Netgate Discussion Forum

    Smacked from sort of experienced back to novice

    General pfSense Questions
    15 Posts 7 Posters 636 Views
    • Digiguy

      A bit frustrated. Let me explain

      I installed and have been running my pfSense router/firewall for 6-8 months. This was an Out-Of-Box (OOB) setup. It's a pretty simple setup, using old/free equipment ($100 is a financial investment to me lol ) - Cable Modem, old Dell PC with 3 3com 3C095 NIC cards as my pfSense, Netgear switch, and a wireless tp-Link setup as WAP. I got it all working with my known devices needing internet access. Life is great! I try to monitor/watch what goes in and out. I definitely learn quite a bit from you all... thanks!

      Now I would like to advance from just Out-Of-The-Box (OOB) configuration to something I configured for my needs. Also be active in managing/monitoring my pfSense, but after this weekend I was made aware of how much I don't know.

      I followed a YouTube video pfSense Firewall (totally) Rules! Basic rule setup... in an attempt to "harden" my firewall rules. Checked on a few devices and all seemed to work great. Then the son and family came over. 1st, the Vizio TV upstairs could not connect to LAN. 2nd, the grandson could not play Roblox... THAT was a crisis!! Reverted back to OOB and went about enjoying the weekend.

      Now to my point/questions:

      1. Do I try again to change my LAN rules from OOB (allow all out) to a custom set of rules, or do I leave the OOB rules?
      2. OOB I believe IPV6 is enabled. This confused me when looking in the firewall logs. So, do I keep IPV6 enabled or disable it?
      3. logging into webgui from PC on lan is showing as unsecured. Do I need to setup acme?
      4. What is the next step? Some IDS/IPS - Snort? Suricata? pfblocker? attempt to setup a DMZ?

      Wait... don't answer #4 as they are personal choices. I apologize for so many questions. Will keep on trying. So much to learn, so little time.

      • Bob.Dig (LAYER 8) @Digiguy

        @Digiguy Beginners often don't know how the rules work and pfSense doesn't stop you from creating rules it will never evaluate and use.
        I think time is key if you are not a network pro with pfSense.

        • SteveITS (Galactic Empire) @Digiguy

          @Digiguy I would write down in words what you want to accomplish. Yes you can block access from LAN to (somewhere) the questions are what and why.

          IPv6 is a tool, no harm in using it.

          pfSense has a self-signed certificate by default. We never bother changing that.

          Snort/Suricata is much more useful when hosting a server. If you are not, there is no inbound traffic. They cannot see into encrypted traffic so can't scan HTTPS etc.

          A DMZ is useful if hosting a server and you don't want it on your network.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • bmeeks

            You should first figure out what's most important to you: (1) top flight network security, or (2) a happy family where Internet things mostly just "work" and your network is reasonably secure.

            For top flight network security, there is no easy path. You will need to do a ton of Google searches and reading to understand networking fundamentals and the operation of modern firewalls and their role in network security. Note that the heavy use of end-to-end encryption in networks today has made a significant difference in how intrusion detection and prevention systems work (or don't, mostly 🙂). Top flight network security also means you should be prepared to frequently be troubleshooting why website or game XYZ is suddenly not working. That's just a natural consequence of tightly locking things down.

            I suspect, though, that your life will be much easier if you choose to craft a network security posture where Internet stuff mostly just works. You can still be secure with this setup without needlessly breaking stuff. After all, your typical home network is not a big juicy target for a bad guy. He's after big money and/or big impacts and consequences. He's very unlikely to get that by hacking some random home user's network.

            Out of the box, pfSense is plenty secure. It has a default deny-all rule on the WAN for unsolicited inbound traffic. With that and NAT your internal networks are quite well protected. The only other essential requirement is an anti-virus client on all capable endpoint devices on your internal networks. And keep that AV client updated! Ditto for security hotfixes and operating system and other installed client software updates/patches for devices on your internal networks. Don't go experimenting with firewall rules until you graduate with honors from "Google University" and fully understand how pfSense rules are evaluated and what the various rule options are for.

            For some folks with a lot of IoT devices that are phoning home to who knows where, maybe some advanced VLAN segmentation is warranted, but be aware that will likely break some IoT devices such as music streamers and will interfere with casting of multimedia content from one device to another. These technologies usually depend upon mDNS and similar protocols that do not work across IP subnets natively.

            The default IPv6 settings in pfSense are fine, so don't change anything there. You should only do further configuration of IPv6 if your ISP specifically offers native IPv6 in addition to the regular IPv4 setup and you wish to use IPv6. The specifics here can vary from one ISP to the next. So, setting up true dual-stack operation will require knowing what your ISP requires. But again, there is currently no benefit of doing any of the IPv6 stuff because as of now there is no Internet site that you could reasonably want to visit that has only IPv6 access. Restated, you can go everywhere you should need to go on the web using only IPv4. I'm not saying never do IPv6. But it is not a requirement today, so to keep things simple initially you can skip worrying about IPv6.

            For the web GUI login, that's your choice. For a home network, having HTTPS enabled on the LAN firewall interface is not a biggie in my view. Others will probably disagree. Depends upon who you let roam freely on your home LAN. For me, it's just me, my wife, and the occasional iPhone or iPad from the grandkids. So, I opted to leave the web GUI set for HTTP for simplicity. I hate fiddling with SSL certs and the renewal things unless I just absolutely must.

            • Digiguy @SteveITS

              @SteveITS - Greatly appreciate your answers! Short and sweet, right to the point! I am trying to learn what is coming in and what's going out. Trying to analyze and understand the traffic that is being blocked by looking through the firewall logs. Maybe that isn't the way to learn about inbound/outbound traffic. Guess I was under the assumption to block all outbound unless I know what it is... in doing this as I said I am learning there is a lot I don't know! I did learn some things in the process.
              Leaving IPV6 alone.
              I was interested in hosting a DMZ. Now I have to figure out if I do it at home or at a place like Cloudflare.

              Again GREATLY appreciate the responses from all!

              • bmeeks @Digiguy

                @Digiguy said in Smacked from sort of experienced back to novice:

                I was interested in hosting a DMZ. Now I have to figure out if I do it at home or at a place like Cloudflare.

                If you intend to host a server behind your firewall, then a lot of my formal "simple approach" is no longer applicable. But I would strongly consider hosting a server at a dedicated hosting service.

                I read your initial post as asking about simplicity versus tight security.

                • Digiguy @bmeeks

                  @bmeeks WOW! 1st, I thank you for the detailed response! Pretty much in line with others. You stated two ends of the extremes. I would like to be somewhere in the middle. I feel guilty with the "Set it & Forget It" mentality. To be somewhere in the middle I agree a LOT of Google searches and Netgate searches will be required and, as another poster said... time...

                  Again, so much to learn, so little time :)

                  • bmeeks @Digiguy

                    @Digiguy said in Smacked from sort of experienced back to novice:

                    Again, so much to learn, so little time :)

                    Learning can be fun and a great challenge. Just remember that until you gain a lot of experience you may inadvertently break stuff. Make frequent manual config backups in pfSense so you can quickly roll back if you make a mistake and the wrath of momma and/or the kids comes down upon you.

                    But many users just want a functional home network. You can get that and still have plenty of security following the process I described in my post above.

                    • NollipfSense @SteveITS

                      @SteveITS said in Smacked from sort of experienced back to novice:

                      IPv6 is a tool, no harm in using it.

                      You're so right, and a message to me as well... thanks for the well-put, short and sweet answer.

                      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                      • Digiguy @bmeeks

                        @bmeeks

                        @bmeeks said in Smacked from sort of experienced back to novice:

                        Learning can be fun and a great challenge.

                        EXACTLY! And a big reason I am exploring, experimenting, and as you said breaking things. I always say, "A mistake is okay as long as you learn from it (and no one gets hurt)"

                        • mer

                          I like to start with pictures.
                          Draw a box, label it "pfSense".
                          Now draw arrows, label them WAN, LAN1, LAN2
                          Draw a few smaller boxes to represent devices and connect them to the different LANs

                          Then think about what traffic you want to allow, what directions, what interface.
                          Remember that by default, pfSense will drop traffic into WAN from the outside world unless there is state.
                          That means "something from my network initiated traffic to something in the outside world, pfSense keeps state and allows the responses from the outside world".

                          That lets me write words that lead to being able to write the rules.

                          • Bob.Dig (LAYER 8) @Digiguy

                            @Digiguy said in Smacked from sort of experienced back to novice:

                            Guess I was under the assumption to block all outbound unless I know what it is...

                            That is a very hard task that I guess almost no one is doing. Block it all, for some special VLAN with IoT, or let it all go out to the internet, not to your local subnets though. There is no in between with that. 😉

                            • stephenw10 (Netgate Administrator)

                              Yup. You might find basic web browsing works fine with only a few outbound ports allowed (80, 443, 53) but you'll soon find out just how much other stuff uses other ports. 😉

                              You can add allow rules for services as you find them but that can take a while.

                              • Digiguy @stephenw10

                                @stephenw10 said in Smacked from sort of experienced back to novice:

                                you'll soon find out just how much other stuff uses other ports.

                                Definitely the lesson I have learned. So then, as a "network administrator", how does one "monitor" or check to make sure all is well? I have looked through the firewall logs and I get lost rather quickly...

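Digiguy's question above (how to check the firewall logs without getting lost) and stephenw10's point that "other stuff uses other ports" both come down to summarising the filter log rather than reading it line by line. The script below is an added example, not from this thread or from pfSense itself: it reads constructed syslog lines in the filterlog CSV layout and counts blocked connections per protocol and destination port on one interface; the field order, the interface names em0/em1 and the addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in pfSense's filterlog CSV layout (assumed field
# order: rulenr,subrulenr,anchor,tracker,interface,reason,action,dir,ipver,tos,ecn,
# ttl,id,offset,flags,proto-id,proto-name,length,src,dst,srcport,dstport,...).
# em1 plays the LAN, em0 the WAN; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 12 12:03:22 pfSense filterlog[12345]: 9,,,1000000105,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51234,3478,0,S,1,,65535,,mss
Mar 12 12:03:23 pfSense filterlog[12345]: 9,,,1000000105,em1,match,block,in,4,0x0,,64,0,0,none,17,udp,80,192.168.1.50,203.0.113.10,51235,3478,60
Mar 12 12:03:24 pfSense filterlog[12345]: 9,,,1000000105,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.77,198.51.100.5,40000,49152,0,S,1,,65535,,mss
Mar 12 12:03:25 pfSense filterlog[12345]: 9,,,1000000105,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.77,203.0.113.10,40001,3478,0,S,1,,65535,,mss
Mar 12 12:03:26 pfSense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,52,0,0,none,6,tcp,40,198.51.100.9,203.0.113.2,55555,22,0,S,1,,1024,,
Mar 12 12:03:27 pfSense filterlog[12345]: 12,,,1000000104,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,51240,443,0,S,1,,65535,,mss
"""

LINE_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.+)$")

def parse_filterlog(line):
    """Return the fields we need from one IPv4 TCP/UDP filterlog line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # Ports sit at fields 20/21 only for IPv4 TCP/UDP; IPv6 and ICMP use a different layout.
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21])}

def blocked_by_dport(log_text, iface):
    """Summarise 'block in' entries on one interface as (proto, dport, count, sources).
    Rules are evaluated where traffic enters the firewall: on the LAN interface 'block in'
    is LAN hosts trying to go out (what a tightened LAN ruleset stops); on the WAN it is
    unsolicited traffic from the Internet hitting the default deny."""
    counts, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["iface"] != iface:
            continue
        if rec["action"] != "block" or rec["dir"] != "in":
            continue
        key = (rec["proto"], rec["dport"])
        counts[key] += 1
        sources[key].add(rec["src"])
    return [(proto, port, n, sorted(sources[(proto, port)]))
            for (proto, port), n in counts.most_common()]

if __name__ == "__main__":
    for proto, port, n, srcs in blocked_by_dport(SAMPLE_LOG, "em1"):
        print(f"{proto}/{port:<5} blocked {n} time(s) from {', '.join(srcs)}")
```

On a real box the same function can be fed the output of `clog /var/log/filter.log`; the ports that float to the top are the ones a stricter LAN ruleset is breaking.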
                                • stephenw10 (Netgate Administrator)

                                  It depends who/what the users are. If they are real people they usually let you know pretty quick when things don't work. 😉

                                  If it's IoT devices etc you have to test yourself.

                                  As with all things it's a question of security vs convenience. Though the actual security benefits are questionable at best and the inconvenience is significant so.....

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.