Basic Setup and Configuring pfSense Firewall Rules For Home

Lawrence Systems
29 Dec 2021 (17:27)

Summary

TL;DR: In this video, Tom from Lawrence Systems discusses how to securely set up pfSense for a home network. He shares insights on firewall rules and on organizing different devices, such as media servers, cameras, and IoT devices, into isolated subnets. Tom emphasizes the importance of limiting network access according to the principle of least privilege and applying firewall rules to reduce security risk. He also covers the use of VPNs for external access and the setup of devices such as Plex, Synology, and TrueNAS. For more advanced users, he touches on tools like pfBlocker and Suricata, though they may be overkill for typical home setups.

Takeaways

  • A home network needs carefully designed firewall rules to stay secure, especially when running a system like pfSense.
  • Devices like Plex, Emby, TrueNAS, Synology, and cameras should be placed on appropriate subnets to improve network security.
  • IoT devices, and phones, should be isolated on separate networks to limit the blast radius of a compromise and prevent lateral movement.
  • VPNs such as WireGuard and OpenVPN are secure alternatives to port forwarding and should be used for remote access to the home network.
  • Firewall rules should block unnecessary access between networks, for example by preventing devices on the NSFW LAN from reaching admin networks.
  • The camera network (Cam LAN) should be isolated from the internet so that vulnerable camera firmware cannot be reached from outside or phone home.
  • Devices with administrative control, such as network controllers and management interfaces, belong on a dedicated isolated network (e.g., the "LTS Tom" network).
  • Applying the principle of least privilege minimizes the risk of an internal threat or compromised device spreading across the network.
  • External access should be avoided unless absolutely necessary; where it is needed, a VPN is the secure way to reach services remotely.
  • Setting up and managing VLANs and subnets gives granular control over network traffic and improves overall security.
  • Security tools like pfBlocker and Suricata can help, but may be overkill for simple home setups where a VPN already provides adequate protection.

Q & A

  • What are some common devices typically found in a home network setup?

    - Common devices in a home network include Plex and Emby servers for media streaming, NAS (Network Attached Storage) systems like Synology and TrueNAS for storage, and IoT devices such as smart TVs, Chromecasts, cameras, and gaming systems. These devices need careful configuration to keep the network secure.

  • Why should phones be placed on the same network as media devices like Chromecasts?

    - Phones should share a network with media devices like Chromecasts because casting and media streaming rely on direct communication (discovery and streaming) between them. Placing them on separate subnets creates connectivity issues and complicates updates.

  • What is the purpose of creating different subnets for different devices in a home network?

    - Separate subnets improve security by isolating traffic between groups of devices. This prevents one compromised device from affecting others and limits lateral movement across the network.

  • What is the role of the firewall rules in the pfSense setup?

    - Firewall rules in pfSense control traffic between the different subnets and devices. They block unwanted communication, restrict admin access, and ensure that devices on more exposed networks, such as the NSFW LAN, cannot reach critical network components.

  • How does pfSense prevent potential security risks from cameras in the home network?

    - The pfSense firewall isolates the cameras in a dedicated "Cam LAN" and prevents them from reaching the internet or other parts of the network. Limiting the cameras to their own subnet mitigates the risk posed by vulnerabilities in their firmware.

  • Why is a VPN recommended instead of opening ports for external access?

    - A VPN provides an authenticated, encrypted connection into the home network, so devices are not exposed directly to the internet. It also removes the need for port forwarding, which publishes a service to the whole internet and increases the attack surface.

  • What does the "NSFW LAN" refer to in the home network setup?

    - The "NSFW LAN" is a network designated for devices like gaming systems, guest devices, and smart TVs that generate a lot of traffic or noise. It is intentionally isolated from the more critical networks to contain the risk posed by these less trustworthy devices.

  • What additional security measures are used to secure devices like Synology and TrueNAS?

    - Synology and TrueNAS devices are placed on separate subnets with limited firewall access. Their admin interfaces are locked down so that they are reachable only from specific trusted networks, adding a further layer of protection against unauthorized access.

  • How does the pfSense firewall manage access to services like Plex or Emby?

    - The pfSense firewall lets media servers like Plex and Emby communicate with devices on the same network while preventing access from other subnets. This keeps the media storage from being reached by unauthorized devices while still letting authorized devices stream content.

  • What is the role of pfBlocker and Suricata in the home network security setup?

    - pfBlocker blocks unwanted IP addresses and protects the network from external threats, while Suricata is an intrusion detection and prevention system. Suricata may be overkill for a home setup, however: most outbound traffic is encrypted, so its effectiveness there is limited.
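The segmentation policy described in the takeaways and Q&A, modelled as an added example (this is illustrative Python, not code from the video or from pfSense): pfSense evaluates rules per interface on traffic entering from that interface, first match wins, and anything unmatched is dropped. The subnet addresses and rule lists are constructed assumptions chosen to express the video's policy (cameras isolated, NSFW and LAN kept away from admin, VPN as the only remote path).

```python
import ipaddress

# Constructed subnets for the networks the video names; the addresses are assumptions.
NETS = {
    "ADMIN": ipaddress.ip_network("10.0.10.0/24"),  # controllers, management UIs
    "LAN":   ipaddress.ip_network("10.0.20.0/24"),  # phones, Chromecasts, Plex clients
    "NSFW":  ipaddress.ip_network("10.0.30.0/24"),  # smart TVs, consoles, guests
    "CAM":   ipaddress.ip_network("10.0.40.0/24"),  # cameras: no internet at all
    "VPN":   ipaddress.ip_network("10.0.50.0/24"),  # WireGuard/OpenVPN clients
}

# Per-interface rule lists in pfSense order: rules apply to traffic entering the
# firewall from that interface, first match wins, and an unmatched packet is dropped.
# Each rule is (action, destination), where destination is a network name or "ANY".
# Rules are stateful, so a network with no rules can still answer connections
# that a permitted network opened toward it (e.g. ADMIN viewing a camera).
RULES = {
    "ADMIN": [("pass", "ANY")],
    "LAN":   [("block", "ADMIN"), ("block", "CAM"), ("pass", "ANY")],
    "NSFW":  [("block", "ADMIN"), ("block", "LAN"), ("block", "CAM"), ("pass", "ANY")],
    "CAM":   [],                                  # cameras may initiate nothing
    "VPN":   [("pass", "LAN"), ("pass", "CAM")],  # remote viewing, nothing more
}

def net_of(ip):
    """Return the name of the subnet containing ip, or 'INTERNET' if none does."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETS.items() if addr in net), "INTERNET")

def decide(src_ip, dst_ip):
    """Evaluate the rule list of the source's interface; implicit deny at the end."""
    src, dst = net_of(src_ip), net_of(dst_ip)
    for action, target in RULES.get(src, []):
        if target == "ANY" or target == dst:
            return action
    return "block"

# Invariants from the video, checked with one constructed host per network.
HOST = {n: str(net.network_address + 10) for n, net in NETS.items()}
HOST["INTERNET"] = "203.0.113.5"                  # documentation range, constructed
INVARIANTS = [
    ("CAM", "INTERNET", "block"), ("CAM", "LAN", "block"),
    ("NSFW", "ADMIN", "block"),   ("NSFW", "LAN", "block"),
    ("LAN", "ADMIN", "block"),    ("LAN", "INTERNET", "pass"),
    ("VPN", "CAM", "pass"),       ("VPN", "ADMIN", "block"),
    ("ADMIN", "CAM", "pass"),
]

def violations():
    """Return the invariants the rule set fails to enforce (empty means policy holds)."""
    return [(s, d) for s, d, want in INVARIANTS if decide(HOST[s], HOST[d]) != want]
```

Re-ordering a rule list (for example moving the LAN "pass ANY" above its block rules) makes `violations()` non-empty, which is the ordering mistake the first-match model is meant to catch.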


Related Tags: pfSense, firewall rules, network security, home network, VPN setup, device management, media server, subnets, Synology, IoT devices, privacy protection