Configuring pfsense Firewall Rules For Home
Video Statistics and Information
Channel: Lawrence Systems
Views: 89,812
Keywords: LawrenceSystems, pfsense firewall, pfsense tutorial, pfsense firewall rules, pfsense vlan, firewall rules, pfsense (software), pfsense home firewall rules, secure home firewall rules, secure home network, secure home network setup, network security
Id: bjr0rm93uVA
Length: 17min 27sec (1047 seconds)
Published: Wed Dec 29 2021
Oh man, I've been waiting for this sequel to the greatest pfSense tutorial from Lawrence Systems. Tom, the community and I are still grateful wedding photography didn't work out ;-) but all the video skills transferred over to this new gig! You have a very comfortable and trusting persona when you lead us through this.
I guess I’m both more and less paranoid :-)
I have the following, where VLANs cannot access resources in a VLAN above them, except for mDNS broadcast and Plex/Emby ports from streamers.
Funnily enough, my work laptop goes on the trusted IoT network. Not that it matters since it won’t connect to anything except a VPN server at work.
The above networks get squished into 3 WiFi networks: LAN, IoT and Guests. LAN is LAN only, and kids share with both IoT VLANs and use MAC-assigned VLANs. That way I can assign VLANs to gadgets, while allowing kids' friends to connect by assigning a default VLAN of "kids". Should an attacker get creative on the IoT networks and change the MAC address, they won't gain much access anyway. Kids can access a few devices on the trusted IoT network, as well as gadgets.
I also keep IDS/IPS running, and also have zero open (TCP) ports (not counting VPN ports), and while I agree that it probably doesn't have much to do in today's world where everything is encrypted, it can still block access to known bad hosts, as well as prevent potential malware on the client networks from calling home. It is however only a question of time before malware writers learn to thwart IPS by using encryption, so it (probably) becomes less and less relevant as time passes. You can of course set up an SSL proxy and decrypt everything in transit, but that kinda defeats the purpose of encryption :-)
I switched my DNS to NextDNS, which allows me to assign different profiles per subnet, so each VLAN is running with its own rule set; should an IoT device attempt to leak DNS information, it will only see what's exposed to the IoT network.
!remindMe 5 days
(I hate videos)
New video from Tom! Excellent!
Thanks for making these videos. I notice you do explicit deny rules for each separate VLAN. Is there any benefit to doing this? I make a rule in each zone (that I allow internet access to) that allows access to everything except RFC1918 address blocks which to me seems less prone to human error.
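The two rule layouts compared in this comment (one explicit block rule per VLAN versus a single "block all RFC1918, then pass any" rule) can be tried side by side with a small first-match evaluator. This is an added example, not code from the video or the commenter; it mimics the top-down, first-match, default-deny evaluation pfSense applies to interface rules, and all VLAN subnets, the Plex host and the port number are constructed for illustration.

```python
"""Added example: compare per-VLAN explicit deny rules against a single
RFC1918 block rule under first-match, default-deny evaluation.

The subnets below (10.0.20.0/24 IoT, 10.0.30.0/24 Guest, 10.0.40.0/24 a
VLAN added later) and the Plex host/port are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three private ranges from RFC 1918.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def nets(*cidrs):
    """Build a tuple of networks from CIDR strings."""
    return tuple(ipaddress.ip_network(c) for c in cidrs)


ANY = nets("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    dst: tuple                  # destination networks; matches if any contains the IP
    dst_port: Optional[int] = None   # None means any destination port


def evaluate(rules, dst_ip, dst_port):
    """Return the action of the first matching rule, or 'block' if nothing
    matches (pfSense denies anything not explicitly passed)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if any(ip in n for n in rule.dst) and \
                (rule.dst_port is None or rule.dst_port == dst_port):
            return rule.action
    return "block"


# Layout 1: an explicit block rule for every other VLAN, then pass any.
# The rule set was written when only IoT and Guest existed.
POLICY_EXPLICIT_DENY = (
    Rule("pass", nets("10.0.20.50/32"), 32400),   # Plex on a trusted IoT host
    Rule("block", nets("10.0.20.0/24")),          # IoT VLAN
    Rule("block", nets("10.0.30.0/24")),          # Guest VLAN
    Rule("pass", ANY),                            # internet
)

# Layout 2: allow the needed exceptions, block all RFC1918, then pass any.
POLICY_RFC1918_BLOCK = (
    Rule("pass", nets("10.0.20.50/32"), 32400),   # same Plex exception
    Rule("block", RFC1918),                       # every private range
    Rule("pass", ANY),                            # internet
)

# Constructed VLAN inventory; 10.0.40.0/24 was added after the rules above.
VLANS = {
    "iot": "10.0.20.0/24",
    "guest": "10.0.30.0/24",
    "cameras": "10.0.40.0/24",
}


def reachable_vlans(rules, vlans=VLANS, probe_port=443):
    """Names of VLANs whose first host is reachable on probe_port.

    Used to spot the human-error gap: a VLAN that exists but has no block
    rule in a per-VLAN deny layout."""
    hit = []
    for name, cidr in vlans.items():
        first_host = next(ipaddress.ip_network(cidr).hosts())
        if evaluate(rules, str(first_host), probe_port) == "pass":
            hit.append(name)
    return hit


if __name__ == "__main__":
    for label, policy in (("explicit deny", POLICY_EXPLICIT_DENY),
                          ("rfc1918 block", POLICY_RFC1918_BLOCK)):
        print(f"{label:14s} internet={evaluate(policy, '1.1.1.1', 53)} "
              f"plex={evaluate(policy, '10.0.20.50', 32400)} "
              f"reachable VLANs={reachable_vlans(policy)}")
```

Running it shows the point the commenter makes: with per-VLAN deny rules, the later-added `cameras` VLAN is reachable because nobody added a block rule for it, while the RFC1918 layout blocks it with no change, and the Plex exception still passes under both because it sits above the block rule.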
I'm curious what kind of hardware you're running pfSense on at home?
I have an SG-3100, and while it works wonders, it is EOS with EOL coming up in October. I'm a bit confused about the upgrade path though.
My main usage is internet (of course) with symmetric speeds below 500 Mbit/s, site-to-site VPN between my home and summerhouse (currently running a UDM), as well as road warrior VPN connections.
I don't run IDS/IPS on the SG-3100, only pfBlockerNG.
I'm pretty set on an appliance, and preferably a plug-and-play one (as in running, not configuring). I have no desire to drive for 2 hours to reboot a faulty AliExpress box :-)
Netgate recommends the SG-2200 as a direct replacement, but as far as I can tell it doesn’t even come with half the performance that the SG-3100 does. Next step up is the 6100, which besides being overkill is also insanely expensive in Europe.