Set up a Full Network using OPNsense (Part 2: OPNsense)

Captions
Welcome to my second video on how to create a home network using OPNsense. In my first video I showed all the hardware that I plan to be using to create this example network, and in this video I plan to set up OPNsense on my VP2410 mini PC appliance here. If you wish to follow along you need to have similar hardware: you're going to need a USB thumb drive, and you're going to need to be able to connect your box either to a monitor and keyboard or to the console port, connected to another computer using a USB cable. Either way it will work, but I will talk about both methods as I go along with the installation of OPNsense. Once we have OPNsense installed we will configure the rest of it using the web interface. So let's begin.

The first thing we need to do is to download OPNsense. If you go to opnsense.org/download you'll see this page. On the page you have before us, the only architecture option is 64-bit (amd64), so OPNsense will only run on 64-bit software. It's just like pfSense; both projects have abandoned 32-bit compatibility in favor of 64-bit, since most modern-day hardware now runs 64-bit. Even devices such as a Raspberry Pi have gone 64-bit.

For the image type there are several images; you'll see nano, dvd, vga and serial. The DVD image is useful if you're using a mini PC or a micro PC or a desktop PC as your router/firewall appliance. Even though some of those options are a little bit less efficient, you could use existing hardware, and if you have a DVD drive in it you might want to use the DVD option; it's basically an ISO image. For most users, I'm probably going to use the VGA option. If you're going to use a thumb drive, like we're going to be doing in this example, and you have a monitor and keyboard plugged into your device to install OPNsense, you're going to want the VGA option. If you're using the serial console, whether it's USB or another type of console, you'll want the serial image, so that it'll actually load your display properly. So those are your main options. We'll pick VGA, and then you can pick the mirror where you want to download it from. Depending on what country you live in you might want to pick one that's closer to you instead of the default option, which might be in the Netherlands, where OPNsense the company is based. Basically you're going to click download, and if you really want to verify the checksums you can do that; here's the hash right here for it. But I'm not going to bore you with the download; I already have it downloaded.

So I'm going to switch over to Etcher. I like to use Etcher for my USB flashing because it's just a nice utility; it's really easy to use, just three steps. You basically pick "Flash from file". You won't be able to see this box come up, but I'm going to pick, once I find it, my OPNsense image that I already have pre-downloaded ahead of time. So let me do that real quick. I'll get distracted here. And I picked the VGA option, right? You'll see there's the image there. Then I'm going to select the target. I already have Ubuntu installed on this disk; I'm just using this as an example flash drive. All the flash drives that you have plugged in will show up here in Etcher. You just select the one you need and then you click the flash button. I'm not going to actually do it because I already have that step done ahead of time. But once you do that it'll go through and write to the disk, and then it'll verify that everything looks good. So once you have that done, you just plug the USB flash drive and your monitor and keyboard into your device, or the serial console, to continue. I'm not going to show the serial console step; there's an extra step involved in that. You have to have software that you can do serial consoles with. You can do it with PuTTY or Termius, and applications such as those will work just fine.

Before we get to the OPNsense installation portion of this video, one thing I'd like to mention that I discovered when I was going through this installation process (and I actually re-recorded this section to make this more clear): this installation that I'm going to be doing is not going to quite follow the written guide that I have for setting up a full network using OPNsense, because I assumed a normal AMI standard BIOS. I actually did it in a virtual machine to make it easier for me to get screenshots, but that process I wrote about is what you would normally encounter and expect for OPNsense. I noticed when I use the coreboot BIOS with the VP2410 (and if you have any other models with coreboot you might experience this as well) that the boot process is a little bit different, so that actually affects the OPNsense installer. You'll notice in the screens following this that when you get to the boot screen of the OPNsense installer, it normally has an ASCII graphic text that says OPNsense and some other information on there, like pressing a key for the configuration import and that kind of thing, but it just looks like question-mark gibberish, and then it skips that portion, and you don't get to do any kind of pre-configuration of OPNsense before you get to the prompt to start installing. That process I walk through on my website, and if you want more details on that you could go through there, but I'm going to do it this way because that's what I have installed on my machine, coreboot. So without further ado, let's get started with the OPNsense installation. You'll see what I'm talking about as we get into this.

Okay, now I'm booting up my OPNsense box and I'm going to hit the Delete key to enter the setup process. You could hit the F11 key to get the boot menu to pop up, but I'm using a screen capture, an IP KVM (KVM over IP, whatever you want to call it) with TinyPilot, so I don't want to hit F11 because it'll take me out of my browser and minimize what I'm trying to do here. I'm just going to go through and show you: this is what the coreboot menu looks like for the Protectli VP2410. There is an option here for a one-time boot, which would be the same thing as hitting F11, and you'll notice that I have a Protectli USB drive in here, and it's abbreviated as "Protect" for short. So we're going to hit Enter on that, and here's the question-mark menu that I was telling you about. It's supposed to say OPNsense and all kinds of stuff in ASCII text graphics, I should say. But now we're going to boot this up, and normally it would walk you through the configuration process like I mentioned earlier, but it's actually skipping all that and it's going to take you straight to a login prompt, and that's where we can do our normal OPNsense installation.

So we're going to do that installation first, and then I'm going to reconfigure some of the default interfaces, because it's going to put them in the opposite order that we want them to be in. It doesn't really hurt anything, but I like having the WAN interface as the first interface, and I like having interfaces two through four be the LAN interfaces. It's just easier to keep track of, instead of having the WAN interface plugged into one of the random ports in the middle. It's just a matter of preference, but I'm going to do that because it'll match the written guide, and it'll also match what I showed in my first video of this series of how to have everything connected together. As you can hear in the microphone, the Protectli box actually makes a little musical tune, which is kind of cool. It lets you know when you're booted up. That's pretty handy when it's in my server closet over here: when I reboot it makes a little tune, and then when it boots back up it makes a tune, so I know just by listening that it's booted up and I can log in. I don't have to guess and keep trying the web interface to see if it's going to come back up, because I can hear it when it comes back on. That's a feature you can actually enable or disable in OPNsense; you can turn off the beep tones. Not all of these little mini firewall PC appliances actually have a little speaker in them like the Protectli does to make those little beeps and sounds, so that's one kind of neat little feature that's nice to have, I think, if you like it. If not you can turn it off.

Okay, so now we're at the login prompt. We're going to type "installer" as the username. I have to make sure I'm actually clicked on the screen, since I am using a screen capture program. Okay: installer, and then "opnsense" is the password; that's the default username and password. By default it's going to use the US keyboard mapping, so you can hit Enter if you're using that. You're going to have the option for UFS or ZFS file systems. In general it probably doesn't really matter which one you choose, but ZFS has some more robust features. Even if you're only using a single drive you can still take advantage of snapshotting the file system. Some people like to actually take a snapshot of their file system before they do an update, so then if an update goes sideways, goes wrong or whatever, they can actually just revert the entire file system back to that snapshot and get back to where you were before the update. This is probably a very good option for you if you're not using virtualization and virtual machines and you are doing a bare-metal installation. Normally I would recommend just backing up a config file, but that doesn't capture everything, and a snapshot restore is way quicker as well. But it wouldn't hurt to have both: you can have your configuration file as a backup and you can actually just revert back to ZFS snapshots.

So I installed it as a ZFS file system. Since I just installed this in a previous run of this video, I didn't have it cleared off; I'm just going to roll with it, but it's going to say zroot is already taken because I already have a ZFS file system installed on my box. So I'm just going to replace it, because this was just one I did in a previous video that I am not going to keep, because I had technical difficulties. You can do a stripe, a mirror, or any kind of RAID-Z or whatever structure. For most people, for a firewall appliance, you're either going to do a stripe or a mirror. A stripe is if you only have one drive; a mirror if you're going to do two drives. You can do more drives, three drives or whatever, but the Protectli VP2410 actually supports two drives, two SATA drives, so you could actually do a mirror in that box. So we're going to do stripe. The drive that's in there is an M.2; it's a Protectli-branded drive because I got it from Protectli. So the first drive here: to select it you just hit the space bar; it doesn't tell you that anywhere on the screens. You'll see down here the eight-gigabyte eMMC drive that comes with the Protectli. You can install on there as well, but I don't think eight gigabytes is enough, especially if you're going to do logging and stuff for the firewall. We're going to go Next, and we're going to say yes, let's destroy that. You're always going to get those kinds of warnings when you install an operating system in general. So you'll see that it's cloning the current system. The cloning process actually is pretty quick, as you'll see; it actually takes a little bit longer to verify the file system than it did to clone it and install it. I'm using a USB 3.0 thumb drive connected to one of the ports on the VP2410, which are USB 3.0 ports, so that allows the installer to be a little bit quicker than with a slower thumb drive. I haven't actually benchmarked the thumb drives; I probably should, and in my accessory review I could benchmark that to see how fast it actually is. It would be worth checking into. This process is quick enough that I don't really need to even skip it; I'll just talk a little bit through it and have this done. So this will be done very soon.

What's going to happen next is it's going to prompt for changing the root password before you reboot your OPNsense, because it's finished installing. So I recommend, if you can, to change your password right away. If you're not connecting anything, you could change it in the web interface later; you've just got to make sure you don't forget, because that's important security. I'm glad they prompt you for that before you finish the install, because that's nice. So we'll do that here. Let's hit Enter. I'm going to type in my root password, trying not to mess it up for the video. It just takes a few seconds and it'll come back to the same screen, and then we can say "Complete Install". So now it's actually going to reboot, and it says that the OPNsense web interface is going to be available at 192.168.1.1. That's actually the same default IP address range you'll see in a consumer-grade router, so if you are transitioning from a consumer-grade router to OPNsense this part should be very familiar to you, because it's the same IP range for your devices when you plug in. So I'm hoping, when we plug in, you'll have the same IP ranges.

I'm hoping it's actually going to boot into it and not off my USB drive. You can kind of tell, maybe, if it's booting a little bit faster than a USB drive; that's one general indication, but the easiest way to know is if you use the root username and the new password you just put in: if it logs you in successfully then you know you're not booting off the USB drive. I didn't want to bother taking it off; it's behind me, but I don't really need to take it out because I didn't make my USB drive my primary boot disk. That's why I kind of like doing the one-time boots, because I don't do it very often, so you don't have to worry about it always booting into it every time. After it gets past this pflog, there's the beep tones. Okay, now we're at the login, so let's do the root user, and we're going to use the new password that we typed in, and see, it logged me in. So now I know that I'm not booting off the USB drive, which is really cool; that's what we want.

One thing we're going to do before we log into the web interface is change the assignments of the LAN and WAN interfaces, because by default, as you can see, igb0 is actually interface one and igb1 is interface two, how it's labeled on the box (it's labeled one through four). igb0, we want that to be the WAN. I always like making the first interface the WAN interface, and I like to make interfaces two through four my LAN interfaces. So I'm going to swap these two interfaces, and I'll show you how to do that before we log into the web browser, and then we'll do the rest of the configuration through the web browser. As you can see with the menu options, we want to go to menu option 1 to assign interfaces. Normally, if we were to walk through the configuration like how my written guide was done, not using coreboot, these interfaces would already be in the correct order and then we would just go right to the browser. So it says, do you want to configure LAGGs now? No, we'll do that stuff in the web interface. And no VLANs. Okay, so now it says enter the WAN interface name. We have four interfaces, zero through three. The Protectli boxes are pretty straightforward because zero is one, one is two, two is three and three is four. We're just going to go with igb0 for the WAN. Okay, and then for the LAN we're going to do igb1. And then, optionally, we can set up optional interfaces for the third and fourth ports, which are igb2 and igb3. We could do that here, but I'm going to do all this stuff in the web interface, because since we're doing a LAGG I don't want to do all that configuration at the command line. You can do that; I just want to show how to do all this stuff on the web interface, because that's how most users are going to be configuring things. So for the optional interfaces we're just going to do nothing; I'm going to hit Enter, and that way we're just reconfiguring WAN and LAN. Notice at the top of the screen LAN was igb0 and WAN was igb1, but now at the bottom here WAN is igb0 and LAN is igb1, so that's what we want; we just basically swapped them. And luckily, just by swapping the interfaces, any of the configuration that was with the interface by default before, like the LAN, it actually still has, which is nice, because we don't have to change IP addresses. For now I'm going to leave them the same for the LAN; I'm just going to use the defaults for that. So that's great. So now we've got those interfaces swapped, and at this point we're ready to plug in to the LAN interface.

So I want to show you the physical connections that I want to be using to actually configure the remaining portion of this OPNsense guide. I'm using the GoWin R86S box that I have here as an Ubuntu desktop. This could be your laptop or PC or whatever device; it's just convenient for me to use these little devices. This is my VP2410. The first port is the WAN interface, the second one is the LAN, and the other two are going to be our LAGG that we're going to create that has only the VLAN traffic. So we're just going to plug this into port two, and once you connect this here, we're going to do all the configuration on OPNsense first, and then eventually, in the next video, we'll do the network switch.

So now we're over on our little mini PC here that we're using to configure OPNsense. The first thing I might want to do: you can't judge by this icon whether you're connected or not, because you're not connected to the internet, so it's probably going to have a question mark there, but if you do "ip a" in Linux you can actually see that we have a valid IP address, 192.168.1.100, so that's a good indicator that we're connected to the LAN network. Now we can type these IP addresses in here. I've logged into different configurations with different ports and stuff, so basically type in 192.168.1.1 and it should redirect you to HTTPS. So we'll be configuring our OPNsense firewall box; accept the risk and continue. I have this saved from where I've been playing around with other ones. So basically you want to type root as your user, and you just enter the password that we entered during the installer. I'll just say don't update. So when you first log in to OPNsense, I don't want to take you through this wizard that you can walk through in several steps. You don't have to do the wizard. What I like to do is skip the wizard and show you where the actual settings are, because if you want to change this stuff in the future you won't know where they're located based on the wizard. You can always rerun the wizard if you want, but I think it's better to learn where the settings are located than rely on the wizard. Maybe if you're a first-time user you can walk through it; it has a good basic set of general system settings you might want to tweak right out of the gate. A lot of the settings for the wizard are located in the settings pages.

So we're going to look at settings: System > Settings > General. This is going to be the hostname for your OPNsense box itself. You can give it a hostname and a domain name for your network. For the hostname I like just calling this what it is, right? A router, or whatever; it's also a firewall too, but we'll just call it "router". And I'm not going to follow this with a ".local" domain; you don't want to call it "local" by itself. You don't want to do this because that domain name is used a lot for local discovery and stuff like that, so it'll conflict with all that. So I'm going to do homenetworkguy.com, a little plug there for my website. You can use whatever domain name you want. You can use real domain names; I own my own domain name that I use for my network, and that is also a real domain name. I like doing that because you can have internal and external hostnames, so you can just resolve between them seamlessly, and you can do split DNS and those sorts of things, which I wrote about on my website. So I like using real domain names. You don't have to; you just have to make sure you don't pick one that already exists, because you'll get conflicts with DNS, right? If you pick amazon.com, you don't want to do that; you won't be able to go to Amazon, probably, if you do that.

And then just pick your time zone. You can change the time zone; I'm just going to leave it for this purpose. You can change it to whatever you want. There are some different themes you can pick if you install them; right out of the box there's no themes installed, but they do have dark themes, and a lot of people like dark themes. This might be confusing for some people, having a DNS server here. This is what the system will use, because there's several places you can enter DNS information in OPNsense, and the DNS servers on this system settings page are what the OPNsense system itself will use as its DNS. By default it says allow DNS to be overridden by DHCP or point-to-point protocol on WAN, so by default, if you're connected to your ISP and your WAN connection is DHCP, it'll use whatever servers your ISP uses. That's something you may not want to do if you want to tweak your own DNS, but for now we can probably just leave that, because if you plug this into your network then it'll use the DNS of your network, whatever network you're attached to. So it'll use that as the gateway, which is fine for our purposes, but I'll come back around later and we'll tweak the DNS settings. For now we'll just leave that and we'll just hit Save.

Okay, and then we'll go to the administration page, Settings > Administration. You'll see it's set to HTTPS by default. It already has a self-signed certificate generated, which is fine; you'll get warning messages. There are ways you could probably create your own if you really don't want that. You can do HSTS, HTTP Strict Transport Security; you can enable that to get extra security, so people can't hijack HTTP sessions as easily. Disable web GUI, we don't really need to do that. Let's see, I'm trying to see if there's anything else you want to do. You can do some HTTP compression. This is one thing that I recommend changing if you want to have extra security: you can set the OPNsense web interface to only listen on the LAN. We don't have any other interfaces configured right now. It says "I know what I'm doing," so I'm going to click that, but we're going to only allow it to listen on the LAN interface, because that's going to be our management network. That means we can only configure OPNsense through the LAN interface. If you really want to, you can allow devices on any network to access your OPNsense interface; all you need is a firewall rule. But at least it's not listening by default for any device to connect to it within each network, each interface that we're going to create for each network. I like to change that setting for extra security.

If you want to allow SSH, which I recommend doing, SSH gives you another way of getting into your box if something gets messed up with the web interface and you need to restart something or whatever. You can permit root login if you want, but if you do that I recommend using a key. If you use a root login with a key it's a lot more secure than allowing a password; permitting password login is the least secure way of allowing access for root. If you're really paranoid you can create a separate admin account and not permit root at all, but one thing to keep in mind, which I wrote in one of my guides, is you don't get that nice menu of options to help you walk through some settings in OPNsense if you don't use the root user. If you use another admin account you don't get that nice menu, so that's one privilege of being the root user: you get those extra options. So let's uncheck "permit password" but leave that root login. We'll have to set up a key. Right now there's no key; you have to go into the user and add an SSH key, which I won't really go through right now, but we'll come back around to that, maybe circle back around afterwards when we get all the videos done, to do some of these extra features here.

The console drivers: VGA, that's how we set up OPNsense; we used the VGA console driver. You can actually set up a secondary one if you want to allow serial console connections, so you don't have to have a monitor and keyboard plugged in anymore. I unplugged mine; I'm planning to use SSH and the web browser. Those are the two main ways I access my box; I don't really connect the VGA once I get it set up anymore. And actually I like using the console to install OPNsense as well; the USB console is pretty nice. But anyway, this page doesn't have really much to change. There's a couple extra security things that we enabled; we enabled SSH because I think that's important. So once we do that, we'll save that. I'm trying to go through some of my notes here to make sure I include everything as I go through. It's just reloading; it shows us, even though we didn't really change any settings that would cause a problem, like we didn't change the port number or anything like that, so we're not going to lose access to this page. We didn't change it back to HTTP or anything like that. So nothing crazy there.

Miscellaneous: the Miscellaneous page in here is helpful if you want to do thermal sensors. You need to change this; this system has an Intel processor, so we want to choose the Intel one. If you don't pick this setting here for your thermal sensors, you'll get one sensor reading and it stays the same, and it's not really your CPU temperature. I'm not sure what it is, if it's any temperature or if it's just some value that it randomly gets frozen on. I'm not sure; it's actually not helpful at all, so you definitely have to pick the thermal sensor hardware. That's the most beneficial thing here. You can do some periodic backups of some of your reporting and stuff here.

Power savings: this option is actually interesting to use. You can use powerd and do "hiadaptive", which is the default setting. This allows you to get more performance, and since it's adaptive it'll actually kind of ramp up your CPU and then ramp it back down, so it tries to save some power. But you can actually set it to minimal if you want to use minimal power and you don't care about performance. For firewalls you probably want the max performance; these devices are pretty energy efficient anyway. I haven't tested that thoroughly, but it seems to me you can maybe crank out a little bit more performance by using powerd, because I feel like it allows the CPU to kind of ramp up and down a little bit more. Without it, I don't know if it actually does, because if you look here at this setting it says it monitors system state and various power controls, so I think it does some more automatic adjustments, instead of keeping it at the same level all the time, which I think is what happens if you don't have it enabled. So I played around with that, and I think it does actually help a little bit. If you want to do some stuff with swap files you can do some of that stuff here. I'm not going to go through all the options; I'm just trying to do some of the bare-minimum options to kind of get started. I went through a lot of these options in my guide and actually took notes on what I want to change for this video, because I don't have time to do a ton and a ton of settings. That's why I'm going to circle back around, and we can kind of tune up some stuff and make it a little more secure later. Okay, so those are just a couple options. I didn't really tweak all of them; there's just a few little things that are helpful to change there.

But now we can actually get right into some more of the meat of this, finally, right? You're probably like, why didn't you do this quicker? But I want to explain things in detail like I do in my written content, so that you can have a better understanding of this stuff. In the Interfaces menu you'll see we just have the LAN and WAN that we configured by default. What we need to do now is go to Other Types. Since we're going to create a LAGG, and we already got the WAN and LAN, we just need to configure the remaining two interfaces, and we're going to create a LAGG on them. You don't have to create a LAGG. If you have one-gigabit appliances, it's a good idea to probably do a LAGG, because I feel like it's well supported; I feel like it works well with Zenarmor and some other things like that, where sometimes those interfaces don't really work that well with maybe the LAGGs and stuff like that, with some of the IDS/IPS because of netmap, all those kinds of things. There's a lot of things at play there. Since the interfaces are slower, if you have one-gigabit interfaces like the VP2410 that we have back here, creating a LAGG can give you a little extra bandwidth. It only helps you if you have two devices running a full gigabit; it doesn't allow any device to get two gigabits for a single device, so you still only get one gigabit, that's the speed limit, but you can get two devices at one gigabit at the same time without bottlenecking each other. If you are transferring files between a couple of computers you could easily hit that, and so I feel like having a LAGG is helpful, because if you have one computer transferring files and you have some other network activity, it might not be saturating your network. I feel like it would help alleviate a little bit of those bottlenecks, and it'll allow you, if you're transferring one gigabit across the network, to still have a little extra overhead. Even if you're not maxing out both one-gigabit streams, I think it can still help a little bit to alleviate bottlenecks, so that way one device isn't hogging up all your network.

What we're going to do is go to LAGG. We're going to go to the LAGG page and we're going to create a new LAGG. If you're going to create bridges, LAGGs, VLANs and those sorts of interfaces, we've got to do those first before you can assign them, so just keep that in mind, because you're basically creating different logical networks on top of physical networks. For a LAGG you'll see that you'll be able to pick igb2 and igb3, because they're not currently assigned to anything, so you're allowed to create a LAGG with them. You can't create a LAGG with anything that's already assigned, because it's already been used. So we'll just pick these two networks, and then for the protocol we're going to pick LACP. There's different options if you just want a simple failover or load balance between them; those are simple protocols. LACP is supported by managed network switches pretty well. I like LACP because it'll automatically balance the load and stuff for you, which is nice. For the hash layers, you want to pick at least level 2 and 3 for your hash layers, because that allows you to mix or balance the traffic between your interfaces a lot better. You could do all four, because then that gives you even more; I mean all three options, level 2, 3 and 4. It'll use all those things to help balance the load out, and this is optimal if you do L2, 3 and 4. At first I didn't know if I could select L4 if my network switch only supports L2 and 3, but it doesn't really matter what the network switch side says as much, I've noticed, because I just did L2 or L3 one time, and even though on the switch I had L2 and 3 both enabled, because I only had one enabled on OPNsense, since I was playing around, it actually didn't balance very well at all, even if the switch says it should balance better. But when I put L2 and 3 on OPNsense it balanced way better, so traffic was being split up a lot more evenly. So that's all you've got to do. You can put a description in there if you want, which, let's go ahead and do that actually; I forgot to do that. We'll just call it "LAGG", isn't that original? This description I think is going to show up when we go to assign interfaces, so it's important to put a description in.

I'm going to assign the VLANs next, because I want to get all these interfaces assigned before we configure each interface. Once we have all this assigned we can just click through each interface and we'll just configure each of those interfaces. That's kind of how I did it in my guide, I think, kind of walking through each part of those, getting everything set up first before actually assigning them. So we can actually do this part. Okay, click on one. The device: you can leave this empty and it'll automatically generate a name, so you don't really need to put anything in there. Back a long time ago they didn't even have this option here, but now they've changed how the interface names are generated, so they actually give you a way to control that a little bit instead of just leaving it at the default. The parent interface is going to be the same for all the VLANs. Notice you can actually still select igb2 or igb3, but we're doing a LAGG now, so the VLANs are going to sit on top of the LAGG. That way all the traffic that goes across VLANs will go to that logical interface that's the LAGG, so we can distribute the traffic. We don't want to use igb2 or igb3 for the VLANs, because we actually want it to be on the LAGG. So for all these we're going to pick the LAGG, and we're going to pick VLAN tag 10, and we're going to call this one DMZ. There's VLAN priorities you can set; I'm just going to leave "Best Effort" for all these. If you have a Voice-over-IP network or something, you can pick voice, or if you're doing streaming video you can pick video, to make sure it gets more priority. I'm not sure how much it actually affects things; it's kind of quality of service, but I'm not sure how much it affects performance between networks. That would be interesting to actually test out to see what happens, but you'd really have to stress-test that to see how well that actually does performance-wise. So we're going to create our DMZ network of VLAN 10. I'm just going to go through these real quick because it's going to be the same thing. Okay, we're just going to repeat. Oops, we're on LAGG; it's not at the bottom anymore. So we're going to repeat all these, and this step is for creating all the VLANs with different VLAN tags. I like to make my VLAN tags kind of similar to the IP address, so I'll do 192.168.20 to match the VLAN tag; it makes it easier. You don't have to do it that way; that's usually what I prefer because it's easy for me to tell what the VLAN number is. So we're going to do 30.
I'm trying to make this match my guide I did online this will be the iot network I'm just creating a couple sample networks to show what you can do you don't have to create these you can create less of these you can create more of these actually do more of my own network than these might seem like Overkill but I actually like separating things by logical um function or about you know by functional domains as well like to call it or whatever so that even if there's only a couple devices in there it's I'm not doing it because I'm worried about too much broadcasts on one network and stuff like that necessarily I always like to have them separated because it allows me to group devices together and apply the same firewall rules to those group of devices so it's a nice way for me to to group and contain and and do firewall rules in every type of group that I want controlled a certain way and usually if I put all my IP cameras on one network and I put all my two iot devices on One Network and and there's patterns that kind of emerge that of how I want to allow access between the networks so thinking about where you wanted to put your devices and how you want to separate them uh really helps you formulate how you want to set up your vlans for your network so I think it's very important to be able to think about that how you're going to do that so here is a lag and we're gonna do uh 40 this will be our guest Network so the reason I have several networks that I'm creating um is mostly to show different examples of how you can use different networks and I try to create different firewall rules um for the different networks so that I can actually um show you like a little bit like okay what some of the reasoning is behind some of these networks that we're going and that is because I just did five vlans just to show you some examples here and this one's IP cam save okay I'm gonna apply this and now when we go to assignments we'll be able to see VLAN one through five right here 
So we're just going to assign these, and we're going to use the same description that we used for the VLAN as the interface name, because that way they're all the same, it keeps it consistent. It's automatically going to be selecting these, it looks like. Oh, I just realized I need to change something, that's why I hesitated: IoT. This is what happens when it gets late; I actually messed up something while I was demonstrating, but hey, we're doing this on the fly, right? We're doing IP cam. Oops, okay. All we're going to have is our WAN, our LAN for our management interface, and our five VLANs set up, and we can just click save. Now that we have this set up we can go through each interface and see what we need configured. I want to start with the WAN, but there shouldn't be anything you really need to configure here unless your ISP uses something different than DHCP, so by default we should be able to leave DHCP. Oh yeah, the only thing we do need to change, I forgot about IPv6: we need to change the prefix delegation size. This is highly dependent on what your ISP gives you; for residential ISPs it'll probably be 56 or 60.

I'm going to pick 60 because I know that works with Comcast Xfinity internet. Not sure if they give you 56 unless you're a business, I'm not sure. So this is your prefix delegation, and then you could say send IPv6 prefix hint. I think that's usually recommended, to try to say, hey, I want this; it kind of gives a stronger indication that I want this prefix size. So those are the only things you really need to change on the WAN: your prefix delegation. That's important if you want to have multiple networks with IPv6 on them. If you only have one network, a flat network, a real basic network, you can leave it at the default if you're doing that. But we're going to make a more advanced, sophisticated network, right? We're going to have IPv6 on all the networks. So we're going to apply those changes. Let's go to the LAN; that's what we're going to do next. This is our management interface, and you'll notice it already has static IPv4 and it has track interface. This is what we want for IPv6 if you have dynamic IPv6, which is probably a lot of people; I wish it was static but it's not, for a lot of us. Luckily the LAN is already set how I'd probably want to set it. We're going to track the WAN interface, and because we have the prefix delegation of 60: your first 64 bits is your network portion of the address, and because we only did 60 bits out of 64 we have four bits, which means we can have 16 networks that we can work with. So that means we can have a prefix ID starting with 0, which we have here, going all the way to 15. But this prefix ID is hexadecimal, so it'll go 0 through 9, and then when you get to 10 it'll be a, 11 will be b, 12 will be c, and it goes all the way to 15 which is f. So you could go 0 through f basically: 0 1 2 3 4 5 6 7 8 9 a b c d e f. That'll be all of the prefix IDs that you have available if your prefix delegation is 60. You will have 256 networks if you have size 56, right? You can have a lot more networks, I should say.

So this is what we'll do here. We actually don't need to change anything for the LAN because it's set by default; I just wanted to show you what it looks like. Now for the other networks, because we created them, these are new networks that we created, not out of the box, we're going to have to enable them and check prevent interface removal, so you can't actually delete them without unchecking this box. We're going to say static IPv4, and then we're going to do the same thing here, track interface. For IPv4, we're going to do 192.168, let me move the mouse so you can see, and we're going to do .10, so 192.168.10 for our network, and then for static IPv4 you usually want your interface to be .1. Then you want to make sure it's /24, because that means you can have 256 total addresses under that network. But the .1 takes one address and you can't use .255, so really you have 254 addresses that you can use in that network and not 256.
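To make the arithmetic in this part concrete, here is an added Python example (not code from the video or its written guide) that computes how many prefix IDs a delegated prefix gives you, which /64 "track interface" hands to an interface for a given prefix ID, and the usable host count of the /24 networks. The delegated prefix 2001:db8:abcd:ff00::/60 and the VLAN plan are constructed sample values that follow the video's convention of VLAN tag as third octet and an incrementing prefix ID.

```python
import ipaddress

# Constructed sample values: a /60 delegated by the ISP (documentation
# prefix) and the VLAN plan from the video, which uses the VLAN tag as the
# third octet (192.168.<tag>.0/24) and an incrementing IPv6 prefix ID.
EXAMPLE_DELEGATION = "2001:db8:abcd:ff00::/60"
VLAN_PLAN = [
    # (name, VLAN tag, prefix ID); the untagged LAN keeps prefix ID 0
    ("DMZ", 10, 1),
    ("Users", 20, 2),
    ("IoT", 30, 3),
    ("Guest", 40, 4),
    ("IPCam", 50, 5),
]


def prefix_id_count(delegated_prefix_len: int) -> int:
    """How many /64 networks a delegation of this size can be split into.

    A /60 leaves 64 - 60 = 4 bits for the prefix ID, so 16 networks;
    a /56 leaves 8 bits, so 256.
    """
    if not 0 <= delegated_prefix_len <= 64:
        raise ValueError("delegation must be between /0 and /64")
    return 2 ** (64 - delegated_prefix_len)


def prefix_id_hex(prefix_id: int, delegated_prefix_len: int) -> str:
    """The value to type into the IPv6 prefix ID field (hex, no 0x)."""
    if not 0 <= prefix_id < prefix_id_count(delegated_prefix_len):
        raise ValueError(
            f"prefix ID {prefix_id} does not fit in a /{delegated_prefix_len}"
        )
    return format(prefix_id, "x")


def subnet_for_prefix_id(delegation: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 an interface with this prefix ID gets from the delegation."""
    net = ipaddress.IPv6Network(delegation)
    prefix_id_hex(prefix_id, net.prefixlen)  # range check, raises if too big
    # The prefix ID occupies the bits between the delegated prefix and bit 64,
    # so it is added to the delegation shifted 64 bits to the left.
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def usable_ipv4_hosts(cidr: str) -> int:
    """Addresses you can actually assign to devices in an IPv4 network.

    A /24 has 256 addresses, but the network address and the broadcast
    (.255) are not usable, leaving 254; a /32 is a single address.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen >= 31:  # /31 (RFC 3021) and /32 have no broadcast
        return net.num_addresses
    return net.num_addresses - 2


def plan_interface(name, vlan_tag, prefix_id, delegation=EXAMPLE_DELEGATION):
    """Interface address (.1/24) and tracked IPv6 /64 for one VLAN."""
    ipv4 = ipaddress.IPv4Interface(f"192.168.{vlan_tag}.1/24")
    delegated_len = ipaddress.IPv6Network(delegation).prefixlen
    return {
        "name": name,
        "vlan": vlan_tag,
        "ipv4": str(ipv4),
        "usable_hosts": usable_ipv4_hosts(str(ipv4.network)),
        "prefix_id": prefix_id_hex(prefix_id, delegated_len),
        "ipv6": str(subnet_for_prefix_id(delegation, prefix_id)),
    }


if __name__ == "__main__":
    for size in (60, 56):
        last = prefix_id_hex(prefix_id_count(size) - 1, size)
        print(f"/{size}: {prefix_id_count(size)} networks, prefix IDs 0..{last}")
    for row in VLAN_PLAN:
        print(plan_interface(*row))
```

Running it prints the 0..f range for a /60 (0..ff for a /56) and one row per VLAN, for example DMZ at 192.168.10.1/24 with 254 usable hosts tracking 2001:db8:abcd:ff01::/64.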
Then we're going to do track interface, and for this one we're going to use prefix ID 1; we're just going to increment each one. And then we're going to check allow manual adjustment of DHCPv6 and router advertisements. After doing this I realized I probably do need to change something on the LAN. I thought out of the box it's good; I forgot to mention it, I'll mention it when I get to the LAN page. I'll click apply when I need to, to save time, because it does take a few seconds to apply these changes. This part of applying changes is actually a lot quicker when you have a slightly faster system. This is not a slow system, but it's slower than my VP2420, which doesn't take nearly this long, and I feel like it depends what changes you're making if it takes longer. Okay, let's go back to the LAN. I messed up, yeah, but that's because I'm winging it, right? So go to prevent interface removal; it just makes it so you can't accidentally delete it. And I forgot, for IPv6 I like to check allow manual adjustment of DHCPv6 and router advertisements; this allows you to make some additional tweaks. We're not going to hit that just yet, because you'll see every page has this, and we didn't change anything. So DMZ is our first network, our first VLAN; users is our second one. So click on user, we'll go to enable, prevent interface removal, and then IPv4 configuration, and then it opens up these menus down here. This part is just going to be a little bit repetitive, some of these configuration options. I really fumbled my keyboard there, okay, really bad. And then we'll pick 24.

This part's the same, so I'm just kind of mumbling a little bit. We're going to pick 2. Make sure we hit save; we do have to hit save. We don't have to hit apply until we're done, but you do have to hit save. The third network is IoT. I'm just going in order so I can keep it straight here. Click these two options, static IPv4, track interface, and 192.168.30; this one's going to be 30, right? You see the pattern that we're doing here: /24, and this will be prefix ID 3, right? 3 and 30 kind of go together; it helps keep the networks nice and organized. And then the fourth network. We've got two more to go, just bear with me. You guys wanted a video, and I said it's going to take a lot longer than a written guide. I apologize. I'm probably going to have to split this video up into pieces. I was going to do all the OPNsense configuration in one video, but actually, I don't know, I might do two or three videos. Static IPv4, track interface. Because I want to explain a little bit, not just do it really fast. Some people just do really fast videos and try to skim over stuff. I want to make sure you guys understand this, because I know it'll be helpful, because I wish I had detailed information when I was first starting out. I just had to learn, read, play around. I already had a little bit of networking background, which helped, because I did have a Cisco CCNA back in the day. I got it back in the year 2000, which tells you how old I am. This sounds so old when I say that, man, so old. I got it fresh out of high school, so I was in high school, year 2000 I graduated, so that tells you how old I am, right? Okay, this one's going to be 50 because this is our fifth network. Make sure we're on /24.

If you only put /32, that means one IP address, so you can't have any networks underneath; it's just one interface, so that would be a useless network. We've got to make sure it's /24. And this will be prefix ID 5, right? All right, finally made it through our interfaces, and now we can hit apply for all of our interface changes. Now we wait for this. Next up will be DHCP, because by default DHCP is only set up on the LAN and WAN interface, but now we need to set it up for all the VLANs as well, because every network should have a little bit of a DHCP range in general, unless for some reason you want static IP addresses for every device in that network, which, depending what it is, maybe if it's IP cameras, maybe you want to do that, I don't know. But I'm going to show you how to do it for each network as soon as it loads. Maybe I didn't click it, sorry. Oh, there it went. Okay, maybe I didn't do it, I don't know. I was just sitting there waiting, just talking away, and I didn't realize I didn't click it or clicked too soon or something. So what we're going to do now, we're going to go down to the Services menu and go to DHCPv4, and we're going to start with the LAN. We're just going to look at the LAN; see how it starts with 100 and goes to 199.

I had to cut out there real quick on the video because I wanted to check what I actually had in my guide so that I'm consistent. By default it does 100 to 199; I just did 100 to 200. That one extra IP is not going to be that big a deal, but I just want to make them all the same and consistent with the guide that I wrote. You can pick a smaller range; you probably don't have 100 devices, I don't know, and if you have more, you can pick more. I'm just going to make them all 100 to 200 to keep it nice and clean and consistent. So that's all I'm going to do for each of these networks. I'll just go all the way down; let's start with DMZ. You can just copy this and then paste, that way you could just do this and then 200. So it's just the same boring thing here. Let's copy this, I don't have to type as much; we're still 100 to 200 on each one of these. So this is when you plug a device into your network or connect through wireless, that's the IP addresses they are going to get, right? You're going to get one in that range, and then if you're going to manually assign static IPs you should pick them outside that range. Some firewalls or routers or whatever will let you pick an address within your range and be fine with it, but OPNsense likes to have it outside; it might even give you a fit about it if you don't. Let's see, here we go. Maybe I should just speed up these parts where I'm doing this; I'll just continue with the rest. Here we go, we're on the last one, final stretch. All right, I just realized I messed up again. I forgot to enable it. We've got to enable all these, man. It's getting really late, and so this is probably the worst time for me to do this, because you've got to stay focused, because I'm trying to narrate this and click on all these settings. But at least I caught it and I didn't have to go back and redo the video. I'm just going to roll with this. I'm just going to enable each of these and go all the way down, right? Let's see, LAN is already enabled, user, right. Okay, there we go, now we have that enabled.

Now we can go to DHCPv6 for IPv6. So for IPv6 the interesting thing is you actually can't assign DHCPv6, because it says there's no available range configured, because we're not plugged into the network. Everything is all dynamic for IPv6 the way we have it configured right now, so you can't even enable IPv6 yet until you're actually getting a DHCPv6 address range. What you normally would do is enable it just like IPv4, and we're just going to do ::1000 to ::2000. The way to do that for IPv6 is you type the "::" and then you type that, so you're just assigning the last few bits or whatever of the IPv6 address; it has to be 1000 to 2000, and it'll take whatever dynamic part of that IPv6 address and fill in a little bit of zeros and it'll have 1000 to 2000, so it keeps your addresses pretty simple. So we can't actually save this, but you would just do that for each of these interfaces once we're connected to a network. I might show that when we circle back around. I guess I could probably show this: after you configure that part you will go to router advertisements and you click on DMZ and whatever interface, guest, IoT, and then I like to pick assisted, because if you look at the description here it says assisted actually uses stateful DHCPv6 and SLAAC. I think it's that not all devices support DHCPv6, it seems like, which I've read about, maybe even some older Android
devices and stuff like that. So it's kind of interesting that not all devices support that, but almost all the devices that don't support that do support SLAAC. Sometimes the only way you can get an IPv6 address assigned is via SLAAC, so I like to do assisted, because that way either way you can hopefully get an IPv6 address, because I noticed that sometimes the devices wouldn't get it if you don't do SLAAC. I'm going to hit save and see if that works. So we can actually do this part of it; we can just say assisted on all these. Oops, hit the wrong one. Assisted. So we actually will save these and we'll at least have this part of it done. We just can't do that one part until we're connected to a real network, because we're not connected to any network, I should say; we're not actually connected to anything right now. Assisted, assisted, all right. One thing that I want to show is once you have DHCP enabled, you can actually start plugging devices in; it will actually start working as far as connecting your network together.

One thing I like to show is Unbound DNS. If we go to Unbound DNS we can go in here and look at some of these settings real quick. By default it listens on every interface, which is mostly probably what you want. I like to enable register DHCP leases, so that when any device that gets an automatic IP address has a hostname associated with it, it will register that, so you can use that hostname when you refer to devices on your network. Same thing with DHCP static mappings; you can register those DHCP static leases as well. So I like to enable both of those options, so that I can type hostnames in on my network instead of IP addresses all the time. I think that's a very handy way of doing things. One other thing that you might want to do, I don't think it hurts performance, it might slow down queries a little bit: I like to flush the DNS cache during reload, because if I'm making DNS type changes, hostname changes and stuff like that, I have problems with it hanging on to the old IP address unless I sit there and flush the cache on OPNsense and flush it on my device itself, because everything wants to cache DNS, right? So it's good to be able to flush that stuff out sometimes. They do it for performance, but if I'm making a change to a hostname or IP address or moving stuff to different networks, sometimes I need that stuff to get flushed out.

One thing that I want to mention is if you temporarily want to connect this box to your existing network so you can do updates and those sorts of things, I'll go ahead and mention it here: if you go to query forwarding you can click on use system nameservers, because we have the system nameservers that I showed you earlier; it's set to DHCP override the nameservers, whatever. Since we're not plugged into the network we're not going to see anything here, but if you're plugged into your network you'll see a local IP address, or if you're plugged into your ISP modem you'd see an ISP DNS server there. If you're behind another router, I've noticed that if you use the system nameservers and do DNS query forwarding it seems to work a little bit better, because I've had some weird things happen with DNS, because I'm behind my network and I'm doing all my DNS stuff that I normally do on my main router. If I have another router behind it I usually just forward the queries to my other router, because it seems like DNS works better that way. So you might want to check this option temporarily if you're working behind your other router, because otherwise you might have problems trying to download updates and stuff, because DNS isn't going to work right for you. Then when we're done, you can uncheck that when you make it your main router, or you can uncheck some of these options and we can go in and configure DNS over TLS and those sorts of things, but I'm going to come back around to those issues.

Okay, now that we've finished looking at some of the basic settings of Unbound DNS, I'm going to create a couple of DHCP static reservations for static IP addresses for a few example devices on this network, because we're getting ready to create firewall rules. I'm going to create firewall rules for each VLAN that apply to the entire network, but I'm also going to create a couple of example rules for specific devices within each network, because it's better to have as fine-grained firewall rules as possible to limit access as much as possible. So a good approach is to have network-wide rules that apply to everything, which are a little bit broader, more general rules, a catch-all for every device, that isolate various portions of your network. But it's also very handy, and more restrictive and more secure, to actually do it between individual devices: if you want your whole network to access a specific machine, or you want a specific machine to access another specific machine, it's good to have those fine-grained controls. And static IP addresses, I feel, make it a little more reliable between the networks, because you can create firewall aliases that have hostnames with dynamic IPs, but I found that to be unreliable at one point in time when I tried this a while ago; maybe it was a bug they fixed, but whenever I used hostnames that have dynamic IPs it would lose the IP address sometimes, and so then the name wouldn't resolve anymore, and so the rule would not block access or allow access like it should. So I didn't find that very reliable, so I
started making DHCP static reservations and then creating an alias that points to that same hostname, which has a fixed IP address, and that seems to be much more reliable. So that's what we're going to do next. I'm going to click over here; we're going to go to DHCPv4. I'm only going to do static IPs for IPv4; you can do it for IPv6 if you want as well, the process is pretty similar, but I'm focusing on IPv4 as I did in my guide. So we're going to create a static IP reservation on each network. You can go to this leases page under DHCPv4 and you can see all the devices that have leases here, and this is a quick, nice way of adding a static mapping for a MAC address straight from this page, which is nice because you don't have to type in the MAC address if you use this page. Once you're on the DMZ interface page, at the bottom you can create DHCP static mappings. If you create it from here instead of from the leases page, you are going to have to manually type in the MAC address, and so I am going to do that real quick, and it's not very fun. I was going to try copy and paste, but since I'm using the screen capture program I forgot I can't do that. So anyway, we'll just type it in real quick. We're just going to make this 192.168.10.10. Notice that I'm using .10 instead of anything within .100 to .200, because that's our dynamic IP addresses; we want to be less than that. We're just going to pretend we have a web server on our DMZ network, which is a plausible scenario. Save. Then you'll notice down here we can hit apply changes, but just like with the interface pages we can actually do this later. I'll just go ahead and click it because it's pretty quick here. So you'll see down at the bottom we have our DHCP static mapping, and we're going to do this for each interface. I actually have one for the guest network, actually I don't. Oh my God, I want to follow my guide. I'm going to go to the user network, sorry, and we'll click at the bottom. I actually didn't create a device for each network, because the guide was already getting really long anyway. So we're going to do this MAC address; it doesn't really matter, I'm just following it real quick, it doesn't have to be exactly the same, but I'm going to make it consistent: 192.168.20.10, and this was going to be our PC in our user network.

Next we're going to have IoT, for all your IoT devices, so we're going to go to the bottom. I'm getting distracted here; focus, right, focus. Just like I mentioned earlier, it's late at night and I'm recording this on multiple nights, so this makes for long recording sessions. All right, so this one's, again, I'm following the guide just so you can see where I'm coming from; if you are following the written guide as well, you can see me actually doing what I wrote about, having it documented on video here. So this one's going to be 30.10 and this is going to be our printer. So now we're finally on the final one. I'm doing the IP cam network. I actually have three devices set up here; I'm going to pretend I have three cameras, just as an example. So for the IP addresses, I will make these ones sequential, because I kind of wanted to show a firewall rule with how you can have sequential... I forgot 168. We can actually have sequential ranges in your firewall rules, which is pretty cool. Put our hostname in; I'm just going to call it IP cam 1. Okay, and we'll wait to apply changes because I'm going to add two more here. Sorry, this part's slow, but I'm just showing you real quick. I actually used a website to generate random MAC addresses so they look legit. It's getting late, I'm just losing my mind here, guys. I'm doing this for you, really, so I hope you like it. So 2 3 6, 3 1 8 0, c 8 9, 50, .12, IP cam 3. All right, IP cam 3 coming up. Okay, I'm now going to apply changes there.

Now we're actually able to get to the point where we can create firewall rule aliases. Aliases are really nice because they allow you to make your rules more repeatable or readable; it makes them easier to maintain as well, which is very handy. I'm actually scrolling down on my guide here to make sure that I'm matching what I wrote. So let's go to the Firewall section in the menu, and then we're going to go to the Aliases page, and you'll see normally you have seven shown by default, but I changed it to 20 so we can see all of our aliases. These aliases that are on here are all the ones that are created out of the box, because we never created any yet, right? So you notice you have some: we've got the bogons, those are filtered on the WAN IP address side, and these get refreshed periodically, I think monthly by default. And then down here at the bottom you'll see various network aliases created by default, and you'll see these descriptions when you go to create firewall rules, and you see WAN net, LAN net and all; you'll see these in there whenever you go to create rules. You'll also see WAN address and LAN address, and one for each interface. The address ones actually don't show up in here, only the network ones, which is kind of interesting to me.
I found that to be kind of interesting. But we're going to make use of these as we create some of our firewall rules, especially if you're using IPv6; you don't really need to do it if you're not doing IPv6, necessarily, unless you really want to, and I'll explain why in a minute. So the first alias we're going to create, if we click the add button down here, we're going to call it private networks. We're going to use this to help isolate all of our networks, because we're going to block anything that's a private network on each interface, for each network. When I say interfaces, interfaces and networks are kind of interchangeable when you talk about it from a firewall perspective. You'll see it even in the OPNsense web interface; in the web interface the terminology a lot of times will say interfaces, but each interface can have a whole entire network off of it. That's why we do /24 off the interface instead of /32, because /32 is a single IPv4 device address, and if we do /24 that's a whole network, as we mentioned, 254 usable addresses, because you have to subtract the two off there, because one's used by the interface and .255 is the broadcast address. So we're going to create the private networks alias, so we'll need to select networks as the type. I'm showing IPv6 as well because a lot of people are interested in it, but I'm keeping it kind of basic because I don't use it fully in my own network, because I've had issues trying to get IP addresses, and certain things will default to IPv6, and if things aren't set up exactly right you'll have issues. So if you're only using IPv4, you can actually use the RFC 1918 private IP address ranges, which is 10.0.0.0/8, and if you hit comma it'll... sorry, I typed in the wrong box. Don't type in the categories box like I did; type in the content box. 10.0.0.0/8, and then hit comma and it'll group it in a little box there, and then 172.16.0.0/12. You can look up what these ranges are online as well; they're not a secret. Then 192.168.0.0/16, and I'll just hit comma to get that box to show up. Anyway, these are your private IP addresses for IPv4. You can use it to block all your existing networks from each other. The nice thing about doing it this way for IPv4 is if you add a new network, a new VLAN, in the future, you don't have to remember to add it to this alias every time, so it's less maintenance. We will account for this in the rules; I'll show you later.

But because we're doing IPv6, I want to take this out, because we're doing dynamic IPv6. Actually, if we're doing static IPv6 you can actually type in your full IPv6 range; it would be whatever it is, let's say it's 2001:653..., I'm just making one up, the first half of the network address, I'm just typing in a random address. So if you have static IPv6 you could do something like this, especially if you had a /60, let's say. You could actually do this along with your IPv4 addresses that we just typed in, and that would block everything, IPv4 and IPv6, of all that you would consider your private networks, even though IPv6 is publicly addressable. But this will be one way; we're just going to use this alias to isolate our networks. That's the whole purpose of what we're doing here. It might be a little bit confusing, but I'll try to explain it as we go along. Just remember how we want to do this alias. So we're going to do it two ways, but I want to show you the way I'm going to do it in this guide, because this should work for IPv4 and IPv6 if you have dynamic IPv6. It could work for static as well, but if you have static you can just type it directly in like I just showed you. Someone showed me this; in my original guide I actually did this a longer way, but you can actually type two underscores and bring up those aliases that are already created, and notice we have one for each network. So we can pick the LAN one, and then we'll do two underscores and pick opt2, and they're going to be called differently depending on how you added your interfaces, then opt3. So we're going to add each of these networks in here, add them all, all of them except the WAN of course. All these opt interfaces represent your VLAN networks. So if we add all of these, this will be our private IP network ranges; this will be what we describe in our description here, and this will be what we use to block and isolate networks. I want to show you that you can see what's inside of these aliases as we go through here: if you go to Diagnostics, let's just jump there real quick and click aliases, and then you can go up to the dropdown and pick opt2. You can see this is our DMZ network; it has the IPv4 address, and whenever you're plugged into the network and you actually have IPv6 addresses assigned, you will get that network address for IPv6 in there automatically. So we've got IPv4 and v6 in this, so you can use this alias for both IPv4 and IPv6 to isolate your networks. That's a little trick that I learned from someone that said you can do the underscores, because I noticed you couldn't pick... I was trying to type something like wan net or lan net and that doesn't work. I'm like, oh, it's underscores and you have to use those aliases. So I was doing it some other way; it was a little
more complicated so um now that we have that one created we're going to actually go and create one Alias let's get back to our aliases page up here we're going to create one Alias for each system and so these will just be hosts okay that we're going to create because we're just going on this so we can refer to them in the firewall rule so we don't have to type out the IP addresses if we change the IP address we want to move it to different network all we have to do is just change it in this Alias so it minimizes the places you have to edit server yeah um okay for um for the IP cams cameras um we can actually um the cool thing about this one is we don't need to create one Alias for each camera because I I made the IP addresses close to each other on purpose the cool thing is you can actually add a range in here you can say one six nine ninety two 168.50 Dot 12. or dot 10 I mean two and you can see I put a hyphen in there 192.168.50 dot 12. I'll make sure I type this right and you see if I click off of it it actually puts it in a box like that and I'm going to say IP security cameras right so that's pretty cool so you can actually the content here it actually put that Network range in there um I somehow missed I accidentally typed this in the wrong box so I want to fix my mistake I type it in one box it gets me every time if I'm not really paying attention because I'm assuming it's going to be that first box but it's not it's not the first box this is iot Network make sure I get it right now now that we have our aliases we're going to create some rules this is where you know some people might get uh confused about some things so I want to go to the floating rules flooding rules can actually apply to all interfaces which is pretty neat so it's not tied to a specific interface that's why they call them floating rules because you can just kind of assign them to whichever interfaces you want by default a floating rule will apply to all interfaces um but you can pick any 
set of interfaces that you want for floating rules which is kind of interesting it might get a little bit confusing which ones get applied to but open synth actually recently added it um on the pages where the firewall rules are for each interface they actually showed the floating rules and firewall groups and anything it gets applied before the interface which is really cool I'm glad they added that because that allows you to see what other rules are coming you know or being applied first because some sometimes these rules that get applied first will trip you up because it's doing something before you you can even get to it into the interface and you might be something might be happening you don't want to be happening right so we're going to create one rule here in my in my example I'm only showing one rule actually you'd make use of this for different reasons on my own network but for my for this example I'm only going to do it for IPv6 actually so because IPv6 relies on icmp um much more than ipv4 and you almost always want to enable um certain aspects icmp you can get real granular granular which ones you want to apply but to make it easy I'm just going to allow all icmp because some people see it as a security risk but the IPv6 is is icmp is a little bit different how it's designed and it's it really helps make the robe the network functional a lot better so um and if you do like online tests for networks you you're online online test for IPv6 you're going to get a lot better scores if you allow icmp they're going to get dings for that and because it it allows for discovering stuff you're still protected by your firewall I don't know what the exploits are for you know this scenario but um I haven't heard of too many things so I feel like it should be pretty safe it'd be better if you get more granular with it but we're just going to do all IP icmp might make you feel uncomfortable but you have to allow at least to at least allow it to the Wayne interface even 
if you don't allow it to your whole network um so we're going to pick the TCP version of the IPv6 and then we're going to go to uh we're going to pick the protocol we're going to pick icmp and then we're going to say source is Indy and destinations any description I recommend say allow icmp V6 on all Networks we're going to start with the Lan Network and you'll notice there's two allow all rules here so you can actually get to every network from the land some people like to do that with a management I worked a lot of access everywhere but I like to restrict a little bit more even from the management Network because if you get something in there you know that's the worst most sensitive Network for something to get bad to get into but at least it'll your other networks will still be protected if you only allow access that you need allow access to um so what I'm going to do is we can actually just delete these but we're not going to apply changes because we'll lose accent well we have a anti-lockout rule so you shouldn't get locked out of the web interface but we're just going to go ahead and delete these okay because but we're not going to apply changes so we don't have to worry about you know we have anti-lockout rule we won't worry about getting locked out here so I'm going to clear this out so we can start fresh so I wanted to create a rule um the first rule which we're going to use our private Network Alias that I just created earlier um that is going to we're going to say pass leave it at the default and we'll say Lan default and default flow we're going to do IP 4 plus IPv6 and we can actually combine the rules together in this one and we'll say any protocol and the source is laying there because we're in the Lan Network you can start typing it in to get to it um and destination we're going to actually pick oh we're going to do a destination invert so don't forget that this is critical and I'll explain what that does here in a minute um we're going to do 
private Networks as your destination and all you just do now is do a description that says allow access to only the internet okay so this is going to what this rule is saying it says anything that's coming from the land Network which is this is a rule applied to the land Network any anything that's coming from the land Network and going to any network that's not a private Network so it's allowing this so one thing I forgot to mention is if when I deleted all those rules off if you have no rules on an interface it means everything is blocked so only the only traffic that's allowed is local traffic between devices on the same network those devices can always communicate it does because nothing's being routed across networks so whenever yeah one thing you need to keep in mind is when if nothing matches any rules if it gets all the way to the bottom of your rule list and it doesn't match any of these rules um it will be blocked all that traffic will be blocked so you don't have to put a rule at the bottom that blocks everything right it's always it's going to happen anyway when it gets to the bottom of of all your rules so it's just going to fall out the bottom and then be blocked so basically we're kind of doing almost like a white list we're only allowing access to things we don't allow access to um but there are still cases of needing to use blocks but I actually use passes almost more than I use blocks because what I end up doing is I allow anything it doesn't match a pass it's going to be blocked anyway so I don't really I don't always use blocks a ton actually unless it's like a like a an IP malicious IPS that I want to block then in that case you definitely want to hit you know block uh those but for um for allowing access across the networks um you know because of how these rules are constructed you actually don't need as many maybe block rules as you might think you need um so this is actually saying uh when you do destination invert it has an exclamation 
point here in front of the destination which means this means not so so if you're and we're doing a pass rule so I'm saying it's saying allow traffic from Land network uh where it's not a private Network so that means anything that is a private network will be blocked because it won't match this rule won't match this rule at all so it'll fall out the bottom so by having this one rule in here where we've blocked access to all other private networks in our Network Okay so this this rule right here will give us isolation that we want but we still need one more rule to complement this rule because if we just leave it at that you're going to block your DNS and anything else that's running on your interface like ntp like for your network time protocol server anything that's running off your interface DNS is the biggest one if you're not using ntp your local ntp for your devices that might not be as crucial for you but we need to add one more rule to allow DNS and we're going to put it before this rule so the way we do this we're going to need a minimum of two rules to have an isolated Network there's other ways you could probably do it like if we weren't blocking all private IP addresses and we were only blocking the other networks that we have and not our own no you know the one that we're already in you could get away with one one rule but you'd have to keep updating your network addresses all the time so you could do this in one rule but I like doing it this way because if you add new networks it's already blocked by default I rather it'd be blocked by default than Allowed by default because you might forget that to add that Network to your restrictions and then it'll just have free access to everything so you could open up a secure note accidentally so that's why we don't this is kind of why we're taking this approach so we're going to do a pass rule here on the LAN and we're going to do ipv4 plus IPv6 again it's nice that we can do both with one rule and we're a 
protocol we're going to do is TCP UDP uh DNS is supposed to be UDP we're going to say source is land net just like before it's always better to say land net than any normally because if you're in the land it's a little bit more restrictive um and then destination of course is going to be Lan address so this is your gateway for all your devices on your on your land Network the Lan address is your interface address and that's your gateway to the internet and to other networks in your local network right so that is going to be 192. 168 1.1 that's what the land address is and DNS server and when you do Unbound DNS when it's listening on all interfaces it's going to be uh on every you know Network address like that Lan address DMZ address iot address all those things that's your gateway for each of your networks have its own Gateway based off your interface that's how it gets to any other network even your local networks so destination Port range is DNS there are some built-in aliases here for ports and so we have we can just make use of that with DNS and then we're going to say allow access to DNS okay and then when you add new rules it's going to put it at the bottom every time so what you can do is you can click that check this check box over here to the left of that rule and then you click this Arrow which means move it above this rule so we want to get make sure this order is correct because the order is important um because it it executes rules and the order that they're in this list um so we're going to say apply changes now this is the bare minimum rules that you'll want for most networks I'm going to create a rule for icmp for for ipv4 this one's just kind of nice if since the your Your Land network is going to be the management network if you're following this guide I think it's kind of nice for the management Network since you're we're controlling all your network infrastructure that allow icmp for ipv4 um so you can ping other devices on your network you 
might some people don't like like block ping completely you know icmp which includes ping and all the trace route and all that kind of stuff um but you might be useful to actually have this enabled for your management Network so you can actually do troubleshooting on your network so we're going to do um TCP we're only going to do ipv4 the default we're going to do protocol icmp and then we're going to say um land net we're gonna allow our devices on land net and if and you could you could say um you could if you had a specific device that you want to only use for troubleshooting you could do that but we'll just thought of the whole network because it's our management Network right and destination is any so and then we're just going to say allow it's good to have good descriptions all right so you know what this is for allow icmpv4 um from Lan to all Networks of course I didn't hit the space bar here we'll make it pretty make it readable okay well and then we gotta just like the last one we're going to move it above the bottom rule so we're going to put it in the middle here you can actually put this at the top it'll be fine if you had it to talk um no big deal no big deal but we're done with the land Network okay now we just need to create rules for our other interfaces what we can actually do um in my I didn't mention this to my guide but for to make this quicker for the subsequent interfaces we can actually clone if you notice this button here we can clone these rules because they're going to be similar for each Network we're going to you know most these networks we're gonna are gonna have at least these two rules and so we're going to actually clone them so I'll show you how this works because this saves a lot of time I do this a lot when there's rules that are similar cost networks I try to minimize duplication across interfaces but some of these rules to isolate the networks have to be done yeah you know on each Network and some of the stuff you do have to 
kind of duplicate and just tweak them a little bit or if you have a rule that's really similar to what you want to do but not exactly the same you can use it to give you a good start a head start on it so you don't have to type everything all over again so we're actually going to make use of that when we go to the DMZ network will be the next so I'm going to start with my land Network because it's the one that's we just finished and we'll start with the the bottom one here we'll just clone this one and so since we're going to move it to the DM we're going to clone it to the DMZ Network so just type in DMZ we gotta make sure it's important that you make sure this is on the proper interface which is DMZ and then we want to change land net to DMZ .net right everything else is the same private networks we're still blocking that allow access Internet we can still use the same description right so the cool thing is it'll jump you over see how it jumped us over to the DMZ Network so now we could just say allow excess allow access to Internet only which is cool and we'll Supply the rules at the end just um because it'll save us some time so now we go back to here we're just going to do the same thing DNS we're going to change it to DMZ so this will save us a lot of time here because that's why you got to make use of these features so we're going to do DMZ net um and then we're going to do DMZ address so we've got to retains both of these to get the DNS um allow rule correct and you notice if we start from the bottom when we clone the rules and work our way up to the top it'll actually put them in the right order so from my guide that I did that's all we're going to do for the DMZ because we wanted to be isolated it only has access to the internet we don't want anything you know have it access anything on our Network because that's our the DMZ is intended to be its own isolated network from the rest of your network that the public can access um hopefully have other security 
stuff in place in front of that as well um you can use cloudflare or whatever else tunnels and stuff like that or whatever um so we're going to go to the user now we can actually start from this network if we want um let's go to apply changes um we'll start with from this network we'll do the bottom and we're just going to do the same process again right we're going to go to user and a user oops user net so here we go and we're going to clone the DNS user user and sir okay okay now in this in the user Network we actually are going to allow some access between from our PC or that we have we're going to allow the PC to or any devices on the user Network could be a PC's laptop however we're going to allow this network to access our web server which is on the DMZ and and also our printer which is on the iot network so you'll get to see how this kind of access works so we're going to create a new rule and we're going to pick ipv4 because we're only using ipv4 right now protocol we're going to use TCP I'm just kind of referring to my list over here so I don't try not to mess this up right um and we're going to say the sources usernet destination is going to be our web server Alias that we created this is why we created aliases so we don't have to type IP addresses anymore makes it real descriptive because you can see our destinations the web server you want to remember what's 192 168 10.10 right and then the port we're going to say it's https and it'll automatically fill in the other two port which is nice um I don't want to say uh allow access to web server and it's actually going to put it at the bottom like we said before right and then we'll move it to the middle right it could be at the very top but I like to put the DNS the ones that access the gateways first um and then I usually put like my any access between networks between my devices I just sandwich them somewhere in the middle I don't want to have any order necessarily in the middle um because it doesn't 
really matter um for this type of specific access so let's do one more one more to add we're going to do this one we're going to TCP UDP um because the printer I you can allow specific ports on the printer but I mentioned to my guy that I'm just gonna allow all ports because for scanners if you have like an all-in-one printer you have scanners and printers and stuff it uses multiple ports you could figure out which Port says are I I think I tried doing it one one at one point time with my printer and it because it's different Discovery protocol there's different ports that's having issues figuring out which ones I got tired of I was like that's allow any because I just need access to the printer um one day maybe I'll tighten that up a little bit but um so we're going to say destination any uh no destinations printer I mean sorry it's the port that's any so say we have our printer Alias and our destination Port we're going to say all ports and we want to go down here to description and say allow access to printer and we want to move it up as well all right so that should look similar to what I have in my guide okay now let's move on to iot so we're going to clone our rules right to get started iot okay doesn't matter it doesn't matter which network we click on and I want to click on clone iot i o T address okay okay for the iot network we're going to allow access to the web server we have some devices and maybe we have some apps for services on there um we're going to allow protocol TCP and we're going to allow destination web server I like that you can just type in the Alias and it brings it up and we're going to https allow access to web server okay one trick is I forgot you can multi-select rules so we'll actually do this at the end to say I'll show you how to do this so it'll be a little bit quicker so we're gonna do now we're going to add the IP camera feeds and so we're going to allow protocol TCP and it depends on what kind of video feeder you're dealing with 
but you might need UDP um but if you're using rtsp I think you can just use TCP that's what we're going to do in this example so source is iot Network we're going to allow our iot Network to access the camera feeds let's say the reason being let's say we have a monitor camera monitor or something we can allow specific access even though we it's better to have it completely isolated if you want but this allows us to have some monitors you know to we can have a you know use our phones or whatever to access the camera feeds so the source is going to be wait what am I doing here sorry I'm getting it's getting like destination IP cameras I keep saying that sorry okay IP cameras our destination and we're going to use port 554 you could create an alias for this port if you want which is what I did do so I can make it descriptive but we're going to say 554 is um to 554. that is rtsp that's what a lot of cameras use this real-time streaming protocol allow access to ah this is a delay IP camera feeds okay camera feeds and then we just need one more we're going to allow access to printer so we can print from our phone let's say for example we'll say iot would do protocol with the TCP UDP and it will do Source iot net and destination with a printer so this shows you some examples like how you want to allow access between your networks you still keep things isolated and you allow access where you need it um allow access to printer we're going to save this now we can actually select [Music] um three things at once of course I missed something and then we're going to move it above this Rule and watch you can actually see all three rules will jump up there and I'm going to go back and fix another mistake I forgot to pick a source the iot net okay it stands out pretty easily in that rule set I could see it with Supply changes okay we're almost done with the rules we got the guest Network so we're going to do I want to start down here with private networks we're going to do a guest 
Network so close it takes a lot longer when you're trying to describe it as you're doing the video and walking through everything if you just typing the stuff in it'll go a lot quicker if you are just you know typing it in without talking about everything that you're doing so I'm trying to be a little bit detailed here so just like my written guide so you can actually see what's happening and understand what's going on I guess not so we're going to take resist the gas this is our usual stuff oops destination I want it to be ah I accidentally clicked the wrong thing address okay and for the guest Network we're gonna allow it access to printer so your print your guest can print on your printer you might may or may not want to allow that but if if you want them to print on your printer if you trust your people in your network um so we're going to pick protocol TCP UDP and then we're going to pick Source we're gonna pick yes and destination printer we could have copied the printer rule probably across the networks as well um I just thought about that but not not too big a deal I guess wow access this takes a little bit longer right so just to think about it you can copy any rule that you want okay so what I did for the um IP camera network is I actually only copied the um DNS rule the reason I did that as I explained to my written guide is just to reduce spam and the firewall logs basically because it's always requesting DNS um all the time when you block everything like a lot of devices will keep calling out calling out so to reduce that kind of spam and that extra traffic of checking for DNS I actually just allowed DNS but I don't allow anything else I still can't get out it can it can just get the IP address to where it wants to Connected but it cannot it can't actually connect to it so that kind of appeases the uh devices you know this is nice because it it kind of reduces a little bit of spam and maybe a little bit Network traffic as well some devices keep trying 
and trying um all right so now this completes the firewall rule configuration and so this config actually completes all of the configuration that we're going to do for open sense as far as the basics of what you need to do there's a lot more things you can tweak and add but this was like the bare minimum we we set up a couple of system settings that you want to configure about your system to customize it for your network we set up the interfaces we set up the lag right and then we set up the vlans we set up dacp V4 and V6 and then after that we did a little bit of Unbound DNS configuration to allow host names to resolve the IP addresses I also talked about query forwarding in case you're connected behind another router and after that we started working on creating aliases for that we're going to use in our rules firewall rules and then we created all the firewall rules we needed for all of our interfaces so with all that said that's that's just the basics there's a lot there that's why this video is so long but there's just um but I wanted to go over that I want to try to keep it cohesive as possible and focus on just the core aspects uh follow-up videos I can maybe do some more security related stuff because that's just so much it takes hours and hours right so this is the uh list lengthy portion of the setup of your network because there's a lot of stuff to configure uh on your router firewall Appliance to get everything set up for the basic Network Services all set up I hope you found this portion of the video very helpful even though it's long and detailed um this is where a lot of people get maybe hung up on some things so I'm hoping if you're new to this that this will you know find that you'll find it beneficial and my written guide has more details that I go into a little bit further than I do in this video and just because there's just so much there takes a lot of time so you can check that out as well I have a link below um but yeah until the next time 
I'll see you in the next video
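The rule logic walked through above (floating rules first, then the interface's rules in list order, first match wins, the Invert checkbox meaning "not", and an unmatched packet falling out the bottom and being blocked) can be checked on paper before you click Apply. The Python below models that evaluation for the isolation rule set the video builds; it is an added example, not code from the video or from the OPNsense project, and every interface name, network (the 192.168.x.0/24 numbering, the DMZ web server host, the "BadHosts" block alias) and sample packet is constructed for illustration. It uses the RFC 1918 version of the PrivateNetworks alias, so it covers the IPv4 case; the IPv6 interface-network aliases would slot into the same table.

```python
"""Model of OPNsense first-match ('quick') rule evaluation for the isolation
rule set described in the video. Added example, not from the video or the
OPNsense project; all aliases, interface names and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Firewall > Aliases. PrivateNetworks is the RFC 1918 alias from the video;
# the *_net / *_address entries stand in for the built-in interface network
# and interface address objects. Every address here is an assumed value.
ALIASES = {
    "PrivateNetworks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "LAN_net": ["192.168.1.0/24"],     "LAN_address": ["192.168.1.1/32"],
    "User_net": ["192.168.20.0/24"],   "User_address": ["192.168.20.1/32"],
    "WebServer": ["192.168.10.10/32"],  # host alias for the DMZ web server
    "BadHosts": ["198.51.100.0/24"],    # constructed "malicious IP" alias
}

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    interface: str                   # "floating" applies to every interface
    protos: frozenset                # {"any"} or a set of protocol names
    src: str                         # alias name or "any"
    dst: str                         # alias name or "any"
    dports: Optional[frozenset] = None   # None = any destination port
    dst_invert: bool = False             # the "Destination / Invert" checkbox
    description: str = ""

def in_alias(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # an IPv6 address never matches an IPv4-only alias (and vice versa)
    return any(addr in ipaddress.ip_network(n) for n in ALIASES[alias])

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.interface not in ("floating", pkt["iface"]):
        return False
    if "any" not in rule.protos and pkt["proto"] not in rule.protos:
        return False
    if rule.src != "any" and not in_alias(pkt["src"], rule.src):
        return False
    # Invert flips the destination test: "!PrivateNetworks" matches only
    # destinations that are NOT in the alias.
    if rule.dst != "any" and in_alias(pkt["dst"], rule.dst) == rule.dst_invert:
        return False
    if rule.dports is not None and pkt.get("dport") not in rule.dports:
        return False
    return True

def evaluate(rules: list, pkt: dict) -> tuple:
    """Floating rules run first, then the interface's rules in list order.
    The first match wins; a packet that matches nothing is blocked."""
    ordered = sorted(rules, key=lambda r: r.interface != "floating")  # stable
    for rule in ordered:
        if matches(rule, pkt):
            return rule.action, rule.description
    return "block", "default deny (fell out the bottom of the rule list)"

ANY, TCP, UDP = frozenset({"any"}), frozenset({"tcp"}), frozenset({"udp"})
RULES = [
    Rule("pass", "floating", frozenset({"icmpv6"}), "any", "any",
         description="Allow ICMPv6 on all networks"),
    # LAN: DNS to the interface address, ICMPv4 anywhere, then internet only
    Rule("pass", "lan", TCP | UDP, "LAN_net", "LAN_address", frozenset({53}),
         description="Allow access to DNS"),
    Rule("pass", "lan", frozenset({"icmp"}), "LAN_net", "any",
         description="Allow ICMPv4 from LAN to all networks"),
    Rule("pass", "lan", ANY, "LAN_net", "PrivateNetworks", dst_invert=True,
         description="Allow access to only the internet"),
    # User: DNS, one hole to the DMZ web server, then internet only
    Rule("pass", "user", TCP | UDP, "User_net", "User_address", frozenset({53}),
         description="Allow access to DNS"),
    Rule("pass", "user", TCP, "User_net", "WebServer", frozenset({443}),
         description="Allow access to web server"),
    Rule("pass", "user", ANY, "User_net", "PrivateNetworks", dst_invert=True,
         description="Allow access to only the internet"),
]

def pkt(iface, proto, src, dst, dport=None) -> dict:
    return {"iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}

BLOCK_BAD = Rule("block", "lan", ANY, "LAN_net", "BadHosts",
                 description="Block malicious IPs")

def block_rule_effect(at_top: bool) -> str:
    """Order matters: a block rule for BadHosts only takes effect if it sits
    above the 'internet only' pass rule that would otherwise match first."""
    rules = [BLOCK_BAD] + RULES if at_top else RULES + [BLOCK_BAD]
    return evaluate(rules, pkt("lan", "tcp", "192.168.1.50", "198.51.100.9", 80))[0]

if __name__ == "__main__":
    samples = [  # constructed packets
        ("LAN host to internet HTTPS",     pkt("lan", "tcp", "192.168.1.50", "203.0.113.10", 443)),
        ("LAN host to DMZ web server",     pkt("lan", "tcp", "192.168.1.50", "192.168.10.10", 443)),
        ("LAN host to its gateway DNS",    pkt("lan", "udp", "192.168.1.50", "192.168.1.1", 53)),
        ("LAN host to a VLAN added later", pkt("lan", "tcp", "192.168.1.50", "192.168.99.5", 22)),
        ("User host to DMZ web server",    pkt("user", "tcp", "192.168.20.7", "192.168.10.10", 443)),
        ("User host to LAN's DNS address", pkt("user", "udp", "192.168.20.7", "192.168.1.1", 53)),
        ("IoT host ICMPv6 (no IoT rules)", pkt("iot", "icmpv6", "fd00:1::7", "fd00:1::1")),
    ]
    for label, p in samples:
        print(f"{label:32} -> {evaluate(RULES, p)}")
    print("BadHosts block at top:", block_rule_effect(True), "/ at bottom:", block_rule_effect(False))
```

Run it with `python3` and compare the output with the rule list you built: the LAN-to-DMZ and LAN-to-new-VLAN packets are blocked without any block rule, because the inverted PrivateNetworks destination simply fails to match and the packet falls out the bottom; the User network reaches the web server only on TCP 443 and cannot use the LAN interface's DNS, since the DNS rule is scoped to the network's own interface address; and the last line shows why moving a block rule above the pass rules with the arrow button matters.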
Info
Channel: Home Network Guy
Views: 63,695
Id: h2_cQxTkh3Q
Length: 110min 46sec (6646 seconds)
Published: Tue Apr 25 2023