Netgate Discussion Forum
    Would anybody be willing to give me some conceptual networking information?

    General pfSense Questions
    24 Posts 6 Posters 5.0k Views
      Mr. Jingles

      Congratulations, you won ( :D :D :D).

      I am taking the knowledge, experience and wisdom that you have extremely seriously, just as I am extremely grateful that you devote your time to helping me out (thank you, again, very much :P).

      As you go to great lengths to tell me I should not be wanting this, for now I will, finally (I am a stubborn person ;D), follow your recommendations. I will not do Radius for the time being. You won ;D

      So I will be using WPA2-PSK with the maximum key (63 characters, I think I read somewhere). But still, I am wondering how to secure it more. The old wish is still this: I would like to allow my own laptop (and later on the tablet I will be buying for my lovely wife, who still stays with me despite all my shortfalls ( ;D)) to access the wired Synology NAS (pictures of our long gone but very very beloved dogs, ebooks, movies), while at the same time minimizing the risk of a hacker accessing that Synology.

      There is one option in the pfSense DHCP that says 'deny unknown clients'. Would this be sufficient? Or should I indeed go the route of different VLANs, one for wired and one for wireless, and then 'some' firewall rules that allow specific (fixed; all my LAN devices are fixed, as this makes rsync scripts easier) IPs access from VLAN1 to VLAN2?

      Not that I have a clue as to how to set this up. Just to clarify: in addition to donating financially (although not much, I am not rich) to the pfSense project, I have also bought the book 'pfSense: The Definitive Guide', also to sponsor this project. I've read parts of it, and it definitely is a good book. I do realize however that I am some sort of a 'strange breed': the book obviously has been written assuming more background knowledge than I have (I am an economist, not an IT technician), so at some points in the book I have difficulties following the subject. So I feel the book alone is not sufficient for me (still stressing it is a good book).

      So would you perhaps be willing to give me some high-level instruction on how to proceed? Again, I don't expect a 'click here and click there' reply, but if you would be willing to tell me 'set up VLAN x and VLAN y, make firewall rules as follows to allow/deny XYZ, make sure ABC are right in the pfSense configuration', then I would have a clue as to what to study next.

      I apologise for me being such a noob, and I do assure you: I really can do your taxes, that is my area of expertise  ;D ;D ;D

      Thank you again for all your help, it is deeply appreciated,

      Bye,

      6 and a half billion people know that they are stupid, aggressive, lower life forms.
        johnpoz LAYER 8 Global Moderator

        "So I will be using WPA2-PSK with the maximum key (63 characters, "

        Dude, that is just over the top ;) 20 should be enough; if you're paranoid use 25 ;)

        Setting up MAC controls in DHCP, or not even running DHCP, is also suggested in the "6 dumbest ways to secure your wireless" lists. They are not security methods, they are controls. But do you really think someone that just hacked a 63-character PSK is going to have an issue with you not giving him an IP address via DHCP??

        If you want to isolate your wired from your wireless, then sure, VLANs or actual physical segments are the way to do it. Does the risk of a possible breach of your secure PSK in a home setup warrant it? Probably not. But hey, if you want to segment your network and put in ACLs between them, sure, have fun.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11


          stephenw10 Netgate Administrator

          Separating your wireless and wired traffic is something I would recommend just to make it easier to control your traffic.

          If you want a paranoia level of security you could set up a VPN server in pfSense and then configure your wireless interface firewall rules to only allow access to that. Then all your wireless devices would have to connect to the VPN server to get access to anything. The VPN encryption level can be anything you choose. Potentially you could use two-factor authentication or something! ;)

          Steve
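To make the two designs in this thread concrete (the question's "fixed IPs from the wireless VLAN may reach the NAS" rule set, and Steve's "wireless may only reach the VPN server" rule set), here is a small first-match packet-filter model written as an added example. It is not code from the thread, from Netgate or from pfSense; the VLAN numbers, addresses, the NAS address, the laptop's fixed address and the service ports are constructed assumptions, and the evaluator is a deliberate simplification (no state tracking, one interface, inbound direction only) of how pfSense walks an interface's rules top to bottom and stops at the first match, with an implicit default deny at the end.

```python
"""
Toy first-match packet-filter model for the wired/wireless split discussed in this thread.
Constructed example: addresses, VLAN numbers and ports are assumptions, not the poster's setup.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing (assumption): VLAN 10 is the wired LAN holding the NAS,
# VLAN 20 is the wireless LAN. The laptop keeps a fixed address, as in the question.
WIRED_LAN = ipaddress.ip_network("192.168.10.0/24")
WIRELESS_LAN = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
NAS = ipaddress.ip_address("192.168.10.5")
LAPTOP = ipaddress.ip_address("192.168.20.10")
VPN_SERVER = ipaddress.ip_address("192.168.20.1")   # pfSense's own address on VLAN 20


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port
    comment: str = ""


def host(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Single-host network, the equivalent of a /32 host alias."""
    return ipaddress.ip_network(f"{addr}/32")


def evaluate(rules: List[Rule], src, dst, dport: int) -> Tuple[str, str]:
    """Walk the wireless interface's inbound rules top to bottom; the first match wins,
    which is how pfSense orders interface rules. Anything left unmatched falls to the
    implicit default deny."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action, r.comment
    return "block", "implicit default deny"


# Variant A: the segmentation sketched in the question. Only the laptop's fixed address
# may reach the NAS, and only on the services it actually uses; the rest of the wireless
# VLAN is cut off from the wired VLAN but may still reach the internet.
WIRELESS_RULES_A = [
    Rule("pass", host(LAPTOP), host(NAS), 445, "laptop -> NAS, SMB"),
    Rule("pass", host(LAPTOP), host(NAS), 873, "laptop -> NAS, rsync"),
    Rule("block", WIRELESS_LAN, WIRED_LAN, None, "wireless -> wired, everything else"),
    Rule("pass", WIRELESS_LAN, ANY, None, "wireless -> internet"),
]

# Variant B: Steve's suggestion. Wireless clients may talk to the VPN listener on pfSense
# and nothing else; access to the NAS is then decided inside the VPN, where the client has
# authenticated rather than merely presented a source address the rule set trusts.
WIRELESS_RULES_B = [
    Rule("pass", WIRELESS_LAN, host(VPN_SERVER), 1194, "wireless -> OpenVPN on pfSense"),
    Rule("block", WIRELESS_LAN, ANY, None, "wireless -> anything else"),
]


def check_dhcp_deny_unknown_is_not_a_filter() -> Tuple[str, str]:
    """A device that never asked DHCP for a lease and simply configured its own address
    (constructed: 192.168.20.77) is untouched by 'deny unknown clients'. What keeps it
    away from the NAS is the firewall rule set, not the DHCP setting."""
    return evaluate(WIRELESS_RULES_A, "192.168.20.77", NAS, 445)


if __name__ == "__main__":
    cases = [
        ("A", LAPTOP, NAS, 445), ("A", LAPTOP, NAS, 22),
        ("A", "192.168.20.77", NAS, 445), ("A", LAPTOP, "203.0.113.10", 443),
        ("B", LAPTOP, NAS, 445), ("B", LAPTOP, VPN_SERVER, 1194),
    ]
    for variant, s, d, p in cases:
        rules = WIRELESS_RULES_A if variant == "A" else WIRELESS_RULES_B
        action, why = evaluate(rules, s, d, p)
        print(f"variant {variant}: {s} -> {d}:{p}  {action:5}  ({why})")
```

Running the script prints one line per case; the useful contrast is that variant A decides purely on the source address it sees on the wire, while variant B pushes the decision into the VPN, which is the difference johnpoz draws between a control (DHCP reservations, MAC lists) and an actual security boundary. In pfSense the equivalent of variant A is a short list of pass rules on the wireless VLAN interface with a block rule to the wired alias beneath them; variant B is a single pass rule to the VPN port on the firewall's own VLAN address followed by a block.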


            Mr. Jingles

            @stephenw10:

            Separating your wireless and wired traffic is something I would recommend just to make it easier to control your traffic.

            If you want a paranoia level of security you could set up a VPN server in pfSense and then configure your wireless interface firewall rules to only allow access to that. Then all your wireless devices would have to connect to the VPN server to get access to anything. The VPN encryption level can be anything you choose. Potentially you could use two-factor authentication or something! ;)

            Steve

            I still have to do all this, but I don't have enough time :-\

            Thank you for your reply, Steve  ;D

            6 and a half billion people know that they are stupid, aggressive, lower life forms.