New to pfSense!
-
Hey everyone!
I've been running pfSense for about 2 weeks in my home, moving from an ancient Asus RT N66R WiFi router running Tomato. It was getting a bit long in the tooth, and I wanted to try something different with my next generation system. So after a boatload of hardware research to support pfSense I ended up on a machine based on the Supermicro Atom C2758 board with 16GB of memory and a mechanical hard drive. I know it's overkill, but hey, that's kind of the fun part, right?
I'd say we're a modern technology household… lots of computers, laptops, phones, tablets, Kindles, IoT devices, consoles, NAS/Plex, network printers, etc., and so I wanted to have a system that let me manage my network(s) more securely than I had things previously. I'm running a good mix of wired and wireless devices all running through a Cisco SG300 series switch and a Ubiquiti UniFi access point.
So far I've been running everything with a single WAN and a single LAN with DHCP, DNS Resolver, and NTP configured; I wanted to get up and running so I could have a better system in place that I could work with over time, and sweet lord I couldn't be happier. Within a few minutes of getting pfSense and my new hardware in place, I saw a nearly 5mb/s increase in my download speeds and a minor increase in uploads!
So now I'm working on setting up some VLANs and I'm finding that I have a few questions, or maybe better said, I'm looking for some guidance and perspective on what I want to do.
The network I'm thinking of is pretty simple and looks like this:
LAN 10.10.1.1/24 (A typical, simple local area network for personal stuff)
WLAN 10.10.2.1/28 (Wireless LAN via UniFi Access point, Tagged at the UniFi)
GWLAN 10.10.3.1/28 (Guest Wireless via UniFi Access point, Tagged at the UniFi)
ENT 10.10.4.1/28 (Wired/Wireless Entertainment network for playstation, xbox, etc., Tagged at the Cisco/UniFi)
MAN 10.10.5.1/28 (Management network for IPMI, no internet access)
My requirements seem pretty simple, at least to me:
1. LAN and WLAN have internet access and can see each other and MAN
2. GWLAN has internet access only, no access to the other networks
3. ENT has internet access + access to the Plex server that sits on my LAN
4. I don't trust IPMI, so I want it as isolated as possible, though still access the IPMI devices from my LAN (or workstation)
With these requirements in place, I have a few things I'm unsure of:
1. Other than the Plex server, I can't see any reason for the networks other than LAN and WLAN to be able to talk to each other
2. I have several IoT devices such as Raspberry Pi and Arduino as well as a Nest thermostat
3. What's the best way to test if I'm configured properly? Should I attach one of my laptops to each of the networks and NMAP everything, or is there a better, more efficient way to test?
So far, I've configured the following things in pfSense:
1. Configured the VLANs and assigned the interfaces (super easy)
2. Set up DHCP appropriately for each interface (super easy)
3. Set up an Alias for the Plex server on my LAN (super easy)
4. Set up an Alias for the TCP ports for the Plex server (super easy)
5. Set up an Alias for the UDP ports for the Plex server (since they are different, super easy)
6. Struggled mightily to understand how to set up the firewall rules to make it all fancy (omg I feel dumb!)
So here's where I feel like I'm stuck; I'm not sure exactly how to best set up the firewall to keep things isolated and secure, yet still have the access that they need. I don't really understand when you'd use a floating rule vs. an interface rule, which interface to create which rules on, or whether to use block or reject rules for what I'm doing.
I feel like I understand a lot of the basic networking pieces, but not necessarily the firewall part of gluing them (or not) together.
I understand that there is a lot in here to consider, but I'd really appreciate any thoughts on either my design or its implementation; I'm feeling pretty stuck in analysis paralysis; Are there things I could do better?
Thanks a ton for your help
-
I'm trying to create a similar setup. It sounds like you're further along than I am. Would you mind detailing the specifics of 1, 2, and 3 in your configuration below? Maybe some activity on this thread will bring the experts. I have been having a hard time even figuring out which subforum this kind of topic would be in. Thanks!
(I'd suggest changing the thread subject to something much more specific, to dial in the focus.)
-
I have something similar, albeit with > 15 vlans (or networks for that matter), so I shall chip in a little.
For starters, you need to understand the priority on rule tabs.
Floating rules take priority over the rest of the tabs.
Interface groups take priority after that (VPN etc).
Specific interface rules are the last in the line.
With the exception of floating rules (without quick match set), all rule sets are matched top-down, first rule matches, i.e. the traffic is compared to the rules top down until the first rule that matches it.
For floating rules without quick match, it's the last rule that matches which will take effect. For floating rules with quick match set, the first rule with quick match will be the one that applies.
My recommendation is: use the specific interface tabs for rules as far as possible.
For each tab, from start to bottom:
Set the explicit allow rules first:
ENT network is allowed to reach ENT gateway address.
ENT is allowed to reach PLEX server alias with PLEX ports.
Followed by the default block rules:
The block rule (block ENT to all local subnets - you might want to put this in an alias).
Lastly, the default allow rule to access the internet:
The Default allow any (basically internet access).
-
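To make the tab order above concrete, here is an added example (mine, not code from this thread or from pfSense) that models how pfSense walks the rule tabs and then checks the original poster's four requirements against an ENT tab built exactly in the order this post recommends, plus a locked-down guest tab. The Plex server address (10.10.1.20) and port (32400), the WAN address, the host addresses in the checks and the contents of the aliases are all assumptions; the subnets are the ones from the first post. Floating rules are simplified to apply inbound on every interface. `floating_demo()` shows the quick/non-quick difference described above: a floating block without quick is overridden by a later matching interface rule.

```python
"""Model of how pfSense walks its rule tabs, applied to the VLAN plan in this thread.
Added example, not code from the thread or from pfSense. Per the post above: floating
tab first, then the ingress interface's tab; interface rules are first-match (pfSense
sets 'quick' on them); floating rules are last-match unless 'quick' is ticked."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Subnets are the thread's; Plex host/port, WAN address and alias contents are assumptions.
NETS = {n: ip_network(s) for n, s in {"LAN": "10.10.1.0/24", "WLAN": "10.10.2.0/28",
        "GWLAN": "10.10.3.0/28", "ENT": "10.10.4.0/28", "MAN": "10.10.5.0/28"}.items()}
GATEWAYS = {n: [ip_network(f"{next(net.hosts())}/32")] for n, net in NETS.items()}  # 10.10.x.1
INTERNAL_NET = list(NETS.values())                                   # the 'Internal_Net' alias
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THIS_FIREWALL = sum(GATEWAYS.values(), [ip_network("203.0.113.2/32")])  # every pfSense address
PLEX_SERVER = [ip_network("10.10.1.20/32")]                          # assumed LAN host
PLEX_TCP = {32400}                                                   # assumed (Plex default)

@dataclass
class Packet:
    iface: str          # interface the packet enters on; that tab is the one consulted
    proto: str          # "tcp" | "udp" | "icmp"
    src: IPv4Address
    dst: IPv4Address
    dport: int = 0

@dataclass
class Rule:
    action: str                                # "pass" | "block" | "reject"
    proto: str = "any"
    src: Optional[IPv4Network] = None          # None = any
    dst: list = field(default_factory=list)    # alias = list of networks; empty = any
    not_dst: bool = False                      # pfSense "invert match" on destination
    ports: Optional[set] = None                # destination ports; None = any
    quick: bool = True                         # interface-tab rules are always quick
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and (self.src is None or p.src in self.src)
                and (not self.dst or any(p.dst in n for n in self.dst) != self.not_dst)
                and (self.ports is None or p.dport in self.ports))

def evaluate(p: Packet, floating: list, tabs: dict) -> str:
    """A quick match ends evaluation; otherwise the last match wins; nothing = default deny."""
    last = None
    for r in floating + tabs.get(p.iface, []):
        if r.matches(p):
            if r.quick:
                return r.action
            last = r.action
    return last or "block"

def interface_tabs() -> dict:
    ent, gw = NETS["ENT"], NETS["GWLAN"]
    return {
        "LAN": [Rule("pass", src=NETS["LAN"])],    # LAN/WLAN: allow any (see each other and MAN)
        "WLAN": [Rule("pass", src=NETS["WLAN"])],
        "MAN": [],                                 # no rules at all: IPMI gets no internet
        "ENT": [                                   # ordered as the post above recommends
            Rule("pass", src=ent, dst=GATEWAYS["ENT"]),                     # own gateway (DNS/NTP)
            Rule("pass", "tcp", src=ent, dst=PLEX_SERVER, ports=PLEX_TCP),  # Plex only
            Rule("block", src=ent, dst=INTERNAL_NET),                       # everything else local
            Rule("pass", src=ent),                                          # internet
        ],
        "GWLAN": [                                 # guest: ping the gateway, nothing else on pfSense
            Rule("pass", "icmp", src=gw, dst=GATEWAYS["GWLAN"]),
            Rule("block", src=gw, dst=THIS_FIREWALL),
            Rule("pass", src=gw, dst=RFC1918, not_dst=True),                # internet only
        ],
    }

def decide(iface, proto, src, dst, dport=0, floating=None) -> str:
    pkt = Packet(iface, proto, ip_address(src), ip_address(dst), dport)
    return evaluate(pkt, floating or [], interface_tabs())

# Requirements 1-4 from the first post; hosts and 198.51.100.10 (the internet) are constructed.
POLICY = [
    ("LAN", "tcp", "10.10.1.50", "10.10.5.10", 443, "pass"),         # 4: LAN -> IPMI
    ("MAN", "tcp", "10.10.5.10", "198.51.100.10", 443, "block"),     # 4: IPMI -> internet
    ("GWLAN", "tcp", "10.10.3.5", "198.51.100.10", 443, "pass"),     # 2: guest -> internet
    ("GWLAN", "tcp", "10.10.3.5", "10.10.1.20", 32400, "block"),     # 2: guest -> Plex
    ("GWLAN", "udp", "10.10.3.5", "10.10.3.1", 53, "block"),         # 2: guest -> pfSense DNS
    ("ENT", "tcp", "10.10.4.5", "10.10.1.20", 32400, "pass"),        # 3: ENT -> Plex
    ("ENT", "tcp", "10.10.4.5", "10.10.1.20", 22, "block"),          # 3: same host, other port
    ("ENT", "tcp", "10.10.4.5", "198.51.100.10", 443, "pass"),       # 3: ENT -> internet
]

def check_policy() -> list:
    """Cases whose verdict differs from the requirement; an empty list means all hold."""
    return [(c, v) for c in POLICY if (v := decide(*c[:5])) != c[5]]

def floating_demo() -> tuple:
    """Same floating block without and with 'quick': only the quick one survives the pass."""
    args = ("GWLAN", "tcp", "10.10.3.5", "198.51.100.10", 443)
    soft = [Rule("block", src=NETS["GWLAN"], quick=False)]
    hard = [Rule("block", src=NETS["GWLAN"], quick=True)]
    return decide(*args, floating=soft), decide(*args, floating=hard)

if __name__ == "__main__":
    print("policy mismatches:", check_policy())
    print("floating block, non-quick vs quick:", floating_demo())
```

The ordering is the whole point: the Plex pass sits above the Internal_Net block, so moving the block rule up one line would silently kill Plex from ENT, and the model reports that as a mismatch. The empty MAN tab is deliberate; LAN reaches IPMI because the LAN tab allows it and pfSense keeps state for the return traffic.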
For each tab, from start to bottom:
Set the explicit allow rules first:
ENT network is allowed to reach ENT gateway address.
ENT is allowed to reach PLEX server alias with PLEX ports.
Followed by the default block rules:
The block rule (block ENT to all local subnets - you might want to put this in an alias).
Lastly, the default allow rule to access the internet:
The Default allow any (basically internet access).
Would you be willing to provide a screen shot of one example tab?
Thanks!
-
Would you be willing to provide a screen shot of one example tab?
Thanks!
Sure.
See the attached picture.
Internal_Net is just an alias that encompasses all the internal networks.
-
"6. Struggled mightily to understand how to set up the firewall rules to make it all fancy (omg I feel dumb!)"
Dude, sounds like you got the hard part out of the way, and I'm fairly impressed you're using /28 segments. Most of the time around here we would get users using the default /8 on all of those and wonder why it's not working ;)
I have a similar setup with wlan, guest wlan, iot wireless lan; my directv is isolated from the rest of my segments, etc.
So to your number 6.. What is confusing about the rules? Rules are evaluated top down, first rule to trigger wins, rest of the rules are not seen. So for example here is my normal wifi segment. These are my devices that have to auth via eap-tls, etc. And this is their restrictions.
So lets go thru real quick
First 2 rules allow icmp and just ping for ipv4 and ipv6 to the pfsense IP in that network.
Next rule lets my iPad do whatever it wants. Not really secure, but hey, it's my iPad; it gets its IP from a reservation, etc.
Next I allow devices in my secure wlan, i.e. my other laptops and my phones, to talk to plex.
I then allow anything on this wlan to talk to my harmony hub and my dtv for management via apps, etc.
I then let any thing in this segment talk to my ntp servers
I allow them to use pfsense as dns
I let my AP talk to pfsense via radius so my wireless stuff can auth ;)
I then block anything coming in this interface that tries to talk to any pfsense IP be it this segment, other segments or even wan.
I then have rules for ipv4 and ipv6 that allow them to talk to anything they want as long as it's not any of my other networks, i.e. rfc1918 space, or any of my ipv6 segments via an alias as well. I have multiple ipv6 segments using the /48 I get from hurricane.
So post up your firewall rules, and explain what they do and don't do, and we can work out the best ways to do things. But looks like you have a rocking start for someone just new to pfsense..
2nd pic is locked down guest wifi
I let them ping pfsense, just to validate they have connection.
I then block them from any address on pfsense for anything, they can not even use dns.
I then allow them to go where they want to go as long as it's not any of my networks, via the rfc1918 alias.
They have no ipv6. Sure, they get dhcp, but this is from a hidden rule in pfsense when you turn on the dhcp server. Other than that, they can talk to the internet and nothing more.
You might notice that both my rules that block access to firewall are logged, since I want to see what would be trying to talk to a pfsense IP be it another lan or the wan IP, etc.
-
These are fabulously helpful to see, especially with the reasoning spelled out. Do you use floating rules?
-
These are fabulously helpful to see, especially with the reasoning spelled out. Do you use floating rules?
You certainly can do so.
I only advised the OP to use interface tabs instead because he doesn't seem very familiar with the way the firewall rules work.
The same can be achieved in the Floating rules tab (in fact, you can put all your rules there) as long as you are careful with the rules order. Floating rules are great if you need to apply common policies to multiple Interfaces and such.
-
For a new user I would recommend keeping it simple and organizing your rules per interface. Leave the floating rules for traffic shaping.