pfsense Firewall Setup and Features in Depth Version 2.4

Reddit Comments

1hr 50mins, you're a legend my man.

πŸ‘οΈŽ︎ 8 πŸ‘€οΈŽ︎ u/SnowballFromCobalt πŸ“…οΈŽ︎ Nov 23 2017 πŸ—«︎ replies

Overall, this is among my favorite tech channels. It’s always very informative and is a solid source of information about products, issues, and networking

πŸ‘οΈŽ︎ 4 πŸ‘€οΈŽ︎ u/zezgamer πŸ“…οΈŽ︎ Nov 24 2017 πŸ—«︎ replies
Captions
We're going to take an in-depth look at pfSense version 2.4. It's gonna be the latest version as of November 2017. Now the first few things are going to be some slides from a slideshow here, but don't worry, the rest of it goes onto a live demo where I walk you through all the features of pfSense.

So why pfSense? It's built on a very solid BSD platform, which is great, has a lot of enterprise networking features, open source code can be audited, and that is very important and becoming more and more critical every day: to make sure that the firewalls and devices that we have to protect our networks and route our networks do not have some type of hidden backdoors in them. And we've actually seen lots of firewall companies, for convenience, not necessarily for nefarious reasons, add backdoors to their system to make it easy to admin, such as hard-coded admin passwords. Horrible idea. Very configurable and customizable, can be completely managed via a well-designed web interface, has full command line access, nothing hidden. Enterprise features such as VPN, CARP, QoS. The failover in this is really cool: you can actually bridge firewalls together and create failover modes for your real enterprise level support. Third party plugins: they have a whole database of third party plugins that are maintained by the pfSense folks. Commercial support available: you can get a gold subscription which adds some better support options and you get their cool newsletter, and then of course you can actually buy support packages from Netgate directly, which is the people behind pfSense.

pfSense install: the requirements are fairly minimal, so it does not take a whole lot of horsepower to run this. So you're looking at a 500 megahertz, 512 RAM; 1 gigahertz recommended, one gig RAM, CD-ROM or USB for installation. Now they recommend less than four year old Intel and be clocked at 500 megahertz. I think this is probably a little older, because 500 hasn't been around for a lot more than four years. Anyhow, this is what's still on their page, but it can show that you don't need a ton of horsepower to do the routing on this. A 2 gigahertz older AMD will, you know, route up to 500 megs a second, which is faster than most home connections. If you're running this at a business with gigabit fiber then you may want to look at something a lot faster, like enterprise hardware with PCIe.

When you go to download from the website they have the options of the AMD64 bit, and they've deprecated the 32-bit version. 2.4.1 is the actual latest version right now, so that's the subversion, is that one. You can get the daily snapshots as well. When you're downloading this you get a USB memstick or CD ISO, so it's your choice. I thought that was kind of cool that they have them on there. It's kind of strange because when you download it you download one or the other; there's not much difference in them, but I guess BSD is a little different than Linux when you're pushing it to a thumb stick versus an ISO. Then you're brought up to the menu and you first click the install, and then from here we're gonna go ahead and jump into the live demo.

So after it boots this is the first thing you see. You get to accept the copyright and distribution notice. You can do a rescue, an install, or recover. All your data for pfSense is stored in a config.xml file when it's loaded, so that's the only thing you have to recover. If the pfSense box somehow becomes unbootable or crashes but you can access the drive, all you need is the config.xml file to restore it. Again, this does have an option to work to recover it. We're just going to run through an install. I'm not gonna change the key map, but you have a bunch of different key map options in here. Now this is really cool, because you have the Auto (UFS); that's the standard version that they've been using forever. Then you have Auto (ZFS), and this is where it's a really neat feature they added into the 2.4 series. So we can choose, and this is really kind of neat, we're gonna go and do a RAID-Z1, because I've actually added three hard drives here. You can create RAID arrays, not just mirrored but actual Z level RAID arrays with ZFS, for redundancy on your system. That's pretty novel; that makes it pretty cool for doing things like really solid installs where you're worried about a hard drive failing. Instead of just a mirror you can do this. It's probably overkill, but the fact that you can do it is pretty cool. You can customize names, partition sizes, swap sizes, mirror, encrypt the swap, encrypt the disk, but I warn you this is going to come with the consequence of going through and having to deal with, every time you boot it up, having to put the password in, so it's really not that convenient when you do that. So we'll go ahead and select this. Oh, when you're done, I'm sorry, I'd go back up to the top here and hit it. Boom: are you sure you want to destroy these? Yes, and away it goes. It's gonna install, and install goes really fast. I'll fast-forward through this and we'll jump to the web interface once we're done.

Well, this takes you through the installer, and then I'll show you once it boots up, so we can look at what the console looks like, and then once we look at the console interface we can jump into the web interface. So this is the console from a fresh install. By default the WAN gets the first, whatever the lowest number is. These are virtual network cards, so it's em0, and the LAN gets the next one, and the rest of them are unassigned. So even if you have multiple network cards, or six network cards in here, it only assigns the first two, WAN and LAN. Now from here you can assign the interfaces, change them around. The default WAN interface is going to be DHCP and the default LAN interface is always 192.168.1.1. All this is gonna be changeable when we run the web wizard; you can even start changing it from here if you want, but these are the basic options. Now from this shell, and I'm not gonna really return here, but from here basic functions are all available: assigning interfaces, setting interface IP addresses, so you can start matching your network settings. Assign interfaces is cool because you also get the option to build VLANs, and I have three virtual network adapters attached to this. Two of them are attached, one of them is not attached, and it tells you the link state of up, up and down, because I don't have any virtual network cables plugged into it. You can set up your VLANs here and assign them to the interfaces if that's something you want; then you enter the ones, or just hit 'a' for auto detection. But we're just gonna go ahead and enter and cancel out of this. You can reboot the system, factory reset the system, halt the system, ping a host to make sure something can be gotten to, so you can just, you know, drop to the shell real quick. Run pftop with option 9: it shows you the network actions and statuses on there; 'q' brings you out of that. Update from the console, PHP shell and pfSense tools, which is kind of neat, so it's got some tool options on here, so change password and things like that. We're gonna go ahead and exit. Restore recent configuration is really important if you have goofed things up but you can get to the console. You can go here and just run a restore, and you can say list all the backup options and actually choose different previous backup options. When we get to the backups in the web interface you can see by default there's 30 different backup revisions that are kept, and easy enough to restore. And whenever you do the restore it just applies it and restarts the system real quick. And the last thing you can do is enable secure shell from here, or just drop to a shell, or if you SSH in, this is the same interface you get when you SSH in. Now all this can be locked out, so if you want, there's an option in here to lock yourself out of this, or lock people out. That way if they come up to a console they can't just jump on here and do things. But I don't usually do this, because on the off chance, one, if someone goofs up a password you want to be able to reset it fairly easily; two, if they have physical access they can just take the firewall and, you know, pull the config files. So if they have access it's kind of up to you; depends on how secure your environment is, whether or not you want to lock this interface out.

All right, so let's jump into the web configurator. So the default login is admin and pfsense. It does force you to change it in a couple clicks here, and now we're into the wizard, which is pretty straightforward. Netgate global support is available; they let you know that right off the rip, which is nice. They don't annoy you though, and that actually makes me really happy. They don't, like, prompt you 'you should buy support, you should buy support'. You can; this is completely optional. We're gonna throw in some DNS servers. Now these can be overridden later; I just want to put some in now, or it'll pull them just from pfSense's DHCP settings, as we left the WAN here at DHCP. We're gonna go ahead and choose Detroit as our locale. Now when you're setting this up, this is where you can set up DHCP or static. If you're doing static and you have a block of IPs, just so you know, you only assign the first IP here, and later you add the rest of them as IP aliases to this configuration. So we're gonna leave it at DHCP. It does support PPTP, PPPoE configurations, and I am going to uncheck this. Normally you don't have to, but block bogon networks, you know, block private network RFC 1918s: I'm not doing that because we're running this internally and it will cause some issues, because it won't be able to route networks, because it says 'hey wait, your WAN is actually a LAN address'. Yeah, I know. So go ahead and do this one: 192.168.1.1, subnet 24. We're gonna leave it at default here, but of course put in whatever works for you. Admin password: set the admin password. It does not check if you typed in a weak password or not. Please use a good password though for your firewall. And done, and it says if you want to learn about support, or just click here to continue. Accept, and all's I did was accept the license agreement in here. So now we can get started on walking you through all the features of the firewall.

All right, so once you complete the wizard you're in here with the dashboard, and you can customize the dashboard. You have the Netgate support, and once again asking if you want to register, and the links here. Easy enough to get rid of: just close that if you're not interested. And let's customize this a little bit. I like to have the traffic graphs on here. We'll go ahead and throw in SMART status, interface stats, the gateways, service stats, and we'll go ahead and throw OpenVPN on here too. Now it's got a lot; you can scroll down on here so you can see everything. The services, I'm going to move them up, because I generally like those right here at the top so you get an idea, and it's easy enough from here just to, you know, restart, stop a service. And once you rearrange something on here, so when we do a move like this, the save icon, let me scroll back up to the top, shows up up here, and we click save to save the positions of everything we just moved around. On this side you have the system ID. Now this is the ID you use if you do get support: the Netgate device ID. It's an identifier that was generated to identify this particular system. This tells you some other information: CPU type, well, you can force it to check if there's a new version here. Hardware crypto that is supported in here tells you whether or not it's turned on. Now this is an issue that's going to come up with version 2.5, because they said that for version 2.5, no release date set for it, but they're gonna require the AES support in chips. This chip's an older one and still has it; it's been around for a while. It's not hard to find a system that has AES support in it, but just keep that in mind if you're building something new today, and they're not that expensive to find those older processors. So then we have our SMART status. Now this is on a virtual machine so we don't have actual SMART status. What I'm gonna do is jump over to my real machine and show you kind of what that looks like for a couple parts of this video, so it's not that important obviously; it just says if there is a problem. And there are the gateways. This is kind of cool. The gateways will tell you the ping time between the first hop, and if you have multiple gateways for things like failover it will tell you the ping time on each of the gateways and determine if there's a problem. Unknown when there's nothing hooked up. For example we're not using DHCPv6, but by default DHCPv6 or IPv6 is turned on, so it doesn't have anything to ping right now because nothing in my network is handing that out, but it will give you the status of it, and it turns red or yellow when there's a little bit of packet loss and red when there's complete loss or a drop of a gateway in here for the monitoring. Also we have a little wrench icon, and we can just say I don't want to show this on here, save, and we've now removed that from the gateway. Now the reason it gave me the leave page is because I moved something and didn't hit save, and if you do that you'll get the leave page when you're editing one of the options.

Now, common throughout the interface in here, and we just pull it up over here, for example in the services: any services, you're gonna have these related status, related log entries. You're gonna see that for all the different services and servers on here. So really, status, related status: what these do, these bring you to the different options. For example you can go and jump right into, if there's log entries for it, by going from that service to that, you go right to the log entries for that particular service, and this works across the firewall, works across a lot of different parts. So here's our current firewall rules; we can see the status of the firewall rules, or we can jump right to the logs that are in the firewall rules. So you'll see that those are common across all of them. They're all also accessible here under all the Status page, so I can get to a lot of those same statistic things inside of here. For example my interface here is the interfaces, and here's the settings for the interface, so there's the status of the interface and settings, like this. This is common throughout all of pfSense, and on a couple different options like in the logs and on the dashboard here you get the little wrench, which means you can customize that particular view. Just want to make sure you're clear on that; that's the common way all of this is laid out.

So let's start from the top. System menu, Advanced. So protocol by default is HTTPS and it creates and signs its own SSL certificate, and I have actually added another cert here, which, when we cover that in the CA part, you can add your own cert. There is options; it's a little more advanced and I haven't really played much with it, but I know they added features for supporting Let's Encrypt, in case you're wondering. If you leave this blank, the default TCP port is 443 still. Max processes: I've never really had an issue here, but you can, I guess, if a lot of people are using the firewall, multiple people using it, multiple logins, you can set up more processes to handle that. Everything else here I leave at default. Now, disable DNS rebinding checks: just so you know, if you have an alias like firewall.yourdomain.com and that equates to your firewall for remote access, you have to add the alternate host names in here. If not, by default it only wants to use IP, so if it sees something coming in from a domain referer it will fail to login; it'll say DNS rebinding attack. You can disable that, or add the aliases that you're going to add here so it understands which HTTP referer is when it comes in. Just a side note there, and this is where you can disable all that. Enable secure shell: sure, let's go ahead and turn it on. It gives you the option to disable password authentication, and there is an option to drop your keys right in the user, so you don't have to enable it and push your keys over; you can actually drop them into the user interface. Serial terminal: enable first serial port. Now this is kind of cool, because for a lot of systems they offer serial interfaces. It's an older school interface, but it is supported here, and you can set it to be the primary console if you want. This is also where you password protect the console menu if you want to. Go and save, and it's gonna take a second because I just enabled SSH. Now just so you know, by default SSH is only accessible internally on the LAN side, not the WAN side, so it doesn't, you know, open you up to any security risk or anything like that, other than from internally being able to access it.

Firewall & NAT options: you can leave all these at defaults, but it does have algorithm options for high latency, more aggressive, or more conservative, and you can read about what some of those different options do, but it's basically how it handles all the state tables and how long before it lets them expire or keeps them going. You can disable all packet filtering, disable firewall scrub. You can really get in a lot of details here: set maximum state tables, maximum fragments, static route filtering to bypass firewall rules for traffic on the same interface. I've only had to do this one time with a client with an unusual setup, but basically if you segment your network but they're all on one interface, but then you have a series of routes that push it to different sections of that network, because it doesn't technically pass through pfSense, it's just routing, but they're all on one interface, not split across them, that is something you may need to turn on if you have a weird network like that. For most default networks, or when you have pfSense at the middle of your network, no need to change any of these options. If you make aliases it has verify HTTPS for some of the aliased URLs; like I said, do some more unique things, but completely optional. You can change. Now NAT reflection, this is an important one here. So NAT, network address translation reflection: we're gonna change it to pure NAT. What this means is for every rule I create I want that same rule to automatically be mirrored internally. So let's say I point to a camera server, which is popular: you have your NVR, you have your external access, but then when you're inside the network you want to be able to get to it. What pure NAT does, if you set this as the default option (this can be changed on a per rule basis), this allows it to create the rule externally, and then when they try to access that external one it realizes you're inside the network and creates an automatic redirect. And that can be turned on and off on a per rule basis. That's just that. Also what we're setting up here is the default state timeouts; if you want to adjust the timings for the state timeouts for different parts, you can fine-tune all that. I've never had a need to adjust it, but it's there. Networking: allow IPv6 traffic. We can turn this off if you don't want any IPv6, you know, if you're not using it. I'm, yeah, it's there. IPv6 is neat; it's fully supported in the firewall, but obviously, as you know, it's not really taking off quite like everyone thought it would. Hardware checksum offloading: now I really recommend you build these yourself, use the Intel network cards. Disable hardware checksum offload is for when the network card handles the offloading; you want to make sure the network card can handle the offloading with the driver, and it does comment on some of the Realtek cards have a problem with this. I generally always build these with Intel cards. You can find them used on eBay for really inexpensive, including like the four port ones. Build them with the Intel cards; you don't have to worry about it. It works with a lot of different network cards, but the Intel ones in particular I know I've never had an issue with. I've never even had a problem with the Realtek ones, but just, you know, that's here. Miscellaneous: you can run this through a proxy if that's something you have, you know, maybe your provider forces you onto a proxy. Not really an issue I've run into. Load balancing: enable default gateway switching. Now I've had this where I've had to turn this on. I don't know if they fixed this, but you're supposed to, just when you're setting up load balancing, which we'll get to that on the interface side, be able to automatically switch. I've had it in earlier versions where I had to enable this, but for the most part you should be able to leave this unchecked unless you have some special scenario. What it is, if one gateway goes down it's supposed to roll over to the other one, but there's a way you set that up separately in load balancing. Power saving options: kind of neat that it has it. I don't really imagine that there's a lot of times people are running pfSense on battery, but if you are it's got options for AC, battery and unknown. Crypto dev: now if you have AES-NI supported acceleration in your processor, go and turn this on. I usually turn on this and the BSD crypto device, as long as they're enabled; you can turn them on. If you have thermal sensors you can turn them on here; supports Intel and AMD thermal sensors. Do not kill connection states when schedule expires: this is actually kind of interesting, because you can schedule the firewall rules, and you can say even though I scheduled the firewall to block or allow something, you then can also say whether or not the connections that occurred while it was in operation, whether or not you want to force them to expire or do not kill them. So kind of neat that they give you the option there. Flush all states when a gateway goes down: you may want to use this on the gateway monitoring, because what happens is if the gateway goes down and there's some states there, you want to make sure that they're all clear to pursue if you're doing failover, so it jumps over to the other gateway and there's nothing hanging on there. I've checked it; it seems to help with the switchover. Instead of using /tmp and /var you can force them to use memory file system, so if you had something you didn't want a lot of read writes going to a hard drive, like you installed this from a USB stick to a USB stick, that's an option on there. Save.

Now I'm not going to get too detailed in here, but we have all these system tunables. You can customize a lot of functions and add your own parameters. I don't have a guide to all the ones in here, but kind of neat; here's all the defaults. If there's some reason to update those, you can. Notifications: email server, SMTP port numbers, yes, it supports SMTP SSL/TLS, from email address, notification email address. This is great. One little note though: when you're putting all in here you can't test the functions until you've clicked save once. So even if you fill out all your mail server information here, then you click test, it fails. You have to go down here, click save, then you can click test, and then you'll know if the SMTP is working. But this allows notifications and changes at the firewall to be sent to your email address, such as gateway monitoring if you have failover and it goes down, or a problem with the hard drive, or some other alert in here. We have the alerts up here at the top for the notices, and what this'll show you is how they work: little bell icon, SSH keygen, sshd started up and let me know that it generated a new key for that. I marked it as read and now the bell went away. So that's it for all the notifications, everything on here.

Next one down is Cert Manager. Here is the demo VPN cert CA, and we're gonna walk through the details of this when I get to the VPN, of how this was created. But you can add your own CA; you can import them, create new ones, and these are for, like, doing your self-signed certificates for whatever reason you want to do them for. In the demo part it's of course for the VPN. Here's the web configurator default; this one's generated on load, and this is the LTS cert, so Lawrence Technology Services cert I did for the demo VPN, and there's a certificate revocation built in here.

General setup: this is where you name the firewall and the domain, add the DNS servers. Now, kind of novel, you can attach, if you have multiple gateways, you can attach a DNS server to a gateway, so whenever the query goes in it goes out over that gateway. Kind of novel, and probably if the DNS servers are local only to that provider you might even need that. And you can add more of them just by going here and add as many DNS servers as you want. This is where you can go and change the time zone, time servers, language options, which there's a handful of languages in here. This is kind of neat too, and I'll switch it once just so you can see it. Save, and we've now changed the theme of pfSense. So I usually leave it at default; kind of novel it's got a couple different options on there. So we're gonna put it back at default. Over here you get the refresh of the page each time when it does, even though it saves, and away we go. You can change all the themes and the colors. You can decide if the one at the top scrolls with the page or remains visible at the top of the page. I kind of like when it remains visible; that way if I'm down here, I'm gonna save it, and now the pfSense menu stays at the top. I don't know, I kinda like that better, but obviously it's options you can change. Dashboard columns, sort alphabetically, you can turn on or off more associated panels, display the state table without a filter. These are all the more little customizations to the UI that you can make, including do you like blue, green, red, purple, grey, orange for the login screen, show a host name and login banner; it's more customization stuff. It's novel they have this for a firewall, that you can play with all those things. Now pfsync: transfer state insertion, update and deletion messages between firewalls. This is a way that you can have high availability sync, so for redundant and failover firewalls, and create your peer IPs in one system, so you only have to edit one firewall and then the connections will sync between them. It's not something I've really set up, but if you have an enterprise environment and you want to have redundancy in your firewalls, this is how you would do that. It has all the different syncing options and it's granular, so you can say, you know, toggle all, I want all the rules, aliases, everything about the firewall to sync, or only parts of it to sync, and maybe you want the firewalls to be different from each other, only sync certain changes that you make. Here is where the log out is; that just logs us out.

Package manager: the package manager is pretty slick, and the OpenVPN client is one of the packages I loaded. Here's a big list of available packages, and we're gonna load them real quick. So like, I have top in here, I'm gonna search for it, there it is, where I could have just scrolled. You run through, click the install, confirm, and it runs through and installs the package for you. It also automatically installs any dependencies that that package may have had, and it gets them all through the pfSense repositories. Go back to installed packages and now we have that package installed. If I remove a package, click that, it removes it, really straightforward. This is for viewing more information about the package, and this also is an update. So what it does is it turns yellow here when there's an update available and the icon looks a little different. This will reinstall a package as well, so if you've played with the package and you've goofed it up, you can actually just do this and it'll confirm that you want to reinstall that particular package. Now the packages, to do updates and things like that, automatically will update themselves as well when you're doing a system update, but if there's a package update in between system updates you can go here and manually do it. I don't think there's any notification you get when one of the packages is out-of-date though, not that I've seen.

Routing: so your gateways are located here, your gateway groups are created here, and your static routes. So if you have a static route that you want to add you can pick which interface you want to add it to, and this is where you can do your static routing options. Gateways: this is where you're gonna add a gateway, so you can put this in, put the gateway name in, whether or not it can be the default gateway. By default everything gets monitored as a gateway, but you can override that and disable it. We can force the state of it and everything there, and of course a description, so you can give a friendly naming for it. You can also simply take and duplicate a current gateway, so if the way your network is set up and they're very similar, you just want to duplicate the same settings, you can do that. Now the gateway groups, this is kind of clever: you create a group, and this is what you would do for failover. So we only have one gateway on here, one-WAN system, but if we wanted to create a failover group, we're gonna name it failover, you would have each of the gateways in here and you set their tiers of priority. So tier 1, tier 2, tier 3, and that's the order by which they will be used. You can say this is a gateway but this is my failover one, would be the tier 2 one, the third failover tier 3, so on, so forth. Also if you were using this in like a round-robin, for kind of a more load balanced setup, you would set them to be the same tier. You set each one of the gateways, like I said there's only one showing up here, but you set each one of them to be the same tier, and that would allow a load balanced type, so you can have some of the data going between both networks. Now you can also say what is the determining factor of switching between it, from tier 1 to the next tier down: member down, packet loss, high latency, or a combination of packet loss and high latency. These can be fine-tuned, in fact, in some of the editing, or you can say just how much high latency is high latency. But what this does is allows you to determine when it should go to the other one. If they're both at the same tier you can also say high latency should just start pushing them over to the other one too, so that's an option on there. And you create multiple WAN failover groups when you're doing these, so you don't have to just have one; you can create multiple of them. So if you have a really crazy enterprise network, that's actually something that's supported in here.

Setup wizard: you can just run this again; that's the setup wizard. Update: it's up to date. Update settings, if you want to change to be a release candidate or any of the other latest development snapshots, that's an option in here. The update status stated update available, you say yes and away they go. I think they fixed it, but I don't want to point for, the only bug I've seen with the update was sometimes you had to hit it twice. It would say update failed, you say do it again, it would pass. It just wouldn't download the first time. But so far since switching to 2.4.1 that's probably, that was fixed. So in case you've seen that problem, just clicking it twice fixed it, and I believe in the notes of the 2.4.1 update that that was a problem solved.

All right, the user manager. So obviously it has its own local database, the user manager. It does support adding either LDAP or RADIUS servers for external authentication. You can set a couple things like which authentication server, auto refresh time, session timeout. You can build groups, which by default there is all and admins, and then right here is pick your user. Let's just walk you through adding users. We're gonna put Tom in here. You can expire users; leave it blank if you don't want them to expire. Use individual customized GUI options and a dashboard layout for this user, so it allows you, like, individual customizations, like you can set their theme and a couple other things in there. Kind of novel. What membership they have, authorized SSH keys and IPsec pre-shared key, then save. Now let me go back and edit this user. Then we can fine-grain, go through all the permission options, and this is pretty slick, because if you have a user that's only able to do certain things, because you say I only want them to admin one thing, you can set that up so they only have to admin those things in there. Now because of the way this is just a local user database, you can give the person no permissions and they would still be able to access the VPN, for example. It doesn't allow them to log into the web interface, but it can just be used for basic authentication for the VPN side of things. So I'm gonna go ahead and clear this and go back. This is where you add individual certificates, if you wanted each user to have their own certificate for the VPN. You could add each: import existing, create new, create signing requests, all the standard certificate options for that particular user it could be assigned. And of course, like I said, the SSH keys. You can also disable the user: this user cannot log in. This is often what I do with admins: once I create the new user, I'll create a secondary admin user, maybe disable the admin, the admin login. But when you disable the admin login in pfSense that also disables the root login via SSH, just an FYI. So if you SSH in, you can SSH in as the individual users, but you can't SSH as root anymore, because root privilege was reserved for the admin user. So once you disable that you disable root also. Root's password is whatever the same password for the admin user, but ideally you should be using key authentication so the password isn't very relevant at that point. So that's it for the user manager, pretty straightforward. It does have the option to create a special group. Special, I'll call it the firewall group. I'll type in 'firewall group' definition, save, then we can go back and edit, and I have the fine-grained permissions, and let's say we just want to give it everything that's firewall related. Now also if you notice there's two rules in each of these: one's a view and one's an edit, so you can actually have them just view versus, maybe you want to create a user read-only. If you got that new guy you want to be able to look at the firewall and understand it but not actually make the changes without supervision, so that's definitely some of the options you may want to choose. But it gives you a nice fine-grained control here, and type in 'fire' and it's a little narrowed down, everything firewall related, and let's do this, select, save. Here's all the firewall permissions for this particular group. Save, and we can go back to the user, edit the user, member of firewall, save. Now Tom's part of the firewall group. Really it's pretty straightforward user management, but I do like that it has this, because this relates back to, you'll see further in our firewall part, where which user did what. It does track where they were logged in from and which user made what changes to things like some firewall rules; that's all logged in the change logs.

Interfaces: assignments. So the interface system allows a lot of different options here. So this is an assigned interface, that's why it's deletable. Here's an unassigned interface; actually there's two of them in here, so we can choose which one we want, and we'll get into that in a second. So interface groups: you can group interfaces together, and that allows you to apply firewall rules to groups of interfaces, which is kind of nice. So if I did this and then I selected two interfaces and gave it a name, I can apply rules and functions to that. Now what's kind of cool is you can apply this as a group to these, or you can provide them individually; in the firewall they all show up together like that. So let's actually go over here and give you a little better idea. So we're gonna add this other network interface, save it, and now it's called OPT1. We're gonna enable it. I'm gonna add an IP address to it, so IPv4, save, apply, and now we have this other interface. Now I can rename the descriptors on any of the interfaces here, so it's OPT1, WAN and LAN, all these are
editable, so we can edit all these. Now let's jump back to our assignments, interface groups, and there it is: these are our LANs, let's call them that, save, and now they show up as LANs right here so I can apply the rules to them. So that's what the grouping is for, which is really slick, that you can do these interface groups, and you can delete them just as easily, so we're gonna go ahead and remove it and away we go.

Now, Wireless. I'm going to have to skip some of this right now, but you have full wireless; I just don't have a wireless interface plugged into this, but it does have full wireless support and setting it up: you can actually plug in a supported wireless card (I don't have the active list, but you can find them in the BSD list; if it's a supported wireless card in BSD you get all the features of the Wi-Fi), then set it up as an access point, set the password, WPA, WPA2 and a lot of the options in there. Kind of neat if you want to use this at home as a wireless device, definitely possible.

VLANs. VLANs are handled in kind of an interesting way in here, because they also add an interface, so you can add them on any of the interfaces. So we're gonna have a VLAN attached to LAN, VLAN 22, "test VLAN 22", save. Now you've added a VLAN and you're kind of wondering where did it go; let's go back over here to interface assignments, VLAN 22, we have to add it again over here, save it. It called it OPT2 but we're actually gonna call it OPT VLAN so it has a name (no spaces in here). Let's give it a configuration: I gave the other one 22, so we'll give this one... actually let's go 11.1 and it's gonna be a /24. So I hit Save and... Apply, but I forgot to click Save; now we're applying, now it's called OPT VLAN like I said, so these can be renamed at any time. And now let's look over to Firewall: there's WAN, LAN, OPT1, OPT VLAN in the firewall rules, and in the interfaces here. Now in case you're wondering the difference between a WAN and LAN interface: so if you wanted to make multiple WAN interfaces, WAN interfaces have a gateway, LAN interfaces do not. So over here on a LAN interface the gateway option is here; once we add a gateway to this, it's technically a WAN interface. So that's some of the differences; that's how pfSense identifies them, not at all by name. You can call them whatever you want; the default is WAN and LAN and OPT and so on and so forth, but of course you can rename them, and what we do for some of our clients to make it less confusing is we'll call the WAN interface with redundant connections maybe "Comcast" and the secondary WAN interface "AT&T" if that's their backup. When you're assigning a WAN it makes it very clear: this is the Comcast line, this is the AT&T line, and we understand which one's which when we're assigning them. I usually leave the name WAN in there, so I'll say like "Comcast WAN" and "AT&T WAN", but it's just a clarification, no big deal. So back over here to the assignments: we created the VLAN, we assigned it, and you can see it's attached to that network, and it also shows up everywhere else, so it's something else we can create an interface group for.

OK, back to the interface assignments. Link aggregation is supported, so you can use the link aggregation protocol to link together interfaces. Bridging is supported. GIF tunnels and GRE tunnels and PPP are supported, so you can do some tie-in for the PPP configuration. Now I'm not real familiar with it, but I know it's an older serial interface, I believe, for PPP; it's not something I'm overly familiar with, but it has a couple different link types in there: PPP, PPPoE, PPTP and L2TP. So kind of crazy configuration options, whether or not I have much use case for a lot of these; I'm not overly familiar with the GRE and GIF tunnels, but just so you know they are supported in here.

Now let's get a little bit detailed on the bridging though, because the bridging feature in pfSense is really clever. You can bridge a couple interfaces together, and when you create this (let's go ahead and "test bridge", save, now let's go back and edit this bridge) a bridge interface causes pfSense to treat all the ports you bridge together as a switch, so it can act as essentially a standard switch. And where it gets pretty cool is you have spanning ports, you have edge ports, auto edge ports; it works like a managed switch: auto PTP ports, sticky ports, private ports, and you can set up network isolation on them. It supports Spanning Tree Protocol options, both of them, RSTP and STP; you can choose the interfaces for that, to make sure when those are set up, and the options for it, and lots of details in between here. So this is kind of novel, being able to have it act as a switch: if you have a bunch of network interfaces you want to just switch together, you can do this without even having to assign anything to them; they'll just act in a switch mode, which is kind of neat that it does that. I've seen people build ten gigabit switches with this; I don't know how effective it is for throughput, but you can get those dual and quad cards and then use pfSense to tie them all together in a bridge mode, so kind of novel. And so we don't break anything, I'm going to delete the bridge, because I'm sure it'll mess something up that I want later on. So that's pretty much all the interface options and assignments in here. It also supports this, which I'm not overly familiar with, the QinQ options as well; not a feature I'm overly familiar with, but if you are, you know what this is already and you're excited that it's in here.

So let's look at the interfaces themselves and what can be done with them. So for our WAN interface, we're gonna turn off DHCP6, don't need it; we have it set to DHCP here, but we can just as easily statically assign IP addresses if we need to. Advanced configuration, now this is kind of neat: as the DHCP client, you can force overrides on things, so you can change different presets, change different lease requirements, send options, receive options; it gives you a lot of little customizations in here, which is kind of cool. Now if you're doing this static, it's nice that you can add the gateway here and it brings up the gateway menu, so if you're statically assigning, you just type in what you want assigned here, the IP address. Now if you have multiple IP addresses, like I mentioned before, you're gonna want to add them as secondary: you only add the first IP of a block in here, and the netmask over here that's assigned to the IP, but you add all the extra IPs elsewhere, not here. And I kind of like the little shortcuts here that take you right over to the gateway, so you can add them here manually as opposed to adding them in a little pop-up window, but both work; one is a pop-up window to keep you at that WAN gateway when you're adding it, without having to go to a second menu, when you can put it all in at once. Now for the LAN side, like I said, when there's no IPv4 gateway, it becomes a LAN address, not a WAN port, so pretty straightforward, and this is just for an assignment, and once again here's the IP address and then the netmask over here for it. So pretty straightforward on there; you can enable/disable them right here and just click Save at the bottom, and there's our other interfaces, so on and so forth, no big deal there.

Now let's jump over to the firewall rules. Because I just mentioned it, I'll actually start at the bottom here: Virtual IPs. So if you want to add another IP to the WAN, you would type in that address here. So when I do that, the WAN address right now is what you see up here (I know it's internal, because this is a demo); so if we add like 223, we would just click Add, and you can keep adding each virtual IP address with the right mask to it, and that's how you would get all the IP addresses for your WAN. So if your WAN offers you a block of IP addresses, this is where you add them all here. Also in the
virtual IP options you can add your CARP address for the failover; proxy ARP is an option; and then there's "other", and this is some of the things "other" can be used for (I'm just jumping over to the help): can be used for NAT, cannot be used by the firewall itself to run or bind services. So I guess it's a unique way if you have some unique use case where you want to NAT something but not have it necessarily completely controlled by the firewall and everything else like a normal interface, so definitely an option there, which is kind of neat. So there's all the virtual IPs; most of the time I'm just using the IP alias, because clients have several IP addresses assigned to them; this is simple: you know, go to the WAN that it's related to and assign the IP addresses, pretty straightforward.

Aliases. Now this is a great feature in pfSense. Why would you want to alias things? Well, convenience. So we have the option for all of them to be listed here: URLs, ports or IP. Now the URLs might not be what you're thinking; we'll get to that in a second. But let's say we want to have camera ports here, an NVR camera server; we're gonna go ports. Now you can choose hosts, ports, URL, IPs, network, so you only have one "create", and then this is the filter by choosing what type you're creating. So you can create a series of hosts in there, an IP or a fully qualified domain; you can use networks, so here's the network or fully qualified name and the description; the ports, and we'll do those in a second here. URLs: now this is where it gets interesting: "enter as many URLs as desired; after saving the URL will be downloaded and the items imported into the alias". You can put in a URL here that downloads into the firewall, so instead of having a bunch of stuff typed, if you have them saved in a list and web-available, this allows you to import those right into here. Same with the URL for ports, using the same group of port numbers: let's say you have, you know, 300, 400 ports you have to set; you can then tie them to an alias and then import them from a URL. This one is interesting as well, because this is "table of IPs" or "table of ports". Now when you do this, this isn't a mask; this is actually the number of days for how often you want to pull that. So you can actually create these lists, host them on a server, and have it every now and then recheck that URL based on, you know, the schedule that is in here, and refresh that information. So after the slash is the frequency of update in days; so once a day, pull from this URL and pull these IPs into this list for something. So really novel that you have that level of control in here.

We're just going to do ports. So let's say our NVR needs port 80 open, that's the HTTP; add a port, 443 for HTTPS; add port, let's say it's 9000 to 9100, and what I did was just put a colon in there; and we'll call these "control ports", and we're gonna hit Save, Apply. Now we have an alias for the camera things, and we're gonna get to these when we get to the firewall. But if I would have called this a URL or anything... this is so you can categorize all the different things you have in here. You can also, if you wanted to have a mail server in here, assign the IP so you can remember it: so you put the mail server there, it's a host, IP address, "mail server"; and then we can have a hosted one in there... whoops, oh, "mailserver" is apparently a reserved keyword, didn't know that; "themail", there we go, save. And then when we're setting aliases, I can actually put this in instead of the IP. So this one... and there they all just show up in a list here. So we're gonna go ahead and leave these two in; well, actually, we'll add one more, so we'll apply changes, add, "NVR recorder", "NVR recorder" here, it's a host, IP address 192.168.1.100, and we'll pretend this is our fake NVR server for the cameras, save, apply. All right, now when we do some firewall rules we have some aliases to play with.

So let's start over here at NAT. So you have port forwarding, 1:1 if you just want to do a whole one-to-one NAT mapping of everything, outbound. Outbound you can leave the same, unless (and there's a couple exceptions) when you're doing peer-to-peer VPNs where you're connecting two pfSense boxes together (I have a whole separate video on that); this is where you're gonna want to mess with this, because you're gonna want to change the way the outbound rules are. Right now by default the outbound says send everything out automatically over the LAN interface; that's fine, that's what you want, but you may want to create specific rules. And these are all auto-generated: as I generated those other interfaces, it auto-generated all these rules, and they're dynamic, it'll keep updating because it's all set to automatic. And what this is allowing you to do is choose what is the outbound route for a particular piece of traffic, so you can actually turn this into manual, and you could say this network goes over this WAN and this network goes over that WAN, and so it gives you all the options. And when we set this to manual, all these become editable and duplicatable, so you can get really fine-grained; you can also go over here and create your own NAT mappings for how things go. These are all real advanced use cases, but it's completely there for the outbound options. Now this is different than outbound rules; this is outbound mapping of data as it goes out.

So let's go over here to port forwarding. This is mostly what people want to do, is some basic port forwarding. So interface WAN; lots of protocol options: UDP, TCP, ICMP and so on and so forth; you can even port forward like GRE, IPv6, a little bit of everything in here, even the ICMP protocol, CARP. And we're just gonna do TCP. WAN address: if you had multiple addresses in here you would be able to do those as well, so if you had a whole block of addresses they would all show up in this list. Custom: cam ports, now I could type it in or I can autocomplete it, so "cam ports", cam ports. And where do we want these to go? The NVR. So here's the NVR recorder, and I can type in the IP address here, just the same like it shows here; I could put in the IP of the machine just like that, or it autocompletes with that. Also, it's not case-sensitive, so I type in even a lowercase and it'll autocomplete, and it's doing an alias lookup in here to find that. So there's the camera ports mapped to the NVR, real straightforward. NAT reflection: use system default, which is pure NAT; this is where we can override that. This is also default, "add associated filter rule", so we're gonna save, and I'll show you what that means. So source address, source ports: any, which means it doesn't matter where they came from, what address or ports they're coming in on; if they land (and I like the mouse-over here) on port 80, 443 or 9000 through 9100, land it on the NVR recorder, and this gives me the IP address of the NVR recorder. So it's real easy now to update these rules if I move the NVR recorder, or if you're doing things like grouping them together; this is how it looks. Now let's duplicate the rule and we'll just put port 25; we're gonna create a mail server in here, but we'll do it all manually, just to show you the difference. So everything is the same in here, save, apply, and this is what it looks like when you're doing it here: so here we have an alias, so it shows the values and things like that; here we typed it in raw, and it auto-completed to be that. All right, so let's create a couple more mail server rules here, and one quick way to do it: I can keep hitting Add and create a new rule each time, or I can say add a new NAT rule based on this one. So I want to change the port, this is the only thing we're going to do different; it goes to the same server, so 993, and change this one here. You can choose some of the lists in there, but when you're editing them it's obviously easier to type in custom if you just know the port number; if you've been doing this a long time it's easier, but of course you could choose from the list and it'll put those in here, so if you can't remember what the SNMP or SMTPS
ports are, or in this case, I know that the IMAPS port is 993, yep, IMAPS. Hit save, apply, and now we have "mail server IMAPS". If we wanted to have one more, go in here and actually just duplicate the rule and change this to IMAP, and change this one to IMAP, and this is the IMAP not secure; save, apply. And you can kind of see we're quickly building the rules for our pretend mail server here, but as you can also see, this could get really complicated really fast. So if you go here, and we're gonna say let's put a separator: these are our mail server rules, and we're gonna make them green and hit save, and drag; then let's put another separator, and these are NVR rules, leave that one the default color, move it up here. This is a kind of nice thing: so the rules are all drag and drop, you can move them around, sort them by order; this applies to the firewall rules as well, so you can actually reorder a firewall rule by dragging and dropping it. So then we're gonna go ahead and hit Save, and that just saves all the positions of the rules; so if you rearrange them, you do have to click the Save button. You notice how it's kind of grayed out, and once we've rearranged stuff it becomes not gray, and you can click the Save button; we can't, it's not clickable right now. But yeah, putting separators in, and then we can say, like, you know, "web server rules", make those red, save; and from there we'll add in... whoops, sorry, I forgot to click Save; save. Now we can go add again, and let's do port 80, 80, and we'll just call this "HTTP server", save, apply. They put it at the top; I want it underneath here for making it look pretty, and you can see we've quickly built all these port forwarding rules from the LAN address to an internal address here. Now if you want to disable a rule, you can just click that, hit apply; the rule just becomes grayed out, that means disabled. So you just check the box, apply, really easy, if you want to quickly leave a rule there but disable it for now.

Now another question that comes up a lot is access to that rule, and this is where your sources come in. You can say a single network, and you can say... well, we'll do a single IP address, single host or alias. So for example, you only want a specific IP address to be able to access this: you can put in that IP address in here, and then only this IP address, and we'd save here; so source address has to be this in order to see that. Though it's a common option, we actually, when we set firewalls up, a lot of times when we're doing remote work, we quickly throw in only our IP address, so we can easily get to the web interface but don't want anything else to be able to access it. So that's a pretty simple way to filter so it only does that there. And you can even create an alias list for the addresses, so you can keep like a list of addresses that are allowed to access that; it's a nice way, if you have a predefined... if you need something open to the web but you have a predefined list of IP addresses, this gives you a really easy way to do that. And we'll change it back to any, save, apply, back to normal, you know, asterisk as in wildcard, all.

But now there's two pieces to the firewall: this is the NAT side, and now we've got to talk about the firewall rules side. And when you were doing these and reading the rules, and we just showed you, at the very bottom again, "add associated filter rule". So go back over here... whoops, yeah, sometimes you go back and it does that, and you're not supposed to click just the back button inside here. So we're gonna go to the firewall rules; you notice how the word "NAT" is in front of each of these: "NAT mail server", "NAT this", "NAT HTTP server"; these are the other rules we added, and mouse-over still works, tells you what ports they are. And there's no traffic being passed over these right now, but it can actually log the traffic, so this is the number of states that are associated with this, so evaluations, packets, 0 evaluations; so it has, you know, some fine details in there on what these are doing, and the separators and everything else; in the drag-and-drop you can rearrange the order of the rules here. You can also disable the rule, just like you can there; so we can disable it there or there, it's the same thing. But when you try to edit the rules, so here we go, and here is the associated filter rule: so when you click on a firewall rule, it can take you back to the NAT rule that created it, because obviously I can't change any of this stuff, because it was created from here, but it hyperlinks right to that, which is really clever; so you can say OK, here's the rule, and here is the NAT rule associated with it. So we'll go back into the firewall rules, and if you want to just add a brand new firewall rule here: pass, block, reject; disable this rule; protocols, the same list of protocols as in NAT, I think one more, because of pfsync; you can set the protocols for how that traverses the firewall; IPv4, IPv6; the interfaces. Now another side note here: so this is just a filter to say here's the WAN ones, the LAN ones, OPT1, OPT VLAN, OpenVPN rules; but when you're creating a firewall rule, if I go over here and create it for OPT1, so let's say we want to open up this port here, destination any, description, save (I didn't put a description here), but it now is over here, so it didn't add it under WAN even though we clicked the Add button under WAN, because I changed the interface. And also, if I go here, change, save, apply, it's no longer under here, it's now under here, for port 666 being open. So really the firewall rules, when you're looking at them, this is just a filter for the rules, but it moves based on where you apply it to; so whichever option or interface you apply it to here is where the firewall rule will move.

So a couple more advanced things in the firewall, this is really clever. So you can turn on logging, if you want to log all the packets handled by this particular rule; you can have inverse matching, so for any of these that you can match, you can also invert the rule. But then the Advanced Options is really neat: we have source OS fingerprinting. Now obviously it's limited to as good as OS fingerprinting is, and it's very spoofable, but it is kind of novel that you could actually create firewall rules that use OS fingerprinting and say only accept or pass this rule based on that, if it matches this OS. So this is like fine-grained: you can actually create a filter rule that creates a tag, then you can filter a secondary rule that filters again on those tags that you created from the first rule; so this is a rule where you can tag things, this is another filter, or if it matches a certain tag then apply this, so you can kind of create an entire matrix of firewall rules under the advanced settings of things that happen to a packet, if you have some real advanced use cases; there's absolutely a lot of detail you can do. VLAN priority, VLAN priority set; scheduling: if we create schedules (and I'll show you how the schedule works), we can actually have this rule applied to a schedule. Now you can leave everything at default and then just create the scheduled rule, definitely an option. And we have the in/out pipes: this is a way to choose an in/out virtual interface for these, so once again, more rules that can be applied for where you want to push the data based on certain policies. Now let's show the scheduler. So let's go to Scheduler, we're going to add a schedule, and we want the firewall to work on these days here; I hit Add, and now Wednesday through Saturday, all day, is the schedule. We've got to give this schedule a name, "WedSat", hit save; there's our Wednesday-Saturday schedule. Let's go back to the firewall rules, go to edit our 666 rule, Advanced, Schedule, and as you can see here, now this is a rule: Wednesday through Saturday to make this firewall rule work. So it works on a schedule now, kind of clever that they have that in here; I don't have a lot of use case for it, but if you did want to create rules that only work at certain times of day or certain days
of the week that is certainly an option it also has a option to expire the rule so they don't start working till a certain time and then end at a certain time and date so kind of clever but definitely interesting how that happens it also has some cue options if you're want to create specific firewall rules for some of the traffic shaping which we're gonna get into next so go ahead and kill this rules we don't need it apply if you want to know the status of the rules this is the related settings related status which tells you that what the filter is doing this is like the quick on-screen display every time the filter gets reloaded and you can jump right to the log and see any of the filters for this including the logging of this filter dynamic views summary view and then if you want to advanced things like this and filter it real quick so let's just filter it for source IP and you can filter it just for a single IP address just like that and follow it through there and what the action taken was then this is the quickly add a rule to pass that or add it to a block list you can just mouse over these and create your passes and blocks real quickly but you can see how quickly this is easy to jump from the firewall to the rule to filtering something very directly and it just supports regular expressions to do the filtering so let's go back over to our firewall and just under the firewall rules is traffic shaping now it's got options individually that I don't know how to use where you create all these but obviously that's tedious and creating bandwidth and queue size limits and some of the details that's difficult we're gonna jump right to the wizard which makes it really really easy so the traffic shaping wizard run this how many way in interfaces one we have a let's say we're pretend we have a 10 megabit connection up and then the download is 50 next actually I think I chose the wrong one one local interface is land I miss that so 10 10 I'm sorry 50 next prioritize VoIP 
traffic you've got a couple built in generic load delay and if you know your sip server you can put that in there and let's say we want a reserved one megabit for the parameters so this is going to keep want that much open based on our traffic you could have a penalty box so you can set a lower priority for a specific IP address lower priority appear to peer traffic and this supports things like a mr. BitTorrent buddy share lots of different ones in here I don't know how many of them be size fit Turner is relevant anymore how's Napster still in there I don't know how much Napster traffic we're really seeing well go ahead and click Next well posted van with catch-all one able dog on Kara traffic units let's just say in percentage don't let it go to 90 Oh actually it says between 2 and 15 is the value so we'll put at 15 so keep that much free I believe is what it wants probably tell you scheming traffic sure let's create queues for all these to make sure my gaming traffic's prioritized it actually has a few old school ones there's kind of Unreal Tournament Wolfenstein some newer ones in here too so next enable our numbering protocols sure let's say we have MS RD P and V and C we want those to be high priority protocols it's got a bunch of other ones in here get dns why not have DNS at a higher priority let's have ping at a high priority if you're passing SMB keep it at a high priority next finish and it just created all the rules decorator traffic shaper here are all the rules here's the queue for the games other and let's take a look here at related status what this doing is measuring the bandwidth going through each of these queues and automatically is doing what we wanted to do from the wizard that's how quick it is to set up the QoS on e so you can build rules that prioritize your void traffic and actually the rest blank is most frequently what we do for our clients they just need their voice to work properly this firewall has no problem doing it I often will put 
whoever their SIP provider is in the SIP provider field to make sure understands that that sip fully qualified domain is the right one but it's that easy to set up a traffic shaping Innes and tweak it you can then go inside of here and actually tweak some of the settings directly like I said I'm not an expert at actually using all the different cue limits but you don't have to be you know he's just rerun the wizard if you need to and if you do didn't want the traffic shaper on anymore remove done queues are all gone nothing needs to be done you're all set and you can just run the wizard again and it does have a multiple LAN LAN option and a standard dedicated land win for the wizard for traffic shaping so pretty straightforward to use so let's jump over here to captive portal so that's all we have on the firewall list captive portals really interesting that they put this in here so we're gonna create a test zone testing and evil and we're gonna put this on the land now what this allows you to do is like for when someone logs onto your network they can go in and have an authentication web page that comes up for them and it's got lots of detail so you can really fine-tune this idle time out maximum concurrent connection so this is using coffee shops for example where you want them to go to a splash page agree to some terms of service and once you agreed from service they get on the internet but this goes a lot further than that so here's waiting periods log out pop out windows pre authentication after authentication redirection usually want to redirect them to some type of landing page with your specials you know we've set this up in schools too and it works really well there and you can set passwords it also has built-in default bandwidth upload limitations and download limitations so you can use a per user bandwidth restriction and put the restrictions in here it has a voucher option radius authentication so if you have an external radius server it's got a couple 
different options there, but the local vouchers is one I'll talk about here in a second. Create your own HTML file, kind of clever: you download this little template and customize HTML around it. These are a couple parameters that can be passed around there for a username, password, an error page and a logout page; you can upload all those here, and once you have all those uploaded to the system you can also push in certain files and things like that. It also has HTTPS redirection. So once you load your assets and create some photos you can actually load them into pfSense and it'll serve them up: this is our authentication page, blah blah blah, and away you go.

So the vouchers part, that's where this gets pretty interesting. It has the ability, and these are some of the keys you can use, you can set the bit sizes, and you pick a character set to use. The default character set is everything but O, 0, 1 and l; it removes them because they're ambiguous. And you can generate keys, generate an entire voucher set, for example a series of numbers to hand out to people. So this voucher, you say the voucher is valid for however many minutes, however long you want them to log in, and then once they get disconnected they have to put a new voucher in. It's really integrated well into here, so you can have the tickets and all this in here. It also supports an external database; now I don't have all the details here, but I think there's some forum post on how to set this up. But still really clever if you wanted to have a ticket-based system to hand out Internet, you know, in a metered way to clients that come in, or let's say a hotel where they get a voucher assigned to them based on their stay. You can give them a voucher number, it expires, and now everyone has a unique trackable system so you understand who got on and when, and it's easy to kick them off so you don't have people leeching on your system. And over here is that file manager that we were talking about where
you can upload some of the assets to, such as pictures or whatever else you want to upload for the web serving part of it. You also can do things like allowed hostnames or allowed IP addresses or allowed MAC addresses; you can just copy your own MAC address and permanently pass you or permanently block you. This is really clever when setting up the school networks, because we've just had each of the teachers log in real quick, copy their MAC address, sign here, and boom boom boom, their systems are on automatically based on their MAC address. I know it could be spoofed, someone could spoof a MAC address, but it's a system of convenience; unless they really know the MAC address on there of what's passable, it makes it really easy to say these computers or devices get on automatically. Or when you have devices like a Chromecast, for example, or other IoT devices that you want on here to bypass the voucher system, well then you want them in this list automatically; that way they can't just jump on the network and have internet access. So that's the captive portal.

The system does support DHCP relay across different interfaces. I've rarely ever had to use this; I think one time I had a client, if you have it in the middle, you have a head-end DHCP server on another subnet, you can have this pass the DHCP services across, and I have a destination where they get forwarded to. So that's DHCP relaying. I'm gonna jump over here to my firewall to show you the DHCP server, because we have reservations and more things set than I do in my demo server. So here's the DHCP server: enable DHCP server on LAN interface, you choose one for each interface, so you can turn on DHCP for LAN, WAN and all the different ones that are set up. You can add additional pools, so if you had different areas you want, like one range and another range. From there, options: override the default gateway, override a lot of different things, so if you had something else you want to put in here, that is definitely an option. You're able to do
that, and it'll enable static ARP entries, so you can actually create some persistent ARP entries in there; change the time format to UTC or local time; enable the RRD graph; dynamic DNS; MAC address controls, you can actually filter to deny certain MACs or ranges of MACs, which is kind of cool; NTP servers, which I have in here as well; TFTP servers, which I'm actually using because we have a TFTP server on the network; and network booting options. This is really clever, so with the network booting I can specify the BIOS filename. It's fully UEFI compliant as well, which not all DHCP servers understand; UEFI is built in here, and this is actually part of a network boot system we have set up on our network, so that's the sort of thing I want to show you here. So we actually put this information in, we have the server, the file, the boot files, and this is all supported in pfSense's system. We can also go here to advanced; if you have a few other BOOTP/DHCP options, those can be added in here as well. And down at the bottom we have a few static reservations for things.

Let's talk about how those got added. So I can actually go here to, sorry, go to Status, DHCP Leases, and if I wanted to, here's our Amazon Echo, happens to be at the top; I can add a wake-on-LAN mapping or I can add a static mapping, and I just click this. This brings me to the static page for this particular device, Amazon Echo. I type in an IP address that's not in the range; I can override anything in particular about this, including what TFTP server it gets. So this is kind of clever: for example if you have one network and your phones are all on the same network, and you wanted them all to go to different TFTP servers for your phones versus some of the other devices, you can actually assign all that in detail to each one. Another kind of novel thing: if it senses the device has wake-on-LAN, that shows up here too, so things that have wake-on-LAN I can actually send a wake-on-LAN packet to, and this adds a wake-on-LAN
mapping, so we can actually do this, LAN, save, and this brings us to the wake-on-LAN part, which we'll just jump to right now. So the DHCP server is really extensible, very well done. One side note, and I'm gonna jump here real quick about this 192.168.3.x range: when you change the LAN IP range you have to go in here, you'll get an error that you have to go back and change this. So you change the LAN IP first, then change this; if you change this first it'll tell you it's outside the subnet. So you actually have to change the IP address first, then you go into DHCP server and edit it. Just a little side note there, but it's pretty straightforward.

Wake-on-LAN, we'll just jump to this real quick. You can add wake-on-LAN mappings, you can wake all devices, add a list of devices here, kind of neat that they did this. You choose which interface you want to push that across; this one, because it's already a mapped one, already has it in there, and you can just press that and it wakes up the device, edit the device, or go ahead and delete the device.

Next on the services list: DHCPv6 relay, DHCPv6 server and RA, both of those are in here. DNS forwarder is the old DNS server; it's still in here but by default it's not enabled. I don't know if they're going to remove it from future versions, but it's no longer the default, everything's moved over to DNS resolver. DNS resolver is really nice, DNSSEC support, a lot of options in here. Go ahead and view it over here, so a lot of options in here, these are all the defaults, everything works perfectly fine as defaults. It also has an option, like I mentioned before, pfSense has a lot of these custom options boxes; these are where you can pass options directly to the service from the command line, so to speak. So if I want to add some option it didn't have a checkbox for, you can do that. But the clever thing you can do is this here: so we're gonna call this "test", and let's say we wanted to do this, this is a test server, apply. Now what this has done is test.lawrencesystems.com will
return this IP address. This is really handy when you want things that have external mappings and you may not want to use NAT reflection on them, but you want to make sure they resolve internally; you can simply put them in here. So there's the host, there's that. You can also just do a domain override, or you can take a domain and override it to a different IP address. Now this actually works as well for things like Facebook: if you put a domain like Facebook in here and then redirected it to localhost, you could redirect it to somewhere else when they're inside the network. So it's a real quick way to simply add mappings inside of here. We actually have a bunch of stuff internally mapped, because everything in our office is web-based, so this is an easy way for us to map all those web-based things that are internal but we still wanted to have hostnames attached to them. More customizations under the advanced resolver options; you can get really fine-grained detail in here, including some of the logging levels and things like that. You can also create access lists for who you want to access it: allow, deny, deny non-local, refuse non-local, more options here. Once again, maybe you only want a certain segment of the network to be able to ask your internal DNS; that's definitely an option here for the firewall. Custom options for the DHCP server customizations too.

UPnP is completely supported, so if you have a device, and this has come up a couple times where people can't get all the mappings to work right for things like an Xbox or PlayStation because they support UPnP, you can turn that on, and it allows all the different protocols of UPnP and NAT-PMP port mapping, what interface is going to be external and what internal interfaces. Now this is actually kind of cool because it does support, like we created the OPT VLAN; if you wanted to put your gaming systems in the OPT VLAN and then only allow UPnP on the OPT VLAN, or IoT devices in
general that may use this, this is a great way to do it to keep your network secure. So you put everything on its own VLAN and then you can enable UPnP not globally but just for the interfaces you want; you can select multiple interfaces holding the Control key in case you want it on more than one interface. There's also some restrictions for traffic shaping, logging, uptime, specific entries that you can do for UPnP access control lists, so you can really narrow down what's allowed to do this. Now this does have the option for a PPPoE server; I've never set one up, I don't have a lot of use cases for it, but it's got all the options in here if that's something you wanted to do. NTP serving, if you wanted to have your own time server: this is kind of weird because they didn't just put a time server in, they let you choose different pools, cool, you can add more than one if you want. So we can add this one here and you just put another one in, so whatever the other ones are you can put in each one, go from there, select to prefer it, so you can put a whole lot of different time servers, and that's neat. Common access control list for your time servers, kind of cool. Serial GPS, this is weird to me that they put this in here, but great that they did, I guess. It has a few different generic ones depending on the protocols used, and Garmin GPS, so you can plug a GPS in and have it pull this for your timing. I don't have a good use case for it; maybe someone does. I think maybe some ham radio operators might want to use this where they're in a remote location and need some type of time sync with the firewall; I'm kind of not sure on that, but it's kind of cool. It's been in here for a while, even in previous versions. IGMP proxying, that's an option in here.

Load balancing, now this is really cool, the load balancing options. I've got a couple things set up in here for load balancing for SMTP; if we go here and edit this, well this is not load balancing outbound traffic, this is a
load balancing of inbound traffic. Let's say you have three mail servers because you have some incredible volume of mail coming in; you can actually take the servers on and off the list here and it can load balance the incoming to that server. And it doesn't just support SMTP; we call that "mail server", you choose the port, I mean you could choose port 443 and have it load balance things, and that's the SSL port, or you can have it on port 80 for standard HTTP. Pretty neat, so there's definitely load balancing options in here. I've not really used it much. It'll also let you tie them together as a virtual server and then monitor, how do you want to monitor it, the different options in here. It's not something I've really used much of, but it's definitely an option here. There's some documentation on their site, which of course I think I pointed out before: you just click the question mark and it'll bring you right to the documentation page for any of these options, so they have all the little details of how to set that up.

Dynamic DNS is the last part we'll cover under Services for now. If you have a changing IP you can set up dynamic DNS. DynDNS is a specific company, it's very popular for this and they're supported in here; so is Hover and Namecheap and No-IP, No-IP Free, OpenDNS, tons of companies, Cloudflare, custom, a lot of stuff in here as options, which is kind of cool. So it changes the menus based on the different companies, username, password, and it'll do it. And you can put more than one, so you can get into multiple providers in here, which is really clever. It also has some specific options for things that are just RFC 2136, which is the dynamic DNS RFC; click here and it'll bring you to that page and get the details, the Internet standard for that protocol, so it's got some standardized options in there for that. It also has check IP services, so I thought this is kind of cool: it's checkip.dyndns.org, we actually go there, it tells your IP
address, so you can actually add more services that do that, and it's a way to parse it and just get that information for your system.

Moving on to VPNs. Now it supports IPsec, so here's all your standard IPsec settings; it has mobile client options, pre-shared keys and some advanced settings for some of the details in here. I'm not an IPsec expert, it's been a long time since I set one of those firewalls up. It does have L2TP in here: you can enable the L2TP server, bind it to one of the interfaces and configure that. It has its own user manager for the L2TP server, which I think is kind of neat, because OpenVPN, which we have set up here, uses the internal database by default; now you can use some of the other options, we're going to show you that here. Now here is the OpenVPN with one already set up to use the local database with remote user auth and some of the options. Now I've done an entire tutorial on how to set these up, and I really recommend, when you want to set up especially like a road warrior one, use the wizard. The wizard will start with the question of are we doing a local user, LDAP, RADIUS, local user database; it'll have you create a certificate authority, we don't need to add one, we'll just use the same one again. Next, WAN. Now we already have one on 1194, so it's going to give me an error if I choose this port, or I could choose a different port to bind it to. And it'll bring you through all the default options, and they're pretty much fine; like I said, I have a tutorial on the details of how to do this, but when you're done you end up with OpenVPN being completely set up and ready to roll through the wizard. Now the one thing I added, over here in the package manager, is this OpenVPN client export utility; absolutely, if you're going to use VPN you're gonna want to load this, and I'll show you why. So that puts and adds these menus here, this is client export, and we scroll down, and this is where it's really neat, because OpenVPN has a Windows installer that inlines everything I need to
authenticate with, except for the username and password. So I go and create a user in the user manager, and then I go and install the VPN; they run it and away it goes, it installs the VPN, they type in their username and password. Now if you do the password a little bit differently, and we use, this is "remote access (user auth)" but no SSL, we use "remote access (SSL/TLS + user auth)", that means create a certificate per user. Now even without that, if it's just remote access user auth, you still have the other keys and certificates that are needed to connect, it's just not a per-user certificate. So when we're over here doing it, it shows certificate name: none; it actually still has the cert for the system. Now if you add certificates per user, each user will show up, because you'll have to download each user and their certificate. And it also supports the OpenVPN Connect for Android inline client, which basically just means an inline file that has everything all contained in one file. That actually works great for Linux: you can just go from the command line, if you download the file, type in "openvpn" space the file name, with sudo, or make sure you're running as root, and it'll connect your Linux box to that. So OpenVPN is my favorite one to use in here, works really really well and has a lot of options. Now because we have this VPN set up, it shows up under our firewall rules as OpenVPN; by default we have, and I called it "OpenVPN demo wizard", the wizard creates the rules for you. There's a secondary way that you can add even more rules, like if you wanted the OpenVPN to also act as a gateway: when we're over here in the interface assignments you can actually add it as a network interface, so ovpns1 demo VPN, it will add that as another interface, so it can act as another interface to add rules to and against, and each server you add also can break out more rules that you can rule against. In my demo video for this I kind of detail the use cases for that and when you have to do it, and walk you through a tutorial on that. So that's pretty
much the whole VPN setup, and then the user manager for it of course is just the standard user manager.

Now the Status menus are just a repeat of what was already the status. As you could see for most things, like you know this is the settings for the DHCP and then this is going to be the related statuses for the DHCP, and it's all in here, so we have your DHCP leases, your filter reload, the gateway statuses, interfaces, everything that you've seen mostly as we've been going through this; when we click on the Status page you can see it's right here. This is just a different way to get to it versus clicking up at the top right here. A couple things that aren't in here though, like the services page: now this is the same as we have on the dashboard, we have the services, but if we go to Status, Services you get a few more options, just to restart the service, jump to the settings for that service, related status and related log entries. So it's kind of a quick way to say okay, these are all the services running, I want to jump to the options; so if I want to jump to the options page for the DNS resolver, that takes me right there, and these are the log entries for the DNS resolver, so it's a quicker way to do that. Also on the status traffic graphs, this is kind of an expanded view; like you've seen here on the dashboard we have the traffic graphs, this lets me choose a little more detail of things I want to see: bandwidth in or out, local, remote, where things are going to, sort by IP address, hostname, fully-qualified domain name. So as I access things that go through the network I can kind of filter and see in real time what's going through here. The other thing in the status is the system logs; they're actually under Status, not Diagnostics, I kind of thought that was a little strange, but that's really where they put them. And this gives you all the logging options so you can detail and go through them. You'll always notice you have the plus here, and this allows you to use regular expressions to filter anything; that's a filter
by time, process, PID, whatever you need to do on the firewall to take a look at that. Now while you're here, we started with the system logs; go to Settings, you can change this over here and increase the log file size, and I usually check this box here which shows log entries in reverse order, at the top; I like them at the top. But you also have some more options in here: if you want to display as a second row or column, how you want the logs displayed, reset the logs, and the option to send everything to a remote logging server. So I hit save; I made the size even bigger, wrong number in there; changes have been applied, and now the log files, it tells you the approximate size of the log file here, displayed currently uses 517K of 149G, which is how much is on here for extra storage. So now when I go to the rules, here's all the things in there, and that's displaying the latest one at the top; I just think that's better. It also has a summary view for the firewall, which is kind of neat, so it'll tell you interfaces, information about those interfaces, data points, the IPs it's traversing through, kind of a quick summary page of the firewall. The dynamic view has an auto-update; it updates I think every 10 or 20 seconds, it'll refresh and put the latest entries in here. But everything in here has different options, so like your OpenVPN logs, when you're looking for something you can find it, use regular expressions to find a specific thing. This is really handy for troubleshooting as you go through here and you just follow all the messages in there. And it's nice too, because right here under OpenVPN, now we're at the OpenVPN, so you can jump right between the log and the settings or even the Status pages between there to make sure the service is running. I really like the way pfSense does this right here, because now I can just change the setting, look at the log, is there an error, without having to jump through any of the menus, and it keeps me all related to what I'm looking at, so I can
say okay, I need to check this and do that. It's kind of a nice design and layout of the firewall.

Last thing we'll cover is the Diagnostics pages. We have an ARP table, so we can look up all the ARP going on, delete entries, things like that. Authentication testing, this is clever: you have local database options, so if I want to know if a password works, and it does; let's try, what about this guy, authentication failed; kind of novel. Backup/restore is awesome on this, so all we had to do to back this firewall up: we're gonna save the entire config file, it's saved, now we've downloaded the config file for it. By default it wants to back up everything, but I can just back up a specific thing, so if I know all the aliases we created are relevant to another firewall I can say just give me the alias file, just give me the settings for DNS resolver, so on and so forth, just give me the things for OpenVPN, and it will do that, including the CA information, which will get tied in there as well. I always do a backup of all; restore is much more fine-grained, so if you have a backup from another firewall and you want to push it to another firewall, you can restore only what you want, like static routing tables or the aliases, for example. So I always do a backup of all, but when I'm doing a restore sometimes what I want to do is a selective restore; you just do that, it reboots it, and away you go. You can encrypt the file; probably not a bad idea to keep it password protected, especially if your VPNs are in there, because if someone has your config file they can extract your VPN credentials and logins out of it. If the file is encrypted it has the password option here, and the same thing, you put the password here to create the file. And there's also an option at the bottom just to reinstall the packages. This gets a step further of cool when you go here to configuration history; now this little plus here, by default it's keeping 30 backups, but you can override that and change it; it tells you how much backup space is being
used. This is where it gets neat, because you can diff these: so change, change system logging options, configuration change for your pfSense; diff it, it's an XML file, it will do the diff of what changed. It also tracks who did the changes, whether it was the system or if it was an admin, whoever changed the rule options, it's all in here. So let's do a diff between, like, these to see more rule changes; diff, and it highlights the changes between the two versions. Now the cool thing too is these logs, and bring back this over here, and we're gonna go to restore configuration, list backups, and they're all listed here on the console as well, so I can read and say I have one, two, three, four, I can just type in the restore backup on there and restore to a previous configuration right from here; it'll restart the firewall and have that configuration back in place. So it works both ways from the command line, and if you do something to lock yourself out, easy enough to go back and do it. Going back down the list here: Command Prompt, you can grab a file, so /conf/config.xml is the location of that config.xml file; download, I can pull the file right out of here. If you know where a file is you can just type in that, hit download; if you want to upload a file you can do that. And you can do this too: it'll execute PHP commands, it will do commands in a shell, so pwd, it works out of /usr/local/www; you can actually do an ls in here too, it'll dump this right to the screen, so you can execute commands without actually logging in. DNS lookup, you can just do this real quick and look up anything you want, kind of clever, so there's Google's mail server, here's the name servers it used, here's the results from that and the records related to it; you can right from here quickly build an alias on that record. This is really handy when we log into clients when they're saying they're having a problem on their network; we can use this to quickly look up to see how it looks from their network. Factory reset; edit file, edit
file is kind of like it sounds, it actually lets you edit a file, so if we went /conf/config.xml, load, we can load that file in here, edit and save it. If you want to edit anything in the firewall manually, you know the location of it; it does have a browse option so you can pull certain files and edit them. Factory defaults is like it sounds, it'll reset the system to factory defaults; it is a two-step process, so you can click it but you've then got to go another step further here. Halt system, kind of like it sounds, turns it off. Limiter info, that is if you have any of the limiters set up under the queues for the traffic shaping, it'll give you the details on there. NDP table. Packet capture, this is pretty cool: you can grab a certain interface and turn it on, promiscuous mode, it has some limitations on that, I've seen some of the cards not support it, but you can grab all the data, a certain count, level of detail, full if you have a fast enough machine to be able to do this, do reverse DNS lookup on IPs, how many counts of packets, packet lengths, or port, or a specific host address, specific protocol, or IPv4 only for example, and then you can do a full packet dump and then download the file out of the system. pfInfo, this automatically refreshes here, so it has some nice network statistics on here. pfTop, so you can see some of the connections, sort by age, sort by expiration or packets. Reboot, well that's pretty obvious. Routes shows your routing tables; this is really handy when you're trying to sort things out and make sure the routing tables are there without having to drop to the command line. You can see, you know, all the different options, when you're going okay these are all the route tables, these are everything in here; when you're troubleshooting VPNs this is your best friend. S.M.A.R.T. status, I'm gonna jump over to my firewall for this. I only have one hard drive in my firewall, didn't feel the need to make it redundant, but I can actually go here, go to all and view, and it dumps the entire S.M.A.R.T. status
of my hard drive and all of the details in here. It also has self-test logs; you can perform a self-test on there, the different options that are related to S.M.A.R.T., and which hard drive you want to test. Sockets, these are all the socket connections on the firewall directly. States, you can see every individual state and connection and forcibly delete them; now of course these are just standard state tables, they'll re-establish, but at least you can see what states are there and search for them; finding something when you're tracing something out, this is really handy. System activity, essentially like top, and it's real-time updated. This is kind of neat: these are some of the database tables that are in here, so we added these ones, like we added an NVR recorder and a few others that end up in here, so these are the NAT subnets that were added; kind of weird that it's in here but kind of novel at the same time; bogon networks, they're essentially database tables inside the system. Now Test Port, I like this a lot: so if we go here and we know Google's mail server, and we put in port 25 and we hit test, it successfully connected to Google's mail server on port 25, and down here are the results. Now this is kind of cool because it lets you choose the different options and source addresses, so you can actually come from whichever address you have available, IPv4 or IPv6, and do some port testing; now this works for internal devices as well as external devices. And then we have traceroute, so we can do a source address, LAN, whichever one we want to go on there, whether or not we want to do reverse lookups, and hit traceroute, and it'll do a traceroute and dump it to the screen. And it looks like it didn't make it all the way to the destination, but it made it a few hops out and dumped some details on here, but it's a nice built-in function on there. So that's pretty much it for pfSense.

I will cover one last thing here that I added a package to show you, because these are ways the
packaging works in a little bit more detail. So we added iftop, and you may not have seen I have iftop in any of these lists, but I added it. Some of them, this is where you have to look up each package itself; they'll do different things. Like iftop, for example, is a command-line package so it runs here; the OpenVPN client export tool shows up under OpenVPN. So let's go back to package manager and look for another one; let's look at darkstat and install this, confirm, package is installed. darkstat shows up over here, so here's the darkstat settings; we click to enable, we're gonna use this as the capture and web interface, save, and access it. It's added the interface locally, put it here, here's some of the hosts, it started collecting data right away. So this is the one thing that may be a little bit confusing about pfSense: whenever you add a third-party package there's not a consistent place third-party add-ons go, so you have to look up the packages you're adding, and when you want to add them in here you want to see where they're going.

While I was doing this there was a new version of pfSense, so let's go ahead and show you how the update works on this. We're gonna go ahead and get it, confirm, and this is all there is to updating it. It's really fast, it doesn't take long; it's downloading the files, this is normal, it kind of swings back and forth while it's doing the updates. It says update complete, rebooting; so I drag this over here, update is complete, rebooting. So you're getting this broadcast message on here because we had iftop open, and it does take a second. Now we have a countdown here and it's going to count down how long it can take to reboot; it's already in a reboot mode over here. Now when it reboots from an update, occasionally it'll pause and extract some extra files that it added; that varies from update to update, how long that may take, if there's really much to it. It'll also update the packages; there'll be a message somewhere up here that it's doing that. Here's the extraction
part for the files that we downloaded; well, it downloaded automatically. And that's it, update's done, configuring an interface, it'll be back up and running here in just a second. And it's back up and running, that quick for an update, it's really not a big deal. And just in time, because this says seven, six, five, four, three, two, one, all right, patience, and now the system's on the latest version. Updates are pretty pain-free in here; I've never really had a problem, we don't mind even doing them remotely. Even with some of the different hardware, not necessarily all hardware that's from Netgate, we've not had a problem with it; it's a really flexible system. The nice thing is too, you can restore an older backup file, so if we have a machine that does brick upon update, we replace it and just push their backup file and everything's back to normal like nothing ever happened. It's not been much of a problem. But that was it for pfSense; it's a good overview of all the systems in here. Like I said, I have some separate videos on specific things; a lot of people like to talk about Suricata, I did a specific video on the Suricata system that's available, check the links, and I have an entire playlist just for all my firewall tutorial videos, so hopefully those are helpful. If there's something I missed or something I should make a more specific video about, let me know. If you like the content here, like and subscribe. Thank you very much.
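Two points from the walkthrough above are worth seeing in code: the configuration-history diff (what changed between two config.xml backups, and whether the change opened something up) and the reason the backup should be encrypted (a plaintext config.xml carries password hashes, OpenVPN keys and IPsec pre-shared keys). The script below is an added example; it is not code from the video, from Lawrence Systems or from the pfSense project. It works on two constructed, cut-down config.xml fragments embedded inline; the tag names it treats as secret material (bcrypt-hash, md5-hash, pre-shared-key, tls, shared_key, prv) are the ones I believe pfSense uses, and the dummy key and hash values are placeholders, not real credentials.

```python
"""Diff two pfSense-style config.xml backups and flag the secrets a plaintext backup leaks.

Added example, not pfSense code. The XML below is constructed and cut down; the secret tag
names are an assumption about pfSense's schema, and all key/hash values are dummies.
"""
import xml.etree.ElementTree as ET

# Tags whose text is credential material (assumed pfSense element names).
SECRET_TAGS = {"bcrypt-hash", "md5-hash", "password", "pre-shared-key",
               "tls", "shared_key", "prv"}

# Constructed "before" backup: one LAN rule, one DHCP static map, one OpenVPN server.
OLD_CONFIG = """<pfsense>
  <system><user><name>admin</name><bcrypt-hash>$2b$10$dummyhashvalue</bcrypt-hash></user></system>
  <filter>
    <rule><type>pass</type><interface>lan</interface><destination><any/></destination>
      <descr>Default allow LAN to any</descr></rule>
  </filter>
  <dhcpd><lan><staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.3.50</ipaddr>
    <hostname>echo</hostname></staticmap></lan></dhcpd>
  <openvpn><openvpn-server><vpnid>1</vpnid><description>demo wizard</description>
    <tls>ZHVtbXktdGxzLWF1dGgta2V5LW5vdC1yZWFs</tls></openvpn-server></openvpn>
</pfsense>"""

# Constructed "after" backup: a WAN pass-any rule was added, the static map moved,
# and an IPsec phase 1 with a pre-shared key appeared.
NEW_CONFIG = OLD_CONFIG.replace(
    "</filter>",
    "<rule><type>pass</type><interface>wan</interface><destination><any/></destination>"
    "<descr>temp open for testing</descr></rule></filter>",
).replace("192.168.3.50", "192.168.3.51").replace(
    "</pfsense>",
    "<ipsec><phase1><pre-shared-key>dummy-psk</pre-shared-key></phase1></ipsec></pfsense>",
)


def parse_config(xml_text):
    """Pull firewall rules and DHCP static mappings out of a config.xml document."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("./filter/rule"):
        dst = r.find("destination")
        port = dst.findtext("port", "any") if dst is not None else "any"
        rules.append((r.findtext("type", ""), r.findtext("interface", ""),
                      r.findtext("protocol", "any"), port, r.findtext("descr", "")))
    maps = {}
    for sm in root.iterfind("./dhcpd/*/staticmap"):
        maps[sm.findtext("mac")] = (sm.findtext("ipaddr"), sm.findtext("hostname", ""))
    return {"rules": rules, "staticmaps": maps}


def find_secrets(xml_text):
    """Return (element path, truncated preview) for every non-empty secret-bearing element."""
    root = ET.fromstring(xml_text)
    found = []

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if child.tag in SECRET_TAGS and text:
                found.append((child_path, text[:8] + "..."))
            walk(child, child_path)

    walk(root, root.tag)
    return found


def diff_configs(old_xml, new_xml):
    """What the config history diff shows, reduced to rules and static mappings."""
    old, new = parse_config(old_xml), parse_config(new_xml)
    all_macs = set(old["staticmaps"]) | set(new["staticmaps"])
    return {
        "rules_added": [r for r in new["rules"] if r not in old["rules"]],
        "rules_removed": [r for r in old["rules"] if r not in new["rules"]],
        "maps_changed": {m: (old["staticmaps"].get(m), new["staticmaps"].get(m))
                         for m in all_macs
                         if old["staticmaps"].get(m) != new["staticmaps"].get(m)},
    }


def risky_rules(rules):
    """Pass rules on WAN with no port restriction: the change a diff review should catch."""
    return [r for r in rules if r[0] == "pass" and r[1] == "wan" and r[3] == "any"]


if __name__ == "__main__":
    delta = diff_configs(OLD_CONFIG, NEW_CONFIG)
    print("rules added:", delta["rules_added"])
    print("risky additions:", risky_rules(delta["rules_added"]))
    print("static maps changed:", delta["maps_changed"])
    for path, preview in find_secrets(NEW_CONFIG):
        print("secret in plaintext backup:", path, preview)
```

Run it against a real backup by reading the file into the two string variables; the diff part mirrors what the configuration history page does in the GUI, and the secrets scan is the argument for ticking the encrypt option when you download a backup, since anyone holding the XML holds every key and hash it lists.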
Info
Channel: Lawrence Systems
Views: 280,315
Keywords: pfsense Firewall, pfsense, firewall, router, pfsense (software), network, networking, open source, security, pfsense router, pfsense tutorial, network security, pfsense setup, tutorial, nat, pfsense firewall tutorial, how to install pfsense
Id: RrQrt8r_uYg
Length: 107min 14sec (6434 seconds)
Published: Wed Nov 22 2017