What are some "Do NOT do this" type of advice in terms of firewall security?
-
So, on a default install of pfsense, the WAN firewall rules are empty, with the likely exception of the bogon-blocking rules. One of the things one should not do is add a pass all rule on the WAN side, which will expose the public IP to everyone on the internet. This would allow unwanted remote administration.
Along similar lines, what security flaws could one accidentally make? Also, is my assumption above correct?
-
Well, I would say a pass all rule on the wan side would definitely create some security holes, however without them being NAT'd it would stop at the firewall. This poses a threat because now your firewall would be open to attacks over 80/443 or 22 if you have it open.
It all boils down to what you want to do with the appliance. It's capable of so many things, and applies to so many different scenarios. Because of the wide range of uses, what would be a really bad idea for you, could be a great one for me.
If you're going to use VLANs, it's best not to have an interface that's trunked on the same port you use for VLANs. I mean, you don't want the LAN interface sharing the same interface as one you're using for VLANs. But this only matters to people running VLANs.
Also, it's a good practice to deny access to the pfsense web GUI on interfaces that have no business accessing it. I do not allow my wireless network to access the web GUI of my pfsense. However, there may be a scenario where this is your only option… But even in a home environment, if somebody breaks into your wifi you don't want to give them the chance of playing with your firewall. It'd be your luck that the web service pfsense uses just happens to have a 0-day exploit the day said attacker comes in.
I personally make sure each network segment cannot talk to one another except for specific services they need.
If you're going to use UPnP, make sure it's only on the interface you really need it on, and even then you can set it to be more specific by MAC address (say an xbox).
If you give a little background on what you'll be using it for, and possible future uses I'm sure myself or others could give some more insight.
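A defender's check for the two mistakes this post warns about: a pass any/any rule on WAN, and a rule that lets a non-admin segment (such as wifi) reach the web GUI. This is an added example, not code from the thread or from the pfSense project; SAMPLE_CONFIG is a constructed sample that mirrors the `<filter><rule>` layout of a pfSense config.xml, and the GUI port is assumed to live at `<system><webgui><port>`.

```python
"""Flag risky pass rules in a pfSense-style config.xml export: pass any/any on
WAN, and rules that let a non-admin segment reach the web GUI.
Added example; SAMPLE_CONFIG is a constructed sample mirroring the
<filter><rule> layout of pfSense's config.xml, not an export from a real box."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <system><webgui><protocol>https</protocol><port>443</port></webgui></system>
  <filter>
    <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source><destination><any/></destination>
      <descr>mistake: pass all on WAN</descr></rule>
    <rule><type>pass</type><interface>opt1</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol><source><network>opt1</network></source>
      <destination><network>(self)</network><port>443</port></destination>
      <descr>wifi segment may reach GUI</descr></rule>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>default allow LAN to any</descr></rule>
  </filter>
</pfsense>"""


def audit_rules(xml_text, admin_ifaces=("lan",)):
    """Return (interface, descr, finding) tuples for pass rules worth a second look.
    admin_ifaces: interfaces allowed to reach the GUI (default: LAN only). Port
    ranges/aliases are not expanded; only an exact GUI-port match or no port counts."""
    root = ET.fromstring(xml_text)
    gui_port = root.findtext("system/webgui/port") or "443"   # pfSense default HTTPS port
    findings = []
    for rule in root.iterfind("filter/rule"):
        if rule.findtext("type") != "pass":
            continue
        iface = rule.findtext("interface", "")
        descr = rule.findtext("descr", "")
        src_any = rule.find("source/any") is not None
        dst_any = rule.find("destination/any") is not None
        dst_net = rule.findtext("destination/network")
        dst_port = rule.findtext("destination/port")
        if iface == "wan" and src_any and dst_any:
            findings.append((iface, descr, "pass any/any on WAN exposes the firewall itself"))
        # An "any" destination, or (self) on the GUI port, reaches the firewall's own GUI.
        gui_reachable = dst_any or (dst_net == "(self)" and dst_port in (None, gui_port))
        if iface not in admin_ifaces and iface != "wan" and gui_reachable:
            findings.append((iface, descr, f"web GUI port {gui_port} reachable from {iface}"))
    return findings
```

Run `audit_rules(SAMPLE_CONFIG)` to list the two flagged rules; pass `admin_ifaces=("lan", "opt1")` if opt1 is genuinely an admin segment and only the WAN finding remains.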
-
I want to have an "enterprise" level firewall operating in a home network. The primary purpose is security, so I want an IDS, AV scanner, and IP Blocker as a minimum. I do actually have a device (xbox) that is connected to the network. However, my setup is like this:
Modem (ISP) -> pfSense firewall* (1 wan to 1 lan) -> consumer router (1 wan to 4 lans) -> 4 lans (computers + xbox)
*The firewall, I suppose, is acting as a router now, too. I have not customized NAT, nor have I set it to bridge mode. The pfsense LAN subnet is different from the consumer router's LAN subnet. The consumer router picks up pfsense via DHCP.
The reason I am using a consumer router is because I couldn't figure out how to set up the optional interfaces. I have a NIC adapter with 4 ports (LAN), and my mobo has 1 port (WAN). When I configure pfsense (for the first time or after a factory reset), IPs are automatically set for the pfsense WAN and LAN, but OPT1-4 need to be entered manually. Even after entering IPs manually for the OPT interfaces (each interface with a different subnet), I was not able to figure out what specific settings to implement regarding NAT or firewall rules. Couldn't find a guide either.
Because of my setup above, I assume I'm not able to implement Web GUI blocking.
-
If pfsense detected the additional ports, then it should have them show up under "Interfaces." You can set up a captive portal for any or all of the interfaces if that's what you're asking.
You'll probably want DHCP turned on for each interface, so make sure under Services > DHCP, each applicable interface is configured.
I suck at subnetting, but ideally you only want to subnet the IP space you're going to use. I'm no use here.
When you create a NAT entry, it'll automatically create a firewall rule for you, so port forwarding should be very easy. Let me know where you're getting stuck at exactly and I'll see if I can help.
-
While going through your recommendation, I came across a problem and wanted to ask if you recommend setting DHCP on the OPT interfaces via Interfaces > OPT#, or should I set a static IP in Interfaces > OPT#, then set DHCP in Services > DHCP?
If I follow your initial instruction of setting DHCP via Services > DHCP, I am left with an incorrect range. For example, if LAN IP is set to 50.50.50.50, and its DHCP range is 50.50.50.100 to 50.50.50.200 (subnet mask 255.255.255.0), and I set the static IP of OPT1 to 7.7.7.1, my available range is 7.7.7.2 to 7.7.7.0, which doesn't make sense (and my subnet mask for opt1 is automatically set to 255.255.255.255).
If I need to create "Additional Pools," is there a walkthrough I can read?
-
If you want said interface to hand out IPs to a network, then:
Interfaces: Static IP address; to keep good form have it end in 1, e.g. 192.168.1.1 or 10.0.0.1
Services > DHCP: A range that matches the static IP of the corresponding interface, e.g. 192.168.1.10-20 or 10.0.0.10-20
-
Ah, the solution was to simply add a pass all rule. Is there documentation that goes through a captive portal setup? This page wasn't helpful: https://doc.pfsense.org/index.php/Captive_Portal. I don't know where the Captive Portal tab would be.
-
On the Services tab, the first one is Captive Portal.
Needless to say, you do not activate it on the WAN or LAN interface, but on one of the OPTx interfaces. The easiest setup will be: activate Local User Manager / Vouchers under Authentication and add some users to your pfSense box.
Do NOT forget to add a pass rule on the firewall for the interface that the portal is using.
-
"The reason I am using a consumer router is because I couldn't figure out how to setup the optional interfaces. "
For your examples of trying to set up the other interfaces - I take it you have no idea how to segment or subnet at all. So why do you think you need 4 interfaces on pfsense – I find it hard to believe you set up a different router with 4 network segments, from the example you try to give with 50.50.50 and 7.7.7.
And what consumer router are you using that allows multiple network segments on its LAN ports? Are you running dd-wrt on it or something? If not, I assume your "4 lans" comment refers to the fact that it has 4 LAN ports, which would all be on the same network.
As to where captive portals are set up - under the Services section.
-
Thanks for the help john and gertjan.
John,
I've moved from dd-wrt to pfsense, and am on a setup with only 1 firewall/router (just pfsense). I ditched the consumer router once I figured out that all I needed was a pass all rule on the OPT interfaces.
I successfully created multiple subnets across all interfaces, but since I had not used captive portal, I wasn't sure if they should be on different 255.255.0.0 subnets. The numbers are arbitrary. I don't mind if they're all 7s or 50s, just as long as the subnet differentiation is correct. So as an example, it could be set as 111.111.1.1 for opt1, 111.111.2.1 for opt2, and so forth. What I didn't know was if it mattered to vary the largest address range, such as opt1 at 111.111.1.1 and opt2 at 222.111.1.1.
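The addressing questions raised in this thread (the DHCP range that came out as "7.7.7.2 to 7.7.7.0" under a 255.255.255.255 mask, the static-IP-then-pool recipe, and whether 111.111.1.1 and 111.111.2.1 on a 255.255.0.0 mask are really separate segments) can be worked through mechanically. This is an added example using only the Python standard library, not code from the thread or from pfSense; the addresses are the arbitrary ones the posters used.

```python
"""Work through the addressing questions in the thread: which DHCP pool an
interface can hand out, why a 255.255.255.255 mask leaves none, and whether
two OPTx segments are actually distinct networks.  Added example (standard
library only); the addresses are the arbitrary ones used in the thread."""
import ipaddress
from itertools import combinations


def dhcp_pool(iface_cidr, first=10, last=20):
    """DHCP range spanning the first..last usable addresses of the interface's
    network, as a (start, end) pair of strings.  Returns None when the mask
    leaves no room (/31, /32: the '7.7.7.2 to 7.7.7.0' symptom) or when the
    pool would swallow the interface's own address."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    if net.prefixlen > 30:
        return None
    lo = int(net.network_address) + 1          # first usable host
    hi = int(net.broadcast_address) - 1        # last usable host
    start, end = lo + first - 1, lo + last - 1
    if end > hi or start <= int(iface.ip) <= end:
        return None
    return str(ipaddress.ip_address(start)), str(ipaddress.ip_address(end))


def overlapping_segments(iface_cidrs):
    """Pairs of interface addresses whose networks overlap, i.e. are not
    separate segments no matter how different the third octet looks.
    With a /16 mask, 111.111.1.1 and 111.111.2.1 are the same network."""
    nets = {c: ipaddress.ip_interface(c).network for c in iface_cidrs}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]
```

`dhcp_pool("192.168.1.1/24")` gives the 192.168.1.10-20 range from the recipe above, while `dhcp_pool("7.7.7.1/32")` returns None; `overlapping_segments(["111.111.1.1/16", "111.111.2.1/16"])` reports the collision and the same addresses with /24 do not.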