Configuring pfsense Firewall Rules For Home

Reddit Comments

Oh man, I've been waiting for this sequel to the greatest pfSense tutorial from Lawrence Systems. Tom, the community and I are still grateful wedding photography didn't work out ;-) but all the video skills transferred over to this new gig! You have a very comfortable persona and trusting when you lead us through this.

15 points · u/babakbani · Jan 04 2022

I guess I’m both more and less paranoid :-)

I have the following, where VLANs cannot access resources in a VLAN above it, except for mDNS broadcast and Plex/Emby ports from streamers.

  • LAN, parents' personal computers go here, as well as parents' phones/laptops, as well as admin interfaces.
  • Servers, has access to the internet. No access to any other networks.
  • Kids, network for kids' devices and friends, has access to select IoT devices, Plex and Emby.
  • Trusted IoT, streamers, gaming devices, Sonos, Apple TV, etc.
  • Untrusted IoT, lawnmowers, roombas, “smart” tv, etc.
  • Cameras, no internet access. Only access NVR on relevant ports.
  • Guests.

Funnily enough, my work laptop goes on the trusted IoT network. Not that it matters since it won’t connect to anything except a VPN server at work.

The above networks get squished into 3 WiFi networks: LAN, IoT and Guests. LAN is LAN only, and Kids share with both IoT VLANs, and use MAC-assigned VLANs. That way I can assign VLANs to gadgets, while allowing kids' friends to connect by assigning a default VLAN of "kids". Should an attacker get creative on the IoT networks and change the MAC address, they won't gain much access anyway. Kids can access a few devices on the trusted IoT network, as well as gadgets.

I also keep IDS/IPS running, and also have zero open (TCP) ports (not counting VPN ports), and while I agree that it probably doesn't have much to do in today's world where everything is encrypted, it can still block access to known bad hosts, as well as prevent potential malware on the client networks from calling home. It is, however, only a question of time before malware writers learn to thwart IPS by using encryption, so it (probably) becomes less and less relevant as time passes. You can of course set up an SSL proxy and decrypt everything in transit, but that kinda defeats the purpose of encryption :-)

I switched my DNS to NextDNS, which allows me to assign different profiles per subnet, so each VLAN is running with its own rule set, so should an IoT device attempt to leak DNS information, it will only see what’s exposed to the IoT network.

11 points · u/8fingerlouie · Jan 04 2022

!remindMe 5 days

(I hate videos)

3 points · u/Asche77 · Jan 04 2022

New video from Tom! Excellent!

3 points · u/englandgreen · Jan 04 2022

Thanks for making these videos. I notice you do explicit deny rules for each separate VLAN. Is there any benefit to doing this? I make a rule in each zone (that I allow internet access to) that allows access to everything except RFC1918 address blocks which to me seems less prone to human error.

1 point · u/wookiestackhouse · Jan 05 2022

I'm curious what kind of hardware you're running pfSense on at home?

I have a SG-3100, and while it works wonders, it is EOS with EOL coming up in October. I’m a bit confused about the upgrade path though.

My main usage is internet (of course) with symmetric speeds below 500 Mbit/s, site-to-site VPN between my home and summerhouse (currently running a UDM), as well as road warrior VPN connections.

I don't run IDS/IPS on the SG-3100, and only pfBlockerNG.

I'm pretty set on an appliance, and preferably a plug-and-play one (as in running, not configuring). I have no desire to drive for 2 hours to reboot a faulty AliExpress box :-)

Netgate recommends the SG-2200 as a direct replacement, but as far as I can tell it doesn’t even come with half the performance that the SG-3100 does. Next step up is the 6100, which besides being overkill is also insanely expensive in Europe.

1 point · u/8fingerlouie · Jan 15 2022
Captions
Tom here from Lawrence Systems, and a really popular question is: what are the firewall rules I need to properly and securely set up pfSense for my home? And I'm actually going to be saying "for my home" in the literal sense of my home and the rules I have at my house on my pfSense. Now, I should start with what is on my home network, because that's obviously very relevant: if you have more things, you may need to do things a little bit differently, but I do have the more common questions and the common things that you see at home. I do have a Plex server; well, I've actually got an Emby server and a Plex server, because I kind of like Emby, but either way, a home media server. I also have a TrueNAS, and a NAS is something that's going to be a popular thing to see in the home, because, you know, we got to store all that media somewhere. I also have a Synology in my home. Now, Synology is really nice, and I use it for both media storage and photo backup (which I've covered, Synology backups of using this for your phone), and I've covered, you know, some of the other fun things you can do with Synology, especially the cameras. And yes, I have cameras at my house, another popular thing for home, but I've also talked about UniFi cameras, and you could substitute UniFi cameras and do the same rule sets that I have here; they're going to generally work the same. Now, I also have really not a lot else at my house. I have Chromecast and some of the usual things.

So I'm going to cover what goes on what network, because I think it's a really important aspect and something that's often overlooked, and one of those aspects is, of course, where does the phone go? And I want to cover that part right away: this is an IoT device. I know there's some myth that it's not, because it's my personal phone and we like it so much and we should protect it from the bad people that may be outside of these firewalled walls, but honestly, this is made to be in hostile environments. It's running some of the same or similar software that some of the media casting devices run, and if you want to cast media or use this to control your Chromecast (that'll be an easy example), I highly recommend this be on that same network.

Now let's start diving into and breaking down the actual network rules and functionality of it and how I have all this configured, and I'll talk a little bit about VPNs and rules and all that fun stuff. But first, if you want to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you'd like to support this channel in other ways, there's affiliate links down below to get your deals and discounts on products and services we talk about on this channel.

Now, before we get to the rules, I wanted to cover very quickly here kind of a basic rundown of what goes on what network, and this is all my opinion; feel free to disagree with me down in the comments down below. The gaming systems, phones, guest devices, smart TV, IoT controller, Chromecast, and connections for Emby and Plex: I put all these in this particular network because I want to be able to stream media from Emby, Plex, or maybe my phone to my Chromecast. I actually recently got an Oculus Quest, and it's kind of cool that you can also stream that to the Chromecast. Having those on different subnets, while possible, adds more challenges, and sometimes there's updates that break them, because these devices are looking for things to be on that same network. And I do put these all in the NSFW, or "not safe for work", category, because this is where all the noise and things of these devices bouncing around is. "Guest devices" doesn't necessarily mean guest network; this is more my friends who do have my Wi-Fi password for this network, because maybe they'd like to share something, or we're playing a game together, or they bring their laptop over and we need to, you know, cast something to the Chromecast. And Sonos would be another example. I don't have a Sonos on my network, but this is one of those things where this would go on the network, because you want to play music on your phone; as I said, phones are an IoT device, so the phones go on here, you'll cast it to different music devices, and I just put these all in one place right here.

Now, things these don't have access to, we'll cover in the firewall rules in pfSense and how I set them up, but they're not allowed to talk to this network or this network, and I have specifically put blocks on those networks so it can't, from here, admin any of the other devices.

Then we have this right here. It is referred to as LTS Tom (Lawrence Technology Services, Tom's network). There's really just my work computer on it, that's it; it's really limited on here. We also have the admin interfaces for IPMI and network controllers. Anything that admins the network goes on here. This is also essentially the base network; that is where my UniFi controller and my actual UniFi switches have their IP addresses. All that is all locked down into here: any admin interfaces, or SSH, or any type of access for any of these. So even though I have connections for Emby and Plex over here, the Synology that this actually runs on has limited firewall connections (well, limited by firewall connections within the Synology) that actually has it inside of this network so it can talk to Emby and Plex, and the same thing goes for my TrueNAS, but the admin interfaces are on this network. This is the extra layer of security: so you can easily let all the people come over and visit and be on here, but if for some reason one of these systems goes rogue, or (always the fear that people have with IoT devices) the cloud will send some terrible command to them and make them try to move laterally through your network, well, they're isolated to only finding the other devices over here.

Now let's get down to the cam LAN down here. Now, the camera one's actually really simple; it's not a lot. I'll talk to the internet: these two can talk to the internet; this can talk to the 172 network and talk to the 192 network, but not the reverse. But the cam LAN network can be talked to from the 172 network, but that's it; it's not allowed to reach out to the internet. Once again, Synology has an interface in here. This allows the cameras to talk to the Synology. I do have the ability (and we'll cover those rules in a second here) for the cameras to talk to the pfSense in a limited fashion in order to get NTP, because cameras being all on the same time matters; you want all the timestamps and all that to be the same. So when you issue your DHCP (which we'll cover), you set all the cameras up to be this way, but without any internet access. So your worries of "what about the firmware? It's probably full of bugs and holes in these cameras." I absolutely agree, it's very likely it is. Not having any access, and these only being able to talk to the Synology, and nothing on this 192/0 network gets any internet access, means it's a mitigated risk at that point. They talk to the Synology server. If ever someone were to get on the network and even try to exploit them, you can't do anything from this network; you can't leave this network to go to the internet.

Now, the first rules I want to start with: under Firewall and NAT, of which I have no rules. I don't have anything forwarded for external access on my network, because I do all of that via VPN. Now, mileage may vary for some people; I get it, there may be services you want externally accessible, and that's fine, but when you're trying to reduce to the most secure, it is not opening anything directly to the internet. But if you really need to, obviously you need to and you can't get around it, but if you don't, start with "do you actually need it?" And then we go over here to Rules, and WAN, because this is where I do allow it. Now, you can ignore these top three rules; these aren't really something home users need. This is just allowing the LTS office IP connections; the source is an alias of our public IP addresses, and it filters for those to allow access to, for example, the firewall admin interface and Zabbix monitor, not something a home user is going to need. But these two rules down here, this allows for WireGuard and allows for OpenVPN, because yes, I use both. I have WireGuard set up on my phone and OpenVPN on my computer here at the office, and it makes it really simple to get to all those services that I want to get to without having to deal with port forwards. VPNs are well tested; they've gone through code reviews, so they're a reasonably secure way to do it, and much more secure than opening up a random port to a device on the system that hopefully is patched against whatever problem. Obviously there could be some flaw found in WireGuard or OpenVPN that would allow someone in, but it's just less likely to happen, and even so, finding your way in through one of those only gets you on the network, but only to the next layer, where another username and password prompt has to be met. Just an idea for how to do that.

Over here, my NSFW LAN, not-safe-for-work LAN. Now, the first thing we do is block the firewall, and we have Firewall Service Ports set up as an alias. I set these up as an alias; that way, if I open up or load another service on pfSense that has another port open (and the examples here are going to be 10443 as my web admin and 22 for SSH; another example might be if you load something like Darkstat or other services on here that open up ports), you can just add them to the alias, and because I use this same rule across different subnets, it will apply the same, and I don't have to go edit a bunch of rules. That means all these different devices that connect to here, if something were to happen to them, they can't talk to the firewall admin ports. If a friend comes over and connects to the NSFW network, they cannot try to log into pfSense or SSH into it; it's just blocked at that level. The next block (because the rules are top-down, so you have the block rules at the top): LTS Tom net, that's this network over here, and yes, we want this network to be blocked. So if the source is this network and the destination is this network, if those two things are true, then we block it. Then we have the cam LAN; there's no reason for the NSFW network to talk to the camera network, not needed, so you block that traffic as well. And I did a video on this: this is setting up a privacy VPN, so this is routed out over PIA. You create an alias, and I'll leave a link to that whole video of setting up privacy VPNs, and I can say anything I throw in this alias, route it out over that particular network, so you throw devices in there on an as-needed basis. And then once all those rules are matched, and anything that needed to go out through this particular VPN is going out through that VPN, the final rule, which is where everything else falls under: go ahead and allow it. And because it's at the bottom, it has to pass through all the rules that are on the top.

Now, cameras. Cameras are a big topic. One: I blocked, once again, the Firewall Service Ports. Then we have the cam LAN net address. The cam LAN net address says from the cam LAN network, and to cam LAN address, which means the firewall itself: you're allowed to talk as long as it doesn't match these ports here. So you can talk to DNS. I could put an exclusion in for DNS, but it doesn't matter to me that the cameras have the ability to look up DNS, because it just doesn't matter to me, and if I ever needed to put certain DNS aliases in, I like having pfSense be the DNS, because having DNS resolution does not get them out to the internet still, because this will not allow this to give a destination up out to the internet. This does allow the cameras to get their DHCP reservations, grab all that information, including NTP, which I have enabled. So you go to Services, NTP; I have this enabled inside of here, and this allows the cameras to stay in time synchronization, so it makes it really nice. They're all synchronized, working, and they have no access to the internet. Because those cameras, yes, I have a random grouping of cameras on there; I'm positive the firmware has holes in it that have been discovered or yet to be discovered, kind of depends. But because there's no way to get to these cameras, it's not really an issue. The only way that these cameras, and it's all on the same subnet, is one of the network interfaces for the Synology has a static IP address within this network, and because it's all within the same subnet, that means it doesn't traverse the pfSense system itself, and everything stays on this network. So cameras have no access, and nothing from NSFW LAN can talk to them, and I don't want to talk to them from the LTS Tom network, so there's not really much the cameras can do.

Back over here, we'll cover this briefly. This is testing and outside of scope of this. I usually create on my networks (and I have them in my office as well) the VLAN 1337, which is usually a lockdown network for testing, and I leave it with no rules by default. And when I'm doing some lab demos (you may have seen that in a couple demos) where I'll put something on that particular network for whatever reason, I create the rules on an as-needed basis, and when I'm done with a project, just out of good security hygiene, I delete the rules, not to leave anything open to whatever I was testing there. So, out of scope of this.

Then here comes the LTS Tom network. LTS Tom says first: does anything on this network need to route out over PIA VPN? And I have the same rule, but these aliases only really apply because they're in the range of NSFW LAN, but that way the rule is the same, and if I have something on my network I want to send out, that's easy enough to do. Next one is just simply allow all. Now, because of the lack of devices on here, other than, once again, the Synology (it has four interfaces in total, so we've got one interface set up with an address in here, one set up with an address in here, and one set up with an address in here), it's not like I have to do any special rules for those. This allows all those devices to do all their talking, and I put the firewall on the Synology itself to limit its ability to talk, even though it has a network in each of these. For example, the DSM interface is only accessible from the LTS Tom network. It's not something I'm doing inside of here; it's something you could force everything through this by putting all things routed, but then I would end up routing my cameras through it. For example, if I only had the Synology over here and told my cameras to reach through here, this kind of puts an undue tax on the pfSense, where everything will be routed through it. It's always best to keep things on their own subnet, and then for each device (and this also goes for my TrueNAS, where I have it limited in scope: it can only do admin things on the LTS Tom 172 network; it has an interface over here for file sharing, but there's no admin on it, so I've just locked that down), you just do that inside of each specific device. In the case of TrueNAS, you bind the management interface only to the network interfaces that are in each one of these subnets, just to keep it really simple.

And that's really it. It's all about essentially following principles of least privilege: keep everything very narrow in scope. And because the only other things on here are all the different admin interfaces for the devices I have, I've narrowed down and kept limited the risk factor of what happens if something from the NSFW LAN goes rogue and tries lateral movement. Well, it only finds all the other NSFW things; it doesn't find firewall ports; it doesn't find the IPMI login interface for some of my devices that are all on the LTS Tom network. And the LTS Tom network just really has my work laptop on there for when I work from home, and it's, you know, kind of lonely and isolated there; it only has the other management devices to talk to, but that's perfectly fine, and that's good and secure.

Now, a few final things that I do have running is, like, pfBlocker; I've covered that in previous videos. I've also covered Suricata. Now, when it comes to home, Suricata may be a little bit more extensive; it all depends on how much troubleshooting you want to go through. I can leave a link to that video, but when you don't have any ports open, you're not trying to scan and filter for a series of inbound connections. Suricata doesn't really have much to do on a home network like this, where it just has a lot of mostly encrypted outbound connections, which mostly makes it flag some false positives, or it's just blind to a lot of things going out there. So it's not something I necessarily recommend for home users; it's a little overkill, not necessary, and not likely to be incredibly helpful from a home user standpoint. But if you are getting into security network engineering, I think it'd be great to have from a learning experience. But if you're just a home user that wants to get things basic set up, secure set up, a couple subnets, this is the way to do it. I do have other videos, and I will of course in the future make some newer ones to relate to changes to the latest version of pfSense and the latest version of UniFi, because yes, at home I am running UniFi switches and UniFi access points. So I have the videos that I'll link down below, either the latest ones or the older ones that I have, depending on when you're watching this video, that will give you an idea of how to set up VLANs in pfSense and different subnets and different networks. I have links down below to pfBlocker and Suricata, as I said, so hopefully this will kind of get you building blocks to set up your network and get things secure. Leave your questions and comments down below, and head over to the forums for a more in-depth discussion. Thanks.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and look forward to hearing from you.
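The transcript describes three interface rule sets (NSFW LAN: block the Firewall Service Ports alias, block the admin VLAN, block the camera VLAN, then allow the rest; cam LAN: only the firewall's own address is reachable; LTS Tom: allow all), and the comment from u/wookiestackhouse asks whether one "allow everything except RFC1918" rule would do the same job with less room for error. The following toy evaluator, an added example and not code from pfSense or from Lawrence Systems, models pfSense's first-match, top-down evaluation with an implicit default deny and runs both styles over the same constructed packets so the difference is visible. All subnets, interface addresses and sample packets are made up for the example; only the admin ports 10443 and 22 and the rule ordering come from the video.

```python
"""Toy first-match evaluator for the rule-set styles discussed on this page.

Added illustration, not code from pfSense or from Lawrence Systems. Every
subnet, interface address and packet below is constructed for the example;
the only values taken from the transcript are the admin ports 10443 and 22
and the rule ordering (explicit blocks on top, allow-all at the bottom).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subnets standing in for the VLANs described in the video.
NSFW_NET = ipaddress.ip_network("10.0.50.0/24")     # phones, Chromecast, guests
LTS_NET = ipaddress.ip_network("172.16.10.0/24")    # admin interfaces, work laptop
CAM_NET = ipaddress.ip_network("192.168.20.0/24")   # cameras, no internet
NSFW_FW_ADDR = ipaddress.ip_address("10.0.50.1")    # pfSense address on NSFW LAN
CAM_FW_ADDR = ipaddress.ip_address("192.168.20.1")  # pfSense address on cam LAN

# The "Firewall Service Ports" alias from the transcript: web admin and SSH.
FIREWALL_SERVICE_PORTS = {10443, 22}

# RFC 1918 ranges, for the commenter's "allow everything except private" rule.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                         # "block" or "pass"
    dst: object = None                  # network, address, list of them, or None = any
    dst_ports: Optional[set] = None     # None = any port
    negate_dst: bool = False            # True means "destination NOT in dst"
    name: str = ""

    def matches(self, dst_ip, dst_port):
        if self.dst_ports is not None and dst_port not in self.dst_ports:
            return False
        if self.dst is None:
            return True
        targets = self.dst if isinstance(self.dst, list) else [self.dst]
        hit = any(dst_ip == t if isinstance(t, ipaddress.IPv4Address) else dst_ip in t
                  for t in targets)
        return hit != self.negate_dst


def evaluate(rules, dst_ip, dst_port):
    """First matching rule wins, as on a pfSense interface tab; traffic that
    matches nothing hits the implicit default deny."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action, rule.name
    return "block", "default deny"


# NSFW LAN as described in the transcript: block firewall admin ports, block the
# admin VLAN, block the camera VLAN, then allow whatever is left (internet).
NSFW_RULES = [
    Rule("block", NSFW_FW_ADDR, FIREWALL_SERVICE_PORTS, name="block firewall service ports"),
    Rule("block", LTS_NET, name="block LTS Tom net"),
    Rule("block", CAM_NET, name="block cam LAN"),
    Rule("pass", None, name="allow everything else"),
]

# Cam LAN as described: no allow-all at the bottom, so only the firewall's own
# address (DNS, DHCP, NTP) is reachable and the internet falls to default deny.
CAM_RULES = [
    Rule("block", CAM_FW_ADDR, FIREWALL_SERVICE_PORTS, name="block firewall service ports"),
    Rule("pass", CAM_FW_ADDR, name="allow cam LAN address"),
]

# The alternative from the comment thread: one pass rule to any non-RFC1918
# destination, with no per-VLAN block rules at all.
RFC1918_RULES = [
    Rule("pass", RFC1918, negate_dst=True, name="allow to non-RFC1918"),
]


def compare(rules_a, rules_b, packets):
    """Return the (dst_ip, dst_port) pairs the two rule sets decide differently."""
    return [(ip, port) for ip, port in packets
            if evaluate(rules_a, ip, port)[0] != evaluate(rules_b, ip, port)[0]]


# Constructed sample traffic from a device on the NSFW LAN.
SAMPLE_PACKETS = [
    ("10.0.50.1", 10443),     # pfSense web admin
    ("10.0.50.1", 53),        # pfSense DNS resolver
    ("172.16.10.5", 443),     # an IPMI interface on the admin VLAN
    ("192.168.20.10", 80),    # a camera
    ("93.184.216.34", 443),   # a public web server
]

if __name__ == "__main__":
    for ip, port in SAMPLE_PACKETS:
        print(f"{ip}:{port:<6} explicit-blocks={evaluate(NSFW_RULES, ip, port)}"
              f"  not-rfc1918={evaluate(RFC1918_RULES, ip, port)}")
    print("differ on:", compare(NSFW_RULES, RFC1918_RULES, SAMPLE_PACKETS))
```

The two styles agree on every sample packet except one: the single "allow to non-RFC1918" rule also blocks the VLAN from reaching pfSense's own address for DNS (and NTP), because the interface address is itself a private address. That is the practical caveat to the commenter's approach: it needs an extra pass rule to the firewall's own address (or to an alias of the services you want), placed above the catch-all, and the Firewall Service Ports block still belongs above that. The explicit-block style in the video reaches the same end state by listing what must not be reachable, which is more rules to maintain but keeps the firewall's DNS and NTP reachable by default.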
Info
Channel: Lawrence Systems
Views: 89,812
Keywords: LawrenceSystems, pfsense firewall, pfsense tutorial, pfsense firewall rules, pfsense vlan, firewall rules, pfsense (software), pfsense home firewall rules, secure home firewall rules, secure home network, secure home network setup, network security
Id: bjr0rm93uVA
Length: 17min 27sec (1047 seconds)
Published: Wed Dec 29 2021