Creating VLANS And Firewall Rules with PFsense

Reddit Comments

Solid multiple vLAN config video. Great work!

šŸ‘ļøŽ︎ 4 šŸ‘¤ļøŽ︎ u/Dave2SSRS šŸ“…ļøŽ︎ Aug 06 2020 šŸ—«︎ replies

+

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/ron_mexxico šŸ“…ļøŽ︎ Aug 06 2020 šŸ—«︎ replies

I'm a month late, but at 6:10 was exactly what I was looking for! Thank you for this.

šŸ‘ļøŽ︎ 1 šŸ‘¤ļøŽ︎ u/kracknutz šŸ“…ļøŽ︎ Sep 04 2020 šŸ—«︎ replies
Captions
Hey everyone, Cody from Mactelecom Networks. In this video I am going to show you how to create different networks in pfSense: create the VLANs, the DHCP servers, and some firewall rules. If you are new here, please hit the subscribe button and the bell icon so you know when new content is available. If you'd like to hire me for network consulting, visit www.mactelecomnetworks.com; you can also visit us on Instagram at Mactelecom Networks, and if you want to support the channel we have an Amazon storefront, with the link down below.

This is how my network currently looks. We have the ISP, and that link goes down to my Netgate SG-1100. These three links are really one physical link connecting to my UniFi switch, drawn once per VLAN: one cable carrying three different networks. Below that I have a Synology NAS, which is on the admin network, and one UniFi AC Lite that will have every single VLAN trunked to it; you can see that by the different colors: admin, student and IoT.

We're on my pfSense SG-1100. To create a new network and a VLAN, go to Interfaces, click Assignments, then go to VLANs, and click Add. I only have the one interface here; on other Netgate models, such as the SG-3100, you may have more interfaces. Select the interface. The VLAN tag for the first network we'll work on, the admin network, will be 10, so set VLAN tag 10, description "admin", and press Save. VLAN 10 is now created. Create the other two the same way: VLAN tag 20 with description "students", press Save, and the last one, our IoT network, on VLAN 30 with description "iot", press Save.

Now that the VLANs exist, go to Interface Assignments and add the VLANs there. Under "Available network ports", click the drop-down, select VLAN 10 (our admin network) and press Add; then add VLAN 20 and VLAN 30 the same way. These interfaces are not enabled yet, so we have to go into each one, enable it, and change the interface name so it is easier to read. Click OPT2, which is our admin, click Enable, and change the description to "admin". Under the IPv4 configuration type choose Static; under Static IPv4 Configuration enter the IP address 192.168. with a /24 mask. Scroll down: if you check "Block private networks", these networks won't be able to talk to anything, so leave it unchecked; we will create firewall rules to block inter-VLAN routing instead. Press Save and then Apply Changes. VLAN 10 is done; do the same for the other two. Go back to Assignments, go to OPT3, enable the interface, call it "students", set IPv4 to Static with IP address 192.168.20.1/24, press Save and Apply Changes. Last but not least, our IoT network: go to OPT4, enable the interface, call it "iot", set the IPv4 type to Static with 192.168.30.1/24, press Save and Apply Changes.

Now that the interfaces are enabled, create the DHCP servers for each network. Go to Services, then DHCP Server, and move across the tabs for each of your networks. The first network we created was admin, so on the admin tab click the radio button to enable the DHCP server on the admin interface, then scroll down. The available range of IP addresses is 192.168.10.1 to 254, so we'll start our range at 192.168.10.20 and go up to 192.168.10.200. You can add your DNS servers here as well; I'm just going to use Cloudflare as my first DNS server. Press Save. Do the same for the other two networks: click Students, enable it, set the range 192.168.20.20 to 192.168.20.200, add the DNS servers and press Save; then click IoT, enable it, set 192.168.30.20 to 192.168.30.200, add the DNS servers and press Save.

There's one more very important step that people miss all the time, and the network will not work without it. Go to Interfaces, then Switches, so we can look at the ports we need. Go to Ports: we need the LAN uplink and the LAN, that is, port 0 and port 2. Go to VLANs and add a tag: the VLAN ID for admin will be 10, description "admin", member 0 (make sure it's tagged), then add another member, 2, and press Save. Add another tag for VLAN 20, our student network, and do the exact same thing: member 0, add member 2, press Save. Next add the IoT VLAN, VLAN 30, call it "iot", add the same members 0 and 2, and press Save.

The next step, to make sure each of these networks actually has internet access, is the firewall rules. Go to Firewall, then Rules, open the admin tab and click Add. Action Pass, address family IPv4, protocol Any, source Any, destination Any, and press Save; that gives full internet access. Do the same for student and IoT. pfSense is now set up for full internet access on the networks we created.

Now we move over to the UniFi controller to configure the switch to access these networks. Right now I only have the 24-port PoE switch and a Ubiquiti UAP-AC-Lite. For each network we need to create a VLAN-only network in the controller: go to Settings, Networks, Local Networks, Create New Local Network, Create Advanced Network. Under Network Purpose choose VLAN Only; the network name will be "admin" and the VLAN ID 10. Create one for the student network: call it "student", VLAN Only, VLAN 20, and press Save. Create one more for our IoT network: Create Advanced Network, "iot", VLAN Only, VLAN 30, and press Save. Now we can put whatever port we want on the UniFi switch into one of these networks. By default UniFi switch ports are trunk ports, so they let all VLANs span over them. It's good practice to put the ports into the VLAN they are supposed to be in: say ports 2 to 10 could be your admin block, 10 to 15 your student block, and so on.

To use these networks on wireless, go to Settings, Wi-Fi Networks, Create New Wi-Fi Network, and Advanced. For admin, the security protocol will be WPA Personal, the password test1234, and under "Use VLAN" we want VLAN 10 for the admin network; then press Save. Now the same for the student network: type "student" for the Wi-Fi name, WPA Personal, test1234 again, go down to the VLAN and set VLAN 20, then Done. The last one is our IoT network: the Wi-Fi password again will just be test1234, turn on Use VLAN, set VLAN 30, and press Done.

On the port where our access point is connected, make sure it spans all the VLANs. Click the little edit pencil and you can see the switch port profile is "All", which means all our VLANs go through it; that's what we want for the access point. If you want a certain port in a certain VLAN, go to the port, click the pencil, and pick the VLAN: to put port 2 in VLAN 10, set the switch port profile to admin (10) and press Apply. The PC, or whatever you're using on that port, will now be in VLAN 10 and get an IP address from that DHCP server. Everything is now configured on the UniFi controller for the switch and the access point; we could log on to the Wi-Fi and see that we get an IP address from one of the new networks. We'll do that after the next step, which is to create firewall rules so that the networks can't communicate with one another.

Back in pfSense, create an alias. The name will be "rfc1918", put that as the description as well, and the type will be Networks. Add 192.168.0.0/16, then another network, 172.16.0.0/12, and the last network, 10.0.0.0/8, and press Save. This alias lets us block every private IP address range.

To block inter-VLAN routing on each of your networks, go to Firewall, Rules, and the admin tab (our first network), and add the firewall rule: action Block, interface admin, protocol Any, source "admin net", destination Alias (you'll need to know the alias name) rfc1918, and press Save. The admin network now can't reach anybody on the student network or the IoT network. Do it for the other two: click Add, Block, our student network, protocol Any, source "student net", destination alias rfc1918, and press Save. The last one is IoT: add the rule, Block, protocol Any, source "iot net", destination the alias rfc1918 again, and press Save.

Now I'll show you that this actually works. I enable my Wi-Fi adapter, join the admin SSID we created, disable my Ethernet adapter, and run ipconfig: you can see we're getting an IP address of 192.168.10.22, so we're in the correct network. If we try to ping the student network or the IoT network or their routers, we won't be able to: ping 192.168.20.1 times out, and the same with 30.1. Just to show that the rule is what does this, I'll delete that firewall rule from the admin network, apply changes, and give it a minute: now pinging .20.1 goes through, and 30.1 goes through as well. With those rules in place we can't hit any other device except the ones in the network we're on.

Now say I'm in one of these networks and I have a Synology NAS. If I'm in the admin network I'm going to want to reach the NAS. Right now we can't, because the rule is blocking all of the private addresses; pinging the actual address of the NAS, 192.168.100.114, gets no replies. We need a rule that allows the admin network to talk to the NAS directly: use Add with the up arrow, action Pass, interface admin, protocol Any, source "admin net", destination Single host or alias, address 192.168.100.114, and press Save. Make sure this rule is above the RFC 1918 block; if it's below, you will not be able to access your Synology NAS. Apply Changes, and now we can ping the device: it's accepting traffic and we can get to the Synology NAS from the admin network.

That's pretty much it for this video. We may go into more firewall rules, but this is the basic set you should be putting in your network so that you can begin to lock it down. If you like this video please hit the thumbs up button, and if you're new here please subscribe. Alright guys, thanks.
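The RFC 1918 alias and the rule ordering described above (the block rule, the catch-all pass, and the NAS pass rule that must sit above the block), simulated as an added example that is not code from the video or from pfSense: a small first-match evaluator over a constructed admin-interface rule table. The rule tuples, `evaluate`, `from_admin_client` and the client address 192.168.10.22 are my own constructions; pfSense itself evaluates interface rules top-down with first match winning and an implicit default deny at the end.

```python
import ipaddress

# Constructed alias mirroring the video's "rfc1918" alias (type Networks).
ALIASES = {
    "rfc1918": ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"],
}

def _matches(spec, ip):
    """True when ip matches 'any', an alias name, a single host, or a CIDR network."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in nets)

def evaluate(rules, iface, src, dst):
    """First matching rule on the ingress interface wins (pfSense rules are
    'quick'); traffic that matches no rule hits the implicit default deny."""
    for action, rule_iface, rule_src, rule_dst in rules:
        if rule_iface == iface and _matches(rule_src, src) and _matches(rule_dst, dst):
            return action
    return "block"

# Admin (VLAN 10) rule table in the order the video ends with:
# NAS pass rule on top, RFC 1918 block below it, catch-all pass for internet last.
ADMIN_RULES = [
    ("pass",  "admin", "192.168.10.0/24", "192.168.100.114"),  # Synology NAS
    ("block", "admin", "192.168.10.0/24", "rfc1918"),          # no inter-VLAN traffic
    ("pass",  "admin", "any",             "any"),              # internet access
]

# Same rules with the NAS pass rule placed below the block: the ordering
# mistake the video warns about.
ADMIN_RULES_MISORDERED = [ADMIN_RULES[1], ADMIN_RULES[0], ADMIN_RULES[2]]

def from_admin_client(rules, dst, src="192.168.10.22"):
    """Decision for a constructed admin client (the video's 192.168.10.22)."""
    return evaluate(rules, "admin", src, dst)

if __name__ == "__main__":
    for label, rules in (("correct order", ADMIN_RULES), ("misordered", ADMIN_RULES_MISORDERED)):
        for dst in ("192.168.100.114", "192.168.20.1", "192.168.30.1", "192.168.10.1", "1.1.1.1"):
            print(f"{label:13} {dst:16} -> {from_admin_client(rules, dst)}")
```

Because 192.168.10.1 also falls inside the alias, the block rule matches traffic to pfSense's own admin-interface address, so any service the firewall itself provides on that VLAN (DNS resolver, web GUI) would also need a pass rule placed above the block.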
Info
Channel: Mactelecom Networks
Views: 23,659
Keywords: pfsense firewall rules, pfsense setup, firewall rules, unifi vlan only, pfsense tutorial, pfsense vlan, pfsense firewall, pfsense firewall rules configuration, pfsense vlan dhcp, pfsense vlan tagging, pfsense vlan iot, netgate sg-1100, netgate sg-1100 setup, netgate sg-1100 vlan setup
Id: CDUyMpBC8bw
Length: 17min 39sec (1059 seconds)
Published: Wed Aug 05 2020