Thanks
-
Hello Everyone,
First, a little butt kissing. Thank you everyone on here. I have set up my new router, after my Asus RT-N66U was just not capable of pumping out my full bandwidth over OpenVPN. My ISP is 150/10. That old router was just not up to the task; it would usually fall down to the 10-15 Mbps range. I got fed up with the dismal performance and started reading about other options. Hence how I found pfSense. Everyone in these forums floored me: there seemed to be no stupid question, and no one really ever answered someone rudely when it came to questions. That impressed me, and really helped me pick up the info that I needed. It says something about this community of people.
So, now I am running an AMD A4-5300 3.6 GHz, on an MSI FM2-A75 board, with 4 gigs of RAM (cheap Kingston RAM stuff), with a 500 gig HDD, inside a Fractal Design Core 1000 mATX case, with an extra Intel 10/100/1000 card. I was having issues with the 2.0 install of pfSense, it would just hang, so I moved to the 2.1 build and no problems. Got it up and running. Ran some security tests to make sure it's locked down (which by default it is, and that's cool!).
Still figuring out some best practices.
-
I currently just manually back up my configuration file to my PC via the webgui. After any major change I usually do this. I assume that should I ever bork my box, a simple reset to factory default, login to the webgui, upload the config file, I should be back to normal. <--- Would this be correct?
-
Now, I am sure I am doing something wrong here. Firewall rules elude me. It's a learn-as-I-go type of thing. Basically, what I have done is this. (FORGIVE ME NOW, for any misuse of tech terms.) My assigned DHCP pool range is 192.168.1.100 to 192.168.1.199. I have created static mappings based on MAC address for many of my devices. These all have IPs in the range of 192.168.1.2-192.168.1.15.
Next, I only wanted specific IPs to go through OpenVPN; the rest of the IP traffic goes through to my ISP. So, under the firewall rules, LAN, I created a rule for every single static IP mapped address, and selected which gateway I wanted it to exit through. So, if I wanted 192.168.1.2 to exit via my ISP, I selected that. Seems to be working perfectly. Specific devices are going through my VPN provider, the rest are going through my ISP. I also created a rule, which is the last rule under Firewall, Rules, LAN, for my LAN subnet, to pass any traffic via my ISP. <--- I assume that will cover any devices that get an IP address from the DHCP in the pool range, and ensure they exit to my ISP.
Is this a good way to be doing this? I haven't exposed myself to any security risks? I get that if a static mapped IP is not available, a device could get a pool range ip, and then be routed out the ISP connection, but that's fine.
What happens if I add rules from the firewall logs to allow something that was blocked? What happens to this rule, since it would usually be at the bottom of the list. Since I am IP specific, and the firewall works top down, would a rule added to allow something that was blocked, actually work?
Thanks
-
- I currently just manually back up my configuration file to my PC via the webgui. After any major change I usually do this. I assume that should I ever bork my box, a simple reset to factory default, login to the webgui, upload the config file, I should be back to normal. <--- Would this be correct?
That is correct. The configuration file is supposed to contain everything needed to restore the box. However there are some limitations:
1. You might not have saved RRD graph data.
2. SSH keys are not preserved. If you reinstall and then apply old configuration you will get new SSH keys, not the old ones.
3. If you apply a saved configuration file to new hardware you will almost certainly need to change the physical interface names. It is generally most convenient to do this before uploading the configuration file. For example, your old box might have physical interface names em0, em1 and msk0 while the new box has igb0, re0 and msk0.
- What happens if I add rules from the firewall logs to allow something that was blocked? What happens to this rule, since it would usually be at the bottom of the list. Since I am IP specific, and the firewall works top down, would a rule added to allow something that was blocked, actually work?
I would guess the new rule would be inserted at the top of the list to ensure it is processed before existing BLOCK rules.
In your case, I would be cautious about assuming the new allow rule would specify the correct gateway. PERHAPS the new rule would inherit any gateway specified in the original block rule.
-
- So, under the firewall rules, lan, I created a rule for every single static IP mapped address, and selected which gateway I wanted it to exit through. So, if I wanted 192.168.1.2 to exit via my isp, I selected that. Seems to be working perfectly. Specific devices are going through my vpn provider, the rest are going through my ISP.
You can make your life a little easier by creating an alias (Firewall->Aliases). Make 1 rule sending that alias to the VPN. Put all the devices that should go over the VPN into that alias. Less "almost duplicated" rules to manage, and 1 easy place to add/remove devices from the list.
You could also allocate static mapping IPs for the "over the VPN" devices to a nice "power of 2" range of your subnet - e.g. 192.168.1.16 to 31 - that means they are all in network 192.168.1.16/28 - then you can make your alias just be the network 192.168.1.16/28. Static mapping something inside that network will result in its traffic going over the VPN. If you are comfortable with thinking/using variable-sized network masks then that can be easy.
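As an added example (not from the thread and not pfSense's own code), the following Python script models the top-down, first-match rule evaluation the question asks about and the /28 alias suggested in the last reply. The rule table, the extra host 192.168.1.50 and the gateway labels WAN_GW and VPN_GW are constructed for illustration.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed model of the LAN rule set from the question: one pass rule per
# statically mapped host that picks its exit gateway, then a catch-all for the
# LAN subnet sending everything else (e.g. DHCP-pool hosts) out via the ISP.
# WAN_GW / VPN_GW are hypothetical gateway labels, not pfSense defaults.
PER_HOST_RULES = [
    ("pass", ip_network("192.168.1.2/32"), "WAN_GW"),
    ("pass", ip_network("192.168.1.3/32"), "VPN_GW"),
    ("pass", ip_network("192.168.1.4/32"), "VPN_GW"),
    ("pass", ip_network("192.168.1.0/24"), "WAN_GW"),  # last rule: LAN -> ISP
]
# A pass rule appended below the catch-all, as a rule added from the logs might be.
LATE_RULE = ("pass", ip_network("192.168.1.50/32"), "VPN_GW")

def first_match(rules, src):
    """Top-down, first-match evaluation as pfSense applies LAN rules: the first
    rule whose source network contains src decides action and gateway.
    Returns (rule_index, action, gateway); no match is the implicit deny."""
    src = ip_address(src)
    for idx, (action, net, gateway) in enumerate(rules):
        if src in net:
            return idx, action, gateway
    return None, "block", None

def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule already
    covers their whole source network."""
    return [i for i, (_, net, _) in enumerate(rules)
            if any(net.subnet_of(earlier) for _, earlier, _ in rules[:i])]

def alias_for_range(first, last):
    """Collapse first..last into one CIDR network when the range is aligned to
    a power of two (192.168.1.16-31 -> 192.168.1.16/28); None when it is not,
    i.e. the alias would need several entries instead of one network."""
    nets = list(summarize_address_range(ip_address(first), ip_address(last)))
    return nets[0] if len(nets) == 1 else None

def alias_rules(vpn_net):
    """Two-rule version from the last reply: VPN alias network first, then the
    LAN catch-all to the ISP."""
    return [("pass", vpn_net, "VPN_GW"),
            ("pass", ip_network("192.168.1.0/24"), "WAN_GW")]

if __name__ == "__main__":
    print(first_match(PER_HOST_RULES, "192.168.1.3"))    # (1, 'pass', 'VPN_GW')
    print(first_match(PER_HOST_RULES, "192.168.1.150"))  # (3, 'pass', 'WAN_GW')
    print(shadowed_rules(PER_HOST_RULES + [LATE_RULE]))  # [4]: never reached
    vpn = alias_for_range("192.168.1.16", "192.168.1.31")
    print(vpn, first_match(alias_rules(vpn), "192.168.1.20"))
    print(alias_for_range("192.168.1.16", "192.168.1.30"))  # None: not aligned
```

The shadowed-rule check is the part to run before trusting a pass rule that lands below the LAN catch-all: if its source network is already covered by an earlier rule, the new rule never changes which gateway the traffic takes.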