Configuring the SG-1000 to create a secure and filtered home network [SOLVED]
-
Hi all.
I got the impressively small SG-1000 as my first ever device running Pfsense. I was hoping to get some help on how to secure, filter, and log traffic on my WAN and LAN interfaces. I would like to proclaim that i have a fairly broad knowledge on IT in general - but if you would be so kind, please go easy on me (i am not very adapt with networking and Pfsense systems).
What i would like to configure is:
Firewall (LAN AND WAN):
-
A way to block government spying/tracking, advertises, companies spying/tracking, sites that hosts and provides malware and viruses, and other specific internet websites.
-
Block my LAN users from sending (what i consider) undesired traffic.
-
Protect my network from unwanted incoming WAN traffic (by blocking or denying).
So far i have been messing around with the "pfBlockerNG" add-on. Is that an add-on you guys would recommend for these desired tasks?
Logging (perhaps with a proxy):
- I want to know what sites my users visit (i know you might call that snooping.. but its rather a question of me wanting to know if they are visiting something that would harm them).
VPN (with OPENVPN?):
- I have a paid VPN at PrivateInternetAccess that i would like to use to secure traffic from specific VLANS and users.
Others:
-
Is there anything i should know regarding downloading files via. torrents?
-
Protecting my IP while gaming - a way to do that without sending my ping sky high?
-
Any way to get rid of the "strict NAT type"?
-
I have a bunch of Unifi AP's. Anything i should know concerning security?
–------------------------------------------------------------------------------------------------------------------------------------
I would like to say huge thank-yous to anyone helping me out! Please let me buy a cup of coffee or something ;D!
Let me know if this is posted in the wrong forum section - or if you would like to acquire more information from me.
I am a Pfsense gold member, so feel free to direct me to pages in the guide book.
Thanks, and greetings,
- Harry.
-
-
For starts, the best you're going to get is the 80/20 rule, short of just pulling the plug.
A way to block
government spying/tracking,advertises, companies spying/tracking, sites that hosts and provides malware and viruses, and other specific internet websites.Like you already mentioned, you can block most of these using pfBlockerNG. Certain types cannot be blocked because they're co-hosted with other services that you may need. Government tracking is not going to be something publicly known. Most government dragnetting is sourced from 3rd-parties or they just sniff your unencrypted connections. You're only hope against this is to not use any 3rd-party services. If you're worried about targeted attacks, you've already lost.
Block my LAN users from sending (what i consider) undesired traffic.
Again, much of this will be covered by pfBlockerNG and just blocking known tracking or otherwise malicious IP addresses. It's incredibly difficult to block undesired outgoing connections. You can't both trust you users and not trust them at the same time. If you don't trust them, don't let them on your network.
Protect my network from unwanted incoming WAN traffic (by blocking or denying).
Easiest part. PFSense does this by default by assuming all incoming traffic is unwanted. Up to you to decide what comes in.
I want to know what sites my users visit (i know you might call that snooping.. but its rather a question of me wanting to know if they are visiting something that would harm them).
You can trivially do this HTTP, as can the government, but HTTPS is a whole other story. The government can't even do this, yet you want to? You can technically do this by using an HTTPS proxy and using your own cert that you sign the traffic and install your cert on all of your user's computers, but this opens your end users to all kinds of possible attacks. HTTPS doesn't just encrypt, it also signs and verifies aka trust. If you make your own cert and tell everything to trust it, you are not responsible to make sure the site they're connecting to is safe. HTTPS did that for free.
Protecting my IP while gaming - a way to do that without sending my ping sky high?
Your VPN tunneling should do this. Just find a low ping VPN service. The biggest issues with needing to protect your IP is P2P apps like Skype or games that are P2P, where your IP is known to the other parties. If you don't play games like these or use VoIP services like Discord, you should be fine.
-
For starts, the best you're going to get is the 80/20 rule, short of just pulling the plug.
A way to block government spying/tracking, advertises, companies spying/tracking, sites that hosts and provides malware and viruses, and other specific internet websites.
Like you already mentioned, you can block most of these using pfBlockerNG. Certain types cannot be blocked because they're co-hosted with other services that you may need. Government tracking is not going to be something publicly known. Most government dragnetting is sourced from 3rd-parties or they just sniff your unencrypted connections. You're only hope against this is to not use any 3rd-party services. If you're worried about targeted attacks, you've already lost.
- I understand that by being on the internet, you can never be truly "safe" or "hidden". I was reading from this https://turbofuture.com/internet/How-to-Configure-pfBlocker-An-IP-Block-List-and-Country-Block-Package-for-pfSense - which suggested using costum IP block lists. Do these lists even work/benefit in protecting against what i mentioned above?
