Pinning this comment with the Firewall Rules reference material. I strongly suggest reading this yourself as well! Firewall netgate docs: docs.netgate.com/pfsense/en/latest/firewall/index.html
I LOVE your teaching style! There are so many "how to" videos for pfSense that assume advanced knowledge and make it impossible to follow (and thereby LEARN). You assume nothing and even go out of your way to explain the details and give examples. BRILLIANT. You have made this so easy to understand!
Thank you Ruby I really appreciate the kind feedback. Whenever I make these types of guides I really try to remember a younger me just getting into the tech space working for an ISP and wanting someone to teach me in a similar manner. Not being condescending or speak to me as if I was there helping create the firewall/router/switch and know everything about it. As long as these guides help ease at least one person into the sometimes complex world of networking then I am extremely happy!
I bought a Netgate SG-1100 and didn't know what vlans, tcp/udp or any of it meant years ago. Now I feel confident I won't get locked out of the web interface with your thorough breakdown and helping me understand everything. Thank you sir. You have earned yourself a sub here. Cheers🎉
Great tutorial. So many of your peers assume way too much existing knowledge in their viewers. You not only point out pitfalls, you show us how to repair the damage.
I really appreciate the scope of this video! 1 step above an intro, unedited, and still within reasonable scope for someone to get started configuring their firewall properly before moving on to more nitty-gritty content!
Just found your channel while looking for pfsense knowledge. This video was a very helpful with making what I find as a complex subject easier to understand. thank you 👏👏
Thank you for this video, it was very informative 👍🏼, i work with paloalto firewall and the Pfsense interface and rules are very similar. Great job 👏🏾 👍🏼
Great Job! Thank You very much. I will try to "port" my firewall rules from Mikrotik to pfSense. Same logic but different way. Should work the same. Just a note. After I tested pfSense I made pfSense my primary firewall for about 100 users. Hardware, nothing special with 4 gigs of RAM - memory usage 72%.
Glad to see you making content about pfsense. It's a fantastic open source firewall. I currently am using it as a transparent bridge on my network to do network detection on my wan interface.
@@makeitcloudy Hello, I just want to be clear. What I am referring to is not really like a switch. But kind of in a way... Though note you shouldn't use pfsense as a bridge as it is not designed for that work load and neither are the NICs that are most likely in your pfsense box. You want a switch doesn't really matter what kind it's just they are far better at well actual switching and forwarding traffic. Now, if you want to learn about what I am doing you can do that by watching this Lawerence Systems video Bridge with suricate testing.
@@blindside995 thank you, I was watching Lawrence, he was my inspirations for freenas, syncthing and pfsense, before I realized network Berg exist :) cheers!
Very informative video, thank you. If I could ask a favor for your future videos, please try to control the constant quick mouse movement, it's very distracting.
Thank you for suggestion, sorry about distracting you. Sometimes I turn off the mouse pointer in my newer videos. I think at times I just move the mouse around as a pointer to showcase things but at a hyper ADHD level.
Excellent Tutorial - Thank you. I wish the mouse would not giggle so much though. Please move the mouse slowly so we can see where it is without shaking it so often.
very nice video .. i was thinking on 27:00 , you could create a simple LAN rule for INTERNET access by adding the gateway on the advanced tab ,as a result you cut entirely the internal traffic between hosts inside lan and let users to have internet access ,then you use squid proxy or snort to block P2P .how about that
Great video thank you. I noticed your RouterOS hardening video. Would you recommend using the firewall on both the MikroTik RouterOS and also on Pfsense? Another question I have some IoT devices and games on my PS5, and I've tried opening the required ports, but I'm still experiencing issues. I'm considering opening up all ports just for those devices, although I'm hesitant to do so. Do you have any advice on what else I could try?
Great video! Just a quick question: Why did you choose "single host or alias" and not "DMZ address" as destination when creating the WAN rule for the DMZ FTP server? Also, I can't seem to find a similar video for Mikrotik firewall rules, explaining the really basic stuff... Did you ever create one? The first 4-5min of this video was really informative, as I was not actually aware of how the firewalls operated. Thanks again.
