NGFW-esque functionality with add-ons?

  • Hello,

    I'm trying to figure out if pfSense is capable of specific functionality. By default, I closed most WAN_out ports for my home VLANs. However, certain applications and games require vast port ranges to function. For example, one application requires:

    • TCP: 1119, 3724, 6113
    • UDP: 5060, 5062, 6250, 3478-3479, 12000-64000

    At this point, I may as well not close anything. So, I was curious if there were add-ons that would be able to allow conditional port traffic, i.e. traffic originating from <app> allowed on <ports>. I've stumbled across OpenAppID, which seems like it can provide DPI, but I wasn't sure if what I'm looking for is currently possible in pfSense.

  • What do you ultimately expect to gain by such a setup other than a continual headache trying to figure out why app "X" suddenly quit working or never worked from its installation?

    With a home network, just block unsolicited inbound connections and you are 90% or more of the way towards "secure". Trying to control outbound can be a real headache because no apps do a good job of documenting what ports they use to connect with or connect to.

    If you have IoT devices you are concerned with, just put them on a VLAN by themselves and don't give that VLAN any access into your regular LAN or other sensitive VLANs except as stateful replies (meaning something in the secure VLAN or LAN started the conversation with a walled-off IoT device).
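The policy described in this reply (no unsolicited inbound on WAN, an IoT VLAN that can reach the Internet but only answers the LAN when the LAN initiated the conversation), written out as an added example in pf syntax, the packet filter underneath pfSense; this is not code from either poster, and on pfSense itself the same rules are built in the GUI rather than in a hand-edited pf.conf. Interface names, VLAN tag and subnets are assumptions.

```pf
# Added example: pf ruleset for the "walled-off IoT VLAN" policy.
# Interface names, VLAN tag and subnets below are assumptions.
wan_if  = "igb0"
lan_if  = "igb1"         # trusted LAN
iot_if  = "igb1.20"      # IoT VLAN (tag 20) on the same physical port
lan_net = "192.168.10.0/24"
iot_net = "192.168.20.0/24"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set block-policy drop
set skip on lo0

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# WAN: block unsolicited inbound. Replies to sessions started from inside
# are matched by the state table, not by an inbound pass rule.
block in log on $wan_if
pass out on $wan_if inet keep state

# LAN: unrestricted outbound. The state created here is also what lets an
# IoT device answer a LAN host that contacted it first.
pass in on $lan_if inet from $lan_net keep state

# IoT VLAN: DNS/DHCP to the firewall's own address on this VLAN, then the
# Internet, but never the LAN or any other private range. "quick" stops rule
# evaluation at the first match, so the block must sit before the general pass.
pass in quick on $iot_if proto udp from $iot_net to ($iot_if) port { 53, 67 } keep state
block in quick log on $iot_if from $iot_net to $rfc1918
pass in on $iot_if inet from $iot_net keep state
```

With this ordering a connection from an IoT device to the LAN is dropped and logged, while a LAN-initiated connection to the IoT device and its replies are carried by the state entry created on the LAN rule.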
