Tom here from Lawrence Systems, and we're going to talk about pfSense getting started, kind of a start-to-finish video for setting up your pfSense firewall, building it custom, or virtualizing, or buying the hardware. No matter which way you want to do it, we'll talk about all the methods in the beginning, then we'll walk into some of the hardware, and then we'll go through the loading process, getting it configured, building your networks. So, kind of from loaded to multiple networks, VLANs, etc. It's gonna be kind of in-depth here, but I want to go through all the features and options with pfSense and cover them so you can kind of have it all in one place.

But before we get started, first, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor-free, and thank you to everyone who already has, there is a Join button here for YouTube and a Patreon page; your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now, back to our content.

And I want to start here with a little bit of history. So pfSense is a fully open-source firewall, and for those of you that have been doing this for a long time, and especially people like myself who've been an advocate of open-source firewalls since, well, the early 2000s, late '99 I think is when I first started messing with open-source firewalls, and I was told I was crazy. Now they're pretty much very, very common. Now pfSense is used in
corporate environments. I have a separate video talking about that. There will be someone below that puts their caps lock on and tells me it's not ready for corporate, it's not really used in corporate, you're wrong, Tom. But I can tell you, because of the amount of consulting we do, the page on Netgate, and some videos I've done deep-diving where I show companies, large companies including Mastercard, hiring for pfSense professionals, I can tell you it's well used in the corporate, even the banking, markets. So I'm not here to debate that. The person with the caps lock: hi. Anyways, I'm not gonna feed the trolls today. I just want to at least mention: yes, it's used in corporate environments, and yes, it can be used in your home environment.

So pfSense is a fork of the m0n0wall project. In 2014 a competing open-source firewall project, OPNsense, was forked from pfSense; the first official release was in January 2015. So yes, I am aware OPNsense exists. That comment comes up almost every video I do on pfSense: please do an OPNsense. OPNsense is a fork with some different opinions than pfSense. I stay with pfSense because it is well supported, well documented, and I trust it very well. Now, important concept: any firewall is trust, because this is the divider between you and the internet and all the devices you may have in your network. So you have to have something solid and secure, and just because something has more features doesn't necessarily mean it's something I need. I find the features to be quite adequate in pfSense. So that's as much as I'll talk about on that topic, but I'll leave a link to this here.

Now a little bit more context on open-source security. This is pfsense.org, where you're gonna download pfSense from, and it is fully open source. This question comes up a lot as well; people say, is it really open source or partly open source? No, it's fully open source.
So I'm not sure where people get that misinformation. I usually just link them to the GitHub, or anywhere you can download all the source code. You can compile this all yourself if you so feel the need to; I am going to tell you it's much easier to go to the download option over here and download pfSense. It's already compiled for you.

Now, what does it run on? That's an important aspect. pfSense does not run on all ARM devices. It does run on the Netgate-provided ARM devices. So no, your Raspberry Pi won't run pfSense, sorry. I don't know if there's any plan to ever support something like your Raspberry Pi, but the custom ARM boards that were commissioned by Netgate, the commercial company that provides support for pfSense and makes the hardware, when you buy a Netgate piece of hardware that does have an ARM board in it, they have a custom ARM build, still open source, but they compiled it specifically for that ARM. Now those downloads, like I said, are not available directly for some other custom ARM boards that you have, and ARM is a lot different than building things on x86, because things have to be custom compiled for that particular ARM board to make it work. So the only proper ARM support that there is right now, in August of 2020, is on the Netgate devices that are shipping with custom ARM boards in them. So hopefully that clears that up.

But if you're building x86, we're gonna talk real briefly about the hardware before we get into the download part, because, well, if you're going to build it yourself and buy some parts, or maybe you have an old computer laying around and you say, this is what I want to do, is build it. I do have, and I'll leave a link to this, this Supermicro 1U box. I'm not building it because I think it's the best for pfSense; I'm choosing it because I have it laying around and it seemed like a fun thing to do a demo on. Now this has four onboard ports, which is great.
That's what you need, a few onboard ports. But let's say you have some other PC. In my 2018 video I just had a motherboard laying around that I don't have, well, it's not laying around anymore, I got rid of that old one, and I'm going to use this Intel card in this. But this is the same Intel card I had recommended before, and let me jump over here and show you; you can find this Intel card, and I'll leave a link to this, it's the 0809 to P Intel card that I found off of eBay. I think I paid around 35 or 40 dollars for it, which is still what they're going for. They're relatively inexpensive. Some people think they're worth more than they are, but you can find these relatively cheap, and they work really, really well with pfSense. These are four-port Intel cards; that gives you four spots you can plug into if you have just a standard computer, maybe an older one, because pfSense does not require a whole lot of processing power to run, even doing gigabit networking. It just doesn't require really high-end CPUs. You can plug these in and away you go, and you have four ports on that PC.

Now, buying the Netgate devices: they have a whole list of them on there, and they have all the specs listed on their site. And as I said, when you buy a Netgate device, one, you're gonna get guaranteed-to-work pfSense: no troubleshooting of, hey, I got this weird quirky problem that I ran into. This is the same thing as when you virtualize it; you have these weird quirky problems. Virtualizing is my least favorite way to do pfSense, but there are guides on how to do it. I have a guide on even how to set it up inside of XCP-ng. There's plenty of documentation on that. It's really popular to do, but be warned.
It is also the most picky way to do it, because you run into weird performance issues. That's because you're now creating a virtualization layer and then virtualizing a network interface, so there are a lot of potentially more problems with it. Someone will have their caps lock on saying they've run it with no problems for some amount of time. Yes, if your hardware lines up and everything aligns perfectly, you'll have no problems; if it doesn't, you'll spend a lot of time in forums going, why does it do this weird thing? Why does it only get really slow performance randomly? Etc.

But for commercial installs I do highly recommend buying the Netgate hardware. And if you're looking for not playing with hardware at all and you're a home user, I'm holding in my hand an SG-1100. The SG-1100 is a great box, works really, really well, and does an excellent job of up to five or six hundred megs per second. So it's not good if you have gigabit internet at home; this is going to be a little bit underpowered for you. It's not going to get full gigabit, but for, you know, right now they're about 199 or 189, just under $200, you can get a complete, well-supported box. And I have done videos that this will even run full HAProxy on here with, you know, Let's Encrypt certs and reverse proxy, so you can actually get quite a bit done with a tiny little box like this right here. Anyways, onto the build process, because you can spend more time at the Netgate site figuring out which one fits for your commercial project; they have all the speeds and everything listed on there.

So that's the commercial side. Here on the non-commercial side, I have a computer and we're just going to build it. Let's start here, and let's start with downloading and loading it. So now we can get to that part, and we want to download. We'll go here: architecture, AMD64 bit, which means it works on Intel and works on AMD; works on 64-bit processors. Are you going to load it to a USB memstick or a CD ISO?
Those are your two options that you have on there. So, and pick your download location. Now, for demonstration purposes, not for anything more than this video, refresh the page real quick; I'm going to now walk through what the loading process looks like. It's actually really straightforward. So this is not installing it on this machine next to me; this is just to show you what the installer looks like and go through the options, and there are very few of them, so this part's pretty quick.

I will mention, I've done a video on this before: Recover config.xml. If you somehow goof up, completely break your pfSense install through some level of corruption or not following documentation properly, there is a way to recover it, and I thought this is a great feature that they have built in. All the configs are all in one XML file located on here, and I've got a separate video just on recovering pfSense. But what you do is you can load the pfSense CD and recover the XML file, grab that file, and reload all the settings back in there. So there is also a Rescue Shell option, so if you try to fix a broken install, great. I've had to use this on people who forgot to back up that XML file, because you have a really easy way to back this up and a lot of people don't, so that gets used more frequently than it probably should. But if you have backups, you can just reload, provide that XML file when you're doing the install, and done, you're back to your pfSense setup, configured.

Keymap: for me, I'm American, it defaults to American, it configures the American setup, so I'm good on the keyboard layout, no problem. Guided disk setup, Auto (UFS). That's fine. I have a separate video on custom pfSense with ZFS where I talk about using ZFS if you have multiple drives. Generally speaking, Auto (UFS) is fine, Auto (ZFS) is fine. We're gonna go ahead; we have a single drive in here, just do the Auto (UFS).
I haven't had a problem with it. And now it's installing; that's pretty much gonna be it here. It goes through, installs the base, overall progress here, and depending on the speed of your machine is how fast this is going to install. This is all in real time on my Xen server, and just about done. Do you want to make any more modifications? Nope, reboot. That's it. It's gonna reboot and have pfSense up and running. That's as easy as the install goes; that part is so straightforward with pfSense.

Now I will show you what it looks like when you boot up to the first-time menu, if you need to look at it. So here's the first-time boot menu, and I fast-forwarded while it ran through all the boot process setup, and this is what the boot menu looks like once it's started up. Now the other device sitting next to me only had a VGA out; that's why I didn't try to do it here. I'm showing it through the virtual one, but when we do all the rest of the demo we're going to be doing it on this actual hardware right here, not this.

Now the one thing you may have to figure out, and you'll see it's going to be different about this because this little 1U Supermicro has so many network interfaces on it, is assigning interfaces. I only added two network interfaces virtually to this, so they're pretty easy to find, and they're both plugged in and running. But when we are trying to figure things out, which one's which, it says "up" and "up". If you have a list of them, it'll tell you which ones are up and which ones are down.
As a matter of fact, let's go ahead and take one down. Well, that actually appears to have removed it, not taken it down. But instead of "up" you get "down" anytime there's a cable disconnected. So if you are trying to sort this out and figure out which interface is which, that's how that'll go: you have to kind of go through and plug each one in and figure out which ones are up, and then you can assign the interfaces. Now if you buy one of the Netgate devices, it's kind of small here, but they're all labeled: OPT, LAN, WAN. So all the Netgate devices come labeled out of the box, especially the ones with multiple interfaces; they'll have the interfaces listed on there so you can figure out, you know, which one's which without having to go through the menus at the console level.

So now we're going to boot this up and start with the getting-started part, logging in for the first time, and go through that. So I'm going to plug this in and jump over to that. Okay, this system's booted up, running pfSense, and ready to be configured, so everything's at default. And I didn't have to do too much guessing, because I know these Intel cards quite well: if the card's facing this way, you know, with the little lip part at the top, this is igb0, igb1, igb2, igb3. So by default igb0 is going to be for the WAN and igb1 is going to be for the LAN. And I have here an EdgeSwitch, and I have done a review of this. This is the EdgeSwitch 10X; you can find it on my channel if you want to know more details about it. I just happen to have it; it was black and matched this, so that's why it's here. It's not like I'm absolutely endorsing this as the best switch to work with pfSense. I have found pfSense to work with an amazing variety of switches.
I haven't found one it doesn't work with. We've set up Cisco, HP ProCurve, lots of UniFi obviously, UniFi being one of my preferred ones, but the EdgeSwitch line works fine. So it's fully standards-compliant when it comes to things like setting up VLANs, so I haven't had any issues setting that up.

But what we're going to do now is start setting up and configuring pfSense, once you've decided how you want to do this. Now a managed switch is not a requirement, but if you want to do VLANs, a managed switch is a requirement to set up VLANs. The other option would be, because we've got, well, plenty of network interfaces on here, having each interface provide its own network. Now, doing a VLAN versus each interface providing its own network: VLANs are very convenient; I've got an entire video about VLANs, but I will mention that VLANs are a shared medium. So if you want to do multiple networks on VLANs, they do share a physical cable, so there is a bandwidth limitation. You cannot get the full amount of two networks simultaneously if they're split up with VLANs. So I'm not going to spend too much time on it; I have a VLAN video, a whole explainer on that. But we will be covering how to configure a VLAN in this particular video and how to get the networks configured.

Now pfSense by default comes up with 192.168.1.1 to log into it, and it's a self-signed certificate.
So we're going to accept the risk and continue. admin and pfsense is the login that you get from a default load. It does not ask you during the install to set up a password; it asks you nothing other than those options you set, so you have to set up the password yourself once you go through the wizard.

Now the interesting thing is it's already routing traffic. And the way you want to configure the WAN side on a pfSense, generally speaking, for most all use cases, is going to be: you want, let's say, Comcast cable or whoever your internet provider is, Comcast, Wide Open West, there are a lot of different providers, or if you're out of the country there are way more than I'm aware of, you're going to want to have that set up in bridge mode, so your WAN gets a public IP address. Or, in some cases when we're doing this commercially, the public IP addresses are statically assigned and provided to us from the provider. So that's an important aspect, but I can't really do that here; this is in my lab, so there's going to be an option that we change to allow it to work inside my lab properly.

Hostname: pfSense-youtube seems like a good name, but you can call it whatever you want. DNS servers: I like 9.9.9.9. And override DNS, "allow DNS servers to be overridden" if it's on DHCP: I do not want that to happen. Now, you're setting the primary DNS server for pfSense to use to get out to the internet, or you can just leave it blank and allow override as provided by DHCP. The options are yours. This is still different than, when we get further down in this review and tutorial, how you would set up DNS specifically for other things, and I have a couple of separate videos on that as well, but we will cover that. But I choose 9.9.9.9; choose the one that makes you happy. Next. I am in Detroit, so we're going to choose America/Detroit, but choose a time zone that works for you. So go here; I just like that Detroit's in there, it always made me happy. It automatically has a time server in there to set the time. That's great.
Configure WAN interface. Now normally, if you're a home user and you're just getting an IP address from your provider, DHCP works perfectly fine, especially when it's in bridge mode; you should get a public IP assigned to it. You have the option of PPPoE. A lot of people have a lot of questions about PPPoE, and I have no answers for you on it; spend time in the forums if you're setting up PPPoE and have problems. The reason I bring that up is because we just don't see that many of them here in the US. We really see very few of them on our clients. It does work with PPPoE; I do know there are nuances to it that I'm unaware of and have no way to stand up and test. So if you are having problems with that, I'm really not the person to ask, because I don't have a way to demo that. We're going to leave this at DHCP. But if you had a custom MAC address, you could assign that here too; maybe you have some reason you want to do that. Custom IP addresses, anything, can all be put in through here, your PPPoE or PPTP configurations.

But we are going to uncheck these boxes, which normally you leave checked. Block RFC 1918 networks means block your private IP addresses. Because this is in my lab, it's going to get a private IP address; therefore I want that private IP address not to be blocked and not to cause issues. And for people who are setting up pfSense in a lab, this is often the fix that you'll find that fixes, hey, I can't get certain things to work. And I'm like, yeah, you're probably assigning the WAN a private IP address because it's your lab, and voila, you can't do it unless you do this.
So just go ahead and change that. All right, LAN IP address. Now many home networks default to 192.168.1.1. I recommend you change this, and you can change it to any type of private IP address you want. I'm going to put 192.168.55.1 just because, but if you leave it at 192.168.1.1, the challenge you run into is, let's say you're on another network, your friend's network, but you want to VPN back to your pfSense system. Well, if they have a 1.1 network, which is the default for lots of consumer network products, like many of them, you will have trouble routing back to your house, or wherever your pfSense is installed, because, well, you have a problem with the routes matching on both sides, so it doesn't know: are you trying to go to a local address or that address? There are workarounds for that, but they're more of a headache if you don't have it set to a common address. So you set it to something like 192.168.55.1 with a subnet mask of /24; that's a less common one, so you're less likely to have to deal with any of those workarounds. So we'll leave it at 55.

Admin password: we're going to go real complicated here, because I've got to type this a few times. So there's my admin password, and we're going to click Reload. Now, while I'm clicking Reload, it's going to reset and configure it, but my computer was assigned a 192.168.1 address. So, simple solution here: I'm just going to unplug the EdgeSwitch here. That's going to drop the connection here, and the EdgeSwitch, because it's managed, doesn't need an IP address; I want the IP address of the EdgeSwitch to be in the same 55 range. So when I reset it, because it only takes a few minutes from that reload, depending on your computer, where it reconfigures the interfaces and reconfigures the DHCP server, now it's going to be in that 55 range. So this is going to get a 55-dot-something address and this will get a 55-dot-something address. So I'll see what address I get.
All right, my computer now has 192.168.55.11 as its IP address. So we'll go ahead and ping something. Okay, I can ping; well, that didn't respond. Let's find something that responds to a ping; resolved. There we go, google resolves and responds to pings, so I'm online. I have an IP address assigned to my computer. We can log in to pfSense here, so we're going to click Finish. And because I unplugged it and plugged it back in, when I click Finish it should redirect me, and if it doesn't, it's going to be, I'm impatient, so we'll just do it here. Oh, there we go. Now we're at 55.1. Accept the risk and continue, admin, and my rather short password, because I have to type it a lot. And we have pfSense loaded and configured.

So the first things to do here are really up to you. So from the security standpoint, this is the question that comes up all the time: all right, I loaded it, now what? Is it secure? What are those extra things I need to do? What are the defaults I need to change to make this box more secure? And the good news is, as long as you have a good password, the defaults on pfSense are quite secure. It does not open any ports to the internet. It does normally block the WAN, except for we unchecked those boxes. So the out-of-the-box config for pfSense is quite secure. If there was a more secure default, and this is my quote, I've heard them say more than once on the pfSense hangouts, if you watch their hangouts, I think I've heard them say, if there was a more secure default way to set it up, we would just make that the default way to set it up. So the good news is you're secure; you don't have any ports open out of the box. Now, it doesn't mean there aren't a million things you can do with pfSense to change it, modify it, and bend it to your will. This is one of the things I really love about pfSense: it's extremely flexible. So we're going to go ahead and close this.
I mean, this is just letting you know: Netgate pfSense community support resources, some support links, etc. And we'll close that, because we don't really need that information on here.

So we'll start with customizing the dashboard. I like to have the interfaces on the list here. What else do we like? We can put the gateway up here; we like to have those on the list. We can list our packages, I guess, so we can customize that. Service status is good too, so we'll throw the service status on here. If you're running OpenVPN, I do like the OpenVPN being on there. And where was the package one again? Installed Packages. And I'm gonna say the final one, the last one it will load on here, would probably be maybe the SMART status. So you've got Service Status, Gateways, Captive Portal if you're using that, CARP if you're using that, Load Balancer, Picture. Picture's kind of neat; you can put a picture on there. I've seen a few people do that; it's kind of nice. You can load a picture of, for example, what the network looks like when you're dealing with remote systems, so you have an idea. And we'll put the SMART one over here. It'll also do thermal status as well if you have those sensors in there. Now the SMART status is only going to be there if the system has the ability to see the SMART status on that particular drive. We're using a drive that does, so that works on there.

Now that's pretty good for the dashboard. It gives you plenty of information on here. You can see that this is an Intel Atom C2758 at 2.4 GHz. There's, you know, general statistics on here. One thing to note is make sure that you have plenty of room on here, so don't have too much space taken up on here.
So if you do run out of space on there, that can be a problem. This is one reason I have that video on building a custom one with a lot of space. But for the most part, not too much going on there in terms of space when you first start out; it comes down to if you start playing with and customizing the logs.

Now, under General Setup we have the DNS settings; we have, if we want to change that setting, I already set it to allow override or not. Yeah, that's something that is important, whether or not you want to change DNS on there. Time zone we've already set. So all these things are, like I said, already configured. You can customize the top navigation; we can switch this to a different color interface, or leave it. Right here, the login page, you can change if you want; they have different colors for, like, the login page color, things like that. You could disable dragging of it. There's not a lot I really change much in here. Show hostname in banner: there's a lot of little tweaking you can do. I don't do much in terms of that level of tweaking on there, but I do like, because screens are so much wider now, to change that particular one, Dashboard Columns. So we'll go ahead and hit Save and then jump back over to the dashboard here, and now we have three columns. Now, if you note, when I'm dragging things around here, they're pretty easy to drag; just go ahead and hit Save, though, when you're done, to save the positions that they're in. So if you want to move these around and rearrange it, as you get more information on there building your dashboard, having a three-column layout is a lot easier. And of course most screens are a lot wider now, so it's pretty straightforward to do.

System, Advanced. Now this is where I do make some changes. The default config for pfSense is to put one HTTPS port open on the LAN side; it is blocked on WAN, so the out-of-the-box config cannot be administered remotely. I'm not going to bother opening it up remotely.
It's not needed for this particular demo, but I do like to change the port it's on, and the reason for that is, if you're starting to run other services or other things you want to forward or open up the WAN in certain ways, having everything at the default port is, I'm not saying security through obscurity is a good thing, but, you know, having it on a different port, because most systems, if there's something on your LAN that is trying, it may frequently try that local port. Also, if you start running things like HAProxy, you run into the problems of, sometimes you're like, hey, it's forwarding to the web interface, not to the HAProxy that I set up on 443 that I wanted. Those are all issues you can run into, so I do recommend changing the TCP port, and we're just going to use 10443 out of habit. Like I said, it's not hard to figure out if something was scanning your network and find it; it's more about just not having it on a common port that will cause conflict with other things you may run, especially if you get something more advanced like an HAProxy setup.

As far as the rest of this goes, I think everything else in here is pretty straightforward. I don't see any reason to change this, except I do like to turn on SSH. I usually leave "password or public key" on, and then once I have my key installed, I'll change it to public key only. So that's reasonable to me to set that; everything else here as far as defaults works perfectly fine. It does have the ability, if you have a serial console, to redirect all the output if you were setting this up somewhere, so we'll mention that that's in there. And "password protect the console menu": I've seen people debate about this, whether or not it would enhance security.
Yes, it does, in the fact that if someone has physical access, they would have to put a password in to get to the console. But if someone has physical access, it's kind of game over anyways, because they can get to the machine physically. So it's not something I usually change; I leave it at the default, because, well, I figure if they've got physical access and they're logging directly into it, they can also just reboot with a boot disk, grab your XML file, and extract your passwords. So maybe if it's in an environment you don't think is secure, where someone may be walking up to it, you want to put a password on it, but that is definitely an option that you have.

Now, when you do this redirect, so we redirected it here, TCP port 10443, you'll see "one moment, redirecting to," and it's going to make those changes for me and forward me to the updated port, and we just have to remember to put :10443 each time we log in. So it's going to keep the IP address the same, 192.168.55.1; accept the risk and continue, but we've now added the :10443. Now, by adding SSH, we also got a notice over here for "sshd key gen" and "sshd startup". What that did was generate the keys for the SSH; it's just a notice that you get when you do turn it on, nothing to be concerned about. It's just letting you know that it's done and turned on, and SSH is also going to be opened up on the LAN side only. Even though we enabled it on the firewall, unless we create an explicit rule to do so, it's not going to open up.

Now, I know you see right here, DHCP6, and it says "pending," and I'm going to bring it up real quick. One, I just don't know a lot about DHCP6, IPv6 I should say, in general, so it's not something I really use. I know there are a lot of people with a lot of questions about it; I just don't really use it, so that I leave alone. So that's not going to be part of this review at all; I just don't have a use case for it that much. For the most part, everything that we run into generally works best over IPv4. So that's all we're going to cover in
this particular video. Now, firewall rules: there are no rules on the WAN, like I said; there are no floating rules; there are LAN rules, and this anti-lockout rule. You can disable this if you want to, but generally speaking the LAN is where you want the anti-lockout rule, and what this does is it prevents you from creating a rule that stops you from logging into the system, so you can't lock yourself out of it. So, like its namesake, it's an anti-lockout rule, because if you were to create a rule to block port 10443, well, that would be an issue you ran into.

Now one more thing I will change under Advanced over here is under Firewall & NAT. This is another customization that comes down to how you want to handle things: you can do this on a per-rule basis, or you can do it this way. I usually do it this way, but this can be done in each individual rule; this just basically sets the default. What you're doing is setting up NAT reflection, or sometimes people call it hairpinning. So let's say I open up a port, so I have a port open on my WAN that opens up something; let's just, for example, use a camera system. And I want that same IP address, which would be my public IP address, to work inside the network and outside the network for convenience, for example when you're on your phone; that way, when you connect to the LAN, you don't have to change where it connects to.
This is basically creating a hairpin. So when NAT reflection's turned on, like I said, I recommend very early in the beginning, before you start turning these on, just make that the default. It goes out to the WAN address and it loops it back and says, oh, I saw you ask for the WAN address on this port, but we know that's internal, and it hairpins it back to being local. So when you're on the LAN side, or any of the internal networks, it brings that back around. So that's something I like to turn on, and it also will save you a lot of time troubleshooting when you're doing some opening of ports and things like that. So we'll just go ahead and hit save, and away we go.

And of minor note, I did leave it on, but the WebGUI redirect, you may want to turn that off. Once again, if you're using it, it does still listen on port 80 to redirect you. So we'll go ahead and just disable it and say we'll turn that off. And all that's doing is redirecting 80 to 10443. Once again, if you're running something like a proxy or some other things on here, you're like, hey, I told it to hit the firewall.
It did, and it keeps redirecting me over here. Yeah, that's because you have that turned on. So that completely gets things off, and so you'll just have to manually remember to type in 192.168.55.1:10443 every time you want to log into the admin interface. It won't, you know, do those niceties of just redirecting you.

Now as far as everything else in here: Package Manager, Routing, Setup Wizard (you can rerun the setup wizard), Update (pretty straightforward to use update), and User Manager. Another thing of security in here now: for the most part there's not a lot you need to do with any of these; each one of these is for a more advanced use case. But User Manager is another one that I'm going to say, out of the box, default, getting started, yeah, you might want to create something other than admin. So if you create another one, and we'll just create a user tom, and then we create a password for tom, then we'll make tom an admin, we'll say his full name is Thomas, and we can even paste the SSH keys in here, and we can click save, and we can log out, log back in, System, User Manager again, edit the admin user, "cannot login". Now it's still a level of security by obscurity, but by disabling the admin account someone can't just guess through admin passwords if they're on the local network. They first have to know what username you're using. So it's one more layer, and, you know, at least I've disabled the default admin on there and have it set up so I have another admin user. So just one more little thing that I usually do, but not really necessary; I kind of leave that up to you.

Now let's get to the networking part of this and setting up interfaces. So, Assignments. We have a lot of interfaces on here because we have the four-port Intel card and this has a built-in Intel card. So all together it starts at zero, so that ends at seven, giving us eight interfaces on there. And igb0, igb1, igb2, igb3 are all on that Intel add-in card that they have on there, and then we have the other ones. If we wanted to add more interfaces we can just do those real quick, so hey, why not. Now adding all these interfaces does not actually activate them at all; we have to do something to activate them, and these are all physical interfaces, not VLANs. So we click on here to the interface, like OPT1. It's not enabled. So if we wanted to enable it, all right, and we'll call this "some other network", and static.

Now this sometimes gets a little bit confusing, because people say, hey, how do we set up a second WAN, and how does pfSense determine WAN from LAN? Well, pfSense, based on the old-school m0n0wall, and go back to even old-school how things used to work: you never really thought about LAN and WAN, everything was just an interface assignment. That interface, whether or not it had a gateway that it would get out on, determined whether or not it was a destination essentially, or a LAN where it would then share out the information to become a gateway itself, or it had an upstream gateway, and that upstream gateway makes it a WAN interface. So actually let's just name this one WAN2 and talk about what I mean here. So if this were to be a LAN interface I would stop here and just assign an interface, but when it has an upstream gateway we can add a gateway. So just for the sake of doing the demo here, let's type in, let's say this is going to be 10.1.1.15. We're going to add a new gateway for this one and we'll call it WAN2. It's not going to be our default gateway.
Let's pretend this is our backup interface. Gateway IP address 10.1.1.1, add, and, uh, whatever the netmask is given to you by whoever gave you this gateway, and away we go. So hit save, and technically if I was doing this in my lab I make sure these are unchecked, the reserved networks options. Whoop, I gave it the wrong name: you have to make sure it's called WAN2, "an interface with this name exists". So we give that the name WAN2, save, apply. So now this particular interface is now called WAN2. It's applying the changes right now. We know it's igb2, so it's technically the third port over, because they started at zero, and that would be my failover one. Now this became a WAN2 because it has an upstream gateway; so that's how it knows to be on that side of the network.

So let's go ahead and create another interface. We can make that one another LAN interface. So let's look at the interface assignments again. What do we have here? Let's go with the next one over, because this one's WAN2. So we'll take igb3 and, uh, we'll call it "another LAN". So we have this one as another LAN. Now the difference here is we're going to go ahead and go static IPv4. And by the way, on the WAN2 I could have said it's DHCP as well, and that would grab a gateway, grab everything else, and by setting a port to DHCP you're kind of implying that yes, I want a gateway, I want all the settings to come from DHCP, which means it's also not going to be a LAN. But this one will be. So this one will be another LAN and we'll give this a different IP range, so 192.168.200.1; that's going to be the IPv4 static IP of this. We'll make it a /24. So this is our "another LAN" that we're creating. No preference on duplex, and, uh, actually, "for guests", there we go, "another LAN for guests". This will be a dedicated interface for a guest network. Save, apply. And now we have the "another LAN for guests" interface, but now what's the next step?
So the next step is creating firewall rules. So we go over here, "another LAN for guests", all right, pass, "another LAN for guests", IPv4, protocol. This defaults to TCP, which means, for example, lots of these other things, including DNS, which runs over UDP, and ping, ICMP, down in here in the list, right there, these won't work if you set it to TCP only, which is the default. And I've seen a lot of people create these rules on these networks, and they create a rule and they say, hey, it won't work, it won't ping things for example, but it seems to have some things working. Yes, anything TCP works; anything not TCP won't work. So we're going to change this protocol to any. So we have action pass, and what we're doing is creating a rule to pass the traffic on this one, "another LAN for guests". The description is going to be "Allow All", oops, and why do I have "allow" in all caps? Don't need the caps on. These are just really handy descriptive rules. We don't really need to get into Advanced, but any rule comes with really advanced options if you want to play with them. That goes beyond the scope of this particular tutorial.

Now both this one and this one work fine; matter of fact, let's plug into it and confirm it's working. But before we do that we need to have an IP address set up on it. So we're going to go to Services, and we need to go to DHCP Server. For every interface you create, whether it's a VLAN or a physical interface you're attaching it to, it does create a list here in the DHCP server. So that's great. We do have to define a range though. So we'll say 100 to 200. Now you can add a whole series of pools; there's way advanced things you can do with DNS. For the most part you usually just set one long range of pool, maybe some static on there. But now we have essentially this "another LAN for guests". There's a space in front; please note when you copy and paste sometimes you copy a space, and if you do that, there we go, it'll tell you the IP range is invalid.
So go ahead and save. All right, so now in terms of interfaces, we've got this and we've got this one here. So we can now go and unplug this, which is my computer, and we're going to plug it into that other port right here. Give my computer a second to get an IP address. No, there we go, already has it. So 192.168.200.100. So let's go ahead and log back in. Now a couple different ways we can log in, so we'll go ahead in here and we're still logged in at 55.1. But also, just so you know, 200.1:10443 also lets us log in. Now we call this guest network, and probably you don't want your guests logging in. So let's talk about creating rules now that stop that from happening. So we're going to go over here to our rules, "another LAN for guests".

Now there's a few different ways to do this, and the first thing you want to do is recognize that rules are top down. I have a specific video about getting started with rules where I dive a little more in depth into it, but the rules are top down on a per-interface basis. So the first rule it matches is going to be what it matches on, and then it doesn't go any further. So we can put a block rule to our 10443: 10443, source any, protocol TCP, and we're going to say actually the destination, it's going to be the firewall itself. You cannot talk to this firewall on 10443 from that network. That's an important thing that you want to make sure is in there; if not, anyone on guests can try to get to the interface. Now granted you have a good password on there, I'm assuming, so it's not the biggest security risk, but it's not the best. The other problem people have is they assume the guest network should have no access to the firewall, so they block everything to the firewall. Well, that's a problem, because you have DHCP on the firewall, you have DNS on the firewall, and if those are providing those things, well now, how are you going to get out to the internet? They need to at least talk to the firewall, but they don't need to talk to this specific port. So we'll go ahead and say this is "Block Web Interface". All right, so now we have the web interface blocked, and when that rule is applied, all right, it is unable, so 192.168.200.1:10443 times out.

So we're going to plug my computer back in over here to the regular LAN so we can keep administering it and show you how to further lock down that guest network. Because even though it can't get to 192.168.200.1:10443, because we put a block in there, it can get over to our primary LAN. So if it can get there then it can go into and get to 192.168.55.1:10443, and we want to make sure we stop that. All right, back on the 55 network, Firewall, Rules, and, oops, I'm sorry, "another LAN for guests". So this firewall block port 10443, "Block Web Interface". Now let's say we wanted to block things going to LAN, which is our next goal. So we have this, a lot of traffic; there's a couple different ways to do this, and there's not necessarily one way that is absolutely right, and sometimes there's a lot of customization you need to do where you want it to be able to access some networks and not others. So you can create an alias, for example, say alias, and we can say like an IP range, and we'll add, or we'll enable this one, "My Private Networks", because maybe you want to separate things in a couple different networks and you want a list of private networks, and that private networks is going to be 192.168.55.0/24. Actually, we want to list it as a network.
There we go, .0, and we'll call this one LAN, and maybe we have more than one of these, which is why you want to do it as an alias. Now the advantage of an alias: if we had created more than one, so maybe there was a 15 network, and the same thing, we'll do this, "My other LAN", you can then list out all the networks and then have this block in there. So once we'll just hit save, and show you how an alias works, apply, Firewall, Rules, "another LAN", and we need another block rule. So we can say block, and then we can go here, block all protocols (any), not just TCP. Where's the destination? Single host or alias, and, uh, "My Private Networks". Save, apply. So if it tries to go to my private networks right here, and each time I add another private network I add it to the list, this is not allowed to have that as a destination. So it's not allowed to have the destination firewall, and it's not allowed to have the destination these networks on here. So now all that's needed is to update the alias, and by updating the alias, if I have this rule repeated in different places, it'll work.

Another way to do this is go ahead and edit this rule here, and you can just say invert match, and go right here and say invert match, LAN net, save. And now we can say the destination, as long as the destination, exclamation point means not, is not the LAN, that we can go. But I only specified one network, so then I could specify "My Private Networks" also as an option, as an alias, and say destination not that. So there's a couple different ways you can do it: in a single rule, separate rules. "Allow traffic except" is how I would probably relabel this rule. So I would say like, you know, and we'll actually change it to an alias in case we had more than one, so "My Private Networks": "Allow traffic except for my private networks". Save, apply. And actually we're going to go ahead and delete this rule; we don't need rules to be there twice. So: block the web interface, allow traffic except for my private networks.
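The guest-interface ruleset built above, as an added example that is not part of the video or of pfSense itself: a small Python model of how pfSense evaluates per-interface rules top down, first match wins, with the implicit default deny underneath. It encodes the two rules from the walkthrough (block TCP to the firewall itself on 10443, pass anything whose destination is not the "My Private Networks" alias) and replays constructed sample traffic through them, next to the two mistakes called out above: a pass rule left on the default TCP-only protocol, and a blanket block of the firewall that also kills DHCP and DNS. It also shows that adding a network to the alias is all it takes to isolate it from guests. The alias name, addresses and sample packets are constructed for the example; the rule semantics follow the pfSense GUI fields the video uses.

```python
"""Model of pfSense per-interface rule evaluation (added example, not pfSense code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses the firewall itself holds: pfSense's "This Firewall (self)" destination.
FIREWALL_SELF = {ip_address("192.168.55.1"), ip_address("192.168.200.1")}

# Aliases: name -> list of networks. Every rule referencing the alias sees updates.
ALIASES = {"My_Private_Networks": [ip_network("192.168.55.0/24")]}


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"           # "any", "tcp", "udp", "icmp" (GUI default is "tcp")
    dst: str = "any"             # "any", "(self)", an alias name, or a CIDR
    dport: Optional[int] = None  # destination port, None = any
    invert_dst: bool = False     # the "invert match" checkbox on destination
    descr: str = ""


@dataclass
class Packet:
    proto: str
    dst: str
    dport: Optional[int] = None


def dst_matches(rule: Rule, pkt: Packet) -> bool:
    addr = ip_address(pkt.dst)
    if rule.dst == "any":
        hit = True
    elif rule.dst == "(self)":
        hit = addr in FIREWALL_SELF
    elif rule.dst in ALIASES:
        hit = any(addr in net for net in ALIASES[rule.dst])
    else:
        hit = addr in ip_network(rule.dst)
    return (not hit) if rule.invert_dst else hit


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return dst_matches(rule, pkt)


def evaluate(rules, pkt: Packet):
    """Top down, first match wins; no match falls to the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "default deny"


# The guest ruleset as built in the walkthrough.
GUEST_RULES = [
    Rule("block", "tcp", "(self)", 10443, descr="Block Web Interface"),
    Rule("pass", "any", "My_Private_Networks", invert_dst=True,
         descr="Allow traffic except for my private networks"),
]

# Mistake 1: pass rule left on the GUI default protocol, TCP only.
TCP_ONLY_RULES = [Rule("pass", "tcp", "any", descr="Allow All (tcp only)")]

# Mistake 2: blocking everything to the firewall, which also blocks DHCP and DNS.
BLOCK_FIREWALL_RULES = [
    Rule("block", "any", "(self)", descr="Block firewall"),
    Rule("pass", "any", "any", descr="Allow All"),
]

# Constructed sample traffic from a guest client on 192.168.200.0/24.
TRAFFIC = {
    "dns_to_firewall": Packet("udp", "192.168.200.1", 53),
    "webgui_local":    Packet("tcp", "192.168.200.1", 10443),
    "webgui_via_lan":  Packet("tcp", "192.168.55.1", 10443),
    "ping_edgerouter": Packet("icmp", "192.168.55.10"),
    "https_internet":  Packet("tcp", "8.8.8.8", 443),
    "ping_internet":   Packet("icmp", "8.8.8.8"),
}


def decisions(rules) -> dict:
    """Verdict for every sample packet under the given ruleset."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in TRAFFIC.items()}


def add_private_network(cidr: str) -> None:
    """Add a network to the alias; the guest pass rule now excludes it too."""
    ALIASES["My_Private_Networks"].append(ip_network(cidr))


if __name__ == "__main__":
    for label, rules in (("guest", GUEST_RULES), ("tcp-only", TCP_ONLY_RULES),
                         ("block-firewall", BLOCK_FIREWALL_RULES)):
        print(label, decisions(rules))
    add_private_network("192.168.69.0/24")
    print("guest -> 192.168.69.50 after alias update:",
          evaluate(GUEST_RULES, Packet("icmp", "192.168.69.50")))
```

Note that the guest ruleset leaves DNS and DHCP to the firewall open while blocking 10443 on both the local and the LAN-side address, and that traffic to the private alias is dropped by the default deny rather than by an explicit block, exactly as the single invert-match rule does in the GUI.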
So all right, that's been applied, and hey, why not, let's go ahead and try this real quick, and we're going to pick something we can ping. So go over here to Services, DHCP Server. Uh, we'll go here and we can see what things we have. So here's my laptop at 55.211, and we have 55.10, which is, I think this is probably, it's over here, cool, we can see it: this is the EdgeRouter. I'm able to ping it right now. So from the 55 network I can easily ping this, and I shouldn't be able to ping it from that 200 network. So we're just going to move my computer back over real quick. Okay, it's on the 200 network now. Let's ping Google again. Google's responding, awesome, so I'm online. But what about when I try to ping 55.10? Nope. I have now blocked the LAN network from this particular network interface. So my guests can get online, but they can't see what's on my LAN, or whatever you put on there. Maybe you have your camera system on that separate one, and now you've stopped anything from coming over there.

So now I'm going to go ahead and switch it back and put it back in the normal network, and we'll kind of walk through the same scenario, but we're going to do it with a VLAN this time. So the concept's almost identical: the firewall rules, DHCP servers can be the same, but there's a little bit of difference in how we assign the interfaces, and I want to make sure that's clear, because, well, VLANs are extremely convenient, especially when you have larger networks and you don't have the luxury of running one individual cable to each segment of the network, to each individual switch, and VLANs obviously create a lot of easy ways to segment things. So even though they share the bandwidth, um, there's a lot of good reasons to use a VLAN to create separate networks, um, and it makes it easy, especially when you just need to pivot back and forth between them.

All right, so creating a VLAN: Interfaces, Assignments, and we have to know which interface we're attaching this VLAN to, and we're going to be connecting it to the LAN, which means that's the shared physical interface that the VLAN will be on. And we're going to go over here and we'll define a VLAN, VLAN tag 69, "the 69 network", and right here we assign it. And don't worry about the priority; it's up to you, it's advanced and goes out of scope of this. If you are using traffic shaping you can set priorities, and that can be at the switch level, where it prioritizes certain traffic over other traffic. Now this is a problem you're going to have, and if you say, hey, I've been trying this and it's not working, I'm running this virtually: if you virtualize pfSense, if you load it into some other hypervisor, on a per-hypervisor basis you may handle VLANs differently, because, well, it's not that there's issues with it, but it is one of the nuances of having that level of support on the drivers for the hypervisor. This is one of the challenges when you have it virtualized. When you're running on physical hardware, though, pretty straightforward and easy: you just assign this. The exceptions are if you're running a Netgate 7100 or Netgate 1100; look up the videos I have on those, there's a couple extra steps to tag the VLANs in there. Not an issue on the other devices or in this self-built situation with this Intel card; the VLANs just work by assigning them to an interface. So we have igb1, VLAN tag 69, and we call it "the 69 network". Now when we go to interface assignments, here's that other assignment, so we're going to go ahead and assign it, and like I said, it works just like a normal interface. We'll give it a name, VLAN69, static, 69.1, make it a /24. Now this is up to you; you could make it bigger than the /24, but that's pretty much, you know, the way to do it there if you want. If you wanted it to be a /22 or a bigger range, whichever, is up to you. And I typed in 61, so let me get that typo fixed. Save, apply. Firewall, Rules: there's no rules by default. So we'll go here and say any. Now here comes the next question.
Is this another secure network? Do we want to do an invert match and say that same thing, single host or network, of My Private Networks, or is, uh, 69 your private network, and you want to keep that in your private network list? So instead we're going to say any, any; we'll make that assumption on this particular network. But we could have done it either way on this. So we won't say invert match, because that would make a mess; we'll just say allow all, hit apply. And now this network's in there, but this network's not set to private, which means the guests can get to it. So we don't want the guests on 69. So we're going to go over here and say Firewall, Aliases, we'll edit this alias, and we'll, um, yeah, network, it's a .0 on this part here, /24, save, apply. And now when we go back over to the rules, the guest network now has both applied to it. Now this is one of the reasons it's nice to use an alias: so when you know you're building out private networks, and then you've built out different guest or security networks and you don't want them to have access to something, easy enough that when you have the alias it applies everywhere universally. So I make one change to the alias and universally it goes everywhere else.

And also, if you wanted to take this network, now we allow this over here, we have this right here; if we wanted to say, but we don't want the 69 network to be able to get to the web interface, you'd have to actually do a couple blocks, as one, it could still get to the 55 interface and get to it. But in terms of duplicating it, that's what the copy's for, and we can just copy it to another network like this and hit apply, and now that rule will copy over to the other side. So, um, you do have to redo the block rule for each network you don't want to have access. Now what we didn't do yet, though, was set up a DHCP server. Once again, don't forget that part: range, we'll say 100, make sure you don't have a space in it this time, 100 to 200, save, and now that is ready to go. And now I can plug anything I want into that one there, but obviously I need to define this in my switch now.

I'm not going to spend a lot of time on this, but the EdgeSwitch 10X: let's talk about how it's plugged in real quick. We have this port coming from the LAN, and it goes into port one on the EdgeSwitch 10X, and then we have port two right now plugged in and going to my laptop. And this is going to vary a lot based on the interface for whatever managed switch you're using when you're defining VLANs. One of the reasons we like the UniFi platform so much, the UniFi one specifically, that line has got some of the easiest VLAN setups. I have videos on that particular topic, so really easy to define VLANs inside of that. When you're defining them in other switches, this is where people get stuck, because they have similar but not always the same methodology to do this, and it varies from Cisco, it varies from MikroTik, it varies from Edge. The concept's the same, the protocol is standard, but the web interface is up to the UI designers. So I'm going to show you, and I have a review on the EdgeSwitch, but this is the EdgeSwitch: to set up a new VLAN ID, tagged 69, right here. So we have this set to be the trunk port, port one. Then we have this to allow all untagged traffic to come in. Then we say grab the tagged traffic on here and forward it over to here as untagged. And then we want port five excluded; that way port five doesn't ever give me the LAN, it only gives me the VLAN 69 traffic.
So it's excluded from the default tag of VLAN 1. So natively VLAN 1 means untagged, or basically all the traffic comes on VLAN 1 by default on pretty much everything, including the way pfSense puts things out, and then we peel out the one, pick your VLAN. So I have a separate review of this that you can find on my channel where I talk a little bit more in depth about that, but for this particular switch that's how we define it, and that's how we define port five. So let's see if we have this VLAN 69 working, and if I did it correctly I should be able to take and move this network cable from here over to port five, and now I should get that other address and it should work, tagged with the VLAN. So let's see which IP address my computer gets. All right, 192.168.69.100. Let's go ahead and ping something like, uh, Google. And hey, look, we're online; it's up and running and working. And because we didn't block anything I can still get to the web interface on that particular one, or I could, you know, copy the block rules and make this a private network. So you get the idea to pass those up. So this should give you a good concept on how to get all of those things up and running.

So let's talk about the plugins, or packages, that come with pfSense. Now these are directly pulled from the pfSense repository; they're official and vetted by pfSense, by the Netgate team. And I already shut this down; I didn't want to do it on this because, like, setting all the plugins up, I was going to go over to our production machine and show you what we have installed. Now these are not the same plugins we install for every client, but there are clients that we use that have all of these needs. We decide which packages are installed based on the use case and based on what the needs are. So I'm going to walk through, because our system pretty much has all the ones we use commonly when there's large projects all set up here. So I have separate videos that will break down in detail any one of these in the configuration guides, and I'll be leaving that in a playlist down below.

So we'll start at the top here: the Automated Certificate Management Environment, ACME, for automated use of Let's Encrypt certificates, is wonderful, combined with, and I'll just put them together, HAProxy, which you'll see down in here. Those two work wonderful together. I've got two separate videos on that, one for using wildcards, one for just setting up and configuring it, but if you want an automated way to handle certificates and to have reverse proxies and everything else, that is just a great plugin for that. And that's not something every client needs, so it's not like we automatically load that; it's just kind of on an as-needed basis.

arpwatch, once again, not something a general small office would use, but if you have for example a separate network where you have certain servers and you want to keep an eye if anything pops up on that network that wasn't supposed to be there, arpwatch is the tool to do that. It looks at the network, and if a new MAC address shows up on that network and it shows up in the ARP table: hey, look what I found, and this was unexpected because there was a change. It'll also let you know if someone tried to spoof a MAC address, because same thing: if something changes and the ARP table changes on any particular segment of the network, it lets you know. Don't do this on your main LAN if you have things coming and going, or you'll just get bombarded with notices and it becomes, well, ineffective at that point. But on a network that essentially is not very dynamic, and things are statically set, and you have this group of servers that run in there, well, arpwatch is great for watching that. The AWS wizard is something that comes default with the pfSense installs when you buy the Netgate hardware; just not something I really use. Darkstat.
I've never done a full video on it, but Darkstat is definitely pretty cool for just getting some general statistics on things. FreeRADIUS 3: now once again, comes down to use case. Where do you want your RADIUS server to live for authentication? So if you're going to use RADIUS authentication, you can use this in Windows, you can then tie it to Active Directory, or you can run a standalone FreeRADIUS server right on your pfSense. Why would you do that? Well, I have a video talking about how to use FreeRADIUS for authentication on your network, and specifically with OpenVPN. So those two things work together really well. And so if the client doesn't need just a standard OpenVPN install, or is going to use the pfSense for all the authentication, or it's going to use the pfSense for authentication and needs something more advanced, like FreeRADIUS, that's there. When they don't use FreeRADIUS, because it's not necessary for OpenVPN, you use the standard User Manager. You can create users that don't have admin privileges, that really don't have any privileges; you're just using them to authenticate. So don't use the admin user for pfSense as your user; create like another user, like, hey, yourusername_vpn, or whatever nomenclature, or whatever methodology I should say, you want to use for naming that, whatever methodology works for you. That works, but FreeRADIUS is a completely separate database that can be maintained, and then you can point OpenVPN at it, and I have a separate video on that process.

iftop: I don't use this very often. It's kind of a novel thing that you can use on the command line, showing bandwidth per IP address. I think I may or may not have done a video on it at some point, but it's just novel to have installed there. Same with iperf. iperf is benchmarking, and you can have this, and it comes up on a web interface, so you can, you know, do speed testing. Now that's not doing speed testing through the firewall; it's speed testing, you know, from port to port, and, uh, man, that still comes in pretty handy to do sometimes. So hey, why not; it doesn't really take up much space, it's easy to load. IPsec profile wizard: this is something else Netgate installs. It's not something I really use; I just didn't remove it. Same thing with the Netgate Coreboot upgrade. This is for updating Coreboot on Netgate devices, and something else that, if you have a Netgate device, it's going to come loaded by default.

nmap: I like that nmap is in here, because, well, I can pivot into a network and get something set up and run nmap, or having nmap right on the pfSense system is handy because then I can take and scan a specific segment of the network with some nmap, go through, find or discover things. With pfSense, and pfSense of course usually sits at the intersection of all the different networks, so being on one box, so essentially the pfSense box, or at the head end, and then pivot through everything to create nmap scans; so having that built in, um, yeah, that's easy. OpenVPN Client Export: hands down one of the, if they're running a VPN, you always run this. When you look at my OpenVPN videos, to understand this, this package is the executable with the certificates and the settings in it for OpenVPN. So when you set up OpenVPN, you want one single executable install with everything rolled into it. That is the tool that does that for you. So if you've watched my videos, and I've had a few people skip over that part, like, I can't find that export; it's not built in. I almost think this should be a built-in one, because if you're loading, if you're going to do anything with OpenVPN, use this; it makes life a lot easier. If not, you have to manually set up everything, which was tedious when you want to manually create an export file, but this creates it all for you. So that's, uh, one of my favorite features, because of the way it does the packaging for OpenVPN. pfBlockerNG-devel: "devel" is important, which means development version.
I've done videos on pfBlockerNG. This one's great; I definitely like that quite a bit as far as, you know, being able to manage things for blocking and DNS. I've got a couple of videos on that; watch the most recent one, because the most recent one covers the devel version versus the non-development version. Status Traffic Totals: it gives you a traffic totals page on the Status menu, gives a total amount of traffic passed in and out over a period of time, hours, days and months; uses vnstat for collection. And Suricata: I just did a video on Suricata, and Suricata is extensive, great for security, also very extensive in the setup and tuning. That being said, it's still not something we load for every client, because it provides very limited protection if you're not opening any ports; it mostly provides lots of false positives on general, generic networks, and does require a bit of tuning. So it's not like an automatic, because it's, you know, it's an upsell, so to speak, to have us set up and tune that, and it means constant tuning. So, um, it's not for everyone; that would be the best way to describe Suricata, and it kind of depends on the use case on there. Especially home users who want to use it generally find themselves, if they have no ports open, um, just with a ton of false positives. But watch my video on Suricata to talk about some of the details on that.

The Zabbix agent: well, that's only if we're going to monitor it in Zabbix, and if we're going to actively watch what this pfSense does, you know, watch for uptime, Zabbix is a great way to do this. There is a Nagios plugin in there as well if you're a Nagios fan. I don't use Nagios; I don't have an interest in it. People ask me to review it. I like Zabbix, the competing product to Nagios, and, if it ain't broke, don't fix it; don't have the time to learn it. But it does support both for monitoring on there. Now in terms of the entire list of every available package, that's all listed right here.
There's plenty of them in the list, you know, if you have some other specific thing you want to do. And I know someone's going to ask about Squid and SquidGuard. I have a video on that, of why I don't like Squid. It just becomes a headache trying to install certificates on there. So don't expect me to run a video or create a video on that topic other than my rant about Squid; not a big fan of it. Um, this is also interesting, and I don't use this, but I know there's some use cases people have: the Telegraf plugin. It is an agent written in Go for collecting, processing, aggregating and writing metrics, package dependencies, etc. I've seen a few people talk about this. It's not something I actively do right now, exporting things with Telegraf over to another server for, you know, getting data pushed over if you want to do some external analytics on there. So that's kind of neat that they have it. It's not something, maybe at some future point I'll take a look at it. And if you want the UPS system, for example, to shut down the pfSense when there's a power outage, that is built in as well. So you can, for controlling all APC UPS models, and I think there's that one, I believe there's one more plugin that does the same thing called Network UPS Tools, or NUT, and it provides monitoring for uninterruptible power supplies and shuts them down. So that kind of covers it for the plugins. But now where do the plugins show up? That's a little bit more complicated, because the answer is really everywhere. So if you install a plugin that shows up as a service, like ACME certificates or HAProxy or FreeRADIUS.
Yeah, those are all places those will show up; there's the Zabbix agent there. In the case of Traffic Totals, and we can go over here to Traffic Totals, that shows up right here. So when you're breaking down some of the graphs and things like that, which by the way, it is normal for this to pause before it loads any of the information in there. That is something that definitely happens when you're doing the traffic graphs. So, all right, and it does, as I said, take a second to load, and here's why: when it renders the page, whatever they're using, how they render it, it's a lot of data on there. So when you look at the memory footprint of this particular page, you can see it's one of the biggest ones here in my task manager inside of Google Chrome. So it does take a little while to render this and get all the data, but it does break down these kind of cool-looking graphs of, you know, the data we're using on each one. It's kind of nice. I like this plugin, and/or package; it works pretty well. Now from here I want to go through all the menus. So I've covered, you know, getting set up, the packages we use, kind of all the other process. Now I just kind of want to do a general overview of all the features. So I just want to make sure this next part is kind of like, just that I'm going to talk through everything but not dive into detail on any of them, just because of brevity and, well, how far we are in this video so far. And I don't use all these features, but at least I'll show you that they exist, kind of give you a broad sweep of all the different things in pfSense. Even though I don't use them, these are kind of neat to have, and one of the first things I'm going to talk about is going to be BGP. Now I bring this up because this is a real enterprise-level feature.
There are people who frequently have set these up in data centers at that edge level and have large blocks of IP addresses they're going to handle with BGP. So there are a couple different tools in terms of ways you can do this. This goes well beyond the scope of the video, because I am not a BGP expert. That is not... it's not something I do very often. Frequently I go through the basics, and usually if I'm talking to a data center we'll basically load the plugin and get it set up, follow the data center people of, hey, here's the announcements, here's the route announcement that you need to match in here, and go through it. I've been thinking about setting up something in the lab to really demonstrate how that works. It's a little bit complicated, because BGP itself is not a simple task, but it's also not something even most business users run into. It more goes into if people have large blocks of IPs. But I do want to bring up the fact that yes, pfSense can handle it, and Netgate has an entire BGP video in terms of, you know, talking about and walking you through step by step the BGP features on there. Now going back over to, I mean, you could look at the System menu here. Like I said, core, boot, upgrade, there's not much to cover in this, but we'll walk through some of the other menus and things that are on here. And once again, things not often used but that are available in here are things like the interface groups. So if you need to create a group of interfaces to apply rules or features to, that's an ability. Wireless: I have a dedicated video for this, but once again something I rarely use. I did the video for fun. It'll be cool if there's some future where they have some better wireless cards supported in there, but for the most part, when you're doing especially business Wi-Fi, there's better solutions than popping a card in a single router anyways. Usually you need something larger, more scalable.
We covered VLANs, but we didn't cover QinQ. Those are QinQs, and it's specific to the IEEE 802.1ad standard, so it is a networking standard, informally known as QinQ, as an amendment to the IEEE; it was incorporated on the base of that. So this technique is also provider bridging or stacked VLANs. So if you have one of those unusual, unique use cases where you need to use stacked VLANs, for example, that's actually something supported in here. It's not something I've used or have a video on. PPPs, or point-to-point protocol interface types for 3G/4G modems, that is something built in as well. It's not something I've done a video on either. They've got some documentation here. It's not something we use very often. Generally speaking, if we're going to have a failover device that's 4G, it usually provides its own IP address, so we just plug it into the secondary WAN port and set it up as a failover. So, um, I have a video on doing failover. So it depends on how the device is, but yeah, it does have support for certain devices on there. Setting up GRE interfaces, once again a feature I don't use very often. It's an edge use case, but that's built in there as well. And if you're not familiar with GRE, it's Generic Routing Encapsulation, and then the other one next to it, the generic tunnel interface. Uh, those are both supported here. So it's very similar to GRE; both protocols are means to tunnel traffic between hosts without encryption. So GRE works at a different... it works at the layer so it can encapsulate all the traffic going across, and that's something you can, you know, do on pfSense.
Well, like I said, this is one of the amazing things: they've got so much built in over time that it's been, you know, put into pfSense, that for any type of weird use case there's usually a pfSense solution that can handle that type of thing. Bridging: I've done a video on setting up bridges. Now bridges are particularly cool because when you take a bridge and set this up, and I've done a video on how to do a transparent bridge with Suricata for filtering, which is really neat, it basically creates a very customizable switch that you can do all kinds of fun stuff with and really fine-tune it. So it's neat that it does this. You can set priorities, and it sees all the networks. You can set RSTP or STP, dive through all the protocols, um, set the private ports, set port mirroring. It's a really neat way to bridge interfaces together for special use cases, or in the demo video I do have on this, setting up transparent bridging so you can essentially passively watch traffic with something like Suricata and apply rules to it. Now I covered NAT rules and aliases, but there are virtual IPs and the traffic shaper. Those are going to be used for a couple things. So virtual IPs, really briefly: I've covered those when I've done the HA video, so this does have full HA ability, and I have videos on how to set up high availability on here, and you're going to build virtual IPs. Virtual IPs are also used for assigning a block of IPs to a WAN address, for example. So you'll have your primary IP set up, the gateway, and then you can attach virtual IPs. You can do it on the LAN side.
You can do it on the WAN side. There's a couple different options when you do these, whether they're a virtual IP for HA, a virtual IP shared between more than one device, or just assigning multiple blocks of IPs to a single interface, whether it be LAN or WAN. Those are all options you can do in virtual IPs. And then the traffic shaper, which I have pulled up here. Now the traffic shaper I've never done a deep dive into. There's a video by Mark, and it's called "The Comprehensive Guide to pfSense Traffic Shaper." The visuals in here I think are really, really relevant, even though it's on an older version of pfSense. What really will stick out if you watch this video is you'll gain a better understanding, because he does a great job of explaining how traffic shaping works, and that's what I think is a key takeaway from this video. Matter of fact, I think the video is more about traffic shaping in general, and it doesn't matter about pfSense; the first half of this hour-long video breaks down all the details on traffic shaping. Matter of fact, more than half of it does. So this is a great way to learn traffic shaping before it even gets to pfSense. For the most part, in pfSense the wizard works fine, and that is still the video, because I don't think I can do one better. That's the video I frequently refer people to when they say, "I want to understand traffic shaping better." I'm like, Mark, I don't know if he produces videos anymore, but this particular one was really good, and I'll leave a link to it below. But it's, obviously, it's on YouTube; it's called "Comprehensive Guide to pfSense 2.3 Part 9: Traffic Shaper," and all the animations and everything are great to explain it. So that first will give you a good understanding of, one, the complexities of traffic shaping; two, why you should probably just run the wizards, and the wizards work really good. The other thing I do have a video on is how to set up CoDel queue limiters, and I've got a specific video on this. So does the, uh, Netgate; they have a hangouts
video where they talk about it more in depth. That can be a good way to tune it. It can be a little tricky to tune them. That's one of the reasons they have the wizards in pfSense to run and do this, because traffic shaping is a complex topic, and I think Mark did a great job on that, so I'll leave that there. Now one last thing in Firewall is scheduling. If you have a use case for this... I don't, but I've had people say, hey, I do this so my kids go to bed at night. I have the firewall set to block their computers; I have rules that are tied to a specific schedule. That's a really cool thing. I really do like that a lot, the fact that there's a scheduler in there. It's just not something I use very often, but it's novel, as you can see. I'm not really going through and using it, but hey, it's pretty cool if you have that kind of use case. Now going down the list here, I've had a few people ask me to do a more detailed video on, like, the DHCP server. There's really, to me, it seems so self-explanatory on DHCP. You set it up just like I showed earlier in the video. But I do like when you go to the log settings in there, you can just click the plus and add a static mapping. But of note, and I'm not going to go any further than this on it, but I will mention that with that setup, you do want to make sure that you don't try to map things in the middle of the pool. That is kind of an annoyance, that you can't exactly map something. So if the pool goes from 100 to 200, for example, you can't map something statically at 150. You can map it from 99 below, or above that 200, so 201 on up, in an IP range. I bring that up because there is kind of a workaround for it. The DHCP server does support multiple pools, and we've had to do this because we had someone who had, you know, we did a rip-and-replace of their firewall and we put a pfSense in. They had static mappings in the middle of the pool.
The workaround is you can create multiple DHCP pools. It's actually really easy to do in the DHCP server, the simple way to do it. But annoying is the fact that I can add a pool from 100 to 149, then start another pool that goes from 151 to 200, and then I can statically map the 150 in between. Kind of annoying you can't map in the middle of a pool. But actually, I've seen some firewalls that can, some firewalls that can't. So it's probably better that you don't have things scattered all over the place. Generally you want to put all your servers in one block or grouping, and maybe all your other devices in another, and I like to have some level of organization for it. But when we take over networks, it's not always as easy as that, of just swapping everything to what makes us happy. Sometimes we have to deal with what we have, because it would be greatly disruptive to do it otherwise. Now VPN support: I've got separate videos. I've not done a video specifically on IPsec VPNs or L2TP in there. Most of the time you're wanting users to connect; if you want users to connect, OpenVPN is your go-to. It works, it's well vetted, it's solid. That installer allows you to export a single executable running on a Windows computer. It works fine in Linux as well; not the installer, but the export file it creates can be imported. I've done a video on that, with how to import it into, like, an Ubuntu-based distribution. OpenVPN is a great go-to for individual computers connecting. When you go site-to-site, IPsec can be a little faster and works really well, so no problem running the IPsec on there, and we have had clients who have things like IPsec tied into different cloud services. We've actually had... it's more troubleshooting. We've done IPsec tied to other non-pfSense firewalls as part of a requirement for setting up users, which includes several health care clients.
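The pool-splitting workaround described above is easy to get wrong by hand when a network has many existing reservations, so here is an added example of mine (not code from the video or from the pfSense project) that finds the static mappings pfSense would reject and carves the dynamic pools around them. The 192.168.10.0/24 subnet and the addresses are constructed, and it generalises the single "150 inside 100-200" case to any number of pools and reserved addresses.

```python
"""Model pfSense's "no static mapping inside a dynamic pool" rule and the
multi-pool workaround.  Added example, not code from the video or pfSense;
all addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List


@dataclass(frozen=True)
class Pool:
    """One DHCP range as the pfSense GUI shows it: inclusive start and end."""
    start: IPv4Address
    end: IPv4Address

    def __post_init__(self) -> None:
        if self.start > self.end:
            raise ValueError(f"pool start {self.start} is after end {self.end}")

    def __contains__(self, ip: object) -> bool:
        return isinstance(ip, IPv4Address) and self.start <= ip <= self.end

    def __str__(self) -> str:
        return f"{self.start}-{self.end}"


def parse_pool(spec: str, subnet: IPv4Network) -> Pool:
    """Parse 'a.b.c.d-w.x.y.z' and check both ends sit inside the interface subnet."""
    start_s, _, end_s = spec.partition("-")
    pool = Pool(IPv4Address(start_s), IPv4Address(end_s))
    for ip in (pool.start, pool.end):
        if ip not in subnet:
            raise ValueError(f"{ip} is not inside {subnet}")
    return pool


def find_conflicts(pools: List[Pool], mappings: List[IPv4Address]) -> Dict[IPv4Address, Pool]:
    """Static mappings that land inside a pool: exactly the ones pfSense rejects."""
    return {ip: pool for ip in mappings for pool in pools if ip in pool}


def split_pools(pools: List[Pool], mappings: List[IPv4Address]) -> List[Pool]:
    """Carve each pool around the reserved addresses (the 100-149 / 151-200 trick),
    generalised to any number of pools and reservations.  Empty pieces are dropped;
    mappings outside every pool are untouched because pfSense already allows them."""
    reserved = sorted(set(mappings))
    result: List[Pool] = []
    for pool in pools:
        cursor = pool.start                 # next address not yet placed in a piece
        for ip in reserved:
            if ip not in pool:
                continue
            if ip > cursor:                 # addresses before this reservation form a piece
                result.append(Pool(cursor, ip - 1))
            cursor = ip + 1                 # skip the reserved address itself
        if cursor <= pool.end:              # tail after the last reservation
            result.append(Pool(cursor, pool.end))
    return result


def plan_pools(subnet: str, pool_specs: List[str], mapping_ips: List[str]) -> Dict[str, List[str]]:
    """String-based wrapper, taking ranges as you would copy them from the GUI.
    Returns the mappings pfSense would reject and a pool list that avoids them."""
    net = IPv4Network(subnet)
    pools = [parse_pool(s, net) for s in pool_specs]
    mappings = [IPv4Address(s) for s in mapping_ips]
    for ip in mappings:
        if ip not in net:
            raise ValueError(f"static mapping {ip} is not inside {subnet}")
    conflicts = find_conflicts(pools, mappings)
    return {
        "conflicts": [str(ip) for ip in conflicts],
        "pools": [str(p) for p in split_pools(pools, mappings)],
    }


if __name__ == "__main__":
    # Constructed case mirroring the video: pool .100-.200 with a reservation at .150.
    print(plan_pools("192.168.10.0/24",
                     ["192.168.10.100-192.168.10.200"],
                     ["192.168.10.150", "192.168.10.50"]))
```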
We have clients who require IPsec VPNs. Matter of fact, one large health care provider now has documentation on pfSense, that we helped make, on how to set up pfSense to connect to their health care system. It was really easy to set up, and one thing about pfSense, and we're going to not go in depth on this, but something worth mentioning, is the logging on it is wonderful. Matter of fact, frequently I find, when we're troubleshooting, the pfSense is where I'll go to the logs. One of the ones we had to set up between another firewall, the logs, I was... they're bad. They just did not have enough detail to ever tell me why things weren't connecting. But by looking through the pfSense logs, because they're so extensive, I was able to figure that out. So that's something that I found really helpful, that there is a lot of extensive logging in pfSense. But it does have all those VPNs and different types you want on there. Captive portal: now this is also under the Services if you want to set up captive portal. I might do a video on it at some point in time, and once again, this is something you can tie in with FreeRADIUS as well. So captive portal, FreeRADIUS, and assign, like, bandwidth and things like that. It's on my to-do list to do a video on it. I just loathe captive portal. It's only if I absolutely need it. Any restaurant that thinks captive portal is the way to get more customers: no, it's a way to get people aggravated, because they are using an iPhone, it doesn't like your captive portal and it just skips it, and because people generally have good internet on their phones here in 2020, unless they're in an area that doesn't have good internet, they won't bother logging in and agreeing to whatever your terms and conditions are. That's well proven.
Uh, we even had some, uh, commercial restaurants that are franchises that hate the fact that corporate makes them put a thing in there, because it's the number one complaint: oh God, they hate the stupid splash page they have to get through with the captive portal, and it makes people come and talk to my staff member, and this is at a fast food restaurant. They actually contacted us, the franchise owner, and we put Wi-Fi in there, which I know is against the franchise rules, I'm imagining, but they're like, yeah, people just want Wi-Fi, and we like having a Wi-Fi that doesn't make them come up and ask questions all the time to the people that are serving their burgers. So captive portal: love-hate relationship. If it's a necessary evil, it does exist inside of pfSense, and it works as well as captive portal works. It's not the fault of, um, pfSense or any other captive portal; they always have problems with phones. That's your big... captive portal works pretty good when it comes to browsers. Even Windows 10 has gotten much better with captive portal and their redirect, and my Android Pixel phone works good. Samsung, I don't know what they're thinking; they don't seem to like captive portal. And iOS is... that's a random crapshoot. I'm not an iOS user, usually. I know they have a lot of trouble with it; my experiences have always been they seem to be the more troubled people when they try to get onto captive portal and get signed in. But I'm not going to spend too much time dwelling on it. It does exist. Maybe one day.
I'll do a video on it. Let's move over here to Status. These are all the statuses for all the different things going on. Now these statuses you can get to, and I'm on a mouse-over here, the related status page. That's a commonality across pfSense that you'll see: the top of most services also have a related status page where you can see all the leases and things like that. Or you can go here to the general status page and you can see things like, let's look at the Queue status. You can see what's in the queue, what's coming across. This is for the, uh, traffic shaper. And there's a lot of different things here: system logs, the traffic totals that I showed earlier, your gateway status, HAProxy stats, interface stats, load balancer, monitoring, etc. Now on to Diagnostics. Diagnostics are wonderful in pfSense because of the one I use the most, which is going to be your pfTop. I've got some videos where I talk about troubleshooting pfSense; I go right to pfTop to be able to figure things out all the time. It is really helpful in watching and tracing any connections. And of course it's got filtering, so you can filter for a very specific connection even on a very large network. You can narrow things down right away to exactly what you're looking for. So I probably use that more than anything else in here. But there are things like backup/restore, command prompt, darkstat. Um, I mentioned before darkstat gives you some stats. DNS Lookup: this is kind of neat if you're having a weird DNS problem. You go here to DNS Lookup and you can look at this. Now this is particularly handy if you have a different result than your client and you're remoted into your client. You can remotely go in, do DNS Lookup on their system: okay, what does their system say, and kind of start pivoting around and looking around in there.
So that's, there's something that's pretty helpful on there. Now, oddly, if you're wondering how to reboot or shut down a pfSense, those are located here. I always thought they should be under System. There's so many other things in here; it would be shorter if they were under System, but, um, I don't get to make that choice. Perhaps someone has a hack that moves it over there, which would be kind of funny. And it's not that I reboot it or halt it very often; I just always thought those were misplaced. But, um, the designers think otherwise. I'll disagree with them on that. Um, but hey, Packet Capture. Now I have videos on how to do full packet capture directly into Wireshark using pfSense and SSH and tunneling all the data over, but it also just has the ability to create a pcap file. So if you want to filter down, which is obviously a better idea than just dumping everything, you can go in here, grab a packet capture, download a packet capture, even on a remote system. And a good example of this is going to be when you're troubleshooting a VoIP phone. You're going to go, all right, I know the IP address of the phone, I don't know why it's not working. Give me all the data from that phone and filter it to the host, even the port if you need to, and grab all the data related to it. Drop it into a pcap file, throw it over in Wireshark and do the diagnostics. Great that that's just a default feature built into pfSense. More advanced, like I said, if you look in Wireshark and pfSense, I have ways you can filter data right out of pfSense right into Wireshark, which is great. That's about it for the diagnostics.
There's ping and ARP and authentication testing. There's a lot of little things you can do in here that are just general handy utilities. And by the way, when you do authentication testing, each authentication server you've set up, whether it's the RADIUS server (I called it the rad server) or local database, or any other ones you've added, especially if you've, you know, tied in some external authentication, this is nice. That way, if the user can't log in, you're like, oh, that's weird; you can try the username and password here and test it against one of those authentication servers you set up. These are all those little tools that just make your life easier when you're going through and troubleshooting. So spend some time going through the diagnostics, but like I said, when it comes to tracing, there's a lot of that. Well, there is a port test on there for whether ports are open as well. Um, I've suggested people use that quite a bit, which is down here: Test Port, host name to look up, and this can be internal or external. It is, before you port map something, and someone will go through NAT and say, hey, I want this opened up and it's not working on my WAN side, I can't seem to get there, I'm using some external service, I'll jump inside pfSense and look internally. And if I find the device isn't responding internally, well, it's not going to respond externally. So once again, another great troubleshooting tool on there. Now, system logs. I really... like I said, pfSense does a good job on this. They dump all the system logs out with a lot of detail. That is handy when you're trying to troubleshoot, especially VPN.
There's going to be a lot of detail in the VPN; there's going to be a lot of detail in the firewall logs. Make sure, if you choose to keep a lot of logs, and this is a tunable setting, that you also have enough space for them. Or, the other thing you can do in pfSense, push it to a syslog server. And currently this is being pushed all to Security Onion for all the syslog. So that is a great way you can do it. You can send everything to a remote syslog server, or multiple syslog servers if you have more than one place you want to land it. This is a way to handle it without having a massive drive, a place to land all the logs. So that is definitely a feature on there. I will comment, though, I think logs should be in reverse order. The default is the newest logs at the bottom; to me, I always want the newest logs at the top so as not to scroll down. And the GUI log entries defaults to 100; I set it to 200. You can set it higher so you can dump the logs on down the list if it's more helpful to you. You can set it a little higher; it depends on how fast your machine is, and not your pfSense machine but your browser, for handling how much gets dumped on the screen at a time. So, um, that's kind of a personal preference on there, but in terms of "show logs at top," I do wish that was a default, but it's easy enough to change; you just do that. You can also reset all the log files and clear them and wipe them all out if you feel the need to do so. You can disable writing to local disk. I don't recommend it, because you'd usually want some logs on there, because logs are your best friend when it comes to troubleshooting. But those are some tuning options in there. And because it would reveal lots of details of names and everything,
I'm not going to show you all the logs for OpenVPN, system and everything else, but everything does have logs that dump on there. Now the last little advanced thing I'll talk about in pfSense, that kind of goes everywhere that you look: so let's pull back up, like, the DHCP server. Sorry, I mean DNS server. So we're at Services, DNS; these are all of our general settings. We'll scroll down a little bit to Custom Options. Now this is something that is persistent throughout pfSense. There's easy ways, without going to the command line, without opening up special config files and adding something on, and this is something that survives upgrades, reboots, etc., and it's part of the actual config XML file: it's custom options. And I bring it up because for any particular service they have created a lot of menus, but maybe they didn't create that one extra thing you want it to do, that one extra parameter that you want to pass on the command line. And that, on many other systems, is either impossible to do on some firewalls, or would actually require you to go through and, um, edit some special config file that probably wouldn't survive the next update. pfSense thought of that, and they have this option for custom options, and this, like I said, many, many of the services have this at the very bottom. You can just pass whatever parameters you want to add on in the config file without having to go to a command line and edit the config file. So I like this feature quite a bit, and it's, once again, saved as part of your XML, so it survives updates, upgrades, and is part of the backup. So if you have those weird custom things that somehow they didn't make a menu for, which they made a menu for most everything, you can then pass those through. Now in the case of exactly what is this: this is the way pfBlocker integrates. So pfBlocker creates a list of the DNS blocking information, and it wants it added on. So you're saying "server: include", so, hey, use the config file plus include this config file, and
passing a parameter along as well. All right, so that's it for getting started with pfSense, and this should hopefully get you started, get you loaded. You're still going to be debating, probably, which way you want to do this, whether you want to just buy a device or build a device or virtualize it. Like I said, I mentioned at the beginning all the different pros and cons of those, but this is enough to get you going with it. I'm going to make a playlist that I'll leave linked below for any specific topic where I need to go in depth, because some of the videos where I go in depth on, like, OpenVPN or how to set that up, I'm going to build that list down below, so I have all the most recent versions, because sometimes there's more than one version of those videos. I'll make sure I have the most recent one only in the playlist, because sometimes I leave the old ones in case you're using an older version or have some reason to reference them. They're pretty much still the same, but when I remake a video I will cover a lot of the nuances and changes that may come with a new version of pfSense. And sometimes it's having the time to recreate some of those videos when something changes, but you can kind of get through if the menus have changed a little bit and see that it might be a little different, but it's enough the same that you can get the idea of how it works. So good luck. Uh, if you have comments, concerns, head over to the forums; I'll link this over in the forums, where I'll actually probably have a list of the videos as well, so we can have a more in-depth discussion of maybe what I need to cover next. But hopefully this is enough to get you started and get you playing with a, when it comes to features, pretty outstanding firewall. Thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If
you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos or other tech topics in general, even suggestions for new videos; they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching, and see you next time.