Where do us complete newbs start?
-
So - my astute son, who's fully aware of my internet paranoia, convinced me I'd feel better if I were using a dedicated firewall rather than simply relying on whatever my very current and expensive router is providing, even though said router is "designed and assembled" in the U.S. by a U.S. company. He thought a Netgate appliance running pfSense was just what we needed for our large-ish home network.
So - I bought a 2100 and have it set up with my aforementioned router now operating in AP mode and a couple of PoE Ubiquiti UniFi APs serving the fifty or so Wi-Fi devices in the house.
Now what?? Evidently, our son is big on advice but thinks his Pop needs to work out the details himself. His paranoia doesn't run nearly as deep as mine, apparently.
Yes, I need to read the docs and learn all the jargon, but in addition to reading, I need to understand it. Some of that will come with time, although at 70 years old, my retired brain has become just lazy enough that complex new concepts take quite a bit longer than they used to. I mean, merely reading the thread titles here is seriously intimidating.
In the meantime, I'd really like to feel like my new firewall is working for us even without a full understanding of how to create rules, etc., etc., etc.
All that said, could/would anyone please impart some basic knowledge from what must be a vast repertoire that exists here and provide a few starting tips for configuring my new firewall so that it's providing at least a little more peace of mind to help alleviate some of my paranoia.
Thanks so much!
-
@SilverFoxFL
pfSense, like any rational firewall, will block incoming connections. What are your goals? Right now it seems more like you have a solution but are missing problems. :) I suggest making a list.
Netgate has videos: https://www.youtube.com/c/netgateofficial
As do others. And really good docs: https://docs.netgate.com/pfsense/en/latest/index.html
https://docs.netgate.com/pfsense/en/latest/recipes/index.html
Posts in any forum are often about problems people can’t solve on their own, but one can pick up lots of info over time.
-
Thanks for the quick reply, Steve. You make really good points.
Case in point, I don't really know what my goals are at the moment, other than me being able to worry less about some hacker getting into our network and wreaking havoc. I don't even know for certain that it's much of a possibility as long as our OSes (Windows 11 and macOS) are up to date. Hence, your remark alluding to me having a solution to an unknown problem is spot on.
I suppose, maybe, I'm trying to determine if there are one or many "standard", "typical", "ubiquitous", or otherwise, firewall rules that I should add to the 2100 to keep our network as safe as reasonably possible. Your comment about "any rational firewall" makes me think that it's already configured, for the most part, to provide all the protection we need(ed) - until it doesn't. In other words, maybe I don't need to worry about fiddling with configurations until/unless some sort of issue crops up as a result of an outside intrusion, at which time I may have a specific question for a specific problem. Please school me if that's not close to being correct.
Curious, though, would you say that adding the 2100 to our network in a strictly default configuration in any way diminishes our network protection from what our router provided? I wouldn't have considered that to be possible but, obviously, I'm more than just a little confused about the subject matter.
In any case, thanks for the links to the info to which I should be paying attention.
-
@SilverFoxFL Out of the box, pfSense allows all outgoing traffic. Some people may choose to limit by country, or, say, forward DNS to Quad9 or Cloudflare Family to block adult sites.
It’s not going to make your network less secure, no.
-
@SteveITS Thanks again, Steve. I'm encouraged that the new appliance will be beneficial especially when it comes to the dozens of IoT devices we have all over the house these days. I shudder to think about how UN-secure 99% of those things are.
-
@SilverFoxFL A lot of people will add VLANs to their networks just to isolate all those IoT devices. Because, as you said, they are unsecure for the most part.
Putting them on their own subnet keeps them away from your 'more secure' devices but still lets you access them as needed.
-
@SilverFoxFL Along the lines of defining your goals, establishing a philosophy is also helpful. For example, one firewall philosophy is "that which is not explicitly permitted is prohibited", which is implemented as a set of rules allowing specific traffic and a default rule blocking everything else. These rules are added to your LAN interface. The downside is that you are now asserting your control, which may end up driving your family nuts if/when you inadvertently block something that they were using (intentionally or otherwise).
Another perspective is that the addition of a firewall is building a defense-in-depth strategy. While it is important to keep software up to date, from a security perspective it makes some sense to have a degree of mistrust between the firewall and the various systems being protected. In other words, the firewall shouldn't assume that the clients are all patched and protected, while the clients shouldn't assume that the firewall makes them entirely safe. This is particularly relevant with a bunch of IoT clients.
I think as you get started down this route it makes sense to look at the Netgate as a filtering and control device, mainly for the traffic leaving the house. The two primary areas of control are firewall rules (assuming the default block scenario above) and DNS filtering.
Good luck, it is an interesting journey!
--Larry
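An added illustration of the two ideas above, an explicit-allow LAN policy and an isolated IoT VLAN, written as a pf ruleset; it is example configuration, not pfSense's own generated rules, which on a 2100 you would build in the Firewall > Rules GUI. Interface names, the VLAN id and all addresses are assumptions.

```pf
# Added example, not pfSense's generated config. Interface names, VLAN id
# and addresses are assumptions for a home network like the one described.
lan_if  = "lan0"      # assumed: trusted LAN port
iot_if  = "lan0.20"   # assumed: VLAN 20 for IoT gear, carried on the same port
lan_net = "192.168.1.0/24"
iot_net = "192.168.20.0/24"
fw_lan  = "192.168.1.1"    # firewall's address on the LAN
fw_iot  = "192.168.20.1"   # firewall's address on the IoT VLAN

set block-policy drop
set skip on lo0

# "Not explicitly permitted is prohibited": a non-quick block first, so
# anything no 'pass ... quick' rule below matches is dropped and logged.
block in log all

# Clients on both segments must still be able to get a DHCP lease from
# the firewall (pfSense adds this pass automatically when DHCP is enabled).
pass in quick on { $lan_if $iot_if } proto udp from any port 68 to any port 67

# --- LAN (trusted) -------------------------------------------------------
# DNS only to the firewall's resolver, which is the one place DNS filtering
# (forwarding to a filtering upstream, for instance) is enforced for everyone.
pass in quick on $lan_if proto { tcp udp } from $lan_net to $fw_lan port 53
# Reach the firewall's web GUI.
pass in quick on $lan_if proto tcp from $lan_net to $fw_lan port 443
# Manage IoT devices from the LAN; their replies return via the state entry.
pass in quick on $lan_if proto tcp from $lan_net to $iot_net port { 80 443 }
# Everyday internet use: web, IMAPS, NTP. Extend this list when something breaks.
pass in quick on $lan_if proto tcp from $lan_net to ! $iot_net port { 80 443 993 }
pass in quick on $lan_if proto udp from $lan_net to any port 123

# --- IoT VLAN (untrusted) ------------------------------------------------
# Same resolver rule, then refuse anything aimed at the LAN or at the
# firewall itself before letting the rest out to the internet.
pass in quick on $iot_if proto { tcp udp } from $iot_net to $fw_iot port 53
block in quick log on $iot_if from $iot_net to { $lan_net $fw_iot }
pass in quick on $iot_if from $iot_net to any

# Stateful replies and outbound traffic on every interface (pfSense's default).
pass out quick all keep state
```

The `quick` keyword gives the first-match behaviour the pfSense GUI uses for rules on an interface, and the leading `block in log all` plays the role of the GUI's implicit default deny; checking the firewall log for those logged drops is how you find the things your family was using that the allow list missed.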
-
@Jarhead Great idea! Now I have two new major networking skills I need to master. Better get started.

-
@LarryFahnoe Thanks for that perspective. I'm beginning to think I've opened a big can of worms for myself, but I fully agree, particularly in this age of massive hacking, it's better to assume devices are under-protected and do what we can to make them less vulnerable. I also believe I'd never find the time to adequately administer the first type of philosophy you mentioned. I'd be the one going nuts. Somewhere along the line I'm hoping to find that happy medium of balancing too much against too little.
-
I agree, one of the most important things you can do to improve security is segregate devices onto a separate internal subnet to allow filtering between them.
But, like most things in computing, it comes down to security vs convenience. You make it more secure some things are probably going to become less convenient!

-
@stephenw10 Yep, that seems to be the consensus.
Funny that I'm writing this on my Windows 11 laptop. A few minutes ago I happened to be doing a quick email check on my iPad Pro. When I saw the Forum email about your post, I touched the "View Post" button. Safari opened the link and showed me this: [[error:blacklisted-ip]]
I feel certain this must have something to do with my new firewall. Sad thing is I have no idea how to even approach fixing it for the iPad. Why blacklist its IP if my laptop's IP presents no problem? Is it a DNS issue in reality? Seems unlikely since my laptop browser should be resolving "forum.netgate.com" to the same address? Questions abound!
Still not understanding much about the 2100, I'm guessing there must be some way for me to add/approve the iPad's IP to avoid such an error. But then what happens when my iPad connects with a different IP at a later time? I haven't, and don't want to, reserve IP addresses for every internet connected device in the house.
As I mentioned earlier to @LarryFahnoe, it's becoming the can of worms problem, I'm afraid, and I know just enough about networking to be dangerous. This is all going to be a very long work-in-progress, methinks.
-
@SilverFoxFL pfSense doesn’t have that message; it’d be a server-side error, I expect.
-
@SteveITS Very interesting! Of course, the server is "forum.netgate.com" Full URL is "forum.netgate.com/topic/199561/where-do-us-complete-newbs-start/12".
Why would the server return that error ONLY on every iPad browser? Every Windows browser I've tried resolves without error. Obviously, something is very, very different between Windows and iPadOS networking. But how do normal people determine what those differences might be? And how do I begin to learn where in the 2100 I would find settings to fix anything like this?
This is exactly the kind of stuff that I'm afraid I'll be spending endless hours trying to understand and to no avail. Sorry for the pessimism. I'm feeling like the "hot mess" my kids sometimes accuse me of being.
-
@SilverFoxFL Are you by chance using Apple's proxy service? I forget what it's called but it's via a paid subscription to their online services.
-
@SteveITS OH. MY. GOSH! I just figured it out and I’m really embarrassed.
I have Proton VPN installed on my iPad, but I only activate when I’m feeling especially paranoid which actually isn’t all that often. Much to my surprise, the “Connect on demand” option had gotten turned on, probably with a recent app update. So, despite me toggling the VPN off, it turned itself back on, and I hadn’t noticed it. Still …
I’m not sure when it might have occurred to me to look for that, but I opened the netgate.com site and started clicking around to see if the error popped up anywhere except the Forum. It didn’t. That got me seriously wondering what was up with that. Then I remembered that, for one of those completely unknown reasons, every VPN I’ve ever had on the iPad had similar problems with certain sites in much the same way. I opened the Settings app, turned off the Connect On Demand VPN setting and, voila, here I am using the iPad to post this message.
My sincere apologies for sending anyone on a wild goose chase. That’s one setting I will never forget to check at the first sign of any similar problem.
Finally, thanks to all who have taken an interest in my questions and troubles. I truly appreciate the assistance while ignoring my ineptness in the process. Cheers!
-
@SilverFoxFL Generally blocks like that are because some people are using those VPNs for malicious reasons, causing the shared IPs to be blocked. Or I’ve seen sites block VPNs for licensing reasons: they can only show content in certain countries.
-
Yup, that's coming from the forum server because that particular ProtonVPN address is on a blacklist.
-
@stephenw10 Well, OK, I have to let my curiosity get the best of me: why would this forum's address be on a ProtonVPN blacklist? I'm having a hard time believing it's a security risk. Is there something a whole lot of people here know that I don't?

-
It's not. It's ProtonVPN's public IP that's on our blacklist. Almost certainly because at some point some bad actor was using ProtonVPN and got the address flagged.
-
@stephenw10 Ohhh! Another of my misunderstandings. Now I get it. Thanks for humoring me and my curiosity.
