A comprehensive guide to pfSense Pt 7 - Firewall Rules, NAT, Aliases, UPnP

Reddit Comments

Not strictly an unRAID video. But for you guys running pfSense on your network as a physical box or as an unRAID VM. This video talks about firewall rules, port forwarding, Aliases and UPnP.

Hope you find it useful :)

......got some great unRAID video projects coming in soon :)

6 points | u/spaceinvaderone | Jul 17 2018

This is great, thank you!

1 point | u/FrozenWineCloud | Jul 20 2018

Thank you!!! This was really good and helpful information.

1 point | u/Blindside995 | Jul 22 2018
Captions
Hi there and welcome to this video. This is the seventh part in a series of tutorials on pfSense, and in this part we're going to be looking at firewall rules, so let's get to it.

Right, so basically in this video we're going to be looking at firewall rules and how to use and create them in pfSense. So first let's look at the pfSense web UI. What we're going to be looking at today is under the Firewall tab at the top here, so let's look what's in here, and here we can see the following: Aliases, NAT, Rules, Schedules, Traffic Shaper and Virtual IPs. Now we're not going to be looking at traffic shaping in this video, and neither are we going to be looking at virtual IPs; that's all coming in future videos. But basically, traffic shaping is controlling the flow of your traffic, and it's used for things such as bandwidth control for various things on the network, and virtual IP addresses are used for things such as pfsync and CARP, which are used for firewall syncing and redundancy. The topics covered in this video, we're just going to be looking at the following. We're going to be looking at aliases, and then we're going to be looking at NAT, which is network address translation, which is where we do things such as port forwarding etc. Now I'm sure you're all familiar with that from your regular ISP routers that you've used in the past. Also, in the same vein as NAT, we're going to be looking at UPnP in pfSense, and of course we're going to be looking at rules, creating rules which control the flow of traffic, such as where the traffic can flow between one interface and another etc., and we're going to look at schedules, which is just where we create time schedules for when we want these rules to run. Now throughout this video I'm going to try and give little examples of practical uses for these features as we go along, but one of the examples is kind of a follow-on video to this, which I've decided to separate into its own video, really just so it's easier for people to find it if they're searching on YouTube for that use case. So what is that use case? Well, it's how to configure the firewall for online gaming with consoles. Many people using PS4 and Xbox One have trouble with strict NAT affecting their online experience, and also people with multiple Xboxes on the same connection can have trouble playing in the same online games together. Setting that up correctly uses a lot of the things that we're looking at in this video, so it seems a natural supplement to that, and you can watch it here.

Now before we start I'm just going to head over to the Interfaces section. I'm now going to add two new interfaces which we're going to use for this video. You can see here at present I've got three interfaces, one LAN and two WAN interfaces. Now please just ignore the second WAN interface, as we won't be using that today; the second one is actually a USB 4G data dongle that I can use as a failover should my main one go down. So first I'm going to add an interface for all my Internet of Things devices to go on, and you can see here I'm actually using a VLAN for this interface, not a physical interface, but that doesn't matter, you can use either. I'm not going to be going into VLANs in this tutorial; that'll be a later tutorial. Obviously I don't want this to keep the default OPT name, so I'm going to name it IOT, and I'm going to give it an IP address of 192.168.0.0. Save the settings and apply them, and then add the next interface. This one I'm going to call VM network and give it a separate IP address again. Right, so we have two new interfaces, so now we need to enable a DHCP server on each. I'm going to fast-forward through this quickly as it's been covered in earlier videos. OK, so now our two new interfaces are created and configured, so let's head over to the Firewall > Rules section and take a look there.

Let's look at the IOT interface. Now by default when we create a new interface it has no rules created at all, and when there are no rules on an interface all traffic is blocked by default; that's just the default setting. The rules that we add will then allow the flow of traffic. So there are no firewall rules for newly created interfaces, but the original LAN interface, when pfSense is installed, does have some rules created, so let's look at those. The first rule here is the anti-lockout rule. It just makes sure that we can always access the pfSense web UI no matter what rules we may create or even delete later, so this rule is basically our safety net to be able to always access pfSense. That's why it's at the very top of the list, and we can't edit it and we can't move it up and down. Firewall rules in pfSense work from the top down: the rules at the top are checked first; if there's a match then that rule will be acted upon, but if there's no match pfSense will then move down to the next rule and check that, and so on. So the order of rules is very important. The next rules underneath are the default allow LAN to any rules, the bottom one here being the IPv6 rule. Because I'm not using IPv6 on my firewall, let's just ignore that rule and instead let's take a close look at the standard default allow LAN to any rule. So let's click on here where it allows us to edit and view the rule. The first thing to notice here is the rule's action; note it's set to Pass, so this will allow traffic through. Now the next thing here is the interface, and that's set to LAN; that's the interface the rule is bound to. Underneath here the address family is set to IPv4. Then under that we've got the protocol, which is set to Any, so all of these protocols will be passed through. Now the next thing to notice here is the source, and it tells us here that it's set to LAN net, so the source is the whole LAN subnet, so the computer that I'm on now is on the LAN net; my computer is in that source range. Now let's look underneath there. Next we've got destination, and we can see that's set to Any, so this means that devices on this interface, the LAN net, can go anywhere. Yes, they can go to the internet, but also they can access all the other interfaces as well. Now if you remember when I created the Internet of Things interface I gave it the IP of 192.168.1.1, and we can see here that I'm connected to pfSense's web UI with the IP address 10.10.20.1, and the IP address of my computer, well, is 10.10.20.100, but I can put the IP address of the IOT interface, 192.168.1.1, into my browser and I can access pfSense on that IP address. That's because the destination is set to Any, so even though the IOT network doesn't have any rules I can still connect to it when I'm on the LAN. But at the moment any device that's connected to IOT, well, they can't go anywhere because there are no rules defined, so let's create a rule for IOT.

Now we can add a rule by using this button here, which will add the rule to the top of the list, or we can add a rule by pressing this button here, which will add it to the bottom of the list. Well, as there are no rules here at the moment it doesn't really matter, so I'm going to click on add to the top of the list. Now we have to choose an action, and it's going to be Pass, but let's talk about what these other options do as well. Block obviously blocks any traffic, not allowing it to pass through. It does this silently; what that means is it doesn't send any message back to say that the traffic's being blocked. This other option here, Reject, also blocks the traffic, but it sends a message back reporting that it's being blocked. Now normally we wouldn't want to do this; we'd want to only use Block, the reason being that when a message is sent back when a packet is rejected, that lets a potential attacker know that there's a firewall there, so it's always safer to use Block. So why would you want to use Reject anyway? Because when you send a message back saying that the packet's being rejected, the program doesn't have to time out waiting for a response; it knows straight away. But again, anyway, for normal purposes if you want to block traffic we always use Block, and if you want to pass traffic we use Pass. Now let's look under here: we can disable this rule if we just want to make the rule and not use it right now, or we've got a rule that's running and we want to disable it but not delete it. Here again we've got our interface, and the interface is set for IOT, which is what we want. Again we want IPv4, and the protocol we're going to set to Any, and now this time for source we're going to have IOT net, so anything on the IOT subnet, and the destination again, as before, is Any. Now always give your firewall rules a description or you'll forget what they are, and then once you've created the rule click Save, and after making any firewall change you must click on Apply Changes. OK, so this rule is exactly the same as the default LAN one here. If you remember, when we're on the LAN net we can actually access all of the other networks, so because all of my Internet of Things are going to be on this network I don't want it to be able to connect to anything that's on my main LAN, so this rule is no good for that. So let's go back to the rule and see how we can change that. Let's go down to our destination, and you can see we've got a tick box that says Invert match. Now we want to tick that, and for the destination now I'm going to select LAN net. So now what the rule says is the destination is anywhere except for, and that's what this invert match is, except for LAN net. So that means now the traffic will be passed through over interface IOT, protocol any, from IOT net to anywhere else except for the LAN net, so that basically keeps these two networks separated. So I'll update the description and click Save. Now you can notice here there's an exclamation mark in front of LAN net; that just tells us that the destination is anywhere except LAN net. But again, this rule is all well and good, but what happens if we want the IOT to also not be able to go on to our VM network here? Well, we can do that as well, but this is when we have to start using aliases.

So now let's go ahead and create an alias for the VM network and the LAN network. Let's go up to Firewall and click on to Aliases, and here on the alias page you can see we've got IP, Ports, URLs and All. Well, obviously All is all of these here, but we can create aliases for IPs and ports. This one here, URLs, allows us to point pfSense to a web address where we can download files from a URL that can contain lists for our aliases, but for our purposes now we're going to use an IP alias. So let's click on to Add, and the type, right up in the drop-down, on to Network(s), and we need to give it a name. I'm going to call it nan_IOT; I'm using an underscore because we can't use spaces in the alias name. For the description I'm just going to call it LAN and VM net. So now we have to put in the subnet of both the LAN and the VM network. To easily find out what that is I'm just going to go to Services and in a new tab I'm going to open the DHCP server, and we're on LAN and the subnet there is 10.10.20.0, so I'm going to copy that and go back to the aliases page and put that in here, and the type of network is a forward slash 24, so we want to select that, and the description obviously is LAN net. Now this is when we need to add the second network, the VM net one here, so let's go back to the DHCP server and let's look on VM net, and here's our subnet here, 192.168.0.0. Copy that, paste that in, and again forward slash 24 and VM network net. So now let's click on to Save to save that, and again Apply Changes, and now you can see we've got our alias named nan_IOT for these two subnets. So let's go back to our firewall rules and back to IOT. Now let's edit this rule. Let's go to our destination, and now we want to choose Single host or alias so we can select the alias we just created. Then let's start typing and we'll see the list of aliases come up, and this is the one I want to choose, so scroll down and click Save and Apply Changes. So now this time the IOT subnet's destination is anywhere but the nan_IOT alias, which is LAN net and VM network net, so now IOT net can't go on any of my other local interfaces. OK, one thing I forgot to do is actually change the description, so let's just do that now just to be proper, and I'm going to put VM net in it as well and say OK, so the description is correct.

So we've made a pass rule; now let's make a block rule. Let's do that on the LAN subnet, but before we go making any block rules I'm just going to connect to the IP address on the LAN. At the moment I'm connected to 192.168.1.1 to connect to my pfSense box, which is actually connecting through this subnet here, so I'm going to go back to the original LAN one, and now we're back at the same page. So what I'm going to do is I'm going to make a rule that's going to block traffic on port 80, so that will block any non-secure website, any standard HTTP website. If you just open this tab here and go to the website London.com, this website's standard HTTP, and at the moment it displays fine. Let's go back to our firewall, and we're going to add a rule above this default allow LAN to any rule, so I'm going to click on this green button here. For action, obviously this time we want Block; the interface is correct, LAN; the address family IPv4 and the protocol TCP; the source Any and the destination Any, but we want to match the port, so we can choose HTTP here, and for the description I'm just going to call it block port 80 and click Save. OK, so now let's apply the changes. Now if you go back to this tab here and let's try and connect to London.com again, now we can see we're not going to connect because port 80 is blocked. OK, so let's get back to our firewall. Now let's look at the anti-lockout rule here. The reason I can still actually access the firewall is because there is an anti-lockout rule, so I'm using HTTP to connect to my firewall and this anti-lockout rule here is allowing port 80 to go through to the LAN address 10.10.20.1, so I'm not locked out. However, this rule is only letting traffic through to a LAN address and not an address on the IOT, so basically I'm not going to be able to send anything on port 80 to here. So now if I open another tab and I want to go to the web UI of pfSense on that IP, this time I'm not able to do it. That's because the computer I'm working on now is connected to this subnet, and because all TCP traffic over port 80 is blocked unless it meets the criteria of the anti-lockout rule here and is going to 10.10.20.1. So I hope that makes sense. So you can see that the order of rules is really important. If we were to move this rule here underneath the default allow LAN to any rule, then this rule isn't going to work, because this rule is a very general blanket rule passing all of the traffic to any destination. So let's test our block rule again, but first we must click Save and Apply as we changed the order in the firewall. So now if we go back to this page here and refresh the page, we can get back on to the pfSense web UI through this IP, and also if we go back to London.com you can see we can access this because port 80 now isn't being blocked. So always really think about the order of your firewall rules if you're having a problem with a rule not working, because it may well just be that it's in the wrong order. One thing to notice with how the rules are displayed: you'll see on the left-hand side some of the rules have a tick and there's one there with a cross. Well, the firewall rules with the tick are pass rules and the ones with crosses are block rules, so it's really easy to see. Anyway, I don't want this rule, so let's delete it. So anyway, the lesson to be learned here is more specific rules should always be above the more general rules.

So there's one thing I haven't talked about in the rules, and that's floating rules, that you can see here. Now floating rules are a special type of rule which probably, for most people, you won't need to use; however, if you do use the traffic shaper then you'll find a lot of floating rules will be automatically created. Now floating rules are different to the other firewall rules and as such they're more complex; the way they're processed is also different to other rules. A normal firewall rule, as you know, is matched on a first-seen basis; however, floating rules are matched on a last-seen basis, so only if there are no other rules in the normal set which also match. However, this can also be overridden, so let's take a look at the options we have. The first I'm going to look at here is this setting saying Quick. Now if we check this, and this is the exception I was talking about earlier, if this is checked then the floating rule is matched on a first-seen basis. Another thing that floating rules can do is they can act over multiple interfaces, and also floating rules can match traffic coming both in and out, whilst a normal firewall rule will only match traffic coming in. OK, so that's enough about floating rules.

Now let's move on to NAT and let's look at port forwarding. Now there are many reasons why you might want to forward a port. Maybe you've got some security cameras on your network, or maybe you or a friend or family member want to have external access to your Plex or your Emby server. I'm going to port forward so I can have access to my Emby server from outside, and here I've just jumped over to the configuration on my own Emby server, and we can see here this is the remote address and it's on port 8096, and obviously clicking on it does nothing. So let's go to Port Forward and let's add a new rule. Now the interface is always WAN, and for protocol, try to be as strict as you can: if you need TCP then don't choose TCP/UDP, keep it as small as you can. I need TCP for Emby, and the destination is WAN address, so we leave that as is, and here we have the destination port range, and here I'm gonna put in 8096 as my from port, and the to port also is 8096. Now if you need to, you can open multiple ports by putting the start port in here and the end port here. Now for redirect target IP I'm going to put in the IP address of the server running Emby, and again we need to put the port number in again; this is 8096. For description I'm going to put in Emby, and I'm going to click Save and Apply Changes. Now if I go to my cellphone and see if I can connect to Emby, I can, so that's good. Let's just go back here, and if I try and access the WAN address from on my network it doesn't go through, but we can fix that. Let's go back to our port forwarding rule and click on Edit. Now if we scroll down to the bottom we have something here called NAT reflection. Now NAT reflection is also known as NAT loopback and NAT hairpinning, and basically what it does is allow us to access local services via the WAN address without actually leaving the LAN. Now there are two different types which we can enable here, and I'm going to enable NAT + Proxy and click on to Save and again Apply Changes. Now I'm going to go back to the Emby server and try and connect through the WAN address, and now I can connect absolutely fine. Now NAT reflection is also useful when we've got multiple games consoles on our internet connection, but we'll be looking at that more in the next video. So now we've created our port forwarding rule. If we click on Firewall and go to Rules we can see here the corresponding firewall rule's been created. OK, so let's go back to our port forwarding and let's edit this rule again. Now if we scroll down here you can see here Source. Now normally we wouldn't adjust this, but if we click on Display Advanced then you can here specify the source. Now, have you ever given your Plex or Emby details to a friend only to find he's told his brother, sister and even his dog the details, and they can all log in? Now I don't like that, so this is where we can restrict the rule to specific IP addresses only. So if we set the source to Single host or alias, now we should be able to put something in here, but I found that that doesn't happen until we actually click Save, and then it comes up with an error and then the source box is actually open, so we can put in an IP address here if we knew our friend had a static IP address. If they haven't, then we can set up an alias and we can set up a dynamic DNS tracker, so we get them to set up something like a Duck DNS account or a No-IP account and make a host name, maybe spaceinvaderbro.hopto.org and spaceinvadersis.hopto.org. So get your friends and family to set up a dynamic IP tracker and tell you what their host names are, go to Aliases and add a new alias. I'm gonna call this family, with a description of the users, and so now we put in the first dynamic host name, spaceinvadersis.hopto.org, and I'm going to call that sister, and then click Add host, so now put in the next dynamic host name, spaceinvaderbro.hopto.org, and call that one brother, and now click Save and Apply Changes. Now let's go back to that rule we were editing for the port forwarding, so now we can put our alias in here, Save and Apply Changes, and so now the only people that can access my Emby server are my family, using the dynamic IP trackers to associate their IP address.

OK, and just to finish off this video we're just going to quickly look at UPnP. So let's click on Services and go down here to UPnP, and we can enable it here. UPnP stands for Universal Plug and Play, and this allows devices on the network to automatically ask the router to open ports when needed. Now this is very convenient, but it also has its problems and can have vulnerabilities, and this is why it isn't enabled by default on pfSense. Now the external interface which it runs on is always WAN, and we can additionally choose which interfaces it's going to run on. Now I'd never run it on the same subnet as my Internet of Things devices, because I just don't trust them. Now we can make UPnP a little bit safer in pfSense if we tick the Default deny box here, and what this does is it sets the default to deny devices access to UPnP unless they're specified here below in this box, ACL entries. But if you want all devices to be able to have access to UPnP you just uncheck this and click Save. Now if we go back to the main page of our pfSense box we can see the UPnP service is running here. We're going to be using this feature a lot more in the next video when we set up all our gaming consoles in pfSense, but for today that's the end of this video. It was quite a long one, and I hope it was interesting and you found it useful. If you did, then it'd be really great if you could take a moment just to hit that like button and subscribe if you're not already, and I just want to give a big shout out and a huge thank you to the guys who make these videos possible, so all of my patrons and supporters out there, I just can't tell you how much your support means to me. Anyway, I'm gonna sign off now, so whatever you're up to for the rest of the day I hope it's good and I'll catch you in the next video.
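As an added illustration that is not code from the video or from pfSense itself, the following Python model reproduces the behaviour the captions walk through: top-down first-match evaluation on the ingress interface, default block when nothing matches, an alias expanding to the LAN and VM subnets, "Invert match" on the destination, and why the block-port-80 rule only works when it sits above the default allow LAN to any rule. The subnets follow the tutorial; the IOT subnet (192.168.1.0/24), the rule objects and the simplified anti-lockout rule (TCP/80 to the LAN address only) are constructed assumptions.

```python
"""Toy first-match evaluator for pfSense-style interface rules (added example,
not pfSense code). Models the tutorial's semantics: rules are checked top-down
on the ingress interface, first match wins, no match = block, an alias expands
to several subnets, and "Invert match" on the destination means "anywhere except".
Subnets mirror the video; the IOT net is assumed to be 192.168.1.0/24."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "any"
# Constructed alias holding the LAN and VM network subnets from the tutorial.
ALIASES = {"nan_IOT": ["10.10.20.0/24", "192.168.0.0/24"]}

@dataclass
class Rule:
    action: str                     # "pass", "block" or "reject"
    interface: str                  # interface the rule is bound to
    proto: str = ANY                # "any", "tcp" or "udp"
    src: str = ANY                  # "any", CIDR/host, or an alias name
    dst: str = ANY
    dst_port: Optional[int] = None  # None = any port
    invert_dst: bool = False        # pfSense "Invert match" on the destination
    descr: str = ""

@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int

def _addr_matches(spec, addr, invert=False):
    """Match addr against 'any', an alias name, or a CIDR/host string."""
    if spec == ANY:
        return True  # "any" always matches; invert on "any" is not meaningful
    nets = [ipaddress.ip_network(n, strict=False) for n in ALIASES.get(spec, [spec])]
    hit = any(ipaddress.ip_address(addr) in n for n in nets)
    return not hit if invert else hit

def evaluate(rules, pkt):
    """Return (action, descr) of the first matching rule, else the default block."""
    for r in rules:
        if r.interface != pkt.in_iface:
            continue
        if r.proto != ANY and r.proto != pkt.proto:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dport:
            continue
        if not _addr_matches(r.src, pkt.src):
            continue
        if not _addr_matches(r.dst, pkt.dst, r.invert_dst):
            continue
        return r.action, r.descr
    return "block", "default deny (no rule matched)"

# Rules constructed to mirror the tutorial. The anti-lockout rule is simplified to
# TCP/80 towards the LAN address; pfSense's real one also covers the HTTPS port.
ANTI_LOCKOUT = Rule("pass", "LAN", "tcp", ANY, "10.10.20.1/32", 80, descr="Anti-Lockout Rule")
ALLOW_LAN = Rule("pass", "LAN", descr="Default allow LAN to any")
BLOCK_80 = Rule("block", "LAN", "tcp", ANY, ANY, 80, descr="block port 80")
IOT_RULE = Rule("pass", "IOT", ANY, "192.168.1.0/24", "nan_IOT",
                invert_dst=True, descr="IOT to anywhere except LAN/VM net")
LAN_ORDERED = [ANTI_LOCKOUT, BLOCK_80, ALLOW_LAN]     # specific block above general pass
LAN_MISORDERED = [ANTI_LOCKOUT, ALLOW_LAN, BLOCK_80]  # block sits below and is never reached

if __name__ == "__main__":
    web = Packet("LAN", "tcp", "10.10.20.100", "203.0.113.10", 80)  # constructed HTTP flow
    print("ordered:   ", evaluate(LAN_ORDERED, web))     # ('block', 'block port 80')
    print("misordered:", evaluate(LAN_MISORDERED, web))  # ('pass', 'Default allow LAN to any')
    print("iot->lan:  ", evaluate([IOT_RULE], Packet("IOT", "tcp", "192.168.1.50", "10.10.20.100", 445)))
```

Running it shows the same HTTP flow blocked under the ordered rule set and passed under the misordered one, while the anti-lockout destination 10.10.20.1:80 passes in both.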
Info
Channel: Spaceinvader One
Views: 34,726
Rating: 4.9759035 out of 5
Keywords: pfSense, pfsense tutorial, pfsense port forwarding, pfsense aliases, pfsense firewall rules, pfsense floating rules, pfsense nat, pfsense nat reflection, nat reflection, port forward, plex pfsense, emby pfsense, unraid, spaceinvaderone, spaceinvader one, vm, pfsense vm, unraid vm, unraid pfsense, pfsense upnp
Id: xB8ssY8Cunk
Length: 26min 28sec (1588 seconds)
Published: Mon Jul 16 2018