2020 Getting started with pfsense 2.4 Tutorial: Network Setup, VLANs, Features & Packages

Tom here from Lawrence Systems, and we're going to talk about pfSense getting started: kind of a start-to-finish video for setting up your pfSense firewall, building it custom, virtualizing it, or buying the hardware. No matter which way you want to do it, we'll talk about all the methods in the beginning, then we'll walk into some of the hardware, and then we'll go through the loading process, getting it configured, building your network. So kind of a from-loaded-to-multiple-networks, VLANs, etc. It's going to be kind of in depth here, but I want to go through all the features and options with pfSense and cover it so you can kind of have it all in one place.

But before we get started, let's first: if you'd like to learn more about me or my company, head over to lawrences.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor free (and thank you to everyone who already has), there is a Join button here for YouTube and a Patreon page; your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel.

Now back to our content. I want to start here with a little bit of history. pfSense is a fully open source firewall, and for those of you that have been doing this for a long time, and especially people like myself who've been an advocate of open source firewalls since, well, the early 2000s, late '99 I think is when I first started messing with open source firewalls, and I was told I was crazy. Now they're pretty much very, very common. Now pfSense is used in corporate
environments. I have a separate video talking about that. There will be someone below, I'm positive, that puts their caps lock on and tells me it's not ready for corporate, it's not really used in corporate, you're wrong, Tom. But I can tell you, because of the amount of consulting we do, the page on Netgate, and some videos I've done deep diving where I show companies, large companies including Mastercard, hiring for pfSense professionals, I can tell you it's well used in the corporate, even the banking, markets. So I'm not here to debate that with the person with the caps lock. Hi. Anyways, I'm not going to feed the trolls today; I just want to at least mention yes, it's used in corporate environments, and yes, it can be used in your home environment.

pfSense is a fork of the m0n0wall project. Then in 2014 a competing open source firewall project, OPNsense, was forked from pfSense, with the first official release in January 2015. So yes, I am aware OPNsense exists; that comment comes up on almost every video I do on pfSense: "please do an OPNsense." OPNsense is a fork with some different opinions than pfSense. I stay with pfSense because it is well supported, well documented, and I trust it very well. Now, an important concept: any firewall is trust, because this is the divider between you and the internet and all the devices you may have on your network, so you have to have something solid and secure. And just because something has more features doesn't necessarily mean it's something I need; I find the features to be quite adequate in pfSense. So that's as much as I'll talk about on that topic, but I'll leave a link to this here.

Now a little bit more context: open source security. This is pfsense.org, where you're going to download pfSense from, and it is fully open source. This question comes up a lot as well; people say, is it really open source or partly open source? No, it's fully open source, so I'm not sure where people get that misinformation. I usually just link them to the GitHub or
anywhere you can download all the source code; you can compile this all yourself if you so feel the need to. I'm going to tell you it's much easier to go to the download option over here and download pfSense; it's already compiled for you.

Now, what does it run on? That's an important aspect. pfSense does not run on all ARM devices. It does run on the Netgate-provided ARM devices, so no, your Raspberry Pi won't run pfSense, sorry. I don't know if there's any plan to ever support something like a Raspberry Pi, but the custom ARM boards that were commissioned by Netgate, the commercial company that provides support for pfSense and makes the hardware: when you buy a Netgate piece of hardware that does have an ARM board in it, they have a custom ARM build, still open source, but they compiled it specifically for that ARM. Now those downloads, like I said, are not available directly for some other custom ARM boards that you have, and ARM's a lot different than building things on x86, because things have to be custom compiled for that particular ARM board to make it work. So the only proper ARM support that there is right now, in August of 2020, is on the Netgate devices that are shipping with custom ARM boards in them. So hopefully that clears that up.

But if you're building x86, we're going to talk real briefly about the hardware before we get into the download part, because, well, if you're going to build it yourself and buy some parts, or maybe you have an old computer laying around and you say this is what I want to do, build it. I do have, and I'll leave a link to this, this Supermicro 1U box. I'm not building it because I think it's the best for pfSense; I'm choosing it because I have it laying around and it seemed like a fun thing to do a demo on. Now this has four on-board ports, which is great; that's what you need, a few on-board ports. But let's say you have some other PC. In my 2018 video I just had a motherboard laying around that I don't have, well, something around anymore; I got
rid of that old one, and I'm going to use this Intel card in this. But this is the same Intel card I had recommended before, and let me jump over here and show you. You can find this Intel card, and I'll leave a link to this; this is the zero eight zero nine two P Intel card that I found off of eBay. I think I paid around 35 or 40 dollars for it, which is still what they're going for. They're relatively inexpensive; some people think they're worth more than they are, but you can find these relatively cheap and they work really, really well with pfSense. These are four-port Intel cards, so that gives you four spots you can plug into. If you have just a standard computer, maybe an older one, because pfSense does not require a whole lot of processing power to run, even doing gigabit networking does not require really high-end CPUs, you can plug these in and away you go, and you have four ports on that PC.

Now, buying the Netgate devices: they have a whole list of them on there, and they have all the specs listed on their site, and as I said, when you buy a Netgate device, one, you're going to get guaranteed-to-work pfSense, no troubleshooting of "hey, I got this weird quirky problem that I ran into." This is the same thing as when you virtualize it: you have these weird quirky problems you run into. Virtualizing is my least favorite way to do pfSense, but there are guides on how to do it; I have a guide on even how to set it up inside of XCP-ng. There's plenty of documentation on that; it's really popular to do. But be warned, it is also the most picky way to do it, because you run into weird performance issues. That's because you're now creating a virtualization layer and then virtualizing a network interface, so there's a lot of potentially more problems with it. Someone will have their caps lock on saying they've run it with no problems for some amount of time. Yes, if your hardware lines up and everything aligns perfectly you'll have no problems; if it doesn't, you'll spend a lot of time in forums going, why does it do
this weird thing, why does it only get really slow performance randomly, etc. But for commercial installs I do highly recommend buying the Netgate hardware. And if you're looking for not playing with hardware at all and you're a home user, I'm holding in my hand an SG-1100. The SG-1100 is a great box; it works really, really well and does an excellent job of up to five or six hundred megs per second. So if you have gigabit internet at home, this is going to be a little bit underpowered for you; it's not going to get full gigabit. But for, you know, right now they're about 199 or 189, just under 200, you can get a complete, well-supported box, and I have done videos showing this will even run full HAProxy on here with, you know, Let's Encrypt certs and a reverse proxy. So you can actually get quite a bit done with a tiny little box like this right here. Anyways, on to the build process, because you can spend more time at the Netgate site figuring out which one fits for your commercial project; they have all the speeds and everything listed on there. So that's the commercial side, and here we're on the non-commercial side of "I have a computer and we're just going to build it."

Let's start here, and let's start with downloading and loading it. So now we can get to that part. We want to download; we'll go here: architecture AMD64 (64-bit), which means it works on Intel, works on AMD, works on 64-bit processors. Are you going to load it to a USB memstick or a CD ISO? Those are your two options that you have on there, so pick your download location. Now for demonstration purposes, not for anything more than this video, we're going to refresh the page real quick. I'm going to now walk through what the loading process looks like; it's actually really straightforward. So this is not installing it on this machine next to me, but this is just to show you what the installer looks like and go through the options, and there's very few of them, so this part's pretty quick. I will mention I've done a video on this before:
Recover config.xml. If you somehow goof up and completely break your pfSense install through some level of corruption or not following documentation properly, there is a way to recover it, and I thought this is a great feature that they have built in. All the configs are in one XML file located on here, and I've got a separate video just on recovering pfSense, but what you do is you can load the pfSense CD and recover the XML file: grab that file and reload all the settings back in there. So there is also a rescue shell option, so if you are trying to fix a broken install, great. I've had to use this on people who forgot to back up that XML file, because you have a really easy way to back this up and a lot of people don't, so that gets used more frequently than it probably should. But if you have backups you can just reload, provide that XML file when you're doing the install, and done, you're back to your pfSense setup.

Configure keymap: for me, I'm American, it defaults to American, it configures the American setup, so I'm good on the keyboard layout, no problem. Guided disk setup, Auto (UFS), that's fine. I have a separate video on custom pfSense with ZFS, where I talk about using ZFS if you have multiple drives; generally speaking Auto (UFS) is fine, Auto (ZFS) is fine. We're going to go ahead; we have a single drive in here, so just the Auto (UFS). I haven't had a problem with it. And now it's installing; that's pretty much going to be it here. It goes through, installs the base, overall progress here, and depending on the speed of your machine is how fast this is going to install. This is all in real time on my Xen server, and it's just about done. Do you want to make any more modifications? Nope, reboot. That's it; it's going to reboot and have pfSense up and running. That's as easy as the install goes; that part is so straightforward with pfSense. Now I will show you what it looks like when you boot up to the first-time menu, if you need to look at it. So here's the first-time boot menu, and
what was fast-forwarded while it runs through all the boot process setup, and this is what the boot menu looks like once it's started up. Now the other device sitting next to me only had a VGA out; that's why I didn't try to do it here. I'm showing it through the virtual one, but when we do all the rest of the demo we're going to be doing it on this actual hardware right here, not this. Now the one thing you may have to figure out, and you'll see is going to be different about this because this little 1U Supermicro has so many network interfaces on it, is assigning interfaces. I only added two network interfaces virtually to this, so they're pretty easy to find, and they're both plugged in and running. But when we are trying to figure things out, which one's which, it says up and up. If you have a list of them it'll tell you which ones are up and which ones are down. As a matter of fact, let's go ahead and take one down. Well, that actually appears to have removed it, not taken it down, but instead of up you get down any time there's a cable disconnected. So if you are trying to sort this out and figure out which interface is which, that's how that will go: you have to kind of go through and plug each one in, figure out which ones are up, and then you can assign the interfaces.

Now if you buy one of the Netgate devices, it's kind of small here, but they're all labeled: OPT, LAN, WAN. All the Netgate devices come labeled out of the box, especially ones with multiple interfaces; they'll have the interfaces listed on there so you can figure out which one's which without having to go through the menus at the console level. So now we're going to boot this up and start with the getting started part, for logging in for the first time, and go through that. So I'm going to plug this in and jump over to that. Okay, this system is booted up, running pfSense and ready to be configured, so everything's at default, and I didn't have to do too much guessing because I know
these Intel cards quite well: if the card's facing this way, you know, with the little lip part at the top, this is igb0, igb1, igb2, igb3. So by default igb0 is going to be for the WAN, igb1 is going to be for the LAN, and I have here an EdgeSwitch. I have done a review of this; this is the EdgeSwitch 10X, and you can find it on my channel if you want to know more details about it. I just happened to have it, it was black and matched this, so that's why it's here. It's not like I'm absolutely endorsing this as the best switch to work with pfSense; I have found pfSense to work with an amazing variety of switches. I haven't found one it doesn't work with; we've set up Cisco, HP ProCurve, lots of UniFi obviously, UniFi being one of my preferred ones, but the EdgeSwitch line works fine. It's fully standards compliant when it comes to things like setting up VLANs, so I haven't had any issues setting that up.

But what we're going to do now is start setting up and configuring pfSense once you've decided how you want to do this. Now a managed switch is not a requirement, but if you want to do VLANs, a managed switch is a requirement to set up VLANs. The other option would be, because we've got, well, plenty of network interfaces on here, having each interface provide its own network. Now doing a VLAN versus a provided network: VLANs are very convenient, and I've got an entire video about VLANs, but I will mention that VLANs are a shared medium. So if you want to do multiple networks over a VLAN, they do share a physical cable, so there is a bandwidth limitation; you cannot get the full amount of two networks simultaneously if they're split up with VLANs. So I'm not going to spend too much time on it, I have a VLAN video, a whole explainer on that, but we will be covering how to configure a VLAN in this particular video and how to get the networks configured.

Now pfSense by default comes up with 192.168.1.1 to log into it, and it's a self-signed certificate, so we're going to accept
the risk and continue. admin / pfsense is the password; that is from a default load. It does not ask you during the install to set up a password; it asks you nothing other than those options you set, so you have to set up the password yourself once you go through the wizard. Now the interesting thing is it's already routing traffic. And the way you want to configure the WAN side on a pfSense, generally speaking for most all use cases, is going to be: you want the, let's say, Comcast cable or whoever your internet provider is (Comcast, Wide Open West, there's a lot of different providers, and if you're out of the country there's way more than I'm aware of), you're going to want to have that set up in bridge mode so your WAN gets a public IP address. Or in some cases when we're doing this commercially, the public IP addresses are statically assigned and provided to us by the provider. So that's an important aspect, but I can't really do that here; this is in my lab, so there's going to be an option that we change to allow it to work inside my lab properly.

Hostname: "pfsense youtube" seems like a good name, but you can call it whatever you want. DNS servers: I like 9.9.9.9. And "Override DNS", allow DNS servers to be overridden if it's on DHCP: I do not want that to happen. Now you're setting the primary DNS server for pfSense to use to get out to the internet, or you can just leave it blank and allow override, provided by DHCP; the options are yours. This is still different than when we get further down in this review and tutorial to how you would set up DNS specifically for other things; I have a couple separate videos on that as well, but we will cover that. But I choose 9.9.9.9; choose the one that makes you happy. Next, I am in Detroit, so we're going to choose America/Detroit, but choose a time zone that works for you. So go here; I just like that Detroit's in there, always made me happy. It automatically has a time server in there to set the time; that's great. Configure WAN interface: now normally if you're a home user
and you're just getting an IP address from your provider, DHCP works perfectly fine, especially when it's in bridge mode; you should get a public IP assigned to it. You have the option of PPPoE. A lot of people have a lot of questions about PPPoE, and I have no answers for you on it; spend time in the forums if you're setting up PPPoE and have problems. The reason I bring that up is because we just don't see that many of them here in the U.S.; we really see very few of them on our clients. It does work with PPPoE; I do know there are nuances to it that I'm unaware of and have no way to stand up and test. So if you are having problems with that, I'm really not the person to ask, because I don't have a way to demo that. We're going to leave this at DHCP, but if you had a custom MAC address you could assign that here too; maybe you have some reason you want to do that. Custom IP addresses, anything, can all be put in through here, your PPPoE or PPTP configurations.

But we are going to uncheck these boxes, which I normally leave checked. "Block RFC 1918 networks" means block your private IP addresses. Because this is in my lab, it's going to get a private IP address; therefore I want that private IP address not to be blocked and not to cause issues. And for people who are setting up pfSense in a lab, this is often the fix that you'll find that fixes "hey, I can't get certain things to work," and I'm like, yeah, you're probably assigning a private IP address to WAN because it's your lab, and voila, you can't do it unless you do this. So just go ahead and change that.

All right, LAN IP address. Now many home networks, and pfSense, default to 192.168.1.1. I recommend you change this, and you can change it to any type of private IP address you want. I'm going to put 192.168.55.1 just because, but if you leave it at 192.168.1.1 the challenge you run into is, let's say you're on another network, your friend's network, but you want to VPN back to your pfSense system. Well, if they have a 1.1 network,
which is a default for lots of consumer network products, like many of them, you will have trouble routing back to your house, or wherever your pfSense is installed, because, well, you have a problem with the routes matching on both sides, so it doesn't know, are you trying to go to a local address or that address. There's workarounds for that, but they're more of a headache if you don't have it set to a common address. So you set it to something like 192.168.5.1 with a subnet mask of 24; that's a less common one, so you're less likely to have to deal with any of those workarounds. So we'll leave it at 55.

Admin password: we're going to go real complicated here, because I've got to type this a few times. So there's my admin password, and we're going to click Reload. Now while I'm clicking Reload, it's going to reset and configure it, but my computer was assigned a 192.168.1 address. So, simple solution here: I'm just going to unplug the EdgeSwitch here; that's going to drop the connection here. And the EdgeSwitch, because it's managed, doesn't need an IP address; I want the IP address of the EdgeSwitch to be in the same 55 range. So when I reset it, because it only takes a few minutes from that reload, depending on the speed of your computer, where it reconfigures the interfaces, it reconfigures the DHCP server, so now it's going to be in that 55 range. So this is going to get a 55-dot-something address and this will get a 55-dot-something address, so I'll see what address I get. All right, my computer now has 192.168.55.11 as its IP address. So we'll go ahead and ping something. Okay, I can ping. Well, that didn't respond; let's find something that responds to a ping. Resolved; there we go, Google resolves and responds to pings, so I'm online. I have an IP address assigned to my computer. We can log into our pfSense here, so we're going to click Finish, and because I unplugged and plugged it back in, when I click Finish it should redirect me, and if it doesn't, it's going to be, I'm impatient, so
we'll just do it here. Oop, there we go; now it'll be 55.1. Accept the risk and continue, admin and my rather short password, because I have to type it a lot, and we have pfSense loaded and configured.

So first things to do here is really up to you. From the security standpoint, this is the question that comes up all the time: all right, I loaded it, now what? Is it secure? What are those extra things I need to do? What are the defaults I need to change to make this box more secure? And the good news is, as long as you have a good password, the defaults on pfSense are quite secure. It does not open any ports to the internet; it does normally block the WAN, except we unchecked those boxes. So the out-of-the-box config for pfSense is quite secure. If there was a more secure default, and this is my quote, I've heard them say more than once on the pfSense side, if you watch their hangouts, I think I've heard them say: if there was a more secure default way to set it up, we would just make that the default way to set it up. So the good news is you're secure; you don't have any ports open out of the box. Now, it doesn't mean there's not a million things you can do with pfSense to change it, modify it, and bend it to your will. This is one of the things I really love about pfSense: it's extremely flexible.

So we're going to go ahead and close this. I mean, this is just to let you know Netgate pfSense community support resources, some support links, etc., and we'll close that because we don't really need that information on here. So we'll start with customizing the dashboard. I like to have the interfaces on the list here. What else do we like? We can put the gateway up here if you like to have those on the list. We can list our packages, I guess, so we can customize that. Service status is good too, so we'll throw the service status on here. If you're running OpenVPN, I do like the OpenVPN being on there. And where was the package one again? Installed packages. And I'm going to say the final one, the last one, it will load on
here would probably be maybe the SMART status. So you've got service status, gateways, captive portal if you're using that, CARP if you're using that, load balancer, picture; picture's kind of neat, you can put a picture on there. I've seen a few people do that; it's kind of nice, you can load a picture of, for example, what the network looks like when you're dealing with remote systems, so you have an idea. And we'll put the SMART one over here; it'll also do thermal status as well if you have those sensors in there. Now the SMART status is only going to be there if the system has the ability to see the SMART status on that particular drive; we're using a drive that does, so that works on there. Now that's pretty good for the dashboard; it gives you plenty of information on here. You can see that this is an Intel Atom C2758 at 2.4 gigahertz. There's, you know, general statistics on here. One thing to note is make sure that you have plenty of room on here, so don't have too much space taken up on here; if you do run out of space on there, that can be a problem. This is one reason I have that video on building a custom one with a lot of space. But for the most part, not too much going on there in terms of space when you first start out; it comes down to if you start playing with and customizing the logs.

Now under the general setup we have the DNS settings. If we want to change that setting, I already set it to allow or not allow the override; yeah, that's something that is important, whether or not you want to change DNS on there. Time zone we've already set, so all these things are, like I said, already configured. You can customize the top navigation; we can switch this to a different color interface, I believe. Right here, the login page, you can change if you want; they have different colors for, like, the login page color, things like that. You could disable drag and drop. There's not a lot I really change in here. Show hostname in banner. There's a lot of little tweaking you can do; I
don't do much in terms of that level of tweaking on there. But I do like, because screens are so much wider now, to change that particular one, dashboard columns. So we'll go ahead and hit Save, then jump back over to the dashboard here, and now we have three columns. Now, if you note, when I'm dragging things around here they're pretty easy to drag, and just go ahead and hit Save, though, when you're done, to save the positions that they're in. So if you want to move these around and rearrange it, but as you get more information on there, building your dashboard, having a three-column layout is a lot easier, and of course most screens are a lot wider now, so it's pretty straightforward to do.

System, Advanced. Now this is where I do make some changes. The default config for pfSense is to put one HTTPS port open on the LAN side; it is blocked on WAN, so with the out-of-the-box config, this cannot be administered remotely. I'm not going to bother opening it up remotely; it's not needed for this particular demo. But I do like to change the port it's on, and the reason for that is, if you're starting to run other services or other things you want to forward, or open up the LAN in certain ways, having everything at the default port is... I'm not saying security through obscurity is a good thing, but, you know, having it on a different port, because most systems, if there's something on your LAN that is trying, it may frequently try that local port. Also, if you start running things like HAProxy, you run into the problem of sometimes you're like, hey, it's forwarding to the web interface, not to the HAProxy that I set up on 443 that I wanted. Those are all issues you can run into, so I do recommend changing the TCP port. We're just going to use 10443 out of habit. Like I said, it's not hard to figure out if something was scanning your network and find it; it's more about just not having it on a common port that will cause conflict with other things you may run, especially if you get something more advanced like an HAProxy setup. As far as
the rest of this goes, I think everything else in here is pretty straightforward. I don't see any reason to change this, except I do like to turn on SSH. I usually leave it at password or public key on, and then once I have my key installed I'll change it to public key only; so that's reasonable to me to set that. Everything else here, as far as defaults, works perfectly fine. It does have the ability, if you have a serial console, to redirect all the output, if you were setting this up somewhere, so we'll mention that that's in there. And password protect the console menu: I've seen people debate about this, whether or not that would enhance security. Yes, it does, in the fact that if someone has physical access they would have to put a password in to get to the console. But if someone has physical access it's kind of game over anyway, because they can get to the machine physically. So it's not something I usually change from default, because, well, I figure if they've got physical access and they're logging directly into it, they can also just reboot with a boot disk, grab your XML file, and extract your passwords. So maybe if it's in an environment you don't think is secure, or someone may be walking up to it, you want to put a password on here, but that is definitely an option that you have.

Now when you do this redirect, so we redirected it here, TCP port 10443, you'll see "one moment, redirecting to," and it's going to make those changes for me and forward me to the updated port. And we just have to remember to put colon 10443 each time we log in, so it's going to keep the IP address the same, 192.168.55.1, accept the risk and continue, but we've now added the 10443. Now by adding SSH we also got a notice over here for ssh-keygen and SSH startup. What that did was generate the keys for the SSH; it's just a notice that you get when you turn it on, nothing to be concerned about, it's just letting you know that it's done and turned on. And SSH is also going to be opened up on the LAN side only, even though we enabled it on
the firewall; unless we create an implicit rule to do so, it's not going to open up. Now I know you see right here, WAN DHCP6, and it says pending, and I'm going to bring that up real quick: one, I just don't know a lot about DHCP6, well, IPv6 I should say in general, so it's not something I really use. I know there's a lot of people with a lot of questions about it; I just don't really use it, so that I leave alone. So that's not going to be part of this review at all. I just don't have a use case for it that much; for the most part everything that we run into generally works best over IPv4, so that's all we're going to cover in this particular video.

Now firewall rules: there's no rules on the WAN, like I said; there's no floating rules; there are LAN rules, and this anti-lockout rule. You can disable this if you want to, but generally speaking the LAN is where you want the anti-lockout rule. What this does is it prevents you from creating a rule that stops you from logging into the system, so you can't lock yourself out of it. So like its namesake, it's an anti-lockout rule, because if you were to create a rule to block port 10443, well, that would be an issue you ran into.

Now one more thing I will change under Advanced over here is under Firewall & NAT. This is another customization that comes down to how you want to handle things; you can do this on a rule basis, or you can do it this way. I usually do it this way, but this can be done in each individual rule; this just basically sets the default. What you're doing is setting up that reflection, or sometimes people call it hairpinning. So let's say I open up a port, so I have a port open on my WAN that opens up something, let's just for example use a camera system, and I want that same IP address, which would be my public IP address, to work inside the network and outside the network, for convenience, for example when you're on your phone. That way when you connect to the LAN you don't have to change where it connects to. This is
basically creating a hairpin. So when that reflection is turned on, like I said, I recommend very much in the beginning, before you start turning these on, just make that the default. It goes out to the WAN address and it loops it back and says, oh, I've seen you ask for the WAN address on this port, but we know that's internal, and it hairpins it back to being local. So when you're on the LAN side, or any of the internal networks, it brings that back around. So that's something I like to turn on, and it also will save you a lot of time troubleshooting when you're doing some opening of ports and things like that. So we'll just go ahead and hit Save and away we go. And of minor note, I did leave it on, but the WebGUI redirect, you may want to turn that off; once again, if you're using it, it does still listen on port 80 to redirect you. So we'll go ahead and just disable it and say we'll turn that off. All that's doing is redirecting 80 to 10443. Once again, if you're running something like a proxy or some other things on here, you're like, hey, I told it to hit the firewall, it did, and it keeps redirecting me over here; yeah, that's because you have that turned on. So that completely gets things off, and so you'll just have to manually remember to type in 192.168.55.1:10443 every time you want to log into the admin interface. It won't, you know, do those niceties of just redirecting you. Now as far as everything else in here: Package Manager, Routing, Setup Wizard (you can rerun the setup wizard), Update (pretty straightforward to use Update), and User Manager, another thing of security on here. Now for the most part there's not a lot you need to do with any of these; each one of these is for a more advanced use case. But User Manager is another one that I'm going to say, out-of-the-box default getting started, yeah, you might want to create something other than admin. So if you create another one, and we'll just create a user tom, and then we create a password for tom, and then we'll make
tom an admin. We'll say his full name is Thomas, and we can even paste the SSH keys in here, and we can click Save. And we can log out, log back in, System > User Manager again, edit user, "can't log in". Now it's still a level of security by obscurity, but by disabling the admin account someone can't just guess through admin passwords if they're on the local network; they first have to know what username you're using. So it's one more layer, and, you know, at least I've disabled the default admin on there and have it set up so I have another admin user. So just one more little thing that I usually do, but not really necessary; I kind of leave that up to you. Now let's get to the networking part of this and setting up interfaces. So, Assignments: we have a lot of interfaces on here because we have the four-port Intel card, and this has a built-in Intel card, so all together it starts at zero, so that ends at seven, giving us eight interfaces on there. And igb0, 1, 2, 3 are all on that Intel add-in card that I have on there, and then we have the other ones. If we wanted to add more interfaces we can just do those real quick, so hey, why not. Now adding all these interfaces does not actually activate them at all; we have to do something to activate them, and these are all physical interfaces, not VLANs. So we click on here to the interface, like OPT1; it's not enabled, so if we wanted to enable it, all right, and we'll call this Some Other Network, and Static. Now this sometimes gets a little bit confusing, because people say, hey, how do we set up a second WAN, and how does pfSense determine WAN from LAN? Well, pfSense, based on the old-school m0n0wall, and going back to the even older-school way things used to work, you never really thought about LAN and WAN; everything was just an interface assignment. That interface, whether or not it had a gateway that it would get out on, determined whether or not it was a destination essentially, or a LAN, where it would then share out the information and become a
gateway itself, or it had an upstream gateway, and that upstream gateway makes it a WAN interface. So actually let's just name this one WAN2 and talk about what I mean here. So if this were to be a LAN interface I would stop here and just assign an interface, but when it has an upstream gateway we can add a gateway. So just for the sake of doing the demo here, let's type in, let's say this is going to be 10.1.1.15, and we're going to add a new gateway for this one, and we'll call it WAN2. It's not going to be our default gateway; let's pretend this is our backup interface. Gateway IP address 10.1.1.1, Add, and whatever the netmask is given to you by whoever gave you this gateway, and away we go. So hit Save, and technically, if I was doing this in my lab, I'd make sure these are unchecked as well, don't reserve the networks. I gave it the wrong name; I have to make sure it's called WAN2, "an interface with this name exists", so we'll give it the name WAN2. Save, Apply. So now this particular interface is called WAN2; it's applying the changes right now. We know it's igb2, so it's technically the third port over because they start at zero, and that would be my failover one. Now this became a WAN too because it has an upstream gateway, so that's how it knows to be on that side of the network. So let's go ahead and create another interface, and we can make that one another LAN interface. So let's look at these interface assignments again: what do we have here? Let's go with the next one over, because this one's WAN2, so we'll take igb3 and we'll call it Another LAN. So we have this one as Another LAN. Now the difference here is we're going to go ahead and go static IPv4, and by the way, on the WAN2 I could have said it's DHCP as well, and that would grab a gateway, grab everything else, and by setting a port to DHCP you're kind of implying that, yes, I want a gateway, I want all the settings to come from DHCP, which means it's also not going to be a LAN. But this one will, so this
one will be another LAN, and we'll give this a different IP range, so 192.168.200.1; that's going to be the IPv4 static IP of this, and we'll make it a /24. So this is our Another LAN that we're creating; no preference, no duplex. And actually, "for guests", there we go, Another LAN for Guests. This will be a dedicated interface for a guest network. Save, Apply, and now we have the Another LAN for Guest interface. But now what's the next step? So the next step is creating firewall rules. So we go over here, Another LAN for Guest, all right, Pass, on our LAN for Guest, IPv4, protocol: this defaults to TCP, which means, for example, lots of these other things, including DNS, which runs over UDP, and ping, ICMP, down in here in the list right there, these won't work if you set it to TCP only, which is the default. I've seen a lot of people create these rules on these networks, and they create a rule and they say, hey, it won't work, it won't ping things for example, but it seems to have some things working. Yes, anything TCP works; anything not TCP won't work. So we're going to change this protocol to Any. So we have Action: Pass, and what we're doing is creating a rule to pass the traffic on this one, Another LAN for Guest. Description is going to be Allow All, oops, and why do I have all caps on? Don't need the caps on; these are just really handy descriptive rules. We don't really need to get into Advanced, but any rule comes with really advanced options if you want to play with them; that goes beyond the scope of this particular tutorial. Now both this one and this one work fine; matter of fact, let's plug into it and confirm it's working. But before we do that we need to have an IP address set up on it, so we're going to go to Services, and we need to go to DHCP Server. For every interface you create, whether it's a VLAN or a physical interface you're attaching it to, it does create a list here in the DHCP server, so that's great; we do have to define a range though, so we'll say 100 to 200.
Now you can add a whole series of pools; there's way more advanced things you can do with DNS; for the most part I usually just set one long range of pool, maybe some static on there. But now we have essentially this Another LAN for Guests. Oh, there's a space in front; please note, when you copy and paste sometimes you copy a space, and if you do that, there we go, it'll tell you the IP range is invalid. So go ahead and hit Save. All right, so now in terms of interfaces we've got this and we've got this one here. So we can now go and unplug this, which is my computer, and we're going to plug it into that other port right here. Give my computer a second to get an IP address; no, there we go, it already has it, so 192.168.200.100. So let's go ahead and log back in. Now a couple different ways we can log in: so we'll go ahead and here, and we're still logged in at 55.1, but also, just so you know, 200.1:10443 also lets us log in. Now we call this the guest network, and probably you don't want your guests logging in, so let's talk about creating rules now that stop that from happening. So we're going to go over here to our rules, Another LAN for Guests. Now there's a few different ways to do this, and the first thing you want to do is recognize that rules are from top down. I have a specific video about getting started with rules where I dive a little more in depth into it, but the rules are top down on a per-interface basis, so the first rule it matches is going to be what it matches on, and then it doesn't go any further. So we can put a block rule to our 10443: source any, protocol TCP, and we're going to say, actually the destination is going to be the firewall itself. You cannot talk to this firewall on 10443 from that network; that's an important thing that you want to make sure is in there. If not, anyone on guest can try to get to the interface. Now granted, you have a good password on there, I'm assuming, so it's not the biggest security risk, but it's not the best. The other problem people have
is they assume the guest network should have no access to the firewall, so they block everything to the firewall. Well, that's a problem, because you have DHCP on the firewall, you have DNS on the firewall, and if those are providing those things, well, now how are you going to get out to the internet? They need to at least talk to the firewall, but they don't need to talk to this specific port. So we'll go ahead and say this is Block Web Interface. All right, so now we have the web interface blocked, and when that rule is applied, all right, it is unable, so 192.168.200.1:10443 times out. So we're going to plug my computer back in over here to the regular LAN so we can keep administering it, and show you how to further lock down that guest network. Because even though it can't get to 192.168.200.1:10443 if we put a block in there, it can get over to our primary LAN, so if it can get there then it can go into and get to 192.168.55.1:10443, and we want to make sure we stop that. All right, back on the 55 network, Firewall > Rules, and, oops, I'm sorry, Another LAN for Guest. So this firewall: block port 10443, Block Web Interface. Now let's say we wanted to block things going to LAN, which is our next goal. So we have this Allow Traffic; there's a couple different ways to do this, and there's not necessarily one way that is absolutely right, and sometimes there's a lot of customization you need to do, where you want to be able to access some networks and not others. So you can create an alias, for example; say Alias, and we can say, like, an IP range, and we'll add, or we'll label this one My Private Networks, because maybe you want to separate things into a couple different networks and you want a list of private networks, and that private network's going to be 192.168.55.0/24.
Actually we want to list it as a network; there we go, .0, and we'll call this one LAN. And maybe we have more than one of these, which is why you want to do it as an alias. Now the advantage of an alias: if we had created more than one, so maybe there was a 50 network, and the same thing, we'll do this, My Other LAN, you can list out all the networks and then have this block in there, so we only have it once. We'll just hit Save and show you how an alias works. Apply. Firewall > Rules, Another LAN, and we need another block rule. So we can say Block, and then we can go here, block all protocols, not just Any... where's the destination? Single host or alias, and My Private Networks. Save, Apply. So if it tries to go to My Private Networks right here, and each time I add another private network I add it to the list, this is not allowed to have that as a destination. So it's not allowed to have the destination firewall, and it's not allowed to have the destination these networks on here. So now all I do is update the alias, and by updating the alias, if I have this rule repeated in different places, it'll work. Another way to do this is to go ahead and edit this rule here, and you can just say Invert Match, and go right here and say Invert Match, LAN net, Save. And now we can say the destination, as long as the destination (the exclamation point means not) is not the LAN, then we can go. But I only specified one network, so then I could specify My Private Networks also as an option, as an alias, and say destination not that. So there's a couple different ways you can do it: in a single rule, or separate rules. "Allow Traffic Except" is how I would probably relabel this rule, so I would say, like, you know, and we'll actually change it to an alias in case we had more than one, so My Private Networks: Allow Traffic Except For My Private Networks. Save, Apply. And actually we're going to go ahead and delete this rule; we don't need rules twice. So Block the Web Interface, Allow Traffic Except For My Private
Networks. So all right, that's been applied, and hey, why not, let's go ahead and try this real quick, and we're going to pick something we can ping. So go over here to Services > DHCP Server; we'll go here and we can see what things we have. So here's my laptop at 55.11, and we have 55.10, which is, I think this is probably, over here, cool, we can see it, this is the EdgeRouter. I'm able to ping it right now, so from the 55 network I can easily ping this, and I shouldn't be able to ping it from that 200 network. So I'm just going to move my computer back over real quick. Okay, it's on the 200 network now; let's ping Google again. Google's responding, awesome, so I'm online, but what about when I try to ping 55.10? Nope. I have now blocked the LAN network from this particular network interface, so my guests can get online but they can't see what's on my LAN, or whatever you put on there; maybe you have your camera system on that separate one, and now you've stopped anything from coming over there. So now I'm going to go ahead and switch it back and put it back in the normal network, and we'll kind of walk through this same scenario, but we're going to do it with a VLAN this time. So the concept's almost identical; the firewall rules, DHCP servers can be the same, but there's a little bit of difference in how we assign the interfaces, and I want to make sure that's clear. Because, well, VLANs are extremely convenient, especially when you have larger networks and you don't have the luxury of running one individual cable to each segment of the network, to each individual switch, and VLANs obviously create a lot of easy ways to segment things. So even though they share the bandwidth, there's a lot of good reasons to use a VLAN to create separate networks, and it makes it easy, especially when you just need to pivot back and forth between them. All right, so creating a VLAN: Interface Assignments. Now we have to know which interface we're attaching this VLAN to, and we're going to be connecting it to the LAN, which means that's
the shared physical interface that the VLAN will be on. And we're going to go over here and we'll define a VLAN, VLAN tag 69, the 69 network, and right here we assign it. And don't worry about the priority; it's up to you, it's advanced and goes out of scope of this. If you are using traffic shaping you can set priorities, and that can be at the switch level, or it prioritizes certain traffic over other traffic. Now this is a problem you're going to have, and if you say, hey, I've been trying this and it's not working, I'm running this virtually: if you virtualized pfSense, if you load it into some other hypervisor, on a per-hypervisor basis you may handle VLANs differently, because, well, it's not that there's issues with it, but it is one of the nuances of having that level of support on the drivers for the hypervisor. This is one of the challenges when you have it virtualized. When you're running on physical hardware, though, it's pretty straightforward and easy; you just assign this. The exceptions are if you're running a Netgate 7100 or Netgate 1100; look up the videos I have on those, there's a couple extra steps to tag the VLANs in there. Not an issue on the other devices or in this self-built situation with this Intel card; the VLANs just work by assigning them to an interface. So we have igb1, VLAN tag 69, and we call it the 69 network. Now when we go to Interface Assignments, here's that other assignment, so we're going to go ahead and assign it, and like I said it works just like a normal interface. We'll give it a name, VLAN69, Static, 69.1, make it a /24.
Now this is up to you; you could make it bigger than the /24, but that's pretty much, you know, the way to do it there. If you wanted it to be a /22 or a bigger range, whichever is up to you. And I typed in 61, so let me get that typo fixed. Save, Apply. Firewall > Rules: there's no rules by default, so we'll go here and say Any. Now here comes the next question: is this another secure network? Do we want to do an invert match and say that same thing, single host or network of My Private Networks, or is 69 your private network and you want to keep that in your private network list? So instead we're going to say Any/Any; we'll make that assumption on this particular network, but we could have done it either way on this. So we won't say Invert Match, because that would make a mess; we'll just say Allow All, hit Apply, and now this network's in there. But this network's not set to private, which means the guest can get to it, so we don't want the guest on 69. So we're going to go over here and say Firewall > Aliases, we'll edit this alias and we'll add network; it's a .0 on this part here, /24. Save, Apply. And now when we go back over to Rules, the guest networks now have both applied to them. Now this is one of the reasons it's nice to use an alias: so when, you know, you're building out private networks, and then you've built out different guest or security networks and you don't want them to have access to something, easy enough that when you have the alias it applies everywhere universally. So I make one change to the alias and universally it goes everywhere else. And also, if you wanted to take this network, now we allow this over here, we have this right here; if we wanted to say, but we don't want the 69 network to be able to get to the web interface, you'd have to actually do a couple blocks, as one, it could still get to the 55 interface and get to it. But in terms of duplicating it, that's what the Copy's for, and we can just copy it to another network like this and hit Apply, and now that
rule will copy over to the other side. So you do have to redo the block rule for each network you don't want to have access. Now what we didn't do yet, though, was set up a DHCP server; once again, don't forget that part. Range, we'll say 100, make sure you don't have a space in it this time, 100 to 200. Save, and now that is ready to go, and now I can plug anything I want into that one there. But obviously I need to define this in my switch. Now I'm not going to spend a lot of time on this, but the EdgeSwitch 10X: let's talk about how it's plugged in real quick. We have this port coming from the LAN, and it goes into port 1 on the EdgeSwitch 10X, and then we have port 2 right now plugged in and going to my laptop. And this is going to vary a lot based on the interface for whatever managed switch you're using when you're defining VLANs. One of the reasons we like the UniFi platform so much is the UniFi one specifically, that line has got some of the easiest VLAN setups; I have videos on that particular topic, so really easy to define VLANs inside of that. When you're defining them in other switches, this is where people get stuck, because they have similar but not always the same methodologies to do this, and it varies from Cisco, it varies from ticket, it varies from Edge. The concept's the same, the protocol is standard, but the web interface is up to the UI designers. So I'm going to show you, and I have a review on the EdgeSwitch, but this is the EdgeSwitch: to set up a new VLAN ID, tagged 69 right here. So we have this set to be the trunk port, port 1; then we have this to allow all untagged traffic to come in; then we say grab the tagged traffic on here and forward it over to here as untagged. And then we want port 5 excluded; that way port 5 doesn't ever give me the LAN, it only gives me the VLAN 69 traffic, so it's excluded from the default tag of VLAN 1.
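As an added illustration (my own example, not code from the video or from pfSense), here is a small Python model of the top-down, first-match rule evaluation described for the guest network, loaded with the Block Web Interface rule, the My Private Networks alias with the 69 network added, the Invert Match variant, and the pass rule left at the TCP default. The firewall addresses, alias contents and test packets are constructed for the demo.

```python
# Added example, not from the video: a small model of how pfSense evaluates
# interface rules top-down, first match wins, with an implicit default deny.
# Firewall addresses, alias contents and sample packets are constructed here
# to mirror the guest network and VLAN 69 built above; nothing is read from a
# real firewall.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: addresses the firewall itself holds on its interfaces.
FIREWALL_ADDRS = {"192.168.55.1", "192.168.200.1", "192.168.69.1"}
WEBGUI_PORT = 10443

# Constructed alias, as edited in the video: LAN plus the VLAN 69 network.
ALIASES = {"my_private_networks": ["192.168.55.0/24", "192.168.69.0/24"]}


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "tcp"           # the GUI default; "any" also covers UDP and ICMP
    dst: str = "any"             # "any", "this_firewall", an alias name or a CIDR
    dst_port: Optional[int] = None
    invert_dst: bool = False     # the "Invert match" checkbox on the destination
    descr: str = ""


def dst_matches(rule: Rule, dst_ip: str) -> bool:
    """Destination test, honouring aliases and invert match."""
    if rule.dst == "any":
        hit = True
    elif rule.dst == "this_firewall":
        hit = dst_ip in FIREWALL_ADDRS
    else:
        nets = ALIASES.get(rule.dst, [rule.dst])
        hit = any(ip_address(dst_ip) in ip_network(n) for n in nets)
    return hit != rule.invert_dst


def evaluate(rules, proto: str, dst_ip: str, dst_port: Optional[int] = None):
    """Return (action, description) of the first matching rule. Interface
    rules are walked top-down and evaluation stops at the first hit; no hit
    at all means the implicit default deny."""
    for rule in rules:
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if not dst_matches(rule, dst_ip):
            continue
        return rule.action, rule.descr
    return "block", "default deny"


# The guest ruleset as built in the video, in the order it appears.
GUEST_RULES = [
    Rule("block", "tcp", "this_firewall", WEBGUI_PORT, descr="Block web interface"),
    Rule("block", "any", "my_private_networks", descr="Block private networks"),
    Rule("pass", "any", "any", descr="Allow all"),
]

# The single-rule variant using Invert Match instead of a separate block.
GUEST_RULES_INVERT = [
    Rule("block", "tcp", "this_firewall", WEBGUI_PORT, descr="Block web interface"),
    Rule("pass", "any", "my_private_networks", invert_dst=True,
         descr="Allow traffic except for my private networks"),
]

# The mistake described in the video: a pass rule left at the TCP default,
# which silently drops DNS over UDP and ICMP ping.
TCP_ONLY_RULES = [Rule("pass", "tcp", "any", descr="Allow all (tcp only)")]


if __name__ == "__main__":
    checks = [
        ("GUI from guest", GUEST_RULES, "tcp", "192.168.200.1", WEBGUI_PORT),
        ("GUI via LAN addr", GUEST_RULES, "tcp", "192.168.55.1", WEBGUI_PORT),
        ("DNS to firewall", GUEST_RULES, "udp", "192.168.200.1", 53),
        ("ping EdgeRouter", GUEST_RULES, "icmp", "192.168.55.10", None),
        ("ping VLAN 69 host", GUEST_RULES, "icmp", "192.168.69.20", None),
        ("web to internet", GUEST_RULES, "tcp", "8.8.8.8", 443),
        ("DNS, tcp-only rule", TCP_ONLY_RULES, "udp", "192.168.200.1", 53),
    ]
    for name, rules, proto, ip, port in checks:
        print(f"{name:20s} -> {evaluate(rules, proto, ip, port)}")
```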
So natively VLAN 1 means untagged, or basically all the traffic comes on VLAN 1 by default on pretty much everything, including the pfSense, put things out, and then we peel out the one particular VLAN. So I have a separate review of this, which you can find on my channel, where I talk a little bit more in depth about that, but for this particular switch that's how we define it, and that's how we define port 5. So let's see if we have this VLAN 69 working, and if I did it correctly I should be able to take and move this network cable from here over to port 5, and now I should get that other address, and it should work, tagged with the VLANs. Let's see which IP address my computer gets. All right, 192.168.69.100. Let's go ahead and ping something like Google, and hey, look, we're online; it's up and running and working. And because we didn't block anything, I can still get to the web interface on that particular one, or I could, you know, copy the block rules and make this a private network. Now you get the idea of how to set those up, so this should give you a good concept on how to get all of those things up and running. So let's talk about the plugins, or packages, that come with pfSense. Now these are directly pulled from the pfSense repository; they're official and vetted by pfSense, by the Netgate team. And I already shut this down; I didn't want to do it on this, because I feel like setting all the plugins up... I was going to go over to our production machine and show you what we have installed. Now these are not the same plugins we install for every client, but there are clients that we use that have all of these needs; we decide which packages are installed based on the use case and based on what the needs are. So I'm going to walk through, because our system pretty much has all the ones we use commonly when there's large projects all set up here. So I have separate videos that will break down in detail any one of these in the configuration guides form, and I'll be leaving that in a
playlist down below. So we'll start at the top here: the Automated Certificate Management Environment, for automated use of Let's Encrypt certificates, is wonderful combined with, and I'll just put them together, HAProxy, which you'll see down in here. Those two work wonderful together; I've got two separate videos on that, one for using wildcards, one for just setting up and configuring it. But if you want an automated way to handle certificates and to have reverse proxies and everything else, that is just a great plugin for that, and that's not something every client needs, so it's not like we automatically load that; it's just kind of on an as-needed basis. arpwatch: once again, not something a general small office would use, but if you have, for example, a separate network where you have certain servers and you want to keep an eye on if anything pops up on that network that wasn't supposed to be there, arpwatch is the tool to do that. It looks at the network, and if a new MAC address shows up on that network and it shows up in the ARP table, because, hey, look what I found, and this was unexpected because there was a change... it'll also let you know if someone tried to spoof a MAC address, because, same thing, if something changes and the ARP table changes on a particular segment of the network, it lets you know. Don't do this on your main LAN if you have things coming and going, or you'll just get bombed with notices and it becomes, well, ineffective at that point. But on a network that essentially is not very dynamic and things are statically set, you have this group of servers that run in there, well, arpwatch is great for watching that. The AWS wizard is something that comes default with the pfSense installs when you buy the Netgate hardware; just not something I really use. Darkstat: I've never done a full video on it, but Darkstat's definitely pretty cool for just getting some general statistics on things. FreeRADIUS 3: now once again it comes down to use case, where do you want your RADIUS server to
live for authentication? So if you're going to use RADIUS authentication, you can use this in Windows, you can then tie it to Active Directory, or you can run a standalone FreeRADIUS server right on your pfSense. Why would you do that? Well, I have a video talking about how to use FreeRADIUS for authentication on your network, and specifically with OpenVPN, so those two things work together really well. And so if the client doesn't need just the standard OpenVPN install, or is going to use the pfSense for all the authentication, or is going to use the pfSense for authentication and needs something more advanced like FreeRADIUS, that's there. When they don't use FreeRADIUS, because it's not necessary for OpenVPN, you use the standard User Manager; you can create users that don't have admin privileges, that really don't have any privileges, you're just using them to authenticate. So don't use the admin user for pfSense as your user; create, like, another user, like, hey, yourusername_vpn or whatever nomenclature, or whatever methodology I should say, you want to use for naming that; whatever methodology works for you, that works. But FreeRADIUS is a completely separate database that can be maintained, and then you can point OpenVPN at it, and I have a separate video on that process. iftop: I don't use this very often; it's kind of a novel thing that you can use on the command line, showing bandwidth per IP address. I think I may or may not have done a video on it at some point, but it's just novel to have installed there. Same with iperf; iperf is benchmarking, and you can have this and it comes up on a web interface, so you can, you know, do speed testing. Now that's not doing speed testing through the firewall; it's speed testing, you know, from port to port, and, man, that's still sometimes pretty handy to do, so hey, why not, it doesn't really take up much space, it's easy to load. IPsec Profile Wizard: this is something else Netgate installs; it's not something I
really use; I just didn't remove it. Same thing with the Netgate Coreboot upgrade: this is for updating Coreboot on Netgate devices, and something else that, if you have a Netgate device, it's going to come loaded by default. nmap: I like that nmap is in here, because, well, I can pivot into a network and get something set up and run nmap. Having nmap right on the pfSense system is handy, because then I can take and scan a specific segment of network with some nmap, go through, find or discover things with their pfSense. And pfSense of course usually sits at the intersection of all the different networks, so being on one box, especially the pfSense box, or at the head end, and then pivoting through everything to create and map scans, so having that built in, yeah, that's easy. OpenVPN Client Export: hands down, one of the... if they're running a VPN, you always run this. When you look at my OpenVPN videos you understand this package is the executable with the certificates and the settings in it for OpenVPN. So when you set up OpenVPN, you want one single executable install with everything rolled into it; that is the tool that does that for you. So if you've watched my videos, and I've had a few people skip over that part, you're like, I can't find that export; it's not built in. I almost think this should be a built-in one, because if you're going to do anything with VPN, use this; it makes your life a lot easier. If not, you have to manually set up everything, which is tedious when you want to manually create an export file, but this creates it all for you. So that's one of my favorite features, because of the way it does the packaging for OpenVPN. pfBlockerNG-devel: devel is important, which means development version. I've done videos on pfBlockerNG; this one's great, I definitely like that quite a bit as far as, you know, being able to manage things for blocking and DNS. Looks like a couple of videos on that, but watch the most recent one, because the most recent
one covers the devel version versus the non-development version. Status Traffic Totals: it gives you a traffic totals page on the Status menu, giving a total amount of traffic passed in and out over a period of time, hours, days and months; it uses vnstat for collection. And Suricata: I just did a video on Suricata, and Suricata is extensive, great for security, also very extensive to set up and tune. That being said, it's still not something we load for every client, because it provides very limited protection if you're not opening any ports; it mostly provides lots of false positives on general generic networks, and does require a bit of tuning. So it's not like an automatic, because, you know, it's an upsell, so to speak, to have us set up and tune that, as opposed to... and it needs constant tuning. So it's not for everyone; that would be the best way to describe Suricata. It kind of depends on the use case on there; especially home users who want to use it generally find themselves, if they have no ports open, just with a ton of false positives as well. But watch my video on Suricata to talk about some of the details on that. The Zabbix agent: well, that's only if we're going to monitor it in Zabbix, and if we're going to actively watch what this pfSense does, you know, watch for uptime, Zabbix is a great way to do this. There is a Nagios plugin in there as well, if you're a Nagios fan; I don't use Nagios, I don't have an interest in it, people ask me to review it; I like Zabbix, the competing product to Nagios, and it's one of those "if it ain't broke, don't fix it", don't have the time to learn it, but it does support both for monitoring on there. Now in terms of the entire list of every available package, that's all listed right here; there's plenty of them in the list. If you have some other specific thing you want to do... and I know someone's going to ask about Squid and SquidGuard; I have a video on that of why I don't like Squid. It just becomes a headache trying to install certificates
on there, so don't expect me to run a video on, or create a video on, that topic other than my rant about Squid; not a big fan of it. This is also interesting, and I don't use this, but I know there's some use cases people have, is the Telegraf plugin; it is an agent written in Go for collecting, processing, aggregating and writing metrics, package dependencies, et cetera. I've seen a few people talk about this; it's not something I actively do right now, exporting things with Telegraf over to another server for, you know, getting data pushed over if you want to do some external analytics on there. So that's kind of neat that they have it; it's not something... maybe at some future point I'll take a look at it. And if you want the UPS system, for example, to shut down the pfSense when there's a power outage, that is built in as well, so you can, for controlling all APC UPS models, and I believe there's one more plugin that does the same thing called Network UPS Tools, or NUT, and it provides monitoring for uninterruptible power supplies and shuts them down. So that kind of covers it for the plugins. But now where do the plugins show up? Well, that's a little bit more complicated, because the answer is really everywhere. So if you install a plugin that shows up as a service, like ACME certificates or HAProxy or FreeRADIUS, yeah, those are all places those will show up, or the Zabbix agent there. In the case of Traffic Totals, we can go over here to Traffic Totals; that shows up right here. So when you're breaking down some of the graphs and things like that, which by the way, it is normal for this to pause before it loads any of the information in there; that is something that definitely happens when you're doing the traffic graphs. So, all right, and it does, as I said, take a second to load, and here's why: when it renders the page, whatever they're using, how they render it, it's a lot of data on there. So we look at the memory footprint of this particular page, you can see it's one of
the biggest ones here in my task manager here inside of google chrome so it does take a little while to render this and get all the data but it does break down these kind of cool looking graphs of you know data what we're using on each one it's kind of nice i like this plug-in and or package works pretty well now from here i want to go through all the menu so i've covered you know getting set up the packages we use kind of all the other process now i just kind of want to do a general overview of all the features so it's a i just want to make sure this next part is kind of like just that i'm going to talk through everything but not dive into detail on any of them uh just because of brevity and well how far we are in this video so far and i don't use all these features but at least i'll show you that they exist kind of give you a broad sweeping of all the different things in pf sets even though i don't use them these are kind of neat to have and one of the first things i'm going to talk about was going to be bgp now i bring this up because this is a real enterprise little feature there are people who frequently have set these up in data centers at that edge level and have large blocks of ip address are going to handle a bgp so there are a couple different tools in terms of ways you can do this this goes well beyond the scope of the video because i am not a bgp expert that is not it's not something i do with it very often frequently i go through the basics and usually if i'm talking to a data center we'll basically load the plug-in get it set up follow the data center people of hey here's the announcements here's the uh route announced that you need to match in here and go through it i've been thinking about setting up something in the lab to really demonstrate how that works it's a little bit complicated because bgp itself is not a simple task but it's also not something even most business users run into it's more goes into if people have large blocks of ips but i do 
want to bring up the fact that yes pf sense can handle it and netgate has an entire bgp video in terms of you like talking about it and walking you through step-by-step uh the bgp features on there now going back over to i mean you could look at the system here like i said core boot upgrade there's not much to cover in this but we'll walk through some of the other menus and things that are on here and once again things not often used but are had are available in here is things like the interface groups so if you need to create a group of interfaces to apply rules or features to that stability wireless i have a dedicated video for this but once again something i rarely use i did the video for fun i'll be cool if there's some future that they have some better wireless cards are supported in there but for the most part when you're doing especially business wi-fi there's better solutions than popping a card in a single router anyways you usually need something larger more scalable we covered vlans but we didn't cover qinq those are q and q's and it's a specific ieee 802180 standard so it is networking standard informally known as q and q as an amendment to the ieee it was incorporated on the base of that so this technique is also provider bridging or stacked vlans so if you have one of those unusual unique use cases where you need to use stacked vlans for example that's actually something supported in here it's not something i've used or have a video on ppps or point-to-point protocol interface types of for 3g 4g modems that is something built in as well it's not something i've done a video on either they've got some documentation here it's not something we use very often generally speaking if we're going to have a failover device that's 4g it usually provides its own ip address so we just plug it into the secondary lan port and set it up as a failover so that's um i have a video on doing failover so it depends on how the device is but yeah it does have support for 
certain devices in there setting up gre interfaces once you get a feature i don't use very often it's a edge use case but that's built in there as well and if you're not familiar with gre it's a generic routing encapsulation and then the other one next to it a generic tunnel interface those are both supported in here so it's very similar to gre both protocols are means to tunnel traffic between hosts without encryption so gre works at a different it works at the layer so i can encapsulate all the traffic going across and that's something you can you know do on pf sense well like i said this is one of the amazing things is they've got so much built in over time that has been you know put into pf sense that any type of weird use case there's usually a pf sense solution that it can handle that type of thing bridging i've done a video on setting up bridges now bridges are particularly cool because when you take a bridge and set this up and i've done a video on how to do a transparent bridge with cerakata for filtering which is really neat um it basically creates a very customizable switch that you can do all kinds of fun stuff with and really fine tune it so it's neat that it does this you can set priorities and it sees all the networks um you can set rtusp or stp dive through all the protocols set the private ports set port mirroring it's a really neat way to bridge interfaces together for special use cases or in the demo video i do have on this setting up transparent bridging so you can essentially passively watch traffic with something like cerakotta and apply rules to it now i covered nat rule and aliases but there are virtual ips and traffic shaper those are going to be used for a couple things so virtual ips really briefly i've covered those when i've done the ha videos so this does have full ha ability and i have videos on how to set up high availability on here and you're going to build virtual ips virtual repeats are also used for assigning a block of ips to a 
wan address for example so you'll have your primary ip set up the gateway and then you can attach virtual ips you can do it on the lan side you can do it on the lan side there's a couple different options when you do these whether they're a virtual ip for aj a virtual ip shared between more than one device or just assigning multiple blocks of ips to a single interface whether it be lan or when those are all options you can do in virtual ips and then traffic shaper which i have pulled up here now the traffic shaper i've never done a deep dive into there's a video by mark and it's called the comprehensive guide to pf sense traffic shaper the visuals in here i think are really really relevant even though it's not an older version of pf sense what really will stick out if you watch this video is you'll gain a better understanding because he does a great job of explaining how traffic shaping works and that's what i think is a key takeaway from this video matter of fact i think the video is more about traffic shaping in terms of and it doesn't matter about pf sets just in general the first half of this uh hour-long video breaks down all the details on traffic shape matter of fact more than half of it is so this is a great way to learn traffic shaping before it even gets the pf sense for the most part in pf sense the wizard works fine and that is still the video because i don't think i can do one better that's the video i frequently refer people to when i say i want to understand traffic shaping better i'm like i mark i don't know if he produces his videos anymore but this particular one was really good and i'll leave a link to it below but it's obviously it's on youtube it's called comprehensive guide to pfsense 2.3 part 9 traffic shaper and all the animations and everything are great to explain it so that first will give you a good understanding of one the complexities of traffic shaping two um why you should probably just run the wizards and the wizards work really 
good the other thing i do have a video on is how to set up coddle cue limiters and i've got a specific video on this so does the netgate has a hangouts video where they talk about it more in depth that can be a good way to tune it it can be a little tricky to tune them that's one of the reasons they have the wizards in pf sense to run and do this because traffic shaping is a complex topic and i think mark did a great job on that so i'll leave that there now one last thing in a firewall is scheduling if you have a use case for this i don't but i've had people say hey i do this so my kids go to bed at night i have them i have the firewall set to block their computers i have rules that are tied to a specific schedule that's a really cool thing i really do like that a lot the fact that there's a scheduler in there it's just not something i use very often but it's novels as you can see i'm not really going through and using it but hey it's it's pretty cool um if you have that kind of use case now going down the list here i've had a few people ask me to do a more detailed video on like a dhcp server there's really to me it seems so self-explanatory on dhcp you set it up just like i showed earlier in the video but i do like when you go to the log settings in there you can just click the plus and add a static mapping but of note and i'm not going to go any further than this on it but i will mention that with that setup you do want to make sure that you don't try to map things in the middle of the pools that is kind of an annoyance that you can't actually map something so if the pool goes from 100 to 200 for example you can't map something statically at 150 you can map it from 99 below or above that 200 so 201 on up in an ip range i bring that up because there is kind of a workaround for it the dhcp server does support multiple pools and we've had to do this because we had someone who had you know we did a rip and replace to their firewall we put a pf sense in they had 
static mappings in the middle of the pool the workaround is you can create multiple dhtp pools it's actually really easy to do in a dhcp server the simple way to do it but annoying is the fact that i can add a pool from 100 to 149 then start another pool that goes from 51 to 200 and then i can statically map the 150 in between kind of annoying you can't map in the middle of a pool but actually it's i've seen some firewalls they can some firewalls that can't so it's probably better that you don't have things scattered all over the place generally you want to put all your servers in one block or grouping and maybe all your other devices in another and i like to have some level of organization for it but uh when we take over networks it's not always as easy as that of just swapping everything to it makes us happy sometimes we have to deal with what we have because it would be greatly disruptive to do it otherwise now vpn support i've got separate videos i've not done a video specifically on ipsec vpns or l2p in there most of the time you're wanting users to connect if you want users connect openvpn is your go-to it works it's well vetted it's solid that installer allows you to export a single executable run it on a windows computer it works fine in linux as well not the installer but the export file it creates can be imported i've done a video on that of how to import it into like an ubuntu based distribution openvpn is a great go-to for individual computers connecting when you go site to site ipsec gonna be a little faster and works really well so no problem running the ipsec on there and we have had clients who have things like ipsec tied into different cloud services uh we've actually had it's more troubleshooting we've done ipsec tied to other non-pf sense firewalls as part of a requirement for setting up users which includes several healthcare clients we have require ipsec vpns matter of fact one large healthcare provider now has documentation on pf sense that we 
helped make to how to set up pfsense to connect to uh their healthcare system uh it was really easy to set up and one thing about pfsense and we're going to not go in depth on this but something worth mentioning is the logging on it is wonderful matter of fact it's frequently i find when we're troubleshooting the pf sense is where i'll go to the logs one of the ones we had to set up between another firewall the logs i was they're bad they just did not have enough detail to ever tell me why things weren't connecting but by looking through the pf sense logs because they're so extensive i was able to figure that out so that's something that i found really helpful um that there is a lot of extensive logging pf sense but it does have all those vpns and different types if you want on there captive portal now this is also under the services if you want to set up captive portal i might do a video on it at some point in time and once again this is something you can tie in with free radius as well so captive portal free radius and a sign like bandwidth and things like that it's on my to-do list do a video on it i just loathe captive portal it's a only if i absolutely need it any restaurant that thinks captive portal is the way to get more customers no it's a way to get people to get aggravated because they're using an iphone it doesn't like your captive portal and it just skips it and because people generally have good internet on their phones here in 2020 unless they're in an area that doesn't have good internet they won't bother logging in and agreeing to whatever your terms and conditions are that's well proven we even had some commercial restaurants that are franchises that hate the fact that the corporate makes them put a thing in there because it's the number one complaint that oh god they hate the stupid splash page they have to get to with the captive portal and it makes people come and talk to my staff member and this is at a fast food restaurant they actually 
contacted us the franchise owner and we put wi-fi in there which i know is against the franchise i'm imagining but they're like yeah people just want wi-fi and we like having a wi-fi that doesn't make them come up and ask questions to the people all the time that are serving their burgers so captain portal love hate relationship if it's a necessary evil it does exist inside of pf sense and it works as well as captive portal works it's not the fault of um pf sense or any other captive portal they always have problems with phones that's your big hand gift works pretty good when it comes to browsers even windows 10 has gone much better with capture portal understand to redirect it and my android pixel phone works good samsung i don't know what they're thinking they don't seem like captive portal and ios is it that's a random crap shoot of i'm not i'm not an ios user i know they have a lot of trouble with at least my experience has always been they seem to be the more troubled people when trying to get onto captive portal and get signed in but i'm not going to spend too much time dwelling on that it does exist maybe one day i'll do a video on it let's move over here to status these are all the statuses for all the different things going on now these statuses you can get to and i'm going to mouse over right here related status page that's commonality across pf sensor that you'll see so the top of most services also have a related status page where you can see all the leases and things like that or you can go here to the general status page and you can see things like let's look at the queue status you can see what's in the queue what's going across this is for the traffic shaper and there's a lot of different things in your system logs the traffic cap that i showed earlier your gateway status he proxy stats interface stats load balancer monitoring etc now on to diagnostics diagnostics are wonderful in pf sense because of the one i use the most which is going to be your 
pf top i've got some videos where i talk about troubleshooting pf sense i go right to pf top to be able to figure things out all the time it is really helpful in watching and tracing any connections and of course it's got filtering so you can filter for a very specific connection even on a very large network you can narrow things down right away to exactly what you're looking for so i probably use that more than anything else in here but there are things like backup restore command prompt dark stat um i mentioned before dark side give you some stats dns lookup this is kind of neat if you're having a weird dns problem you go here to dns lookup and you can look at this now this is particularly handy if you have a different result than your client and you're remoted into your client you can remotely go in do dns look up on their system okay what does their system say and kind of start pivoting around and looking around in there so that's there's something something that's pretty helpful on there now oddly if you're wondering how to reboot or shut down a pf sense those are located here i always thought they should be under system there's so many other things in here it would be shorter if they were under system but i don't get to make that choice perhaps someone has a hack that moves it over there which would be kind of funny and it's not that i reboot it or halt it very often i just always thought those were misplaced but um the designers think otherwise i'll i'll disagree with them on that um but hey capture this now i have videos on how to do full packet capture directly into wireshark using pf sense and ssh and tunneling all the data over but it also just has the ability to create a pcap file so if you want to filter down which is obviously a better idea than just dumping everything but you can go in here grab a packet capture download the packet capture even on a remote system and a good example this is going to be when you're troubleshooting a voip phone you're 
going to go all right i know the ip address of the phone i don't know why it's not working give me all the data from that phone and filter it to the host even the port if you need to and grab all the data related to it drop it into a pcap file throw it over in wireshark and do the diagnostics great that that's just a default feature built into pf sense more advanced like i said if you look in wireshark and pf sense i have ways you can filter data right out of pf sense right into wireshark uh which is great so that's about it for the diagnostic there's pain and arp and authentication testing there's a lot of little things you can do in here that are just general handy utilities and by the way when you do authentication testing each authentication server you set up whether it's the rad server or radius server called rad server or local database or any other ones you've added especially if you've you know tied in some external authentication this is nice that way if the user can't log in you're like oh that's weird you can try their username password here and test it against one of those authentication servers you set up these are all those little tools that just make your life easier when you're going through and troubleshooting is spend some time going through the diagnostics but like i said when it comes to tracing there's a lot of that oh there is a port test on there for ports are open as well i've suggested people use that quite a bit which is down here test port hostname to look up and this can be internally or externally because before you port map something and someone will go through nat and say hey i want this opened up and it's not working on my lan side i can't seem to get there i'm using some external service i'll jump inside pfsense and look internally and if i find the device isn't responding internally well it's not going to respond externally so once again another great troubleshooting on there now system logs i really like i said pf sensor does a 
good job on this they dump all the system logs out with a lot of detail that is handy when you're trying to troubleshoot especially vpn there's going to be a lot of detail in the vpn there's going to be a lot of detail in the firewall logs make sure if you choose to keep a lot of logs and this is to a tunable setting that you also have enough space for them or and another thing you can do in pfsense push it to a syslog server and currently this is being pushed all to security onion for all the syslog so that is a great way you can do it you can send everything to a remote syslog server or multiple syslog servers if you have more than one place you want to land it this is a way to handle without having a massive drive a place to land all the logs so that is uh definitely feature in here i will comment though i think logs should be in reverse order they default to the newest logs at the bottom to me i always want the newest logs at the top so i don't have to scroll down and the gui log entries defaults to 100 i set it to 200. 
you can set it to higher so you can dump the logs on down the list if it's more helpful to you you can set it a little higher depends on how fast your machine is and how not your pf sense machine but your browser for handling how much gets dumped on the screen at a time so that's kind of a personal preference on there but in terms of show logs at top i do wish that was the default but it's easy enough to change you just do that you can also reset all the logs files and clear them and wipe them all out if you feel the need to do so you can disable writing to local disk i don't recommend it because you usually want some logs on there because logs are your best friend when it comes to troubleshooting but those are some tuning options in there and because it would reveal lots of details uh of names and everything i'm not going to show you all the logs rope a vpn system and everything else but everything does have logs that attempts on there now the last little advanced thing i'll talk about in psense that kind of goes everywhere that you look so let's pull back up like the dhcp server sorry i mean dns server so so we're at services dns resolver general settings we'll scroll down a little bit to custom options now this is something that is persistent throughout pf sense there's easy ways without going to the command line without opening up special config files and adding something on and this is something that survives upgrades reboots etc and it's part of the actual config xml file is custom options and i bring that up because for any particular service they have created a lot of menus but maybe they didn't create that one extra thing you want it to do that one extra parameter that you want to pass on the command line and that on many other systems is either impossible to do on some firewalls or would actually require you to go through and edit some special config file that probably wouldn't survive the next update psense thought of that and they have this option for 
custom options and this like i said through many many of the services have this at the very bottom you can just pass whatever parameters you want to add on in the config file without having to go and go to a command line edit the config file so i like this feature quite a bit and it's once again saved for as part of your xml so it survives updates upgrades and is part of the backup so if you have those weird custom things that somehow they didn't make a menu for which they made a menu for most everything you can then pass those through now in the case of exactly what is this this is the way pf blocker integrates so pf blocker creates a list of the dns blocking information and it wants it added on so you're saying server includes so hey use the config file plus include this config file and passing a parameter along as well alright so that's it for getting started with pf sense and this should hopefully get you started get you loaded you're still going to be debating probably which way you want to do this whether you want to just buy a device or build a device or virtualize it and like i said i mentioned beginning all the different pros and cons of those but this is enough to get you going with it i'm going to make a playlist that i'll leave linked below for any specific topic where i need to go in depth because some of the videos where i go in depth on like openvpn or how to set that up i'm going to build that list down below so i have all the most recent versions because sometimes there's more than one version of those videos i'll make sure i have the most recent one only in the playlist because sometimes i leave the old ones in case you're using an older version or have some reason to reference them they're pretty much still the same but when i remake a video i will cover a lot of the nuances and changes that may come with a new version of pf sense and sometimes is having a time to recreate some of those videos when something changes but you can kind of get 
through if the menus have changed a little bit and see that it might be a little different but it's enough the same that you can get the idea of how it works so good luck uh if you have comments concerns head over to the forums i'll link this over in the forums where i'll actually probably have a list of the videos as well so we can have a more in-depth discussion of maybe what i need to cover next but hopefully it's enough to get you started and get you playing with a pretty outstanding when it comes to features firewall thanks and thank you for making it to the end of the video if you like this video please give it a thumbs up if you'd like to see more content from the channel hit the subscribe button and hit the bell icon if you like youtube to notify you when new videos come out if you'd like to hire us head over to launchsystems.com fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on if you want to carry on the discussion head over to forums.laurensystems.com where we can carry on the discussion about this video other videos or other tech topics in general even suggestions for new videos they're accepted right there on our forums which are free also if you like to help the channel in other ways head over to our affiliate page we have a lot of great tech offers for you and once again thanks for watching and see you next time
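The multi-pool DHCP workaround described in the video (a static mapping is not accepted inside a pool, so the pool is split around it), as an added example that is not part of the original video or of pfSense itself: a small Python helper I wrote that, given the pool range and the addresses that must stay statically mapped, computes the non-overlapping pools to enter, and a check that a planned static mapping no longer lands inside any pool. The 192.168.1.0/24 addresses and the 100-200 pool are constructed sample values; the function names are my own.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Inclusive (first, last) addresses of one DHCP pool, as you would type them
# into the pfSense DHCP Server page.
Pool = Tuple[str, str]


def split_pool(start: str, end: str, reserved: Iterable[str]) -> List[Pool]:
    """Carve the static addresses in `reserved` out of the pool start..end.

    pfSense refuses a static mapping whose address lies inside a DHCP pool,
    so a pool 100-200 with a mapping at 150 has to be entered as two pools,
    100-149 and 151-200.  Reserved addresses outside the pool are ignored,
    duplicates and adjacent holes are handled, and pools come back in
    ascending order.  This is an illustrative helper, not a pfSense API.
    """
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if hi < lo:
        raise ValueError("pool end precedes pool start")
    holes = sorted({a for a in map(ipaddress.ip_address, reserved) if lo <= a <= hi})

    pools: List[Pool] = []
    cursor = lo  # first address not yet assigned to a pool
    for hole in holes:
        if hole > cursor:
            pools.append((str(cursor), str(hole - 1)))
        if hole == hi:  # nothing left after the last hole
            return pools
        cursor = hole + 1
    pools.append((str(cursor), str(hi)))
    return pools


def mapping_conflicts(pools: Iterable[Pool], addr: str) -> bool:
    """True if a planned static mapping for `addr` still falls inside a pool."""
    a = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(s) <= a <= ipaddress.ip_address(e) for s, e in pools)


if __name__ == "__main__":
    # Constructed sample: a pool taken over from another firewall, plus three
    # devices that had been statically mapped in the middle of it.
    keep = ["192.168.1.150", "192.168.1.151", "192.168.1.180"]
    new_pools = split_pool("192.168.1.100", "192.168.1.200", keep)
    for first, last in new_pools:
        print(f"pool {first} - {last}")
    for ip in keep:
        print(ip, "conflicts" if mapping_conflicts(new_pools, ip) else "ok")
```

Enter each returned range as its own pool on the DHCP Server page (the main range plus the additional pools), then add the static mappings; run mapping_conflicts against the final pool list before saving, since a mapping that still overlaps a pool is exactly the case the GUI rejects.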
Info
Channel: Lawrence Systems
Views: 585,669
Rating: 4.9300914 out of 5
Keywords: lawrencesystems, pfsense, pfsense install, pfsense installation, pfsense setup, install pfsense, pfsense hardware, pfsense download, pfsense 2.3, pfsense router, pfsense firewall, 2018 getting started with pfsense, getting started with pfsense, ntel pro/1000 et quad port, tutorial, firewall, pfsense tutorial, pfsense (software), guide, how to install pfsense, router, pfsense 2.4.5, pfsense build
Id: fsdm5uc_LsU
Length: 90min 58sec (5458 seconds)
Published: Fri Aug 07 2020