Block my LAN users from sending (what i consider) undesired traffic.
Again, much of this will be covered by pfBlockerNG and just blocking known tracking or otherwise malicious IP addresses. It's incredibly difficult to block undesired outgoing connections. You can't both trust you users and not trust them at the same time. If you don't trust them, don't let them on your network.
Protect my network from unwanted incoming WAN traffic (by blocking or denying).
Easiest part. PFSense does this by default by assuming all incoming traffic is unwanted. Up to you to decide what comes in.
I want to know what sites my users visit (i know you might call that snooping.. but its rather a question of me wanting to know if they are visiting something that would harm them).
You can trivially do this HTTP, as can the government, but HTTPS is a whole other story. The government can't even do this, yet you want to? You can technically do this by using an HTTPS proxy and using your own cert that you sign the traffic and install your cert on all of your user's computers, but this opens your end users to all kinds of possible attacks. HTTPS doesn't just encrypt, it also signs and verifies aka trust. If you make your own cert and tell everything to trust it, you are not responsible to make sure the site they're connecting to is safe. HTTPS did that for free.
- I suppose i could instead block sites i consider unwanted. Where might i find that function to block both a sites IP and URL or specific keywords?
Protecting my IP while gaming - a way to do that without sending my ping sky high?
Your VPN tunneling should do this. Just find a low ping VPN service. The biggest issues with needing to protect your IP is P2P apps like Skype or games that are P2P, where your IP is known to the other parties. If you don't play games like these or use VoIP services like Discord, you should be fine.
Thank you a lot for answering a ton of my questions and concerns! Hope to hear from you soon ;D.
Lots of greetings and thanks,
- Harry.
-
Firewall (LAN AND WAN):
-
A way to block government spying/tracking, advertises, companies spying/tracking, sites that hosts and provides malware and viruses, and other specific internet websites.
-
Block my LAN users from sending (what i consider) undesired traffic.
-
Protect my network from unwanted incoming WAN traffic (by blocking or denying).
So far i have been messing around with the "pfBlockerNG" add-on. Is that an add-on you guys would recommend for these desired tasks?
I have used Pfsense for home use for about 4 years now and I have use pfBlockerNG including its IPV4 feature, and DNSBL. At the beginning, I blocked everything under the sun, but that caused problems as it did a great job in/out and many sites were blocked on the way out and many times I couldn't VPN into my network when on the road. I now have better understanding of pFBlockerNG and have limited use of Geoblock and DNSBL. My entire purpose is now to keep people out of my network, anonymity and connectivity, very little with where/how my users use the network.
I also use Snort, but likewise, if you don't know what you are blocking you end up causing lots of headaches as it will block many sites that you visit regularly or that some local devices use (FireTV, AppleTv, etc)
as a Proxy, I currently use Squid+ Squidguard, but if you want a Corporate like proxy, I have used Diladele https://docs.diladele.com/administrator_guide_4_8/index.html. They have a feature to integrate it with pfsense 2.3, and it does a better job in capturing the traffic going out, it also provides nice features in blocking sites that you consider harmfull. It uses Squid. as any other blocking/tracking packages in pfsense, I have gone in the direction of being far less restrictive than more.
- Protect my network from unwanted incoming WAN traffic (by blocking or denying).
Indeed, pFsense does a great job at this…i recommend this guide https://nguvu.org/pfsense/pfsense-2.3-setup/ -for a new pFsense user...both from the router on a stick setup, and https://nguvu.org/pfsense/pfsense-multi-vpn-wan/ for the use of multi-VPN gateway use not protect your identity. I have 3 OpenVPN servers I have setup at VULTR.com ( yes I host my own VPN servers in the cloud..fairly easy thing to do) and use to group my vpn gateway and load balance in case the latency deteriorate any given moment. I do not use the WAN gateway for home network, only for my guest network. As indicated by others, its a balance. Things that break with VPNs...as you may already know, Netflix, and Xboxes don't do well under VPNs. I haven't found a way to get rid of the strict NAT….the closest I've gotten under VPN, does not allow XBOX to join parties in gaming. So, I setup the XBOX by itself in the DMZ and hardwired to the internet…buffering was an issue under the VPN. I don't allow the XBOX to communicate to the home network. I don't see a reason for it anyways.
- Is there anything i should know regarding downloading files via. torrents?
