My pfSense Setup - VLANs, VPN, Firewall, DHCP

Captions
Do you ever wake up, pour yourself a bowl of cereal, sit down and think, "Gee, I wonder what Brett's pfSense configuration looks like"? Well, if you do: (a) that's weird, and (b) today's your lucky day, because that's what this video is going to be all about: my pfSense configuration. So no sexy intro, let's just dive right into it. If you're watching this video I assume you already know what pfSense is, and if you don't, it's essentially a FreeBSD-based operating system that can run on pretty much any x86-based system and acts as a firewall slash router. It's awesome, it's free, you can throw it on pretty much anything, and it's a solid setup. So let's dive into this and I will show you what I'm running. I'll be honest, I'm not running anything super crazy, but I did a poll on YouTube and you guys wanted to see what I'm running, because you're a bunch of perverts. So let's dive into it.

Here you can see the dashboard. Nothing crazy. You'll see all of my interfaces over here. When you first load up pfSense you'll have just a WAN and a LAN; you can see I have quite a few extras, most of these are VLANs, I will get to that in a bit. Over here you can see stats about my system. You'll see I'm running a Netgate 4100. You can run pretty much anything, like I said, any x86-based system; currently not available on ARM systems, maybe one day. If you want to know more about my network layout in terms of hardware and configurations I do have a video on that, I will link it up here, you can check that out if you're interested. As I go through this video it's going to be more of a high-level thing; if I do touch on something that I have a video on already that goes into more detail, again I will link it up here and down in the description. All right, as I said, we are running a Netgate 4100, everything is up to date, I am running build 22.05, you can see the specs here, nothing too crazy, blah blah blah. Over here, like I said, I have a bunch of interfaces; I'll get to that when I'm talking about VLANs and VPNs.

Down here you can see the OpenVPN configuration. You can see I have quite a few. I do have a server set up as well as client instances, so this is what lets me communicate back into my home network by hosting a server, but then the clients allow me to use a VPN. The one I'm using is PIA. You may hate that, I know everyone has a strong opinion on certain VPNs, but I've had no issues with it, I'm perfectly fine with it, and if you don't like that, deal with it. Down here we have our HAProxy info, more on HAProxy in a bit, but it's one of my favorite features about pfSense. HAProxy is a reverse proxy that allows me to self-host a lot of services and expose them to the outside world, and when I try to access those services back home, HAProxy is what takes all the traffic and routes it to the right service. And gateways, more on that in a bit, I want to talk about routing. And then my services that I'm running, again nothing too crazy: your basic DHCP stuff, HAProxy, a couple of VPN instances (I don't think I need three, but there they are), and Unbound for DNS resolving. So yeah, that's the dashboard, nothing crazy.

Let's jump into the first thing I want to touch on, and that is going to be your routing. Okay, so going into Routing is where you will see essentially your WAN interfaces, or your ISPs. I only have a single ISP, but I have multiple gateways here, and that is because of my PIA client that I've set up. When you set up a client VPN in pfSense, it's essentially going to act as a whole other WAN interface and give you another gateway. So if you have multiple WANs or multiple ISPs, this is where you'll want to go in and specify not only a default gateway that you want to use, but you'll also want to go in and set up a gateway group. So if we go over here you'll see I have one set up. I don't really use it, but this is just for an example. In here you'll see that there is a tier 1 and a tier 2 gateway, the first one being my main ISP and the second one being my PIA VPN gateway. You would never do this with a client VPN, because if the main ISP is down the VPN isn't going to work, so this is more if you have dual ISPs and two physical WAN connections coming in. Let's just assume this one is an actual secondary WAN, just for the sake of showing off gateway groups. So the way it works is you specify a main one and a second one. You can put two in the same tier, meaning that they'll essentially split the load, but I want to have a primary and a backup, so we're going to do tier 1 and tier 2. Then the trigger level is going to tell you when you want to move to the next gateway interface. There's different options: member down means that it will only move to the next gateway if the one before it is actually completely down, no response; then it goes down to more extreme, all the way down to packet loss or high latency, meaning that if my main one is experiencing really high latency or there's a certain amount of packet loss it will move to the next one, and you can specify that here. I used member down when I used to run a dual-ISP setup, but yeah, it's completely up to you. Then going back to Routing, I don't think there's much else I want to cover here. If you go into your specific gateway you can configure certain things like gateway monitoring and which ISP you want to monitor, or which IP you want to monitor. I have it disabled because I only have one ISP, or one WAN, so if it's down, it's down, I mean it's just not going to work, so I don't need it to fail over to anything.

Going into Interfaces and Interface Assignments, this is where you will tie a specific interface to a physical port, and here you can see we have quite a few. My WAN is on ix3, my LAN is on igc0, and then all the rest of these, mostly VLANs as you can see over here, are also on igc0, which share a physical port with my LAN. That is because essentially I have my main LAN and then I want a bunch of tagged packets to propagate throughout my network with specific VLANs. I do also have a LAN 2 and a LAN 3 that get their own physical network port, and those essentially act as VLANs, but they're given their own port so I don't really need to tag it. These are used as test networks, so with my UniFi stuff that I'm testing as well as my Omada network, I give them their own physical interface and it really kind of acts as a VLAN. But it's really easy to set up VLANs in pfSense: you'd go over here into VLANs, you can create one, you can edit them, you can see I have four of them here. If you want to add one it's extremely easy: you specify which parent interface you want to use, so for example if maybe I wanted this one on one of my other test networks I could go to igc1, I could give it the tag 99, and you will see it is created. I can go over here to Interface Assignments, then from the dropdown you will see my new VLAN that I just created. You can click on that, add, and just like that we have our new VLAN created on igc1, which is, let's see, that is my LAN 2. Really easy. I recommend using VLANs. If you don't know what they are, it's just basically a way of segregating your network into different pieces so that certain devices don't have access to other devices. If we want to manage a specific interface you can click over here on the interface itself, and then you'll have some configurations you can mess with here, one being the MTU if you want to use jumbo packets or something; most of you are just going to stick at 1500. This is where you will specify the IPv4 default address and the subnet, so if you want it to be at 10.0.0.1, do you; if you want it to be at 192.168.whatever, this is where you would specify it. And then depending on how many addresses you want, how large you want your subnet to be, this is where you'll specify it. It'll probably be /24; if you want something larger I would use /23.

Let's dive into Firewall, and this is going to be one of the biggest features of pfSense. One of the main reasons why you get a fancier router slash firewall operating system is for its firewall abilities. So let's jump in and look at what I'm running. This may look very intimidating at first, but don't worry, it's not. All these grayed-out ones are just test ones that I was using, so ignore that, let's focus on the main ones. This is on my WAN interface, meaning that these are the firewall rules that I'm allowing to open up to my WAN interface. Here you can see at the top this is a NAT rule for my Minecraft server, so I'm opening ports 25565 through 25566, and that is just open for TCP and UDP to my WAN so that I can host a Minecraft server. That is set up through NAT rules, so let's take a brief detour and go into NAT under Firewall and you will see a matching setup. Down here, here it is: destination address is WAN, these are the ports, this is the IP I want to forward it to, which is the IP of my Minecraft server, and there's the ports I want to translate to. You can see I have a couple; I have a few for Plex, I have one for, I think this was testing for something, I don't think I'm actually using this anymore, 1195, what is that? This might have been for mail server stuff that I was testing. Anyway, this is where you would set up port forwarding for your WAN under the NAT configuration, and when you do that it'll automatically create a rule for you in here. Cool, but how do I do firewall rules on my interfaces? Well, you just click on the interface. So let's look at LAN. Now this is going to be a little strange, and this is where a lot of people get stuck, because of the way you will configure interfaces to talk to each other or not talk to each other, meaning that when you set up multiple VLANs, by default your VLANs aren't going to be able to talk to anything. Like I said, when you set up an interface or a VLAN, by default it has access to nothing, so you'll have to come in here and give it the accesses that you want.

Let's skip over LAN for now, I'll come back to it, because I think explaining the actual VLAN firewall rules will be easier first. Let's take a look at Guest. You can see this is much more simple, much less spooky. Let's talk about what's going on here. The first thing you'll see is an allow rule. Each rule will be either an allow or a block, meaning that you can specify "I want to allow these specific things" or "I want to block these specific things". So the first thing you'll see is an allow rule for everything coming from the guest network on any port going to this specific destination, which is on another VLAN, and I believe this is my Kubernetes load balancer. So I'm giving my guest network direct access to my Kubernetes load balancer for routing traffic, and I believe that's specifically for Pi-hole. So you can see that's an allow rule, and that's the only thing it's allowed to touch. Next up we have a block rule, and what this is doing is saying anything coming from the guest network that is trying to access my external network, block it. Same for guest to IoT, the next one. And the last one is: guest network going to anything that's not my private networks, allow it, and tell it to go through the WAN gateway.

Okay, let's break this down. We're going to dive into it and I will explain what is going on here. This is a pass rule, meaning that it is allowing traffic through. It is allowing traffic that is coming from the guest interface on IPv4 using any protocol, so you can see that's specified here. Our destination is Private Networks. What is Private Networks? That is an alias. What is an alias? Well, if we go under Firewall you will see Aliases, and this is a really cool feature. Going in here you can give an alias to a list of a bunch of networks, a bunch of specific IP addresses, whatever, and you can use that in rules so that you don't have to manually type out, you know, dozens or a hundred IP addresses or networks. Here you can see I have a Cloudflare one, which is a list of all of Cloudflare's server IPs and networks, and then I have a Private Networks one. This is both of my LANs, LAN 1 and LAN 2, these are the full networks, so I call them private networks. If we go back, you'll see I'm saying allow everything from the guest network to go through if it's not Private Networks, meaning that if it's trying to access the outside world, the internet, let it go through, because it is not one of my private networks. That is where this invert match comes in: if I had this set here, all this would be doing is saying allow guests to talk to my private networks; now I'm saying allow it to talk to everything as long as it's not private networks. Going down here you'll see I've manually specified a gateway. This is one of my gripes with pfSense. I don't know if I'm doing something wrong here, but I've talked to other people who also have this issue, in that if you have multiple gateways set up, in my instance like we talked about before, I have my main WAN and then I have the PIA client VPN that also acts as a gateway. If I set the default gateway as my main one, which I have before, and you guys saw that that was my main default gateway, and I just say use default, for some reason it doesn't default to what I've specified as my default gateway in my routing configurations. I have no idea why. I've tested it with multiple ISPs, multiple VPN client setups, and this is why I'm manually specifying the gateway, which is the gateway group that I created before. I honestly don't need to specify that, it would be the same as just doing this, so yeah, now I'm saying just to use my default gateway. So I've had to specify it in two places, which is quite annoying.

Okay, so if we go back into LAN you'll see I have quite a few rules. A lot of them are grayed out for testing purposes and whatnot, but you'll see a lot of sources like we saw before with using aliases. One of the big ones is PIA devices, so let's dive into this one here. It's very similar to the rule we just talked about: it's a pass rule on interface LAN, and it's saying if the source is one of these PIA devices, and this is an alias I used to specify devices in my network that I only want to go through the PIA client VPN interface. These are devices that are in my network that are maybe doing some type of Captain Jack Sparrow stuff and I don't want that to be tracked. So yeah, those will only go through PIA and not through my default AT&T WAN, and the way we do that is we say, yep, if it's a PIA device and it's going to anything, let's go down and only go through this gateway. So specifically PIA devices will be routed through the PIA gateway. I think that's enough on firewall rules; I'm finding out very quickly that I could probably make an entire video on firewall rules, and this video is already probably going to be pretty long, so let's move on. If you have any questions let me know down in the comments. I'm going to try to cover as much as I can without spending too much time on stuff. One last thing I want to touch on under Firewall is the Traffic Shaper. You can go in here and specify whatever interface, so maybe your guest VLAN, you only want a specific bandwidth allowed for that interface; you can specify that here. The reason I'm not doing it here is because I'm actually doing it in my UniFi configuration, so I'm doing it all within UniFi, but you can do it in pfSense. This is where you do it, it's really easy to set up and limit your guests to, you know, 10 kilobits per second, and then they'll want to go home. Perfect.

Okay, moving on to Services. There are a crap ton of services, there's so much stuff you can do in pfSense; I'll talk about the few that I'm using. The main one you're going to use, if you're using pfSense, is probably going to be your DHCP server, so let's dive into that and take a look at some of the things we have here. Once you go into here you'll have DHCP servers for essentially every interface you've set up, so here you can see all my VLANs, all my physical interfaces up here, and here is where you can go down and tell it the range that you want the DHCP server to hand out. It's where you can see all of your static DHCP leases that you've set up, you can see I have quite a few, and you can also specify custom DNS servers per interface. So if you want your main LAN to use a specific DNS server but you want maybe your guest network to use a different one, maybe you have different Pi-hole instances for different VLANs, you can come in here and specify that there. If we look at the range I've set up, you'll see I'm running from .0.100 to .1.245, meaning that I have quite a large range of DHCP addresses to hand out, but I've also given myself about a hundred to hand out statically. You can adjust this; that's just what I have set up and it works well for me. Let's compare that to the guest network. Pretty similar here; you can see it's a 192 network. It just makes it easy for me to see, when a client shows its IP address, it's pretty easy to tell one on my main network from one on a VLAN; that's why I use 192 on all my VLANs and then the tag number here. Again, you don't have to do it that way, that's how I do it. I'm running from 10 to 250, meaning that I have from essentially 2 to 9 for static ones and then from 250 to 255. You can see I have a custom DNS server here, which is my Pi-hole instance, so guest network, you get the Pi-hole DNS. And a whole bunch of nerdy stuff down here, not going to cover that.

Let's talk about DNS Resolver. pfSense can act as a DNS resolver, giving you local DNS and resolving custom DNS records that you've set up. Here you can see I have quite a few. I'm using the local domain raidowlab.com, and I've specified a number of different devices that I want to use. So for example my main Epic server: the host would be epic, the domain would be raidowlab.com, and it points to 10.0.0.73, so that when I type epic.raidowlab.com it goes to my Proxmox server, so that I don't have to use IP addresses. Neat. It's very similar if you don't want to do resolving; you can do port forwarding, not port forwarding, DNS forwarding, mode down here, DNS Forwarder. But I use DNS Resolver in forwarding mode. When I was using it not in forwarding mode, in resolving mode, I was having issues between that and Pi-hole, so it's in forwarding mode, meaning that it's not going to try to resolve itself, it's going to forward DNS requests to the main DNS server that you have set up.

Okay, moving on, HAProxy. This is a big one. I'm going to try to rip through this one pretty quickly so the video is not longer than the Titanic. This is deserving of an entire video, so I do have a video on this setup specifically in self-hosting, again, links up there if you want a more detailed explanation. But what this is doing is allowing me to self-host things and route the traffic coming in to those specific instances or specific services. Within HAProxy you'll essentially have a frontend and a backend. A backend is going to be all your services that you're hosting; you can see I have my QNAP stuff, Overseerr, PhotoPrism, File Browser, Nginx Proxy Manager for testing, LittleLink, Heimdall, a lot of things that I'm hosting on the backend. The frontend is going to be where it's taking those requests and saying, okay, what are you requesting to access, parsing that, and then pointing it to the correct backend. So if we go into my main one, let's take a look at what's going on here. You can see it's listening on port 443, so standard HTTPS requests coming in. I've set it up through Cloudflare, so those requests come in and what it's going to do is use ACLs. It's essentially going to parse and say, if they're looking for dashboard.hosteyboy.com, which is the domain I'm using, then forward that to a specific backend, which is specified here. If I attempt to go to dashboard.hosteyboy.com, its name is Heimdall, and what that means is that it's going to use the Heimdall ACL and then point to the backend Heimdall. I know I just glossed over a lot of things here, but again, in that video I go into more detail about how to specifically set these up. This is a really cool feature of pfSense; it's one of the main things that keeps me tied to pfSense, the ability to host a reverse proxy directly within your firewall slash router operating system. It's super convenient, it handles all of the certificate and encryption for you, it's fantastic, one of my favorite features. Some of the services here you guys can read: UPnP stuff, I don't use that; Wake-on-LAN; Captive Portal, if you want to set that up, look real professional, optional for your grandparents when they come over and try to log into your guest network.

Okay, VPNs. There's quite a few to pick from; I use OpenVPN, if you don't like that, okay. In here you can easily set up servers and clients. You can see I have a server set up. I initially talked about that: no matter where I am in the world I can remote back into my entire home network using my OpenVPN server setup. It's really easy, you can add one. I'll go over the one I have here. Go in, specify device mode, what protocol you want to use, the port; a lot of this is default. It'll generate a TLS key, you can specify the authentication you want to use, the server certificate, this is essentially going to be a self-signed certificate that OpenVPN will use, you can specify the encryption algorithm. There's a lot of stuff in here, but honestly a lot of the default stuff will work for you. You'll want to go in here and specify your IPv4 network, so I just made one that looks like a VPN or a VLAN but one that's currently not in use, so 192.168.70, and that's going to be the IP network that it's going to use to allocate incoming connections to. Then it's going to ask what local network you want this to essentially be hosted from, or be exposed; I used my main LAN network. One thing you'll notice as I'm scrolling through here, there's a lot of configuration in pfSense. pfSense is not the sexiest operating system around, it's not the sexiest GUI, but there's a lot, a lot in here. I strongly suggest if you're using pfSense to at least test it out first: get in here, mess around with it, you'll probably break some things, but that's okay, that's how you learn. If you're doing it on a test network it's much less stressful, because when you break something on your main network everything goes down and your wife gets mad at you, so use a test network. Over here in Clients you'll see I've set up two different clients using my PIA account, so let's take a look at this one for example. You'll go in, give it a description, PIA, a lot of the same configurations as the server. This is where you'll enter the information that PIA gives you; PIA is pretty good about giving you the information that you need to make this connection. Specify the server you want to use, the port that it's on, PIA username and password, and a lot of the configurations that they give you, you enter here. Once you do that, it's honestly that easy: it'll create a client and then spin up an interface, and you'll essentially be able to use that as its own kind of WAN. Really cool, really awesome feature.

Okay, Status. This is going to be a lot of information stuff, so you'll see a lot of the same things that you saw over here on Services, but if you want to get more information on how they're running you can go over here and it'll spit out some information for you. It's pretty self-explanatory; there's nothing really too useful over here. The one is DHCP: if we hop in here you'll essentially see all the leases that are out there, and we can sort these, you'll see the static ones, you'll see the dynamic ones, and if we want to turn one from a dynamic into a static we can go over here and click this little white plus and then give it whatever new static IP that we want and click save, and it'll now be a static IP address. It's really that easy. Okay, Diagnostics. There's a lot in here; the main ones I mess with are Ping, when I have issues where I can't access certain websites or I think a network is down. You can specify a hostname to ping, you can specify the source address, so if you want to do that on a LAN address for a local device, or you want to do this to the outside world using a specific interface, you can do that here. Ping it, it'll let you know if it's working or not. States: you can go in here to give you your state table, if you're interested in nerdy stuff like that, that's all listed here. Traceroute, a lot of the stuff you're used to seeing. Reboot, you're going to reboot a lot if you're testing out things. Packet Capture, really useful to have. Backup and Restore, that's something you're going to want to do. A cool feature with pfSense is that you can back up your entire configuration in the event that you break something. So if you're messing around on your production system and you're making a big change, I strongly suggest you go up in here and download your configuration before making that change, so in the event that you make a change and break something, which I've done multiple times, you'll have a backup file to just essentially reload pfSense to where it was before. I've broken pfSense so bad to where it wouldn't even boot and I had to physically attach my laptop to the Netgate device and access the console, so maybe I'll do a video on that one day, because I've done it quite a few times, so I'm a little bit more comfortable with it now. Then if you end up needing to restore something, you would just go down here to Restore, you'll choose that backup file that you created, and then it'll just do its thing, bada bing bada boom, you're back to where you were before.

One other thing that I think I skipped over is Dynamic DNS, over here in Services. This is extremely useful if you have DNS providers that are routing traffic back to your home network and you have a dynamic IP from your ISP like I do, that sometimes changes, and you'll want to make sure your DNS provider knows what your new IP address is. Within pfSense it can handle all that for you. You can go in here into Dynamic DNS, you can create a new one, you saw I had quite a few there, and then it has so many different service types here. The one I use is primarily Cloudflare. Depending on which one you select you'll enter information about your accounts, and it will automatically update that information so that if your IP address changes from your ISP, that'll get propagated down to your DNS provider. So the one I use is Cloudflare; another one is No-IP for my Minecraft servers. You can set this up so that all your friends, all your cool friends playing Minecraft on your server, won't get mad if your IP address changes. But yeah, I think that is all the stuff I wanted to cover. I know I didn't cover so many things in pfSense, but those are the main things that I have set up within my setup, and like I said, there's a lot more here, and if I covered something that you want more information on, don't hesitate to ask questions down in the comments, join the Discord, ask me over there. I'm more than happy to share the knowledge that I've accrued with pfSense with you guys. But yeah, that is it. Let me know down in the comments if you're using pfSense or if you're thinking about switching to it, what are the concerns you have, what do you like about your current pfSense setup; let me know, I'm interested to see what you guys are running. But yeah, that is it. If you like this video then drop a like below, if you like content like this then please consider subscribing, it helps the channel a ton. If you want to join the Discord, link is down in the description, come hang out with us, a bunch of nerds, we're real cool, don't worry, we don't bite unless you want us to. I want to give a huge shout out to my patrons and my YouTube members, you guys are absolutely amazing, you guys are my Dynamic DNS service that is constantly updating, you guys are awesome. That is it. If you're still around watching to the bitter end, you're awesome too. Thank you so much for watching and I will see you in the next one.
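The guest-VLAN rule set the video walks through (pass to the Kubernetes load balancer, block to the private LANs and to IoT, then pass to anything that is not the PrivateNetworks alias with a named gateway) and the PIA-devices policy-routing rule on LAN, run through a small first-match evaluator. This is an added example and not the video's configuration: the alias contents, addresses and gateway names are constructed, and the second guest block rule's destination is assumed to be the PrivateNetworks alias. It also shows why the explicit guest-to-IoT block matters: an inverted pass rule lets traffic through to every network that is not in the alias, IoT included.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed aliases modelled on the Firewall > Aliases page in the video.
# PrivateNetworks holds only LAN 1 and LAN 2; the guest and IoT VLANs are not in it.
ALIASES = {
    "PrivateNetworks": ["10.0.0.0/24", "10.0.1.0/24"],
    "GuestNet": ["192.168.30.0/24"],
    "IotNet": ["192.168.40.0/24"],
    "K8sLB": ["10.0.0.50/32"],
    "PiaDevices": ["10.0.0.201/32", "10.0.0.202/32"],
}

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: str                        # alias name or "any"
    dst: str                        # alias name or "any"
    invert_dst: bool = False        # pfSense "Invert match" on the destination
    gateway: Optional[str] = None   # policy-routing gateway; None = default route
    descr: str = ""

IMPLICIT_DENY = Rule("block", "any", "any", descr="implicit default deny")

def in_alias(name: str, addr) -> bool:
    """True if addr falls inside any network of the alias ("any" matches all)."""
    if name == "any":
        return True
    return any(addr in ip_network(net) for net in ALIASES[name])

def evaluate(rules, src_ip: str, dst_ip: str) -> Rule:
    """First matching rule wins, top to bottom, as on a pfSense interface tab.
    Traffic that no rule matches hits the implicit deny at the end."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if not in_alias(rule.src, src):
            continue
        dst_hit = in_alias(rule.dst, dst)
        if rule.invert_dst:
            dst_hit = not dst_hit
        if dst_hit:
            return rule
    return IMPLICIT_DENY

# Guest interface rules in the order the video shows them.
GUEST_RULES = [
    Rule("pass", "GuestNet", "K8sLB", descr="guest -> k8s load balancer (Pi-hole)"),
    Rule("block", "GuestNet", "PrivateNetworks", descr="guest -> LAN 1 / LAN 2"),
    Rule("block", "GuestNet", "IotNet", descr="guest -> IoT"),
    Rule("pass", "GuestNet", "PrivateNetworks", invert_dst=True,
         gateway="WAN_GW", descr="guest -> anything not PrivateNetworks"),
]

# LAN interface: the PIA-devices policy-routing rule ahead of the normal pass rule.
LAN_RULES = [
    Rule("pass", "PiaDevices", "any", gateway="PIA_VPN", descr="PIA devices -> VPN only"),
    Rule("pass", "any", "any", descr="LAN -> anything via default gateway"),
]

def guest_decisions():
    """(action, gateway) for one guest client against a few destinations."""
    guest = "192.168.30.20"
    out = {}
    for label, dst in [("k8s_lb", "10.0.0.50"), ("lan_host", "10.0.0.73"),
                       ("iot_cam", "192.168.40.5"), ("internet", "1.1.1.1")]:
        rule = evaluate(GUEST_RULES, guest, dst)
        out[label] = (rule.action, rule.gateway)
    return out

def guest_to_iot_without_block() -> str:
    """Same rule set minus the explicit IoT block: the inverted pass rule now
    matches, because IotNet is not part of PrivateNetworks."""
    trimmed = [r for r in GUEST_RULES if r.dst != "IotNet"]
    return evaluate(trimmed, "192.168.30.20", "192.168.40.5").action

def lan_gateway(src_ip: str) -> Optional[str]:
    """Gateway a LAN host is policy-routed to for internet-bound traffic."""
    return evaluate(LAN_RULES, src_ip, "1.1.1.1").gateway
```

Any new VLAN that is not added to the PrivateNetworks alias is reachable from guest through the inverted rule until a block rule for it is placed above it.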
Info
Channel: Raid Owl
Views: 66,806
Keywords: networking, firewall
Id: 12WrJCf-0-g
Length: 31min 48sec (1908 seconds)
Published: Tue Dec 06 2022