Netgate Discussion Forum

    Installed pfSense, what's next?

    General pfSense Questions
    8 Posts 6 Posters 2.0k Views
    • czar666

      I installed pfSense and all seems 'ok' on my home network. All devices can communicate with each other and the Internet is accessible.
      Beginner's question: What's next? Before, I had a flashed router with dd-wrt on it. Default config, no port forwardings. Did I add a level of security by swapping my dd-wrt router for a pfSense box with the default config on it? Does pfSense need extra config now? Rules that have to be changed?
      I ask this question because I have two kids that are at an age to 'experiment' a lot on the Internet… if you know what I mean. And I don't want to populate my network with viruses through the devices of my kids (smartphones, tablets, laptop).
      A while ago I read something about Suricata or something like that. It's on my 'todo' list. It's an open-source IDS/IPS.

      I just managed to get OpenVPN running. Connection from a remote network to my pfSense box works fine. I can't access the Internet through it though, but that's another topic and I'll look into it first. This forum will probably have the answer.

      • Guest

        I would assume and suggest installing perhaps the following other packages, but please have a look at
        the hardware you are using; it must also be able to perform well and deliver on top the
        wished throughput for your network:

        • Squid with user auth. for getting more logs about their doings!
        • SquidGuard for working together with blacklists
        • SARG for having a proper tool to inspect the Squid logfiles
          Squid is a proxy, so no device will be connected to the Internet directly
        • pfBlockerNG to block whole countries or their IP ranges
          pfBlockerNG: please read about it by yourself
        • Snort or Suricata to have an IDS/IPS system that is watching the WAN interface
          or the LAN interface regarding your kids' doings inside of the LAN, who knows;
          an IDS system gets you an alarm if something "occurs" in your network
        • czar666

          Hello Frank,
          I still haven't tried your suggestions, but it is on my to-do list… and I will get there! :-)
          You didn't mention 'egress' filtering. I am into that for the moment. Good idea or not?
          I am logging my 'any allow' rule now to see what rules I have to create to be able to function normally at home, before I disable that particular rule allowing everything outgoing to the outside.

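The "log the allow-any rule, then write rules from what it shows" approach above is easier with a small summariser than by eyeballing the firewall log page. The following is an added example, not code from the thread or from pfSense: it parses filterlog lines in the pfSense 2.2+ CSV layout (IPv4, TCP/UDP), groups what the logged LAN rule passed by destination port, and flags services outside an assumed home baseline so they can be reviewed before becoming explicit egress rules. The log lines, interface names, addresses and tracker ID are constructed.

```python
"""Summarise what a logged 'allow any' LAN rule let through, grouped by
destination port, so explicit egress rules can be written from real traffic.

Added example for this thread, not code from the forum or from pfSense.
Assumed field layout (pfSense 2.2+ filterlog, IPv4 entries):
rule-number,sub-rule,anchor,tracker,interface,reason,action,direction,
ip-version, then tos,ecn,ttl,id,offset,flags,proto-id,proto-name,length,
src,dst, then src-port,dst-port for tcp/udp. Sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed /var/log/filter.log excerpt: igb1 plays the LAN, igb0 the WAN,
# tracker 1000000101 stands in for the logged 'allow any' LAN rule.
SAMPLE_LOG = """\
Mar  3 20:01:11 pfSense filterlog: 12,,,1000000101,igb1,match,pass,in,4,0x0,,64,40331,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51234,443,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar  3 20:01:12 pfSense filterlog: 12,,,1000000101,igb1,match,pass,in,4,0x0,,64,40332,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51235,443,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
Mar  3 20:01:13 pfSense filterlog: 12,,,1000000101,igb1,match,pass,in,4,0x0,,64,1,0,none,17,udp,76,192.168.1.21,192.168.1.1,53422,53,56
Mar  3 20:01:15 pfSense filterlog: 12,,,1000000101,igb1,match,pass,in,4,0x0,,64,40400,0,DF,6,tcp,60,192.168.1.22,198.51.100.7,40001,25,0,S,2234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar  3 20:01:20 pfSense filterlog: 12,,,1000000101,igb1,match,pass,in,4,0x0,,64,2,0,none,17,udp,104,192.168.1.21,192.168.1.1,123,123,84
Mar  3 20:01:21 pfSense filterlog: 12,,,1000000101,igb1,match,pass,in,4,0x0,,64,40500,0,DF,6,tcp,60,192.168.1.23,203.0.113.9,40002,6667,0,S,3234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar  3 20:01:22 pfSense filterlog: 7,,,1000000099,igb0,match,block,in,4,0x0,,53,1,0,none,6,tcp,40,198.51.100.200,192.0.2.10,5555,23,0,S,4234567890,,1024,,
"""


@dataclass(frozen=True)
class Entry:
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one syslog line; None for non-filterlog or non-IPv4 entries."""
    if "filterlog: " not in line:
        return None
    f = line.split("filterlog: ", 1)[1].strip().split(",")
    if len(f) < 20 or f[8] != "4":   # IPv6 has a different layout; not handled here
        return None
    proto = f[16]
    sport = dport = None
    if proto in ("tcp", "udp") and len(f) >= 22:
        sport, dport = int(f[20]), int(f[21])
    return Entry(iface=f[4], action=f[6], direction=f[7], proto=proto,
                 src=f[18], dst=f[19], sport=sport, dport=dport)


def parse_filterlog(text: str) -> list[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize_egress(entries, lan_if: str):
    """Group flows the LAN rule passed (direction 'in' on the LAN interface)
    by (proto, dst port): hit count, distinct sources, distinct destinations."""
    out = defaultdict(lambda: {"count": 0, "src": set(), "dst": set()})
    for e in entries:
        if e.iface != lan_if or e.action != "pass" or e.direction != "in":
            continue
        s = out[(e.proto, e.dport)]
        s["count"] += 1
        s["src"].add(e.src)
        s["dst"].add(e.dst)
    return dict(out)


# Assumed baseline for a home LAN: services an explicit egress policy allows first.
BASELINE = {("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 123)}


def outside_baseline(summary):
    """Services seen in the log that the baseline would not allow; review these."""
    return sorted((k for k in summary if k not in BASELINE),
                  key=lambda k: (k[0], k[1] or 0))


def suggest_rules(summary, lan_if: str):
    """Render one pfSense-style allow rule per observed service, busiest first."""
    lines = []
    for (proto, port), s in sorted(summary.items(),
                                   key=lambda kv: (-kv[1]["count"], kv[0][0], kv[0][1] or 0)):
        dst = f"port {port}" if port is not None else "(no port)"
        flag = "" if (proto, port) in BASELINE else "   # review before allowing"
        lines.append(f"pass {proto} from LAN net to any {dst} "
                     f"({s['count']} hits, {len(s['src'])} hosts){flag}")
    return lines


if __name__ == "__main__":
    summary = summarize_egress(parse_filterlog(SAMPLE_LOG), "igb1")
    print("\n".join(suggest_rules(summary, "igb1")))
```

Run it against a real filter.log once the allow-any rule has been logging for a few days; the "review before allowing" entries (here outbound SMTP and IRC) are exactly the ones to decide on before the catch-all rule is disabled.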
          • jahonix

            @czar666:

            … I don't want to populate my network with viruses through the devices of my kids (smartphones, tablets, laptop)...

            That's hardly a job of your pfSense device.
            Personally I would separate my network into trusted and untrusted subnets with the kids' gear being in "untrusted". This way they cannot infect the parents' stuff.

            • pleriche

              Regarding pfSense I'm a bit of a noob round here but I would humbly suggest that what you need is a UTM rather than a firewall such as pfSense. Your NAT router will give you as much protection against direct intrusion attempts as a firewall. You could probably use pfSense to block TOR or port scanning attempts and the like, or to shut down Internet access after bedtime, and you could spend the rest of your life trawling through Snort alerts, but a firewall as such won't do much to counter the most prevalent threats faced by naive Internet users such as malvertising, compromised websites, phishing and malicious email attachments. If that's your threat model then something like the free-for-home-use UTM from Sophos (formerly Astaro) would be a better fit.

              • Harvy66

                Don't forget to teach your children how to be responsible Internet citizens and not get virii. I got a virus once when I was 7, it was from a floppy disk I got from a friend. I have never gotten malware or a virus since.

                • chris4916

                  @pleriche:

                  Regarding pfSense I'm a bit of a noob round here but I would humbly suggest that what you need is a UTM rather than a firewall such as pfSense.

                  I tend to agree 8)
                  If you need a FW and some other service like VPN, then pfSense is one of the right solutions, but at home without technical knowledge, building a solution based on pfSense is not really straightforward and may generate more problems than it solves.

                  Are you hosting internal services exposed to internet?
                  Do you need remote access to your LAN?
                  Do you need to segregate internal subnets? Isolate guest wifi from LAN…

                  An all-in-one UTM will do the job with less flexibility but more efficiency... if you don't know how it works behind.

                  e.g. fighting viruses requires deploying anti-virus at the MTA (mail) and HTTP proxy levels as well as at the workstation and storage levels.
                  "Antivirus" is a whole project by itself ;)
                  pfSense may help but is only one part of the solution.

                  Isolating subnets can be achieved with physically isolated networks (and pfSense in the middle) but this is often not practical. VLANs will help but this requires switches and potentially WAPs with VLAN support.

                  Jah Olela Wembo: Words turn into wounds when they unsettle, assault or hurt.

                  • czar666

                    Thank you all for your replies. Quite interesting to have different views on the situation.
                    I use the VPN service, so my pfSense is not only used as a FW.
                    In the meantime I also activated egress filtering. For some of you maybe overkill, but it's also to learn how to use pfSense (making aliases and rules, checking my FW logs etc.).

                    @chris4916:

                    Are you hosting internal services exposed to internet? NO
                    Do you need remote access to your LAN? YES
                    Do you need to segregate internal subnets? Isolate guest wifi from LAN… Not today, but could be in the near future.

                    @chris4916:

                    all-in-one UTM will do the job with less  flexibility but more efficiency… if you don't know how it works behind.

                    Well apart from protecting my situation, I'd like to learn how it works behind. It's fascinating.

                    @Harvy66:

                    Don't forget to teach your children how to be responsible Internet citizens and not get virii. I got a virus once when I was 7, it was from a floppy disk I got from a friend. I have never gotten malware or a virus since.

                    I absolutely agree on that point too.

                    @pleriche:

                    Regarding pfSense I'm a bit of a noob round here but I would humbly suggest that what you need is a UTM rather than a firewall such as pfSense.

                    I'll have a look at that UTM stuff.

                    @jahonix:

                    Personally I would separate my network into trusted and untrusted subnets with the kids' gear being in "untrusted". This way they cannot infect the parents' stuff.

                    With VLANs, yes, this could be an option too. But the "untrusted" part will need access to the "trusted" part. For example: the iPad is using an application to navigate the GUI of the Kodi Media Player. I'll have to check that.

                    Again, thank you all for the interesting advice.

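The trusted/untrusted split jahonix proposes, with the one hole czar666 needs for the iPad-to-Kodi remote, written out in pf.conf syntax as an added example. This is not the thread's configuration and not something pfSense hands you: on pfSense these are the per-interface rules entered under Firewall > Rules, and pfSense generates the real pf ruleset itself. The interface names, VLAN ID, addresses and the Kodi port are assumptions.

```pf
# Added example, not from the thread or from pfSense. All names/addresses assumed.
lan_if    = "igb1"            # trusted LAN, 192.168.1.0/24 (parents' gear, Kodi)
kids_if   = "igb1.20"         # untrusted VLAN 20 on the same NIC, 192.168.20.0/24
kodi      = "192.168.1.50"    # media player on the trusted side
ipad      = "192.168.20.10"   # the single untrusted device allowed to reach Kodi
kodi_port = "8080"            # Kodi's web/JSON-RPC port (assumed default)
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Trusted LAN keeps the stock pfSense 'allow any' rule: it may reach the kids'
# VLAN and the Internet. Swap this for explicit rules once egress filtering is in.
pass in quick on $lan_if from $lan_if:network to any keep state

# Untrusted VLAN: the firewall's own services it needs (DNS, NTP). DHCP is
# handled by pfSense's automatic rules and is not listed here.
pass in quick on $kids_if proto udp from $kids_if:network to ($kids_if) port { 53, 123 } keep state
pass in quick on $kids_if proto tcp from $kids_if:network to ($kids_if) port 53 keep state

# The one exception: the iPad may drive Kodi's web interface, nothing else on the LAN.
pass in quick on $kids_if proto tcp from $ipad to $kodi port $kodi_port keep state

# Everything else aimed at private address space is dropped and logged. That
# covers the trusted LAN and the firewall's other interfaces (including the webGUI).
block in log quick on $kids_if from $kids_if:network to $rfc1918

# What remains is Internet-bound; allow it (or replace with an explicit egress list).
pass in quick on $kids_if from $kids_if:network to any keep state
```

Because pf evaluates `quick` rules first-match, the order matters: the Kodi exception must sit above the RFC 1918 block, and the block must sit above the final pass. One practical caveat: remote-control apps that find Kodi by mDNS/Zeroconf will not discover it across VLANs on their own; either point the app at the Kodi address directly or run the Avahi package on pfSense to reflect mDNS between the two segments.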
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.