Thank you for your kind words, I chose single host as I was going to allow traffic just to the IP of the server in the DMZ. The object DMZ address relates to the IP of the DMZ interface of the FW which is not what I wanted to allow. The other object DMZ net relates to the entire subnet, which is also not a good fit for the policy I wanted to implement. Hmmmm I think the most similar videos I have on the subject for MT is what I covered in my MTCNA course here: 📗MikroTik MTCNA - Firewall Principles (Forward,Input,Output) ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-NXvHdZbAuTI.html 📗 MikroTik MTCNA - Firewall Fasttrack, Mangle Rules & Address Lists ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-sZzvfyfCtWU.html There is also this video from my live stream, but it is quite lengty: 💻 Taking a look at RouterOS/MikroTik Firewall in EVE-NG Live Lab: Filters, NAT, Mangles etc! ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-zA6bkg2KrjE.html
Ironically I did remember setting up firewalls more than 20 years requiring a lot of rules and the first time I setup pfsense (very recently) I was confused because it is too simple now 😅
Thanks and I appreciate this. It is superful to people using pfsense. Let's say you have 10 vlans and you want to block access from your Lan network/vlan to these vlans.How do you implement that in pfsense. For me I would normally create separate alias containing vlans/network for each vlan, then I would create block rule for each vlan.For instance I create an alias Lan_V_Blocks and populate this with the vlans/networks that I want to block access from Lan network/vlan. The problem with this approach is time consuming. Is there any better and faster solution than this. ?
I'm trying to set Blue Iris server in a "DMZ" and only allow access to it from specific network on LAN interface. I've tried setting rules in/out on both interfaces and I still can't get to it.
Good info. Had a question on my setup. I have another rule which is " RFC 1918 networks " being blocked. Is this a pfsense item by default? Not sure if it's something I added or not. Trying to do some port forwarding and it's not working, and I'm not sure if this rule or the other one you're showing for the WAN is what's causing my traffic to not go thru or not. Thanks.
Thanks to Lawrence Systems I have several vlans and an alias "grouping" the private ones including the lan on which pfsense is on. I have a guest vlan, I'm trying to create a Captive Portal So I have this rule thanks Lawrence, which blocks my private interfaces. How do allow the local dns to pas (on lan). I tried allowing dns tcp/udp from gust to lan no joy.
Hello, thank you for the video it was very helpful. I have a quick question, if the load times are really long for the pfsense webconfigurator does that mean I have some sort of firewall conflict with my dns? (I am just setting it all up today)
A slow webconfigurator sounds more like a resource issue, are you running the software on a VM or Hardware? I would highly suggest posting about it on the pfSense forums with your specs to see if someone from Netgate might be able to help out.
I'm re-establishing my pfSense from end of last year when I never fully put it in place. When I boot it up, it is showing "pfSense 2.7.2-RELEASE amd64 20231208-2055" Is this the latest version? When I hit the update option , it says it's up-to-date, but I'm not sure if I'm attempted the update correctly. I'm going to "system" "update" "System Update". Thanks in advance!
I started using Sophos at work, and I miss very much on Pfsense ability to add multiple ports/IPs to one rule, it is so tiresome when you must add all ports one by one...
Haven't needed to access Package Manager until recently. Deleted a package and when I attempted to download the one I wanted... no available packages. Error message something about Internet not available. The firewall works great, and has been doing a flawless job. Maybe I left a remnant of initial setup in, that needs to be removed. Any ideas?
Most people tend to drop ICMP to the wan IP, though you could tweak rules to allow monitoring from a specific source to that you could see if the link ever goes down but no one else would even know the IP was live
so if i use space invaders tutorial to allow upnp for game consoles should i also place them in a dmz? i really have no need to have them on lan access i’ve been trying to figure out netgears vlan rules but it’s complicated for me to understand.
