Hello,

A couple words from our experiences …

We have quite a few firewalls and many services offered publicly depending on 
which site you’re talking about, and we’ve learned that it really doesn’t pay 
off to try and micro-manage the firewall.  pfSense is done well, so by default, 
you can feel good about not really playing with the settings.  If you want 
security, you really want to have VPN to any clients that are going to access 
your network.  Don’t be opening up ports on the firewall.  So if you wanted to 
have access to your internal network, you could set that up easily with pfSense 
and the client for your OS.

If you wanted to do public services, like a web server etc, then it is what it 
is.  You’ll get hit by who knows what.  People scan IPs and ports all day long. 
It doesn’t stop.  But then just open the ports, send them to your internal 
server and call it a day.  No need to worry about those things at the pfSense, 
unless you start having issues (then you can look into security features in 
pfSense).

Blocking private networks is a necessity (unless you have weird network 
requirements) because no WAN IP should have a private address trying to 
communicate with your pfSense.  That would be bad news.

The proxy is great.  You’ll love it for your kids.  Just make sure to disable 
their cellular access ;-) …

Regarding routing, we always make separate subnets.  One internal subnet would 
be “home” and the other would be “work”.  Work network gets to connect to VPNs, 
home does not.  Each network carries its traffic separately internally and to 
the internet, and they cannot communicate with each other.  We do have some 
cases with AppleTV that we want to have mDNS and communication between subnets, 
so we do make special consideration for those — but it’s rare.  But that may be 
of use to you … Streaming devices are always fun to get working with a complex 
(but optimal!) network.

Just some thoughts for you.  Good luck!

~ Laz Peterson
Paravis, LLC

> On Dec 22, 2017, at 6:34 PM, Antonio <m...@geotux.it> wrote:
> 
> You are probably right so I have gone and disconnected the Hawk. I'm a
> bit worried now that my WAN is exposed to attacks. Is it sufficient to
> have the "Block private networks" and "Block bogon networks" active on
> the WAN interface? Any other rules needed?
> 
> 
> Thanks
> 
> Respect your privacy and that of others, don't give your data to big 
> corporations.
> Use alternatives like Signal (https://whispersystems.org/) for your messaging or 
> Diaspora* (https://joindiaspora.com/) for your social networking.
> 
> On 23/12/2017 00:29, Ryan Coleman wrote:
>> I think the overkill is all the extra appliances doing things that
>> pfSense can do.
>> 
>> You want the pfSense to be in the middle, you want the traffic to be
>> filtered and routed… pfSense is great for this very task, you don’t
>> need the Hawk or Netgear firewalls… 
>> 
>> aDSL modem -> pfSense -> switch -> Rest of network
>> 
>> 
>> 
>>> On Dec 22, 2017, at 6:15 PM, Antonio <m...@geotux.it> wrote:
>>> 
>>> Sounds cool but maybe a bit overkill for what i need ...
>>> 
>>> Cheers
>>> 
>>> 
>>> On 22/12/2017 22:35, Eero Volotinen wrote:
>>>> Well,
>>>> 
>>>> Just plug pfsense to ADSL and buy managed switch and some unifi wlan
>>>> aps. You can install proxy on pfsense box also..
>>>> 
>>>> 
>>>> Eero
>>>> 
>>>> On 22.12.2017 23.57 "Antonio" <m...@geotux.it> wrote:
>>>> 
>>>>    Hello,
>>>> 
>>>>    I'm trying to design an optimal network setting for my home and was
>>>>    wondering what people's thoughts were based on my needs:
>>>> 
>>>>    1) Need a single DHCP, DNSMasq server;
>>>> 
>>>>    2) want to route traffic through VPNs only on certain parts of my
>>>>    network
>>>> 
>>>>    3) want to eventually install a proxy somewhere on the network to route
>>>>    traffic from my kids' laptops/tablets.
>>>> 
>>>>    4) obviously want to firewall all centrally as best as possible.
>>>> 
>>>>    My setup is as follows:
>>>> 
>>>>    a) I have a little compact mini PC with four ethernet connections (1x
>>>>    WAN and 3x LAN) - it's wifi too
>>>> 
>>>>    b) A Netgear Modem onto ADSL
>>>> 
>>>>    c) A Netgear router Hawk 7000
>>>> 
>>>>    d) a couple of desktop PCs wired to (a) as well as a server
>>>> 
>>>>    e) several mobiles, IoTs that connect wireless to (c)
>>>> 
>>>>    At the moment the connection is (b)->(c)->(a)->PCs but I feel I'm not
>>>>    getting the best of this setup, particularly pfSense which at the moment
>>>>    is just firewalling my PCs/server.
>>>> 
>>>>    I generally consider the wifi network the weak point as guests come and
>>>>    connect to it; that's why it's connected before (a); traffic from (c)
>>>>    cannot get past (a) but the PCs/server can get out on the internet. I
>>>>    feel that (a) should be connected to (b) and (c) should then be
>>>>    connected to one of the LAN ports on (a), say LAN2 (I would have a
>>>>    switch on LAN1 with PCs/server). I could then use pfSense to route
>>>>    traffic from LAN2 to WAN and firewall LAN1 so that traffic from LAN2
>>>>    could not go to LAN1.
>>>> 
>>>>    That way, I could then set up pfSense as my single DHCP and DNSMasq
>>>>    server. I could then set up VPNs for just traffic of LAN1 or LAN2.
>>>> 
>>>>    Would you agree with this sort of setup or do you think I could
>>>>    implement things better?
>>>> 
>>>>    I look forward to some of your thoughts.
>>>> 
>>>>    Best regards
>>>> 
>>>> 
>>>>    _______________________________________________
>>>>    pfSense mailing list
>>>>    https://lists.pfsense.org/mailman/listinfo/list
>>>>    Support the project with Gold! https://pfsense.org/gold
>>>> 
>>>> 
>>> 
>> 
> 
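
As an added illustration (not part of the thread, and not the ruleset pfSense itself generates from its GUI), here is what the advice above amounts to when written as a plain pf ruleset: "Block private networks" / "Block bogon networks" on WAN, no inbound ports on WAN with remote access over the VPN instead, Antonio's LAN2 (wifi/guests/IoT) allowed out to the internet but never into LAN1, and the VPN used only by LAN1. Interface names, subnets, the tunnel interface and its gateway address, and the bogon file path are all assumptions; on pfSense you would set the equivalents in the GUI rather than editing pf.conf by hand.

```pf
# Added example: hand-written pf.conf for the topology discussed in the thread.
# Interface names, addresses and the VPN tunnel details are assumptions.

wan    = "em0"        # towards the Netgear ADSL modem
lan1   = "em1"        # wired PCs / server ("work"-style subnet)
lan2   = "em2"        # Hawk / wifi / IoT ("home" / guest subnet)
vpn    = "tun0"       # assumed VPN client tunnel interface
vpn_gw = "10.8.0.1"   # assumed tunnel peer address

# Source ranges that must never appear on packets arriving from the WAN:
# RFC1918 plus link-local and loopback. pfSense maintains its own bogon list;
# here it is an assumed file with one prefix per line.
table <private_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                             169.254.0.0/16, 127.0.0.0/8 }
table <bogons> persist file "/etc/bogons"

set skip on lo0
scrub in all

# Outbound NAT: both subnets via the WAN, LAN1 additionally via the tunnel.
nat on $wan from { $lan1:network, $lan2:network } to any -> ($wan)
nat on $vpn from $lan1:network to any -> ($vpn)

# Default deny, logged: when you "start having issues", the log shows which
# packets fell through to this rule.
block log all

# WAN: drop private/bogon sources before anything else is evaluated.
# Nothing unsolicited is passed in on WAN (no port forwards); replies to
# outbound connections are matched by state, not by a pass-in rule.
block in log quick on $wan from <private_nets> to any
block in log quick on $wan from <bogons> to any

# DHCP requests arrive from 0.0.0.0, so they need an explicit rule on each
# LAN if the firewall is the single DHCP/DNS forwarder for both subnets.
pass in quick on { $lan1, $lan2 } proto udp from any port 68 to any port 67

# LAN2 (wifi/guests/IoT): internet yes, LAN1 never.
block in log quick on $lan2 from any to $lan1:network
pass in on $lan2 from $lan2:network to any

# LAN1: traffic to the firewall itself (DNS forwarder, web UI) stays local;
# everything else is policy-routed into the VPN tunnel. The local-destination
# rule must come first, otherwise route-to would send it out the tunnel too.
pass in quick on $lan1 from $lan1:network to ($lan1)
pass in on $lan1 route-to ($vpn $vpn_gw) from $lan1:network to ! $lan1:network

# Let the firewall itself talk out (upstream DNS, NTP, package updates).
pass out on { $wan, $vpn } all
```

Two points worth noting when reading this against the thread: the WAN block rules only matter for traffic that would otherwise be passed, and with no pass-in rule on WAN at all they mainly give you logging of spoofed sources rather than extra protection; and mDNS (the AppleTV case) is link-local multicast, so it does not cross the LAN1/LAN2 boundary no matter what these rules say, which is why cross-subnet discovery needs a reflector rather than a firewall rule.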

