pfSense VirtualBox Installation and Firewall Rules Basics

Captions
Okay, so as you can see, here's my download that we just did of pfSense, the Community Edition 2.3.4 64-bit. All right, so when you download it, it's gonna come with the .iso.gz extension, and really what that means is that it's a zip file, so you can't just assign this as-is to a virtual machine, because it doesn't know what this is. So you have to just double-click on it, and you'll see that it says it's now expanding the file that's within, and now we have the straight-up ISO file, the raw ISO file, the image that we need that we can now attach to other things, very similar to, you can see, this ubuntu-16.04 server ISO. Okay, so we can really go ahead and just trash this now; we don't need it now that we've extracted the real pfSense ISO out of this.

So I'll go back to VirtualBox and we will say New, and the name will be pfSense, and we'll say Linux and we'll just say Other 64... actually, oh, this is actually BSD, it's not Linux, and I believe, oh, pfSense I believe is here. I'll tell you. Okay, so we've determined that pfSense does actually run on FreeBSD and it's not Linux, and so we'll say Continue, and we'll give this a gig of RAM. Obviously in the real world, if you were, you know, speccing out a physical hardware build for pfSense to run on, which I highly recommend in a production environment, you do install this bare metal. Don't install pfSense as a virtual machine. There may be people that do it, but I just would not want my firewall also being on the same physical hardware as a whole bunch of other important virtual machines, not just for security, but then you also think about performance as well. If your virtual machine gets attacked and it's your firewall, you really don't want that bringing down the rest of everything else you do, you see what I'm saying there. So for security, for performance, separate your firewall and keep it on its own little part of the network and its own little... I mean, it can be in the same rack, obviously; it doesn't have to be in a different
room as everything else, but it needs to be its own physical piece of hardware. And then the cool thing about pfSense is you can actually set it up in high availability mode, where you can have multiple pfSense firewalls running at the same time, but to the network they just appear as one device, so that's pretty cool. I highly recommend that if you require the high availability firewall setup then definitely go that route, and, you know, depending on your number of users, the cost of doing that, the hardware that you would have to buy, really isn't that much.

So anyway, if you had a production environment you would want to see how many users and the required bandwidth and then calculate your memory based on that, and that is all available in the pfSense handbook, the pfSense website, and probably thousands and thousands of different forums where people have asked "how much memory do I need, how much RAM do I need, I have 500 users and a gigabit connection." I can't answer that question, because there could be a million different scenarios of why you may need more or less CPU, RAM, disk space, whatever. So for testing purposes one gig of RAM is perfectly fine.

And let's see, create a virtual disk now, Create. It recommends 16 gigs. I have no idea, I mean, it just says we recommend 16 gigs; I have no idea how they calculate that number, I've only told it it's a 64-bit install of FreeBSD, but dynamically allocated 16 gigs is probably too much. Actually, let's just do, like, let's just do 11... 10. Okay. So, okay, like, so this is, I mean, the layout is definitely different than VMware Fusion, but you can kind of see, you know, it's pretty straightforward here. Snapshots, that's cool, I didn't know that VirtualBox supports snapshotting, but anyway. Okay, so this is where we get into the actual setup of the network interface that we want and the linking of the ISO file to the DVD drive so that we can actually install pfSense. So we'll link the ISO first. You can see here, Storage, we've got
the 10.59 gig IDE primary master, which is the hard drive that this virtual machine is going to see, and then we have the optical drive, and we'll choose the disc image, and it was on the desktop, and it's pfSense, there it is, Open. Okay, you can see the size of the ISO after we expanded it and unzipped it, you know, increased significantly, it's almost double. Okay, and so now we've got the pfSense ISO, the pfSense CD, actually linked to the VM. There is one more thing to do, and that is change the, let's see, so I want to come here and do a bridged adapter. And what the bridged adapter does is basically say that the internet connection of the host, which in this case is the MacBook Pro, and it's connected wirelessly, what it's basically saying is allow other devices on this host to show up as their own network interface on this network. So my Wi-Fi access point right now sees my MacBook Pro; it sees one MAC address; it's handed out one IP address to this MacBook Pro. And as soon as I enable this bridged adapter and I spin up this virtual machine, this pfSense box, it's gonna have its own MAC address as well, and so my Wi-Fi access point will see that a new device has connected and it will also assign an IP address. So I think that's kind of like the easiest approach for setting up the virtual machines, you know; if you do not, then it's kind of like the virtual machine is on... and we're getting, there may be situations where that's what you want to do. Adapter 1, 2, 3 and 4, that's pretty cool that you can do that right from here. I believe you can do that in VMware Fusion, but I like this layout better actually in the free VirtualBox than I do the VMware Fusion interface.

So in a firewall, you know, you have the WAN and you have the LAN connection, and the WAN connection is gonna be your outside world, that's where all the bad things are happening and that's how you get, you know, out to the cloud, and then on the LAN side, your local area side, that's where your
clients, you know, are connecting, and that's your private side, that's the safe side. And so you can see how, if you're installing pfSense in a virtual environment, it can get sort of tricky to figure out where your interfaces need to be on your virtual machine and how that relates to the actual physical host that the virtual machine is installed on. But in our situation, basically Adapter 1, this bridged adapter that's pointing to, you know, the Wi-Fi network, which can get out to the outside world, that is going to become our new WAN for the virtual machine. Okay, so we're basically gonna create a new network, in the pfSense world, for its LAN. All right, so Adapter 1 we'll set that up as our WAN connection, our external connection. And so basically, to get to the outside world, since we're doing this as a virtual machine and it's not our actual firewall, our actual router, we're basically adding an extra hop for traffic behind the pfSense firewall to get out to the outside world: it will go from the pfSense LAN, through the firewall, through the real modem and router, and then go out to the outside world, whereas right now, like, on our host, we don't have the whole pfSense firewall in the mix, it's just MacBook Pro, modem, access point, you know, out to the outside world. So I hope I didn't make that too complicated or too confusing, and that might have been a situation where less was more, but anyway.

So on our pfSense box we've got Adapter 1, which is our WAN, and so now we need to create a second adapter for the LAN side. So we will do Adapter 2, we'll enable it, and let's see, I'm trying to think, you know, if we do internal network... and there's really no way if I do bridged on here as well. If I do bridged here, let's see, I mean, it's gonna get tricky, because the WAN and the LAN are gonna have to be on separate subnets, I believe, unless we set pfSense up in bridge mode. You know, I tell you what, like, we'll just do internal network here so
that... okay, so we've got that figured out. Audio, like, you can probably come in here and turn a lot of this stuff off; not that you have to, it's probably gonna work fine if you don't come in here and turn some of this stuff off, but yeah, like, it doesn't need a USB controller, we don't need to share any files between... and User Interface, hmm, this is cool, looks like you can sort of customize the interface that will surround the virtual machine after you power it up. Pretty cool. It seems like they definitely are focused on allowing you to customize the experience way more than they let you in VMware Fusion, but, you know, again, VMware Fusion is designed for, you know, a certain flow, and then VirtualBox, being free, is, you know, probably a lot more open to customization. So I think it's cool, I think I would definitely, you know, use this again as long as, you know, everything seems to work and be stable. So let's see here, wow, network boot, that's cool. I know that's available in VMware Fusion, but it's cool to see that that's available in VirtualBox as well. So Processor, this is cool, so you can set either one or two CPUs. Acceleration, we don't really need that, so we'll just do one processor, that's plenty; this is not going to have any load whatsoever.

I'm still... the network has me a little... I'm almost thinking, you can see, I need to be able to access the local area interface, you know, and if it's an internal network then I'm not going to be able to do that. Let's do bridged on this as well. Okay, if I do bridged on the second adapter as well, then I'll be able to at least, you know, get into pfSense through the web interface and configure it. I'm not sure how the WAN interface is going to operate, and I may, you know... it's not like I'm gonna use this as a real pfSense firewall anyway; it's not like I'm going to start redirecting all my machines on my LAN to use pfSense as the gateway and start using this virtual machine as one of my
gateways, because that would make no sense: as soon as I close the lid on this laptop, that means the internet would go down. So let's see, everything else seems to be okay, like a gig of RAM, it's gonna boot off the optical and then the hard disk, which, as we know, optical isn't really optical, it's what it thinks is the CD drive, which has been linked to the ISO that we did not have to burn, which is kind of cool. And so I believe we're ready to start now. I believe we just click this here with this little down arrow: Normal, Headless and Detachable. Yeah, let's do Normal. If it starts smoking and flames shoot out everywhere, then we know we did the wrong thing, but hopefully not.

I like this: "You have the Auto Capture Keyboard option turned on. This will cause the virtual machine to automatically capture the keyboard every time the VM window is activated and make it unavailable to other applications running on your host machine." This is kind of cool, because, you know, in VMware Fusion you pretty much have to, like, get the operating system installed and then you install VMware Tools, and then you have the option of clicking into the VM and then clicking out. This basically is saying that the currently assigned host key is shown on a status bar at the bottom of the virtual machine. Okay, so it's the left Command key. Cool. Okay, wait, what's this now? "The virtual machine reports that the guest OS does not support mouse pointer integration in the current video mode." Hmm, well, we don't really have to worry about that. Okay, Do not show this again. That's the same thing, okay, except we will do the quick and easy install. Okay.

And then for those of you that aren't really, like, experts or really have much knowledge with virtual machines and VirtualBox, VMware Fusion, that type of thing, if you don't really know what's going on, then you probably would be in total panic slash freakout mode that it appears that I'm installing pfSense on my MacBook Pro and then I'm totally blowing away everything on the hard
drive and just deleting everything on my MacBook, which isn't the case, and I'll tell you why. Because when you set a virtual machine up and you set the size of the hard drive, that is its own little slice of heaven, it's its own little entity. It's not touching anything as far as my real actual boot volume, the hard drive; it's just utilizing a little bit of space. But as far as the virtual machine is concerned, it has, you know, a 10 gig hard drive that is its own little thing, its own little deal. So anything we do here, when we say "yes, sure, delete everything on here" and "yes, blow away all the partitions and start over with new," it's not touching the actual MacBook Pro's hard drive. If it were, I'd be in some pretty serious trouble. But so, anyway, yeah, it's fine to say, yeah, just, you know, do the install. Let's see, we'll use the standard kernel. I actually need a drink refill. Well, "this machine is about to be shut down. After the machine has reached its shutdown state, you may remove the CD from the CD drive. Reboot," and okay.

So I can see one problem that we're gonna have immediately is this: 192.168.1.1. That is the same, that's on the same subnet as my actual LAN, and so when these network interfaces come online and join my network, I'm probably going to have an IP conflict or an IP duplicate, but we will fix it, no problem; it'll just take the internet down for a couple minutes while we get that taken care of. Shouldn't be too big of a deal, since we are network experts.

Okay, so one thing is, like, see how I'm moving the mouse around now and I can click on this and I can drag it around, and we can minimize this, we can just play around with this, we can actually minimize this if we want to or fullscreen it, whatever. And so down here on the bottom right where it says left Command button... and actually you can resize this too if you want. Oh, it's not actually increasing that screen size, it's just making more white space around it. Okay, cool. So
anyway, that message that kept popping up, if you didn't really understand what was going on there, it's basically saying that, like, while you're in your host operating system, which in this case happens to be macOS, you know, when you're clicking around and whatever, if I hit Enter right now then it's... I didn't expect that to happen, I didn't think it was gonna actually do anything. I actually want to go back. Okay, you think you know something; what if we hit Escape? Okay, so anyway, I don't want to change the video font or anything else for that matter. I guess when you click on the title in the window, then, like, now the keyboard inputs are being thrown into the virtual machine, because if I hit the left Command then you can see this little thing down here goes green, which means captured. Oh, that's a cool little pop-up there to explain that. So it says the keyboard is not captured when it's not green. Well, actually, that's not true, because if I click here, this isn't green and yet I'm still arrowing up and down, so not quite accurate. I mean, that's not a huge deal, it still works; it's just a little odd that it would say that. Anyway, so now you can see why I was confused of why the keyboard was working, because it shouldn't be, but it is. Anyway, but if I click over here and click outside of the virtual machine, then if I do the arrows up and down you can see I'm actually cycling, let's move this out of the way, I click here, I'm actually cycling up and down, you know, on the icons on my desktop. Okay, so apparently you don't really have to click into the virtual machine; if you just click the title bar here and it's the active window, then your keyboard inputs will be captured by the virtual machine.

Okay, so Enter, and actually we don't want to do this, we just did this, we have to... it booted off the CD again. Okay, and so this is another change from VMware Fusion: if you assign the CD drive and do the install, when you reboot it automatically boots off the hard drive. So what we
have to do is unmount or eject the CD drive. So you can see I right-clicked over here on the CD drive and we'll just say Remove disk from virtual drive, which is basically the same as ejecting it and pulling it out, and we will force the unmount. Okay, and then we'll just do Reboot here, and it's gonna give me a whole bunch of errors because I ejected the disk before I was supposed to. So how do we do a power cycle on this thing? Machine, Reset, yes. So, you know, a little bit of a learning curve. That's not necessarily, you know, like a huge design flaw by any means from VirtualBox; it's not anything that I would say just turns me off totally to VirtualBox. I mean, if anything, that was more of a user error than a VirtualBox error. So again, though, like, using VMware Fusion and knowing how virtual machines work and kind of, like, the flow let me know that, oh, it's booting off the disk even though I've already done the install, I mean booting off the CD, and I've already done the install and so now I don't want to do that anymore, so I just need to eject the CD and that will boot off the hard drive. And it kind of goes back to, do you remember seeing maybe some preferences? No, Machine, Settings, I think it's here. Kind of goes back to System, maybe, yeah, this boot order. Okay, Optical and then the Hard Disk, and, you know, if the virtual machine was powered down we could probably come in here and actually change these by clicking up and down. So if you always wanted to boot off the hard drive first, you could just click here and then click up and it would move it to the top. So anyway, if the virtual machine was powered down we could actually come in here and say, you know what, never boot off the CD drive ever again until we come back in here and turn it on, if we ever wanted to do that. So that is what was happening, and that's how you fix it.

Okay, so in pfSense the default behavior of the WAN connection is to go ahead and utilize DHCP, see if there's a server out there,
grab an IP address, and as you can see it did: it got 192.168.1.28/24, which, for those of you that don't know what /24 is, that's the subnet mask of 255.255.255.0. Okay, the LAN side must have detected that there was already a 192.168.1.1... actually, no, it didn't do that. The reason that the LAN dropped the 192.168.1.1 is because that would be on the same subnet as the WAN side, which makes no sense, basically, so that's why, basically, it's blank. Okay, but what we can actually do is we can have some fun with this: we can come in here and we can assign a LAN interface IP address that is on a totally different subnet. Let's put it on the 10.0.0.0s. And then what we can do is, to try using pfSense, we can actually point our MacBook Pro to 10.0.0.1 as its gateway and use it as DNS, and use it... so that would be kind of interesting, because what would happen is the MacBook Pro, which is the host device, would be using pfSense as its gateway, which is running on the host device as a virtual machine; that virtual machine is connected... its WAN side is connected to the access point and then going out to the cloud from there. So in theory that should work just fine. I've never done that before, well, we'll try it out and we'll see if it works.

Okay, so we will Set interfaces, set the IPs on the interface, and we'll leave WAN on DHCP, which is what we want, and then we will change the LAN static IP address to something else, which actually there's nothing right now, so we'll go ahead and set it. So what you do, like, okay, this is all considered the console of pfSense. After you get this initial step completed, then you can do pretty much everything else you ever need to do through the web interface, which with the new release is really nicely polished. You can tell they took a lot of effort on getting the web GUI sort of, like, refreshed and to where it makes more sense and it's more intuitive. So anyway, we will configure the LAN interface, and so to do
that, you just see here it says enter the number of the interface you wish to configure, and so we have 1 - WAN and 2 - LAN, so that obviously means if I want to configure the LAN interface then it will be number 2. And you may have, you know, in a real production environment you may have multiple interfaces, you know, more than just these two here; you could have maybe, you know, four or five, six different interfaces or more. So we will go here, and we said 10.0.0.1, enter the new subnet, okay, so that'll be 24. And see, it says for WAN you would want to enter the upstream gateway IP address. Okay, so since this is a LAN side, the upstream gateway IP address is actually going to be the firewall itself; the way inside... that's where all the LAN traffic is going to take its next jump, is to the WAN interface, which is why it's basically saying if this is a LAN side connection, if this is part of your LAN network, then don't set anything here, because pfSense will take care of it for you. So we'll just hit Enter for none, since it is a LAN network. And it's asking for IPv6 addresses, which we do not want to configure, so we'll say Enter for none.

Do you want to enable the DHCP server on LAN? Now, if I had this LAN interface totally isolated from the rest of my network, then I could say sure, yes, turn on the DHCP server. Okay, and so for those of you that don't know or maybe have forgotten, the DHCP server is what actually hands out the IP addresses to your devices so that you don't have to manually go into every device and type in the IP address, you know, for every single different device that's gonna connect to the network. But since this network interface is connected to my real LAN, then I want to make sure that I say no here, because what would happen if I said yes and turned on the DHCP server for pfSense is then it would be fighting with my access point that's on the same network, which also has a DHCP server running on it. That's how I got 192.168.1.28/24,
that's how my WAN interface got that: it picked it up from the DHCP server that's running right now. So the last thing I want to do is take an interface that's connected to the same network and turn on another DHCP server. You know, this is one of the cases where more is not better; you know, the more DHCP servers you have on the same network, the more disastrous it would be. You can't have more than one. So we will make sure we say no here so that we don't create a disaster. Now, what that means is when I do want to connect a device to this new LAN network that we're creating on the pfSense box, what that means is that we have to manually configure it; we'll actually go into the network interface settings on the clients and say, you know, 10.0.0.5, you know, with the /24 subnet, and then 10.0.0.1 as the gateway. Not a big deal, this is just a test environment, we don't really care, right? So we'll say no to the DHCP server so that we don't take our network down totally.

And it always asks this, I'm not really sure, you know, why this is here, but it always asks if you want to revert to the HTTP protocol for the webConfigurator access. I mean, I know why you may want to revert back to it or whatever, but I don't know why that's asked here in particular, but whatever. So we'll just say no, because we do want to continue to use HTTPS, and in your production environment you would definitely want to, you know, keep HTTPS enabled. So we'll say no, we do not want to revert back to unencrypted HTTP web GUI access. And okay, so basically, you know, it shows you what it did and it lets you know that the web GUI, the webConfigurator as they call it, is now available at https://10.0.0.1, which we will not be able to access from any devices right now, because they're all on the 192 network. We'll change that, we'll change it on this MacBook Pro, we'll see if what I think is gonna happen is actually going to be... we'll see if it's possible to do what I want to do. So Enter to continue, and
then it sort of just drops you right back to the main console, where you have, you know, the individual options and you just type in the number of what you want to do. Okay, so just to sort of recap: WAN is connected to my actual local area network; it has a 192.168 IP address from the DHCP server running on my access point, and then the LAN is 10.0.0.1/24, which is 255.255.255.0 for the subnet. And if I pull up a terminal here and, just for fun, try to ping 10.0.0.1, you can see that I didn't get any responses, unreachable. Okay, so if I go into my System Preferences and I say let's check out the network information: Manual, okay, 10.0.0.5, and we said that we put it on the /24 subnet, which is 255.255.255.0, and then the router, which is the gateway, it's funny how different operating systems call it different things, 10.0.0.1, and we'll just make sure that IPv6 is Manual, okay, and then DNS, we can come in here and, well, I'll leave those the same. So 10.0.0.5, and this could be anything from 2 to, you know, whatever, 255, you know, it doesn't matter, as long as it's not something that's already on this network, which, as we know, this is a totally different subnet that we just created; there's nothing on this network except for 10.0.0.1, which is the firewall. So I'm just gonna make it 5. Okay, you could just as easily come in here and make it 100 or 254 or 200; well, let's make it 5. Okay, then, like I said, Router is the gateway, which on this network that we're joining we know, as we just set it up over here, pfSense is going to act as the gateway and it's 10.0.0.1/24, so that's where I got all those numbers from. Okay, the subnet mask has to be the /24, that's what we've defined here. Now, if you did a /23 or a /21, well then you need to, unless you know those subnets off the top of your head, you need to get the calculator and figure out what that is that you need to put in here. I mean, I know a /23 would be 255.255.255... it can be anything,
you could have done 10.0.0.1/8, it doesn't have to be, you know, 24, I mean, that's just in our test environment, but if you had done /8 then you would be at 255.0.0.0. Okay, and okay, so I probably wasted enough time on that, but you see the general gist of what's going on here. Okay, so now what's gonna happen is, if I save these settings, then I'm taking my MacBook totally off the 192 network, I'm adding it to the 10.0 network, and then using pfSense as its gateway. Okay, so we'll hit OK and we'll hit Apply, and then we'll close this, and then we'll go here, and if that's how you like, let's make sure that nothing from other pfSense installs interferes... Advanced, and you get all these error messages because it's basically saying that, like, you're trying to connect via HTTPS, but the certificate that is on the pfSense box, we don't know what it is, where it came from, what's going on, and it's basically saying do you trust this person, do you trust this server, and of course we do. Okay, I believe, okay, so the default username and password to get into the web GUI is admin for the username and then pfsense for the password. And so as you can see, we have connected to the LAN side of the pfSense box. Okay, so we've actually connected to here, okay, and you can actually see, you know, in the log here, it's saying that, hey, someone tried to sign in with the admin credentials, it failed because I typed in admin/admin, I thought that was the default user and pass, which it is not, as I just said, and then you can see that there was actually the successful login for the user admin, and then it actually tells you from what IP address the user signed in, so 10.0.0.5. Okay, so we're actually, you know, coming in on the LAN interface of this pfSense box, and once we get pfSense set up we could actually start accessing the internet through pfSense, which is kind of cool, because then we can set up some extra firewalling, we can do, you know, bandwidth shaping, we can do lots and lots and lots of cool things through pfSense
for, you know, testing out different features of it. This is also a great way to, you know, try things, play with some firewall rules and see, you know, oh hey, we have this application that we have to have working and all of our ports are blocked except for what we allow, you know, we only allow whitelisted ports to be, you know, accessible going out and obviously coming in. So this would be a great thing to say, you know, I don't really want to, in the production environment, start playing around with the firewall rules in the middle of the day, or wait until the middle of the night to try this stuff out; so you can actually come here and see if things react the way that you expect them to in your test environment.

So the first time you sign in to the web GUI it's gonna take you through a nice little setup where it says, hey, this is how you do everything and this is what you have to set up. This is talking about pfSense Gold, which, if you're going to use this in a production environment, I actually really recommend. I think it's like $99 a year, which, this right here, this benefit of the Auto Config Backup, is fantastic. That alone is worth the $99 a year: every time you go into pfSense and you change something or update something, whatever, a configuration backup is automatically done, and then that config file, the change that it noted, is actually uploaded to pfSense's cloud. Okay, so if you have, like, a major catastrophic hardware failure or you have a fire or some other sort of disaster where you lose everything, when you need to get back up and running it's as easy as installing pfSense, signing in with your Gold credentials, and clicking restore from last configuration, and you'll be back up and running. So it could save you hours and hours and hours of downtime, and depending on how complex your scenario is it could be, you know, days of downtime of reconfiguring anything from firewall rules, DHCP static leases, DHCP servers, captive portals, and this Auto Config
Backup saves all of that. It saves your vouchers if you're doing captive portal, saves the roles and the tickets and which ones are expired, which ones have been used; it will save everything. So it's pretty fantastic, it can save you a lot of time and a lot of money. But I'm not a pfSense spokesperson or salesman, and I don't care if you buy it or not, but I'm just saying that for me it was worth the 99 dollars a year, and you get the pfSense manual in PDF form that you can print, and it's a lot more in-depth than what's available online. Anyway, promise, I'm not a reseller; you know, don't buy it, just don't buy it.

Okay, Hostname, you know, whatever you want. You can call this gateway1, you can call it firewall, whatever you want, who cares; that's totally up to your networking environment and your naming structure. Let's see, um, local domain, you know, if you had mycompany.com or mycollege.edu, that's where you would put this in. We'll leave this mydomain.com. Primary DNS and secondary DNS servers: these are the actual DNS that you want pfSense to forward on to. Okay, pfSense can be set up as a DNS server or as a forwarder or relay, and these, what you put in here, are what they're actually going to relay to or forward to. So if you have another internal DNS server that you want requests, if pfSense can't handle them, and you want pfSense to forward that request on to another DNS server that's internal, you can put that in. If you wanted to go to Google you could type in, you know, Google's servers right here. If you have your ISP DNS, you want to use some sort of, uh, I guess it's called, and what is the name of that, OpenDNS; if you want to pay for an OpenDNS subscription and get a little bit of DNS protection then you can put OpenDNS as DNS servers in here. The sky is the limit pretty much, you can put whatever DNS servers you want here; just know that whatever you put in here is where the traffic will be forwarded to, the DNS
requests will be forwarded to. This checkbox here, basically what it's saying is allow the DNS servers to be overwritten by your provider, your WAN connection. So if you leave this checked and you come in here and say "oh, I want to use Google" or "I want to use OpenDNS" and you type in your DNS servers here, if you leave this box checked and your internet service provider, upon throwing out its DHCP leases, is providing DNS servers, then these will be overwritten and you will be using your ISP's DNS servers. So I prefer to leave this unchecked because I don't want to use the ISP's DNS servers. I would say most people probably don't, unless you're more like in a residential or small business environment; but if you're in education or a hospital or healthcare environment, whatever, you are probably going to be using something other than the ISP's DNS servers, so I would uncheck that. Of course you need to think about your situation and decide whether you want to use your custom DNS servers or not.

OK, and then come in here and set the time zone. We are Chicago. Next. Obviously you would select your time zone there.

OK, and then this is talking about the WAN interface, which by default is set to DHCP. I have no problem with that, because in this particular environment we were wanting the WAN connection to connect to our LAN and get an IP address. That could still be set to DHCP even in a production environment, but you typically would want your firewall, if you have a static IP address from your ISP, if you pay for that, you typically would want to come here and say static and then actually put in the IP address, the subnet and the gateway that your ISP gives you. That way all of your traffic from your college or your workplace or whatever is always flowing through the same IP address, and you get into a lot of cases where you want that to be true, because sometimes you pay for, or there
are cloud-based services that require the IP address to come from a certain, or they require the logins to come from a certain IP address, and if that's changing all the time, you could do a couple of things there. You could say "here's the range of IP addresses that our students or our employees will be connecting from," and then the software company that's providing the service can put in that range; or you can come here and say the static IP address is this, and then you hand them the one IP address where you say the traffic will be coming from. Here you get into situations where you may have multiple WAN connections for load balancing or failover, and that's where you would get into a situation where it would probably be a lot better if your WAN connections were all statically assigned. That way you know that you're either coming from this IP address or you're coming from this IP address; it's any one of the two. OK, so in our situation though we will leave this DHCP because it doesn't matter. And then if you had selected static, this is where you would put in the static IP address, the subnet mask and the upstream gateway. Then it's PPPoE, PPTP, and RFC 1918.

OK so this, you can see why they have this checked by default, and then you can also think of why someone would need to come in and uncheck this. For example, in our situation right now our WAN side is an actual 192.168 and it's within the /16 network. OK, so if we wanted other devices that are on our real LAN, the real network that's connected to the access point, that are on the 192.168.1.whatever, if we wanted to set up like port forwarding or something like that from the WAN side of pfSense into the LAN side, if we have this checked to block private networks from entering the WAN side, then that traffic isn't going to make it, because the originating source is from a LAN, an RFC 1918 private network. So in our case we actually want to uncheck this
because the WAN side isn't exposed to the outside world where it has a real IP address that's accessible from the outside world. So yeah, we can leave that checked. Next.

And then this is basically just the same thing we did on the WAN interface, but it's just for the LAN, and it's basically saying do you want to keep your LAN interface at this or do you want to change it to something else, and if so, what do you want to change it to. We want to leave this the way that it is. OK, next. Admin password: they don't want you to keep pfsense as the password, which is totally acceptable. I like that they force you to change it. So we will make this ultra high security and click reload. And so if we go here we might actually see that the server is going to restart; I don't know if reload means restart the server or just reload with the new configuration options. OK, so it's not actually going to restart the server. OK, let's go ahead and do that though, I'll show you what that looks like if I can figure out where that is. Yeah, here it is: Reboot, it's under Diagnostics. OK, so if we come here and we say let's reboot the server, and then we go take a look at our VirtualBox, we will see that now the server is actually going to restart. OK, and hopefully that doesn't take forever. I'm just going to go in and hit enter on that so we don't have to wait. I have to say that, using VirtualBox for the first time in years, I'm impressed, and I really don't know, if you used VirtualBox and hadn't already paid for VMware Fusion, if you're just doing basic server installs like I'm doing, I really don't see why you would pay for VMware Fusion. It seems to be stable enough. I mean, granted, I haven't done a whole lot of testing with it yet, but unless it's just super unstable I don't see why you would pay for VMware Fusion, like I said, if you're using it in more of a server type install. That's not to say that if you're not
using it for servers and you actually are installing Windows or something like that, or a Linux distro with a GUI, that doesn't necessarily mean that I would be against it. I'm just saying I haven't tested it, I don't really know if it's any better or worse or whatever, but initial impressions are I'm impressed and I see no issues with this at all.

So we will minimize our virtual machine and get back to the web interface and sign in. Release date 2006 for the BIOS, that's pretty funny, innotek GmbH. Anyway, so let's see, with my MacBook's network settings using the pfSense box, let's see if I have a network connection to the outside world. OK, so remember, my gateway on my MacBook Pro is no longer directly pointing to my access point and modem and getting out to the outside world that way directly. Now I have pointed my gateway to pfSense, and so now the traffic will flow to the gateway on the LAN side of pfSense, go through the firewall and all of its rules, out the WAN interface, then travel to the LAN side of my modem slash access point, go out the WAN side of my modem to the outside world. So you can see we basically have added an extra hop right in the middle. So let's go here and go to speedtest.net, and look at that, you can see how slow my internet really is, it's pretty terrible. Now it could be a little bit slower than normal, because if you think about the routing of this traffic and how it's basically making a loop, it could slow some things down a little bit, but let's see what happens here. Well, it's actually right on; I mean it's no slower than what it normally is. I pay for 12 meg internet, so to get 13, 14 really isn't that bad, because a lot of times you pay for something and you end up getting half of that, and then you call and complain and they say "well, we say up to this amount, we don't really guarantee that you'll get that amount." So for what I'm paying, for what I'm getting, I really can't
complain too much. Is 12 megs or 14 megs the best speed in the world? No, but I'm not paying for more so I don't expect more, so no complaints today. But as you can see, pfSense is working fine out of the box with basically no firewalling, no firewall rules set up at all, no custom configuration except for the stuff that you saw on the console to assign the local IP address, which you really wouldn't have to do because it would have come pre-programmed with one already there had the WAN not been on the same subnet.

So let's go take a look. We'll say Interfaces and we'll go to the LAN interface... no, we want to go to Firewall, Rules. OK, so let's go to LAN. This is where you start to get into the fun part of firewalling. As you can see there's not much here; really all that's here right now is we have the anti-lockout rule and we have IPv4 allow all and IPv6 allow all. What that means is anywhere, any port that I want to use to get out to the outside world, whether it's 80 or 443 or 25 or 110 or 444, whatever, I can get out to the outside world. Now just for fun, first of all we can delete this IPv6 allow anywhere because we don't need it, and since we're not using IPv6 it's actually a good thing to do for security reasons to just get rid of it. So then this IPv4: if we go here and disable this, then basically I'm not allowing any ports to get out to the outside world now. OK, the one rule that let me go out to the outside world on any port I wanted has now been disabled, and there are no other rules defining that I can get out on 80 or 443 or whatever. This anti-lockout rule, what that is for, you can see that the destination is the LAN address. OK, so 10.0.0.1 is the LAN address, and why they put this here, this anti-lockout rule, the reason this is here is so that when you're doing things, adding and removing firewall rules, you don't accidentally delete this or cause a situation where you have now locked yourself
out, blocked yourself from getting to this web interface, because without this rule here, by disabling this rule I would have just locked myself out. The firewall would have said "oh, it's an IPv4 address, it's coming from the LAN net and it's coming from any port, any destination, and it's been blocked, so no, you're not getting in," and then everyone, including me, would have been locked out of the web GUI of the firewall. So this anti-lockout rule is there to protect you. Now in more complex environments you can't really leave that like that, because once you get into VLANing and multiple interfaces and multiple subnets you really want to get away from the default lockout rule, because you can see here that it's allowing it from any source and any port to get into the LAN address. Well, you may have a guest network or something like that where you don't want guests getting in here. But anyway, that's for a future video.

So if I try to get out to the internet now, with the one rule that I had set up allowing me to go anywhere I wanted being disabled, now everything's blocked. So if I go back to speedtest.net it's not going to work; I can't get out because speedtest.net is on port 80 or 443. If I type in https://speedtest.net, so HTTPS, let me test on that: I can't connect, I can't get to the outside world, because no ports are available going out. So what can I do to make a really, really secure network? OK, I could just come over here, if I wanted to be a little less secure, I could come over here and say enable this rule that allows any client on the LAN to get out on any port that they want. So that means that services like Steam that may use a wide range of ports will just work; I don't have to go in there and create a rule that says allow this port range, UDP or TCP, define the protocol. I don't have to do anything like that. If I just enable this one rule, that means that everyone can get out on any port, so
that means Skype, any other video conferencing software that may use a different port besides the basics like 443 and 80, all of those will just work out of the box. But that also means that a lot of other stuff will work out of the box, including some nasty things like viruses and malware, ransomware; once they're installed and once they're active they will all be allowed to just go out and phone home through whatever port they want. And so it can be a security risk to keep your firewall open where any device can just shoot out to the outside world and connect with whoever they want to connect with; that can be a dangerous thing. So what we would do is actually disable this rule. And now let's say that there are two ports right off the start that I know have to be open for normal use. Which ones do you think those will be? 443 and 80. OK, 443 and 80 are HTTP and HTTPS. Those pretty much have to be open; if you don't have 80 and 443 open you are going to have some major, major problems, unless your users only need to access certain applications on their workstations and that's it. If they don't need web access, if they don't need web-based email and they don't need Facebook and they don't need to be browsing the internet, then don't turn on 443 and 80. That'd be an easy way to stop all of that in its tracks. If you have employees that come down to their office, they sit at their machine, they open one program and that program connects to the outside world on port 555, then open port 555 and close everything else down, if you don't want this person or these employees doing anything on the machine. That'd be one way to do it. Another way to do it would be to just uninstall the web browsers on the machine. There's a lot of different things you can do, but one of the easiest would be to just block all traffic except for what they need to be productive. So
as you can see, we have no internet access right now. But let's say in our environment, let's say we're at a college, and yes, the faculty and the staff are going to connect through this particular network and we want them to be able to go to Gmail, go to Facebook, whatever. So what we would do is add a rule, and we want this action to be pass; we want to pass what we are about to define. OK, and there's different things you can do here, there's different ways to go about designing a firewall and designing these rules. You can basically take a whitelist approach or a blacklist approach: sort of allow all and blacklist certain ports that you want to close, or block all and allow the certain ports that you want to be open. Obviously the block all and specify the ports that you want open, that you want to whitelist, is the much more secure approach, because then you're basically saying you're not getting out on any port unless the network administrator knows about that port and has opened it, and has opened it for the right protocol, and maybe even has opened it for the right IP address, and maybe even has opened it for the right external IP address, because you can define the destination and say "OK, the VoIP phones need to connect to the server that's in the cloud and we know what the IP address of that VoIP PBX is," and so we will put that in there. And so yes, VoIP connections are allowed out, but they're only allowed out for the VoIP extensions and they're only allowed out to this particular phone server. So there's a lot of different things you can do; you can be as strict as you want or as lax as you want. It all depends on your environment, and it all depends on what the usage is and how secure you want to be. There's always a trade-off; there's a trade-off and there's a middle ground, because you don't want to be too lax, with potentially sensitive information being compromised, but then you don't want to be too strict
where you say any connection going out on 443, any time someone types in HTTPS into their web browser, we want to specify the IP address that they're going to connect to and allow that. I mean that would just be insanity, complete insanity, unless you had a very short list of websites that you wanted to allow access to. So you can see there's the middle ground, there's the trade-off, and so it's up to you to decide how secure are we going to be, what makes sense for my environment. Because let me tell you, if every time someone wants to go to a new website you have to manually add that in, and they're creating a ticket and they're waiting minutes or hours or days to get access to a website, you are going to cause a problem. You may be the network administrator or the IT specialist or whatever your title is; if you're doing this type of firewalling you may not be in that position for very long if you piss off enough people. OK, so anyway, let's get back.

Now that we've explained allow all and blacklist these, or block all and allow these, we in this particular example have opted for block all and allow what we specify, the safer of the two. So since we are blocking all and allowing what we define, we want to make sure that the action is set to pass. OK, if we come here and say block it doesn't make any sense; we're already blocking everything by not having the allow all rule. OK, so we want to make sure that we pass what we define. Interface is going to be on the LAN, and if you had multiple local area network interfaces, the cool thing is that in this drop-down you would see those here. So you could say "hmm, I have a guest network that does not communicate with my other networks where the sensitive data is," and so therefore if you're on guest, which has no access to the sensitive information, then sure, we will open all the ports for you; you can do whatever you want, you can get on Steam, you can get on Xbox Live, you can get on Skype. We
don't really care about this guest network because it's its own little entity and it's not able to access anything that's important. So in this example we only have the one, so we'll choose LAN, IPv4. This rule we are going to do for port 443, and so we only want to allow TCP out on 443, so we'll leave it TCP. You can do TCP, you can do UDP, you can do both, you can do TCP/UDP, or you can do any; you can basically say any of these protocols, just allow them all. We don't really want to open it up that far. OK, so we'll do TCP. And then source: this is where you could specify that a certain host on the LAN has access on this port. You could have maybe some printers on the same network where you're saying, there's a lot of malware coming in and a lot of bugs in the software and the firmware on these printers that are connected to our network, and so we may not necessarily want all of these printers phoning home all the time or having an active internet connection. So what you could do is actually say "OK, 10.0.0.10, 11, 12, 13, 14 and 15, those are all printers and they're not going to get this rule." So we want to start defining the people that can access the internet. Let's say your boss says "I don't want anyone getting out on the internet, but I would like to get on the internet sometimes." Well, you find out his IP address and make sure it's statically assigned, and then you could come in here and say OK, so this single host, my boss's IP address, is 10.0.0.20. Or actually, let's pretend we're our own boss; we are 10.0.0.5. OK, so we are the special people. No one else can get out on 443 on the network but us; we're going to make a special rule just for us. OK, so a single host or alias, which is us, and if you'll remember, 10.0.0.5 is the IP address that we assigned to our MacBook. OK, so make sure that the source is 10.0.0.5 and that the destination is any. So basically what this does is say that we can go out to the
outside world and we can connect to any IP address that we want to. OK, or you could say we only want to allow ourselves to connect to the outside world on port 443 to a certain IP address, let's say it's a camera server or something like that that's using whatever port, and we want to make an exception and allow this person to get out to this certain IP address. Or you can just do any, and there's a lot of other options that you have there as well, but we'll do any because who knows, we may want to get to Facebook, we may want to get to Google, we may want to go to YouTube, whatever. So we'll just do any. And then the port range: this is where we actually define what port we're going to allow, what port is going to pass on this rule. And there are some that are already prefilled here: HTTPS, 443; click on that and you're good to go, you don't need to do anything else in the destination port range. OK, so you can specify the port, or if you say any, that means that 10.0.0.5, our computer, will be able to go out to the outside world on any port. We can FTP, we can SFTP, we can SSH, we can use 80 for HTTP, we can use 443 for HTTPS, we can use SMTP, POP, we can do it all. OK, and if we're the boss and we're kind of wanting to do whatever we want anyway, it might be a good idea to just do one rule that allows all, because for crying out loud, we're the IT guy, we know what to click on and what not to click on. So anyway, you can do any, or you can come in here and start specifying each individual port, or you can do a custom port here: if you leave it on other, you could say "oh, I know that port 5050 through 5060 is a range of ports that a certain service uses," and so we'll allow those to go out. I think I'm going to do HTTPS for this example. And then in the description, you always want to make a note of what this rule does, and it's very important. This is an important step that I think a lot of people, for whatever reason,
just overlook. They're in a rush, or they're thinking "I'll remember what this is for, I don't need to type a description here, I'll just know that it's 443 HTTPS and that 10.0.0.5 is my IP address, I'll just remember that." Well, maybe you will, maybe you won't. Not only that, but what happens if something happens to you? You either get fired or you quit or you win the lottery and you don't come back to work. The next guy coming in, it would be so beneficial for him or her to see that, oh, 10.0.0.5, it says right here that this is the IT tech one, or IT tech admin, allow PC to 443 TCP. OK, there you go; it took five seconds to type that description in and now it'll be tagged and you'll know exactly what that is in the future.

OK, we will skip the Advanced Options for now, but I will just say that in the Advanced Options there are things you can do; you can say go out on a specific gateway. There's a lot of cool things that you can do in that Advanced section. That's where you set up, if you have like a multi-WAN environment, you could say this PC always goes out on this gateway or it always goes out on this gateway. A lot of cool things; we can cover that some other time. So we'll go ahead and hit save, and when we do we'll see that right here it's been added.

And so what this means, and by the way, the order of these rules does matter. It starts at the top and works its way down, and whichever matches first wins. OK, so just remember that if you had a block all rule in your mix here, if your block all rule was above this new rule, then everything below it wouldn't take effect; it would hit the block all rule and then that would be it, it wouldn't go on to the next one, it would say "oh, I've been blocked." OK, and I actually will try to give an example of that. Oh, I just want to put that back there. Save. OK, so the block all rule and the ordering, I'll go over that in
just a second. I want to show you first how adding this one rule... remember when we disabled this rule right here, and it was just this rule and this rule, our internet connection stopped working because we basically said no ports are allowed out. OK, but now that we've added this rule that 10.0.0.5 can get out on HTTPS, let me test that. It starts working on HTTPS? Oh, for this example, I don't want to go into explaining this right now: I had a custom DNS server installed. Long story short, I was trying to access Google's DNS servers, and DNS is on port 53, and as you can see here we don't have DNS allowed to the outside world, so DNS wasn't going to work. So I changed the DNS server back to the gateway here. OK, so now DNS should work. Speedtest.net, hopefully. Maybe. Am I 10.0.0.5? Right. We'll go to YouTube. OK, then of course who knows if the internet is actually working. All right, so to make sure that our rule didn't do anything here, we'll disable it, apply, and then we'll come back here and enable the allow all and hit apply, and if this works... which it doesn't. So it looks like the internet has gone to crap again. OK, so this really has nothing to do with the firewall rules; the internet is not working. There we go. OK, so disable, apply, enable this. Yeah, something's going on, and then sometimes after you make a change you have to go in here and do... I'm drawing a blank here. OK, so anyway, as you can see, opening HTTPS here has allowed me to connect to HTTPS youtube.com. But what that does mean is that if I just go to google.com without typing in HTTPS, if I go to google.com in my browser and try to connect via port 80, it's not going to work, it's not going to go anywhere. OK, so that's why, at the bare minimum, most networks have at least 443 and 80 open. That allows you to browse to pretty much anywhere. And then another group of ports not to forget is your email ports, for all the mail clients that will be connecting,
whether it's Outlook or Thunderbird or iPhone and Android mail clients that are connecting on IMAP, SMTP, POP3, whatever. You want to make sure that if people on your network are going to need access to email services like that, where they're using sort of the old school email platform where they have a thick client on their device that's actually downloading email or synchronizing email, if they're not just utilizing the web interface, then you'll have to open up those email ports. If everyone uses Google Apps for Business or Google Apps for Education, or Gmail as their personal whatever, or really any web-based email service, it's going to run through 443, HTTPS. So if you want to allow web-based email it's as easy as coming in here and saying yeah, 443, go for it, have at it. But just this one port is not going to open access for non web-based email communication.

So we'll close that. And so a very typical thing would be to actually not have this based on a single IP address; it would just be that any computer on the LAN interface can get out to any server outside on a certain port, HTTPS. OK, so we would change this to say allow all to 443 on TCP. Save. And then another thing would be to allow HTTP. OK, so we would come here; this little button right here is basically to duplicate or copy this rule. So if we're saying we want a rule really similar to this, and we're just going to change one or two things about it, instead of coming here and adding a whole new rule and starting from scratch and having to set all the fields, we can basically just say create a copy of this and let me just change one thing about this: we're going to allow all on 80 on TCP. Save. OK, and so you can see it dropped it right below the rule that we copied, and if that's not where you need it to be then you can just drag it wherever you actually need it to be in the order of the rules here. So we'll just hit apply, and basically what we've
done is we've allowed all computers, all clients on our LAN, so that means anyone that connects to this LAN, whether it's on their workstation or whatever, they can all go out to anywhere in the cloud on port 443, HTTPS, and port 80, HTTP. And like I said, if you allow those two ports, pretty much 90, 98 percent of all the traffic that needs to get out is going to get out through those ports, and like I said, the other 2% is going to be random one-off things like Skype and email, and Connect and EDExpress if you're in the higher ed world, software updates for miscellaneous pieces of accounting software, whatever. And so as you run into those problems of certain things not being able to connect, then you can come in here to your firewall and you can add new rules that allow these pieces of software to connect, if you need to, if this is a legitimate piece of software that needs to access the outside world. Ideally you get a list of all the software that your clients need or that the employees need, and you figure out what services and what features of said software they're actually using, and then you find out the ports and the port ranges of that software, and you make a list, and then you build your firewall rules before you deploy this in production. That way there's really not a lot of downtime of saying "oh well, we didn't know that you needed port 444, but you do, so we have to go add that." But there are situations you're going to run into where a lot of people just don't know; they don't really know what ports they're using, and there are going to be those situations where you make the change and you think you have everything programmed into the firewall rules list, and there's going to be some things that are missing, and it won't be long until those things that are not working surface. You'll see people saying "hey, this widget over here that connects to a server that no one ever
looks at and hasn't looked at in five years, it needs to get online too, and it's using port 53811." OK, so if that's legit, then you would go add 53811 on whatever protocol it needs to be on, and then you would allow that rule for that IP address of that device. So that's basically how you come in here and add rules.

If you add, let's see, block... OK, so before we add a block rule, let's just test this out. Look, speedtest.net, which hopefully the internet is working. I'm actually going to go ahead and do... I think something's going on with DNS server access even though I've changed to the firewall. So I'm going to show you how DNS... I'll tell you what, let's do a test here. Let's do ping google.com. Yeah, I can't resolve google.com. It would have done that if it was going to be able to find out what it was, then it would have done that. So what we do is let's copy this one: pass, LAN, IPv4, TCP/UDP, from any source to any destination, and we want to do DNS. So allow all to DNS. Save, apply. And now if I go back here and change my DNS servers to Google's servers then I should be fine, I should be able to connect. So we'll do... oh man, that's the sign that it's getting too late. Hey, it's that 4.4. All right, hit OK, hit apply, I'll close this, and now as you can see we can resolve. Now, it couldn't actually connect and ping google.com, and the reason for that is we're only allowing all of our clients out on 443 and 80 and 53. Well, what is a ping? A ping does not fall into HTTPS, HTTP or DNS. All right, so it can't get out to the outside world, but the good sign is that when we tried to ping google.com it was able to resolve google.com to 74.125.21.102. So what does that tell us? That tells us that DNS is now working the way that it should. So if I come here, speedtest.net, there we go, and we can hit OK and we can see our sluggishly slow, sluggishly slow 12 meg internet. All right, so we know
that's working, so we'll close that. Now let's take a look. We've done some pass rules to allow people to the outside world; all of the LAN computers can get to the outside world. So let's get a little crazy here, and instead of adding more pass rules let's add a block rule, and we'll put it in the right order, and then you will be able to better understand how pass, block and the order that these are done in can make you capable of really customizing your firewall rules to do lots and lots of cool, crazy things, like for example allow everyone out on HTTP, HTTPS, DNS except a few printers. OK, so let's say we want to block a printer from getting out to the outside world, or let's even be more mean. Let's say that Joe really is not productive if he can get out to the outside world and browse the internet, and let's say he's a Facebook junkie, he's always on eBay, he's always on Craigslist, and his productivity has gone down the tubes since he got a web browser and can do whatever he wants. So let's say we have permission from his manager, actually not permission, but let's say his manager came to us and said "you know what, I really need you to block access for Joe, he's just completely worthless if he can get on the internet." Then that's not a problem for us. All we have to do is come into pfSense and create a block rule, and we'll say block on the LAN interface, on the IPv4 address family, protocol any, so he's not getting anywhere, he's not doing anything, he's not going to ping anything, he's not going to use TCP, he's not going to use UDP, he's not going to do anything to the outside world. Source, we'll say, is a single host, because remember, if we don't do a single host, if we left this on any, then that means all traffic coming from the LAN interface would be blocked, and they would be blocked to anywhere, because we're making this any protocol and any destination. So let's say we want Joe's IP address, and I'm going to use 10.0.0.5 in this
example so that I can show you how it works so I can easily show you we're gonna pretend that our machine is this Joe's machine so we'll say single host er alias and this is Joe's IP address and the destination we're gonna say any which basically means anywhere he wants to go anything he types in anything he tries to do is gonna be blocked let's see and then description we will say block all internet access for Joe's PC Save why now what this basically means since we have this anti lockout rule in place is that the first rule is going to match Joe's PC so Joe's PC will still be able to do exactly what we're doing right now connect to the web GUI of the firewall and if he has credentials and he can sign in and he can do whatever because this would match and remember we said the first match wins it doesn't just keep going further and further and further it just basically says oh yep Joe's computer is any protocol any source any port he is going to the land address of 1002 o dot 1 he's trying to connect on port 443 therefore he's good to go he can get on yes allow that action and it would okay so let's say that we're okay with that we don't care if Joe tries to connect to the Gateway or tries to connect to the web GUI he doesn't have credentials anyway okay he doesn't know the password to get into the firewall so we're fine with that let's drop to the next rule Joe's PC is 1005 and therefore anything on ipv4 that comes from Joe's computer any port any destination any destination port on any gateway he's denied he's blocked not gonna go out to the outside world okay so that one would match if he was trying to go to anything other than the land address okay so as we said remember the land address is this 1002 Oh dot 1 which is the firewall which houses the the web configurator pages and everything so he could get to that but if it's anywhere other than this LAN IP address if he tries to go to Facebook if he tries to go to YouTube he tries to go to gmail.com it's not 
going to connect okay so let's try it out let's pretend our MacBook Pro is this Joe's computer on 10 0.5 and we'll just double check to make sure here we are yes so now that this has been saved and we are on Joe's computer 10.5 if I track it's a no-go not going to work if I try to go go not going to work okay now let's say that this block Joe's PC rule was in the wrong order let's say we added it and add it to the bottom because I clicked this button instead of this button so that when I added a rule it added it to the bottom of the list and we will save that order and so now you can see that we've got the anti lockout rule which is always there so Joe can get to the land address and we skip down and then it's like oh oh he can also get anywhere on HTTP HTTP and DNS because 1000 dot 5 is any source and any port on ipv4 and the TCP protocol okay so if we go then now all the sudden Joe's computer can get out to the outside world he can go anywhere he can do anything we didn't really fix the problem even though we created the block rule for Joe's computer we have the positioning in the hierarchy we have it in the wrong place okay so what you can actually do I think no see I was gonna say if we can if we can drag this above the ante lockout rule then that would also block Joel from getting into the PF since web configurator but unfortunately the the default anti lockout rule it has to be the first one in there and they're doing that to make sure that you don't lock yourself out because you know if I create this block all rule and I didn't have an IP address here but I just had the asterisk where it's blocking everything and I dragged it up above this thing and it's saved and I've locked myself out so how you get around this anti lockout rule if you do want to start getting more granular and you want to block people from accessing it is you basically go in here and you disable it you delete it and you start creating your own rules and you have to basically say you know 
to the web configurator yes I know what I'm doing yes I'm aware that I'm disabling the anti lockout rule and deleting it and therefore I'm going to be extra cautious and extra careful to make sure that I don't do something stupid and put the rules in the wrong order to you know to block myself from getting into the firewall so anyway that's how if you really you know if you are really worried about Joe let's say he's a little bit of a he thinks he's a computer expert or a network expert and you think you know he might he might try to do something like get into the firewall or I think he may know you know the password or he may try to get into it or you know whatever you you could just block Joe's computer from getting to the pfsense firewall at all you can block the web configurator access for him and you know in a production environment I really do recommend that that is the case that that none of your workstations or your clients can access the web configurator of pfSense you know you don't want anyone being able just to type in the gateway which is easy to find all they have to do is look at the DHCP information on their computer and they will see what the default gateway is and so if you have pfsense running on the standard port 443 and they know what the IP address is then anyone can go to the you know anyone can pull up a web browser type in an IP address and be prompted with you know the the portal and really at that point they're just a username and password away from you know totally effing up everything so you definitely and obviously you know no one should have the password but you know things happen and sometimes other people let something slip or politics start you know playing a role and next thing you know Joe has access to the firewall and he's doing things that you don't want him to be doing okay so I know you're probably thinking politics in in the real world that exists which obviously insert as much sarcasm there as you want but yes absolutely 
especially guest networks student networks public networks you really don't want to be allowing web GUI access to your firewall so figure out the best approach to you know limit that and block as much as that as as you can but I think you can see that you know if we come back here and say this and apply and you can see that you know remember when we had this at the bottom you know it was in the wrong order we put the rule in thought we were blocking Joe's PC from getting out to the outside world but we had it in the wrong order so he could anyway but that's basically how the ordering of everything works and so you can see that you know if you had a few printers on this land that you didn't want to be able to get out to the outside world you would come in here just add more rules for those IP addresses and let's say you know you saw I clicked the copy button because I'm just really only changing a couple things here I want everything else to be the same so let's say we have a printer on 10000 dot six and we also pay printer LaserJet know whatever 5500 so hit save apply and so now what we've done is we blocked that printer from being able to get out to the outside world it's just it's not gonna be able to do anything it's not going to be much of a security risk for your network it's not gonna be phoning home it's not going to be possibly compromised and doing all sorts of nasty things on your network of course don't get me wrong there's always ways to compromise things from from other from other ways but this would take one of the most one of the easiest approaches this would take it out of out of commission so but don't forget just because we've blocked network access to the outside world for this printer doesn't mean the printers gonna stop working okay this printer is still accessible within the land so just because Joe and the printer cannot get out to the outside world doesn't mean that Joe can't print that printer he would be able to eat be able to establish a 
direct connection to the printer and print just fine so you know you would do this for all the individual hosts that you don't want to access the internet or you could do specific ports you can see how you can customize this and just keep going and going and going and you can really have a long firewall list here with a lot of customization allow rules block rules and then you can have lots and lots and lists for lots and lots of different interfaces as well like I said we only have two right here we've got win and land well you could have a couple different lands for failover and for load balancing and you could have multiple land connections or LAN interfaces where you have wired and wireless and guests and you know printer lands and void plans and you would want to customize each list for each interface as as necessary so that is you know pretty much the basic you know install of of pfSense and some basic you know playing around with some of the firewall rules in the land section and you know you can do the same thing for when as well if you want to allow if you're trying to pork forward a certain port let's say you had a web server sitting behind pfSense and you had it on your land or a different local area network interface maybe like a DMZ or something like that if you were going to port forward let's say port 443 to your own web server sitting on the other side of PSN's then you could go into the landside and allow ports from when access to ports on the land and actually a lot of that stuff is created automatically if you go into firewall and go to NAT if you do a one-to-one if you do a one-to-one NAT and this is starting to get outside the scope of what I want this to be anyway you can do one-to-one nodding or you can do just a typical port forward and say you know coming in from the wind interface I don't want anything that's TCP coming in on you know HTTP to go to you know 10.5 let's say we wanted the Joe's computer to be a web server which sounds like a 
terrible idea you could actually forward that traffic to anything you wanted to okay so if I were to create a rule here and get all this set up then when I go to firewall rules and take a look at the when page right here there would be a rule automatically generated for me that basically says allow port 443 from the outside world to go to Joe's PC on port 443 okay so that would be automatically generated for me or you can come in here and you can manually add things if you want okay so I think that's pretty much it that that I want to do for this video we covered you know the install the setup the initial setup and how to do some pretty you know common things I think one of the most common things that people have a problem with is the initial land set up of getting computers to connect to the outside world but starting to lock on some of those ports it's kind of a complicated thing if you've never done it before it's a really complicated thing if you don't have a lot of networking knowledge to begin with it sort of makes a somewhat complicated process even that much more difficult when you're not really sure what what you're doing okay so yeah that's going to be it for this video and hopefully you know I feel like I covered you know 1% of the features of pfSense and there's still another 99 percent left so have fun
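The first-match-wins ordering the video walks through (anti-lockout rule first, then a single-host block rule for Joe's PC and the printer, then the LAN pass rules for HTTP, HTTPS and DNS) as an added, self-contained simulation. This is not pfSense code and not from the video; it is a constructed model that assumes the addresses used in the video (LAN address 10.0.0.1, Joe's PC 10.0.0.5, printer 10.0.0.6, google.com resolving to 74.125.21.102), approximates the anti-lockout rule as a pass to the LAN address on ports 80 and 443, and ignores pfSense details such as state tracking, rule direction, gateways and aliases. It also adds a small audit, `shadowed_block_rules`, that flags the wrong-order mistake the video demonstrates: a single-host block rule placed below a pass rule that already matches traffic from that host.

```python
"""Constructed first-match-wins rule evaluation (not pfSense code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
LAN_NET = "10.0.0.0/24"      # assumed LAN subnet ("LAN net")
LAN_ADDRESS = "10.0.0.1"     # firewall's LAN address (from the video)
JOES_PC = "10.0.0.5"         # Joe's PC (from the video)
PRINTER = "10.0.0.6"         # printer (from the video)
GOOGLE = "74.125.21.102"     # what google.com resolved to in the video


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: object      # frozenset of protocol names, or ANY
    src: str           # single host, CIDR, or ANY
    dst: str           # single host, CIDR, or ANY
    dports: object     # frozenset of destination ports, or ANY
    description: str

    def matches(self, proto, src, dst, dport):
        return ((self.proto == ANY or proto in self.proto)
                and _addr_matches(self.src, src)
                and _addr_matches(self.dst, dst)
                and (self.dports == ANY or dport in self.dports))


def _addr_matches(pattern, addr):
    if pattern == ANY:
        return True
    # a bare host string becomes a /32 network
    return ip_address(addr) in ip_network(pattern, strict=False)


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, description) of the FIRST matching rule.
    Nothing matching means the interface's implicit default deny."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.description
    return "block", "default deny (no rule matched)"


def shadowed_block_rules(rules):
    """Flag single-host block rules that an earlier pass-to-anywhere rule
    already matches for that host: the wrong-order mistake from the video.
    Returns [(block description, shadowing pass description), ...]."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "block" or rule.src == ANY or "/" in rule.src:
            continue
        for earlier in rules[:i]:
            if earlier.action != "pass" or earlier.dst != ANY:
                continue  # anti-lockout-style rules to the firewall are accepted
            proto = "tcp" if earlier.proto == ANY else next(iter(earlier.proto))
            port = 443 if earlier.dports == ANY else next(iter(earlier.dports))
            if earlier.matches(proto, rule.src, GOOGLE, port):
                findings.append((rule.description, earlier.description))
                break
    return findings


# Constructed rule table mirroring the video's LAN tab
ANTI_LOCKOUT = Rule("pass", ANY, ANY, LAN_ADDRESS, frozenset({80, 443}), "Anti-Lockout Rule")
PASS_WEB = Rule("pass", frozenset({"tcp"}), LAN_NET, ANY, frozenset({80, 443}), "Allow LAN to HTTP/HTTPS")
PASS_DNS = Rule("pass", frozenset({"tcp", "udp"}), LAN_NET, ANY, frozenset({53}), "Allow LAN to DNS")
BLOCK_JOE = Rule("block", ANY, JOES_PC, ANY, ANY, "Block all internet access for Joe's PC")
BLOCK_PRINTER = Rule("block", ANY, PRINTER, ANY, ANY, "Block printer LaserJet 5500")

RIGHT_ORDER = [ANTI_LOCKOUT, BLOCK_JOE, BLOCK_PRINTER, PASS_WEB, PASS_DNS]
WRONG_ORDER = [ANTI_LOCKOUT, PASS_WEB, PASS_DNS, BLOCK_JOE, BLOCK_PRINTER]

if __name__ == "__main__":
    for name, rules in (("right order", RIGHT_ORDER), ("wrong order", WRONG_ORDER)):
        print(name, "Joe -> google:443 :", evaluate(rules, "tcp", JOES_PC, GOOGLE, 443))
        print(name, "Joe -> firewall GUI:", evaluate(rules, "tcp", JOES_PC, LAN_ADDRESS, 443))
        print(name, "shadowed blocks  :", shadowed_block_rules(rules))
    # ping from an unblocked host: no pass rule covers ICMP, so default deny
    print("ping from 10.0.0.7:", evaluate(RIGHT_ORDER, "icmp", "10.0.0.7", GOOGLE))
```

Running it shows Joe's HTTPS traffic hitting the block rule in the right order and the "Allow LAN to HTTP/HTTPS" rule in the wrong order, while his connection to the firewall GUI passes on the anti-lockout rule in both cases, exactly as the video describes. The audit is the check worth keeping: run it over the rule list after every edit so a block rule that silently became unreachable is caught before it is relied on.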
Info
Channel: Rocket City Tech
Views: 23,329
Keywords: pfsense, firewall, rules, LAN, netgate, VirtualBox, gateway, router, bridged, wifi, WAN, DNS, HTTP, HTTPS, ports, tcp, udp, networking, ISP, internet
Id: F0LRwuCx4v4
Length: 126min 36sec (7596 seconds)
Published: Thu Jul 06 2017