Excelllent. I added a feature request for it: https://redmine.pfsense.org/issues/14050

@stephenw10 Yes.

@johnpoz haha yes I did use the wrong name I have a Netgear switch and a netgate router. Thanks for your suggestion. I will have to research some more ! I think my issue is my lack of research. I might have gotten into something that was beyond my understanding but I do think the pf software is quite a sophisticated piece to everything. Having a parameter firewall, VPN, Snort, Proxies etc it was definitely worth the purchase. I will have to learn more about networking haha. Cheers.

@aledio

try to set up wifi aps instead of repeaters.
use the maximum of 63 chars long password (not supported at all vendors)

small raspberry pi with linux and install

OpenLDAP for wired devices FreeRadius for wireless devices.

put all wifi clients into vlans, e.g.
vlan10 for family = radius certificate - internet & LAN
vlan20 for guests = vouchers - internet only

Alternatively:
Install a small wifi card into your pfsense and turn on
hotspot with voucher system for guests, can also be a
solution

give all clients a static IP address in the entire network
and then narrow down the DHCP address space to them,
that means no other free dchp addresses will be able to given out.

Setting up snort and/or suricata on pfsense and OSSec
on any other devices, you may need another small server
but also another security line.

Turning on wireshark and sniff on your wifi for a while
perhaps on an rapi or notebook or your laptop at the weekend. Watch out any other IPs then your own ones.

try narrow down the entire signal strength of your wifi
so it is enough for you but only in the near area of you
house or apartment. Try to implement WPA3 where ever
you can do it.

Alternatively you may be also able to get hands on
UBNT wifi aps and then you may get also a small
edge router from them and install there the radius
server.

@alroute said in 3rd Party Hardware Request:

I'm guessing Netgate doesn't want to price the 2100 down at home user prices because it might lose small business revenue and the same for access points which I'm guessing are universal to all.

Perhaps you can't simply make it any cheaper without loosing money? Because all electronics prices have gone through the roof and nothing got cheaper at all? There's a reason why consumer/SOHO electronics is cheap, while more flexible hardware and software is not. That's not something to do with "they don't want to make it cheaper" or "they don't like their software running on toasters". It's just that no one wants to pay for that. You can't just throw the software on cheap SOHO hardware and hope it will work just because "it's also an ARM SOC/CPU". There are vastly different ARM SOCs and they have licenses etc. for accessing their tools and drivers etc. Why is Netgate running espressobin-like hardware on those SG1100-3100? Because it's mostly the same SOC and was (guessing) relatively easy to adapt FreeBSDs ARM branch on it.
We can see how "identical normal x86/64 hardware" runs every day. They aren't the same just because they may have the same NIC and CPU in it. Developing on different hardware is far more complex than "just throw it on and have a look at it". Otherwise one could simple extract the installer from e.g. a SG1100 and throw it on a Raspi4 (won't work - different ARM SOC) or on a smartphone perhaps? Those are ARM, too? Nope. Not that easy. And the menhours that go into such things as developing and testing on new hardware is what makes things time consuming and expensive to ensure the stuff is actually running quite nicely when you try to install/update it. Add to that, that many hardware vendors for WiFi, SOCs (Quallcom for ARM etc.) like to have "binary blobs" in their drivers that may only work on Linux or have problems to get them to run on FreeBSD - or even incompatible licenses to BSD/Apache Licenses? Those are just the problems on top of it.

Have you seen 08/15 SOHO hardware with more then 1-2y firmware support? I found them very rare. Mostly the have have a few updates and are then abandoned for the next bigger better version. Also because of ever evolving HW standards of WiFi and such, most SOHO routers tend to get switched out around 2ys. Firewall hardware normally lasts way longer than that in my experience in our company (not Netgate BTW).

@alroute said in 3rd Party Hardware Request:

I noted from the Netgate Website that youa re intending to provide support for Pfsense to be used on 3rd party routers.

Actually don't know where you found that. I only know of "supporting 3rd party hardware" and with that they are only talking about compatible (x64 Intel/amd) 3rd party hardware router boxes or barebones that you can buy/build yourself. I found nowhere they state, that they plan to run on 3rd party routers as an alternative firmware like OpenWRT or DD-WRT or Tomato. That's - AFAIK - far outside the project scope.

Cheers
\jens

Technically you could do it by running pfSense as a virtual machine in Windows using hyper-V or VBox etc. But pfSense is a complete operating system, it cannot run as an application on your desktop. It expects to be running on it's own dedicated hardware but running virtualised can also work.

Steve

@wmheath586 you might also want to drill down further to the MAC address tables in your router. If you are using a managed switch you should be able to telnet into your router and inspect the MAC address table. This would be relevant if you are running multiple VMs and have left the MAC addresses at their defaults.

