Smacked from sort of experienced back to novice

Digiguy

A bit frustrated. Let me explain

I installed and been running my pfsense router/firewall for 6-8 months. This was an Out-Of-Box (OOB) setup. Its a pretty simple setup, using old/free equipment ($100 is a financial investment to me lol ) - Cable Modem, old Dell PC with 3 3com 3C095 NIC cards as my pfsense, Netgear switch, and a wireless tp-Link setup as WAP. I got it all working with my known devices needing internet access. Life is great! I try to monitor/watch what goes in and out. I definitely learn quite a bit from you all.. thanks!

Now I would like to advance from just Out-Of-The Box (OOB) configuration to something I configured for my needs. Also be active in managing/monitoring my Pfsense but after this weekend I was made aware of how much I don't know.

I followed a YouTube video pfSense Firewall (totally) Rules! Basic rule setup... in an attempt to "harden" my firewall rules. Checked on a few devices and all seems to work great. Then the son and family came over. 1st, the Vizio TV upstairs could not connect to LAN. 2nd, the grandson could not play Roblox... THAT was a crisis!! reverted back to OOB and went about enjoying the weekend.

Now to my point/questions:

1. Do I try again to change my LAN rules from OOB (allow all out) to a custom set of rules or do leave as OOB rules?
2. OOB I believe IPV6 is enabled. This confused me when looking in the firewall logs. So, do I keep IPV6 enabled or disable it?
3. logging into webgui from PC on lan is showing as unsecured. Do I need to setup acme?
4. What is the next step? Some IDS/IPS - Snort? Suricata? pfblocker? attempt to setup a DMZ?

Wait... don't answer #4 as they are personal choices. I apologies for so many questions. Will keep on trying. So much to learn, so little time.

Bob.Dig

@Digiguy Beginners often don't know how the rules work and pfSense doesn't stop you from creating rules it will never evaluate and use.
I think time is key if you are not a network pro with pfSense.

SteveITS

@Digiguy I would write down in words what you want to accomplish. Yes you can block access from LAN to (somewhere) the questions are what and why.

IPv6 is a tool, no harm in using it.

pfSense has a self-signed certificate by default. We never bother changing that.

Snort/Suricata is much more useful when hosting a server. If you are not, there is no inbound traffic. They cannot see into encrypted traffic so can't scan HTTPS etc.

A DMZ is useful if hosting a server and you don't want it on your network.

bmeeks

You should first figure out what's most important to you: (1) top flight network security, or (2) a happy family where Internet things mostly just "work" and your network is reasonably secure.

For top flight network security, there is no easy path. You will need to do a ton of Google searches and reading to understand networking fundamentals and the operation of modern firewalls and their role in network security. Note that the heavy use of end-to-end encryption in networks today has made a significant difference in how intrusion detection and prevention systems work (or don't, mostly ). Top flight network security also means you should be prepared to frequently be troubleshooting why website or game XYZ is suddenly not working. That's just a natural consequence of tightly locking things down.

I suspect, though, that your life will be much easier if you choose to craft a network security posture where Internet stuff mostly just works. You can still be secure with this setup without needlessly breaking stuff. After all, your typical home network is not a big juicy target for a bad guy. He's after big money and/or big impacts and consequences. He's very unlikely to get that by hacking some random home user's network.

Out of the box, pfSense is plenty secure. It has a default deny-all rule on the WAN for unsolicited inbound traffic. With that and NAT your internal networks are quite well protected. The only other essential requirement is an anti-virus client on all capable endpoint devices on your internal networks. And keep that AV client updated! Ditto for security hotfixes and operating system and other installed client software updates/patches for devices on your internal networks. Don't go experimenting with firewall rules until you graduate with honors from "Google University" and fully understand how pfSense rules are evaluated and what the various rule options are for.

For some folks with a lot of IoT devices that are phoning home to who knows where, maybe some advanced VLAN segmentation is warranted, but be aware that will likely break some IoT devices such as music streamers and will interfere with casting of multimedia content from one device to another. These technologies usually depend upon mDNS and similar protocols that do not work across IP subnets natively.

The default IPv6 settings in pfSense are fine, so don't change anything there. You should only do further configuration of IPv6 if your ISP specifically offers native IPv6 in addition to the regular IPv4 setup and you wish to use IPv6. The specifics here can vary from one ISP to the next. So, setting up true dual-stack operation will require knowing what your ISP requires. But again, there is currently no benefit of doing any of the IPv6 stuff because as of now there is no Internet site that you could reasonably want to visit that has only IPv6 access. Restated, you can go everywhere you should need to go on the web using only IPv4. I'm not saying never do IPv6. But it is not a requirement today, so to keep things simple initially you can skip worrying about IPv6.

