Categories
2022

Why I’m using pfSense and a brief walkthrough of my setup (part 2/2)

Disclaimer: This won’t be a tutorial or an explanation of how to set things up, because that would take way too long. I’ll quickly go through some of the choices I’ve made and maybe it can serve as inspiration to others. There are currently a lot of tutorials for setting up the details in pfSense; please use Google to find those.

Brief introduction to pfSense

pfSense® software, which I wrote about in the previous blog post, is a FreeBSD-based firewall and router distribution that is managed through a web interface. It exists in 2 versions:

  1. a free, open source version: pfSense Community Edition (CE) that comes without hardware (=you have to buy your own hardware), see e.g. https://www.pfsense.org/download/
  2. a proprietary version: pfSense Plus, which is factory-installed when buying Netgate’s official hardware, see e.g. the Netgate-series products at https://shop.netgate.com/

Furthermore, without going deeper into it, there’s also https://opnsense.org/download/ which is a similar product. Enough about that…

My (hardware) setup

pfSense by itself doesn’t need many resources. I run it as a virtual machine on an upgraded low-power thin client I bought on eBay. My hardware:

  • a HP T730 Thin Client: https://support.hp.com/us-en/document/c04853546
  • Upgraded from 8 to 16 GB RAM (couldn’t find 2×16 GB RAM for a reasonable price, so I went with 2×8 GB instead).
  • A low-profile Intel i350-T4 PCIe Ethernet card, providing me with 4 extra 1 Gigabit ports (NICs).

It is excellent in terms of power consumption: it only draws around 25 W, so this machine is awake 24/7/365 without contributing much to my electricity bill, and I can use it for a lot of services, e.g. fileserver, virtual machines, containers (LXC/docker etc).

My Proxmox VE setup (not needed for pfSense)

This machine runs Proxmox VE, which is a type 1 hypervisor, i.e. it runs directly on the computer’s physical hardware instead of being installed on top of e.g. Windows/Linux or another OS (think of VirtualBox, which is a type 2 hypervisor).

pfSense running as a Virtual Machine inside Proxmox VE.

While Proxmox isn’t as well-known as VMware ESXi, especially in corporate environments where VMware is the market leader (and used practically everywhere), Proxmox VE is Open Source and free to download and use. VMware ESXi on the other hand is part of VMware vSphere, which is an expensive proprietary technology, although there is a limited free version. Because I prefer not to pay for software when free software that is excellent and runs perfectly fine exists, I’ve never considered ESXi as an alternative to Proxmox in my home setup (maybe I’ll go through this setup in more detail in a future blog post).

Shortly about my network-setup

In addition to the hardware above I also have 2 managed switches for controlling my VLANs, and my old Netgear R7000 router is currently running DDWRT firmware, but only acting as a Wireless Access Point. For reasons I’ll not go through here, it’s important that the “DHCP Server” on the R7000 is disabled and that its “Gateway” points to the IP address of the pfSense interface (pfSense is the main router and DHCP server).

I then physically connect my VLANs through trunk ports on both managed switches, and because DDWRT understands VLANs I can use the DDWRT web UI to assign VLANs to physical access ports. With this setup I have 2 or 3 VLANs going through the DDWRT router, but everything important related to VLANs (=the firewall) is controlled by pfSense. Each VLAN has its own subnet, i.e. in my case VLAN 1 uses subnet 192.168.1.0/24, VLAN 10 uses 192.168.10.0/24, VLAN 40 uses 192.168.40.0/24 and so on.

An overview of my pfSense-setup

Let’s start by seeing which VLAN interfaces have currently been defined:

The WAN interface is what provides access to everything on the internet. I currently have 3 IOT VLANs (VLAN 10, 20 and 30), although they’re not all active at the same time. Furthermore, I earlier experimented with routing everything connecting to VLAN 10 through a VPN connection (known as https://en.wikipedia.org/wiki/Policy-based_routing ), but I haven’t updated the interface name, as seen in the screenshot below.

Interface Assignments

pfSense – current interfaces in use incl. VLANs.

VLAN 100 is a special VLAN I use for a virtual bridge: my fileserver runs on VLAN 100, and it gets its own VLAN because it needs its own rules, since different individual devices need access to the fileserver. And then I have the interface “PHYS_PORT3_EMERGENCY”, because I’m sure it has happened to everyone messing with firewalls that once in a while you accidentally lock yourself out. Unless I totally screwed up, I can now plug a cable into physical port 3 and e.g. revert/restore previous configuration settings.

Firewall rules

Firewall rules are very important when it comes to the whole network segmentation and network security discussion. I’ll not go through all the rules I have, but as an example the firewall rules for VLAN 1 are shown below:

VLAN 1-rules

VLAN 1 pfSense firewall rules.

The rules are evaluated from top to bottom and the first rule that matches a packet decides what happens to it (later rules are never consulted), so the pass/allow rules (with the green check mark) sit at the top and the catch-all block at the bottom.

  • The first rule says that on VLAN 1, i.e. on the 192.168.1.0/24 subnet, DNS traffic (port 53) is allowed as long as it’s from and to 192.168.xx.xx. Note that DHCP itself uses UDP ports 67/68, not 53, and pfSense automatically adds hidden pass rules for DHCP on any interface where its DHCP server is enabled; what this rule protects is name resolution. Without it, clients would still obtain a lease from the DHCP server but could not resolve hostnames, which to the user looks much the same as having no network at all.
  • The second rule is an “allow everything” from some specific devices (mostly my laptops, which are used to administer everything). This means that my VLAN 1 laptops can ping/access all devices on all VLANs.
  • The third rule is a special printer rule. Normally VLAN 1 devices are not allowed to communicate with other VLANs, but the printer at IP 192.168.1.10 is allowed to talk IPv4 TCP to the fileserver at 192.168.100.10 (which is a Linux container).
  • Next I also allow traffic on VLAN 1 from everywhere with destination “Devices_with_full_access” to pass. Keep in mind that rules on an interface tab in pfSense only match traffic entering pfSense on that interface, so in practice the source here is a VLAN 1 host; traffic from other VLANs towards those devices is decided by the rules on their own VLAN tabs.
  • Finally, pretty much everything else is blocked, as indicated by the red cross in the left margin.

VLAN 20-rules

For comparison, here are my VLAN 20 firewall rules:

VLAN 20 is very, very restricted: the last 2 rules ensure that almost everything is blocked…

There are only 4 rules:

  • The first rule opens up ports 137-445 for CIFS access to the fileserver. Note that this contiguous range passes much more than CIFS, which only uses UDP 137-138, TCP 139 and TCP 445: everything in between, e.g. 389 (LDAP) and 443 (HTTPS), is allowed towards the fileserver as well, so a tighter rule would list only those four ports.
  • The next rule explicitly allows traffic to 224.0.0.22, the multicast address that IGMPv3 membership reports are sent to. This rule was made based on the firewall log: now this traffic no longer clogs up the log (as much), which makes it easier to see the remaining firewall blocks.
  • The third and fourth rules block all other traffic.
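To make the top-to-bottom, first-match behaviour of the VLAN 1 and VLAN 20 rule sets concrete, here is an added example in Python that is not part of the post: a tiny evaluator that applies an ordered rule list the way pfSense does, loaded with a reconstruction of the two rule sets described above. It also shows what the single 137-445 range in the VLAN 20 rules lets through next to a variant that lists only the SMB/CIFS ports, and that traffic between two hosts on the same VLAN never reaches pfSense at all. The alias members, the fileserver address 192.168.100.10, the .1 gateway addresses and the UDP/TCP split in the hardened VLAN 20 variant are assumptions.

```python
# Added example, not code from the blog post: a small first-match rule
# evaluator that mirrors how pfSense applies interface rules top to bottom.
# The rule sets reconstruct the VLAN 1 and VLAN 20 rules described above;
# the alias members, the fileserver address 192.168.100.10, the .1 gateway
# addresses and the TCP/UDP split in the hardened VLAN 20 set are assumptions.
import ipaddress
from dataclasses import dataclass

ANY = "any"

# Alias table (pfSense "Firewall > Aliases"); the members are assumed.
ALIASES = {
    "Devices_with_full_access": ["192.168.1.20/32", "192.168.1.21/32"],
    "Local_192": ["192.168.0.0/16"],          # the post's "192.168.xx.xx"
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "igmp" or ANY
    src: str                     # CIDR, alias name or ANY
    dst: str
    dports: tuple = (0, 65535)   # inclusive destination port range
    note: str = ""


def _addr_matches(spec, ip):
    if spec == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec]))


def evaluate(rules, proto, src, dst, dport=0):
    """Return (action, note) of the first matching rule. pfSense interface
    rules are 'quick': the first match decides and later rules are never
    consulted; a packet matching nothing hits the implicit default deny."""
    for r in rules:
        if r.proto not in (ANY, proto):
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        if not r.dports[0] <= dport <= r.dports[1]:
            continue
        return r.action, r.note
    return "block", "implicit default deny"


def reaches_pfsense(src, dst, prefixlen=24):
    """pfSense only filters what it has to handle: traffic routed between
    different /24 VLANs, traffic to its own interface address (assumed .1)
    and the copy of a subnet broadcast that lands on its interface. Two
    hosts on the same VLAN talk through the switch and never hit the rules."""
    net = lambda ip: ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    dnet, addr = net(dst), ipaddress.ip_address(dst)
    return (net(src) != dnet
            or addr == dnet.network_address + 1
            or addr == dnet.broadcast_address)


def decide(rules, proto, src, dst, dport=0):
    """What happens to a packet sent by a host on the VLAN."""
    if not reaches_pfsense(src, dst):
        return "switched (pfSense never sees it)"
    return evaluate(rules, proto, src, dst, dport)[0]


VLAN1 = [
    Rule("pass", ANY, "Local_192", "Local_192", (53, 53), "DNS"),
    Rule("pass", ANY, "Devices_with_full_access", ANY, note="admin laptops to anywhere"),
    Rule("pass", "tcp", "192.168.1.10/32", "192.168.100.10/32", note="printer to fileserver"),
    Rule("pass", ANY, ANY, "Devices_with_full_access", note="anything to admin laptops"),
    Rule("block", ANY, ANY, ANY, note="block everything else"),
]

# VLAN 20 as written in the post: one contiguous 137-445 range also passes
# 389 (LDAP), 443 (HTTPS) and everything else in between, not just CIFS.
VLAN20_AS_WRITTEN = [
    Rule("pass", ANY, "192.168.20.0/24", "192.168.100.10/32", (137, 445), "CIFS, too wide"),
    Rule("pass", "igmp", ANY, "224.0.0.22/32", note="IGMPv3 membership reports"),
    Rule("block", ANY, ANY, ANY, note="block everything else"),
]

# Hardened variant: only the ports SMB/CIFS actually uses.
VLAN20_HARDENED = [
    Rule("pass", "udp", "192.168.20.0/24", "192.168.100.10/32", (137, 138), "NetBIOS name/datagram"),
    Rule("pass", "tcp", "192.168.20.0/24", "192.168.100.10/32", (139, 139), "NetBIOS session"),
    Rule("pass", "tcp", "192.168.20.0/24", "192.168.100.10/32", (445, 445), "SMB"),
    Rule("pass", "igmp", ANY, "224.0.0.22/32", note="IGMPv3 membership reports"),
    Rule("block", ANY, ANY, ANY, note="block everything else"),
]


if __name__ == "__main__":
    for rules, *pkt in [
        (VLAN1, "udp", "192.168.1.50", "192.168.1.1", 53),                  # DNS to pfSense: pass
        (VLAN1, "tcp", "192.168.1.50", "192.168.10.5", 80),                 # ordinary host to IOT: block
        (VLAN1, "tcp", "192.168.1.10", "192.168.100.10", 445),              # printer to fileserver: pass
        (VLAN20_AS_WRITTEN, "tcp", "192.168.20.7", "192.168.100.10", 443),  # slips through the range
        (VLAN20_HARDENED, "tcp", "192.168.20.7", "192.168.100.10", 443),    # block
        (VLAN20_HARDENED, "tcp", "192.168.20.7", "192.168.20.8", 445),      # same VLAN: switched
    ]:
        print(pkt, "->", decide(rules, *pkt))
```

Swapping the order of the rules changes the result, which is the whole point of first-match evaluation: put the catch-all block above the printer rule and the printer loses its fileserver access. The last case is the one that bites people who rely on pfSense alone for isolation: a host on VLAN 20 reaching another host on VLAN 20 is switched at layer 2 and is never evaluated against any of these rules.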

Investigating the firewall logs

Investigating the firewall logs is where all the hard work begins to pay off and interesting conclusions can be drawn. There are a lot of things one can look at. For now I’ll show something very simple and easy:

Graphical illustration of firewall traffic block rules.

Blocks based on “Source IPs” (the top pie-chart)

Although I have around 42 network devices, my 2nd generation Google Chromecast alone is responsible for around 1/3 of the firewall block entries. My Samsung TV is responsible for 27%, and then I have 2 Amazon Echo Dot devices that also take (more than) their fair share of blocks.

If we look at the single IP address that is not from my own network, a quick Google check reveals that the IP 72.251.235.152 has >2700 user reports, namely “port scan”, “hacking”, “exploited host”, “VPN IP”, “Web App Attack” and so on. So this definitely looks like a malicious IP address that should be completely blocked (see e.g. https://www.abuseipdb.com/check/72.251.235.152 for more details and check out the >2700 user reports).

Blocks based on “Destination IPs” (the lower pie-chart)

This pie-chart reveals where the blocked connections were headed. 47% of the blocks have a destination on VLAN 10, which is my IOT network (=insecure devices). 26% of the block entries are broadcast traffic, i.e. traffic to xx.yy.zz.255, the address used for a message meant for every device within a subnet. A broadcast is delivered at layer 2 (see https://www.geeksforgeeks.org/layers-of-osi-model/): the switch floods it to every port in the VLAN, including the port that leads to pfSense’s own VLAN interface. What the log shows is pfSense dropping the copy that reached it, because no rule passes it (a router never forwards a subnet broadcast into other subnets anyway). It does not mean the other devices in that VLAN didn’t get the broadcast; they did, because traffic between two devices in the same VLAN is handled by the switch and never passes through pfSense at all.

I don’t currently think any of my IOT devices need to talk or communicate with each other:

  • Why would my Amazon Echo Dot communicate with my Samsung TV?
  • Why would my Chromecast communicate with my temperature sensors?
  • Why would my Yamaha receiver communicate with any of my other internal IOT devices?

Currently the VLAN 10 rules block all of this traffic as far as pfSense sees it, i.e. everything leaving VLAN 10 towards other VLANs. Be aware that the pfSense rules cannot stop two devices on VLAN 10 from talking to each other: that traffic stays on the switch at layer 2. To prevent that as well, you need client isolation on the access point and port isolation (private VLANs) on the switches, or a separate VLAN per class of device.

The problem is that if one of the IOT devices becomes infected with malware, it’ll attempt to spread to every device it can find, and in that case strong firewall rules are a great security precaution.

Next we have 23% of the block entries for the WAN IP. It’s not unusual for malicious actors, or malware-infected machines, to do a lot of port scanning and try to find security vulnerabilities so they can get control of a machine and maybe use it as part of a larger DDoS botnet.
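The two pie charts above come from pfSense’s own log viewer, but the same counts are easy to reproduce from the raw log, and doing so lets you add the checks the screenshots can’t: which blocked sources are not on your own network (the candidates for an AbuseIPDB lookup) and which ports such a source knocked on. The following is an added example in Python, not code from the post; it assumes the documented pfSense raw filterlog CSV layout, and the log lines are constructed, using documentation address ranges (203.0.113.0/24, 198.51.100.0/24) for the outside world and the post’s 192.168.x.0/24 VLANs inside.

```python
# Added example, not code from the blog post: parse pfSense's raw filterlog
# lines and reproduce the two pie charts from the text as counts (blocks by
# source IP, blocks by destination kind and by interface), plus two checks
# worth doing on top: which blocked sources are not on your own network,
# and which ports such a source probed. The log lines are constructed in
# the documented filterlog CSV layout; outside addresses are from the
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
import csv
import ipaddress
import re
from collections import Counter

SAMPLE_LOG = """\
Nov 27 20:01:10 pfSense filterlog[1234]: 5,,,1770000001,igb1.10,match,block,in,4,0x0,,64,0,0,DF,17,udp,130,192.168.10.50,192.168.10.255,1900,1900,110
Nov 27 20:01:11 pfSense filterlog[1234]: 5,,,1770000001,igb1.10,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.50,192.168.1.50,50122,8009,0,S,1,,65535,,mss
Nov 27 20:01:12 pfSense filterlog[1234]: 5,,,1770000001,igb1.10,match,block,in,4,0x0,,1,0,0,none,2,igmp,40,192.168.10.60,224.0.0.22,20
Nov 27 20:01:13 pfSense filterlog[1234]: 5,,,1770000001,igb1.10,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,192.168.10.60,192.168.10.255,57621,57621,58
Nov 27 20:01:14 pfSense filterlog[1234]: 3,,,1000000103,igb0,match,block,in,4,0x0,,47,0,0,none,6,tcp,40,203.0.113.77,198.51.100.20,43212,22,0,S,1,,1024,,
Nov 27 20:01:15 pfSense filterlog[1234]: 3,,,1000000103,igb0,match,block,in,4,0x0,,47,0,0,none,6,tcp,40,203.0.113.77,198.51.100.20,43213,23,0,S,1,,1024,,
Nov 27 20:01:16 pfSense filterlog[1234]: 7,,,1770000002,igb1.1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,203.0.113.9,51000,443,0,S,1,,65535,,mss
Nov 27 20:01:17 pfSense sshd[999]: Accepted publickey for admin from 192.168.1.20 port 50200 ssh2
"""

# Field positions in the IPv4 filterlog layout: rule,sub,anchor,tracker,
# iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,flags,proto-id,
# proto,len,src,dst[,sport,dport,...].
IFACE, ACTION, DIRECTION, IPVER, PROTO, SRC, DST, DPORT = 4, 6, 7, 8, 16, 18, 19, 21
LINE_RE = re.compile(r"filterlog\[\d+\]: (.*)$")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_filterlog(text):
    """Return one dict per IPv4 filterlog entry; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = next(csv.reader([m.group(1)]))
        if len(f) <= DST or f[IPVER] != "4":
            continue
        dport = int(f[DPORT]) if f[PROTO] in ("tcp", "udp") and len(f) > DPORT else None
        entries.append({"iface": f[IFACE], "action": f[ACTION], "dir": f[DIRECTION],
                        "proto": f[PROTO], "src": f[SRC], "dst": f[DST], "dport": dport})
    return entries


def is_private(ip):
    return any(ipaddress.ip_address(ip) in n for n in PRIVATE)


def classify_dst(dst):
    """Bucket a destination roughly the way the post reads its lower pie
    chart. Broadcast detection assumes /24 subnets, as in the post."""
    addr = ipaddress.ip_address(dst)
    if addr.is_multicast:
        return "multicast"
    if addr == ipaddress.ip_network(f"{dst}/24", strict=False).broadcast_address:
        return "broadcast"
    return "internal" if is_private(dst) else "external"


def summarize_blocks(entries):
    blocks = [e for e in entries if e["action"] == "block"]
    return {
        "total": len(blocks),
        "by_src": Counter(e["src"] for e in blocks),
        "by_dst_kind": Counter(classify_dst(e["dst"]) for e in blocks),
        "by_iface": Counter(e["iface"] for e in blocks),
        # Blocked sources outside RFC 1918 space: candidates for a reputation lookup.
        "external_sources": sorted({e["src"] for e in blocks if not is_private(e["src"])}),
    }


def ports_probed_by(entries, src):
    """Distinct destination ports a source was blocked on: a quick port-scan
    indicator for the external sources found above."""
    return sorted({e["dport"] for e in entries
                   if e["src"] == src and e["action"] == "block" and e["dport"] is not None})


if __name__ == "__main__":
    entries = parse_filterlog(SAMPLE_LOG)
    s = summarize_blocks(entries)
    for src, n in s["by_src"].most_common():
        print(f"{src:16} {n:3} ({100 * n / s['total']:.0f}% of blocks)")
    print("by destination kind:", dict(s["by_dst_kind"]))
    print("by interface:", dict(s["by_iface"]))
    for ext in s["external_sources"]:
        print(ext, "probed ports", ports_probed_by(entries, ext))
```

On a real box the input is the output of `clog /var/log/filter.log` (or the syslog export) instead of the embedded sample. The `by_iface` counter gives the “47% on VLAN 10” number directly, `by_dst_kind` separates the broadcast noise from real inter-VLAN attempts, and a single external source hitting several low ports in sequence is the scan pattern the post describes on the WAN side.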

Finally, after this screenshot was made I realized I had made a minor mistake in my firewall rules on VLAN 10, which is illustrated by the following screenshot:

The IP address shown here has a webserver at https://54.76.19.30/en and is probably legit.

The firewall log tells that one of my trusted devices could not connect to the web server at https://54.76.19.30/en; this was a minor mistake that has now been fixed. The website seems to belong to Samsung:

This tells that the certificate for the samsungknox.com website is not valid for access via the raw IP address https://54.76.19.30/en; use https://samsungknox.com/en instead.

The Samsung Knox website/IP address is probably (at least partly) responsible for automatically downloading security updates for my Samsung (mobile) phone. If I hadn’t found this minor firewall mistake I probably wouldn’t have added these last extra useful screenshots, and I think the description above is useful for illustrating the basics of how I work with, debug and update/modify firewall rules. The firewall rules can be permissive or strict; basically I have very strict rules for the IOT network and relatively permissive rules for the network where I have my work PCs.

Conclusion

This and the previous blog post illustrate the most important parts of how pfSense works and why you need it, or a similar firewall solution. There are however a lot of other possibilities and settings I’ve not shown. As an example, I’ve also experimented with Intrusion Detection Systems and installed Snort and Suricata; maybe this could be the topic for a future blog post, but not now.

I hope this blog post maybe inspired someone to look more into these technologies and/or to write with suggestions for improvements.


Why I think everyone should do network segmentation (part 1/2)

IOT-devices are insecure and exist in every modern home:

With the enormous number of small connected IOT devices in people’s homes, I think it’s becoming more and more important to separate “dumb IOT” devices, which usually stop receiving security/firmware updates a moment after they’ve been bought. Examples of such devices are old phones/tablets, outdated but still used security cameras, temperature sensors, outdated routers, media/gaming devices etc. Many normal people don’t care much about the risks associated with having insecure devices connected to their primary computer network, especially people not in the IT industry… Luckily it’s however pretty standard to have a built-in firewall in consumer routers.

How many years did it take for me to understand why I needed the solution I have today?

My personal journey with firewalls probably started around 10-15 years ago with https://dd-wrt.com/ because at that time I was also interested in OSS (Open Source Software) and DDWRT. So I bought myself a cheap router of this type: https://en.wikipedia.org/wiki/Linksys_WRT54G_series, and it seemed nice (but wasn’t, and that took some years to understand). Back in those days we didn’t have all the options we have today, but installing a custom firmware on my router opened up for learning and doing more advanced networking things than what is typically possible on consumer routers, and than what consumers typically do… So that has shaped me and what I know about networking today…

I could now install a lot of simple Linux packages using e.g. https://wiki.dd-wrt.com/wiki/index.php/Ipkg and https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware on my home router. “Wow, that was crazy insane”, I thought… I began to learn a lot of new advanced things about routers and networking by reading the corresponding forums, asking questions and so on. After some years I upgraded to the following (still basically the same concept as with DDWRT/AsusWRT):

IOT devices have been around for some years, and they rarely receive security firmware updates, unlike our laptops (Windows Update etc). I think that over the past 6-7 years I obtained an understanding I didn’t have earlier of why I needed to use VLANs to segment my network traffic, and I’ll try to convey that understanding below:

What is VLAN segmentation?

Most people know that the LAN is what’s typically behind their (often ISP-supplied) router and the WAN is what’s on the other side of the router, i.e. the internet. It doesn’t take long before one learns that a router firewall typically prevents traffic from the WAN (outside) from directly connecting to anything on the LAN (inside). The firewall blocks new connections in one direction (WAN->LAN), but allows everything in the other direction (LAN->WAN) and, being stateful, lets the replies to those outbound connections back in. That is the basic concept of a firewall…

A VLAN is a virtual LAN, so instead of having a single LAN we have multiple LANs. We then configure the firewall rules such that e.g. one network of connected internet devices (e.g. IOT devices) is only allowed to have traffic forwarded to the outside (the WAN/internet), but not to any other internally connected devices. This provides protection against hackers, security threats and malware, because as soon as anyone (or anything, i.e. a malware-infected IOT device) has access to your LAN, that device can be used to circumvent the firewall and gain access to other machines, or, if it’s infected by malware, it’ll try to spread to other machines. Software vulnerabilities are found every day and security patches are made to protect systems from being compromised. That was the short story…

Understanding the mistakes I did and why I wish I understood the solution to my problems earlier…

For many years I used DDWRT and AsusWRT for setting up VLAN segmentation on my routers, most importantly to set up:

  1. a management VLAN (“only for administration of the router”)
  2. a VLAN for IOT-devices (=”insecure devices” that never received security updates, e.g. old mobile phones with no software updates, old cameras, internet-connected temperature sensors/heating control, smart-TV etc)
  3. a VLAN for desktop and laptop PC’s, printer (“trusted devices” – those that receive security patches and updates, i.e. Windows/Linux – newest Android-phone/tablet)

For many years DDWRT had a problem with their GUI in the sense that it couldn’t really be used for setting up and configuring VLANs: it was broken, but partly worked. Command-line configuration and startup scripts were needed. It was the same with AsusWRT. I spent hundreds (if not thousands) of hours reading, experimenting and asking in the forums about which (often hardware-specific) commands were needed for assigning e.g. VLAN xx to physical port yy of the router. And there were many bugs that prevented solutions that worked on one specific router from working on my router, so it was a real pain!

I’m sometimes stubborn when it comes to learning about IT and IT technologies, but this was just stupid and a complete waste of my time: I spent several years fine-tuning my VLAN setup on these flashed custom-firmware routers, and once in a while I read about people having a more advanced setup on another hardware platform than I was used to… Unfortunately it took me too many years to understand that I should’ve taken this path a lot earlier, so I highly recommend:

I recommend setting up either a pfSense or OPNsense firewall (optionally virtualized) instead of doing the mistakes I did:

For too many years I ignored people writing in the networking forums: “oh, and then I also have a pfSense box which I’m using for controlling my firewall”. I thought that such a firewall was only for businesses, not really for simple consumers like myself, and I also thought my dirt-cheap home router was good enough because I was clever enough to “tame it”. Not until the end did I consider the hundreds of thousands of hours I struggled with fine-tuning the setup, and when all the wasted hours are taken into account it’s much better to buy a low-power computer, install pfSense on it, and use that graphical and super-easy GUI to do everything in a very intuitive way. What took me years to achieve on DDWRT/AsusWRT took 1-2 months to achieve on pfSense, and after 2 months the pfSense setup was even more advanced and superior.

I currently have around 42 internet-connected devices on my network (pfSense -> Status -> DHCP Leases). I’ll explain more about some of the technical details in my next blog post, since this introduction became much longer than I originally anticipated and it’s getting late now.

My pfSense dashboard (a few details redacted).

First blog post about why I’m starting this up.

An introduction:

The story behind this webpage is that I bought this domain back in July 2022. I bought it for learning new things, and if I one day screw everything up, no harm is done. I decided to host the web and mail server for this domain on a free Oracle Cloud account. By the way, I highly recommend getting yourself such an account, but don’t misuse it: I’ve read that Oracle doesn’t hesitate to close accounts down without a warning (more details below). For the past weeks, I’ve been thinking about what to do with it:

It’ll be a blog where I hope to sometimes post stuff about what I’m interested in, which is generally everything involving Linux, self-hosting, virtualization (qemu, KVM and Proxmox), docker, clouds, pfSense (and friends) – i.e. networking firewalls, hacking/pen-testing (cyber-sec, I sometimes participate in CTF competitions), devops, software programming, Open Source tools, machine learning etc – the list is not exhaustive.

About the Oracle Cloud setup I’m running

For a hobby project I can so far highly recommend the generous resources Oracle is throwing into the game to take market share from Azure and AWS. Although I’ve upgraded from the free tier to a normal paid customer account, I’m currently not paying anything for running these instances:

Linux-based Oracle cloud instances
My Oracle Cloud instances – end of November 2022.

I might explain some more details about this setup in a later blog post. But briefly, as shown, they’re running Ubuntu on ARM architecture with 8 GB RAM, and I’ve set up some simple Ansible Playbooks so I can automate e.g. upgrading the system packages.

Two of my instances are currently not running: as I remember it, I received some kind of “Cloud Advisor” email in which Oracle proposed that if I wanted to save money I should switch off unused instances, among other recommendations. As I don’t pay anything and am grateful for the generous offer Oracle is giving here, I think it would be a waste to leave everything on when I currently don’t need it, and in these energy-crisis times it would be stupid not to turn them off. Then I can also go to bed and think to myself that I did something good for the climate.

Reminding myself about what I’ll probably write future blog posts about, why I started etc:

  • I currently have 2 Proxmox-servers. One of them is running 24/7 with a virtualized pfSense-machine. I think I’ll describe the setup in the future, incl. how I made VLAN segmentation in my home such that all IOT-devices are on their own “unsafe” VLAN.
  • Interesting issues/findings on my Proxmox-server and stuff related to self-hosted Open Source network/firewall software (gotta figure out what’s interesting to share – could also be intrusion detection which I’ve however got to play more with before anything interesting can be conveyed).
  • A month or 2 ago I was lucky to grab my hands on a Raspberry Pi CM4, and I’m going to use it as a cheap and modern KVM switch. So I might go through the setup of a BliKVM device (see: https://github.com/ThomasVon2021/blikvm for the CM4 version) when I’m happy with it.
  • Maybe I’ll share a programming project related to CAD-files, which I’m currently working on both on my job – and sometimes in my spare time.
  • Something related to Docker, Ansible, maybe even K8S, although I don’t professionally work with it so this is also gonna take some (a long) time.

I’m a WordPress noob, so if you have any suggestions feel free to link/write below. If I continue with this blog and write once in a while, hopefully I’ll eventually master everything. If you know about e.g. other free cloud resources as good as the Oracle Cloud free tier, you’re welcome to write in the comments section (I’m currently not sure if it needs to be moderated, but I’ll experiment with it and in case of misuse I’ll enable the “A comment is held for moderation” setting).