Re: [pfSense] Moving traffic between LAN & OPT1

2017-12-22 Thread Eero Volotinen
Hi,

Check out firewall / rules / interface_name

Eero

2017-12-23 6:25 GMT+02:00 Antonio:

> Hi,
>
> I'm not sure how you move traffic between the above interfaces. I was
> under the impression that all you needed was a "Default allow LAN to any
> rule" and job done. Yet I'm struggling to get devices of different
> interfaces to communicate. What am I missing?
>
>
> Thanks
>
>
>
> --
>
>
> Respect your privacy and that of others, don't give your data to big
> corporations.
> Use alternatives like Signal (https://whispersystems.org/) for your
> messaging or
> Diaspora* (https://joindiaspora.com/) for your social networking.
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] Moving traffic between LAN & OPT1

2017-12-22 Thread Antonio
Hi,

I'm not sure how you move traffic between the above interfaces. I was
under the impression that all you needed was a "Default allow LAN to any
rule" and job done. Yet I'm struggling to get devices of different
interfaces to communicate. What am I missing?


Thanks





Re: [pfSense] Finding the best network setup for pfsense.

2017-12-22 Thread Laz C. Peterson
Hello,

A couple words from our experiences …

We have quite a few firewalls and many services offered publicly depending on 
which site you’re talking about, and we’ve learned that it really doesn’t pay 
off to try and micro-manage the firewall.  pfSense is done well, so by default, 
you can feel good about not really playing with the settings.  If you want 
security, you really want to have VPN to any clients that are going to access 
your network.  Don’t be opening up ports on the firewall.  So if you wanted to 
have access to your internal network, you could set that up easily with pfSense 
and the client for your OS.

If you wanted to do public services, like a web server etc, then it is what it 
is.  You’ll get hit by who knows what.  People scan IPs and ports all day long.
It doesn’t stop.  But then just open the ports, send them to your internal 
server and call it a day.  No need to worry about those things at the pfSense, 
unless you start having issues (then you can look into security features in 
pfSense).

Blocking private networks is a necessity (unless you have weird network 
requirements) because no WAN IP should have a private address trying to 
communicate with your pfSense.  That would be bad news.

The proxy is great.  You’ll love it for your kids.  Just make sure to disable 
their cellular access ;-) …

Regarding routing, we always make separate subnets.  One internal subnet would 
be “home” and the other would be “work”.  Work network gets to connect to VPNs, 
home does not.  Each network carries its traffic separately internally and to 
the internet, and they cannot communicate with each other.  We do have some 
cases with AppleTV that we want to have mDNS and communication between subnets, 
so we do make special consideration for those — but it’s rare.  But that may be 
of use to you … Streaming devices are always fun to get working with a complex 
(but optimal!) network.

Just some thoughts for you.  Good luck!

~ Laz Peterson
Paravis, LLC

> On Dec 22, 2017, at 6:34 PM, Antonio wrote:
> 
> You are probably right so I have gone and disconnected the Hawk. I'm a
> bit worried now that my WAN is exposed to attacks. Is it sufficient to
> have the "Block private networks" and "Block bogon networks" active on
> the WAN interface? Any other rules needed?
> 
> 
> Thanks
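
Added example (not part of the thread and not pfSense code): a simplified Python model of the per-interface, first-match, stateful filtering configured under firewall / rules / interface_name, covering both the LAN and OPT1 question above and the subnet separation and "Block private networks" advice in this reply. The subnets and addresses are constructed, only the IPv4 RFC 1918 ranges of "Block private networks" are modelled, and the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
LAN, OPT1 = "192.168.1.0/24", "192.168.2.0/24"               # constructed subnets
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # IPv4 part only

@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: str      # source network
    dst: str      # destination network
    label: str

class Firewall:
    """Toy model: rules are checked on the interface a packet ENTERS,
    top-down, first match wins; nothing matched means default deny."""
    def __init__(self, rules):
        self.rules = rules      # {interface: [Rule, ...]}
        self.states = set()     # (src, dst) of connections already passed

    def packet(self, iface, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (d, s) in self.states:            # reply to a passed connection
            return ("pass", "existing state")
        for r in self.rules.get(iface, []):
            if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
                if r.action == "pass":
                    self.states.add((s, d))
                return (r.action, r.label)
        return ("block", "default deny")

def default_install():
    return Firewall({
        "WAN": [Rule("block", n, ANY, "Block private networks") for n in RFC1918],
        "LAN": [Rule("pass", LAN, ANY, "Default allow LAN to any rule")],
        "OPT1": [],             # a newly added OPT interface has no rules yet
    })

def isolated_opt1():
    """The LAN1/LAN2 idea from the thread: OPT1 reaches the internet, never LAN."""
    fw = default_install()
    fw.rules["OPT1"] = [Rule("block", OPT1, LAN, "OPT1 to LAN blocked"),
                        Rule("pass", OPT1, ANY, "OPT1 to any")]
    return fw

def demo():
    fw, iso = default_install(), isolated_opt1()
    return {
        "opt1_starts": fw.packet("OPT1", "192.168.2.30", "192.168.1.10"),
        "lan_starts": fw.packet("LAN", "192.168.1.10", "192.168.2.20"),
        "opt1_replies": fw.packet("OPT1", "192.168.2.20", "192.168.1.10"),
        "wan_private_src": fw.packet("WAN", "10.1.2.3", "203.0.113.5"),
        "wan_public_src": fw.packet("WAN", "198.51.100.7", "203.0.113.5"),
        "iso_opt1_to_lan": iso.packet("OPT1", "192.168.2.30", "192.168.1.10"),
        "iso_opt1_to_net": iso.packet("OPT1", "192.168.2.30", "198.51.100.7"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```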

Re: [pfSense] Finding the best network setup for pfsense.

2017-12-22 Thread Antonio
You are probably right so I have gone and disconnected the Hawk. I'm a
bit worried now that my WAN is exposed to attacks. Is it sufficient to
have the "Block private networks" and "Block bogon networks" active on
the WAN interface? Any other rules needed?


Thanks

On 23/12/2017 00:29, Ryan Coleman wrote:
> I think the overkill is all the extra appliances doing things that
> pfSense can do.
>
> You want the pfSense to be in the middle, you want the traffic to be
> filtered and routed… pfSense is great for this very task, you don’t
> need the Hawk or Netgear firewalls… 
>
> aDSL modem -> pfSense -> switch -> Rest of network

Re: [pfSense] Finding the best network setup for pfsense.

2017-12-22 Thread Ryan Coleman
I think the overkill is all the extra appliances doing things that pfSense can 
do.

You want the pfSense to be in the middle, you want the traffic to be filtered 
and routed… pfSense is great for this very task, you don’t need the Hawk or 
Netgear firewalls… 

aDSL modem -> pfSense -> switch -> Rest of network



> On Dec 22, 2017, at 6:15 PM, Antonio wrote:
> 
> Sounds cool but maybe a bit overkill for what I need ...
> 
> Cheers

Re: [pfSense] Finding the best network setup for pfsense.

2017-12-22 Thread Antonio
Sounds cool but maybe a bit overkill for what I need ...

Cheers

On 22/12/2017 22:35, Eero Volotinen wrote:
> Well,
>
> Just plug pfsense to ADSL and buy managed switch and some unifi wlan
> aps. You can install proxy on pfsense box also..
>
>
> Eero


Re: [pfSense] Finding the best network setup for pfsense.

2017-12-22 Thread Eero Volotinen
Well,

Just plug pfsense to ADSL and buy managed switch and some unifi wlan aps.
You can install proxy on pfsense box also..


Eero



[pfSense] Finding the best network setup for pfsense.

2017-12-22 Thread Antonio
Hello,

I'm trying to design an optimal network setting for my home and was
wondering what people's thoughts were based on my needs:

1) Need a single DHCP, DNSMasq server;

2) want to route traffic through VPNs only on certain parts of my network

3) want to eventually install a proxy somewhere on the network to route
traffic from my kids' laptops/tablets.

4) obviously want to firewall all centrally as best as possible.

My setup is as follows:

a) I have a little compact mini PC with four ethernet connections (1x
WAN and 3x LAN) - it's wifi too

b) A Netgear Modem onto ADSL

c) A Netgear router Hawk 7000

d) a couple of desktop PCs wired to (a) as well as a server

e) several mobiles, IoTs that connect wireless to (c)

At the moment the connection is (b)->(c)->(a)->PCs but I feel I'm not
getting the best of this setup, particularly pfSense which at the moment
is just firewalling my PCs/server.

I generally consider the wifi network the weak point as guests come and
connect to it, that's why it's connected before (a); traffic from (c)
cannot get past (a) but the PCs/server can get out on the internet. I
feel that (a) should be connected to (b) and (c) should then be
connected to one of the LAN ports on (a), say LAN2 (I would have a
switch on LAN1 with PCs/server). I could then use pfSense to route
traffic from LAN2 to WAN and firewall LAN1 so that traffic from LAN2
could not go to LAN1.

That way, I could then set up pfSense as my single DHCP and DNSMasq
server. I could then set up VPNs for just traffic of LAN1 or LAN2.

Would you agree with this sort of setup or do you think I could
implement things better?

I look forward to some of your thoughts.

Best regards