It was really straight forward tutorial, in your video i understood what i couldnt get from probably 5 or more other different sources! Keep it going! Ty! (and subbed ofc)
Not a strange question at all Dennis, there's a few configurations you can run using both a RB3011 and a Netgate firewall. I would prefer putting the RB on the WAN edge and having it be responsible for connections and such where you could leverage the firewall features of the Netgate behind the MikroTik to monitor and restrict access to your internal networks a bit more effectively.
@@TheNetworkBerg That is the answer I was looking for. I have 20 VLANS setup on my 3011 with the last 10 devoted to 10 computers forr all the grandkids and neighberhood kids to utlize them for gaming. I need to get more granular control on the kids use of the internet. Another goal is VLAN internet connection blocking. sould this be acomplished on the Netgate or the 3011? I have a symentrical 1Gb x 1Gb internet connection. All the other Vlans are used for Plex, Unraid, Windows Server 2022, and Wireless networks.
What is your opinion w.r.t. Mikrotik firewall vs PFSense if you disregard the reporting side of PFSense? Would you choose PFSense over a solution with extensive scripting for instance on a CCR that also assists with IDS, blacklisting, tunneling, VPN's etc?
Hi Anthon, I think the statement "With extensive scripting" already summarizes why a SOHO or Medium sized business should rather opt for something like a pfSense firewall as opposed to having the MikroTik doing the firewalling. Scripting in itself can be pretty complex and even if you are just importing scripts from some vendor you are probably going to be paying them for those services, which they do on their own platforms which is most likely just another firewall. If you are going to do your own scripting that also means you are going to have to learn the scripting language or find someone that understands it. It's definitely not the hardest scripting language in the world, but it's still a niche skillset. Very useful, but in the sense of business if I suddenly lost a person that performed all the scripting and that skillset gets lost then I think the business could face some serious trouble. Especially after some software upgrade on ROS that creates some or other bug on a script that you are using. So for ease of use I think pfSense is a much better firewall, although I still think MikroTik is a superior router :D!
@@TheNetworkBerg Thanks for the quick reply - we have several staff quite comfortable with Mikrotik scripting and have about two decades worth of Mikrotik experience so we know them really well. The question for me here is whether we should look at PFSense as a replacement (or addition) for a skillset we already have given that we have no issue with Mikrotik where it stands at present. We supply a service to business in this regard. Your knowledge of Mikrotik and now PFSense makes your opinion matter hense the reason I asked and might save some time playing with something and then realize its not needed. So I guess the real question to ask is then why would you choose PFSense over Mikrotik if skills are not an issue.
@@anthonwalters3706 Valid, but still a tough question to be honnest. I could say and summarize it this way, that if you can afford the effort of scripting by your own, and you are in such comfortable situation that the tests can be performed outside of production, then why not performing all the logic within your scripts, especially when you are sure about the people standing behind the whole logic. The thing is that the code itself, does not scale well if it is not designed properly. Keeping the IaC (Infrastructure as Code) in mind, the real question is about combining the scripts with the processes or other API's which can talk with your functionality. I still can not compare all the plugins available in pfsense, and whether those has the integration with the particular usecase you have in your head for the business case of your's, that's why this question can be probably answered by you only. Unless I'm completelly wrong. Cheers
This video was aimed at how to configure firewall policies, I suggest looking at your logs and creating policies to specifically drop the torrent traffic you are seeing on either their protocols and/or destinations
Good info, but man, CHILL with the spastic zig zagging of the mouse cursor over everthing. Highly distracting and annoying. Calm steady movements win every time.
I was hoping you would discuss explict deny rules between interfaces. For example, I don't want interfaces x to be able to get to interface y. Your allow to any rules would allow that connection which I want blocked.
Then again if anything inside wants to get out all it does is go over 443 like lets say a VPN over 443 and bam you got everything now. Unfortunately outbound port blocking is not what it was in the old days, you got to secure all clients directly and ensure only trusted clients are on the network if you really care what is going outbound.