Basic Setup and Configuring pfsense Firewall Rules For Home

  • Added 25. 08. 2024

Comments • 348

  • @LAWRENCESYSTEMS
    @LAWRENCESYSTEMS 2 years ago +18

    Official Netgate pfsense documentation on firewall rules
    docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html
    LTS Curated pfsense Tutorials
    lawrence.technology/pfsense/
    Getting Started with pfsense firewall rules
    czcams.com/video/eb1pTs7XamA/video.html
    How To Setup VLANs With pfsense & UniFi. Also how to build firewall rules for VLANs in pfsense
    czcams.com/video/b2w1Ywt081o/video.html
    Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using UniFi & pfsense
    czcams.com/video/ouARr-4chJ8/video.html
    How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN
    czcams.com/video/ulRgecz0UsQ/video.html
    Tutorial: pfsense Wireguard For Remote Access
    czcams.com/video/8jQ5UE_7xds/video.html
    ⏱ Timestamps ⏱
    00:00 pfsense Home Firewall Rules
    02:00 Diagrams.net Devices & Networks
    06:30 pfsense NAT rules
    07:04 WAN Firewall Rules
    08:16 IOT & LAN Rules

  • @thegrimreever
    @thegrimreever 2 years ago +75

    Just wanted to drop a comment and thank you for all of your content. You are consistently putting out relevant, detailed videos and I hope it never slows down. This channel is a wealth of information and it just keeps coming. I’m blown away at how much content you are able to put out, and it’s all SO good! Thanks so much for all that you do. It has helped me take my home network and homelab to a whole new level!

  • @tranthien3932
    @tranthien3932 2 years ago +5

    NSFW LAN as the most important category. You are truly a man of culture. Thank you Tom

  • @marcvasey2123
    @marcvasey2123 2 years ago +36

    Very interesting to see how your rules are configured! One thing I noted that I'd do differently would be the rules for the NSFW lan - personally I configure an alias for RFC1918 subnets and create an allow rule to the inverse of that alias, rather than creating block rules for each network and having an allow all. Just means if you add any other networks in future you don't need to specifically block them as they're already covered in that private address space. Great video either way! -Marc

    • @davejoseph5615
      @davejoseph5615 a year ago

      Isn't the RFC1918 rule only applied to the WAN port? There is a checkbox at the bottom of the Interfaces/WAN page.

    • @IndyColts1987
      @IndyColts1987 a year ago +1

      he means creating his own alias based on that RFC so he can reference it in his firewall rules.

    • @g-luu
      @g-luu 25 days ago

      Beginner here, any video I can watch covering this?

  • @gonace
    @gonace 2 years ago +7

    To be fair, "what rules you need" depends on what you do on your network. Love these videos, you guys explain things in an easy-to-understand way.

  • @loco_latino1498
    @loco_latino1498 2 years ago +14

    Excellent video. Entering the networking and security analyst field, this has been an interesting experience setting pfsense up for home. Great to see I'm on the right path. 😁

  • @MactelecomNetworks
    @MactelecomNetworks 2 years ago +20

    Great video Tom. Love seeing how others do their rules

  • @CmdrStukov
    @CmdrStukov 2 years ago +3

    Thanks! I will be watching and re-watching this video as I scale out my network.
    I am running Suricata and pfBlockerNG but sometimes feel overwhelmed with all the activity - your other videos have been very helpful Tom.
    Again, many thanks

  • @mysticsilent
    @mysticsilent 2 years ago +11

    Nice video, this confirms my same thought about securing my own home network the same way. Thanks for your great content and best wishes for 2022!

  • @sriran1588
    @sriran1588 2 years ago +2

    Most awaited video, especially after the pandemic where most of us started WFH. Watching your videos I have set up a home-brew pfsense box and UAP AC Pro with multiple WiFi VLANs for IoT, Work, Study and Guest. This video will help us fine-tune the rules.

  • @Dreamshadow1977
    @Dreamshadow1977 2 years ago +1

    Thank you for this. Was struggling with configuring pfsense because my only firewall experience was with corporate firewall software. Seeing your rule configuration just made it click!

  • @ag100pct
    @ag100pct 2 years ago +6

    Another excellent video. I like how you covered your segmentation and the rationale behind it also. I picked up a few things just in how you used all the aliases to make life easier. Thank you for sharing.

  • @TumescentPuma
    @TumescentPuma 2 years ago +1

    Very big "doh" moment seeing your Separator with Documentation WAN rules. I have been using pfSense for about 6 years and never thought of this.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +2

      We use them a lot with larger, more complex firewall configurations.

  • @HHX_H
    @HHX_H 2 years ago +4

    Thank you for updating this!!! Absolute pfSense guru!

  • @Phelper99
    @Phelper99 2 years ago +1

    Imagine at work if your entire desktop support and IT support infrastructure went away. That's what will happen when I spontaneously combust. My poor wife and kids, my servers, my vlans, my homeassistant, my smart home... I love the hobby, tinkering with all this stuff, but at middle age, I do seriously wonder what will happen to it all when I'm gone. I spent months getting my Sh1+ out of the cloud, mostly hosted locally. Hope I can teach my kids how it all works. Not meant to be morbid or anything, but something I am cognizant of.
    Tom, thanks for these videos. I learned on M. Furneaux's videos, and you've kept me current since. Thanks so much.
    Edit: I'm sure they'll recover. They'll have it all hosted on Amazon in the cloud :)

  • @wernerdebijl1885
    @wernerdebijl1885 2 years ago +1

    Love that you picked up this pfsense series with more interesting videos. Keep 'em coming. Thanks

  • @vitorhugobarbosa2456
    @vitorhugobarbosa2456 8 months ago

    Hi Lawrence, you are a reference abroad for me; your knowledge is precious, and especially the fact that you explain things easily and right to the point.

  • @turcoscorner
    @turcoscorner 2 years ago +2

    Tom, you can set up the Synology NAS to act as an NTP server, and configure the cameras to use the Synology for NTP. That's how I have set it up for customers and at my house.
    Thank you for your videos btw!

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      Yes, that is correct, but I chose to use pfsense instead.

  • @davidbrowningCodeMix
    @davidbrowningCodeMix 2 years ago +1

    Hi Tom,
    I was way overthinking this!
    Thanks so much for freeing my mind.

  • @SyberPrepper
    @SyberPrepper 2 years ago +5

    Excellent video Tom. This information is very appreciated. I would love to hear more about you binding your admin interfaces. I didn't really understand how you do that. Thanks!

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +3

      That is done on a per device basis, I will be making one on Synology soon because they have a more complex way of doing it.

    • @SyberPrepper
      @SyberPrepper 2 years ago

      @LAWRENCESYSTEMS That would be great. I'll do some research myself as well. Sometimes it's hard to know what question to ask, so your videos are very helpful.

    • @mynightoff
      @mynightoff 2 years ago

      @LAWRENCESYSTEMS Great video Tom - I have a similar set up to the one you described and had the same question about Synology admin interfaces (want to make Plex available to IoT but not the admin interfaces of course). Many thanks for what you're doing.

  • @LBCAndrew
    @LBCAndrew 2 years ago +1

    This is exactly what I've been needing. After being fed up with crappy consumer-grade routers, I first looked into running OpenWRT on x86 hardware when someone mentioned to look at pfSense. I've been running it for two weeks now on a preliminary hardware build and have been both pleased and overwhelmed by its ability and complexity. I've got a Lenovo M900 Tiny coming tomorrow which I'll be modifying to use a second NIC, and this video will come in handy.

    • @jaxwylde2139
      @jaxwylde2139 2 years ago +1

      Is there a slot for a second Ethernet NIC on the M900 Tiny, or will you be doing this via USB 3.0 NIC? I've got a similar tiny PC (HP EliteDesk 800 G2 mini), where I use a Proxmox server (to play around with Docker, LXC's, VM's, etc.). Was considering getting another mini PC, but need one that has option for 2 ethernet NICs. Cheers!!

    • @clintbishop9145
      @clintbishop9145 2 years ago

      @jaxwylde2139 I think you're overthinking the situation. Pick up a refurb'd Dell or HP SFF with an i5-4590, add in 4 or 8 GB and a 4-port NIC and then enable PowerD once installed.

    • @jaxwylde2139
      @jaxwylde2139 2 years ago +2

      @clintbishop9145 I'm not overthinking it. Depends on what you're after. I already have a Dell SFF (790), but wanted something smaller with lower power consumption (that isn't an RPi) and is more versatile than one of those dual-NIC Chinese mini PC boxes. I'll look a bit more into PowerD (haven't used it before) to see if it will provide the lower power usage I'm looking for.

  • @KegRaider
    @KegRaider a year ago +1

    Under-rated and under subscribed channel. Fixed that for myself! Liked and subscribed, looking forward to binge watching your stuff. Cheers mate.

  • @scbtripwire
    @scbtripwire 2 years ago +2

    I recently bought myself an SG-2100, quite happy so far. 🙂 I realized when setting it up that I don't need to bog it down with Snort or Suricata if all I'm doing is blocking, so pfBlockerNG has been good enough for me. 🙂 My connection seems a bit slower than it used to be though, at least when establishing connections, but I'm guessing that's pfBlockerNG doing its job.

    • @IndianaDiy
      @IndianaDiy 2 years ago

      I was looking at getting the 2100 for my home office network. I was curious how good they really are? Any hardware failures?

  • @Spfinator
    @Spfinator 2 years ago +1

    Well, I now have work to do. Thanks, Tom!

  • @Deraco1
    @Deraco1 2 years ago

    Always like your videos. I created some test phone servers and decided they were best on their own network. Happy that I did, especially when I was wanting to do some port forwards (I know, not the best) to call my phone system from anywhere. Now I've got OpenVPN set up and am toying with it. You're one of the main guys that got me looking more into pfSense coming from an EdgeRouter-X, loving it

  • @pgtt2008
    @pgtt2008 2 years ago

    I never thought of a Phone as an IoT device but I see your point.

  • @JeppoTheWrecker
    @JeppoTheWrecker 2 years ago +15

    Hi Tom, I would be interested in a video on your Synology setup you mentioned. I currently have my Synology on the trusted network, but would like to have the video and music content available on the IoT network. I have set up a Netgate and UniFi network using your videos, but the Synology side would be helpful as well. Steven

  • @hnguk
    @hnguk 2 years ago +18

    Interesting that you put the IoT, Guest and standard home devices on the same network. For my setup I have IoT on its own network with very limited connectivity and QoS set up so that it can't use all my bandwidth.

    • @GrishTech
      @GrishTech 2 years ago

      Do you use limiters or ALTQ?

    • @samsampier7147
      @samsampier7147 2 years ago

      Ubiquiti wireless is really nice. You can create bandwidth limits on each ssid no qos required.

    • @GrishTech
      @GrishTech 2 years ago

      @samsampier7147 What if you want dynamic QoS? Being able to provide bandwidth when it's available instead of limiting it to a fixed number?

    • @hnguk
      @hnguk 2 years ago +1

      @GrishTech For the IoT network specifically I use limiters as I never want it to saturate my whole network. 50 down and 3 up. 10% of my provided speed.

    • @hnguk
      @hnguk 2 years ago

      @samsampier7147 That's great for wireless but does not limit wired

  • @gregsh303
    @gregsh303 2 years ago +1

    Great content but just a warning about Wemo light switches and the block firewall rule Tom mentions. You must enable ICMP to your firewall in order for your Wemo Light Switches to stop flashing red. Thanks!

  • @devopshelper
    @devopshelper a year ago

    I'm a fan of pfsense, hands down the best in the industry.
    You can use it in ISPs, IXPs, and simple home networks, but for a home network, the Sophos home edition is also a nice piece

  • @BillyDickson
    @BillyDickson 2 years ago +1

    Thanks Tom, great video, looking forward to more in 2021.

  • @jamesbelding2950
    @jamesbelding2950 2 years ago +1

    This was great. I would love to see this using Untangle

  • @DrewMarshall0750
    @DrewMarshall0750 2 years ago

    Thanks for another great video! It helped me settle some things I was mulling over with my current setup!

  • @MichaelSmith-fg8xh
    @MichaelSmith-fg8xh 2 years ago +5

    Is it better to have firewall rules like:
    Tom: specific block rule, anything else is allowed
    Suggestion: specific rule to allow, deny anything else (that wasn't caught by a previous rule)

  • @TulioCamargo179
    @TulioCamargo179 2 years ago +1

    This is all in my to-do-list hehe. Great video Tom.

  • @mikescott4008
    @mikescott4008 2 years ago +1

    Many thanks. Looking to review pfsense again as an alternative to Untangle / Sophos XG.

  • @susugar3338
    @susugar3338 2 years ago +1

    I really recommend that you should have a home firewall. I already set up a pfsense router after Hikvision's camera exploit. Hardware to run pfsense is very cheap and popular.
    If you want to know about my setup, here are some details:
    I bought an old ITX mainboard (for just $35) that has:
    dual gigabit Ethernet ports: just enough
    CPU Atom D2550, 2 cores 1.86 GHz, 4 threads: it's OK for an internet connection below 500 Mbps!
    RAM 2 GB DDR3: in fact it just uses 16%.
    Configuration: firewall blocks all connections from access points, IP cameras and DVR to the Internet (I don't want them to become part of a botnet or expose camera recordings to the internet), OpenVPN server for viewing cameras from the internet, opening 2 ports for OpenVPN and Home Assistant. Guest network is on the subnet of the ISP's router.
    If you think "the ISP's router also has a firewall..." NO, they are really bad, lack advanced configuration, never get firmware updates and God knows whether they are safe from the log4j exploit or something like that :)

  • @notta3d
    @notta3d 2 years ago +1

    Great video. I was hoping you would make a video like this. Thanks!

  • @iJamesGC
    @iJamesGC 2 years ago

    WOW! You are good! I was just looking at another video for setting up pfsense firewall rules.

  • @gegounaris
    @gegounaris 2 years ago

    Another to the point video from Lawrence! Great stuff... Thank you!

  • @RedBlueLabs
    @RedBlueLabs 2 years ago

    I really appreciate the content that you make. It is straightforward and you do a great job of explaining. Thanks :)

  • @TheInternalNet
    @TheInternalNet 2 years ago +2

    Long time viewer. This is the perfect video. Please expand on this. Part of the home lab series.

  • @musicinsession
    @musicinsession a year ago

    I love this guy's channel!! Subbed!!

  • @AngryDadTech
    @AngryDadTech 2 years ago

    This is a great video. I have a 6100 to play with and eventually replace my UDMP once I have it set up how I want it. This will be a great starting place.
    Was wondering if you would do either a forum post or video on expanding this to pfsense rules to use in a multi-tenant business center or SMB

  • @thorflea2
    @thorflea2 5 months ago

    I love your videos. My question is how to prevent devices like my refrigerator and TVs from scanning the network for other devices and information on the same interface.

  • @frankkesel7252
    @frankkesel7252 2 years ago +3

    It would have been nice to add a printer that needs to be accessed by the guest and work networks

  • @jimpanse6556
    @jimpanse6556 2 years ago +1

    Good sum-up, thanks a lot!
    How would you handle a home network PC that is gaming machine and admin PC for home and other family networks (external) at the same time?

  • @pstgh
    @pstgh 5 months ago

    Pretty cool setup- I guess you run separate switches and a separate wifi access point(s) connected to separate interfaces for each of these networks, right? I am running a Protectli 4-port box and have an interface designated for PIA in addition to WAN and LAN. Thanks.

  • @muchada1
    @muchada1 2 years ago

    Pure entertainment and informative 👏🏿👏🏿👏🏿

  • @ivantufa
    @ivantufa 11 months ago

    This is one of the best tutorials I have ever seen. Thanks a lot.
    I have two questions:
    1. How will the Synology do updates? Maybe I missed that part, sorry if that is the case,
    2. How your phones will sync/backup photos to Synology? Phones are on NSFW LAN and devices assigned to that interface cannot see CAMLAN. If I have this use case, what is best approach?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 11 months ago +1

      On the CAM LAN the Synology DOES have internet access, but the other devices do not. Creating an allow rule just for the phone being allowed to talk to the Synology would be a solution.

  • @ianjharris
    @ianjharris 2 years ago

    Just noticed that you use Signal to get business messages, hey that is pretty cool.

  • @chaostv3795
    @chaostv3795 a year ago

    This Video helped me a lot. Thank you

  • @geoncic
    @geoncic 2 years ago +3

    Great video and content, I've learned loads from you. I really appreciate it.
    Do you have any videos of how you manage the routing on the devices themselves? How you bind certain traffic to a specific interface?

    • @wernerdebijl1885
      @wernerdebijl1885 2 years ago +1

      I would love to see that too. Example configuring Synology etc.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      Each device has their own way of doing it.

  • @rkhanso
    @rkhanso 2 years ago +1

    Tom, would you make a video like this for Untangle? I know the theory would be pretty much the same, but it may be helpful for many using Untangle.

  • @ChristopherDopp
    @ChristopherDopp 2 years ago +1

    Thanks Tom!

  • @mrcrackerist
    @mrcrackerist 2 years ago

    I generally split the WiFi, cable and TV onto their own LANs as I am the only one using the cable LAN.

  • @PowerUsr1
    @PowerUsr1 2 years ago

    Just to add to this, at the end of my rules for my Wifi network or DMZ network I have a deny any to destination 'RFC1918'. RFC1918 is an alias that has all 3x private networks in there. I do have a mixture of denies mixed in with my permits so this is really just a catch all. Then the last rule in my policy is a permit any/any.

  • @jasonperry6046
    @jasonperry6046 2 years ago +1

    Thanks for the video Tom.
    Every time I watch a video like this it always seems to be on a Dream Machine, and every time I think I wish someone would do one on pfsense, so thank you. My question though: do you have a different SSID for each VLAN?
    Also you mentioned locking down the admin interfaces, I would be interested in seeing the steps you go through to make sure it is locked down.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      Yes, separate SSID and simply pinging from each network to see if it can hit other networks.
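Tom's check above is to ping across networks. As an added example (not the video's own method, and not pfSense code), the script below turns that check into a written expectation for one segment and probes each row over TCP, so a rule change that silently opens a path shows up as a failed row instead of going unnoticed. The hosts, ports and expected outcomes are assumptions standing in for your own design document.

```python
"""Segmentation check: probe from one network, compare against the intended
policy. Added example; hosts, ports and expectations are assumptions."""
import socket

# Rows: (what, host, TCP port, expected). This matrix is meant to be run
# from a host sitting on NSFW_LAN; each segment gets its own matrix.
EXPECTED_FROM_NSFW_LAN = [
    ("DNS on the NSFW_LAN gateway",    "192.168.20.1",  53,   "open"),
    ("pfSense web GUI on the gateway", "192.168.20.1",  443,  "blocked"),
    ("pfSense SSH on the gateway",     "192.168.20.1",  22,   "blocked"),
    ("Synology DSM on CAM_LAN",        "192.168.30.20", 5001, "blocked"),
    ("Trusted-LAN workstation (SMB)",  "192.168.10.10", 445,  "blocked"),
    ("Internet over HTTPS",            "1.1.1.1",       443,  "open"),
]


def tcp_probe(host, port, timeout=2.0):
    """'open' if a TCP handshake completes, otherwise 'blocked'.

    A closed port on a live host and a firewall drop both come back as
    'blocked'; a pfSense 'reject' rule fails fast, a 'block' rule waits
    for the timeout, which is a useful hint when a row misbehaves."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:
        return "blocked"


def check(matrix, probe=tcp_probe):
    """Run every row; return (what, expected, observed, ok) tuples."""
    rows = []
    for what, host, port, expected in matrix:
        observed = probe(host, port)
        rows.append((what, expected, observed, observed == expected))
    return rows


def failures(matrix, probe=tcp_probe):
    """Rows where reality disagrees with the design; empty means the segment
    behaves as documented."""
    return [row for row in check(matrix, probe) if not row[3]]


if __name__ == "__main__":
    for what, expected, observed, ok in check(EXPECTED_FROM_NSFW_LAN):
        print(f"{'OK ' if ok else 'BAD'} {what}: expected {expected}, got {observed}")
```

Run it from a host on each segment with that segment's own matrix, and add an ICMP check alongside if your rules treat ICMP differently from TCP (the Wemo note earlier in the thread is a reminder that some devices need it). A row that is expected "blocked" only proves something when the target really listens on that port, since a host with no listener returns the same result as a firewall drop.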

  • @michaelp.caputo8190
    @michaelp.caputo8190 2 years ago

    Another great video. Since this was a home network setup, where would you put the other family members' PCs, and also what if you have cloud-based cameras like Wyze? They would need internet access

  • @21Lettere
    @21Lettere 2 years ago +3

    Please, a tutorial on IPv6.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      Maybe one day when I use IPv6, but I don't use it now so not anytime soon.

    • @Darkk6969
      @Darkk6969 2 years ago +1

      IPv6 is not fun to deal with for internal network. IPv4 is perfectly fine for internal use. So it may make sense to also enable IPv6 on the WAN port along with IPv4 to make use of the dual stack. It gets a bit tricky to work nicely in pfSense.

  • @mr.needmoremhz4148
    @mr.needmoremhz4148 2 years ago +1

    Great video! I'm going to get pfSense and a Netgate box probably (or build something). Fibre to the home has finally arrived where I live with symmetric Gigabit and 10 Gigabit (later) speeds. So I might as well upgrade my router and configure my switches and APs for it. I have a Netgear select partnered retailer in the street I live on and with a future SOHO in mind this may be the best option. Any advice regarding Netgate appliances (6100 or 1537 or ...)?

  • @daninmanchester
    @daninmanchester 2 years ago

    Interesting, I have a slightly different approach.
    I put my cameras in my IoT network (which has no internet) and then have a "requires internet" alias for specific devices that I allow internet access (e.g. TV, Roku, etc.). I find this easier as then I have a separate SSID / VLAN for guests and anyone who gets the password can then just access the internet and nothing else, and it requires little to no management.
    I am however routing over pfSense for everything. It's not too taxing (even SMB easily hits 1Gig) but I think I need to add VLANs to my XCP-NG servers so I can create multiple interfaces like you have for the Synology to avoid unnecessary pfSense traffic. It would likely only be an issue if I went to 10Gb .... which would be a nice problem to have.

  • @dariantel
    @dariantel 2 years ago

    You can almost think Tom has set up pfSense before :P Speedy video but great content. Less is more.

  • @Dwenger
    @Dwenger 2 years ago +1

    I like your security concept. How would you reach a Ubiquiti Cloud Key with cams connected in the cam LAN with the UniFi Protect app from the NSFW_LAN? The UniFi Protect app scans only its own subnet.

    • @danberglund7785
      @danberglund7785 2 years ago

      Tom is talking about running the cam server on a Synology (Surveillance Station). Therefore he can have one interface of the Synology in the cam LAN. If you were to run UniFi cameras on the cam LAN and have Protect run on NSFW_LAN you would need to open the firewall to the specific IP address of the Cloud Key. If you adopt the cameras in the NSFW_LAN and then move them to the cam LAN they will get correct IP addresses in the cam LAN and still be found by Protect.

  • @nonkelsue
    @nonkelsue 2 years ago

    Great video, thanks! Would love to know more on how you combine pfSense with a UniFi Controller such as a UDM Pro. I have been using pfSense in the past, and am now using the UDM Pro as router, however I would like to reverse that without losing the UDM Pro in my network. A video on that would be appreciated!

    • @Cole987Turner
      @Cole987Turner a year ago

      Just create new networks and use "VLAN only" so these are networks where the "router" inside the UDM is not involved. But keep in mind that the UniFi access points can only forward "UDM"-routed networks OR VLAN-only networks. Not both.
      Just for a test: choose an AP, remove all associated networks from it. Select a VLAN-only network and create a new switch profile with it! Make sure that only tagged networks are selected. Assign that network to your access point and assign the "only tagged" switch profile on the SWITCH pointing to your pfSense. Create that VLAN in pfSense, assign the interface, enable the DHCP server, make rules. Done :)

  • @chrisbaksa
    @chrisbaksa 2 years ago

    Great video Tom. I always learn something new whenever I watch one of your Videos. Question do you have any issues with pfSense and wi-fi calling (from your cell)?

  • @richardk186
    @richardk186 a year ago

    Would you consider a video detailing the connections and network configurations with your Synology NAS to your private and NSFW networks?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS a year ago +1

      Already have that czcams.com/video/A1I1k9Nct-A/video.html

  • @houseeverything
    @houseeverything 2 years ago

    I would sure love to know how to set up a rule from OpenVPN to my Emby server! I am assuming I am missing a port forward from 1194 to 8096. My OpenVPN works great and I can connect to my NAS and everything, but cannot connect to my Emby server! Love your videos by the way!

  • @Cowclops
    @Cowclops 2 years ago

    Not identical, but your setup is surprisingly similar to my home network (pfsense, TrueNAS, most stuff goes on the "IoT" network, but my personal desktop and server/management interfaces are on a separate network). I also have my OpenVPN subnet which you land on when you VPN in; it basically has open access, but since it needs authentication that's OK.

  • @dimaj1
    @dimaj1 2 years ago +2

    Yet another awesome video! Thanks Tom!
    One question: why would you have the same "block access to firewall" on all interfaces instead of creating a floating rule that'll cover all interfaces?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      The use of inbound and outbound floating filtering makes designing the rules more complex and prone to user error.
      docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html

    • @dimaj1
      @dimaj1 2 years ago

      Thanks!
      Happy New Year!

  • @firmanagus7241
    @firmanagus7241 4 months ago

    Sir, how do I direct the speedtest on Multiwan to a specific ISP?

  • @bimsbarkas
    @bimsbarkas 2 years ago

    Speaking as a network engineer, too many block rules, weird choice of subnet ip ranges, not a fan. Positive is that there is network separation at all, which is not a given even in corporate contexts.
    But then, there's surprisingly little guidance on this topic out there.

  • @cdm297
    @cdm297 2 years ago

    Excellent Video 🙂

  • @ChristianMcDonald
    @ChristianMcDonald 2 years ago +1

    Nice!

    • @muchada1
      @muchada1 2 years ago

      I know OpenVPN will drop the connection if the connecting device does not have the correct TLS key. Does WireGuard behave the same way if the public 🔑 does not match?

  • @CHLEE-ou6ub
    @CHLEE-ou6ub 2 years ago +2

    Great Video Tom
    Quick question @9:15 if I may,
    since we are inside "NSFW_LAN" Rules, is it necessary to specify "Source=NSFW_LAN" for this Block rule? or we can leave it as "Source= *" ?
    Thank you Tom, and an advance Happy New Year

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +4

      There is a difference in specific use cases www.reddit.com/r/PFSENSE/comments/rn0nej/firewall_rules_source_ip_any_vs_interface_name_net/
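The question just above (source "NSFW_LAN net" versus "any"), @marcvasey2123's RFC1918-alias suggestion, @PowerUsr1's catch-all deny and @MichaelSmith-fg8xh's block-specific versus allow-specific question all come down to how first-match rules behave. The following is an added example, not code from the video or from pfSense: a small evaluator that mimics top-to-bottom, first-match interface rules with the implicit default deny, and runs the two rule styles (plus a "source any" variant) against the same flows. Subnets, alias contents and the rule sets themselves are assumptions made for illustration.

```python
"""First-match rule evaluation for the two styles discussed in this thread.

Added example, not pfSense code. Models only what the thread is about:
rules on one interface tab evaluated top to bottom, first match wins,
implicit block at the end. Addressing and aliases are assumptions."""
import ipaddress

ANY = "any"

# Alias as suggested in the thread: the three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed home segments (illustrative addressing, not the video's).
NSFW_LAN = ipaddress.ip_network("192.168.20.0/24")
NSFW_ADDR = ipaddress.ip_network("192.168.20.1/32")   # "NSFW_LAN address": DNS/NTP on pfSense
TRUSTED_LAN = ipaddress.ip_network("192.168.10.0/24")
CAM_LAN = ipaddress.ip_network("192.168.30.0/24")
NEW_VLAN = ipaddress.ip_network("192.168.40.0/24")    # added later; rules never updated


class Rule:
    """One interface rule: action, source spec, destination spec, and the
    optional 'Invert match' on the destination (pfSense's checkbox)."""
    def __init__(self, action, src, dst, dst_invert=False):
        self.action, self.src, self.dst, self.dst_invert = action, src, dst, dst_invert


def _matches(addr, spec):
    if isinstance(spec, str):          # ANY
        return True
    nets = spec if isinstance(spec, list) else [spec]
    return any(addr in n for n in nets)


def evaluate(rules, src, dst):
    """Action of the first matching rule, or 'block' (pfSense default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if not _matches(src, r.src):
            continue
        hit = _matches(dst, r.dst)
        if r.dst_invert:
            hit = not hit
        if hit:
            return r.action
    return "block"


# Style A: block each other segment explicitly, then allow everything.
STYLE_A = [
    Rule("pass", NSFW_LAN, NSFW_ADDR),
    Rule("block", NSFW_LAN, TRUSTED_LAN),
    Rule("block", NSFW_LAN, CAM_LAN),
    Rule("pass", NSFW_LAN, ANY),
]

# Style B: allow DNS/NTP to the interface address, then allow only to
# non-private destinations; everything else falls to the default deny.
STYLE_B = [
    Rule("pass", NSFW_LAN, NSFW_ADDR),
    Rule("pass", NSFW_LAN, RFC1918, dst_invert=True),
]

# Style B with source "any" instead of "NSFW_LAN net": also matches packets
# arriving on the interface whose source is outside the interface subnet
# (spoofed, or a subnet routed behind a downstream router).
STYLE_B_SRC_ANY = [
    Rule("pass", ANY, NSFW_ADDR),
    Rule("pass", ANY, RFC1918, dst_invert=True),
]


def compare(src, dst):
    """Return (style A action, style B action) for one flow."""
    return evaluate(STYLE_A, src, dst), evaluate(STYLE_B, src, dst)


if __name__ == "__main__":
    for label, dst in (("internet", "1.1.1.1"), ("CAM_LAN", "192.168.30.20"),
                       ("gateway DNS", "192.168.20.1"), ("NEW_VLAN", "192.168.40.7")):
        a, b = compare("192.168.20.50", dst)
        print(f"{label:12} style A: {a:5}  style B: {b}")
```

The NEW_VLAN row is the whole argument: style A passes traffic to a segment nobody wrote a block rule for, style B blocks it. In pfSense terms style B is two rules on the NSFW_LAN tab, one to "NSFW_LAN address" for the DNS/NTP ports and one with the RFC1918 alias as destination and "Invert match" ticked; since anything outside the alias is allowed, put every internal range you route (VPN tunnel networks, for instance) into that alias. The last two flows show why "NSFW_LAN net" rather than "any" matters as the source: with "any", a packet arriving on the interface with a foreign source address still matches.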

  • @hwansu_
    @hwansu_ 2 years ago +1

    Super informative video, thank you! Curious about your thoughts on notifications for cameras? If there's movement or something, would you still get notified if you're out of the house? Would love to learn more about the Synology rules you have set up as well. Thank you!

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +2

      The Synology does the notifications czcams.com/video/x-Ju4UM0Gfg/video.html

    • @BrianThomas
      @BrianThomas 2 years ago

      @LAWRENCESYSTEMS What if you don't have a Synology? What if it's a Reolink NVR? Would the same thing apply?

  • @LeeSteventon
    @LeeSteventon 2 years ago +1

    @Lawrence Systems - great video as always Tom. A quick question on ISP modems and Bridging - if an ISP offers to provide their modem in bridging mode, it's my understanding that this essentially "disables" all NAT and firewall functions on the modem and it just passes through without any checks the public IP address. Is that correct? If so, then connecting this bridged modem to a port of a Netgate device would mean that the public IP (assume for this discussion it's a static one) is directly applied to the port (configured then as WAN) on the Netgate device, and the Netgate device now needs to handle the NATting and all other functions that the modem would usually handle. Is that right?

  • @davidhenzler4817
    @davidhenzler4817 2 years ago

    Would you consider doing a video on pfSense email filters. I have enabled one, but don't see any changes. Like your videos, you do what you love.

  • @sshoebeat
    @sshoebeat 11 months ago

    The first part of the setup, when first getting to the configuration wizard for the basic connection with the modem/router. You didn't cover that part.

  • @danvining2186
    @danvining2186 2 years ago

    I’d like to see a critique on Firewalla Gold.

  • @davidnickel3949
    @davidnickel3949 a year ago

    OK; what about cameras like Wyze cams and firmware updates

  • @samo9288
    @samo9288 2 years ago

    Could you please do a tutorial on binding interfaces the way you did with the Synology server?

  • @tg9754
    @tg9754 a year ago

    Great video. Do you have a newer video that includes making pfSense more secure for a small business?

  • @HenrickSteele
    @HenrickSteele 4 months ago

    You skipped the PIA_VPN. Would love to see what/how you route out through the VPN.
    I'm not sure if you have a video about it already but would love to learn about how to join networks across sites. I have 3-4 locations with devices that I want to communicate more directly. I was planning a Wireguard connection between each of them. Not sure if there is a better way.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 months ago

      Wireguard is fine for site to site, Tailscale is easier for it.

  • @luckbeforeleap
    @luckbeforeleap 2 years ago

    Hey Tom, I don't think you need any rules on your "CAMLAN net"? The devices on the CAMLAN network will reach the pfSense CAMLAN interface and grab DHCP/NTP without needing your allow rule. Also, you can delete the CAMLAN rule that's denying access to "This Firewall" (the implicit deny rule will prevent cameras talking to "This Firewall").
    Also at the moment your guests (on NSFW network) can reach the pfSense box's non-admin ports and access any non-admin services running on the pfSense. You might want to limit guest access to "This Firewall" entirely.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      Incorrect, if you don't allow access to "CAMLAN Address" then NTP is not available. Guests & devices on NSFW_LAN use DNS on my pfsense.

  • @christostsekas8795
    @christostsekas8795 2 years ago

    Hello Tom! Thank you for your great content! What would be the best method to block AnyDesk, TeamViewer & other remote access apps using pfsense?

  • @YehudaKatz1
    @YehudaKatz1 2 years ago

    It is technically possible for the cameras to exfiltrate some data through DNS - there are botnets that use DNS for C&C too. Probably not a major issue since the cameras can't get to anything else, but still technically possible.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      Yeah, I consider that to be a really low risk factor because even if they did pull down some C&C they can't leave their network.
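On the DNS-as-a-covert-channel point above: when the cameras' only path out is the resolver on pfSense, the thing worth watching is what they ask it. The detector below is an added example, not code from the video or from pfSense. It scores query patterns per source and domain (many distinct subdomains, long high-entropy leftmost labels, TXT-style record types) over log lines constructed here in roughly the shape of Unbound's query log; the thresholds are assumptions to tune against your own traffic.

```python
"""Spotting DNS-tunnel style queries from a segment whose only way out is
the firewall's resolver. Added example; sample lines are constructed and
loosely follow Unbound's query log (pfSense's resolver with query logging
on); thresholds are assumptions."""
import hashlib
import math
import re
from collections import defaultdict

# An Unbound query-log line looks roughly like:
#   ... unbound[pid]: [pid:0] info: <client ip> <qname>. <qtype> IN
LOG_RE = re.compile(
    r"info: (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<qname>\S+)\. (?P<qtype>[A-Z0-9]+) IN")


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(lines, min_unique=20, min_entropy=3.0, min_label_len=16):
    """Return one finding per (source, domain) whose queries look tunnel-like.

    Signals combined: many distinct subdomains under one domain, long
    leftmost labels, high per-label entropy (hex/base32 payloads)."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "lens": [], "n": 0, "txt": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, qname, qtype = m.group("src"), m.group("qname").lower(), m.group("qtype")
        dom = registered_domain(qname)
        st = stats[(src, dom)]
        st["n"] += 1
        if qtype in ("TXT", "NULL", "MX", "CNAME"):   # types tunnels favour for replies
            st["txt"] += 1
        if qname != dom:
            prefix = qname[: -(len(dom) + 1)]         # everything left of the domain
            first = prefix.split(".")[0]             # leftmost label carries the payload
            st["subs"].add(prefix)
            st["ent"].append(shannon_entropy(first))
            st["lens"].append(len(first))
    findings = []
    for (src, dom), st in stats.items():
        if len(st["subs"]) < min_unique:
            continue
        mean_ent = sum(st["ent"]) / len(st["ent"])
        mean_len = sum(st["lens"]) / len(st["lens"])
        if mean_ent >= min_entropy and mean_len >= min_label_len:
            findings.append({"src": src, "domain": dom, "queries": st["n"],
                             "unique_subdomains": len(st["subs"]),
                             "mean_entropy": round(mean_ent, 2),
                             "mean_label_len": round(mean_len, 1),
                             "txt_like": st["txt"]})
    return findings


def build_sample():
    """Constructed log lines: one camera doing ordinary lookups, and one host
    pushing hex-encoded chunks out as subdomains of an attacker-style domain."""
    fmt = "Jan  2 10:00:{s:02d} pfSense unbound[1234]: [1234:0] info: {src} {q}. {t} IN"
    lines = [fmt.format(s=i, src="192.168.30.10", q=q, t="A")
             for i, q in enumerate(["time.example.com", "ntp.example.com",
                                    "api.example.com", "www.example.com"])]
    for i in range(30):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:50]
        lines.append(fmt.format(s=i % 60, src="192.168.30.12",
                                q=f"{chunk}.x.exfil-example.net", t="TXT"))
    return lines


if __name__ == "__main__":
    for f in analyze(build_sample()):
        print(f)
```

Unbound only writes these lines when query logging is enabled, and a camera fetching its NTP or firmware hosts will look nothing like the flagged row, so feed the detector a window of log rather than single lines and calibrate `min_unique` and the entropy floor against a day of your own traffic before acting on a hit. Blocking outbound 53 to anything but the firewall, as the video does, is what makes this one resolver the only place that needs watching.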

  • @visghost
    @visghost 10 months ago

    and where did you get the firewall_Service_port port from ?

  • @davejoseph5615
    @davejoseph5615 a year ago

    Why don't we need to allow any IPv6 traffic if they have indeed run out of IPv4 addresses?

  • @DavidCNavas
    @DavidCNavas 2 years ago

    Security was never my thing -- the first job I ever turned down was in security :| Is it really better to hard-connect an interface of your NAS to your iot network rather than going through the trouble of configuring pimd (dlna/sonos/whatever?) and avahi(mdns/chromecast?) and figuring out how to properly lock down multicast? I admit to having gone back and forth on this one, but the security environment around my particular nas brand isn't making me feel particularly safe about using it to lock down access by app....

  • @satstube
    @satstube Před rokem

    So how does one easily monitor an external camera when away from the home.. without having to VPN each time ..🤔

  • @superdoug213
    @superdoug213 Před 2 lety +3

    Great vid thanks Tom! You mentioned Plex server in the beginning but I didn’t see any further reference to it. Don’t you need to have a port open for that? Or is it only local.
    If you have an open port for Plex, what rules could you apply to mitigate the open port?

  • @thejjjwils
    @thejjjwils Před 2 lety

    I've not worked out what it is but for me NFS shares on different subnets to my Synology NAS don't work very well (they hang) so I have to make sure my NFS clients sit on the same subnet. I'm not sure if it's Synology, NFS, or pfSense - the simple solution was to avoid it.

  • @McCuneWindandSolar
    @McCuneWindandSolar Před 2 lety

    Glad you did this video. Because that is the one thing I have not done yet is set up pfsense. I have security cameras, and want to put all those on a completely separate network, where they don't have access to the outside world at all other than the video server being the only thing that can see them, and then I can create rules so I can see the security cameras outside of the network or in, etc. I also have Google crap also which I'm getting rid of and going back to just lights without the smart since I can't assign my own network for them and the Google stuff. Wish Google would let me create my own cloud for my smart devices, and when Google needs Internet for all other questions it will have that access. I don't want it to have to have the Internet just to turn on a light, or control HVAC, etc. I know they have Home Assistant and you can I think hack the Google stuff to work with Home Assistant. I just don't like not being able to control my devices without having to rely on the cloud.

  • @JasonsLabVideos
    @JasonsLabVideos Před 2 lety +2

    HEY! you can't do that, You can't put a picture of a 6100 in your video and not show us this piece of awesome gear !! Good video sir !

    • @viaujoc
      @viaujoc Před 2 lety +2

      Tom did another video reviewing the Netgate 6100 a few months ago.

    • @JasonsLabVideos
      @JasonsLabVideos Před 2 lety

      @@viaujoc Yes I know! But he needed to show that sexy piece of hardware in this one too!! I almost bought a 6100..

    • @viaujoc
      @viaujoc Před 2 lety

      @@JasonsLabVideos Sorry, I thought you missed that video. It is indeed a very sexy device. 😉 I am confused about Tom's home device. In a previous video, he said that he had a SG-1100 at home. But in this video, he is showing pfSense CE, not pfSense Plus which runs on Netgate's devices. Maybe Tom is actually showing a demo configuration based on his home config but with slight changes in order to avoid exposing his real configuration.

    • @JasonsLabVideos
      @JasonsLabVideos Před 2 lety +2

      @@viaujoc I'm sure he is like me with my videos, he doesn't show anything for work & his personal on any videos. All it takes is one simple slip up and stuff could happen. Tom's very smart and does a good job at his videos :)

  • @renalshomlmes338
    @renalshomlmes338 Před 2 lety +1

    So since your cameras are on a separate segment without internet, you are not interested in any kind of alarm notifications?

  • @dabneyoffermein595
    @dabneyoffermein595 Před měsícem

    Are the various networks (NSFW_LAN), (LTS_TOM), (CAMLAN) set up as VLANs or are they physical NIC cards in the firewall appliance (or computer)? Thanks so much !!! I realize you might be virtual as well, so just let me know: if I have an actual appliance or computer, would I need 4 physical NICs in the case of your home network? 1 for the WAN port and 3 for the above segregated networks.

  • @evancatlin1839
    @evancatlin1839 Před 2 lety

    Do you have a video showing this same information but for UDM or UDMP?
    I’m running a UDM at home and would love to know how someone who lives in that world would set them up.

  • @TheInsanish
    @TheInsanish Před 2 lety

    Great video as usual Lawrence, but it raised me a few questions.
    - "Connection for Emby & Plex"
    - "Synology interface"
    - "Admin for devices"
    I guess that your NSFW_LAN can stream from Emby & Plex, and that's why you have the connection. But what is the servers' main subnet? And the same with the Synology.
    Just doesn't seem right to me, if EVERYTHING except cameras and your work PC is running on the IOT lan.... but also doesn't seem 100% secure (at least for what's expected from someone like you), that Plex, Emby and Synology should be using LTS_TOM for all purposes...

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  Před 2 lety

      Servers are on LTS_TOM and what is the threat you are trying to mitigate against by putting plex/emby on a different network?

    • @TheInsanish
      @TheInsanish Před 2 lety +1

      Thanks for clearing this out :)
      Well, nothing specific I guess. Nothing that I care about in my home network - but if the tinfoil fits, then everything is a suspect.
      I have done almost the exact same as you, except I didn't see phones as IoT - but you're right, they are. Maybe I should treat my kids' PCs as IoT as well. :D

  • @MrGAZZAband
    @MrGAZZAband Před 2 lety

    Hi Lawrence this was a great video and very helpful. I have just set up the latest version of pfsense in my home using a custom built PC and am playing with rules, schedules, OpenVPN etc.
    I have a specific question about content filtering especially for mobile phones and tablets connected to wifi and also Amazon Echo devices. I want to be able to filter content, specifically Spotify, from playing adult content. I know I can block CZcams but is there any way I can still allow these streaming services but pfsense can detect if the content is of an adult nature and prevent this streaming?
    In other words I still want the kids to be able to access CZcams, Spotify etc. but be able to set a rule to make sure the content is not explicit.
    I hope that makes sense. Thanks