Netgate Discussion Forum
    Securing a Home Network with PFSense (using a SG-2220)

    7 Posts 4 Posters 2.8k Views
    mlevison

      Computers:
      2 x MacBooks (all macOS Sierra)
      3 x Windows laptops (all on Windows 10 current)
      2-3 Android Tablets
      3 Android Phones
      1 IPad (stuck at IOS9)
      1 IPod (stuck even further back)
      2 Brother Printers
      Synology DSM 415 - is primarily a file server and used for house backups
      Roku
      Sonos

      Networking Hardware:
      Modem -> SG-2220 -> 8 port Network Switch -> House Wifi

      Most of the portable devices spend time out of the house. One of the MacBooks and one of the Windows machines spend a lot of their working life out of the house, often connected to public wifi networks. Yes, I VPN when using a public wifi. Others in my family, not as much.

      I bought the PFSense after discussing with a friend what regular NAT style firewalls don’t defend against. In addition, my friend who has a lot of experience with network threats and defense against the dark arts - explained that even the most careful computer user can get infected when traveling. Along with all of the obvious things from a firewall, he suggested that a good firewall could be helpful, to detect compromised machines (presumably through Snort).

      How would you secure this network?

      1. Reduce leaks from stuff inside our house (we don’t have any IoT devices yet), so we don’t participate in botnet attacks
      2. Reduce risk of attacks like Wcrypt i.e.: https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/
      3. So Netflix, the Sonos etc still work
          1. Presumably, this is a game of knowing which ports need to remain open and which don’t
              1. How can I even survey which ports are being used over a 2-3 week period?
      4. So that I get warnings when computers do odd things
      5. So that my family doesn’t get annoyed because the entire internet goes away when I start testing i.e. My first and only attempt to setup Snort

      I read the PFSense documentation and it is technically very clear; it's just unclear what to enable/disable and what to leave in the default state.

      Where do I start reading about securing a case like mine, which can’t be all that abnormal?

        NogBadTheBad

        Everything inbound from the internet is blocked by default, don't touch the WAN rules unless you need to NAT.

        You can set Snort not to block; also run Snort on the LAN, not the WAN interface.

        Set your firewall rules to log.

        Regarding logging traffic, your best bet IMO would be to forward your log entries to syslog on the Synology NAS, then after a couple of weeks export the data via CSV to a spreadsheet.

        I'd class the Roku as an IOT device, I classify my TV, PVR, Apple TVs and Nest smoke alarms as IOT type devices.

        You could also set up a road warrior VPN connection.

        IMO if you have a smart switch that's VLAN aware, set up your VLANs now.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

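One way to turn the firewall logs forwarded to the Synology into the port survey the first post asks for. This is an added example, not code from the thread or from pfSense: it parses the comma-separated filterlog records pfSense 2.2 and later emit over syslog (field positions follow the pfSense filter-log documentation; the sample lines themselves are constructed, not captured) and tallies destination ports per action and protocol.

```python
import re
from collections import Counter

# Constructed sample lines in the pfSense 2.2+ filterlog format, as a syslog
# server (here the Synology) would store them. Not real traffic.
SAMPLE_LOG = """\
May 20 10:00:01 pfSense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,10001,0,DF,6,tcp,60,192.168.1.20,52.1.2.3,50000,443,0,S,1,,65535,,mss
May 20 10:00:02 pfSense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,10002,0,DF,6,tcp,60,192.168.1.21,52.1.2.4,50001,443,0,S,1,,65535,,mss
May 20 10:00:03 pfSense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,10003,0,none,17,udp,76,192.168.1.22,9.9.9.9,50002,53,56
May 20 10:00:04 pfSense filterlog: 9,,,1000000105,igb1,match,block,in,4,0x0,,64,10004,0,DF,6,tcp,60,192.168.1.23,203.0.113.9,50003,445,0,S,1,,65535,,mss
May 20 10:00:05 pfSense filterlog: 5,,,1000000103,igb1,match,pass,in,6,0x00,0x00000,64,tcp,6,80,2001:db8:1::20,2001:db8:2::1,50004,443,0,S,1,,65535,,mss
"""

def parse_filterlog(line):
    """Return the interesting fields of one filterlog line, or None."""
    m = re.search(r"filterlog(?:\[\d+\])?: (.*)$", line)
    if not m:
        return None  # some other daemon's syslog line
    f = m.group(1).split(",")
    rec = {"iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    # The IP header fields differ, so protocol name and source address
    # sit at different offsets for IPv4 and IPv6.
    p, s = (16, 18) if rec["ipver"] == "4" else (12, 15)
    rec["proto"], rec["src"], rec["dst"] = f[p], f[s], f[s + 1]
    if rec["proto"] in ("tcp", "udp"):
        rec["sport"], rec["dport"] = int(f[s + 2]), int(f[s + 3])
    else:
        rec["sport"] = rec["dport"] = None  # icmp etc. carry no ports
    return rec

def port_survey(log_text, iface=None, direction="in"):
    """Count (action, proto, dport) tuples over all logged packets.

    With logging enabled on the LAN rules, direction "in" means packets
    entering pfSense from the LAN, i.e. what the house is trying to reach.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["dir"] != direction or rec["dport"] is None:
            continue
        if iface and rec["iface"] != iface:
            continue
        counts[(rec["action"], rec["proto"], rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    for (action, proto, port), n in sorted(port_survey(SAMPLE_LOG).items()):
        print(f"{action:5} {proto:4} {port:5}  {n}")
```

Point `port_survey` at the text of the log file exported from the Synology after a couple of weeks; anything that shows up only as `block` is a candidate for a rule that is too tight, and anything unexpected under `pass` is what to look at first.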
          mlevison

          NogBadTheBad - you seem pretty good to me. I struggle with formatting here so please forgive as I misquote. You've given me several weeks of spare time work - Danke.

          Firewall Log - sending to Synology - thanks. In two weeks I will see how badly I screwed this up.

          Roku - agreed it is an IOT.

          Not sure what a Road Warrior VPN is? I.E. VPN home? Not convinced that my ISP needs to have more information about what I do on the Internet, don't mind the expense of an annual PIA VPN subscription.

          VLAN - Smart Switch - I vaguely understand what that means, I doubt the switch is capable of that. I will need to look into that.

          Snort, Snort, Snort my friend - I'm certain it will help in the long run, I need to learn how to figure it out to listen not block and on the LAN. That's my task in the next week or so. Watch me come back here and to the snort mailing list when I fail :-)

          Cheers
          Mark

            NogBadTheBad

            Use the pfSense router as the VPN server when you're away from home.

            https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

            Andy


              Guest

              I would think about installing some things to get a better or higher security level for the entire network, such as:

              • OpenLDAP Server for private cabled (wired) devices
              • FreeRadius Server with certificates and encryption for private wireless devices
              • Captive Portal with vouchers for WiFi Guests

              Each of them gets its own VLAN, and inside the Guest WiFi VLANs I would enable "client isolation" too!
              Might sound odd, but it provides more security than you might expect!
              You need pfSense, a VLAN-capable switch and some WiFi APs!

              > Modem -> SG-2220 -> 8 port Network Switch -> House Wifi

              Does that switch support VLANs?
              Netgear GS105E ~$20
              Netgear GS108E ~$40

              > Most of the portable devices spend time out of the house. One of the MacBooks and one of the Windows machines spend a lot of their working life out of the house, often connected to public wifi networks. Yes, I VPN when using a public wifi. Others in my family, not as much.

              Let them connect directly to your home network over WLAN APs; if too high in price, you could set it up step by step
              over time. UBNT UniFi WiFi APs (Pro and Lite) might be the best bet at this time and also the best middle ground
              between price and quality, and on top of that the WiFi controller software is free of charge.

              > I bought the PFSense after discussing with a friend what regular NAT style firewalls don’t defend against. In addition, my friend who has a lot of experience with network threats and defense against the dark arts - explained that even the most careful computer user can get infected when traveling. Along with all of the obvious things from a firewall, he suggested that a good firewall could be helpful, to detect compromised machines (presumably through Snort).

              Not only when traveling, but also when often using public WiFi networks to connect to the home network, unsecured.

              > TV, PVR, Apple TVs and Nest smoke alarms as IOT type devices.

              Put them inside their own VLAN, or place them inside the DMZ zone if they are snitching to their vendors.

              Other points that could match well too:

              A Proxy and logging:
              To gain the level of security once more you could try installing Squid & SquidGuard & SARG, and then you create
              for each user and device (MAC - IP bindings) a profile, and each user must then use Squid for most or configured
              activities together with a user authentication. Not transparent, but effective, and via SARG you may be able to control the
              entire squid logs after something has occurred or is not clear to you! But to be clear here at this point, I don't know
              how much this would affect the entire throughput of the SG-2220, and whether it would not be wiser to insert a small
              mSATA or M.2 SSD if it is capable of taking them.

              IDS/IPS:
              One step ahead, you could try installing snort or Suricata too, but this would then once more perhaps
              slow down the entire throughput, which can normally be expected from each installed package in pfSense, so it might
              make more sense to know the Internet connection speed and the entire throughput after passing all installed and
              running services on the pfSense appliance.

              Geo IP blocking:
              pfBlockerNG & DNSBL together with OpenDNS would also be another point to protect your home network against
              intruders, attackers or simply the many different things that are unwanted to connect to your home network.

              Social engineering:
              Last but not least, you should spend time and talk to your entire family about why you are doing that and why you are afraid
              of things that can occur. If all people are able to touch the mobile devices of your family members, you mostly don't
              have to wait a long time to be able to recognize some unwanted activities in your network.

                mlevison

                @NogBadTheBad - thanks for the VPN I will have to give it some background thought.

                In the meantime a simpler question. What to log? Currently I've got the following enabled:

                System Events
                Firewall Events
                DNS Events (Resolver/unbound, Forwarder/dnsmasq, filterdns)
                DHCP Events (DHCP Daemon, DHCP Relay, DHCP Client)
                PPP Events (PPPoE WAN Client, L2TP WAN Client, PPTP WAN Client)
                Captive Portal Events
                VPN Events (IPsec, OpenVPN, L2TP, PPPoE Server)
                Gateway Monitor Events
                Routing Daemon Events (RADVD, UPnP, RIP, OSPF, BGP)

                I suspect that's overkill.

                Also is there a good place to learn about what these logs tell me?

                @BlueKobold - this all made rough sense. I'm spending a few minutes digging.

                Questions LDAP, Radius and Captive Portal - I mostly get all of this, however isn't this overkill? Wouldn't just setting up a separate VLAN accessible only via an Access Point be more than good enough?

                More questions later.

                Back to running a small consulting company
                Mark

                  daysinc

                  pfsense is a great edge device and makes for a great piece of a layered network design

                  opendns secure internet gateway service prosumer version (20.00) annually

                  isp modem

                  pfsense with snort annual paid subscription(29.99)  same definitions as cisco firepower

                  modern honey net targets on isolated vlan << great for seeing who is probing your network

                  wifi pineapple to keep wardrivers at bay

                  splunk log aggregator free for up to 500M of logs daily

                  antivirus/antimalware

                  internal home network on cisco layer 3 switches

                  for less than a nickel a day you have a pretty solid security system that can rival most corporate institutes or better them!
