We're gonna take an in-depth look at pfSense version 2.4. It's gonna be the latest version as of November 2017. Now the first few things are gonna be some slides from a slide show here, but don't worry, the rest of it goes on to a live demo where I walk you through all the features of pfSense.

So why pfSense? Built on a very solid BSD platform, which is great. Has a lot of enterprise networking features. Open source: the code can be audited, and that is very important and becoming more and more critical every day. They make sure that the firewalls and devices that we have to protect our networks and route our networks do not have some type of hidden backdoors in them, and we've actually seen lots of firewall companies, for convenience, not necessarily nefarious reasons, add backdoors to their system to make it easy to admin, such as hard-coded admin passwords. Horrible idea. Very configurable and customizable, can be completely managed via a well-designed web interface. Has full command line access, nothing hidden. Enterprise features such as VPN, CARP and QoS, the failovers, and this is really cool: you can actually bridge firewalls together and create failover modes for your real enterprise-level support. Third-party plugins: they have a whole database of third-party plugins that are maintained by the pfSense folks. Commercial support available.
You can get a gold subscription which adds some better support options and you get their cool newsletter, and then of course you can actually buy support packages from Netgate directly, which is the people behind pfSense.

pfSense install: the requirements are fairly minimal, so it does not take a whole lot of horsepower to run this. So you're looking at a 500 MHz, 512 RAM; 1 GHz recommended, 1 gig of RAM; CD-ROM or USB for installation. Now they recommend a less-than-four-year-old Intel or AMD clocked at 500 MHz. I think this is probably a little older, because 500 hasn't been around for a lot more than four years, although this is what's still on their page. But it can show that you don't need a ton of horsepower to do the routing on this. A 2 GHz older AMD will, you know, route up to 500 megs a second, which is faster than most home connections. If you're running this at a business with gigabit fiber, then you may want to look at something a lot faster, like enterprise hardware with PCIe.

When you go to download from their website, they have the options of the AMD64 bit and they've deprecated the 32-bit. Version 2.4.1 is the actual latest version right now, so that's the sub-version dot one. You can get the daily snapshots as well. When you're downloading this you get a USB memstick or CD ISO of your choice. I thought that was kind of cool that they have them on there. It's kind of strange, because when you download it you download one or the other; there's not much difference in them, but I guess BSD is a little different than Linux when you're pushing it to a thumb stick versus an ISO. Then you're brought up to the menu when you first click the install, and then from here we're gonna go ahead and jump into the live demo.
So after it boots, this is the first thing you see. You get to accept the copyright and distribution notice. You can do a rescue, an install, or recover. All your data for pfSense is stored in a config.xml file when it's loaded, so that's the only thing you have to recover if a pfSense box somehow becomes unbootable or crashes. But if you can access the drive, all you need is the config.xml file to restore it. Oh yeah, and this does have an option to recover it. We're just gonna run through an install. I'm not gonna change the key map, but you have a bunch of different key map options in here.

Now this is really cool, because you have Auto (UFS), that's the standard version that they've been using forever, then you have Auto (ZFS), and this is where it's a really neat feature they added into the 2.4 series. So we can choose, and this is really kind of neat, we're gonna go and do a RAID-Z1, because I've actually added three hard drives here. You can create RAID arrays, not just mirrored, but actual Z-level RAID arrays with ZFS for redundancy on your system. That's pretty novel. That makes it pretty cool for doing things like really solid installs where you're worried about a hard drive failing; instead of just a mirror you can do this. It's probably overkill, but the fact that you can do it is pretty cool. You can customize names, partition sizes, swap sizes, mirror, encrypt the swap. You can encrypt the disk, but I warn you this is gonna come with the consequence of having to deal with putting the password in every time you boot it up, so it's really not that convenient when you do that. So we'll go ahead and select this. When you're done, I'm sorry, go back up to the top here and hit boom. Are you sure you want to destroy these? Yes, and away it goes.
It's gonna install, and the install goes really fast. I'll fast forward through this and we'll jump to the web interface once we're done. Well, this takes you through the installer, and then I'll show you what once it boots up, so we can look at the console interface, and then once we look at the console interface we can jump into the web interface.

So this is the console from a fresh install. By default the WAN gets the first, whatever the lowest number is. These are virtual network cards, so it's em0, and the LAN gets the next one, and the rest of them are unassigned. So if you have multiple network cards, or six network cards in here, it only assigns the first two, WAN and LAN. Now from here you can assign the interfaces, change them around. The default WAN interface is going to be DHCP, and the default LAN interface is always 192.168.1.1. All this is going to be changeable when we run the web wizard. You can even start changing it from here if you want, but these are the basic options now from this shell, and I'm not going to really return here. But from here basic functions are all available for assigning interfaces, setting interface IP addresses, so you can start matching your network settings. Assigning interfaces is cool because you also get the option to build VLANs. And I have three virtual network adapters attached to this; two of them are attached, one of them is not attached, so it tells you the link state of up, up and down, because it doesn't have any, what, virtual network cables plugged into it. You can set up your VLANs here and assign them to the interfaces if that's something you need; then you enter the ones, or just hit A for auto-detection. But we're just going to go ahead and enter and cancel out of this. You can reboot the system, factory reset the system, halt the system, ping a host to make sure something can be gotten to, so you can just, you know, drop to the shell real quick, run pfTop with option 9, which shows you the network connections and statuses on there. Q brings you out of that.
Update from the console, PHP shell and pfSense tools, which is kind of neat, so it's got some tool options on here, so change password and things like that. We're going to go ahead and exit. Restore recent configuration is really important if you have goofed things up but you can get to the console. You can go here and just run a restore, and you can say list all the backup options and actually choose different previous backup options. When we get to the backup through the web interface you can see by default there's 30 different backup revisions that are kept, and easy enough to restore, and whenever you do the restore it just applies it and restarts the system real quick. And the last thing you can do is enable secure shell from here, or just drop to a shell, or if you SSH in, this is the same interface you get when you SSH in. Now all this can be locked out, so if you want there's an option in here to lock yourself out of this or lock people out of this. That way if they come up to a console they can't just jump on here and do things. But I don't usually do this, because on the off chance, one, if someone goofs up a password you want to be able to reset it fairly easily, two, if they have physical access they can just take the firewall and, you know, pull the config file. So if they have access, it's kind of up to you; it depends on how secure your environment is, whether or not you want to lock this interface out.

All right, so let's jump into the web configurator. So the default login is admin and pfsense. It does force you to change that in a couple clicks here. And now we're into the wizard, which is pretty straightforward. Netgate global support is available; they let you know that right off the rip, which is nice. They don't annoy you though, and that actually makes me really happy. They don't, like, prompt you "you should buy support, you should buy support."
You can; this is completely optional. We're going to throw in some DNS servers. Now these can be overridden and added later. I just want to put some in now, or it will pull them just from pfSense's DHCP settings. As we left the LAN here at DHCP, we're going to go ahead and choose Detroit as our locale. Now when you're setting this up, this is where you can set up DHCP or static. If you're doing static and you have a block of IPs, just so you know, you only assign the first IP here and later you add the rest of them as IP aliases to this configuration. So we're going to leave it at DHCP. It does support PPTP, PPPoE configurations. And I am going to uncheck this. Normally you don't have to, but block bogon networks, you know, block private networks, RFC 1918s. I'm not doing that because we're running this internally and it will cause some issues, because it won't be able to route networks, because it says hey wait, your WAN is actually a LAN address. Yeah, I know. So go ahead and do this: 192.168.1.1, subnet 24. We're going to leave it at default here, but of course put in whatever works for you. Admin password: set the admin password. It does not check if you typed in a weak password or not. Please use a good password though for your firewall. And done, and it says if you want to learn about support, or just click here to continue. Accept, and all I do is accept the license agreement in here. So now we can get started on walking you through all the features of the firewall.

All right, so once you complete the wizard you're in here with the dashboard, and you can customize the dashboard. You have the Netgate support, and once again it asks if you want to register, and the links here. Easy enough to get rid of, just close that if you're not interested. And let's customize this a little bit.
I like to have the traffic graphs on here. We'll go ahead and throw in a SMART status, interface stats, the gateways, service stats, and we'll go ahead and throw OpenVPN on here too. Now it's got a lot; you can scroll down on here so you can see everything. The services, I'm going to move them up because I generally like those right here at the top, so you get an idea, and it's easy enough from here just to, you know, restart or stop a service. And once you rearrange something on here, so when we do a move like this, the save icon, bring this back up to the top, shows up up here, and we click save to save the positions of everything that we just moved around. On this side you have the system ID. Now this is the ID you use if you do get support, by the Netgate device ID; it's a unique identifier that was generated to identify this particular system. This tells you some other information: CPU type. You can force it to check if there's a new version here. Hardware crypto that is supported in here tells you, yes, what it has turned on. Now this is an issue that's going to come up with version 2.5, because they said that for version 2.5, no release date set for it, but they're going to require the AES support in chips. This chip's an older one and still has it; it's been around for a while. It's not hard to find a system that has AES support in it, but just keep that in mind if you're building something new today, and they're not that expensive to find those older processors. So, and we have our SMART status. Now this is on a virtual machine so we don't have actual SMART status. What I'm going to do is jump over to my real machine and show you kind of what that looks like for a couple parts of this video, so it's not that important. Obviously it just says whether or not there's a problem. And then the gateways, this is kind of cool.
The gateways will tell you the ping time between the first hop, and if you have multiple gateways for things like failover, it will tell you the ping time on each of the gateways and determine if there's a problem. Unknown when there's nothing hooked up, for example. We're not using DHCP6, but by default DHCP6 or IPv6 is turned on, so it doesn't have anything to ping right now because nothing in my network is handing that out. But it'll give you the status of it, and it turns red or yellow when there's a little bit of packet loss, and red when there's complete loss or a drop of a gateway on here for the monitoring. Also we have a little wrench icon and we can just say I don't want to show this on here, save, and we've now removed that from the gateway. Now the reason it gave me the leave page is because I moved something and didn't hit save, and if you do that you'll get the leave page when you're editing one of the options.

Now, common through the interface on here, and let me just pull it up over here, for example in the services. For any of the services you're going to have these related status, related log entries. You're going to see that for all the different services and servers on here. So related status, related log: what these do is bring you to the different options. For example, you can go and jump right into, if there's log entries for it, by going from that service to that, you go right to the log entries for that particular service. This works across the firewall, works across a lot of different parts. So here's our current firewall rules. We can see the status of the firewall rules, or we can jump right to the logs that are in the firewall rules. So you'll see that those are common across all of them.
They're also all accessible here under the status page, so I can get to a lot of those same statistic things inside of here. For example, my interface: here is the interfaces, and here's the settings for the interface. So there's the status of the interface and settings, just like I said. This is common throughout all of pfSense, and on a couple different options, like in the logs and on the dashboard here, you get the little wrench, which means you can customize that particular view. I just want to make sure you're clear on that's the common way all of this is laid out.

So let's start from the top: System menu, Advanced. So protocol by default is HTTPS, and it writes and designs its own SSL certificate. You, and I have actually added another cert here, which we'll cover in the CA part; you can add your own cert. There are options; it's more advanced and I haven't really played much with it, but I know they added features for supporting Let's Encrypt, in case you're wondering. If you leave this blank, the default TCP port is 443 still. Max processes: I've never really had an issue here, but you can, if I guess a lot of people are using a firewall, multiple people using it, multiple logins, you can set up more processes to handle that. Everything else here I leave at default. Now disable DNS rebinding checks, just so you know: if you have an alias like firewall.yourdomain.com and that equates to your firewall for remote access, you have to add the alternate hostnames in here. If not, by default it only wants to use IP, so if it sees something coming in from a domain referer, it will fail to log in, it'll say DNS rebind attack. You can disable that, or add the aliases that you're going to add here so it understands what an HTTP referer is when it comes in. Just a side note there, and this is where you can disable all that. Enable secure shell. Sure.
Let's go ahead and turn it on. It gives you the option to disable password authentication, and there is an option to drop your keys right in the user, so you don't have to enable it and push your keys over; you can actually drop them in into the user interface. Serial terminal, enable first serial port: now this is kind of cool, because for a lot of systems they offer serial interfaces. It's an older school interface, but it is supported here and you can set it to be the primary console if you want. This is also where you password protect the console menu if you want to. Go ahead and save, and it's going to take a second because I disabled the SSH. Now just so you know, by default SSH is only accessible internally, on the LAN side, not the WAN side, so it doesn't, you know, open you up to any security risk or anything like that, other than from internally being able to access it.

Firewall and NAT options: you can leave all these at default, but it does have algorithmic options for higher latency, more aggressive, more conservative, and you can read about what some of those different options do. But it's basically how it handles all the state tables and how long before it lets them expire or keeps them going. You can disable all packet filtering, the firewall scrub. You can really get into a lot of details here: set maximum state tables, maximum fragmented. Static route filtering to bypass firewall rules for traffic on the same interface: I've only had to do this one time with a client with an unusual setup, but basically if you segment your network but they're all on one interface, but then you have a series of routes that push it to different sections of that network, because it doesn't technically pass through pfSense.
It's just routing, but they're all on one interface, not split across them. That is something you may need to turn on if you have a weird network like that. For most default networks, or when you have pfSense at the middle of your network, no need to change any of these options. If you make aliases, it has verify HTTPS for some of the aliased URLs. Like I said, there's some more unique things, but completely optional; you can change them. Now NAT reflection, this is an important one here. So NAT, network address translation, reflection. We're going to change it to Pure NAT. What this means: for every rule I create, I want that same rule to automatically be mirrored internally. So let's say I point to a camera server, which is popular. You have your NVR, you have your external access, but then when you're inside the network you want to be able to get to it. What Pure NAT does, if you set this as the default option (this can be changed on a per-rule basis), this allows it to create the rule externally, and then when they try to access that external one, it realizes you're inside the network and creates an automatic redirect. And that can be turned on and off on a per-rule basis; all that we're setting up here is the default. State timeouts: if you want to adjust the timings for the state timeouts for different parts, you can fine-tune all that. I never had a need to adjust it, but it's there. Networking: allow IPv6 traffic. We can turn this off if you don't want any IPv6, you know, if you're not using it. I'm, yeah, it's there. IPv6 is neat.
It's fully supported in the firewall, but, obviously as you know, it's not really taken off quite like everyone thought it would. Hardware checksum offloading: now I really recommend you build these yourself, use the Intel network cards. Disable hardware checksum offload is for when the network card handles the offloading. You want to make sure the network card can handle the offloading with the driver, and it does comment on some of the Realtek cards having a problem with this. I generally always build these with Intel cards. You can find them used on eBay for really inexpensive, including like the four-port ones. Build them with the Intel cards; you don't have to worry about it. It works with a lot of different network cards, but the Intel ones in particular I know I've never had an issue with. I've never even had a problem with the Realtek ones, but just so you know that's here. Miscellaneous: you can run this through a proxy if that's something you have, you know, maybe your provider forces you onto a proxy. Not really an issue I've run into. Load balancing, enable default gateway switching: now I've had this where I've had to turn this on. I don't know if they fixed this, but you're supposed to just, when you're setting up load balancing, which we'll get to on the interface side, be able to automatically switch. I've had it in the earlier versions where I had to enable this, but for the most part you should be able to leave this unchecked unless you have some special scenario. What it is: if one gateway goes down it's supposed to roll over to the other one, but there's a way you set that up separately in load balancing. Power saving options: kind of neat that it has it.
I don't really imagine that there's a lot of times people are running pfSense on battery, but if you are, it's got options for AC, battery and unknown. Crypto dev: now if you have AES-NI supported acceleration in your processor, go ahead and turn this on. I usually turn on this and the BSD crypto device, just if those are enabled you can turn them on. If you have thermal sensors you can turn them on here; it supports Intel and AMD thermal sensors. Do not kill connection states when schedule expires: this is actually kind of interesting, because you can schedule the firewall rules and you can say, even though I scheduled the firewall to block or allow something, you then can also say whether or not the connections that occurred while it was in operation, whether or not you want to force them to expire or do not kill them. So kind of neat that they give you the option on there. Flush all states when a gateway goes down: you may want to use this on the gateway monitoring, because what happens is if the gateway goes down and there's some states there, you want to make sure that they're all cleared if you're doing failover, so it jumps over to the other gateway and there's nothing hanging on there. I've checked it; it seems to help with the switch over. Instead of using /tmp and /var you can force them to use a memory file system, so if you had something or you didn't want a lot of read/writes going to a hard drive, like you installed this from a USB stick to a USB stick, that's an option on there. Save. Now I'm not going to get too detailed in here, but we have all these system tunables. You can customize a lot of functions and add your own parameters. I don't have a guide to all the ones in here, but kind of neat. Here's all the defaults; if there's some reason to update those you can. Notifications: email server, SMTP support, port numbers, yes it supports SMTP SSL/TLS, from email address, notification email address. This is great.
First, one little note: when you're putting all this in here, you can't test the functions until you've clicked save once. So even if you fill out all your mail server information here, then you click test, it fails. You have to go down here, click save, then you can click test, and then you'll know if the SMTP is working. But this allows notifications and changes to the firewall to be sent to your email address, such as gateway monitoring if you have failover and it goes down, or a problem with the hard drive, or some other alert in here. We have the alerts up here at the top for the notices, and what this, so how they work is the little bell icon: SSH key gen, SSH startup, and it let me know that it generated a new key for that. I marked it as read and now the bell went away. So that's it for all the notifications, everything on here.

Next one down is cert manager. Here is the demo VPN cert CA, and we're going to walk through the details of this when I get to the VPN, of how this was created. But you can add your own CAs, you can import them, create new ones, and these are for, like, doing your self-signed certificates for whatever reason you want to do them for, in the demo part of course for the VPN. Here's the web configurator default; this one's generated on load. And this is the LTS cert, so the Lawrence Technology Services cert I did for the demo VPN, and there's certificate revocation built in here. General setup.
This is where you name the firewall and the domain, add the DNS servers. Now, kind of novel, you can attach, if you have multiple gateways, you can attach a DNS server to a gateway, so whenever the query goes in it goes out over that gateway. Kind of novel, and probably if the DNS servers are local only to that provider you might even need that, and you can add more of them just by going here and adding as many DNS servers as you want. And this is where you can go and change the time zone, time servers, language options, which there's a handful of languages in here. This is kind of neat too, and I'll switch it once just so you can see it. Save, and we've now changed the theme of pfSense. So I usually leave it at default; kind of novel, it's got a couple different options on there. So we're going to put it back at default over here. You get the refresh of the page each time when it does, even though it saves. And away we go. You can change all the themes and the colors. You can decide whether the top scrolls with the page or remains visible at the top of the page. I kind of like when it remains visible; that way if I'm down here and I'm going to save it, now the pfSense menu stays at the top. I don't know, I kind of like that better, but obviously it's options you can change. Dashboard columns, sort alphabetically, you can turn on or off more associated panels, display state table without a filter. These are all the more little customizations to the UI that you can make, including: do you like blue, green, red, purple, gray, orange for the login screen? Show a hostname on the login banner. Like I said, more customization stuff. It's novel that they have this for a firewall, that you can play with all those things. Now pfsync transfers state insertion, update and deletion messages between firewalls. This is a way that you can have high availability sync, so for redundant and failover firewalls, and create your peer IPs in one system.
So you only have to edit one firewall and then the connections will sync between them. It's not something I've really set up, but if you have an enterprise environment and you want to have redundancy in your firewalls, this is how you would do that. It has all the different syncing options and it's granular, so you can say, you know, toggle all, I want all the rules, aliases, everything about the firewall to sync, or only parts of it to sync, because maybe you want the firewalls to be different from each other, only sync certain changes that you make. Here is where the logout is; that just logs us out.

Package manager: the package manager is pretty slick, and the OpenVPN client is one of the packages I loaded. Here's a big list of available packages and we're going to load them real quick. So like iftop in here; I'm going to search for it. There it is, where I could have just scrolled. You run through, click the install, confirm, and it runs through and installs the package for you. It also automatically installs the dependencies that that package may have had; it went and got them all. It does this all through the pfSense repositories. Go back to installed packages and now we have that package installed. We're going to remove a package: click that, it removes it, really straightforward. This is view more information about the package, and this also is an update. So what it does is it turns yellow here when there's an update available and the icon looks a little different. This will reinstall the package as well, so if you've played with the package, you've goofed it up, you can actually just do this and it'll confirm that you want to reinstall that particular package. Now the packages do updates and things like that; automatically they will update themselves as well when you're doing a system update, but if there's a package update in between system updates you can go here and manually do it.
I don't think there's any notification you get when a package is out of date though, not that I've seen. Routing: so your gateways are located here, your gateway groups are created here, and your static routes. So if you have a static route that you want to add, you can pick which interface you want to add it to, and this is where you can do your static routing options. Gateways: this is where you're going to add a gateway. So you can put this in, put the gateway name in, whether or not it's going to be the default gateway. By default everything gets monitored as a gateway, but you can override that and disable it. You can force the state of it and everything. There's a non-parsed description so you can give a friendly naming for it. You can also simply take and duplicate a current gateway, so if the way your network's set up they're very similar, you just want to duplicate the same settings, you can do that. Now the gateway groups: this is kind of clever. You create a group, and this is what you would do for failover. So we only have one gateway on here, one WAN system.
But if we wanted to create a failover group, we're going to name it failover. You would have each of the gateways in here and you set their tiers of priority, so tier one, tier two, tier three, and that's the order by which they will be used. You can say this is the main gateway, but this is my failover one, which would be the tier two one, the third failover tier three, and so on and so forth. Also, if you were using this in like a round robin for kind of a more load-balanced setup, you would set them to be the same tier. You set each one of the gateways, like I said there's only one showing up here, but you set each one of them to be the same tier, and that would allow a load-balanced type, so you can have some of the data going between both networks. Now you can also say what is the determining factor of switching between it from tier one to the next tier down: member down, packet loss, high latency, or a combination of packet loss and high latency. These can be fine-tuned back in some of the editing, or you can say just how much high latency is high latency. But what this does is allows you to determine when it should go to the other one. If they're both at the same tier you can also say high latency should just start pushing them over to the other one too. So that's an option on there, and you can create multiple WAN failover groups when you're doing these, so you don't have to just have one, you can create multiple. So if you have a really crazy enterprise network, that's actually something that's supported in here. Setup wizard: you can just run this again; that's the setup wizard. Update: it's up to date. Update settings: if you want to change to be a release candidate or any of the other latest development snapshots, that's an option in here. The updates just say an update available.
You say yes and away they go. I think they fixed it, but I know in 2.4 the only bug I seen with the update was sometimes you had to hit it twice; it would say update failed, you say do it again and it would pass. It just wouldn't download the first time. But so far since switching to 2.4.1 that's a problem I believe was fixed. So in case you've seen that problem, just clicking it twice fixed it, and that was, I believe, in the notes for the 2.4.1 update, that that was a problem solved.

All right, the user manager. So obviously it has its own local database, the user manager. It does support adding either LDAP or RADIUS servers for external authentication. You can set a couple things like which authentication server, auto refresh time, session timeout. You can build groups, which by default there is all and admins, and then right here is the one pictured user. Let's just walk you through adding users. We're going to put Tom in here. You can expire users; leave it blank if you don't want them to expire. Use individual customized GUI options and a dashboard layout for this user, so it allows you, like, individual customizations, like you can set their theme and a couple other things in there. Kind of novel. Well, what membership they have, authorized SSH keys and IPsec pre-shared key. Don't save now; when we go back and edit this user, then we can fine-grained go through all the permission options. And this is pretty slick, because you can, if you have a user that's only able to do certain things, because you say I only want them to admin one thing, you can set that up so they only have to admin those things in there. Now because this is the way this is, a local user database, you can give the person no permissions and they would still be able to access the VPN, for example. It doesn't allow them to log into the web interface, but it can just be used for basic authentication for the VPN side of things. So I'm going to go ahead and clear this and go back. This is where you add individual certificates.
if you wanted each user to have their own certificate for the VPN. You could add each one, import an existing one, create a signing request, all the standard certificate options, for that particular user it could be assigned. And of course, like I said, the SSH keys. You can also disable the user: "this user cannot log in". This is often what I do with admins. Once I create the new user, I'll create a secondary admin user, and we always disable the admin login. But when you disable the admin login in pfSense, that also disables the root login via SSH, just an FYI. So if you're SSHing in, you can SSH in as the individual users, but you can't SSH as root anymore, because root privilege was reserved for the admin user. So once you disable that, you disable root also. Root's password is the same password as the admin user, but ideally you should be using key authentication, so the password doesn't become very relevant at that point.

So that's it for the user manager, pretty straightforward. It does have the option to create a special group. I will just call them the firewall group, if I could type: "firewall group definition", save. Then we can go back and edit and add the fine-grain permissions. And let's say we just want to go to everything that's firewall related. Now also, if you notice, there's two rules in each of these: one's a rule, one's an edit. So you can actually have them just view, versus maybe you want to create a read-only user. If you've got that new guy you want to be able to look at the firewall and understand it, but not actually make the changes without supervision.
So that's definitely some of the options you may want to choose, but it gives you a nice fine-grain control here. Type in "fire" and it'll narrow down everything firewall related, and let's do this: select, save. Here's all the firewall permissions for this particular group. Save, and then we can go back to the user, edit the user, member of firewall, save. Now Tom's part of the firewall group. Really, it's pretty straightforward user management, but I do like that it has it, because this relates back to, as you'll see further in our firewall part, which user did what. It does track where they were logged in from and which user made what changes to things like some firewall rules; that's all logged in the change logs.

Interfaces, assignments. So the interface system allows a lot of different options here. So this is an assigned interface; that's why it's deletable. Here's an unassigned interface. Actually, there's two of them in here, so we can choose which one we want, and we'll get into that in a second. So interface groups: you can group interfaces together, and that allows you to apply firewall rules to groups of interfaces, which is kind of nice. So if I did this and then I selected two interfaces and gave it a name, I can apply rules and functions to that now. What's kind of cool is you can apply this as a group to these, or you can apply to them individually in the firewall. They all show up together like that. So let's actually go over here and give you a little better idea. So we're going to add this other network interface, save it, and now it's called OPT1. We're going to enable it. I'm going to add an IP address to it, so IPv4, save, apply, and now we have this other interface.
I can rename the descriptions on any of the interfaces here. So it's OPT1, WAN, LAN; all these are editable, editable, not editable. So we can edit all these. And let's jump back to our assignments, interface groups, and there it is here, and these are our LANs, let's call them that, save. And now they show up as LANs right here, so I can apply the rules to them. So that's what the grouping is for, which is really slick, that you can do these interface groups, and you can delete them just as easily. So we're going to go ahead and remove it and away we go.

Now wireless. I'm going to have to skip some of this right now, but you have full wireless support. I just don't have any wireless interface plugged into this, but it does have full wireless support in setting it up, so you can actually plug in a supported wireless card. I don't have the active list, but you can find them in a BSD list, if it's a supported wireless card in BSD. You get all the features of the Wi-Fi, you know, setting up as an access point, setting up the password, WPA, WPA2, and a lot of the options in there. Kind of neat. If you want to use this at home as a wireless device, definitely possible.

VLANs. VLANs are kind of interesting the way they're handled in here, because they also add an interface. So you offer them on any of the interfaces; any of the interfaces can have another VLAN. So we're going to have a VLAN attached to our LAN, VLAN 22, "test VLAN 22", save. Now we've added a VLAN. You're kind of wondering, where did it go? Let's go back over here to interface assignments. VLAN 22, we have to add it again over here, save. It called it OPT2, but we actually are going to call it OPTVLAN so it has a name, no spaces in here. Let's give it a configuration. I gave the other one 122s; we'll give this one 222.1. Actually, I will go 111.1, and it's going to be a /24, so hit save, enable, apply. What, forgot to click save. Now we're applying. So now it's called OPTVLAN.
I like that these can be renamed at any time. And now let's look over to firewall: there's WAN, LAN, OPT1, OPTVLAN in the firewall rules and in the interfaces here now. In case you're wondering the difference between a WAN and a LAN interface: so if you want to make multiple WAN interfaces, WAN interfaces have a gateway, LAN interfaces do not. So if we're over here on a LAN interface, add gateway options here; once we add a gateway to this, it's technically a WAN interface. So that's some of the differences, and that's how pfSense identifies them, not at all by name. You call them whatever you want. The default is WAN and LAN and OPT and so on and so forth, but of course you can rename them. And what we do for some of our clients, to make it less confusing, is we'll call the WAN interface, with redundant connections, maybe Comcast, and the secondary WAN interface AT&T if that's their backup. Having it assigned that way makes it very clear: this is the Comcast line, this is the AT&T line, and we understand which one is which when we're assigning them. I leave the name WAN in here, so I'll say like "Comcast WAN" and "AT&T WAN", but it's just a clarification and no big deal. So back over here to the assignments. So we created the VLAN, we assigned it, and you can see it's attached to that network, and it also shows up everywhere else. So it's something else we can create an interface group for.

Okay, back to the interface assignments. Link aggregation is supported, so you can take and use the link aggregation protocol to link together interfaces. Bridging is supported. GIF tunnels and GRE tunnels and PPP are supported, so you can do some type of PPP configuration. Now I'm not real familiar with it, but I know it's an older serial interface, I believe, for PPP.
It's not something I'm overly familiar with, but it has a couple different link types in there for PPP: PPPoE, PPTP and L2TP. So, kind of crazy configuration option or not, I don't have much use case for a lot of these. I'm not overly familiar with the GRE and GIF tunnels, but just to let you know, they are supported in here.

Now let's get a little bit detailed on the bridging, because the bridging feature in pfSense is really clever. You can bridge a couple interfaces together, and when you create this, let's go ahead: "test bridge", save. Now let's go back and edit this bridge. A bridge interface causes pfSense to treat all the ports you bridge together as a switch, so it can act as essentially a standard switch. And where it gets pretty cool is you have spanning ports, you have edge ports, auto edge ports. It works like a managed switch: auto PTP ports, sticky ports, private ports, as in you can set up network isolation on them. It supports spanning tree protocol options, both of them, RSTP and STP. You can choose the interfaces for that to make sure when those are set up, and the options for it, and lots of details in between here. So this is kind of novel, for being able to have it, so to speak, act as a switch. So if you have a bunch of network interfaces you want to just switch together, you can do this without even having to really assign anything to them; they'll just act in a switch mode, which is kind of neat that it does that. I've seen people build 10 gigabit switches with this. I don't know how effective it is for throughput, but you can get those dual and quad cards and then use pfSense to tie them all together in a bridge mode. So kind of novel. And so we don't break anything,
I'm going to delete the bridge, because I'm sure it'll mess something up that I'm going to test later on. So that's pretty much all the interface assignment options in here. It also supports this, which I'm not overly familiar with, the QinQ options as well. Not a feature I'm overly familiar with, but if you are, you know what this is already and you're excited that it's in here.

So let's look at the interfaces themselves and what can be done on them. So for our WAN interface, we're going to turn off DHCP6, don't need it. We have it set to DHCP here, but we can just as easily statically assign IP addresses if we need to. Advanced configuration on this is kind of neat, so as the DHCP client you can force overrides on things. So you can change it from presets, change different lease requirements, send options, receive options. It gives you a lot of little customizations in here, which is kind of cool. Now if you're doing the static, it's nice that you can add the gateway here, and it brings up the add gateway menu. So if you're statically assigning it, you just type in what you want assigned here, the IP address. Now if you have multiple IP addresses, like I mentioned before, you're going to want to add them as secondary. You only add the first IP of a block in here and the netmask over here that's assigned to the IP, but you add all the extra IPs elsewhere, not here. And I kind of like that there are shortcuts here to take you right over to the gateway, so you can add them there manually, as opposed to adding them in a little pop-up window. But both work; one is a pop-up window to keep you at that WAN gateway when you're adding it, without having to go to a second menu, when you can put it all in at once. Now for the LAN side, like I'd said, when there's no IPv4 upstream gateway, it becomes a LAN address, not a WAN port. So pretty straightforward, and this is just for an assignment, and once again, here's the IP address and then the netmask over here for it. So pretty straightforward on there.
You can enable or disable them right here and just click save at the bottom. And there's our other interfaces, so on and so forth. No big deal there.

Now let's jump over to the firewall rules. Now because I just mentioned it, I'll actually start at the bottom here, virtual IPs. So if you want to add another IP to the WAN, you would type in that address here. So when I do that, the WAN address right now is what you see up here; I know it's internal because this is for my demo. So if we had, like, 223, we would just click add, and you can keep adding each virtual IP address with the right netmask to it, and that's how you would get all the IP addresses for your WAN. So if your WAN offers you a block of IP addresses, this is where you add them all. Also in the virtual IP options, you can add your CARP address for the failover. Proxy ARP is an option, and then there's the "other" type, and this is some of the things the "other" part can be used for; I'm just jumping over to the help: "can be used for NAT, cannot be used by the firewall itself to run/bind services". So I guess it's a unique way, if you have some unique use case where you want to NAT something but not have it necessarily completely controlled by the firewall and everything else like a normal interface. So definitely an option there, which is kind of neat. So there's all the virtual IPs. Most of the time I'm just using the IP alias, because clients have several IP addresses assigned to them. This is simple, you know, go to the WAN that it's related to and assign the IP address. It's pretty straightforward.

Aliases. Now this is a great feature in pfSense. Why would you want to alias things? Well, convenience. So we have the option for all of them to be listed here: URLs, ports or IP. Now the URLs might not be what you're thinking; we'll get to that in a second. But let's say we want to have camera ports here, and an NVR camera server. We're going to go ports now.
You can choose host, ports, URL, IPs, network. So you only have one "create", and then this is the filter, by choosing what type you're creating. So you can create a series of hosts in there, an IP or a fully qualified domain. You can use networks; so here's the network or fully qualified name, and description. The ports, and we'll do those in a second here. URLs, now this is where it gets interesting: "enter as many URLs as desired; after saving, the URL will be downloaded and the items imported to the alias". You can put in a URL here that downloads into the firewall. So instead of having a bunch of stuff typed, if you have them saved in a list and web available, this allows you to import those right into here. Same with the URL for ports; you can just input groups of port numbers. Let's say you have, you know, 300, 400 ports you have to set; you can then tie them to an alias and then import them from a URL. This one is interesting as well, because this is URL table of IPs, or URL table of ports. Now when you do this, this isn't a mask; this is actually the number of days for how often you want to pull that. So you can actually create these lists, host them on a server, and have it every now and then recheck that URL based on, you know, a schedule that is in here, and refresh that information. So after the slash is the update frequency in days: so once a day, pull from this URL and pull these IPs into this list for something. So really novel that you have that level of control in here. We're just going to do ports.
So let's say our NVR needs port 80 open, that's HTTP, add a port, 443 for HTTPS, add port, let's say it's 9000 to 9100, and what I did was just put a colon in there. And we'll call these "control ports", and we're going to hit save, apply. Now we have an alias for the camera things, and we're going to get to these when we get to the firewalls. But if I would have called this a URL or anything, this is so you can categorize all the different things you have in here. You can also, if you wanted to have a mail server in here, assign the IP so you can remember it. So you put the mail server there: it's a host, IP address, "mail server", and then we can have a hosted one in there. Whoops. Oh, "mail server" is apparently a reserved keyword, didn't know that. "The mail", there we go, save. And then when we're setting aliases, I can actually put this in instead of an IP. So this one doesn't need anything else, and there they all just show up in a list here. So we're going to go ahead and leave these two in. Actually, we'll add one more. So we'll apply changes, add, "NVR recorder", "NVR recorder" here, it's a host. What's the IP address? 168.1.10, and we'll pretend this is our fake NVR server, "for the cameras", save, apply. All right, now when we do some firewall rules, we have some aliases to play with.

So let's start over here at NAT. So you have port forwarding, 1:1 if you just want to do a whole one-to-one mapping of everything, and outbound. Outbound you can leave the same, unless, and there's a couple exceptions, when you're doing peer-to-peer VPNs where you're connecting two pfSense boxes together (I have a whole separate video on that), this is where you're going to want to mess with this, because you're going to want to change the way the outbound rules are. Right now by default the outbound says send everything out automatically over the WAN interface. That's fine.
That's what you want, but you may want to create specific rules, and these are all auto-generated. As I generated those other interfaces, it auto-generated all these rules; it's dynamic, it'll keep updating them because it's all set to automatic. And what this is allowing you to do is choose what the outbound route is for a particular piece of traffic. So you can actually turn this into manual, and you could say this network goes over this WAN, this network goes over that WAN. So it gives you all the options, and when we set this to manual, all these become editable and duplicatable, so you can get really fine-grain. You can also go over here and create your own NAT mappings for how things go. These are all real advanced use cases, but it's completely there for the outbound options. Now this is different than outbound rules; this is outbound mapping of data as it goes out.

So let's go over here to port forwarding, because this is mostly what people want to do, some basic port forwarding. So interface WAN; lots of protocol options: UDP, TCP, ICMP, so on and so forth. You can even port forward like GRE, IPv6, a little bit of everything in here; even the ICMP protocol can be done. We're just going to do TCP, WAN address. If you had multiple addresses in here, you would be able to do those as well; so if you had a whole block of addresses, they would all show up in this list. Custom, camera ports; now I could type it in or I can autocomplete it. So "camera ports", camera ports. And we know where they want these to go: the NVR. So here's the NVR recorder. I could type in the IP address here, just the same as it shows here, I could put in the IP of the machine just like that, or it autocompletes with that. Also it's not case sensitive, so I type in even lowercase and it'll autocomplete, and it's doing an alias lookup in here to find that. So there's the camera ports mapped to the NVR. Real straightforward. NAT reflection: use system default, which is pure NAT.
This is where we can override that. This is also a default: "add associated filter rule". We're going to hit save and show you what that means. So source address, source ports, which means any; doesn't matter where they came from, what address or port they're coming in on. If they land, and I like the mouseover here, on port 80, 443, or 9000 through 9100, land it on the NVR recorder, and this gives me the IP address of the NVR recorder. So it's really easy now to update these rules if I move the NVR recorder, or if you're doing things like grouping them together. This is how it looks. Now let's duplicate the rule, and we'll just put port 25; we're going to create a mail server in here, but we'll do it all manually just to show you the difference. So everything's the same in here, save, apply. And this is what it looks like when you're doing it here: so here we have an alias, so it shows the values and things like that; here we typed it in raw and it autocompleted to be that.

All right, so let's create a couple more mail server rules here, and one quick way to do it: I can keep hitting add and creating a new rule each time, or I can say "add a new NAT rule based on this one". So I'm going to change the port; this is the only thing we're going to do differently. So it goes to the same server, go 993, and change this one here. You can choose from the list in there, but when you're editing them, it's obviously easier to type in custom if you just know the port numbers.
If you've been doing this a long time, it's easier, but of course you could choose from there and it'll put those in here. So if you can't remember what the SMTP or SMTPS ports are, or in this case, so I know that the IMAPS port is 993, yep, and that's IMAPS, hit save, apply. And now we have "mail server IMAPS", and if we want to add one more, go in here and we'll actually just duplicate the rule and change this to IMAP, and change this one to IMAP, and this is the IMAP not secure. Save, apply, and you can kind of see we're quickly building the rules for our pretend mail server here. But as you can also see, this could get really complicated really fast. So if you go here, and we're going to say let's put a separator, and these are our mail server rules, and we're going to make them green and hit save, and drag. Then let's put another separator, and these are NVR rules; I'll leave that one the default color and move it up here. This is a kind of nice thing. So the rules are all drag and drop; you can move them around, sort them by order. This applies to the firewall rules as well, so you can actually reorder a firewall rule by drag and dropping it. So then we're going to go ahead and hit save, and that just saves all the positions in the rules. So if you rearrange them, you do have to click the save button. You notice how it's kind of grayed out, and once we've rearranged stuff it becomes not gray, so you can click the save button. We can't, it's not clickable right now, but yeah, putting separators in, and then we can say like, you know, "web server rules" and make those red, save. And from there we'll add in, whoops, in fact I forgot to click save; save. Now we can go add again, and let's do port 8080, and we'll just call this "HTTP server", save, apply. They put it at the top.
I want it underneath here, for making it look pretty. And you can see we've quickly built all these port forwarding rules from the WAN address to an internal address here. Now if you want to disable a rule, you can just click that, hit apply; the rule just becomes grayed out, that means disabled. So you just check the box, apply. Really easy if you'd want to quickly leave a rule there but disable it for now.

Now another question that comes up a lot is access to that rule, and this is where your sources come in, and you can say a single network, and you can say, let's, well, we'll do a single IP address, single host or alias. So for example, if you only want a specific IP address to be able to access this, you can put in that IP address in here, and then only this IP address, and we'll go ahead and save here. So the source address has to be this in order to see that. That's a common option. We actually, when we set firewalls up, a lot of times when we're doing remote work, we quickly throw in only our IP address, so we can easily get to the web interface, but don't want anything else to be able to access it. So that's a pretty simple way to do that and filter it so it only does that, and you can even create an alias list for the addresses, so you can keep like a list of addresses that are allowed to access that. It's a nice way if you have a predefined, if you need something open to the web, if you have a predefined list of IP addresses, this gives you a really easy way to do that. And we'll change it back to any, save, apply, back to normal, you know, asterisks as in wildcard, all.

But now there's two pieces to the firewall. This is the NAT side, and now we've got to talk about the firewall rules side. And when you were doing these and creating the rules, and let me just show you at the very bottom again: "add associated filter rule". So go back over here.
Whoops. Yes, sometimes when you hit back it does that; you're not supposed to click just the back button inside here. So we're going to go to the firewall rules. You notice how the word NAT is in front of each of these: "NAT mail server", "NAT", "NAT HTTP server". These are the other rules we added, and the mouseover still works, tells you what ports they are, and there's no traffic being passed over these right now, but it can actually log the traffic. So, and this number of states that are associated with this, so evaluations, packets, zero evaluations. So it has, you know, given you some fine details in there, and what these are doing, and the separators and everything else in the drag and drop. You can rearrange the order of the rules here. You can also disable the rule, just like you can, so we can disable it there or there; it's the same thing. But when you try to edit the rules, so here we go, and here is the associated filter rule. So when you click on a firewall rule, it can take you back to the NAT rule that created it, because obviously I can't change any of this stuff because it was created from there, but it hyperlinks right to that, which is really clever.
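As an added example (not from the video and not pfSense's own code), the small Python renderer below shows what the GUI objects walked through above come out as in pf syntax, in simplified form: the port and host aliases, the NAT port forward with its "associated filter rule", and the source restriction. Interface names and addresses are constructed for the example, and the output approximates, rather than reproduces, what pfSense writes to its ruleset file.

```python
"""Added example (not from the video or pfSense): render the simplified pf
rules that the GUI objects above stand for (port alias, host alias, NAT port
forward with its associated filter rule, source restriction).
All interface names and addresses are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# "80" or "9000:9100" (pfSense uses a colon for a port range, as in the video)
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


@dataclass
class Alias:
    name: str           # letters, digits and underscores only
    kind: str           # "port", "host" or "network"
    entries: List[str]


@dataclass
class PortForward:
    interface: str      # OS interface behind "WAN", e.g. em0 (constructed)
    proto: str
    dst_addr: str       # WAN address the forward listens on
    dst_ports: str      # port alias name or literal port/range
    target: str         # host alias name or literal IP
    description: str
    source: str = "any"             # "any", literal host/CIDR, or an alias
    associated_rule: bool = True    # GUI default "Add associated filter rule"


def validate_alias(alias: Alias) -> None:
    """Reject entries the GUI would also refuse (bad ports, bad addresses)."""
    for entry in alias.entries:
        if alias.kind == "port":
            m = PORT_RE.match(entry)
            lo = int(m.group(1)) if m else 0
            hi = int(m.group(2)) if m and m.group(2) else lo
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port entry {entry!r}")
        else:
            ipaddress.ip_network(entry, strict=False)   # raises on junk


def render_alias(alias: Alias) -> str:
    """Port aliases become pf macros; host/network aliases become pf tables."""
    validate_alias(alias)
    body = " ".join(alias.entries)
    if alias.kind == "port":
        return f'{alias.name} = "{{ {body} }}"'
    return f"table <{alias.name}> {{ {body} }}"


def ref(aliases: Dict[str, Alias], value: str, want: str) -> str:
    """Turn a GUI field into a pf macro/table reference or a checked literal."""
    alias = aliases.get(value)
    if alias is not None:
        if (alias.kind == "port") != (want == "port"):
            raise ValueError(f"alias {value!r} is the wrong kind here")
        return f"${value}" if want == "port" else f"<{value}>"
    if want == "port":
        if not PORT_RE.match(value):
            raise ValueError(f"unknown port or alias {value!r}")
    elif value != "any":
        ipaddress.ip_network(value, strict=False)
    return value


def render_forward(aliases: Dict[str, Alias], fwd: PortForward) -> List[str]:
    """The rdr line plus the pass line the 'associated filter rule' stands for."""
    src = ref(aliases, fwd.source, "addr")
    ports = ref(aliases, fwd.dst_ports, "port")
    target = aliases.get(fwd.target)
    if target is not None and (target.kind != "host" or len(target.entries) != 1):
        raise ValueError("forward target must be a single-host alias")
    # a host alias target is expanded to its one address, as in the video
    dst = target.entries[0] if target is not None else ref(aliases, fwd.target, "addr")
    lines = [f"rdr on {fwd.interface} inet proto {fwd.proto} "
             f"from {src} to {fwd.dst_addr} port {ports} -> {dst}"]
    if fwd.associated_rule:
        # pf translates before it filters, so the pass rule must match the
        # internal address, not the WAN address; the GUI writes this for you.
        lines.append(f"pass in quick on {fwd.interface} inet proto {fwd.proto} "
                     f"from {src} to {dst} port {ports} keep state "
                     f'label "USER_RULE: NAT {fwd.description}"')
    return lines


def demo_aliases() -> Dict[str, Alias]:
    """The aliases from the walkthrough, with constructed addresses."""
    items = [Alias("CameraPorts", "port", ["80", "443", "9000:9100"]),
             Alias("NVR_Recorder", "host", ["192.168.1.10"]),
             Alias("AdminHosts", "network", ["198.51.100.0/29"])]
    return {a.name: a for a in items}


def demo_forward(restrict_source: bool = False) -> PortForward:
    """The camera port forward, optionally limited to the admin networks."""
    return PortForward("em0", "tcp", "203.0.113.5", "CameraPorts", "NVR_Recorder",
                       "Camera ports to NVR",
                       source="AdminHosts" if restrict_source else "any")


if __name__ == "__main__":
    aliases = demo_aliases()
    print("\n".join(render_alias(a) for a in aliases.values()))
    print("\n".join(render_forward(aliases, demo_forward(restrict_source=True))))
```

The two lines printed for one forward are the point: the rdr line matches the WAN address, the pass line matches the internal target, and restricting the source narrows both at once.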
So you can say, okay, here's the rule, and here is the NAT rule associated with it. So we'll go back into the firewall rules, and if you want to just add a brand new firewall rule here: pass, block, reject, disable this rule, protocols. The same list of protocols is in there; actually I think one more, because they have pfsync. You can set the protocols for how that traverses the firewall, IPv4, IPv6, the interfaces. Now another side note here: so this is just a filter to say here's the WAN ones, the LAN ones, OPT1, OPTVLAN, OpenVPN rules, but also when you're creating a firewall rule, if I go over here and create it for OPT1, so let's say we want to open up this port here, destination any, description, save. I didn't put a description here, but it now is over here. So it didn't add it under WAN, even though we clicked the add button under WAN, because I changed the interface. And also if I go here, change, save, apply, it's no longer under here; it's now under here for port 666 being open. So really the firewall rules, when you're looking at them, this is just a filter for the rules, but it moves based on where you apply it to. So whichever option or interface you apply it to here is where the firewall rule will move.

So a couple more advanced things on the firewall. This is really clever. So you can turn on logging, so if you want to log all the packets handled by this particular rule, you can have that. Inverse matching, so for any of these that you can match, you can also invert the rule. But then the advanced options are really neat.
We have source OS fingerprinting. Now obviously it's limited to as good as OS fingerprinting is, and it's very spoofable, but it is kind of novel that you could actually create firewall rules that use OS fingerprinting and say only accept or pass this rule based on that, if it matches this OS. So this is like fine-grain: you can actually create a filter rule that creates a tag, then you can create a secondary rule that filters again on those tags that you created from the first rule. So this is a rule where you can tag things; this is another filter, or if it matches a certain tag then apply this. So you can kind of create an entire matrix of firewall rules under the advanced options, of things that have happened to a packet, if you have some real advanced use cases. There's absolutely a lot of details you can do: VLAN priority, VLAN priority set, scheduling. If we create schedules, and I'll show you how the schedule works, we can actually have this rule applied to a schedule. Now you can leave everything at default and then just create the schedule rule, definitely an option. And then we have the in/out pipes. This is a way to choose an out virtual interface for these, so once again more rules that can be applied for where you want to push the data based on certain policies.

Now let's show the scheduler. So let's go to scheduler; we're going to add a schedule, and we want the firewalls to work on these days here. I hit add, and now Wednesday through Saturday, all day, is the schedule. We've got to give this schedule a name, "WedSat", hit save. There's our Wednesday schedule.
Let's go back to the firewall rules, go to edit our 666 rule, advanced, schedule, and as you can see here, now this is a rule Wednesday through Saturday to make this firewall rule work. So it works on a schedule now. Kind of clever that they have that in here. I don't have a lot of use case for it, but if you did want to create rules that only work on certain times of day or certain days of the week, that is certainly an option. It also has an option to expire the rule, so they don't start working till a certain time and then end at a certain time and date. So kind of clever, but definitely interesting how that happens. It also has some queue options if you want to create specific firewall rules for some of the traffic shaping, which we're going to get into next. So go ahead and kill this rule, as we don't need it, apply.

And if you want to know the status of any of the rules, this is the related settings, related status, which tells you what the filter is doing. This is like the quick on-screen display every time the filter gets reloaded, and you can jump right to the log and see any of the filters for this, including the logging of this filter, dynamic view, summary view. And then if you want to do advanced things like this, we'll go ahead and filter it real quick. So let's just filter it for a source IP, and you can filter it just for a single IP address, just like that, and follow it through there and what the action taken was. Then this is a quick way to add a rule to pass that, or add it to a block list; you can just mouse over these and create your passes and blocks real quickly. But you see how quickly this is, easy to jump from the firewall to the rule to filtering something very directly, and this supports regular expressions to do the filtering.

So let's go back over to our firewall rules, and just under the firewall rules is traffic shaping. Now it's got options individually, that I don't know how to use, where you create all these, but obviously that's tedious, and creating bandwidth
and queue size limits and some of the details, that's difficult. We're going to jump right to the wizard, which makes it really, really easy. So the traffic shaping wizard, run this: how many WAN interfaces, one. We have, let's say we pretend we have a 10 megabit connection up, and then the download is 50, next. Actually, I think I chose the wrong one; one local interface, LAN, I missed that, so 10, 10, I'm sorry, 50, next. Prioritize VoIP traffic: you've got a couple built in, generic, low delay, and if you know your SIP server you can put that in there. And let's say we want to reserve one megabit for the parameters, so this is going to keep that much open based on our traffic. You can have a penalty box, so you can set a lower priority for a specific IP address. Lower priority peer-to-peer traffic, and this supports things like Aimster, BitTorrent, BuddyShare, lots of different ones in here. I don't know how many of them besides BitTorrent are relevant anymore. How is Napster still in there? I don't know how much Napster traffic we're really seeing. We'll go ahead and click next. Well, the bandwidth, catch all, enable for all uncategorized traffic; units, let's just say a percentage. Don't let it go to 90. Oh, actually it says between 2 and 15 is the value, so we'll put a 15, so keep that much free, I believe is what it wants. Prioritize gaming traffic, sure, let's create queues for all these to make sure my gaming traffic is prioritized. It actually has a few old school ones in there; it's got Unreal Tournament, Wolfenstein, and some newer ones in here too, so next. Enable or not raising protocols, sure, let's say we have MS RDP and VNC; we want those to be high priority protocols. It's got a bunch of other ones in here. Get DNS, why not have DNS at a higher priority? Let's have ping at a high priority. If you're passing SMB, keep it at a high priority, next, finish. And it just created all the rules.
It's back over here to the traffic shaper. Here are all the rules. Here's the queue for the games, other, and let's take a look here at related status. And what this is doing is measuring the bandwidth going through each of these queues, and automatically it is doing what we wanted to do from the wizard. That's how quick it is to set up the QoS on it. So you can build rules that prioritize your VoIP traffic, and actually leaving the rest blank is most frequently what we do for our clients. They just need the VoIP to work properly. This firewall has no problem doing it. I often will put whoever their SIP provider is in the SIP provider field, to make sure it understands that that SIP fully qualified domain is the right one. But it's that easy to set up traffic shaping in this and tweak it; you can then go inside of here and actually tweak some of the settings directly. Like I said, I'm not an expert at actually using all the different queue limits, but you don't have to be; you know, just rerun the wizard if you need to. And if you didn't want the traffic shaper on anymore: remove, done, queues are all gone, nothing needs to be done, you're all set, and you can just run the wizard again. And it does have a multiple LAN/WAN option and a standard dedicated LAN/WAN for the wizard for traffic shaping. So pretty straightforward to use.

So let's jump over here to captive portal. So that's all we have on the firewall list. Captive portal, it's really interesting that they put this in here.
So we're going to create a test zone: testing. Enable. And we're going to put this on the LAN. Now what this allows you to do is, like, when someone logs onto your network they can go in and have an authentication web page that comes up for them, and it's got lots of details so you can really fine-tune this: idle timeout, maximum concurrent connections. So this is used in coffee shops, for example, where you want them to go to a splash page, agree to some terms of service, and once they agree to the terms of service they get on the internet. But this goes a lot further than that. So here's waiting periods, logout popup windows, pre-authentication and after-authentication redirection. Usually you want to redirect them to some type of landing page with your specials. You know, we've set this up in schools too, and it works really well there, and you can set passwords. It also has built-in default bandwidth upload limitations and download limitations, so you can use a per-user bandwidth restriction and put the restrictions in here. It has a voucher option and RADIUS authentication, so if you have an external RADIUS server there's a couple different options there, but the local vouchers is the one we're going to talk about here in a second. Create your own HTML file: kind of clever. You download this little template and customize HTML around it. These are a couple parameters that can be passed around there for a username and password, an error page and a logout page. You can upload all those here, and once you have all those uploaded to the system you can also push in certain files and things like that. It also has a CSS direction, so once you load your assets and create some photos you can actually load them into pfSense and it'll serve them up.
This is our authentication page, blah, blah, blah, and away you go. So the vouchers part, that's where this gets pretty interesting. It has the ability, and these are some of the keys you can use, and we can do them three, four, five, six characters, and you pick a character set to use. The default character set is everything but O and zero, 1 and l; it removes them because they're ambiguous. And you can generate the keys, generate an entire voucher set, for example a series of numbers to hand out to people. So this voucher, you say the voucher is valid for however many minutes, or however long you want them to log in, and then once they get disconnected they have to put a new voucher in. It's really integrated well into here, so you can have the tickets, all of this in here. It also supports an external database. Now I don't have all the details here, but I think there's some forum post on how to set this up. But still, really clever if you wanted to have a ticket-based system to hand out internet, you know, in a metered way to clients that come in, or let's say a hotel where they get a voucher assigned to them based on their stay. You can give them a voucher number, it expires, and now everyone has a unique trackable system so you understand who got on and when, and it's easy to kick them off so you don't have people leeching off your system. And over here is that file manager that we were talking about, where you can upload some of the assets, such as pictures or whatever else you want to upload for the web serving part of it. You also can do things like allowed hostnames or allowed IP addresses or allowed MAC addresses. You can just copy your own MAC address and permanently pass you or permanently block you. This is really clever when setting up the school networks, because we just had each of the teachers log in real quick, copy their MAC address in here, and boom, boom, boom, their systems automatically pass based on their MAC address. I know it could be spoofed, so I'm not saying a MAC address can't be spoofed, but it's a system of convenience unless they really know the MAC address on there of what's passable. It makes it really easy to say these computers or devices get on automatically, or when you have devices like a Chromecast, for example, or other IoT devices that you want on here to bypass the voucher system. Well, then you want them automatically in this list; that way they can't just jump on the network and have internet access. So that's the captive portal. The system does support DHCP relay across different interfaces. I've rarely ever had to use this; one time at a client. If you have it in the middle, you have a head-end DHCP server and another subnet, you can have this pass the DHCP services across and have a destination where they get forwarded to. So that's DHCP relaying. I'm going to jump over here to my firewall to show you the DHCP server, because we have reservations and more things set than I do in my demo server. So here's the DHCP server: enable DHCP server on LAN interface. You choose one for each interface, so you can turn on DHCP on LAN, WAN and all the different ones that are set up. You can add additional pools, so if you had different areas you want, like one range and then another range from there. Options: override the default gateway, override a lot of different things. So if you had something else you want to put in here, that is definitely an option. Enable static ARP entries, so you can actually create some persistent ARP entries in there. Change DHCP server to UTC or local time. Enable in the graph, dynamic DNS, MAC address controls: you can actually filter to deny certain MACs or ranges of MACs, which is kind of cool. NTP servers, which I have in here as well. TFTP servers, which I'm actually using because we have a TFTP server on the network. And network booting options: this is really clever. So with the network booting I can specify the BIOS file name.
It's fully UEFI compliant as well, which not all DHCP servers understand; UEFI is built in here. And this is actually part of a network boot system we have set up on our network. So that's the other thing I want to show you here. So we actually put this information in: we have the server, the file, the boot files, and this is all supported in pfSense's system. We can also go here to advanced; if you have a few other boot DHCP options, those can be added in here as well. And down at the bottom we have a few static reservations for things, and let's talk about how those got added. So I actually can go here to related settings, I'm sorry, go to Status, and if I wanted to, here's our Amazon Echo, happens to be at the top. I can add a Wake-on-LAN mapping, or I can add a static mapping, and I just click this. It brings me to the static page for this particular device, Amazon Echo. I type in an IP address that's not in the range. I can override anything in particular about this, including what TFTP server it gets. So this is kind of clever, for example if you want one network, and your phones are all on the same network, and you wanted them all to have different TFTP servers for your phones versus some of the other devices. You can actually assign all that in detail to each one. Another kind of novel thing: if it senses the device has Wake-on-LAN, that shows up here too. So things that have Wake-on-LAN I can actually send a Wake-on-LAN packet to, and this adds a Wake-on-LAN mapping. So we can actually do this: LAN, save. And this brings us over to the Wake-on-LAN part, which we'll just jump to right now. So DHCP server: really extensible, very well done. One side note, and I'm going to jump here real quick, about this 192.168.3.0 to 3.239 range: when you change the LAN IP range you have to go in here. You'll get an error that you have to go back and change this. So you change the LAN IP first, then change this. If you change this first it'll tell you it's outside the subnet.
So you actually have to change the IP address first, then you go into the DHCP server and edit it. Just a little side note there, but like it's pretty, pretty straightforward. Wake-on-LAN: we'll just jump to this real quick. You can add Wake-on-LAN mappings, you can wake all devices, add a list of devices here. Kind of neat that they did this. You choose which interface you want to push that across. This one, because it's already a mapped one, already has it in there, and you can just press that and it wakes up the device, edit the device, or go ahead and delete the device. Next on the services list: DHCPv6 relay, server and RA, both those are in here. DNS forwarder is the old DNS server. It's still in here, but by default it's not enabled. I don't know if they're going to remove it from future versions, but it's no longer the default. Everything's moved over to DNS resolver. DNS resolver is really nice: DNSSEC support, a lot of options in here. We're going to go ahead and view it over here. So a lot of options in here. These are all the defaults; everything works perfectly fine as defaults. It also has an option, like I'd mentioned before, pfSense has a lot of these, a custom options box. This is where you can pass options directly to the service, from the command line so to speak. So if I want to add some option it didn't have a checkbox for, you can do that. But the clever thing you can do is this here. So we're going to call this test, and let's say we wanted to do this, and this is a test server. Apply. Now what this has done is test.launchsystems.com will return this IP address. This is really handy when you want things that have external mappings; you may not want to use NAT reflection on them, but you want to make sure they resolve internally. You can simply put them in here. So there's the host.
There's that. You can also just do a domain override, where you can take a domain and override it to a different IP address. Now this actually works as well for things like Facebook: if you put a domain like facebook in here and then redirected it to localhost, you could redirect it to somewhere else when they're inside the network. So it's a real quick way to simply add mappings inside of here. We actually have a bunch of stuff internally mapped, uh, because everything in our office is web-based, so this is an easy way for us to map all those web-based things that are internal, but we still want them to have hostnames attached to them. More customizations under the advanced settings, all of our options. You can get really fine-grained detail in here, including some of the logging levels and things like that. You can also create access lists for who you want to allow access: allow, deny, deny nonlocal, refuse nonlocal. More options here, once again. So maybe you only want a certain segment of the network to be able to ask your internal DNS. That's definitely an option here for the firewall customizations or for the DHCP server customizations. UPnP is completely supported. So if you have a device, and this has come up a couple times where people can't get all the mappings to work right for things like an Xbox or a PlayStation, because they support UPnP.
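As an added example, not code from pfSense or from this video, here is a Python script that checks a config.xml backup offline for the two DHCP mistakes the walkthrough describes (a static mapping that lands inside the pool, and a pool that ends up outside the subnet once the LAN address is changed) and for DNS resolver host overrides whose IP does not parse. The element names (interfaces/<if>/ipaddr and subnet, dhcpd/<if>/range and staticmap, unbound/hosts) are my assumption about pfSense's config.xml layout, and the sample configuration is constructed.

```python
"""Offline sanity check of the DHCP server and DNS resolver sections of a
pfSense config.xml backup.

Added example code, not part of pfSense. It assumes the config.xml layout
as I know it: interfaces/<if>/ipaddr + subnet, dhcpd/<if>/range and
staticmap, and unbound/hosts entries; verify the element names against a
backup from your own firewall. The sample config below is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """\
<pfsense>
  <interfaces>
    <lan><ipaddr>192.168.3.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <dhcpd>
    <lan>
      <enable/>
      <range><from>192.168.3.100</from><to>192.168.3.239</to></range>
      <staticmap><mac>aa:bb:cc:00:00:01</mac><ipaddr>192.168.3.20</ipaddr>
        <hostname>echo</hostname></staticmap>
      <staticmap><mac>aa:bb:cc:00:00:02</mac><ipaddr>192.168.3.150</ipaddr>
        <hostname>phone1</hostname></staticmap>
      <staticmap><mac>AA:BB:CC:00:00:01</mac><ipaddr>192.168.9.5</ipaddr>
        <hostname>printer</hostname></staticmap>
    </lan>
  </dhcpd>
  <unbound>
    <hosts><host>test</host><domain>example.com</domain><ip>192.168.3.50</ip></hosts>
    <hosts><host>bad</host><domain>example.com</domain><ip>not-an-ip</ip></hosts>
  </unbound>
</pfsense>
"""


def _text(elem, path, default=""):
    """Text of a child element, or `default` when it is absent or empty."""
    if elem is None:
        return default
    value = elem.findtext(path)
    return value.strip() if value else default


def check_dhcp(root):
    """Findings for every DHCP-enabled interface (empty list means clean)."""
    findings = []
    for dhcp_if in root.findall("dhcpd/*"):
        name = dhcp_if.tag
        if dhcp_if.find("enable") is None:
            continue  # server disabled on this interface
        iface = root.find(f"interfaces/{name}")
        try:
            subnet = ipaddress.ip_network(
                f"{_text(iface, 'ipaddr')}/{_text(iface, 'subnet')}", strict=False)
            lo = ipaddress.ip_address(_text(dhcp_if, "range/from"))
            hi = ipaddress.ip_address(_text(dhcp_if, "range/to"))
        except ValueError as exc:
            findings.append(f"{name}: unparseable interface address or pool ({exc})")
            continue
        # The error the GUI raises when the LAN address is changed after the pool.
        if lo not in subnet or hi not in subnet:
            findings.append(f"{name}: pool {lo}-{hi} is outside {subnet}")
        elif lo > hi:
            findings.append(f"{name}: pool start {lo} is above pool end {hi}")
        seen = {}
        for sm in dhcp_if.findall("staticmap"):
            mac = _text(sm, "mac").lower()
            host = _text(sm, "hostname", "<no hostname>")
            if mac in seen:
                findings.append(f"{name}: MAC {mac} mapped twice ({seen[mac]} and {host})")
            seen[mac] = host
            try:
                ip = ipaddress.ip_address(_text(sm, "ipaddr"))
            except ValueError:
                findings.append(f"{name}: static mapping {host} has no valid address")
                continue
            if ip not in subnet:
                findings.append(f"{name}: static mapping {host} ({ip}) is outside {subnet}")
            elif lo <= ip <= hi:
                findings.append(f"{name}: static mapping {host} ({ip}) collides with pool {lo}-{hi}")
    return findings


def check_host_overrides(root):
    """Findings for DNS resolver host overrides whose IP does not parse."""
    findings = []
    for entry in root.findall("unbound/hosts"):
        fqdn = f"{_text(entry, 'host')}.{_text(entry, 'domain')}".strip(".")
        try:
            ipaddress.ip_address(_text(entry, "ip"))
        except ValueError:
            findings.append(f"unbound: host override {fqdn} has invalid IP "
                            f"{_text(entry, 'ip')!r}")
    return findings


def audit(config_xml):
    """Run every check over a config.xml document and return the findings."""
    root = ET.fromstring(config_xml)
    return check_dhcp(root) + check_host_overrides(root)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```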
You can turn that on and it allows all the different protocols: UPnP, NAT-PMP, NAT-PMP port mapping, what interface is going to be external and what internal interfaces. Now this is actually kind of cool, because it does support, like, we created the OPT VLAN. If you wanted to put your gaming systems on the OPT VLAN and then only allow UPnP on the OPT VLAN, or IoT devices in general that may use this, this is a great way to do it to keep your network secure. So you put everything on its own VLAN, and then you can enable UPnP not globally but just for the interfaces you want. You can select multiple interfaces holding the Control key, in case you wanted it on more than one interface. There's also some restrictions for traffic shaping, logging, uptime, um, specific entries that you can do for UPnP access control, so you can really narrow down what's allowed to do this. Now this does have the option for a PPPoE server; I've never set one up. I don't have a lot of use cases for it, but it's got all the options in here if that's something you wanted to do. NTP serving, if you wanted to have your own time server. This is kind of weird, because they didn't just put a time server in; they let you choose different pools. Cool. You can add more than one if you want, so we can add this one here, and you just put another one in, so whatever the other ones are you can put in each one, go from there, select or prefer it. So you can put a whole lot of different time servers in, and that's neat. Common access controls for your time servers, kind of cool. Serial GPS: this is weird to me that they put this in here, but great that they did, I guess. It has a few different generic ones depending on the protocols used, and Garmin GPSes; you can plug a GPS in and have it pull this for your timing. I don't have a good use case for it. Maybe someone does. I think maybe some ham radio operators might want to use this, where they're in a remote location and need some type of time sync with the firewall.
I'm kind of not sure on that, but it's kind of cool. It's been in here for a while, even in previous versions. IGMP proxying: that's an option in here. Load balancing: now this is really cool. The load balance options, and I've got a couple things set up in here for load balancing SMTP. If we go here and edit this, what this is, it's not load balancing outbound traffic; this is load balancing inbound traffic. And let's say you have three mail servers because you have some incredible volume of mail coming in. You can actually take the servers on and off the list here, and it can load balance the incoming traffic to those servers. And it doesn't just support SMTP; we call that mail server, you choose the port. I mean, you could choose port 443 and have it load balance things on the SSL port; you can have it on port 80 for standard HTTP. Pretty neat. So it's definitely got load balancing options in here. I've not really used it much. It also lets you tie them together as a virtual server and then monitor; how do you want to monitor it, the different options in here. It's not something I've really used much of, but it's definitely an option here. There's some documentation on their site, which of course, I think I pointed out before, you just click the question mark and it'll bring you right to the documentation page for any of these options. So they have all the little details of how to set that up. Dynamic DNS is the last part we'll cover under services for now. If you, you know, have a changing IP, set up dynamic DNS. So DynDNS is a specific company; it's very popular for this and they're supported in here. So is Hover and Namecheap and No-IP, No-IP free. Just OpenDNS, tons of companies, ZoneEdit, Cloudflare, custom, a lot of stuff in here as options, uh, which is kind of cool. So it changes the menus based on the different companies: username, password, and we'll do it. And you can put more than one; you can have multiple providers in here, which is really clever.
It also has some specific options for things that are just RFC 2136, which is the dynamic DNS RFC. 2136, we'll click here and it'll bring you to that page and get the details, the internet standard for that protocol. So it's got some standardized options in there for that. It also has check IP services. So I thought this is kind of cool: it's checkip at DynDNS, they're going to actually go there, it tells your IP address, so you can actually add more services that do that, and it's a way to parse it and just get that information for your system. Moving on to VPNs. Now it supports IPsec. So here's all your standard IPsec settings. It has mobile client options, pre-shared keys, and some advanced settings for some of the details in here. Not an IPsec expert; it's been a long time since I set one of those firewalls up. It does have L2TP in here. You can enable the L2TP server, bind it to one of the interfaces and configure that. It has its own user manager for the L2TP server, which I think is kind of neat, because OpenVPN, which we have set up here, uses the internal database by default. Now you can use some of the other options; we're going to show you that here now. Here is the OpenVPN with one already set up to use the local database with remote user auth and some of the options. Now I've done an entire tutorial on how to set these up, and I really recommend when you want to set one up, especially like a road warrior one, use the wizard. The wizard will start with the question of: are we doing local user, LDAP or RADIUS? We're going to local user database. It'll have you create a certificate authority. We don't need to add one.
We'll just use the same one again. Next. Now we already have one on 1194, so it's going to give me an error if I choose this port, or I could choose a different port to bind it to. And it'll run you through all the default options, and they're pretty much fine. Like I said, I have a tutorial on the details on how to do this, but when you're done you end up with OpenVPN being completely set up and ready to roll through the wizard. Now the one thing I added, over here in the package manager, is this OpenVPN client export utility. Absolutely, if you're going to use VPN you're going to want to load this. Let me show you why. So that puts in and adds these menus here. This is client export, and we scroll down, and this is where it's really neat, because the OpenVPN has a Windows installer that inline puts everything I needed to authenticate that user, except for the username and password, in there. So I go and create a user in the user manager, and then I go and install the VPN; they run it and away it goes, it installs VPN. They type in their username and password. Now if you do the password a little bit differently, this is remote user but no SSL; if we use remote user SSL, that means create a certificate per user. Now even if it's just remote access user, you still have the other keys and certificates that are needed to connect; it's just not a per-user certificate. So when we're over here doing it, it shows certificate name: none. It actually still has the cert for the system. Now if you add certificates per user, each user will show up, because you'll have to download each user and their certificate. And this of course supports OpenVPN Connect for Android. Inline client, which basically just means an inline file that has everything all contiguously in one file. That actually works great for Linux.
You can just go from the command line: if you download the full one, type in openvpn, space, the file name, with sudo, or make sure you're running as root, and it'll connect your Linux box to that. So OpenVPN is my favorite one to use in here. It works really, really well and has a lot of options. Now because we have this VPN set up, it shows up under our firewall rules as OpenVPN, and by default we have, and I called it OpenVPN demo wizard, the wizard creates the rules for you. There's a secondary way that you can add even more rules, like if you wanted the OpenVPN to also act as a gateway. When we're over here in the interface assignments, you can actually add it as a network interface, so ovpns1, demo VPN. It will add that as another interface, so it can act as another interface to add rules to and against, and each server you add also can break out more rules that you can add against. In my demo video for this I kind of detail the use cases for that and when you have to do it, and I walk you through a tutorial on that. So that's pretty much the whole VPN setup, and then the user manager for it; of course, it's just the standard user manager. Now the status menus are just a repeat of what was already the status, as you could see for most things. Like, you know, this is the settings for the DHCP, and then this is going to be the related statuses for the DHCP, and it's all inherent. So we have your DHCP leases, your filter reload, the gateway statuses, interfaces, everything that you've seen mostly as we've been going through this. When we click on a status page, you can see it's right here; this is just a different way to get to it versus clicking up at the top right here. A couple things that aren't in here, though, is like the services page. Now this is the same like we have on the dashboard, we have the services, but if we go to status, services, you get a few more options: just to restart the service, jump to the settings for that service, related status and related log entries.
So it's kind of a quick way to say, okay, these are all the services that are running, I want to jump to the options. So if I want to jump to the options page for the DNS resolver, that takes me right there, and this is the log entries for the DNS resolver. So it's a quicker way to do that. So that's on status. Traffic graphs: this is kind of an expanded view, like you've seen here on the dashboard we have the traffic graphs. It lets me choose a little more detail of things I want to see: your WAN, local, remote, where things are going, sort by address, hostname, fully qualified domain. So as I access things that go through the network I can kind of filter and see in real time what's going through here. The other thing in the status is the system logs; they're actually under status, not diagnostics. Kind of thought that was a little strange, but it's really where they put them, and this gives you all the logging options so you can detail and go through them. You'll always notice you have the plus here, and this allows you to use regular expressions to filter anything that's in there: filter by time, process, PID, whatever you need to do on the firewall to take a look at that. Now while you're here, and we started at system, we go to settings. You can change this over here and increase the log file size, and I usually check this box here, which shows log entries in reverse order, at the top. I like them at the top. But you also have some more options in here if you want to display as a second row column, how you want the logs displayed, reset the logs, and the option to send everything to a remote logging server. So I hit save. Make the size even bigger, I had the wrong number in there. Changes have been applied, and now the log files, it tells you about the approximate size of the log file here. Disk space currently used is 579 of 149 gig, which is how much is on here for extra storage.
So now when I go to the rules, here's all the things in there, and that's displaying the latest one at the top. I just think that's better. It also has a summary view for the firewall, which is kind of neat. So it'll tell you interfaces, information about those interfaces, data points, the IPs it's traversing through; kind of a quick summary page of the firewall. The dynamic view has an auto update; I think it's every 10 or 20 seconds, it'll refresh and put the latest entries in here. But everything in here has different options. So like your OpenVPN rules, when you're looking for something you can find it, use a regex to find a specific thing. This is really handy for troubleshooting, because you go through here and you just follow all the messages in there, and it's nice too because right here it's around OpenVPN, now we're at the OpenVPN. So you can jump right between the log and the settings, or even the status pages between there, to make sure the service is running. Really, I like the way pfSense does this right here, because now I can just change the setting, log the setting, is there an error, without having to jump through any of the menus, and it keeps me all related to what I'm looking at. So I can go, okay, I need to check this and do that. It's kind of a nice design and layout of the firewall. Lastly, we'll cover the diagnostics pages. We have an ARP table, so we can look up all the ARPing going on, delete entries, things like that. Authentication testing: this is clever. You have local database options, so if I want to know if a password works, and it does. Let's try, what about this guy? Authentication failed. Kind of novel. Backup and restore is awesome on this. So all we've got to do to back this firewall up: we're going to save the entire config file, hit save now.
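The firewall log the walkthrough searches with regular expressions and ships to a remote logging server is the filterlog stream. As an added example, not pfSense's own tooling, here is a Python parser for those lines with a summary of blocked traffic per source, the sort of check a remote syslog collector would run; the field order is my assumption about the pfSense 2.4 filterlog CSV layout and should be confirmed against your own logs, and the sample lines are constructed.

```python
"""Parse pfSense filterlog lines and summarise blocked traffic.

Added example, not pfSense code. It assumes the filterlog CSV layout as I
know it from 2.4: rule number, sub-rule, anchor, tracker id, interface,
reason, action, direction, IP version, then the IPv4 (tos, ecn, ttl, id,
offset, flags, protocol id, protocol, length, src, dst) or IPv6 (class, flow
label, hop limit, protocol, protocol id, length, src, dst) fields, then for
TCP/UDP the source port, destination port, data length and (TCP) flags.
Check the positions against your own logs. The sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?: (?P<csv>.+)$")

SAMPLE_LOG = """\
Nov 20 10:15:01 pfsense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Nov 20 10:15:02 pfsense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51235,23,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
Nov 20 10:15:03 pfsense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12347,0,DF,17,udp,78,198.51.100.7,192.0.2.10,40000,53,58
Nov 20 10:15:04 pfsense filterlog[12345]: 9,,,1000000110,igb1,match,pass,out,4,0x0,,64,12348,0,DF,6,tcp,60,192.0.2.10,203.0.113.9,50000,443,0,S,1234567892,,65535,,mss;sackOK;TS;nop;wscale
Nov 20 10:15:05 pfsense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8::10,51236,22,0,S,1234567893,,65535,,mss;sackOK;TS;nop;wscale
Nov 20 10:15:06 pfsense sshd[100]: Accepted publickey for admin from 192.0.2.20
"""


def parse_filterlog(line):
    """Return a dict for a filterlog line, or None for any other syslog line."""
    match = FILTERLOG_RE.search(line)
    if not match:
        return None
    f = match.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4], "reason": f[5],
           "action": f[6], "dir": f[7], "ipver": f[8]}
    if rec["ipver"] == "4" and len(f) >= 20:
        rec["proto"], rec["src"], rec["dst"] = f[16], f[18], f[19]
        rest = f[20:]
    elif rec["ipver"] == "6" and len(f) >= 17:
        rec["proto"], rec["src"], rec["dst"] = f[12], f[15], f[16]
        rest = f[17:]
    else:
        return None
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
        if rec["proto"] == "tcp" and len(rest) >= 4:
            rec["tcpflags"] = rest[3]
    return rec


def blocked_by_source(log_text, direction="in"):
    """Count blocked packets per (source, destination port) in one direction."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["dir"] == direction:
            counts[(rec["src"], rec.get("dport"))] += 1
    return counts


def noisy_sources(log_text, min_ports=2):
    """Sources blocked on at least `min_ports` distinct destination ports,
    a simple signal that one address is probing several services."""
    ports = defaultdict(set)
    for (src, dport), _ in blocked_by_source(log_text).items():
        if dport is not None:
            ports[src].add(dport)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    for key, n in blocked_by_source(SAMPLE_LOG).most_common():
        print(f"{key[0]} -> port {key[1]}: {n} blocked")
    print("noisy:", noisy_sources(SAMPLE_LOG))
```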
We've downloaded the config file for it. By default it wants to back up everything, but I can just back up a specific thing. So if I know all the aliases we created are relevant to another firewall, I can say just give me the alias file, just give me the settings for DNS resolver, so on and so forth, just give me the settings for OpenVPN, and it will do that, including the CA information, which will get tied in there as well. I always, when I'm doing backups, I do an all backup. Restore is much more fine-grained. So if you have a backup from another firewall and you want to push it to another firewall, you can restore only what you want, like static routing tables or the aliases, for example. So I always do a backup of all, but when I'm doing a restore sometimes I want to do a selective restore. You just do that, it reboots, and away you go. You can encrypt the file; probably not a bad idea to keep it password protected, especially if your VPN's in there, because if someone has your config file they can extract your VPN credentials and logins out of it. And if the file is encrypted it has the password option here, and the same thing: you put the password here to create the file. It also has an option at the bottom just to reinstall the packages. This gets a step further of cool when you go here to config history. Now this little plus here, by default it's keeping 30 backups, but you can override that and change it. It tells you how much backup space is being used. This is where it gets neat, because you can diff these. So: change system logging options, configuration change, pfSense diff. This is an XML file; it will do the diff of what changed. It also tracks who did the changes, uh, whether it was the system or if it was admin, whoever changed the rule options, are all in here. So let's do a diff between, like, these two. See more rule changes, diff. It highlights the changes between the two versions.
Now the cool thing too is these logs, let me bring this back over here, and we're going to go to restore configuration, list backups, and they're all listed here on the console as well. So I can read and say I have one, two, three, four; I can just type in the, uh, restore backup on there and restore to a previous configuration right from here. It'll restart the firewall and have that configuration back in place. So it works both ways, from the command line too, and if you do something to lock yourself out, it's easy enough to go back in and do it. Going back down the list here: command prompt. You can grab a file, so /conf/config.xml is the location of that config XML file. Download: I can pull the file right out of here. If you know where a file is you can just type that in, hit download. If you want to upload a file you can do that, and, uh, you can do this too: it likes PHP commands. It will do commands in a shell, so pwd, it works out of /usr/local/www. You can actually do an ls in here too; it'll dump this right to the screen. So you can execute commands without actually logging in. DNS lookup: you can just do this real quick and look up, uh, anything you want. Kind of clever. So there's Google's mail server, here's the name servers that are used, here's the results from that and the records related to it. You can, from here, quickly build an alias on that record. This is really handy when we log in to clients when they're saying they're having a problem on their network; we can use this to quickly look up to see how it looks from their network. Factory reset, edit file. Edit file is kind of like it sounds; it actually lets you edit a file. So if we went /conf/config.xml, load, we can load that file in here, edit and save it. If you want to edit anything in the firewall manually, if you know the location of it, it does have a browse option so you can pull certain files and edit them. Factory defaults is like it sounds; it'll reset the system to factory defaults. It is a two-step process.
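The config history diff described above compares two XML revisions and records who made the change. As an added example, not pfSense's own implementation, here is a Python script that flattens two config.xml revisions into leaf paths, reports every changed value and reads the revision metadata of the newer file; the revision/time, revision/description and revision/username elements are my assumption about pfSense's config.xml, and both sample documents are constructed.

```python
"""Diff two pfSense config.xml revisions, reporting changed leaf values and
who made the change.

Added example, not pfSense code. It assumes config.xml carries a
revision/time, revision/description and revision/username block; the two
sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

OLD_CONFIG = """\
<pfsense>
  <revision><time>1511000000</time><description>initial</description>
    <username>admin@192.0.2.20</username></revision>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><any/><port>1194</port></destination>
      <descr>OpenVPN demo wizard</descr></rule>
  </filter>
</pfsense>
"""

NEW_CONFIG = """\
<pfsense>
  <revision><time>1511000600</time>
    <description>/firewall_rules_edit.php made unknown change</description>
    <username>admin@192.0.2.20</username></revision>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><any/><port>1195</port></destination>
      <descr>OpenVPN demo wizard</descr></rule>
  </filter>
  <aliases>
    <alias><name>mailservers</name><type>host</type>
      <address>192.0.2.25</address></alias>
  </aliases>
</pfsense>
"""


def flatten(elem, prefix=""):
    """Map every leaf element to its text, keyed by path. Repeated siblings
    get an index so two rules on the same interface stay distinct."""
    leaves = {}
    total = Counter(child.tag for child in elem)
    seen = Counter()
    for child in elem:
        idx = seen[child.tag]
        seen[child.tag] += 1
        label = child.tag if total[child.tag] == 1 else f"{child.tag}[{idx}]"
        path = f"{prefix}/{label}"
        if len(child):
            leaves.update(flatten(child, path))
        else:
            leaves[path] = (child.text or "").strip()
    return leaves


def diff_configs(old_xml, new_xml):
    """Return the changed leaves between two revisions plus the revision
    metadata of the newer one. Each change is (path, old_value, new_value);
    None means the leaf is absent on that side. The revision block itself is
    excluded, since it always differs."""
    old_root, new_root = ET.fromstring(old_xml), ET.fromstring(new_xml)
    old, new = flatten(old_root), flatten(new_root)
    changes = [
        (path, old.get(path), new.get(path))
        for path in sorted(set(old) | set(new))
        if not path.startswith("/revision/") and old.get(path) != new.get(path)
    ]
    return {
        "by": new_root.findtext("revision/username", default="unknown"),
        "description": new_root.findtext("revision/description", default=""),
        "changes": changes,
    }


if __name__ == "__main__":
    report = diff_configs(OLD_CONFIG, NEW_CONFIG)
    print(f"{report['by']}: {report['description']}")
    for path, before, after in report["changes"]:
        print(f"  {path}: {before!r} -> {after!r}")
```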
So, uh, you can't just click it; you then have to go another step further here. Halt system: like it sounds, turns it off. Limiter info: that is, if you have any of the limiters set up under the queues for the traffic shaping, it will give you the details on there. NDP tables. Packet capture: this is pretty cool. You can grab a certain interface and turn on promiscuous mode. It has some limitations on that; I've noticed only one of the cards supports it. But you can grab all the data, a certain count, level of detail: full, you've got to have a fast enough machine to be able to do this. Do reverse DNS lookup on IPs, how many counts of packets, packet lengths, report on a specific host address, specific protocol, or IPv4 only, for example. And then you can do a full packet dump and then download the file out of the system. pfInfo: this automatically refreshes, uh, here, so you have some nice network statistics on here. pfTop, so you can see some of the connections; sort by age, sort by, uh, expiration or packets. Reboot, well, that's pretty obvious. Routes show your routing tables. This is really handy when you're trying to sort things out and make sure the routing tables are there without having to drop to the command line, and you can see, you know, all the different options when you're going, okay, these are all the route tables, this is everything in here. When you're troubleshooting VPNs, this is your best friend. SMART status.
I'm going to jump over to my firewall for this. I only have one hard drive in my firewall; I didn't feel the need to make it redundant. But I can actually go here, go to all, hit view, and it dumps the entire SMART status of my hard drive and all of the details in here. It also has self-test logs. You can perform a self test on there, the different options that are related to SMART, and which hard drive you want to test. Sockets: these are all the socket connections on the firewall directly. States: you can see every individual state and connection and forcibly delete them. Now, of course, these are just standard state tables; they'll reestablish, but at least you can see what states are there and search for them. Finding something when you're tracing something out, this is really handy. System activity: essentially like top, and it's real-time updated. This is kind of neat: these are some of the database tables that are in here. So we added these ones, like we added NVR recorder and a few others that end up in here. So, uh, these are the NAT subnets that were added. Kind of weird that it's in here, but kind of novel at the same time: bogon networks. These are essentially database tables inside the system. Now test port: I like this a lot. So if we go here, and we know that's Google's mail server, and we put in port 25 and we hit test, it successfully connected to Google's mail server, port 25, and down here are the results from that. Now this is kind of cool because it lets you choose the different options and source addresses, so you can actually come from whichever address you have available, IPv4, IPv6, and do some port testing. It always works for internal devices as well as external devices. And then we have traceroute, so we can do a source address, LAN, LAN, uh, whichever one we want to go on there. Well, now we're going to do reverse lookups and hit traceroute, and it'll do a traceroute and dump it to the screen. And it looks like it didn't make it all the way to the destination, but it made it a few hops out and dumped some details on here. But it's not a built-in function on there. So that's pretty much it for pfSense. I will cover one last thing here, a package that I added, to show you, because these are ways the packaging works in a little bit more detail. So we added iftop, and you may not have seen iftop in any of these lists, but I added it. Some of them, and this is where you have to look up each package itself, will do different things. Like iftop, for example, is a command line package, so it runs here. The OpenVPN client export tool shows up under OpenVPN. So let's go back to package manager and look for another one. Let's look at darkstat. Install this, confirm. Package is installed. Darkstat shows up over here. So here's the darkstat settings; we click to enable. We're going to use this as the capture and web interface. Save and access it. It's added the interface locally, put it here. Here's some of the hosts; it started collecting data right away. So this is the one thing maybe a little bit confusing about pfSense: whenever you add a third-party package there's not a consistent place third-party add-ons go. You have to look up the packages you're adding, and when you want to add them in here you want to see where they're going. While I was doing this there's a new version of pfSense, so let's go ahead and show you how the update works on this. We're going to go ahead and get it, confirm, and this is all there is to updating it. It's really fast; it doesn't take long. It's downloading the files. This is normal; it kind of swings back and forth while it's doing the updates. It says update complete, rebooting.
So I drag this over here. Update is complete, rebooting. So you're getting this broadcast message on here because we had iftop open. And it does take a second now. We have a countdown here, and it's going to count down how long it's going to take to reboot. It's already in a reboot mode over here. Now when it reboots from an update, occasionally it'll pause and extract some extra files that it added. That varies from update to update, how long that may take, if there's really much to it. It'll also update the packages; there'll be a message somewhere up here that it's doing that. Yep, here's the extraction part for the files that we downloaded. Well, it downloaded automatically. And that's it. Updates done, configuring WAN interface. It'll be back up and running here in just a second. And it's back up and running, that quick for an update. It's really not a big deal, and just in time, because this says seven, six, five, four, three, two, one. Rod of patience.

And now the system's on the latest version. Updates are pretty pain-free in here; I've never really had a problem. We don't mind even doing them remotely. They've... even with some of the different hardware, not necessarily all hardware that's from Netgate, we've not had a problem with it. It's a really flexible system. The nice thing is, too, you can restore an older backup file. So if we have a machine that does brick upon update, we replace it and just push their backup file, and everything's back to normal like nothing ever happened. Not been much of a problem.

But, uh, that was it for pfSense. It's a good overview of all the systems in here. Like I said, I have some separate videos on some specific things. A lot of people like to talk about Suricata; I did a specific video on the Suricata system. That's available; check the links, and I have an entire playlist just for all my firewall tutorial videos. So hopefully those are helpful. If there's something I missed, or something that I should make a more specific video about, let me know. If you like the content here, like and subscribe. Thank you very much.
