A small hint: it's good practice to reject packages instead of blocking them. Because if you block them, the session is kept open until the blocking timeout, whereas reject sends a reject package back immediately and closes the session.
Also, it is not necessary to set the DNS servers in the DHCP server as it takes the default servers set in the system page if they are to be used for the network too.
on the other hand, if you reject a packet instead of just dropping it, you confirm to the sender that there's actually something there at the IP address that the packet was sent to.
@@mrxmry3264 Yes, for the WAN interface, this would have some slight advantages (like a scanner does not know that there is a firewall). But that only holds true if no port is open at all. But for internal networks, reject is the way to go. It's better to get rid of packages as fast as possible so that you don't clog your network.
@@Tomahawk_55 That makes no sense. The text underneath even states: "Leave blank to use the system default DNS servers: The IP address of this firewall interface if DNS Resolver or Forwarder is enabled, otherwise the servers configured in General settings or those obtained dynamically."
Looks like Chris caught this in post: Note the message on the right side.
More information:
!RFC1918 is very different than RFC1918. That rule-set, due to the "invert match" button being checked at timestamp 31:30, would only allow access to the Local Network. Guest Users would hit this rule and it would block all "not RFC1918" (i.e. "Internet") traffic. All RFC1918 traffic would be allowed by the "Allow All" rule next in the rule-set. Checking the invert match button was a mistake. I kept expecting Dave or Chris to see the error, thinking it was going to be a well executed "teachable moment." Either 1. change the rule to allow and remove the "Allow All" rule below it OR 2. uncheck the invert match button. Glad the mistake was caught in post though! Great video!
This video is brilliant for new people like me that just discovered pfsense. Thank you very much
I bought a Netgate SG-4860 several years ago and it has _never_ gone down. It's an absolute beast of an appliance for a (relatively) large home network like mine, with over 75 IPs spanning 4 LANs. Sure, it wasn't a very cheap solution, but not having to buy new hardware every 2 years is worth it, imo.
Sidenote: Nice Compaq "draggable" at 5:00. I had one of those 30y ago 😀
Good video as a starter...JUST one of the MANY MANY reasons to never use Unifi as your router/firewall. This is a FABULOUS firewall router for the money. Hands down should be the go-to choice for home, small & medium size corporate environments not requiring overpriced Cisco, Palo Alto FWs. I've deployed lots and lots of this model and the older version of this model and also have it running in my home network. Only had 1 go down in 7 years, all others running 24-7 for years without a single issue. Netgate also offers less expensive versions with the SAME features...obviously capabilities are in line with the package.
I also add a firewall port alias that contains 22 & 443 to the admin. Then add a rule to block access to that alias, to ensure the guest network can not reach the firewall admin interface via SSH or 443.
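The two points raised in this thread, the "Invert match" mistake on the RFC1918 rule at 31:30 and the admin-port alias block from the comment above, come down to how pfSense evaluates interface rules: first match wins, and an inverted destination matches everything outside the alias. The following Python model is an added example, not code from the video, from Netgate, or from any commenter; the RFC1918 alias contents, the `admin_ports` alias and the guest interface address 192.168.50.1 are constructed assumptions, and the "as shown" ruleset reproduces only what the comments describe (an inverted RFC1918 block followed by an allow-all rule).

```python
import ipaddress
from dataclasses import dataclass

# Constructed network alias (assumption): the three RFC1918 ranges.
NET_ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
# Assumed pfSense guest interface address; guests send DNS here, and the
# firewall's own web UI / SSH would also answer on it.
GUEST_IF_ADDR = "192.168.50.1"


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    label: str                       # description shown in the rule list
    proto: str = "any"               # "any", "tcp" or "udp"
    dst: str = "any"                 # "any", an alias name, or a host/CIDR
    dports: frozenset = frozenset()  # empty = any destination port
    invert_dst: bool = False         # the "Invert match" checkbox


def dst_matches(rule: Rule, dst_ip: str) -> bool:
    """Destination test. With invert_dst set, the rule matches every
    destination that is NOT in the alias, which is what '!RFC1918' means."""
    if rule.dst == "any":
        hit = True
    else:
        nets = NET_ALIASES.get(rule.dst, [rule.dst])
        ip = ipaddress.ip_address(dst_ip)
        hit = any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != rule.invert_dst


def evaluate(rules, dst_ip, proto="tcp", dport=443):
    """pfSense interface rules are first-match; unmatched traffic is denied."""
    for rule in rules:
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dports and dport not in rule.dports:
            continue
        if not dst_matches(rule, dst_ip):
            continue
        return rule.action, rule.label
    return "block", "default deny"


# Guest ruleset as the comments describe it: Invert match ticked on the
# RFC1918 block, then allow all.
GUEST_AS_SHOWN = [
    Rule("block", "block !RFC1918 (invert ticked)", dst="RFC1918", invert_dst=True),
    Rule("pass", "allow all"),
]

# Corrected guest ruleset plus the admin-port hardening: DNS to the
# firewall allowed, 22/443 to the firewall blocked, the rest of RFC1918
# blocked, everything else (the internet) allowed.
GUEST_CORRECTED = [
    Rule("pass", "allow DNS to guest interface", proto="udp",
         dst=GUEST_IF_ADDR, dports=frozenset({53})),
    Rule("block", "block admin_ports to firewall", proto="tcp",
         dst=GUEST_IF_ADDR, dports=frozenset({22, 443})),
    Rule("block", "block RFC1918", dst="RFC1918"),
    Rule("pass", "allow all"),
]

# Constructed sample flows from a guest client: (destination, proto, port).
SAMPLE_FLOWS = [
    ("8.8.8.8", "tcp", 443),           # internet
    ("192.168.1.10", "tcp", 445),      # a host on the internal LAN
    (GUEST_IF_ADDR, "udp", 53),        # DNS to the firewall
    (GUEST_IF_ADDR, "tcp", 443),       # firewall web UI
]


def compare(flows=SAMPLE_FLOWS):
    """Return {flow: (verdict as shown, verdict corrected)} for each flow."""
    return {
        f: (evaluate(GUEST_AS_SHOWN, *f), evaluate(GUEST_CORRECTED, *f))
        for f in flows
    }


if __name__ == "__main__":
    for flow, (shown, fixed) in compare().items():
        print(f"{flow[0]:>15} {flow[1]}/{flow[2]:<4} as shown: {shown[0]:<5} "
              f"({shown[1]})  corrected: {fixed[0]:<5} ({fixed[1]})")
```

Running it shows the inverted rule doing the opposite of what was intended: internet traffic is blocked and the internal LAN host is reachable through "allow all". The corrected list blocks the LAN and the firewall's admin ports while still letting guests resolve DNS and reach the internet.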
I do not see many functions needed in a normal setup, and putting this in front of UniFi is a waste of money. The many rules and forwards are for somebody who wants to run VPN and NAS and other things with outside access; most don't do that.
There's no need to create a separate alias for RFC1918 most of the time. You can block those ranges directly from the Interface settings. There's a box called "Block private networks and loopback addresses" for that on the bottom of the page. I think David didn't mention it in the video.
I was just about to say this. LOL
That should only be used on the WAN interface like they discussed. When checked it blocks traffic sourced from rfc1918 addresses which wouldn't be useful in locking down the guest network.
False. This does not block inter-VLAN communication between the guest network and the LAN they setup.
Nice basic setup video. I'm certain I'll share this with folks on the forums quite often.
Awesome - please give us more wizard stuff from David!!
I'd love to see a video on how to pick the right Netgate appliance. Basically working through desired internet speed, snort and VPN impacts, ect.
Do yourself a favour and install pfSense on an older PC, throw in an Intel dual Gb NIC + 4-8GB RAM + 120GB or smaller SSD. With the Intel NICs you should not need much more than an i3, maybe even an upper-end Celeron. Worst case, 1x NIC is ok, provided that you have a smart switch / router that can be configured as a smart switch (aka VLAN-aware switch).
With Snort, RAM becomes NB.
@@zadekeys2194 Yes, that works and is cheap, but the problem is they use too much electricity and are not efficient at all.
Beautiful use of that Compaq very first Mobile computer!
Great video! It will help lots of our customers.
We love Netgate pfSense devices so much that we became Netgate partner in the UK
Great video! Im going to watch this a few times when my netgate gets there.
Oops, you accidentally checked Invert Match on your RFC 1918 rule. So the rule's logic is to block any traffic to NON RFC1918 alias addresses. You can see the exclamation point in front of your Alias in the rule list.
Yes - I put a note up in the screen about that mistake.
Timestamp 31:30 by the way
@@geraldh.8047 Glad you posted this note. I missed Chris's onscreen note.
When i saw LastPass popup, the memories came back. Man, it changed how i think.
Awesome video, especially for someone like me that wants to get started on pfsense. Thanks so much.
The network ports are all independent and are *NOT* switch ports. There is no switch backplane on the 4100 or 6100.
On the guest interface I would just create the bottom rule as «Allow all except RFC as destination», and above that rule «Allow UDP connection DNS to guest network address». The rule you created also exposes the web interface for pfSense to your guests.
Also it exposes ssh but that's not a problem assuming it's set to require a keypair or outright disabled (which I think it is by default)
@@ikkuranus ssh is disabled by default if I am not mistaken.
This is the way
this is a great video thanks a lot guys
Brilliant video and very well explained.....👍
Thanks for the vid, still playing with the thought of switching out my USG for PfSense… hmmm what to do…
16:47 Yeah, I'm interested in more advanced setups, especially remote-user VPN but also site-to-site VPN and QoS. And of course anything else that improves my online security.
20:47 You forgot to blur out the password. Now that particular password is worthless.
25:44 So if I want to create a wireless guest network, should I do that in UniFi or in pfSense? And of course I want to be able to switch the guest network on and off and change the password easily.
29:49 I don't think allow all is a good idea, because if there is some malware that isn't covered by a block rule, it can just do what it wants. It would be better to make a block all rule and then explicitly allow specific types of packets (based on IP address and port) to go through. Malware would have a much harder time.
PS. I have some UniFi hardware: USW8-150W, USG (not used anymore), UAC AC-Pro, Cloud Key 2 running UniFi software and an SG-1100 running pfSense, connected to the internet using a DrayTek Vigor 130.
Me skimming through the video be like “Yes!” “Yes!” “Yes!”
You should always pick America/Los_Angeles (or in my case America/New_York) so DST auto applies as well. If your region does not observe DST then +/- GMT is fine too.
I have 3100 and great so far.
This is gonna be very interesting! Thanks
Hi. First of all, thank you for this great video for beginners. That made me try pfsense again, hopefully longer this time ;-)
But on a different note, am I the only one who thinks David Barger bears some resemblance to Will Forbe (Last Man on Earth)? The hair, the face, the beard... I don't mean that in a derogatory way!!! Rather the opposite. As soon as I see David Barger I think of Last Man on Earth :-) I hope to see more videos with him. Have a nice day.
Thanks
Did we configure IPv6? Some other items I would consider for small businesses: Quad9 DNS, pfBlockerNG
Hi. Why did you click on Invert at 31:30 when setting firewall rule for Guest Network?
I'm going to use this to install my first ever firewall. I tried another video before coming across this which seems to be more user friendly than the other. I have to reset the pfsense which I don't remember how now.
Are you sure the 4 LAN ports come bonded as a switch by default? Because that was not the case on my SG 6100. They were set up as individual LAN ports and during the first run you needed to assign WAN and LAN interfaces.
Bridging ports into a switch setup is also not commonly done on pfSense, usually it's one subnet per port, setting up one or more trunk ports, or putting multiple ports into a LAGG.
They're really nice devices though. The 6100 adds 2 10G ports that are preconfigured as WAN 3 and 4, but I reconfigured them as a LAGG to serve as a 20G trunk between the 6100 and my core switch. WAN is currently an RJ45 on WAN1, but in the future I'll probably reconfigure one of the 2.5G LAN ports as WAN once my ISP gets a modem and plan that goes faster than 1G.
There must be a lot of bad pfSense people out there. Almost every motel I stay in, I check out what hardware is in use. Invariably, when they are using pfSense, their guest network is not blocking device-to-device communications. Not necessarily a programming error with pfSense, but not setting up their APs as a guest network properly.
Why is that third guest network rule used? I've been doing some tinkering along and it seems to work fine with the first two.
These are the basic firewalling configs; can this device also do NEXT GEN firewalling? Did you make a video on that aspect?
I've had pfSense Community Edition on my router for years and am VERY satisfied with it!
There's nothing you can't configure.
I'd like to hook my phone up to it somehow, but haven't found anything yet on how that could be done. So I only have it behind the normal dumb Telekom router. I'd like to make the internet connection with it, but it also works perfectly like this, with VPN tunnel, bridged networks, and still blazing fast.
Can only recommend it!
Great video!!! Do you have video on sg3100 setup??? I am having issues connecting to internet with my switch ports. ISP is att fiber 2g.
Would love to know how to add a NAS to port LAN2 so that your computer on LAN1 can see it.
I just watched the part where you talk about incoming Internet traffic to use RFC1918 (i.e. local private IPs) to get into the network. For my UDM, would it be wise to add a firewall rule to the "internet in" rule set and drop all RFC1918 addresses? Is that essentially what David was talking about at the around 8:30 mark of the video? I already have the "Internet Out" version of that rule in my firewall.
Thanks!
Crosstalk solutions what unifi outdoor access point do you recommend
Thank you
Can you talk about malware ZuoRAT and VPNfilter? Isolation of the setup menus are critical. Being able to limit disaster from hackers has not been addressed
whoa, that thing is quite a bit bigger than my SG-1100. but it runs the same software.
Hi, do I need to actually set the IP on the PC port to the same LAN? Won't my PC pick up an IP from DHCP directly when I plug it into the LAN port?
Thanks, all works, all is good, but I just cannot get any update status.
22.05-RELEASE (arm64)
built on Wed Jun 22 18:56:18 UTC 2022
FreeBSD 12.3-STABLE
Unable to check for updates
Any idea why?
Thanks in advance
David sounds and looks just like Will Forte, is he related?
good day, I'm seeking help and have reached out online but have not been contacted please advise!
Hi there, 06:40: setting up the domain whatever.local, I don't think that's a "best practice"; actually I would say it's a big NO NO, because .local is reserved and is used for mDNS lookups, generally on L2 network segments. This type of configuration can cause conflicts and unpredictable behavior in various situations; all the Apple, Linux and Windows clients rely on this. Thanks for the other good tips anyway, and have a great day everyone.
No export wizard for CE users :- (
Error in the video. If you want to force the DNS servers you put in, you want to uncheck the box, or your ISP can change them.
Override DNS
When checked, a dynamic WAN ISP can supply DNS servers which override those set manually. To force the use of only the DNS servers configured manually, uncheck this option.
Why is IPv6 always completely ignored?
Why would you bother with one? What can ipv6 give you that ipv4 can't in private network?
Tom Lawrence also ignores IPv6. There is a general hate for it, and from what I've observed elsewhere, it's not easily secured.. or something along those lines. I wish I had a link to reference.
@@gregamb If for example I have a couple of Raspberry Pis running a web service, each Pi can grab a LetsEncrypt certificate for itself.
@@SpookyLurker ...not easily secured, why? You have a general firewall rule for rejecting new incoming connections, and instead of port forwardings you have port allow rules.
@@no0ne. What's stopping you from doing that on IPv4?
I can see the benefit of ipv4 in public addresses i.e. each mobile device will get its own public IP. But as it seems so far mobile operators prefer to keep mobiles on 10./8 range.
Starlink is in the same boat ...
the sg1100 can do high availability with the opt port. Don't mislead people.
If you're not using pfSense, you're doing it wrong ;)
That looks just like the 5100...
Edit : forget it... missing 2x 10gb sfp ports...
Why Snort and not Suricata? Yes, tomayto tomahto...
Open vpn please
old coworkers harassing me at a non stop rate illegally, they are criminals
waste my time
This shit is too advanced, you have to explain why you set certain numbers in fields etc... Love the content but you lost me at the Alias stuff.
Please stop using classful networking terms when using classless networking. I know it is an old habit, but when using subnet masking you are by default using classless IP networking protocols. If you were using RIP v1, you'd be using classful networking. Class A, B, C, D, and E networks are old school but often a carry-over from the good ole days, like when I learned on WellFleet routers.
First!
It'd be nice to talk about the DNS domain a little more in depth. @5:55. home.arpa is best for home DNS domains.