For the web GUI login, that's your choice. For a home network, having HTTPS enabled on the LAN firewall interface is not a biggie in my view. Others will probably disagree. Depends upon who you let roam freely on your home LAN. For me, it's just me, my wife, and the occasional iPhone or iPad from the grandkids. So, I opted to leave the web GUI set for HTTP for simplicity. I hate fiddling with SSL certs and the renewal things unless I just absolutely must.

Digiguy

@SteveITS - Greatly appreciate your answers! Short and sweet, right to the point! I am trying to learn what is coming in and what's going out. Trying to analyze and understand the traffic that is being blocked by looking through the firewall logs. Maybe that isn't the way to learn about inbound/outbound traffic. Guess I was under the assumption to block all outbound unless I know what it is... in doing this as I said I am learning there is a lot I don't know! I did learn some things in the process.
Leaving IPV6 alone.
I was interested in hosting a DMZ. Now my I have to figure out if I do it at home or at a place like Cloudflare.

Again GREATLY appreciate the responses from all!

bmeeks

@Digiguy said in Smacked from sort of experienced back to novice:

I was interested in hosting a DMZ. Now my I have to figure out if I do it at home or at a place like Cloudflare.

If you intend to host a server behind your firewall, then a lot of my formal "simple approach" is no longer applicable. But I would strongly consider hosting a server at a dedicated hosting service.

I read your initial post as askng about simplicity versus tight security.

Digiguy

@bmeeks WOW! 1st I Thank you for the detailed response! pretty much in line with others. you stated two ends of the extremes. I would like to be somewhere in the middle. I feel guilty with the "Set it & Forget It" mentality. To be somewhere in the middle I agree a LOT of Google searches and Netgate searches will be required and as another poster said... time...

Again, so much to learn, so litte time :)

bmeeks

@Digiguy said in Smacked from sort of experienced back to novice:

Again, so much to learn, so litte time :)

Learning can be fun and a great challenge. Just remember that until you gain a lot of experience you may inadvertently break stuff. Make frequent manual config backups in pfSense so you can quickly roll back if you make a mistake and the wrath of momma and/or the kids comes down upon you.

But many users just want a functional home network. You can get that and still have plenty of security following the process I described in my post above.

NollipfSense

@SteveITS said in Smacked from sort of experienced back to novice:

IPv6 is a tool, no harm in using it.

You're so right and message to me as well...thanks for the well-put short, sweet.

Digiguy

@bmeeks

@bmeeks said in Smacked from sort of experienced back to novice:

Learning can be fun and a great challenge.

EXACTLY! And a big reason I am exploring, experimenting, and as you said breaking things. I always say, "A mistake is okay as long as you learn from it (and no one gets hurt)"

mer

I like to start with pictures.
Draw a box, label it "pfSense".
Now draw arrows, label them WAN, LAN1, LAN2
Draw a few smaller boxes to represent devices and connect them to the different LANs

Then think about what traffic you want to allow, what directions, what interface.
Remember that by default, pfSense will drop traffic into WAN from the outside world unless there is state.
That means "something from my network initiated traffic to something in the outside world, pfSense keeps state and allows the responses from the outside world".

That lets me write words that lead to being able to write the rules.

Bob.Dig

@Digiguy said in Smacked from sort of experienced back to novice:

Guess I was under the assumption to block all outbound unless I know what it is...

That is a very hard task I guess almost no one is doing. Block it all, for some special VLAN with IoT, or let it all go out to the internet, not your local subnets though. There is no in between with that.

stephenw10

Yup. You might find basic web browsing works fine with only a few outbound ports allowed (80, 443, 53) but you'll soon find out just how much other stuff uses other ports.

You can add allow rules for services as you find them but that can take a while.

Digiguy

@stephenw10 said in Smacked from sort of experienced back to novice:

you'll soon find out just how much other stuff uses other ports.

Definitely the lesson I have learned . So then as a "network administrator" how does one "monitor" or check to make sure all well? I have looked through the firewall logs and I get lost rather quickly...

stephenw10

It depends who/what the users are. If they are real people they usually let you know pretty quick when things don't work.

If it's IoT devices etc you have to test yourself.

As with all things it's a question of security vs convenience. Though the actual security benefits are questionable at best and the inconvenience is significant so.....