@lucas-0 Yep. That is how I have my rules ordered.

The x3 block rules for "HiddenWasp Linux Malware" will never be reached because they are below the two allow all rules (Default allow LAN to any rules) for IPv4 and IPv6. Same for the NORDVPN_VPNV4 rule. It will never be reached because LAN traffic will take the "Default allow LAN to any rules).

Rules are processed in a top to bottom order (with an exception of floating rules). I will not get into detail. But this is a good read to explain how to order rules.

If the pfsense box has at least x3 ports it could be set up as follows:

port1: WAN
port2: LAN --> Switch1
port3: LAN_IOT --> Switch2

This would give the same result as using VLANs to separate LAN from LAN_IOT. If LAN devices need to access LAN_IOT devices then a firewall rule will need to be put into place. Depending on how the IOT device is configured a NAT Outbound rule may also need to be put into place if the IOT device does not respond to IPs out of its IP address range.

For me, I just set up a generic NAT Outbound rule (allow LAN to LAN_IOT). The NAT rule does not do anything until there is a firewall rule setup which also allows (LAN.deviceX to LAN_IOT.deviceY). Don't be afraid to put pfsense into hybrid outbound NAT mode. It just moves the auto-generated rules to the bottom and allows the creation of custom rules.

But as always; before any changes are made to the pfsense box make sure there is recent backup configuration easily available for restoring in the event a mistake is made during the learning process.

Good luck and have fun!

@Parakinesis

or Ruckus and UBNT (in this order) 😉

I would not expect a port forward to be required there as Plex can usually be accessed from anywhere, even externally.

UPnP is disabled by default in pfSense and you should leave it that way unless you have a very good reason not to. Plex can open port forwards in the firewall to allow access otherwise.

Usually when people device their network like you have it is for security. Consider what would happen if one of your cameras was found to have a vulnerability and was hacked for example. What would that give anyone access to?

You probably want firewall rules on the 192.168.2.1 interface in pfSense that allow only the required access outbound. So the cameras may not need any external access or maybe only to a known IP or set of IPs. Wifi IoT style devices may not need any access to to the LAN subnet. Though maybe you want Alexa to be able to control Hive....

What you want to do is allow only the traffic that is needed and segregate devices as much as possible to mitigate any security issues should they occur.

Does your access point allow for multiple SSIDs / VLANs?
If so I would create more so you can separate general access devices like laptops and tablets from IoT devices like cameras and Alexa.

Currently you have separated devices simply by wired or wifi and that might not be the best way. The Hive and Hue hubs are IoT devices. I would want those on a separate subnet to desktop PCs and servers if possible.

Steve

ok so here are the results of my efforts last night until 0130!
I am currently unable to get my plex to work.
the plex server is on the server 192.168.1.251 and I am trying to access it via the tv firestick. can anyone help?Skynet.jpg

I have to disagree on one thing only..
"planned obsolesce" is a fact not a myth,
not everyone applies this policy of course but there are alot of example out there proving this
the more evident one is for example to limit the life of a light bulb
Apple's use of pentalobe screws in their newer devices is an attempt to prevent the consumer from repairing the device themselves
Non-user-replaceable batteries
Smart chips in ink cartridges to prevent them from being used after a certain threshold constitutes "planned obsolescence"
when you design a board and you put capacitors in a place where the temperature is hot you know that the capacitor itself would last no more than 3 years. there are alot of triks to make everything with "planned obsolesce" in mind 😉
last example ... server grade vs consumer grade

Some of those Realtek device should be supported:
https://www.freebsd.org/cgi/man.cgi?query=rtwn_usb&apropos=0&sektion=4&manpath=FreeBSD+12.0-RELEASE&arch=default&format=html

You might find they work OK. You alreadt have them so nothing but time to lose by testing them.

Steve

You can still do some filtering on HTTPS without the MITM. On E2 Guardian, I have multiple groups setup, some which have MITM enabled and some such as in your case that are for Guest Wi-Fi where I can't properly sneak in the CA. On Squid I believe this is referred to as Bump and Splice all.

For my guest Wi-Fi setups, I just use the non-MITM method. This is where the proxy is able to see the domain name without the resource path at the end in order to decide if a website should be let through or not. MITM would obviously allow the proxy to look at the entire URL with the resource path and make a informed decision as to whether or not to allow a website through. I prefer it way more than DNS level filtering as it's more flexible. You can set it up for specific users while others can browse those sites just fine.

If you've got sometime, I recommend you give E2 Guardian a shot. It worked out a lot better than Squid in my use case and it has the added benefit of actual phrase filtering.