Insalled pfSense, what's next?
-
I installed pfSense and all seems 'ok' on my home network. All devices can communicate with each other and Internet is accessible.
Beginners question: What's next? Before I had a flashed router with dd-wrt on it. Default config, no portforwardings. Did I added a level of security by swapping my dd-wrt router with a pfSense box with default config on it? Does the pfSense needs extra config now? Rules that have to be changed?
I ask this question because I have two kids that are at an age to 'experiment' a lot on the Internet… if you know what I mean. And I don't want to populate my network with viruses through the devices of my kids (smartphones, tablets, laptop).
A while ago I read something about Suricata or something like that. It's on my 'todo' list. It's a opensource IDS/IPS.I just managed to get openvpn running. Connection from remote network to my pfSense box works fine. I can't access the Internet though but that's another topic and I'll look into it first. This forum will probably have the answer.
-
I would assume and suggest to install perhaps the following other packets but please have a look on
your hardware that you are using, it must be also able to performing well and delivering on top the
wished throughput at last for your network;- squid with user auth. for getting more logs about there doings!
- squidguard for working together with blacklists
- SARG for having a proper tool to inspect the squid logfiles
Squid is a proxy so now device will be connected to the Internet directly - pfBlockerNG to block whole countries or their IP ranges
pfBlockerNG please read by your self about it - Snort or Suricata to have an IDS/IPS system that is watching the WAN interface
or the LAN interface regarding to your kids doings inside of the LAN, who knows
IDS system to get an alarm if something "occurs" in your network
-
Hello Frank,
I still didn't tried your suggestions but it is on my to do list… and I will get there! :-)
You didn't mention 'egress' filtering. I am into that for the moment. Good idea or not?
I am logging my 'any allow' rule now to see what rules I have to create to be able to function normally at home, before I disable that particular rule allowing everything outgoing to the outside. -
… I don't want to populate my network with viruses through the devices of my kids (smartphones, tablets, laptop)...
That's hardly a job of your pfSense device.
Personally I would separate my network in trusted and untrusted subnets with the kid's gear being in "untrusted". This way they cannot infect parents stuff. -
Regarding pfSense I'm a bit of a noob round here but I would humbly suggest that what you need is a UTM rather than a firewall such as pfSense. Your NAT router will give you as much protection against direct intrusion attempts as a firewall. You could probably use pfSense to block TOR or port scanning attempts and the like, or to shut down Internet access after bedtime, and you could spend the rest of your life trawling through Snort alerts, but a firewall as such won't do much to counter the most prevalent threats faced by naive Internet users such as malvertising, compromised websites, phishing and malicious email attachments. If that's your threat model then something like the free-for-home-use UTM from Sophos (formerly Astaro) would be a better fit.
-
Don't forget to teach your children how to be responsible Internet citizens and not get virii. I got a virus once when I was 7, it was from a floppy disk I got from a friend. I have never gotten malware or a virus since.
-
Regarding pfSense I'm a bit of a noob round here but I would humbly suggest that what you need is a UTM rather than a firewall such as pfSense.
I tend to agree 8)
If you need FW and some other service like VPN, then pfSense is one of the right solutions but at home without technical knowledge, building solution based on pfSense is not really straightforward and may generate more problems than solving few.Are you hosting internal services exposed to internet?
Do you need remote access to your LAN?
Do you need to segregate internal subnets? Isolate guest wifi from LAN…all-in-one UTM will do the job with less flexibility but more efficiency... if you don't know how it works behind.
e.g. fighting against viruses requires to deploy anti-virus at MTA (mail) and HTTP proxy levels as well as at workstation and storage levels.
"antivirus" is a whole project by itself ;)
pfSense may help but is only one part of the solution.Isolating subnets can be achieved with physically isolated networks (and pfSense in the middle) but this is often not practical. VLAN will help but this requires switches and potentially WAP with VLAN support.
-
Thank you all for your replies. Quite interesting to have different views on the situation.
I use the vpn service so my pfsense is not only used as a fw.
In the meantime I also activated egress filtering. For some of you maybe overkill, but it's also to learn how to use the pfsense (making aliasses and rules, check my fw logs etc..).Are you hosting internal services exposed to internet? NO
Do you need remote access to your LAN? YES
Do you need to segregate internal subnets? Isolate guest wifi from LAN… Not today, but could be in the near future.all-in-one UTM will do the job with less flexibility but more efficiency… if you don't know how it works behind.
Well apart from protecting my situation, I'd like to learn how it works behind. It's fascinating.
Don't forget to teach your children how to be responsible Internet citizens and not get virii. I got a virus once when I was 7, it was from a floppy disk I got from a friend. I have never gotten malware or a virus since.
I absolutely agree on that point too.
Regarding pfSense I'm a bit of a noob round here but I would humbly suggest that what you need is a UTM rather than a firewall such as pfSense.
I'll have a look at that UTM stuff.
Personally I would separate my network in trusted and untrusted subnets with the kid's gear being in "untrusted". This way they cannot infect parents stuff.
With vlans, yes this could be an option too. But the "untrusted" part will need access to the "trusted" part. For example: ipad is using application to navigate in the gui of the Kodi Media Player. I'll have to check that.
Again, thank you all for the interesting advises.
