
Excellent video. Entering the networking and security analyst field, this has been an interesting experience setting pfsense up for home. Great to see I'm on the right path. 😁
@gonace 2 years ago
To be fair, "what rules you need" depends on what you do on your network. Love these videos, you guys explain things in an easy to understand way.
@Deraco1 2 years ago
Always like your videos. I created some test phone servers and decided they'd be best on their own network. Happy that I did, especially when I was wanting to do some port forwards (I know, not the best) to call my phone system from anywhere. Now I've got OpenVPN set up and am toying with it. You're one of the main guys that got me looking more into pfSense coming from an EdgeRouter-X, loving it
@mysticsilent 2 years ago
Nice video, this confirms my same thought about securing my own home network the same way. Thanks for your great content and best wishes for 2022!
@Dreamshadow1977 1 year ago
Thank you for this. Was struggling with configuring pfsense because my only firewall experience was with corporate firewall software. Seeing your rule configuration just made it click!
@wernerdebijl1885 2 years ago
Love that you pick up this pfsense series with more interesting videos. Keep 'em coming. Thanks
@vitorhugobarbosa2456 7 months ago
Hi Lawrence, you are a reference abroad for me; your knowledge is precious, and exactly that: the fact that you explain things easily and right to the point.
@marcvasey2123 2 years ago
Very interesting to see how your rules are configured! One thing I noted that I'd do differently would be the rules for the NSFW LAN: personally I configure an alias for RFC1918 subnets and create an allow rule to the inverse of that alias, rather than creating block rules for each network and having an allow all. Just means if you add any other networks in future you don't need to specifically block them as they're already covered in that private address space. Great video either way! -Marc
@davejoseph5615 1 year ago
Isn't the RFC1918 rule only applied to the WAN port? There is a checkbox at the bottom of the Interfaces/WAN page.
@IndyColts1987 1 year ago
He means creating his own alias based on that RFC so he can reference it in his firewall rules.
@HHX_H 2 years ago
Thank you for updating this!!! Absolute pfSense guru!
@davidbrowningCodeMix 2 years ago
Hi Tom, I was way overthinking this! Thanks so much for freeing my mind.
@RedBlueLabs 2 years ago
I really appreciate the content that you make. It is straightforward and you do a great job of explaining. Thanks :)
@DrewMarshall0750 2 years ago
Thanks for another great video! It helped me set some things I was mulling over with my current setup!
@gegounaris 2 years ago
Another to the point video from Lawrence! Great stuff... Thank you!
@iJamesGC 2 years ago
WOW! You are good! I was just looking at another video for setting up pfsense firewall rules.
@LBCAndrew 2 years ago
This is exactly what I've been needing. After being fed up with crappy consumer grade routers, I first looked into running OpenWRT on x86 hardware when someone mentioned to look at pfSense. I've been running it for two weeks now on a preliminary hardware build and have been both pleased and overwhelmed by its ability and complexity. I've got a Lenovo M900 Tiny coming tomorrow which I'll be modifying to use a second NIC, and this video will come in handy.
@jaxwylde2139 2 years ago
Is there a slot for a second Ethernet NIC on the M900 Tiny, or will you be doing this via a USB 3.0 NIC? I've got a similar tiny PC (HP EliteDesk 800 G2 mini), where I use a Proxmox server (to play around with Docker, LXCs, VMs, etc.). Was considering getting another mini PC, but need one that has an option for 2 Ethernet NICs. Cheers!!
@clintbishop9145 2 years ago
@@jaxwylde2139 I think you're overthinking the situation. Pick up a refurb'd Dell or HP SFF with an i5-4590, add in 4 or 8 GB and a 4-port NIC and then enable PowerD once installed.
@jaxwylde2139 2 years ago
@@clintbishop9145 I'm not overthinking it. Depends on what you're after. I already have a Dell SFF (790), but wanted something smaller with lower power consumption (that isn't an RPi) and more versatile than one of those dual-NIC Chinese mini PC boxes. I'll look a bit more into PowerD (haven't used it before) to see if it will provide the lower power usage I'm looking for.
@TulioCamargo179 2 years ago
This is all in my to-do list hehe. Great video Tom.
@BillyDickson 2 years ago
Thanks Tom, great video, looking forward to more in 2021.
@notta3d 2 years ago
Great video. I was hoping you would make a video like this. Thanks!
@SyberPrepper 2 years ago
Excellent video Tom. This information is very appreciated. I would love to hear more about you binding your admin interfaces. I didn't really understand how you do that. Thanks!
@LAWRENCESYSTEMS 2 years ago
That is done on a per-device basis. I will be making one on Synology soon because they have a more complex way of doing it.
@SyberPrepper 2 years ago
@@LAWRENCESYSTEMS That would be great. I'll do some research myself as well. Sometimes it's hard to know what question to ask, so your videos are very helpful.
@mynightoff 2 years ago
@@LAWRENCESYSTEMS Great video Tom - I have a similar set up to the one you described and had the same question about Synology admin interfaces (want to make Plex available to IoT but not the admin interfaces of course). Many thanks for what you're doing.
@KegRaider 1 year ago
Under-rated and under subscribed channel. Fixed that for myself! Liked and subscribed, looking forward to binge watching your stuff. Cheers mate.
@LAWRENCESYSTEMS 1 year ago
Awesome, thank you!
@turcoscorner 2 years ago
Tom, you can set up the Synology NAS to act as an NTP server, and configure the cameras to use the Synology for NTP. That's how I have it set up for customers and my house. Thank you for your videos btw!
@LAWRENCESYSTEMS 2 years ago
Yes, that is correct, but I chose to use pfsense instead.
@Spfinator 2 years ago
Well, I now have work to do. Thanks, Tom!
@gregsh303 2 years ago
Great content but just a warning about Wemo light switches and the block firewall rule Tom mentions. You must enable ICMP to your firewall in order for your Wemo Light Switches to stop flashing red. Thanks!
@AngryDadTech 2 years ago
This is a great video. I have a 6100 to play with and eventually replace my UDMP once I have it set up how I want it. This will be a great starting place. Was wondering if you would do either a forum post or video on expanding this to pfsense rules to use in a multi tenant business center or SMB
@jimpanse6556 2 years ago
Good sum up, thanks a lot! How would you handle a home network PC that is a gaming machine and admin PC for home and other family networks (external) at the same time?
@mr.needmoremhz4148 2 years ago
Great video! I'm going to get pfSense and a Netgate box probably (or build something). Fibre to the home has finally arrived where I live, with symmetric Gigabit and 10 Gigabit (later) speeds. So I might as well upgrade my router and configure my switches and APs for it. I have a Netgate select partnered retailer in the street I live on, and with a future SOHO in mind this may be the best option. Any advice regarding Netgate appliances (6100 or 1537 or ...)?
@musicinsession 1 year ago
I love this guy's channel!! Subbed!!
@LAWRENCESYSTEMS 1 year ago
Thanks
@Phelper99 2 years ago
Imagine at work if your entire desktop support and IT support infrastructure went away. That's what will happen when I spontaneously combust. My poor wife and kids, my servers, my vlans, my homeassistant, my smart home... I love the hobby, tinkering with all this stuff, but at middle age, I do seriously wonder what will happen to it all when I'm gone. I spent months getting my Sh1+ out of the cloud, mostly hosted locally. Hope I can teach my kids how it all works. Not meant to be morbid or anything, but something I am cognizant of. Tom, thanks for these videos. I learned on M. Furneaux's videos, and you've kept me current since. Thanks so much. Edit: I'm sure they'll recover. They'll have it all hosted on Amazon in the cloud :)
@MrGAZZAband 2 years ago
Hi Lawrence, this was a great video and very helpful. I have just set up the latest version of pfSense in my home using a custom built PC and am playing with rules, schedules, OpenVPN etc. I have a specific question about content filtering, especially for mobile phones and tablets connected to WiFi and also Amazon Echo devices. I want to be able to filter content, specifically Spotify, from playing adult content. I know I can block KZfaq, but is there any way I can still allow these streaming services but have pfSense detect if the content is of an adult nature and prevent this streaming? In other words I still want the kids to be able to access KZfaq, Spotify etc. but be able to set a rule to make sure the content is not explicit. I hope that makes sense. Thanks
@michaelp.caputo8190 2 years ago
Another great video. Since this was a home network setup, where would you put the other family members' PCs, and also what if you have cloud based cameras like Wyze? They would need internet access
@christostsekas8795 2 years ago
Hello Tom! Thank you for your great content! What would be the best method to block AnyDesk, TeamViewer & other remote access apps using pfsense?
@muchada1 2 years ago
Pure entertainment and informative 👏🏿👏🏿👏🏿
@mikescott4008 2 years ago
Many thanks. Looking to review pfsense again as an alternative to Untangle / Sophos XG.
@chaostv3795 1 year ago
This video helped me a lot. Thank you
@FayazAnwardeen 2 years ago
Hi, just wanted to know if you need to insert a pi-hole into this network where will you place it and will routing all internet traffic through this device be a security risk?
@pgtt2008 2 years ago
I never thought of a Phone as an IoT device but I see your point.
@TumescentPuma 2 years ago
Very big "doh" moment seeing your separator with documentation in the WAN rules. I have been using pfSense for about 6 years and never thought of this.
@LAWRENCESYSTEMS 2 years ago
We use them a lot with larger, more complex firewall configurations.
@jamesbelding2950 2 years ago
This was great. I would love to see this using Untangle
@scbtripwire 2 years ago
I recently bought myself an SG-2100, quite happy so far. 🙂 I realized when setting it up that I don't need to bog it down with Snort or Suricata if all I'm doing is blocking, so pfBlockerNG has been good enough for me. 🙂 My connection seems a bit slower than it used to be though, at least when establishing connections, but I'm guessing that's pfBlockerNG doing its job.
@IndianaDiy 2 years ago
I was looking at getting the 2100 for my home office network. I was curious how good they really are? Any hardware failures?
@evancatlin1839 2 years ago
Do you have a video showing this same information but for UDM or UDMP? I’m running a UDM at home and would love to know how someone who lives in that world would set them up.
@rkhanso 2 years ago
Tom, would you make a video like this for Untangle? I know the theory would be pretty much the same, but it may be helpful for many using Untangle.
@devopshelper 1 year ago
I'm a fan of pfSense, hands down the best in the industry. You can use it in ISPs, IXPs, and simple home networks, but for a home network, that Sophos home edition is also a nice piece
@ForbiddenUser403 2 years ago
You seem to have used pfSense quite a bit; how would you say it compares to the flexibility and feature sets of Mikrotik's RouterOS?
@AndrewDubas 2 years ago
I have a UDM Pro. How can I run that UDMP behind pfSense as the firewall? I'd like the UDMP for WiFi and cameras (Protect) but would like to use pfSense as the firewall. What is the best way to accomplish this?
@houseeverything 2 years ago
I would sure love to know how to setup a rule from openVPN to my emby server! I am assuming I am missing a port forwarding from 1194 to 8096. My openVPN works great and can connect to my NAS and everything, but cannot connect to my emby server! Love your videos by the way!
@JeppoTheWrecker 2 years ago
Hi Tom, I would be interested in a video on your Synology setup you mentioned. I currently have my Synology on the trusted network, but would like to have the video and music content available on the IOT network. I have set up a Netgate and UniFi network using your videos, but the Synology side would be helpful as well. Steven
@rcobsesssed 2 years ago
I second this request!
@wernerdebijl1885 2 years ago
Me too
@ChristopherDopp 2 years ago
Thanks Tom!
@C650101 2 years ago
Can you do a video on how to connect an external WiFi AP to a pfSense router and have some WiFi connected devices go to separate networks? Something is wrong with mine. I give devices a static IP on one subnet but they sometimes get a connection on the wrong one.
@nonkelsue 2 years ago
Great video, thanks! Would love to know more on how you combine pfSense with a Unifi Controller such as a UDM Pro. I have been using pfSense in the past, and now using the UDM Pro as router, however would like to reverse that without losing the UDM Pro in my network. A video on that would be appreciated!
@Cole987Turner 11 months ago
Just create new networks and use "VLAN only" so these are networks where the "router" inside the UDM is not involved. But keep in mind that the UniFi access points can only forward "UDM" routed networks OR VLAN networks, not both. Just for a test: choose an AP, remove all associated networks from it. Select a VLAN-only network and create a new switch profile with it! Make sure that only tagged networks are selected. Assign that network to your access point and assign the "only tagged" switch profile on the switch port pointing to your pfSense. Create that VLAN in pfSense, assign an interface, enable the DHCP server, make rules. Done :)
@MichaelSmith-fg8xh 2 years ago
Is it better to have firewall rules like:
Tom: specific block rule, anything else is allowed
Suggestion: specific rule to allow, deny anything else (that wasn't caught by a previous rule)
@susugar3338 2 years ago
I really recommend that you should have a home firewall. I already set up a pfSense router after Hikvision's camera exploit. Hardware to run pfSense is very cheap and popular. If you want to know about my setup, here are some details: I bought an old ITX mainboard (for just $35) that has: dual gigabit Ethernet ports: just enough. CPU Atom D2550, 2 cores, 1.86 GHz, 4 threads: it's OK for an internet connection below 500 Mbps! RAM 2 GB DDR3: in fact it just uses 16%. Configuration: firewall blocks all connections from access points, IP cameras and DVR to the Internet (I don't want them to become part of a botnet or expose camera recordings to the internet), OpenVPN server for viewing cameras from the internet, opening 2 ports for OpenVPN and HomeAssistant. The guest network is on a subnet of the ISP's router. If you think that "the ISP's router also has a firewall...", NO, they are really bad, lack advanced configuration, never get firmware updates and God knows whether they are safe from the log4j exploit or something like that :)
@CHLEE-ou6ub 2 years ago
Great video Tom. Quick question @9:15 if I may: since we are inside the "NSFW_LAN" rules, is it necessary to specify "Source=NSFW_LAN" for this block rule, or can we leave it as "Source= *"? Thank you Tom, and an advance Happy New Year
@LAWRENCESYSTEMS 2 years ago
There is a difference in specific use cases www.reddit.com/r/PFSENSE/comments/rn0nej/firewall_rules_source_ip_any_vs_interface_name_net/
@hwansu_ 2 years ago
Super informative video, thank you! Curious about your thoughts on notifications for cameras? If there's movement or something, would you still get notified if you're out of the house? Would love to learn more about the Synology rules you have set up as well. Thank you!
@LAWRENCESYSTEMS 2 years ago
The Synology does the notifications kzfaq.info/get/bejne/rpN6qJeGsparlps.html
@BrianThomas 2 years ago
@@LAWRENCESYSTEMS What if you don't have a Synology? What if it's a Reolink NVR? Would the same thing apply?
@numberiforgot 2 years ago
I’ve had some trouble with pfsense flagging non alarming activity in the past. It can be tricky to configure if you’re on the web a lot.
@LeeSteventon 2 years ago
@Lawrence Systems - great video as always Tom. A quick question on ISP modems and Bridging - if an ISP offers to provide their modem in bridging mode, it's my understanding that this essentially "disables" all NAT and firewall functions on the modem and it just passes through without any checks the public IP address. Is that correct? If so, then connecting this bridged modem to a port of a Netgate device would mean that the public IP (assume for this discussion it's a static one) is directly applied to the port (configured then as WAN) on the Netgate device, and the Netgate device now needs to handle the NATting and all other functions that the modem would usually handle. Is that right?
@LAWRENCESYSTEMS 2 years ago
Yes
@pstgh 4 months ago
Pretty cool setup. I guess you run separate switches and separate WiFi access point(s) connected to separate interfaces for each of these networks, right? I am running a Protectli 4-port box and have an interface designated for PIA in addition to WAN and LAN. Thanks.
@jasonperry6046 2 years ago
Thanks for the video Tom. Every time I watch a video like this it always seems to be on a dream machine, and every time I think I wish someone would do one on pfsense, so thank you. My question though do you have a different SSID for each vlan? Also you mentioned locking down the admin interfaces, I would be interested in seeing the steps you go through to make sure it is locked down.
@LAWRENCESYSTEMS 2 years ago
Yes, separate SSID and simply pinging from each network to see if it can hit other networks.
@nandurx 2 years ago
Thanks for the video. Going to make some changes in VLANs. Question though: how do I put TrueNAS management access on one VLAN and sharing on another? I believe that's what you were saying. I would like to access my TrueNAS from my main PC but allow my TV to see content from the NAS, which is on a different VLAN.
@clintbishop9145 2 years ago
I think you have a managed switch? If so, assign your devices to the required VLANs (multiple, if needing access to different VLANs) and change your PC to be a trunk (access all VLANs)
@chrisbaksa 2 years ago
Great video Tom. I always learn something new whenever I watch one of your videos. Question: do you have any issues with pfSense and Wi-Fi calling (from your cell)?
@TheInternalNet 2 years ago
Long time viewer. This is the perfect video. Please expand on this. Part of the home lab series.
@wernerdebijl1885 2 years ago
I second that. Make it a series
@pascal1287 1 year ago
Hello from the UK. Great video as always! Question for your NSFW: would you recommend using a DNS redirect rule to avoid client machines attempting to connect to their own DNS and redirect them to the router DNS? Or too much bother for the potential benefits? Thanks
@Monarchias 1 year ago
Hi! My understanding: if you configure pfSense DNS in the General Setup menu, you can still configure each LAN interface and even VLAN interface in the DHCP section to give a different DNS IP address than what has been configured in General Setup. Which is very handy if you want to use a Pi-hole, for example, on one of your subnets.
@asis-vo1rx 2 years ago
Thank you very much for the video Tom. Is there any reason in particular why you put the "NSFW_LAN net" as the source for blocks instead of using any/wildcard?
@LAWRENCESYSTEMS 2 years ago
Because it's sourcing from that network, and yes I know it will work without it.
@geoncic 2 years ago
Great video and content, I've learned loads from you. I really appreciate it. Do you have any videos of how you manage the routing on the devices themselves? How you bind certain traffic to a specific interface?
@wernerdebijl1885 2 years ago
I would love to see that too. Example configuring Synology etc.
@LAWRENCESYSTEMS 2 years ago
Each device has its own way of doing it.
@lordbaboon1110 2 years ago
Is there a bug with exceptions from VPN? I have the whole system set to VPN and I've used exceptions for the IPs that need to use WAN without VPN, and it has worked before, but I discovered today it doesn't anymore :( By exception I mean I set a rule for the specific LAN IP to use WAN instead of OPT. Thanks in advance
@thorflea2 4 months ago
I love your videos. My question is how to prevent devices like my refrigerator and TVs from scanning the network for other devices and information on the same interface.
@Dwenger 2 years ago
I like your security concept. How would you reach a Ubiquiti Cloud Key with cams connected in the cam LAN with the UniFi Protect app from the NSFW_LAN? The UniFi Protect app scans only its own subnet.
@danberglund7785 2 years ago
Tom is talking about running the cam server on a Synology (Surveillance Station). Therefore he can have one interface of the Synology in the cam LAN. If you were to run UniFi cameras on the cam LAN and have Protect run on NSFW_LAN you would need to open the firewall to the specific IP address of the Cloud Key. If you adopt the cameras in the NSFW_LAN and then move them to the cam LAN they will get correct IP addresses in the cam LAN and still be found by Protect.
@thejjjwils 2 years ago
I've not worked out what it is, but for me NFS shares on different subnets to my Synology NAS don't work very well (they hang), so I have to make sure my NFS clients sit on the same subnet. I'm not sure if it's Synology, NFS, or pfSense; the simple solution was to avoid it.
@daninmanchester 2 years ago
Interesting, I have a slightly different approach. I put my cameras in my IoT network (which has no internet) and then have a "requires internet" alias for specific devices that I allow internet access (e.g. TV, Roku, etc). I find this easier as then I have a separate SSID / VLAN for guests and anyone who gets the password can then just access the internet and nothing else, and it requires little to no management. I am however routing over pfSense for everything. It's not too taxing (even SMB easily hits 1Gig) but I think I need to add VLANs to my XCP-NG servers so I can create multiple interfaces like you have for Synology to avoid unnecessary pfSense traffic. It would likely only be an issue if I went to 10Gb .... which would be a nice problem to have.
@firmanagus7241 3 months ago
Sir, how do I direct the speedtest on Multiwan to a specific ISP?
@PowerUsr1 2 years ago
Just to add to this, at the end of my rules for my Wifi network or DMZ network I have a deny any to destination 'RFC1918'. RFC1918 is an alias that has all 3x private networks in there. I do have a mixture of denies mixed in with my permits so this is really just a catch all. Then the last rule in my policy is a permit any/any.
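As an added example (not from the video, Netgate, or any commenter), the Python below models pfSense's top-down, first-match evaluation on a single interface and compares the three NSFW_LAN policy styles raised in this thread: the per-network block rules plus allow-all shown in the video, PowerUsr1's catch-all block to an RFC1918 alias, and Marc's single allow to the inverse of that alias. All subnets, interface addresses and rule names are constructed for the example.

```python
"""Model of pfSense top-down, first-match rule evaluation on one interface,
used to compare the NSFW_LAN policy styles discussed in this thread.
All subnets, interface addresses and rule names are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

ANY = ipaddress.ip_network("0.0.0.0/0")

# Alias "RFC1918": the three private ranges, as several commenters build it.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed subnets standing in for the networks named in the video.
NETS = {
    "NSFW_LAN": ipaddress.ip_network("192.168.10.0/24"),
    "LTS_TOM": ipaddress.ip_network("192.168.20.0/24"),
    "CAMLAN": ipaddress.ip_network("192.168.30.0/24"),
}
# "This Firewall": the firewall's own address (.1) on every interface.
THIS_FIREWALL = [ipaddress.ip_network(f"{net[1]}/32") for net in NETS.values()]


@dataclass
class Rule:
    action: str                         # "pass" or "block"
    dst: List[ipaddress.IPv4Network]    # destination alias members
    invert: bool = False                # pfSense "Invert match" on destination
    name: str = ""

    def matches(self, ip: ipaddress.IPv4Address) -> bool:
        hit = any(ip in net for net in self.dst)
        return hit != self.invert


def evaluate(rules: List[Rule], dst: str) -> str:
    """First matching rule wins; unmatched traffic hits the implicit default deny."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(ip):
            return rule.action
    return "block"


# Style 1 (as shown in the video): block This Firewall, block each other network
# by name, then allow everything else.
PER_NETWORK = [
    Rule("block", THIS_FIREWALL, name="Block to This Firewall"),
    Rule("block", [NETS["LTS_TOM"]], name="Block to LTS_TOM"),
    Rule("block", [NETS["CAMLAN"]], name="Block to CAMLAN"),
    Rule("pass", [ANY], name="Allow anything else"),
]
# Style 2 (PowerUsr1): one catch-all block to the RFC1918 alias, then allow all.
RFC1918_BLOCK = [
    Rule("block", THIS_FIREWALL, name="Block to This Firewall"),
    Rule("block", RFC1918, name="Block to RFC1918"),
    Rule("pass", [ANY], name="Allow anything else"),
]
# Style 3 (Marc): a single allow to the inverse of the alias; the default deny
# covers every private destination, the firewall's own addresses included.
RFC1918_INVERSE = [
    Rule("pass", RFC1918, invert=True, name="Allow to !RFC1918"),
]

POLICIES = {
    "per_network": PER_NETWORK,
    "rfc1918_block": RFC1918_BLOCK,
    "rfc1918_inverse": RFC1918_INVERSE,
}


def verdicts(dst: str) -> Dict[str, str]:
    """Verdict of each policy style for one destination address."""
    return {name: evaluate(rules, dst) for name, rules in POLICIES.items()}


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier, non-inverted rule
    to 'any' already catches everything: the classic ordering mistake."""
    shadowed, catch_all_seen = [], False
    for rule in rules:
        if catch_all_seen:
            shadowed.append(rule.name)
        elif ANY in rule.dst and not rule.invert:
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    # 192.168.40.10 models a VLAN added later that the per-network list never mentions.
    for dst in ("8.8.8.8", "192.168.20.10", "192.168.10.1", "192.168.40.10"):
        print(dst, verdicts(dst))
    misordered = [PER_NETWORK[-1]] + PER_NETWORK[:-1]
    print("dead rules when allow-all is moved to the top:", shadowed_rules(misordered))
```

The run shows the three styles agreeing on internet, firewall and known-VLAN destinations, while only the two alias-based styles also block the later-added 192.168.40.0/24; in every style, pass rules for DNS, NTP or ICMP to This Firewall (the Wemo case mentioned above) have to sit above the block, since the first match wins.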
@cdm297 2 years ago
Excellent Video 🙂
@Cowclops 2 years ago
Not identical, but your setup is surprisingly similar to my home network (pfSense, TrueNAS, most stuff goes on the "IoT" network, but my personal desktop and server/management interfaces are on a separate network). I also have my OpenVPN subnet which you land on when you VPN in; it basically has open access, but since it needs authentication that's ok.
@hnguk 2 years ago
Interesting that you put the IoT, guest and standard home devices on the same network. For my setup I have IoT on its own network with very limited connectivity and QoS set up so that it can't use all my bandwidth.
@GrishTech 2 years ago
Do you use limiters or ALTQ?
@samsampier7147 2 years ago
Ubiquiti wireless is really nice. You can create bandwidth limits on each SSID, no QoS required.
@GrishTech 2 years ago
@@samsampier7147 what if you want dynamic QoS? Being able to provide bandwidth when it’s available instead of limiting it to a fixed number?
@hnguk 2 years ago
@@GrishTech For the IoT network specifically I use limiters as I never want it to saturate my whole network. 50 down and 3 up. 10% of my provided speed.
@hnguk 2 years ago
@@samsampier7147 That's great for wireless but does not limit wired
@DavidCNavas 2 years ago
Security was never my thing -- the first job I ever turned down was in security :| Is it really better to hard-connect an interface of your NAS to your iot network rather than going through the trouble of configuring pimd (dlna/sonos/whatever?) and avahi(mdns/chromecast?) and figuring out how to properly lock down multicast? I admit to having gone back and forth on this one, but the security environment around my particular nas brand isn't making me feel particularly safe about using it to lock down access by app....
@superdoug213 2 years ago
Great vid thanks Tom! You mentioned Plex server in the beginning but I didn’t see any further reference to it. Don’t you need to have a port open for that? Or is it only local. If you have an open port for Plex, what rules could you apply to mitigate the open port?
@LAWRENCESYSTEMS 2 years ago
Only local
@BrianThomas 2 years ago
Great video. So what if you have a ton of single board computers? I have a friend that I was helping, and he has pretty much the same thing mentioned in the video, but he also has a ton of Raspberry Pis and other single board computers for various things. Some of which are IoT (and that makes sense where they should go), but not so much some of the other devices like Zabbix, IP phone systems. What would you suggest?
@LAWRENCESYSTEMS 2 years ago
Zabbix and other servers could go on the network that I called LTS_Tom in the video
@visghost 9 months ago
And where did you get the firewall_Service_port port from?
@21Lettere 2 years ago
Why does the first "Allow VPN" WAN rule have "This firewall" as a destination (it's the rule for WireGuard) and the second rule (for OpenVPN) have "WAN address" as destination? Shouldn't both be the same (WAN address as destination)?
@Phroggster 2 years ago
You allow your ISP to "spoof" your internal network address range (subnet LTS_TOM) and access your firewall's login page/shell remotely on the WAN interface? My ISP frequently utilizes RFC1918 addresses on their network, and I have in the past seen some of their devices overlap my internal network segments. It just seems silly to give them a wide-open rule for "managing" your edge externally, barring some scenario where you're L2 switching upstream of your edge such that it really is a firewall ingest interface for your internal network traffic. Personally, I have a floating fast-deny inbound-WAN rule to block anything destined for a management port (22, 23, 161, 162, 443, etc) immediately, as well as another floating inbound-WAN rule to fast-deny anything that claims to originate from my private address ranges. Allow rules on the management VLAN interface for the administrative ports enable the typical infrequent tinkering. It's not often, but I'll occasionally enough see the packet counters increment on the floating WAN rules, and it gives me a good metric for traffic that my ISP is likely counting on the bill but I most definitely should not be paying for.
Edit: I also use a floating rule to explicitly fast-reject the firewall administrative ports from my versions of the internal NSFW network interface. The packet state counter, shared across all internal non-management interfaces, makes it wickedly obvious when my printer or IoT $junkDevice is attempting to brute force the SSH key on its default gateway.
@dabneyoffermein595 23 days ago
Are the various networks (NSFW_LAN), (LTS_TOM), (CAMLAN) set up as VLANs, or are they physical NIC cards in the firewall appliance (or computer)? Thanks so much! I realize you might be virtual as well, so just let me know: if I have an actual appliance or computer, would I need 4 physical NICs in the case of your home network? 1 for the WAN port and 3 for the above segregated networks.
@LAWRENCESYSTEMS 22 days ago
You can do them either physical or virtual.
@ianjharris 2 years ago
Just noticed that you use Signal to get business messages; hey, that is pretty cool.
@LAWRENCESYSTEMS 2 years ago
Best way to communicate something securely.
@rllove016148 2 years ago
Hey! Thanks for the video. You mentioned you have no NAT configuration on the FW. Do you use Plex outside of your home? I thought we had to allow plex through over a specific port for it to work outside of the home. I was curious as to what you may have done here. Thank you.
@LAWRENCESYSTEMS 2 years ago
I use a VPN.
@rllove016148 2 years ago
@@LAWRENCESYSTEMS Thanks!
@arnepaulsen a year ago
Thank you for so many helpful tutorials. I'm confused about the first rule on the NSFW_LAN. Why is the source '*' for this rule, but the other blocks have source NSFW_LAN? Wouldn't all connections to this interface and going to 'This Firewall' originate on this interface? Wouldn't then source '*' and source 'NSFW_LAN' be the same set of connection attempts? Thank you.
@michnl1772 a year ago
Yes, it's the same; selecting Any or setting NSFW_LAN as the source makes no difference (both do the same).
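The two threads above both come down to how a first-match rule set treats the source of a packet. In pfSense, "This Firewall" is a built-in alias for every address assigned to the firewall, interface-tab rules are evaluated first-match, and floating rules are evaluated before them (the WAN interface also has a "Block private networks and loopback addresses" option that covers the RFC1918 case). The toy evaluator below is an added example for this thread, not pfSense code and not anything from the video: it models the floating WAN denies for management ports and for private-source spoofing described in the comment above, and it shows where a source of `*` and a source of `NSFW_LAN net` actually differ, namely for a packet that arrives on the NSFW_LAN interface but does not carry a source address inside the interface subnet (routed from a downstream router, or spoofed). The address plan, the 51820 WireGuard port and the packets are all constructed assumptions.

```python
"""Toy first-match rule evaluator in the spirit of pfSense firewall rules.

Added example for this comment thread: not pfSense code, and it does not read a
real pfSense configuration. The address plan, aliases and packets are
constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumed, not taken from the video).
NETS = {
    "WAN": ip_network("203.0.113.0/24"),
    "LTS_TOM": ip_network("192.168.60.0/24"),
    "NSFW_LAN": ip_network("192.168.1.0/24"),
    "CAMLAN": ip_network("172.16.16.0/24"),
}
# "This Firewall" in pfSense matches every address assigned to the firewall;
# here that is the first host address of each constructed network.
FIREWALL_ADDRS = {net[1] for net in NETS.values()}
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_PORTS = frozenset({22, 23, 161, 162, 443})  # management ports listed in the comment above


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "pass" or "block"
    iface: Optional[str] = None  # None = applies on any interface
    src: str = "any"             # "any", "rfc1918", "firewall", or an interface name meaning "<iface> net"
    dst: str = "any"
    dports: frozenset = frozenset()  # empty = any destination port


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "firewall":
        return addr in FIREWALL_ADDRS
    if spec == "rfc1918":
        return any(addr in net for net in RFC1918)
    return addr in NETS[spec]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; unmatched traffic is
    blocked, mirroring pfSense's default deny. Every rule is treated as quick /
    first-match; the list order stands in for pfSense evaluating floating rules
    before interface-tab rules."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules:
        if rule.iface is not None and rule.iface != pkt.iface:
            continue
        if not (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)):
            continue
        if rule.dports and pkt.dport not in rule.dports:
            continue
        return rule.action, rule.name
    return "block", "default deny"


def wan_rules() -> List[Rule]:
    """Floating-style WAN denies from the comment above, plus one VPN allow
    (port 51820 is an assumed WireGuard listener, not a value from the video)."""
    return [
        Rule("WAN: block spoofed private sources", "block", iface="WAN", src="rfc1918"),
        Rule("WAN: block management ports", "block", iface="WAN", dst="firewall", dports=MGMT_PORTS),
        Rule("WAN: allow WireGuard", "pass", iface="WAN", dst="firewall", dports=frozenset({51820})),
    ]


def lan_rules(block_src: str) -> List[Rule]:
    """NSFW_LAN interface-tab rules; block_src is the source of the 'block access to
    firewall' rule: "any" (the video's '*') or "NSFW_LAN" (the interface subnet)."""
    return [
        Rule("NSFW_LAN: block access to firewall", "block", iface="NSFW_LAN", src=block_src, dst="firewall"),
        Rule("NSFW_LAN: allow everything else", "pass", iface="NSFW_LAN"),
    ]


if __name__ == "__main__":
    fw_wan, fw_lan = str(NETS["WAN"][1]), str(NETS["NSFW_LAN"][1])
    for pkt in (Packet("WAN", "192.168.1.50", fw_wan, 443),    # private source arriving from the ISP side
                Packet("WAN", "198.51.100.7", fw_wan, 22),      # SSH from the internet
                Packet("WAN", "198.51.100.7", fw_wan, 51820)):  # VPN
        print(pkt, "->", evaluate(wan_rules(), pkt))
    # A host outside the NSFW_LAN subnet (routed from a downstream router, or spoofed)
    # hitting the firewall's web UI: '*' blocks it, '<iface> net' lets it fall through.
    stray = Packet("NSFW_LAN", "10.9.9.5", fw_lan, 443)
    print(stray, "-> src any:", evaluate(lan_rules("any"), stray))
    print(stray, "-> src NSFW_LAN net:", evaluate(lan_rules("NSFW_LAN"), stray))
```

For traffic that genuinely originates on the interface subnet the two sources behave identically, which is the case the commenter describes; the `*` form is the safer default because the block still applies when a source address does not belong to the subnet.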
@dimaj1 2 years ago
Yet another awesome video! Thanks Tom! One question: why would you have the same "block access to firewall" on all interfaces instead of creating a floating rule that'll cover all interfaces?
@LAWRENCESYSTEMS 2 years ago
The use of inbound and outbound floating filtering makes designing the rules more complex and prone to user error. docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html
@dimaj1 2 years ago
Thanks! Happy New Year!
@shamsugrace 2 years ago
Can we integrate pfSense with a PMS system like Opera?
@williamvangundy3358 2 years ago
Great video. Can I implement any of these rules with my UDM, or do I need to upgrade to adding a pfSense to my home system?
@wernerdebijl1885 2 years ago
I think most can be done on a UDMP. But I don't think you can create rules for systems to go out through the PIA VPN as Tom has done. I upgraded to pfSense from a UDMP and it works perfectly. But it has a bit of a learning curve. Tom's videos will help you.
@LAWRENCESYSTEMS 2 years ago
The UDM supports firewall rules, but not everything I did in this video.
@therealb888 2 years ago
Any way to use the color scheme or theme used in the thumbnail?
@andretenreiro a year ago
Do you have any video where you talk about the pfSense features? How does pfSense compare with DD-WRT for home use?
@LAWRENCESYSTEMS a year ago
I don't use DD-WRT, so I can't really compare.
@ag100pct 2 years ago
Does your "This Firewall" alias include *all* of your ports on the firewall... i.e. 172.16.16.1 + 192.168.60.1 + 192.168.1.1 ? That would be my guess...sorry if I somehow missed this.
@samo9288 2 years ago
Could you please do a tutorial on bonding interfaces the way you did with the Synology server?
@LAWRENCESYSTEMS 2 years ago
On my to-do list.
@lcbdias 8 months ago
First of all, thanks for this great content. I managed to make my pfSense setup work properly, but now I'm facing a very annoying issue. When my system reboots, for example due to a power outage, pfSense can't get the WAN address automatically. It gets WAN as blank. Any idea what could be happening?
@LAWRENCESYSTEMS 8 months ago
Not sure why, post in the forums for support.
@Apex180 2 years ago
Are there any 3rd-party tools that you could recommend that can look at the firewall logs generated by pfSense and be more useful / helpful / intuitive to help understand what's going on and make recommendations?
@LAWRENCESYSTEMS 2 years ago
I use Graylog: kzfaq.info/get/bejne/qNqWnZmImr6UiXU.html
@ahmetoooo a year ago
I have a 6100; I need help setting it up with 10 gig WAN/LAN and a 10 gig Cisco switch.