Netgate Discussion Forum

    Upping home security with first pfSense build

    Hardware
    7 Posts 4 Posters 1.5k Views
    • weingeist

      Hi everyone,

      After silently reading for a few weeks, it is time for my first post on the forum.

      Background:
      I have been running a TrueNAS home server for 5 years. My family and I use it as a file server with some addons (Nextcloud, Plex, and lately also Bitwarden server, all of them in separate iocage jails). Especially this last addition made me rethink my security architecture.

      Security today:
      At the moment, I have a standard modem/router (the one provided by my ISP), forwarding ports 80 and 443 to my nginx reverse proxy jail on TrueNAS, as well as a higher port to my OpenVPN jail.
      The reverse proxy handles SSL encryption with a Let's Encrypt certificate, and IPFW drops all requests from IPs outside of my small country. All jails have IPFW rules as tight as possible to the best of my knowledge, port 22 is blocked and sshd disabled (I access them via the host system).
      OpenVPN allows me to access the host system remotely, and all my services when I am abroad.

      I haven't had any (detected) intrusions in these past 5 years of operation. In my non-professional opinion, the geoblocking and not listening on port 22 already add a lot to overall security and keep 99% of bots and low-skilled intruders out.

      However, I am a bit anxious about some exploit of any one of my services or an infection of my more exposed devices, which would endanger the rest of my network (e.g. Bitwarden or personal laptops). Because, and this I don't like, it is still a very basic home network without any subnets/VLANs, etc. In the lower IP range, all smartphones, laptops, printer etc. can be found, and the higher IP range is used for the NAS host system and all the jails. And if root access in a jail is compromised, any outbound rules on IPFW are of course moot.

      Plan for the future:
      First, I was thinking about a managed switch, allowing for separating personal devices and the host system from the exposed jails. But more and more I think a pfSense box may be the better, more secure and more versatile choice. Reverse proxy and OpenVPN would sit on pfSense (?), the rest stays on TrueNAS. I was imagining something like this:
      [attached image: proposed network layout]

      What do you guys think about this strategy?

      • Reasonable?
      • Does it add to the security, or do I need to do better?
      • Realistic? I don’t know pfSense yet, can I deploy plugins in jails?
        o Reverse proxy
        o OpenVPN
        o Geoblocking?

      EDIT: after reading this article, it may not be the best idea to keep all personal devices in the same VLAN as the TrueNAS host. How would you guys tackle this? Would I need a firewall AND a managed switch?

      Hardware
      For pfSense, I was thinking about getting one of those small Protectli/Qotom/etc boxes with 4-5 Intel NICs and maybe an i5-5200U and 8GB of RAM? It seems like most of the CPUs in those mini PCs are 6+ years old. But this one seems more recent: 5 Intel i225 NICs and a Celeron J4105 (J4125 seems unavailable).

      Would this be enough for downloading from Nextcloud with let's say 500 Mbit/s to 1 Gbps and 1 Gbps LAN traffic (few users, maybe 1-3)? I read that OpenVPN tends to be a lot slower due to single core performance only, but this I don't mind. But does this mean in general that, if I have a passmark score of 2000 for a 2 core (2x1000) and a 4 core (4x500) CPU, I should rather pick the 2 core CPU?

      Thank you already in advance, I'd also be happy for some pointers for reading up on the topic, anything other than filling up IPs from 0 to 255 is new to me : )

      Cheers,
      Weingeist

      • stephenw10 (Netgate Administrator)

        Well obviously I'd rather you used our hardware....

        I would definitely consider separating your internal devices into different VLANs. IoT devices should not be on a general subnet with other hosts IMO.

        I would question why you are forwarding http/s traffic at all. That's inherently insecure.
        It would be far better to access those services over a VPN if you need to access them externally.

        Steve

        • AndyRH

          I would still consider the managed switch; this will allow you to add devices to a VLAN more easily.
          That system is more than enough to handle 1Gb, although I cannot say how fast it will run a VPN.

          o||||o
          7100-1u

          • weingeist @stephenw10

            Thank you already for your fast answers. I appreciate it a lot.

            @stephenw10 said in Upping home security with first pfSense build:

            I would question why you are forwarding http/s traffic at all. That's inherently insecure.
            It would be far better to access those services over a VPN if you need to access them externally.

            Well, since I use Nextcloud a lot for sharing and requesting files with/from various people, VPN alone is not really an option.
            For clarification, port 80 is only forwarded for being redirected to 443 by the reverse proxy. There is no unencrypted traffic to the internet, only behind the reverse proxy to the backends, which does not seem uncommon to me. And chances for a MITM attack in a wired home network should be slim : )
            But could you please elaborate? Are you saying SSL itself is inherently insecure? How would you make such services accessible for multiple people in a secure way?

            @andyrh said in Upping home security with first pfSense build:

            I would still consider the managed switch, this will allow you to add devices to a VLAN easier.
            That system is more than enough to handle 1Gb, although I cannot say how fast it will run a VPN.

            I am a bit confused about some distinctions:

            • Where would I want a managed switch for managing my VLANs, and where do I need the firewall?
            • Do I need a physical port for each VLAN (in the blog example linked above, there were about 10 VLANs)? Or can I also set up logical VLANs?
            • If yes, where should I use physical VLANs, and where are logical VLANs sufficient? Is it just a question of priority, that more critical devices should rather be physically separated?
            • stephenw10 (Netgate Administrator)

              SSL itself is relatively secure; it's more a question of what you are connecting to. So you could imagine a new exploit discovered in Nextcloud that would immediately start being actively probed for and used. If the NC container is compromised, what would that imply? Hopefully nothing if it's sufficiently isolated, but....

              You would usually have a single connection between the firewall and a managed switch that carries all the VLANs. That could be lagg of two ports. Then have the VLANs brought to access ports at the switch. That way you don't need 10 NICs in the firewall.

              Steve

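The single firewall-to-switch link Steve describes works because every frame on that trunk carries an 802.1Q tag naming its VLAN, and the switch strips the tag again on the access port facing each host. The model below is an added example written for this thread; it is not pfSense or switch firmware code, and the port names, VLAN IDs and MAC addresses are constructed. It builds and parses tagged frames and shows the two checks a correctly configured switch applies: an access port never emits another VLAN's traffic, and a tagged frame arriving from a host on an access port is dropped rather than trusted.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def tag_frame(dst, src, vlan_id, payload, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an 802.1Q-tagged frame, the form carried on the trunk link."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id          # Tag Control Information: PCP(3) DEI(1) VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def untagged_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4):
    """Build a plain frame, the form an access port delivers to a host."""
    return dst + src + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return dst, src, vlan (None when untagged), pcp, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "pcp": 0,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}

# Constructed switch port table (hypothetical port names and VLAN IDs):
# one trunk towards pfSense carries every VLAN, hosts sit on access ports.
PORTS = {
    "uplink-to-pfsense": ("trunk", {10, 20, 30}),
    "port-lan-pc":       ("access", 10),
    "port-iot-cam":      ("access", 20),
    "port-dmz-nas":      ("access", 30),
}

def ingress(frame, port):
    """Classify a frame arriving on `port`; returns the parsed frame or None if dropped."""
    mode, cfg = PORTS[port]
    f = parse_frame(frame)
    if mode == "access":
        if f["vlan"] is not None:
            return None          # a host must not pick its own VLAN: drop tagged frames
        f["vlan"] = cfg          # the port's VLAN comes from configuration, not the host
        return f
    if f["vlan"] is None or f["vlan"] not in cfg:
        return None              # trunk accepts only tagged frames for allowed VLANs
    return f

def egress(f, port):
    """Serialize `f` as it leaves `port`, or None if that port may not carry it."""
    mode, cfg = PORTS[port]
    if mode == "access":
        if f["vlan"] != cfg:
            return None          # never leak another VLAN's frame out of an access port
        return untagged_frame(f["dst"], f["src"], f["payload"], f["ethertype"])
    if f["vlan"] not in cfg:
        return None
    return tag_frame(f["dst"], f["src"], f["vlan"], f["payload"], f["pcp"], f["ethertype"])

def forward(frame, in_port, out_port):
    """Push one frame through the switch model from in_port to out_port."""
    f = ingress(frame, in_port)
    return None if f is None else egress(f, out_port)

if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    tagged = tag_frame(dst, src, 30, b"\x45" + bytes(19))
    print("pfSense -> DMZ NAS, VLAN seen by host:",
          parse_frame(forward(tagged, "uplink-to-pfsense", "port-dmz-nas"))["vlan"])
    print("pfSense VLAN 30 -> LAN PC:", forward(tagged, "uplink-to-pfsense", "port-lan-pc"))
```

Because the host never sees a tag, only pfSense (one NIC, many VLAN sub-interfaces) and the switch need to agree on the VLAN IDs; the firewall rules then apply per VLAN interface. Real switches also let you aggregate two trunk ports (lagg on the pfSense side, LACP on the switch), which changes nothing in the tagging shown here.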
              • weingeist @stephenw10

                @stephenw10 ok, agreed. That's why I want to put those services in DMZs and set rules that prevent them from being able to connect to one another.

                Aah, now I understand much better regarding VLANs and switches. I will rethink my network architecture based on the new insights.

                Thank you Steve (and Andy)

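The "rules that prevent them from connecting to one another" boil down to a per-interface, first-match, default-deny policy: the reverse proxy zone may only open HTTPS to the application backend, and the application zone may not initiate anything towards internal networks at all. The script below is an added example for this thread, not pfSense configuration or code; the addresses, aliases and zone names are constructed, and it mirrors pfSense's default "quick" behaviour (first matching rule on the ingress interface wins, nothing matched means block). Running sample flows through it shows which connections the isolation permits.

```python
import ipaddress

# Constructed addressing for the layout discussed in the thread (hypothetical values).
ZONES = {
    "LAN":       ipaddress.ip_network("192.168.10.0/24"),
    "DMZ_PROXY": ipaddress.ip_network("192.168.30.0/24"),   # nginx reverse proxy
    "DMZ_APPS":  ipaddress.ip_network("192.168.31.0/24"),   # Nextcloud, Bitwarden, ...
}
ALIASES = {
    "any":       [ipaddress.ip_network("0.0.0.0/0")],
    "RFC1918":   [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "PROXY":     [ipaddress.ip_network("192.168.30.10/32")],
    "NEXTCLOUD": [ipaddress.ip_network("192.168.31.10/32")],
    **{name: [net] for name, net in ZONES.items()},
}

# (action, ingress interface, proto, src alias, dst alias, dst port, description)
# Order matters: as with pfSense's default "quick" rules, the first match wins.
RULES = [
    ("pass",  "WAN",       "tcp", "any",       "PROXY",     443,  "Internet -> reverse proxy HTTPS"),
    ("pass",  "WAN",       "tcp", "any",       "PROXY",     80,   "Internet -> reverse proxy (redirect to 443)"),
    ("pass",  "LAN",       "any", "LAN",       "any",       None, "LAN may initiate to anything"),
    ("pass",  "DMZ_PROXY", "tcp", "PROXY",     "NEXTCLOUD", 443,  "proxy -> Nextcloud backend only"),
    ("block", "DMZ_PROXY", "any", "DMZ_PROXY", "RFC1918",   None, "proxy zone isolated from other internal nets"),
    ("pass",  "DMZ_PROXY", "any", "DMZ_PROXY", "any",       None, "proxy zone -> Internet (Let's Encrypt, updates)"),
    ("block", "DMZ_APPS",  "any", "DMZ_APPS",  "RFC1918",   None, "app zone may not initiate to any internal net"),
    ("pass",  "DMZ_APPS",  "any", "DMZ_APPS",  "any",       None, "app zone -> Internet only"),
]

def ingress_iface(src):
    """Interface a packet enters on, derived from its source network (WAN otherwise)."""
    for name, net in ZONES.items():
        if src in net:
            return name
    return "WAN"

def in_alias(ip, alias):
    return any(ip in net for net in ALIASES[alias])

def evaluate(src_ip, dst_ip, proto, dport):
    """Return (action, rule description) for a new connection attempt."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = ingress_iface(src)
    for action, r_iface, r_proto, r_src, r_dst, r_port, descr in RULES:
        if r_iface != iface:
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if not in_alias(src, r_src) or not in_alias(dst, r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, descr
    return "block", "implicit default deny"

if __name__ == "__main__":
    flows = [
        ("203.0.113.5",   "192.168.30.10", "tcp", 443),   # visitor -> proxy
        ("192.168.30.10", "192.168.31.10", "tcp", 443),   # proxy -> Nextcloud
        ("192.168.30.10", "192.168.31.10", "tcp", 22),    # proxy -> Nextcloud ssh
        ("192.168.31.10", "192.168.10.20", "tcp", 445),   # Nextcloud -> laptop on LAN
        ("192.168.31.10", "192.168.30.10", "tcp", 443),   # Nextcloud -> proxy
        ("203.0.113.5",   "192.168.31.10", "tcp", 443),   # visitor -> Nextcloud directly
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
```

Two things to keep in mind when carrying this into a real rule set: the firewall is stateful, so reply packets of a permitted connection need no rule of their own, which is why only connection initiation is modelled; and the block rules only protect anything if they sit above the broad "to any" pass rules, as a quick check of the ordering in RULES shows.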
                • A Former User

                     DMZ2 Layer2 Switch ------ Server 2
                     |
                     |
                  pfSense-------LAN----Layer3 Switch-------VLANs
                     |
                     |
                     DMZ1 Layer2 Switch ----- Server1 
                  
                  pfSense-------LAN----Layer3 Switch-------VLANs
                     |
                     |
                     DMZ Layer2 Switch -------- 2 Servers
                  

                  For big concerns (large files) and routing much traffic, and on top of that, what installed packages will be in the game too! Do you plan on using IDS or IPS (inline mode), and if so,
                  where do you want to use it? Is there one or more RADIUS servers in the game too? Is there another IDS instance inside
                  this setup, like OSSEC or so?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.