I recommend Synology NAS (XPENOLOGY is free) and use Transmission, SABnzbd, Couchpotato, Sonar, all feeding into PLEX, works flawlessly. Here's a guide that can be adapted https://www.cuttingcords.com/home/ultimate-server/plex ,however, doing torrenting from open sites (Piratebay, etc) does record your ip address (even under OpenVPN), and unless you find a service that uses bitcoin and are completely anonymous…perhaps Tor...you may get some nice letters from lawyers to cease and desist. Besides if you are worrying about users and where they are going, the easiest way to get some nasty stuff into your network is through torrenting...so my recommendation is to not use it.
- I have a bunch of Unifi AP's. Anything i should know concerning security?
I have 3 UniFi AC Pros in my home connected to a Cisco SG200, under the UniFi Controller, I have 2 wireless networks 1) connected to my home LAN (VLAN network, not on VLAN 1), and 2) a guest network connected to my guest VLAN. Both wireless networks use WEP2 personal. I do not use the built in guest network that come with the UniFi controller. Why?, i find it easier to control via VLAN in PfSense…but that's just me.
-
-
Firewall (LAN AND WAN):
-
A way to block government spying/tracking, advertises, companies spying/tracking, sites that hosts and provides malware and viruses, and other specific internet websites.
-
Block my LAN users from sending (what i consider) undesired traffic.
-
Protect my network from unwanted incoming WAN traffic (by blocking or denying).
So far i have been messing around with the "pfBlockerNG" add-on. Is that an add-on you guys would recommend for these desired tasks?
I have used Pfsense for home use for about 4 years now and I have use pfBlockerNG including its IPV4 feature, and DNSBL. At the beginning, I blocked everything under the sun, but that caused problems as it did a great job in/out and many sites were blocked on the way out and many times I couldn't VPN into my network when on the road. I now have better understanding of pFBlockerNG and have limited use of Geoblock and DNSBL. My entire purpose is now to keep people out of my network, anonymity and connectivity, very little with where/how my users use the network.
I also use Snort, but likewise, if you don't know what you are blocking you end up causing lots of headaches as it will block many sites that you visit regularly or that some local devices use (FireTV, AppleTv, etc)
as a Proxy, I currently use Squid+ Squidguard, but if you want a Corporate like proxy, I have used Diladele https://docs.diladele.com/administrator_guide_4_8/index.html. They have a feature to integrate it with pfsense 2.3, and it does a better job in capturing the traffic going out, it also provides nice features in blocking sites that you consider harmfull. It uses Squid. as any other blocking/tracking packages in pfsense, I have gone in the direction of being far less restrictive than more.
- Protect my network from unwanted incoming WAN traffic (by blocking or denying).
Indeed, pFsense does a great job at this…i recommend this guide https://nguvu.org/pfsense/pfsense-2.3-setup/ -for a new pFsense user...both from the router on a stick setup, and https://nguvu.org/pfsense/pfsense-multi-vpn-wan/ for the use of multi-VPN gateway use not protect your identity. I have 3 OpenVPN servers I have setup at VULTR.com ( yes I host my own VPN servers in the cloud..fairly easy thing to do) and use to group my vpn gateway and load balance in case the latency deteriorate any given moment. I do not use the WAN gateway for home network, only for my guest network. As indicated by others, its a balance. Things that break with VPNs...as you may already know, Netflix, and Xboxes don't do well under VPNs. I haven't found a way to get rid of the strict NAT….the closest I've gotten under VPN, does not allow XBOX to join parties in gaming. So, I setup the XBOX by itself in the DMZ and hardwired to the internet…buffering was an issue under the VPN. I don't allow the XBOX to communicate to the home network. I don't see a reason for it anyways.
- Is there anything i should know regarding downloading files via. torrents?
I recommend Synology NAS (XPENOLOGY is free) and use Transmission, SABnzbd, Couchpotato, Sonar, all feeding into PLEX, works flawlessly. Here's a guide that can be adapted https://www.cuttingcords.com/home/ultimate-server/plex ,however, doing torrenting from open sites (Piratebay, etc) does record your ip address (even under OpenVPN), and unless you find a service that uses bitcoin and are completely anonymous…perhaps Tor...you may get some nice letters from lawyers to cease and desist. Besides if you are worrying about users and where they are going, the easiest way to get some nasty stuff into your network is through torrenting...so my recommendation is to not use it.
- I have a bunch of Unifi AP's. Anything i should know concerning security?
I have 3 UniFi AC Pros in my home connected to a Cisco SG200, under the UniFi Controller, I have 2 wireless networks 1) connected to my home LAN (VLAN network, not on VLAN 1), and 2) a guest network connected to my guest VLAN. Both wireless networks use WEP2 personal. I do not use the built in guest network that come with the UniFi controller. Why?, i find it easier to control via VLAN in PfSense…but that's just me.
Much appreciated for the detailed answers! Differently very useful :D.
-